From: Todd C. Miller Date: Mon, 21 Jan 2008 15:01:37 +0000 (+0000) Subject: regen X-Git-Tag: SUDO_1_7_0~213 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bc5772f79891d0e17135598358de289ba5c5a7f9;p=sudo regen --- diff --git a/sudo.cat b/sudo.cat index 1acfcc5a2..1df7a46c5 100644 --- a/sudo.cat +++ b/sudo.cat @@ -1,7 +1,7 @@ -SUDO(8) MAINTENANCE COMMANDS SUDO(8) +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) NNAAMMEE 
@@ -10,554 +10,468 @@ NNAAMMEE SSYYNNOOPPSSIISS ssuuddoo --hh | --KK | --kk | --LL | --VV | --vv - ssuuddoo --ll [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_- - _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] + ssuuddoo --ll [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] - ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] - [VVAARR=_v_a_l_u_e] [{--ii | --ss] [<_c_o_m_m_a_n_d}] + ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] + [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [{--ii | --ss] [<_c_o_m_m_a_n_d}] - ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file - ... + ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] + [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ... DDEESSCCRRIIPPTTIIOONN - ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the - superuser or another user, as specified in the _s_u_d_o_e_r_s - file. The real and effective uid and gid are set to match - those of the target user as specified in the passwd file - and the group vector is initialized based on the group - file (unless the --PP option was specified). If the invok- - ing user is root or if the target user is the same as the - invoking user, no password is required. Otherwise, ssuuddoo - requires that users authenticate themselves with a pass- - word by default (NOTE: in the default configuration this - is the user's password, not the root password). 
Once a - user has been authenticated, a timestamp is updated and - the user may then use sudo without a password for a short - period of time (5 minutes unless overridden in _s_u_d_o_e_r_s). + ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or + another user, as specified in the _s_u_d_o_e_r_s file. The real and effective + uid and gid are set to match those of the target user as specified in + the passwd file and the group vector is initialized based on the group + file (unless the --PP option was specified). If the invoking user is + root or if the target user is the same as the invoking user, no pass- + word is required. Otherwise, ssuuddoo requires that users authenticate + themselves with a password by default (NOTE: in the default configura- + tion this is the user's password, not the root password). Once a user + has been authenticated, a timestamp is updated and the user may then + use sudo without a password for a short period of time (5 minutes + unless overridden in _s_u_d_o_e_r_s). - When invoked as ssuuddooeeddiitt, the --ee option (described below), - is implied. + When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. - ssuuddoo determines who is an authorized user by consulting - the file _/_e_t_c_/_s_u_d_o_e_r_s. By giving ssuuddoo the --vv flag, a user - can update the time stamp without running a _c_o_m_m_a_n_d. The - password prompt itself will also time out if the user's - password is not entered within 5 minutes (unless overrid- - den via _s_u_d_o_e_r_s). + ssuuddoo determines who is an authorized user by consulting the file + _/_e_t_c_/_s_u_d_o_e_r_s. By giving ssuuddoo the --vv flag, a user can update the time + stamp without running a _c_o_m_m_a_n_d. The password prompt itself will also + time out if the user's password is not entered within 5 minutes (unless + overridden via _s_u_d_o_e_r_s). 
- If a user who is not listed in the _s_u_d_o_e_r_s file tries to - run a command via ssuuddoo, mail is sent to the proper author- - ities, as defined at configure time or in the _s_u_d_o_e_r_s file - (defaults to root). Note that the mail will not be sent - if an unauthorized user tries to run sudo with the --ll or - --vv flags. This allows users to determine for themselves - whether or not they are allowed to use ssuuddoo. + If a user who is not listed in the _s_u_d_o_e_r_s file tries to run a command + via ssuuddoo, mail is sent to the proper authorities, as defined at config- + ure time or in the _s_u_d_o_e_r_s file (defaults to root). Note that the mail + will not be sent if an unauthorized user tries to run sudo with the --ll + or --vv flags. This allows users to determine for themselves whether or + not they are allowed to use ssuuddoo. - If ssuuddoo is run by root and the SUDO_USER environment vari- - able is set, ssuuddoo will use this value to determine who the - actual user is. This can be used by a user to log + If ssuuddoo is run by root and the SUDO_USER environment variable is set, + ssuuddoo will use this value to determine who the actual user is. This can + be used by a user to log commands through sudo even when a root shell + has been invoked. It also allows the --ee flag to remain useful even + when being run via a sudo-run script or program. Note however, that + the sudoers lookup is still done for root, not the user specified by + SUDO_USER. + ssuuddoo can log both successful and unsuccessful attempts (as well as + errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log + via _s_y_s_l_o_g(3) but this is changeable at configure time or via the -1.7 January 1, 2008 1 +1.7 January 21, 2008 1 -SUDO(8) MAINTENANCE COMMANDS SUDO(8) +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - commands through sudo even when a root shell has been - invoked. 
It also allows the --ee flag to remain useful even - when being run via a sudo-run script or program. Note - however, that the sudoers lookup is still done for root, - not the user specified by SUDO_USER. - ssuuddoo can log both successful and unsuccessful attempts (as - well as errors) to _s_y_s_l_o_g(3), a log file, or both. By - default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable - at configure time or via the _s_u_d_o_e_r_s file. + _s_u_d_o_e_r_s file. OOPPTTIIOONNSS ssuuddoo accepts the following command line options: - -a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes - ssuuddoo to use the specified authentication type - when validating the user, as allowed by - _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may - specify a list of sudo-specific authentication - methods by adding an "auth-sudo" entry in - _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only avail- - able on systems that support BSD authentica- - tion. - - -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run - the given command in the background. Note - that if you use the --bb option you cannot use - shell job control to manipulate the process. - - -C _f_d Normally, ssuuddoo will close all open file - descriptors other than standard input, stan- - dard output and standard error. The --CC (_c_l_o_s_e - _f_r_o_m) option allows the user to specify a - starting point above the standard error (file - descriptor three). Values less than three are - not permitted. This option is only available - if the administrator has enabled the _c_l_o_s_e_- - _f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(5). - - -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the - specified command with resources limited by - the specified login class. The _c_l_a_s_s argument - can be either a class name as defined in - _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. 
- Specifying a _c_l_a_s_s of - indicates that the - command should be run restricted by the - default login capabilities for the user the - command is run as. If the _c_l_a_s_s argument - specifies an existing user class, the command - must be run as root, or the ssuuddoo command must - be run from a shell that is already root. - This option is only available on systems with - BSD login classes. + -a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the + specified authentication type when validating the user, as + allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may + specify a list of sudo-specific authentication methods by + adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This + option is only available on systems that support BSD + authentication. + + -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given com- + mand in the background. Note that if you use the --bb option + you cannot use shell job control to manipulate the process. + + -C _f_d Normally, ssuuddoo will close all open file descriptors other + than standard input, standard output and standard error. + The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a + starting point above the standard error (file descriptor + three). Values less than three are not permitted. This + option is only available if the administrator has enabled + the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(4). + + -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified com- + mand with resources limited by the specified login class. + The _c_l_a_s_s argument can be either a class name as defined in + _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. Specifying a + _c_l_a_s_s of - indicates that the command should be run + restricted by the default login capabilities for the user + the command is run as. 
If the _c_l_a_s_s argument specifies an + existing user class, the command must be run as root, or + the ssuuddoo command must be run from a shell that is already + root. This option is only available on systems with BSD + login classes. + + -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the + _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when + either the matching command has the SETENV tag or the + _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). + + -e The --ee (_e_d_i_t) option indicates that, instead of running a + command, the user wishes to edit one or more files. In + lieu of a command, the string "sudoedit" is used when con- + sulting the _s_u_d_o_e_r_s file. If the user is authorized by + _s_u_d_o_e_r_s the following steps are taken: + 1. Temporary copies are made of the files to be edited + with the owner set to the invoking user. + 2. The editor specified by the VISUAL or EDITOR environ- + ment variables is run to edit the temporary files. If + neither VISUAL nor EDITOR are set, the program listed -1.7 January 1, 2008 2 +1.7 January 21, 2008 2 -SUDO(8) MAINTENANCE COMMANDS SUDO(8) +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will - override the _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(5)). - It is only available when either the matching - command has the SETENV tag or the _s_e_t_e_n_v - option is set in _s_u_d_o_e_r_s(5). - -e The --ee (_e_d_i_t) option indicates that, instead - of running a command, the user wishes to edit - one or more files. In lieu of a command, the - string "sudoedit" is used when consulting the - _s_u_d_o_e_r_s file. If the user is authorized by - _s_u_d_o_e_r_s the following steps are taken: + in the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is used. - 1. Temporary copies are made of the files to - be edited with the owner set to the invok- - ing user. + 3. 
If they have been modified, the temporary files are + copied back to their original location and the tempo- + rary versions are removed. - 2. The editor specified by the VISUAL or EDI- - TOR environment variables is run to edit - the temporary files. If neither VISUAL - nor EDITOR are set, the program listed in - the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is used. + If the specified file does not exist, it will be created. + Note that unlike most commands run by ssuuddoo, the editor is + run with the invoking user's environment unmodified. If, + for some reason, ssuuddoo is unable to update a file with its + edited version, the user will receive a warning and the + edited copy will remain in a temporary file. - 3. If they have been modified, the temporary - files are copied back to their original - location and the temporary versions are - removed. + -g _g_r_o_u_p Normally, ssuuddoo sets the primary group to the one specified + by the passwd database for the user the command is being + run as (by default, root). The --gg (_g_r_o_u_p) option causes + ssuuddoo to run the specified command with the primary group + set to _g_r_o_u_p. To specify a _g_i_d instead of a _g_r_o_u_p _n_a_m_e, + use _#_g_i_d. When running commands as a _g_i_d, many shells + require that the '#' be escaped with a backslash ('\'). If + no --uu option is specified, the command will be run as the + invoking user (not root). In either case, the primary + group will be set to _g_r_o_u_p. - If the specified file does not exist, it will - be created. Note that unlike most commands - run by ssuuddoo, the editor is run with the invok- - ing user's environment unmodified. If, for - some reason, ssuuddoo is unable to update a file - with its edited version, the user will receive - a warning and the edited copy will remain in a - temporary file. + -H The --HH (_H_O_M_E) option sets the HOME environment variable to + the homedir of the target user (root by default) as speci- + fied in _p_a_s_s_w_d(4). 
By default, ssuuddoo does not modify HOME + (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)). - -g _g_r_o_u_p Normally, ssuuddoo sets the primary group to the - one specified by the passwd database for the - user the command is being run as (by default, - root). The --gg (_g_r_o_u_p) option causes ssuuddoo to - run the specified command with the primary - group set to _g_r_o_u_p. To specify a _g_i_d instead - of a _g_r_o_u_p _n_a_m_e, use _#_g_i_d. When running com- - mands as a _g_i_d, many shells require that the - '#' be escaped with a backslash ('\'). If no - --uu option is specified, the command will be - run as the invoking user (not root). In - either case, the primary group will be set to - _g_r_o_u_p. + -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message + and exit. - -H The --HH (_H_O_M_E) option sets the HOME environment - variable to the homedir of the target user - (root by default) as specified in _p_a_s_s_w_d(5). + -i [command] + The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell spec- + ified in the _p_a_s_s_w_d(4) entry of the target user as a login + shell. This means that login-specific resource files such + as .profile or .login will be read by the shell. If a com- + mand is specified, it is passed to the shell for execution. + Otherwise, an interactive shell is executed. ssuuddoo attempts + to change to that user's home directory before running the + shell. It also initializes the environment, leaving _D_I_S_- + _P_L_A_Y and _T_E_R_M unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_- + _N_A_M_E, and _P_A_T_H, as well as the contents of _/_e_t_c_/_e_n_v_i_r_o_n_- + _m_e_n_t. All other environment variables are removed. + -K The --KK (sure _k_i_l_l) option is like --kk except that it removes + the user's timestamp entirely. Like --kk, this option does + not require a password. 
+ -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's times- + tamp by setting the time on it to the Epoch. The next time + ssuuddoo is run a password will be required. This option does + not require a password and was added to allow a user to + revoke ssuuddoo permissions from a .logout file. -1.7 January 1, 2008 3 +1.7 January 21, 2008 3 -SUDO(8) MAINTENANCE COMMANDS SUDO(8) - By default, ssuuddoo does not modify HOME (see - _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(5)). +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - -h The --hh (_h_e_l_p) option causes ssuuddoo to print a - usage message and exit. - -i [command] - The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs - the shell specified in the _p_a_s_s_w_d(5) entry of - the target user as a login shell. This means - that login-specific resource files such as - .profile or .login will be read by the shell. - If a command is specified, it is passed to the - shell for execution. Otherwise, an interac- - tive shell is executed. ssuuddoo attempts to - change to that user's home directory before - running the shell. It also initializes the - environment, leaving _D_I_S_P_L_A_Y and _T_E_R_M - unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, - and _P_A_T_H, as well as the contents of - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t. All other environment vari- - ables are removed. - - -K The --KK (sure _k_i_l_l) option is like --kk except - that it removes the user's timestamp entirely. - Like --kk, this option does not require a pass- - word. - - -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the - user's timestamp by setting the time on it to - the Epoch. The next time ssuuddoo is run a pass- - word will be required. This option does not - require a password and was added to allow a - user to revoke ssuuddoo permissions from a .logout - file. 
- - -L The --LL (_l_i_s_t defaults) option will list out - the parameters that may be set in a _D_e_f_a_u_l_t_s - line along with a short description for each. - This option is useful in conjunction with - _g_r_e_p(1). + -L The --LL (_l_i_s_t defaults) option will list out the parameters + that may be set in a _D_e_f_a_u_l_t_s line along with a short + description for each. This option is useful in conjunction + with _g_r_e_p(1). -l [_c_o_m_m_a_n_d] - If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) - option will list the allowed (and forbidden) - commands for the invoking user (or the user - specified by the --UU option) on the current - host. If a _c_o_m_m_a_n_d is specified and is per- - mitted by _s_u_d_o_e_r_s, the fully-qualified path to - the command is displayed along with any com- - mand line arguments. If _c_o_m_m_a_n_d is not - allowed, ssuuddoo will exit with a return value of - 1. - - - - -1.7 January 1, 2008 4 - - - - - -SUDO(8) MAINTENANCE COMMANDS SUDO(8) + If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list + the allowed (and forbidden) commands for the invoking user + (or the user specified by the --UU option) on the current + host. If a _c_o_m_m_a_n_d is specified and is permitted by _s_u_d_o_- + _e_r_s, the fully-qualified path to the command is displayed + along with any command line arguments. If _c_o_m_m_a_n_d is not + allowed, ssuuddoo will exit with a return value of 1. + -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to pre- + serve the invoking user's group vector unaltered. By + default, ssuuddoo will initialize the group vector to the list + of groups the target user is in. The real and effective + group IDs, however, are still set to match the target user. - -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes - ssuuddoo to preserve the invoking user's group - vector unaltered. 
By default, ssuuddoo will ini- - tialize the group vector to the list of groups - the target user is in. The real and effective - group IDs, however, are still set to match the - target user. + -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default + password prompt and use a custom one. The following per- + cent (`%') escapes are supported: - -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override - the default password prompt and use a custom - one. The following percent (`%') escapes are - supported: + %H expanded to the local hostname including the domain + name (on if the machine's hostname is fully qualified + or the _f_q_d_n _s_u_d_o_e_r_s option is set) - %H expanded to the local hostname including - the domain name (on if the machine's host- - name is fully qualified or the _f_q_d_n _s_u_d_o_- - _e_r_s option is set) + %h expanded to the local hostname without the domain name - %h expanded to the local hostname without the - domain name + %p expanded to the user whose password is being asked for + (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in + _s_u_d_o_e_r_s) - %U expanded to the login name of the user the - command will be run as (defaults to root) + %U expanded to the login name of the user the command will + be run as (defaults to root) %u expanded to the invoking user's login name - %% two consecutive % characters are collapsed - into a single % character + %% two consecutive % characters are collapsed into a sin- + gle % character - The prompt specified by the --pp option will - override the system password prompt on systems - that support PAM unless the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_- - _r_i_d_e flag is disabled in _s_u_d_o_e_r_s. + The prompt specified by the --pp option will override the + system password prompt on systems that support PAM unless + the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. 
- -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the - password from the standard input instead of - the terminal device. + -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from + the standard input instead of the terminal device. -s [command] - The --ss (_s_h_e_l_l) option runs the shell specified - by the _S_H_E_L_L environment variable if it is set - or the shell as specified in _p_a_s_s_w_d(5). If a - command is specified, it is passed to the - shell for execution. Otherwise, an interac- - tive shell is executed. + The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L + environment variable if it is set or the shell as specified + in _p_a_s_s_w_d(4). If a command is specified, it is passed to + the shell for execution. Otherwise, an interactive shell - -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunc- - tion with the --ll option to specify the user - whose privileges should be listed. Only root - or a user with ssuuddoo ALL on the current host - may use this option. - -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the - specified command as a user other than _r_o_o_t. +1.7 January 21, 2008 4 -1.7 January 1, 2008 5 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -SUDO(8) MAINTENANCE COMMANDS SUDO(8) + is executed. + -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the + --ll option to specify the user whose privileges should be + listed. Only root or a user with ssuuddoo ALL on the current + host may use this option. - To specify a _u_i_d instead of a _u_s_e_r _n_a_m_e, use - _#_u_i_d. When running commands as a _u_i_d, many - shells require that the '#' be escaped with a - backslash ('\'). Note that if the _t_a_r_g_e_t_p_w - Defaults option is set (see _s_u_d_o_e_r_s(5)) it is - not possible to run commands with a uid not - listed in the password database. 
+ -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified com- + mand as a user other than _r_o_o_t. To specify a _u_i_d instead + of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as a _u_i_d, + many shells require that the '#' be escaped with a back- + slash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option is + set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands + with a uid not listed in the password database. - -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print - the version number and exit. If the invoking - user is already root the --VV option will print - out a list of the defaults ssuuddoo was compiled - with as well as the machine's local network + -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version + number and exit. If the invoking user is already root the + --VV option will print out a list of the defaults ssuuddoo was + compiled with as well as the machine's local network addresses. - -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will - update the user's timestamp, prompting for the - user's password if necessary. This extends - the ssuuddoo timeout for another 5 minutes (or - whatever the timeout is set to in _s_u_d_o_e_r_s) but + -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the + user's timestamp, prompting for the user's password if nec- + essary. This extends the ssuuddoo timeout for another 5 min- + utes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but does not run a command. - -- The ---- flag indicates that ssuuddoo should stop - processing command line arguments. It is most - useful in conjunction with the --ss flag. - - Environment variables to be set for the command may also - be passed on the command line in the form of VVAARR=_v_a_l_u_e, - e.g. LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. 
Variables - passed on the command line are subject to the same - restrictions as normal environment variables with one - important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_- - _e_r_s, the command to be run has the SETENV tag set or the - command matched is ALL, the user may set variables that - would overwise be forbidden. See _s_u_d_o_e_r_s(5) for more - information. + -- The ---- flag indicates that ssuuddoo should stop processing com- + mand line arguments. It is most useful in conjunction with + the --ss flag. + + Environment variables to be set for the command may also be passed on + the command line in the form of VVAARR=_v_a_l_u_e, e.g. + LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command + line are subject to the same restrictions as normal environment vari- + ables with one important exception. If the _s_e_t_e_n_v option is set in + _s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command + matched is ALL, the user may set variables that would overwise be for- + bidden. See _s_u_d_o_e_r_s(4) for more information. RREETTUURRNN VVAALLUUEESS - Upon successful execution of a program, the return value - from ssuuddoo will simply be the return value of the program - that was executed. + Upon successful execution of a program, the return value from ssuuddoo will + simply be the return value of the program that was executed. - Otherwise, ssuuddoo quits with an exit value of 1 if there is - a configuration/permission problem or if ssuuddoo cannot exe- - cute the given command. In the latter case the error - string is printed to stderr. If ssuuddoo cannot _s_t_a_t(2) one - or more entries in the user's PATH an error is printed on - stderr. (If the directory does not exist or if it is not - really a directory, the entry is ignored and no error is - printed.) This should not happen under normal circum- - stances. 
The most common reason for _s_t_a_t(2) to return - "permission denied" is if you are running an automounter - and one of the directories in your PATH is on a machine - that is currently unreachable. + Otherwise, ssuuddoo quits with an exit value of 1 if there is a configura- + tion/permission problem or if ssuuddoo cannot execute the given command. + In the latter case the error string is printed to stderr. If ssuuddoo can- + not _s_t_a_t(2) one or more entries in the user's PATH an error is printed + on stderr. (If the directory does not exist or if it is not really a + directory, the entry is ignored and no error is printed.) This should + not happen under normal circumstances. The most common reason for + _s_t_a_t(2) to return "permission denied" is if you are running an auto- + mounter and one of the directories in your PATH is on a machine that is + currently unreachable. -1.7 January 1, 2008 6 +1.7 January 21, 2008 5 -SUDO(8) MAINTENANCE COMMANDS SUDO(8) +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SSEECCUURRIITTYY NNOOTTEESS ssuuddoo tries to be safe when executing external commands. - There are two distinct ways to deal with environment vari- - ables. By default, the _e_n_v___r_e_s_e_t _s_u_d_o_e_r_s option is - enabled. This causes commands to be executed with a mini- - mal environment containing TERM, PATH, HOME, SHELL, LOG- - NAME, USER and USERNAME in addition to variables from the - invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p - _s_u_d_o_e_r_s options. There is effectively a whitelist for - environment variables. - - If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, - any variables not explicitly denied by the _e_n_v___c_h_e_c_k and - _e_n_v___d_e_l_e_t_e options are inherited from the invoking pro- - cess. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave like - a blacklist. 
Since it is not possible to blacklist all - potentially dangerous environment variables, use of the + There are two distinct ways to deal with environment variables. By + default, the _e_n_v___r_e_s_e_t _s_u_d_o_e_r_s option is enabled. This causes commands + to be executed with a minimal environment containing TERM, PATH, HOME, + SHELL, LOGNAME, USER and USERNAME in addition to variables from the + invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p _s_u_d_o_e_r_s + options. There is effectively a whitelist for environment variables. + + If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, any variables + not explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are + inherited from the invoking process. In this case, _e_n_v___c_h_e_c_k and + _e_n_v___d_e_l_e_t_e behave like a blacklist. Since it is not possible to black- + list all potentially dangerous environment variables, use of the default _e_n_v___r_e_s_e_t behavior is encouraged. - In all cases, environment variables with a value beginning - with () are removed as they could be interpreted as bbaasshh - functions. The list of environment variables that ssuuddoo - allows or denies is contained in the output of sudo -V - when run as root. + In all cases, environment variables with a value beginning with () are + removed as they could be interpreted as bbaasshh functions. The list of + environment variables that ssuuddoo allows or denies is contained in the + output of sudo -V when run as root. - Note that the dynamic linker on most operating systems - will remove variables that can control dynamic linking - from the environment of setuid executables, including - ssuuddoo. Depending on the operating system this may include - _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth- - ers. 
These type of variables are removed from the envi- - ronment before ssuuddoo even begins execution and, as such, it - is not possible for ssuuddoo to preserve them. + Note that the dynamic linker on most operating systems will remove + variables that can control dynamic linking from the environment of + setuid executables, including ssuuddoo. Depending on the operating system + this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and + others. These type of variables are removed from the environment + before ssuuddoo even begins execution and, as such, it is not possible for + ssuuddoo to preserve them. - To prevent command spoofing, ssuuddoo checks "." and "" (both - denoting current directory) last when searching for a com- - mand in the user's PATH (if one or both are in the PATH). - Note, however, that the actual PATH environment variable - is _n_o_t modified and is passed unchanged to the program - that ssuuddoo executes. + To prevent command spoofing, ssuuddoo checks "." and "" (both denoting cur- + rent directory) last when searching for a command in the user's PATH + (if one or both are in the PATH). Note, however, that the actual PATH + environment variable is _n_o_t modified and is passed unchanged to the + program that ssuuddoo executes. - ssuuddoo will check the ownership of its timestamp directory - (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con- - tents if it is not owned by root or if it is writable by a - user other than root. On systems that allow non-root - users to give away files via _c_h_o_w_n(2), if the timestamp - directory is located in a directory writable by anyone - (e.g., _/_t_m_p), it is possible for a user to create the - timestamp directory before ssuuddoo is run. However, because - ssuuddoo checks the ownership and mode of the directory and - its contents, the only damage that can be done is to - "hide" files by putting them in the timestamp dir. 
This - is unlikely to happen since once the timestamp dir is + ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o + by default) and ignore the directory's contents if it is not owned by + root or if it is writable by a user other than root. On systems that + allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp + directory is located in a directory writable by anyone (e.g., _/_t_m_p), it + is possible for a user to create the timestamp directory before ssuuddoo is + run. However, because ssuuddoo checks the ownership and mode of the direc- + tory and its contents, the only damage that can be done is to "hide" + files by putting them in the timestamp dir. This is unlikely to happen + since once the timestamp dir is owned by root and inaccessible by any + other user, the user placing files there would be unable to get them + back out. To get around this issue you can use a directory that is not + world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or cre- + ate _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root) and permissions + (0700) in the system startup files. + ssuuddoo will not honor timestamps set far in the future. Timestamps with + a date greater than current_time + 2 * TIMEOUT will be ignored and sudo -1.7 January 1, 2008 7 +1.7 January 21, 2008 6 -SUDO(8) MAINTENANCE COMMANDS SUDO(8) +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - owned by root and inaccessible by any other user, the user - placing files there would be unable to get them back out. - To get around this issue you can use a directory that is - not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for - instance) or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate - owner (root) and permissions (0700) in the system startup - files. - ssuuddoo will not honor timestamps set far in the future. 
- Timestamps with a date greater than current_time + 2 * - TIMEOUT will be ignored and sudo will log and complain. - This is done to keep a user from creating his/her own - timestamp with a bogus date on systems that allow users to + will log and complain. This is done to keep a user from creating + his/her own timestamp with a bogus date on systems that allow users to give away files. - Please note that ssuuddoo will normally only log the command - it explicitly runs. If a user runs a command such as sudo - su or sudo sh, subsequent commands run from that shell - will _n_o_t be logged, nor will ssuuddoo's access control affect - them. The same is true for commands that offer shell - escapes (including most editors). Because of this, care - must be taken when giving users access to commands via - ssuuddoo to verify that the command does not inadvertently - give the user an effective root shell. For more informa- - tion, please see the PREVENTING SHELL ESCAPES section in - _s_u_d_o_e_r_s(5). + Please note that ssuuddoo will normally only log the command it explicitly + runs. If a user runs a command such as sudo su or sudo sh, subsequent + commands run from that shell will _n_o_t be logged, nor will ssuuddoo's access + control affect them. The same is true for commands that offer shell + escapes (including most editors). Because of this, care must be taken + when giving users access to commands via ssuuddoo to verify that the com- + mand does not inadvertently give the user an effective root shell. For + more information, please see the PREVENTING SHELL ESCAPES section in + _s_u_d_o_e_r_s(4). 
EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables: - EDITOR Default editor to use in --ee (sudoedit) - mode if VISUAL is not set + EDITOR Default editor to use in --ee (sudoedit) mode if VISUAL + is not set - HOME In --ss or --HH mode (or if sudo was config- - ured with the --enable-shell-sets-home - option), set to homedir of the target user + HOME In --ss or --HH mode (or if sudo was configured with the + --enable-shell-sets-home option), set to homedir of the + target user - PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h - sudoers option is set. + PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option + is set. - SHELL Used to determine shell to run with -s - option + SHELL Used to determine shell to run with -s option SUDO_PROMPT Used as the default password prompt SUDO_COMMAND Set to the command run by sudo - SUDO_USER Set to the login of the user who invoked - sudo + SUDO_USER Set to the login of the user who invoked sudo - SUDO_UID Set to the uid of the user who invoked - sudo + SUDO_UID Set to the uid of the user who invoked sudo - SUDO_GID Set to the gid of the user who invoked + SUDO_GID Set to the gid of the user who invoked sudo + SUDO_PS1 If set, PS1 will be set to its value + USER Set to the target user (root unless the --uu option is + specified) -1.7 January 1, 2008 8 + VISUAL Default editor to use in --ee (sudoedit) mode +FFIILLEESS + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mmooddee +EEXXAAMMPPLLEESS + Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. 
-SUDO(8) MAINTENANCE COMMANDS SUDO(8) +1.7 January 21, 2008 7 - sudo - SUDO_PS1 If set, PS1 will be set to its value - USER Set to the target user (root unless the --uu - option is specified) - VISUAL Default editor to use in --ee (sudoedit) - mode -FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mmooddee +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -EEXXAAMMPPLLEESS - Note: the following examples assume suitable _s_u_d_o_e_r_s(5) - entries. To get a file listing of an unreadable directory: $ sudo ls /usr/local/protected - To list the home directory of user yazza on a machine - where the file system holding ~yazza is not exported as - root: + To list the home directory of user yazza on a machine where the file + system holding ~yazza is not exported as root: $ sudo -u yazza ls ~yazza 
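Review bot: the dynamic-linker paragraph in the sudo.cat hunk at @@ -10,554 +10,468 @@ keeps the grammatical slip "These type of variables are removed from the environment before sudo even begins execution"; the demonstrative and noun disagree, so it should read "These types of variables" (or "Variables of this type"). Make that fix in the page source rather than in the pre-formatted sudo.cat, otherwise the next regen reintroduces it.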
@@ -569,83 +483,103 @@ EEXXAAMMPPLLEESS $ sudo shutdown -r +15 "quick reboot" - To make a usage listing of the directories in the /home - partition. Note that this runs the commands in a sub- - shell to make the cd and file redirection work. + To make a usage listing of the directories in the /home partition. + Note that this runs the commands in a sub-shell to make the cd and file + redirection work. $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(5), - _s_u_d_o_e_r_s(5), _v_i_s_u_d_o(8) + _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), + _v_i_s_u_d_o(1m) AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this ver- - sion consists of code written primarily by: + Many people have worked on ssuuddoo over the years; this version consists + of code written primarily by: Todd C. Miller See the HISTORY file in the ssuuddoo distribution or visit + http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. +CCAAVVEEAATTSS + There is no easy way to prevent a user from gaining a root shell if + that user is allowed to run arbitrary commands via ssuuddoo. Also, many + programs (such as editors) allow the user to run commands via shell + escapes, thus avoiding ssuuddoo's checks. However, on most systems it is + possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. + See the _s_u_d_o_e_r_s(4) manual for details. + It is not meaningful to run the cd command directly via sudo, e.g., -1.7 January 1, 2008 9 + $ sudo cd /usr/local/protected + since when the command exits the parent process (your shell) will still + be the same. Please see the EXAMPLES section for more information. + If users have sudo ALL there is nothing to prevent them from creating + their own program that gives them a root shell regardless of any '!' + elements in the user specification. 
-SUDO(8) MAINTENANCE COMMANDS SUDO(8) +1.7 January 21, 2008 8 - http://www.sudo.ws/sudo/history.html for a short history - of ssuuddoo. -CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root - shell if that user is allowed to run arbitrary commands - via ssuuddoo. Also, many programs (such as editors) allow the - user to run commands via shell escapes, thus avoiding - ssuuddoo's checks. However, on most systems it is possible to - prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. - See the _s_u_d_o_e_r_s(5) manual for details. - It is not meaningful to run the cd command directly via - sudo, e.g., - $ sudo cd /usr/local/protected - - since when the command exits the parent process (your - shell) will still be the same. Please see the EXAMPLES - section for more information. +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - If users have sudo ALL there is nothing to prevent them - from creating their own program that gives them a root - shell regardless of any '!' elements in the user specifi- - cation. - Running shell scripts via ssuuddoo can expose the same kernel - bugs that make setuid shell scripts unsafe on some operat- - ing systems (if your OS has a /dev/fd/ directory, setuid - shell scripts are generally safe). + Running shell scripts via ssuuddoo can expose the same kernel bugs that + make setuid shell scripts unsafe on some operating systems (if your OS + has a /dev/fd/ directory, setuid shell scripts are generally safe). BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mail- - ing list, see http://www.sudo.ws/mail- - man/listinfo/sudo-users to subscribe or search the - archives. 
+ Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied war- - ranties, including, but not limited to, the implied war- - ranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- - plete details. + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantabil- + ity and fitness for a particular purpose are disclaimed. See the + LICENSE file distributed with ssuuddoo or + http://www.sudo.ws/sudo/license.html for complete details. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -655,6 +589,6 @@ DDIISSCCLLAAIIMMEERR -1.7 January 1, 2008 10 +1.7 January 21, 2008 9 diff --git a/sudo.man.in b/sudo.man.in index 66d6b2eed..b47528ad7 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "January 1, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" @@ -366,6 +366,11 @@ expanded to the local hostname including the domain name .el .IP "\f(CW%h\fR" 4 .IX Item "%h" expanded to the local hostname without the domain name +.ie n .IP "%p" 4 +.el .IP "\f(CW%p\fR" 4 +.IX Item "%p" +expanded to the user whose password is being asked for (respects the +\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR) .ie n .IP "%U" 4 .el .IP "\f(CW%U\fR" 4 .IX Item "%U" diff --git a/sudoers.cat b/sudoers.cat index 41fc4fe8d..8866236c0 100644 --- a/sudoers.cat +++ b/sudoers.cat 
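Review bot: the SEE ALSO block in the sudo.cat hunk at @@ -569,83 +483,103 @@ now cross-references passwd(4), sudoers(4) and visudo(1m) instead of passwd(5), sudoers(5) and visudo(8), and the page headers in the same file switch from SUDO(8) to SUDO(1m). That agrees with the SUDOERS(4) header already present in sudoers.cat, but it means the shipped catalog page was rendered with System V section numbers; on systems where sudo lives in section 8 and sudoers in section 5, this sudo.cat will point readers at sections that do not exist there. If one pre-formatted sudo.cat is meant to serve every platform, consider rendering it with the section numbers most targets use, and record which configure setting produced it so the next regen is reproducible.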
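Review bot: the new %p entry in the sudo.man.in hunk at @@ -366,6 +366,11 @@ explains that the escape "respects the rootpw, targetpw and runaspw flags in sudoers" but never says which user it names when none of those flags is set; state the default case explicitly next to the flag-dependent ones so the prompt expansion is predictable from the description alone.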
@@ -8,60 +8,60 @@ NNAAMMEE sudoers - list of which users may execute what DDEESSCCRRIIPPTTIIOONN - The _s_u_d_o_e_r_s file is composed of two types of entries: - aliases (basically variables) and user specifications - (which specify who may run what). + The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basi- + cally variables) and user specifications (which specify who may run + what). - When multiple entries match for a user, they are applied - in order. Where there are multiple matches, the last - match is used (which is not necessarily the most specific - match). + When multiple entries match for a user, they are applied in order. + Where there are multiple matches, the last match is used (which is not + necessarily the most specific match). - The _s_u_d_o_e_r_s grammar will be described below in Extended - Backus-Naur Form (EBNF). Don't despair if you don't know - what EBNF is; it is fairly simple, and the definitions - below are annotated. + The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur + Form (EBNF). Don't despair if you don't know what EBNF is; it is + fairly simple, and the definitions below are annotated. QQuuiicckk gguuiiddee ttoo EEBBNNFF - EBNF is a concise and exact way of describing the grammar - of a language. Each EBNF definition is made up of _p_r_o_d_u_c_- - _t_i_o_n _r_u_l_e_s. E.g., + EBNF is a concise and exact way of describing the grammar of a lan- + guage. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., symbol ::= definition | alternate1 | alternate2 ... - Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a - grammar for the language. EBNF also contains the follow- - ing operators, which many readers will recognize from reg- - ular expressions. Do not, however, confuse them with - "wildcard" characters, which have different meanings. + Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for + the language. 
EBNF also contains the following operators, which many + readers will recognize from regular expressions. Do not, however, con- + fuse them with "wildcard" characters, which have different meanings. - ? Means that the preceding symbol (or group of symbols) - is optional. That is, it may appear once or not at - all. + ? Means that the preceding symbol (or group of symbols) is optional. + That is, it may appear once or not at all. - * Means that the preceding symbol (or group of symbols) - may appear zero or more times. + * Means that the preceding symbol (or group of symbols) may appear + zero or more times. - + Means that the preceding symbol (or group of symbols) - may appear one or more times. + + Means that the preceding symbol (or group of symbols) may appear + one or more times. - Parentheses may be used to group symbols together. For - clarity, we will use single quotes ('') to designate what - is a verbatim character string (as opposed to a symbol - name). + Parentheses may be used to group symbols together. For clarity, we + will use single quotes ('') to designate what is a verbatim character + string (as opposed to a symbol name). AAlliiaasseess - There are four kinds of aliases: User_Alias, Runas_Alias, - Host_Alias and Cmnd_Alias. + There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias + and Cmnd_Alias. + Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + User_Alias ::= NAME '=' User_List + Runas_Alias ::= NAME '=' Runas_List -1.7 December 10, 2007 1 +1.7 January 21, 2008 1 
@@ -70,15 +70,6 @@ DDEESSCCRRIIPPTTIIOONN SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | - 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | - 'Host_Alias' Host_Alias (':' Host_Alias)* | - 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* - - User_Alias ::= NAME '=' User_List - - Runas_Alias ::= NAME '=' Runas_List - Host_Alias ::= NAME '=' Host_List Cmnd_Alias ::= NAME '=' Cmnd_List @@ -89,17 +80,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Alias_Type NAME = item1, item2, ... - where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, - Host_Alias, or Cmnd_Alias. A NAME is a string of upper- - case letters, numbers, and underscore characters ('_'). A - NAME mmuusstt start with an uppercase letter. It is possible - to put several alias definitions of the same type on a - single line, joined by a colon (':'). E.g., + where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or + Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and + underscore characters ('_'). A NAME mmuusstt start with an uppercase let- + ter. It is possible to put several alias definitions of the same type + on a single line, joined by a colon (':'). E.g., Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 - The definitions of what constitutes a valid _a_l_i_a_s member - follow. + The definitions of what constitutes a valid _a_l_i_a_s member follow. User_List ::= User | User ',' User_List 
@@ -110,24 +99,35 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) '!'* '+'netgroup | '!'* User_Alias - A User_List is made up of one or more usernames, uids - (prefixed with '#'), system groups (prefixed with '%'), - netgroups (prefixed with '+') and User_Aliases. Each list - item may be prefixed with zero or more '!' operators. An - odd number of '!' operators negate the value of the item; - an even number just cancel each other out. + A User_List is made up of one or more usernames, uids (prefixed with + '#'), system groups (prefixed with '%'), netgroups (prefixed with '+') + and User_Aliases. Each list item may be prefixed with zero or more '!' + operators. An odd number of '!' operators negate the value of the + item; an even number just cancel each other out. Runas_List ::= Runas_Member | Runas_Member ',' Runas_List + Runas_Member ::= '!'* username | + '!'* '#'uid | + '!'* '%'group | + '!'* +netgroup | + '!'* Runas_Alias + A Runas_List is similar to a User_List except that instead of + User_Aliases it can contain Runas_Aliases. Note that usernames and + groups are matched as strings. In other words, two users (groups) with + the same uid (gid) are considered to be distinct. If you wish to match + all usernames with the same uid (e.g. root and toor), you can use a uid + instead (#0 in the example given). + Host_List ::= Host | + Host ',' Host_List - -1.7 December 10, 2007 2 +1.7 January 21, 2008 2 
@@ -136,44 +136,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Runas_Member ::= '!'* username | - '!'* '#'uid | - '!'* '%'group | - '!'* +netgroup | - '!'* Runas_Alias - - A Runas_List is similar to a User_List except that instead - of User_Aliases it can contain Runas_Aliases. Note that - usernames and groups are matched as strings. In other - words, two users (groups) with the same uid (gid) are con- - sidered to be distinct. If you wish to match all user- - names with the same uid (e.g. root and toor), you can use - a uid instead (#0 in the example given). - - Host_List ::= Host | - Host ',' Host_List - Host ::= '!'* hostname | '!'* ip_addr | '!'* network(/netmask)? | '!'* '+'netgroup | '!'* Host_Alias - A Host_List is made up of one or more hostnames, IP - addresses, network numbers, netgroups (prefixed with '+') - and other aliases. Again, the value of an item may be - negated with the '!' operator. If you do not specify a - netmask along with the network number, ssuuddoo will query - each of the local host's network interfaces and, if the - network number corresponds to one of the hosts's network - interfaces, the corresponding netmask will be used. The - netmask may be specified either in standard IP address - notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or - CIDR notation (number of bits, e.g. 24 or 64). A hostname - may include shell-style wildcards (see the Wildcards sec- - tion below), but unless the hostname command on your - machine returns the fully qualified hostname, you'll need - to use the _f_q_d_n option for wildcards to be useful. + A Host_List is made up of one or more hostnames, IP addresses, network + numbers, netgroups (prefixed with '+') and other aliases. Again, the + value of an item may be negated with the '!' operator. 
If you do not + specify a netmask along with the network number, ssuuddoo will query each + of the local host's network interfaces and, if the network number cor- + responds to one of the hosts's network interfaces, the corresponding + netmask will be used. The netmask may be specified either in standard + IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or + CIDR notation (number of bits, e.g. 24 or 64). A hostname may include + shell-style wildcards (see the Wildcards section below), but unless the + hostname command on your machine returns the fully qualified hostname, + you'll need to use the _f_q_d_n option for wildcards to be useful. Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List 
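Review bot: the Host_List paragraph in the sudoers.cat hunk at @@ -136,44 +136,24 @@ carries over the typo "one of the hosts's network interfaces"; it should read "host's". The re-wrap itself is fine, but since this text is being re-rendered anyway, fix the spelling in the source so it does not survive another regen.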
@@ -187,52 +167,46 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) '!'* "sudoedit" | '!'* Cmnd_Alias - A Cmnd_List is a list of one or more commandnames, direc- - tories, and other aliases. A commandname is a fully qual- - ified filename which may include shell-style wildcards + A Cmnd_List is a list of one or more commandnames, directories, and + other aliases. A commandname is a fully qualified filename which may + include shell-style wildcards (see the Wildcards section below). A + simple filename allows the user to run the command with any arguments + he/she wishes. However, you may also specify command line arguments + (including wildcards). Alternately, you can specify "" to indicate + that the command may only be run wwiitthhoouutt command line arguments. A + directory is a fully qualified pathname ending in a '/'. When you + specify a directory in a Cmnd_List, the user will be able to run any + file within that directory (but not in any subdirectories therein). + + If a Cmnd has associated command line arguments, then the arguments in + the Cmnd must match exactly those given by the user on the command line + (or match the wildcards if there are any). Note that the following + characters must be escaped with a '\' if they are used in command argu- + ments: ',', ':', '=', '\'. The special command "sudoedit" is used to + permit a user to run ssuuddoo with the --ee flag (or as ssuuddooeeddiitt). It may + take command line arguments just as a normal command does. + DDeeffaauullttss + Certain configuration options may be changed from their default values + at runtime via one or more Default_Entry lines. These may affect all -1.7 December 10, 2007 3 +1.7 January 21, 2008 3 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - (see the Wildcards section below). A simple filename - allows the user to run the command with any arguments - he/she wishes. However, you may also specify command line - arguments (including wildcards). 
Alternately, you can - specify "" to indicate that the command may only be run - wwiitthhoouutt command line arguments. A directory is a fully - qualified pathname ending in a '/'. When you specify a - directory in a Cmnd_List, the user will be able to run any - file within that directory (but not in any subdirectories - therein). - - If a Cmnd has associated command line arguments, then the - arguments in the Cmnd must match exactly those given by - the user on the command line (or match the wildcards if - there are any). Note that the following characters must - be escaped with a '\' if they are used in command argu- - ments: ',', ':', '=', '\'. The special command "sudoedit" - is used to permit a user to run ssuuddoo with the --ee flag (or - as ssuuddooeeddiitt). It may take command line arguments just as - a normal command does. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - DDeeffaauullttss - Certain configuration options may be changed from their - default values at runtime via one or more Default_Entry - lines. These may affect all users on any host, all users - on a specific host, a specific user, a specific command, - or commands being run as a specific user. Note that per- - command entries may not include command line arguments. - If you need to specify arguments, define a Cmnd_Alias and - reference that instead. + users on any host, all users on a specific host, a specific user, a + specific command, or commands being run as a specific user. Note that + per-command entries may not include command line arguments. If you + need to specify arguments, define a Cmnd_Alias and reference that + instead. Default_Type ::= 'Defaults' | 'Defaults' '@' Host_List | 
@@ -250,33 +224,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Parameter '-=' Value | '!'* Parameter - Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or - lliissttss. Flags are implicitly boolean and can be turned off - via the '!' operator. Some integer, string and list - parameters may also be used in a boolean context to dis- - able them. Values may be enclosed in double quotes (") - when they contain multiple words. Special characters may - - - -1.7 December 10, 2007 4 - - + Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are + implicitly boolean and can be turned off via the '!' operator. Some + integer, string and list parameters may also be used in a boolean con- + text to disable them. Values may be enclosed in double quotes (") when + they contain multiple words. Special characters may be escaped with a + backslash (\). + Lists have two additional assignment operators, += and -=. These oper- + ators are used to add to and delete from a list respectively. It is + not an error to use the -= operator to remove an element that does not + exist in a list. - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - be escaped with a backslash (\). - - Lists have two additional assignment operators, += and -=. - These operators are used to add to and delete from a list - respectively. It is not an error to use the -= operator - to remove an element that does not exist in a list. - - See "SUDOERS OPTIONS" for a list of supported Defaults - parameters. + See "SUDOERS OPTIONS" for a list of supported Defaults parameters. UUsseerr SSppeecciiffiiccaattiioonn 
@@ -293,189 +253,174 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' ) - A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may - run (and as what user) on specified hosts. By default, - commands are run as rroooott, but this can be changed on a - per-command basis. - - Let's break that down into its constituent parts: - - RRuunnaass__SSppeecc + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as + what user) on specified hosts. By default, commands are run as rroooott, + but this can be changed on a per-command basis. - A Runas_Spec determines the user and/or the group that a - command may be run as. A fully-specified Runas_Spec con- - sists of two Runas_Lists (as defined above) separated by a - colon (':') and enclosed in a set of parentheses. The - first Runas_List indicates which users the command may be - run as via ssuuddoo's --uu flag. The second defines a list of - groups that can be specified via ssuuddoo's --gg flag. If both - Runas_Lists are specified, the command may be run with any - combination of users and groups listed in their respective - Runas_Lists. If only the first is specified, the command - may be run as any user in the list but no --gg flag may be - specified. If the first Runas_List is empty but the sec- - ond is specified, the command may be run as the invoking - user with the group set to any listed in the Runas_List. - If no Runas_Spec is specified the command may be run as - rroooott and no group may be specified. - A Runas_Spec sets the default for the commands that follow - it. 
What this means is that for the entry: +1.7 January 21, 2008 4 -1.7 December 10, 2007 5 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Let's break that down into its constituent parts: -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + RRuunnaass__SSppeecc + A Runas_Spec determines the user and/or the group that a command may be + run as. A fully-specified Runas_Spec consists of two Runas_Lists (as + defined above) separated by a colon (':') and enclosed in a set of + parentheses. The first Runas_List indicates which users the command + may be run as via ssuuddoo's --uu flag. The second defines a list of groups + that can be specified via ssuuddoo's --gg flag. If both Runas_Lists are + specified, the command may be run with any combination of users and + groups listed in their respective Runas_Lists. If only the first is + specified, the command may be run as any user in the list but no --gg + flag may be specified. If the first Runas_List is empty but the second + is specified, the command may be run as the invoking user with the + group set to any listed in the Runas_List. If no Runas_Spec is speci- + fied the command may be run as rroooott and no group may be specified. + + A Runas_Spec sets the default for the commands that follow it. What + this means is that for the entry: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m - -- but only as ooppeerraattoorr. E.g., + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only + as ooppeerraattoorr. E.g., $ sudo -u operator /bin/ls. - It is also possible to override a Runas_Spec later on in - an entry. If we modify the entry like so: + It is also possible to override a Runas_Spec later on in an entry. 
If + we modify the entry like so: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, - but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l + and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - We can extend this to allow ddggbb to run /bin/ls with either - the user or group set to ooppeerraattoorr: + We can extend this to allow ddggbb to run /bin/ls with either the user or + group set to ooppeerraattoorr: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ /usr/bin/lprm - In the following example, user ttccmm may run commands that - access a modem device file with the dialer group. Note - that in this example only the group will be set, the com- - mand still runs as user ttccmm. + In the following example, user ttccmm may run commands that access a modem + device file with the dialer group. Note that in this example only the + group will be set, the command still runs as user ttccmm. tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom TTaagg__SSppeecc - A command may have zero or more tags associated with it. - There are eight possible tag values, NOPASSWD, PASSWD, - NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a - Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the - tag unless it is overridden by the opposite tag (i.e.: - PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). + A command may have zero or more tags associated with it. There are + eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and + NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in the - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D - By default, ssuuddoo requires that a user authenticate him or - herself before running a command. This behavior can be - modified via the NOPASSWD tag. 
Like a Runas_Spec, the - NOPASSWD tag sets a default for the commands that follow - it in the Cmnd_Spec_List. Conversely, the PASSWD tag can - be used to reverse things. For example: - ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm +1.7 January 21, 2008 5 - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and - _/_u_s_r_/_b_i_n_/_l_p_r_m as root on the machine rushmore as rroooott - without authenticating himself. If we only want rraayy to be - able to run _/_b_i_n_/_k_i_l_l without a password the entry would - be: -1.7 December 10, 2007 6 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite + tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). + _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + By default, ssuuddoo requires that a user authenticate him or herself + before running a command. This behavior can be modified via the + NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for + the commands that follow it in the Cmnd_Spec_List. Conversely, the + PASSWD tag can be used to reverse things. For example: + + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m + as root on the machine rushmore as rroooott without authenticating himself. + If we only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the + entry would be: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - Note, however, that the PASSWD tag has no effect on users - who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + Note, however, that the PASSWD tag has no effect on users who are in + the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. 
- By default, if the NOPASSWD tag is applied to any of the - entries for a user on the current host, he or she will be - able to run sudo -l without a password. Additionally, a - user may only run sudo -v without a password if the - NOPASSWD tag is present for all a user's entries that per- - tain to the current host. This behavior may be overridden - via the verifypw and listpw options. + By default, if the NOPASSWD tag is applied to any of the entries for a + user on the current host, he or she will be able to run sudo -l without + a password. Additionally, a user may only run sudo -v without a pass- + word if the NOPASSWD tag is present for all a user's entries that per- + tain to the current host. This behavior may be overridden via the ver- + ifypw and listpw options. _N_O_E_X_E_C _a_n_d _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the - underlying operating system supports it, the NOEXEC tag - can be used to prevent a dynamically-linked executable - from running further commands itself. + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying oper- + ating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e - and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - See the "PREVENTING SHELL ESCAPES" section below for more - details on how NOEXEC works and whether or not it will - work on your system. + See the "PREVENTING SHELL ESCAPES" section below for more details on + how NOEXEC works and whether or not it will work on your system. _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V - These tags override the value of the _s_e_t_e_n_v option on a - per-command basis. 
Note that if SETENV has been set for a - command, any environment variables set on the command line - way are not subject to the restrictions imposed by - _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted - users should be allowed to set variables in this manner. - If the command matched is AALLLL, the SETENV tag is implied - for that command; this default may be overridden by use of - the UNSETENV tag. + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, any environment + variables set on the command line way are not subject to the restric- + tions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only + trusted users should be allowed to set variables in this manner. If + the command matched is AALLLL, the SETENV tag is implied for that command; + this default may be overridden by use of the UNSETENV tag. - WWiillddccaarrddss - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob char- - acters) to be used in pathnames as well as command line - arguments in the _s_u_d_o_e_r_s file. Wildcard matching is done - via the PPOOSSIIXX _f_n_m_a_t_c_h(3) routine. Note that these are _n_o_t - regular expressions. - * Matches any set of zero or more characters. - ? Matches any single character. +1.7 January 21, 2008 6 - [...] Matches any character in the specified range. -1.7 December 10, 2007 7 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + WWiillddccaarrddss + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be + used in pathnames as well as command line arguments in the _s_u_d_o_e_r_s + file. Wildcard matching is done via the PPOOSSIIXX _f_n_m_a_t_c_h(3) routine. + Note that these are _n_o_t regular expressions. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + * Matches any set of zero or more characters. + + ? Matches any single character. + [...] 
Matches any character in the specified range. [!...] Matches any character nnoott in the specified range. - \x For any character "x", evaluates to "x". This is - used to escape special characters such as: "*", - "?", "[", and "}". + \x For any character "x", evaluates to "x". This is used to + escape special characters such as: "*", "?", "[", and "}". - Note that a forward slash ('/') will nnoott be matched by - wildcards used in the pathname. When matching the command - line arguments, however, a slash ddooeess get matched by wild- - cards. This is to make a path like: + Note that a forward slash ('/') will nnoott be matched by wildcards used + in the pathname. When matching the command line arguments, however, a + slash ddooeess get matched by wildcards. This is to make a path like: /usr/bin/* 
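Review bot: the Tag_Spec paragraph in this hunk still says there are "eight possible tag values" while listing only six (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV), and the SETENV and NOSETENV paragraph refers to an "UNSETENV tag" that is not in that list (NOSETENV is the documented opposite of SETENV). Since this regeneration only reflows and redates the text, both errors are carried over from the source the catted page is generated from; fix them there and regenerate rather than editing the .cat. The same applies to the NOPASSWD example text, where "run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore as root" repeats "as root", and to "any environment variables set on the command line way", where "way" is a stray word.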
@@ -485,45 +430,34 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The following exceptions apply to the above rules: - "" If the empty string "" is the only command line - argument in the _s_u_d_o_e_r_s entry it means that com- - mand is not allowed to be run with aannyy arguments. + "" If the empty string "" is the only command line argument in the + _s_u_d_o_e_r_s entry it means that command is not allowed to be run + with aannyy arguments. IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - It is possible to include other _s_u_d_o_e_r_s files from within - the _s_u_d_o_e_r_s file currently being parsed using the #include - directive, similar to the one used by the C preprocessor. - This is useful, for example, for keeping a site-wide _s_u_d_o_- - _e_r_s file in addition to a per-machine local one. For the - sake of this example the site-wide _s_u_d_o_e_r_s will be - _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_- - _e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_- - _e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: + It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s + file currently being parsed using the #include directive, similar to + the one used by the C preprocessor. This is useful, for example, for + keeping a site-wide _s_u_d_o_e_r_s file in addition to a per-machine local + one. For the sake of this example the site-wide _s_u_d_o_e_r_s will be + _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To + include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_e_r_s we would use the following + line in _/_e_t_c_/_s_u_d_o_e_r_s: #include /etc/sudoers.local - When ssuuddoo reaches this line it will suspend processing of - the current file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_- - _e_r_s_._l_o_c_a_l. 
Upon reaching the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, - the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. Files that - are included may themselves include other files. A hard - limit of 128 nested include files is enforced to prevent - include file loops. - - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - - The pound sign ('#') is used to indicate a comment (unless - it is part of a #include directive or unless it occurs in - the context of a user name and is followed by one or more - digits, in which case it is treated as a uid). Both the - comment character and any text after it, up to the end of - the line, are ignored. + When ssuuddoo reaches this line it will suspend processing of the current + file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching + the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be pro- + cessed. Files that are included may themselves include other files. A + hard limit of 128 nested include files is enforced to prevent include + file loops. -1.7 December 10, 2007 8 +1.7 January 21, 2008 7 
@@ -532,64 +466,64 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - The reserved word AALLLL is a built-in _a_l_i_a_s that always - causes a match to succeed. It can be used wherever one - might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, - or Host_Alias. You should not try to define your own - _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be - dangerous since in a command context, it allows the user - to run aannyy command on the system. - - An exclamation point ('!') can be used as a logical _n_o_t - operator both in an _a_l_i_a_s and in front of a Cmnd. This - allows one to exclude certain values. Note, however, that - using a ! in conjunction with the built-in ALL alias to - allow a user to run "all but a few" commands rarely works + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss + + The pound sign ('#') is used to indicate a comment (unless it is part + of a #include directive or unless it occurs in the context of a user + name and is followed by one or more digits, in which case it is treated + as a uid). Both the comment character and any text after it, up to the + end of the line, are ignored. + + The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to + succeed. It can be used wherever one might otherwise use a Cmnd_Alias, + User_Alias, Runas_Alias, or Host_Alias. You should not try to define + your own _a_l_i_a_s called AALLLL as the built-in alias will be used in prefer- + ence to your own. Please note that using AALLLL can be dangerous since in + a command context, it allows the user to run aannyy command on the system. + + An exclamation point ('!') can be used as a logical _n_o_t operator both + in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain + values. Note, however, that using a ! 
in conjunction with the built-in + ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below). - Long lines can be continued with a backslash ('\') as the - last character on the line. + Long lines can be continued with a backslash ('\') as the last charac- + ter on the line. - Whitespace between elements in a list as well as special - syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', - '(', ')') is optional. + Whitespace between elements in a list as well as special syntactic + characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. - The following characters must be escaped with a backslash - ('\') when used as part of a word (e.g. a username or - hostname): '@', '!', '=', ':', ',', '(', ')', '\'. + The following characters must be escaped with a backslash ('\') when + used as part of a word (e.g. a username or hostname): '@', '!', '=', + ':', ',', '(', ')', '\'. SSUUDDOOEERRSS OOPPTTIIOONNSS - ssuuddoo's behavior can be modified by Default_Entry lines, as - explained earlier. A list of all supported Defaults - parameters, grouped by type, are listed below. + ssuuddoo's behavior can be modified by Default_Entry lines, as explained + earlier. A list of all supported Defaults parameters, grouped by type, + are listed below. FFllaaggss: - always_set_home If set, ssuuddoo will set the HOME environment - variable to the home directory of the tar- - get user (which is root unless the --uu - option is used). This effectively means - that the --HH flag is always implied. This - flag is _o_f_f by default. - - authenticate If set, users must authenticate themselves - via a password (or other means of authen- - tication) before they may run commands. - This default may be overridden via the - PASSWD and NOPASSWD tags. 
This flag is _o_n + always_set_home If set, ssuuddoo will set the HOME environment variable to + the home directory of the target user (which is root + unless the --uu option is used). This effectively means + that the --HH flag is always implied. This flag is _o_f_f by default. - closefrom_override - If set, the user may use ssuuddoo's --CC option - which overrides the default starting point - at which ssuuddoo begins closing open file - descriptors. This flag is _o_f_f by default. + authenticate If set, users must authenticate themselves via a pass- + word (or other means of authentication) before they may + run commands. This default may be overridden via the + PASSWD and NOPASSWD tags. This flag is _o_n by default. + closefrom_override + If set, the user may use ssuuddoo's --CC option which over- + rides the default starting point at which ssuuddoo begins + closing open file descriptors. This flag is _o_f_f by + default. -1.7 December 10, 2007 9 +1.7 January 21, 2008 8 
@@ -598,64 +532,64 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - env_editor If set, vviissuuddoo will use the value of the - EDITOR or VISUAL environment variables - before falling back on the default editor - list. Note that this may create a secu- - rity hole as it allows the user to run any - arbitrary command as root without logging. - A safer alternative is to place a colon- - separated list of editors in the editor - variable. vviissuuddoo will then only use the - EDITOR or VISUAL if they match a value - specified in editor. This flag is _o_f_f by - default. + env_editor If set, vviissuuddoo will use the value of the EDITOR or + VISUAL environment variables before falling back on the + default editor list. Note that this may create a secu- + rity hole as it allows the user to run any arbitrary + command as root without logging. A safer alternative + is to place a colon-separated list of editors in the + editor variable. vviissuuddoo will then only use the EDITOR + or VISUAL if they match a value specified in editor. + This flag is _o_f_f by default. - env_reset If set, ssuuddoo will reset the environment to - only contain the LOGNAME, SHELL, USER, - USERNAME and the SUDO_* variables. Any - variables in the caller's environment that - match the env_keep and env_check lists are - then added. The default contents of the - env_keep and env_check lists are displayed - when ssuuddoo is run by root with the _-_V - option. If the _s_e_c_u_r_e___p_a_t_h option is set, - its value will be used for the PATH envi- - ronment variable. This flag is _o_n by - default. + env_reset If set, ssuuddoo will reset the environment to only contain + the LOGNAME, SHELL, USER, USERNAME and the SUDO_* vari- + ables. Any variables in the caller's environment that + match the env_keep and env_check lists are then added. + The default contents of the env_keep and env_check + lists are displayed when ssuuddoo is run by root with the + _-_V option. 
If the _s_e_c_u_r_e___p_a_t_h option is set, its value + will be used for the PATH environment variable. This + flag is _o_n by default. + + fqdn Set this flag if you want to put fully qualified host- + names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). Beware + that turning on _f_q_d_n requires ssuuddoo to make DNS lookups + which may make ssuuddoo unusable if DNS stops working (for + example if the machine is not plugged into the net- + work). Also note that you must use the host's official + name as DNS knows it. That is, you may not use a host + alias (CNAME entry) due to performance issues and the + fact that there is no way to get all aliases from DNS. + If your machine's hostname (as returned by the hostname + command) is already fully qualified you shouldn't need + to set _f_q_d_n. This flag is _o_f_f by default. + + ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the + PATH environment variable; the PATH itself is not modi- + fied. This flag is _o_f_f by default. - fqdn Set this flag if you want to put fully - qualified hostnames in the _s_u_d_o_e_r_s file. - I.e., instead of myhost you would use - myhost.mydomain.edu. You may still use - the short form if you wish (and even mix - the two). Beware that turning on _f_q_d_n - requires ssuuddoo to make DNS lookups which - may make ssuuddoo unusable if DNS stops work- - ing (for example if the machine is not - plugged into the network). Also note that - you must use the host's official name as - DNS knows it. That is, you may not use a - host alias (CNAME entry) due to perfor- - mance issues and the fact that there is no - way to get all aliases from DNS. If your - machine's hostname (as returned by the - hostname command) is already fully quali- - fied you shouldn't need to set _f_q_d_n. 
This + ignore_local_sudoers + If set via LDAP, parsing of @sysconfdir@/sudoers will + be skipped. This is intended for Enterprises that wish + to prevent the usage of local sudoers files so that + only LDAP is used. This thwarts the efforts of rogue + operators who would attempt to add roles to + @sysconfdir@/sudoers. When this option is present, + @sysconfdir@/sudoers does not even need to exist. + Since this option tells ssuuddoo how to behave when no spe- + cific LDAP entries have been matched, this sudoOption + is only meaningful for the cn=defaults section. This flag is _o_f_f by default. - ignore_dot If set, ssuuddoo will ignore '.' or '' (cur- - rent dir) in the PATH environment vari- - able; the PATH itself is not modified. - This flag is _o_f_f by default. - - ignore_local_sudoers - If set via LDAP, parsing of - @sysconfdir@/sudoers will be skipped. + insults If set, ssuuddoo will insult users when they enter an + incorrect password. This flag is _o_f_f by default. -1.7 December 10, 2007 10 +1.7 January 21, 2008 9 
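Review bot: the ignore_local_sudoers entry in this hunk renders the literal placeholder @sysconfdir@/sudoers three times; please confirm that the catted page goes through the same configure substitution as the man page source, otherwise readers of the installed sudoers.cat see the unexpanded placeholder instead of a real path such as the /etc/sudoers used in the #include example earlier in this patch.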
@@ -664,64 +598,64 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - This is intended for Enterprises that wish - to prevent the usage of local sudoers - files so that only LDAP is used. This - thwarts the efforts of rogue operators who - would attempt to add roles to - @sysconfdir@/sudoers. When this option is - present, @sysconfdir@/sudoers does not - even need to exist. Since this option - tells ssuuddoo how to behave when no specific - LDAP entries have been matched, this - sudoOption is only meaningful for the - cn=defaults section. This flag is _o_f_f by + log_host If set, the hostname will be logged in the (non-syslog) + ssuuddoo log file. This flag is _o_f_f by default. + + log_year If set, the four-digit year will be logged in the + (non-syslog) ssuuddoo log file. This flag is _o_f_f by default. - insults If set, ssuuddoo will insult users when they - enter an incorrect password. This flag is - _o_f_f by default. + long_otp_prompt When validating with a One Time Password (OPT) scheme + such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to + make it easier to cut and paste the challenge to a + local window. It's not as pretty as the default but + some people find it more convenient. This flag is _o_f_f + by default. - log_host If set, the hostname will be logged in the - (non-syslog) ssuuddoo log file. This flag is - _o_f_f by default. + mail_always Send mail to the _m_a_i_l_t_o user every time a users runs + ssuuddoo. This flag is _o_f_f by default. - log_year If set, the four-digit year will be logged - in the (non-syslog) ssuuddoo log file. This - flag is _o_f_f by default. + mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo + does not enter the correct password. This flag is _o_f_f + by default. 
- long_otp_prompt When validating with a One Time Password - (OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two- - line prompt is used to make it easier to - cut and paste the challenge to a local - window. It's not as pretty as the default - but some people find it more convenient. - This flag is _o_f_f by default. + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user exists in the _s_u_d_o_e_r_s file, but is not + allowed to run commands on the current host. This flag + is _o_f_f by default. - mail_always Send mail to the _m_a_i_l_t_o user every time a - users runs ssuuddoo. This flag is _o_f_f by + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is allowed to use ssuuddoo but the command + they are trying is not listed in their _s_u_d_o_e_r_s file + entry or is explicitly denied. This flag is _o_f_f by default. - mail_badpass Send mail to the _m_a_i_l_t_o user if the user - running ssuuddoo does not enter the correct - password. This flag is _o_f_f by default. - - mail_no_host If set, mail will be sent to the _m_a_i_l_t_o - user if the invoking user exists in the - _s_u_d_o_e_r_s file, but is not allowed to run - commands on the current host. This flag - is _o_f_f by default. + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is not in the _s_u_d_o_e_r_s file. This flag is + _o_n by default. + + noexec If set, all commands run via ssuuddoo will behave as if the + NOEXEC tag has been set, unless overridden by a EXEC + tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as + well as the "PREVENTING SHELL ESCAPES" section at the + end of this manual. This flag is _o_f_f by default. + + path_info Normally, ssuuddoo will tell the user when a command could + not be found in their PATH environment variable. 
Some + sites may wish to disable this as it could be used to + gather information on the location of executables that + the normal user does not have access to. The disadvan- + tage is that if the executable is simply not in the + user's PATH, ssuuddoo will tell the user that they are not + allowed to run it, which can be confusing. This flag + is _o_n by default. - mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o - user if the invoking user is allowed to - use ssuuddoo but the command they are trying - is not listed in their _s_u_d_o_e_r_s file entry - or is explicitly denied. This flag is _o_f_f - by default. + passprompt_override + The password prompt specified by _p_a_s_s_p_r_o_m_p_t will -1.7 December 10, 2007 11 +1.7 January 21, 2008 10 
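Review bot: the long_otp_prompt entry in this hunk abbreviates One Time Password as "(OPT)"; "(OTP)" is meant. In the same hunk, mail_always reads "every time a users runs sudo" (should be "a user runs"), noexec reads "overridden by a EXEC tag" (should be "an EXEC tag"), and noexec points the reader at "the description of NOEXEC and EXEC below" although that Tag_Spec subsection precedes SUDOERS OPTIONS in this page, so "above" is correct. All of these are carried over from the source; fix there and regenerate.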
@@ -730,130 +664,64 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - mail_no_user If set, mail will be sent to the _m_a_i_l_t_o - user if the invoking user is not in the - _s_u_d_o_e_r_s file. This flag is _o_n by default. + normally only be used if the passwod prompt provided by + systems such as PAM matches the string "Password:". If + _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always be + used. This flag is _o_f_f by default. - noexec If set, all commands run via ssuuddoo will - behave as if the NOEXEC tag has been set, - unless overridden by a EXEC tag. See the - description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as - well as the "PREVENTING SHELL ESCAPES" - section at the end of this manual. This + preserve_groups By default ssuuddoo will initialize the group vector to the + list of groups the target user is in. When _p_r_e_- + _s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group vector + is left unaltered. The real and effective group IDs, + however, are still set to match the target user. This flag is _o_f_f by default. - path_info Normally, ssuuddoo will tell the user when a - command could not be found in their PATH - environment variable. Some sites may wish - to disable this as it could be used to - gather information on the location of exe- - cutables that the normal user does not - have access to. The disadvantage is that - if the executable is simply not in the - user's PATH, ssuuddoo will tell the user that - they are not allowed to run it, which can - be confusing. This flag is _o_n by default. - - passprompt_override - The password prompt specified by - _p_a_s_s_p_r_o_m_p_t will normally only be used if - the passwod prompt provided by systems - such as PAM matches the string "Pass- - word:". If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, - _p_a_s_s_p_r_o_m_p_t will always be used. This flag - is _o_f_f by default. 
- - preserve_groups By default ssuuddoo will initialize the group - vector to the list of groups the target - user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, - the user's existing group vector is left - unaltered. The real and effective group - IDs, however, are still set to match the - target user. This flag is _o_f_f by default. - - requiretty If set, ssuuddoo will only run when the user - is logged in to a real tty. This will - disallow things like "rsh somehost sudo - ls" since _r_s_h(1) does not allocate a tty. - Because it is not possible to turn off - echo when there is no tty present, some - sites may wish to set this flag to prevent - a user from entering a visible password. + requiretty If set, ssuuddoo will only run when the user is logged in + to a real tty. This will disallow things like "rsh + somehost sudo ls" since _r_s_h(1) does not allocate a tty. + Because it is not possible to turn off echo when there + is no tty present, some sites may wish to set this flag + to prevent a user from entering a visible password. This flag is _o_f_f by default. - root_sudo If set, root is allowed to run ssuuddoo too. - Disabling this prevents users from "chain- - ing" ssuuddoo commands to get a root shell by - - - -1.7 December 10, 2007 12 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - doing something like "sudo sudo /bin/sh". - Note, however, that turning off _r_o_o_t___s_u_d_o - will also prevent root and from running - ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no - real additional security; it exists purely - for historical reasons. This flag is _o_n + root_sudo If set, root is allowed to run ssuuddoo too. Disabling + this prevents users from "chaining" ssuuddoo commands to + get a root shell by doing something like "sudo sudo + /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o + will also prevent root and from running ssuuddooeeddiitt. 
Dis- + abling _r_o_o_t___s_u_d_o provides no real additional security; + it exists purely for historical reasons. This flag is + _o_n by default. + + rootpw If set, ssuuddoo will prompt for the root password instead + of the password of the invoking user. This flag is _o_f_f by default. - rootpw If set, ssuuddoo will prompt for the root - password instead of the password of the - invoking user. This flag is _o_f_f by - default. - - runaspw If set, ssuuddoo will prompt for the password - of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t - option (defaults to root) instead of the - password of the invoking user. This flag - is _o_f_f by default. - - set_home If set and ssuuddoo is invoked with the --ss - flag the HOME environment variable will be - set to the home directory of the target - user (which is root unless the --uu option - is used). This effectively makes the --ss - flag imply --HH. This flag is _o_f_f by - default. - - set_logname Normally, ssuuddoo will set the LOGNAME, USER - and USERNAME environment variables to the - name of the target user (usually root - unless the --uu flag is given). However, - since some programs (including the RCS - revision control system) use LOGNAME to - determine the real identity of the user, - it may be desirable to change this behav- - ior. This can be done by negating the - set_logname option. Note that if the - _e_n_v___r_e_s_e_t option has not been disabled, - entries in the _e_n_v___k_e_e_p list will override - the value of _s_e_t___l_o_g_n_a_m_e. This flag is - _o_f_f by default. + runaspw If set, ssuuddoo will prompt for the password of the user + defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) + instead of the password of the invoking user. This + flag is _o_f_f by default. - setenv Allow the user to disable the _e_n_v___r_e_s_e_t - option from the command line. 
Addition- - ally, environment variables set via the - command line are not subject to the - restrictions imposed by _e_n_v___c_h_e_c_k, - _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only - trusted users should be allowed to set - variables in this manner. This flag is - _o_f_f by default. + set_home If set and ssuuddoo is invoked with the --ss flag the HOME + environment variable will be set to the home directory + of the target user (which is root unless the --uu option + is used). This effectively makes the --ss flag imply --HH. + This flag is _o_f_f by default. - shell_noargs If set and ssuuddoo is invoked with no argu- - ments it acts as if the --ss flag had been + set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME + environment variables to the name of the target user + (usually root unless the --uu flag is given). However, + since some programs (including the RCS revision control + system) use LOGNAME to determine the real identity of + the user, it may be desirable to change this behavior. + This can be done by negating the set_logname option. + Note that if the _e_n_v___r_e_s_e_t option has not been dis- + abled, entries in the _e_n_v___k_e_e_p list will override the + value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_f_f by default. -1.7 December 10, 2007 13 +1.7 January 21, 2008 11 
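Review bot: the passprompt_override entry in this hunk still carries the typo "passwod prompt", and the root_sudo entry reads "will also prevent root and from running sudoedit", where "and" is a stray word. Both come from the source rather than from the regeneration; fix them there and regenerate.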
@@ -862,64 +730,64 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - given. That is, it runs a shell as root - (the shell is determined by the SHELL - environment variable if it is set, falling - back on the shell listed in the invoking - user's /etc/passwd entry if not). This + setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the + command line. Additionally, environment variables set + via the command line are not subject to the restric- + tions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. + As such, only trusted users should be allowed to set + variables in this manner. This flag is _o_f_f by default. + + shell_noargs If set and ssuuddoo is invoked with no arguments it acts as + if the --ss flag had been given. That is, it runs a + shell as root (the shell is determined by the SHELL + environment variable if it is set, falling back on the + shell listed in the invoking user's /etc/passwd entry + if not). This flag is _o_f_f by default. + + stay_setuid Normally, when ssuuddoo executes a command the real and + effective UIDs are set to the target user (root by + default). This option changes that behavior such that + the real UID is left as the invoking user's UID. In + other words, this makes ssuuddoo act as a setuid wrapper. + This can be useful on systems that disable some poten- + tially dangerous functionality when a program is run + setuid. This option is only effective on systems with + either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. This flag is _o_f_f by default. - stay_setuid Normally, when ssuuddoo executes a command the - real and effective UIDs are set to the - target user (root by default). This - option changes that behavior such that the - real UID is left as the invoking user's - UID. In other words, this makes ssuuddoo act - as a setuid wrapper. 
This can be useful - on systems that disable some potentially - dangerous functionality when a program is - run setuid. This option is only effective - on systems with either the _s_e_t_r_e_u_i_d_(_) or - _s_e_t_r_e_s_u_i_d_(_) function. This flag is _o_f_f by - default. + targetpw If set, ssuuddoo will prompt for the password of the user + specified by the --uu flag (defaults to root) instead of + the password of the invoking user. Note that this pre- + cludes the use of a uid not listed in the passwd + database as an argument to the --uu flag. This flag is + _o_f_f by default. + + tty_tickets If set, users must authenticate on a per-tty basis. + Normally, ssuuddoo uses a directory in the ticket dir with + the same name as the user running it. With this flag + enabled, ssuuddoo will use a file named for the tty the + user is logged in on in that directory. This flag is + _o_f_f by default. - targetpw If set, ssuuddoo will prompt for the password - of the user specified by the --uu flag - (defaults to root) instead of the password - of the invoking user. Note that this pre- - cludes the use of a uid not listed in the - passwd database as an argument to the --uu - flag. This flag is _o_f_f by default. - - tty_tickets If set, users must authenticate on a per- - tty basis. Normally, ssuuddoo uses a direc- - tory in the ticket dir with the same name - as the user running it. With this flag - enabled, ssuuddoo will use a file named for - the tty the user is logged in on in that - directory. This flag is _o_f_f by default. - - use_loginclass If set, ssuuddoo will apply the defaults spec- - ified for the target user's login class if - one exists. Only available if ssuuddoo is - configured with the --with-logincap + use_loginclass If set, ssuuddoo will apply the defaults specified for the + target user's login class if one exists. Only avail- + able if ssuuddoo is configured with the --with-logincap option. This flag is _o_f_f by default. 
IInntteeggeerrss: - closefrom Before it executes a command, ssuuddoo will - close all open file descriptors other than - standard input, standard output and stan- - dard error (ie: file descriptors 0-2). - The _c_l_o_s_e_f_r_o_m option can be used to spec- - ify a different file descriptor at which - to start closing. The default is 3. + closefrom Before it executes a command, ssuuddoo will close all open + file descriptors other than standard input, standard + output and standard error (ie: file descriptors 0-2). + The _c_l_o_s_e_f_r_o_m option can be used to specify a different + file descriptor at which to start closing. The default + is 3. - passwd_tries The number of tries a user gets to enter + passwd_tries The number of tries a user gets to enter his/her -1.7 December 10, 2007 14 +1.7 January 21, 2008 12 
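Review bot: the closefrom entry in this hunk keeps the abbreviation "(ie: file descriptors 0-2)" on its regenerated `+` lines; the page uses "i.e." style elsewhere, so it should read "(i.e., file descriptors 0-2)". Since this file is formatted output, the wording change belongs in the source the page is generated from, otherwise the next regen reverts it.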
@@ -928,64 +796,64 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - his/her password before ssuuddoo logs the - failure and exits. The default is 3. + password before ssuuddoo logs the failure and exits. The + default is 3. IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - loglinelen Number of characters per line for the file - log. This value is used to decide when to - wrap lines for nicer log files. This has - no effect on the syslog log file, only the - file log. The default is 80 (use 0 or - negate the option to disable word wrap). + loglinelen Number of characters per line for the file log. This + value is used to decide when to wrap lines for nicer + log files. This has no effect on the syslog log file, + only the file log. The default is 80 (use 0 or negate + the option to disable word wrap). - passwd_timeout Number of minutes before the ssuuddoo password - prompt times out. The default is 5; set - this to 0 for no password timeout. + passwd_timeout Number of minutes before the ssuuddoo password prompt times + out. The default is 5; set this to 0 for no password + timeout. timestamp_timeout - Number of minutes that can elapse before - ssuuddoo will ask for a passwd again. The - default is 5. Set this to 0 to always - prompt for a password. If set to a value - less than 0 the user's timestamp will - never expire. This can be used to allow - users to create or delete their own times- - tamps via sudo -v and sudo -k respec- + Number of minutes that can elapse before ssuuddoo will ask + for a passwd again. The default is 5. Set this to 0 + to always prompt for a password. If set to a value + less than 0 the user's timestamp will never expire. + This can be used to allow users to create or delete + their own timestamps via sudo -v and sudo -k respec- tively. - umask Umask to use when running the command. - Negate this option or set it to 0777 to - preserve the user's umask. 
The default is - 0022. + umask Umask to use when running the command. Negate this + option or set it to 0777 to preserve the user's umask. + The default is 0022. SSttrriinnggss: - badpass_message Message that is displayed if a user enters - an incorrect password. The default is - Sorry, try again. unless insults are - enabled. - - editor A colon (':') separated list of editors - allowed to be used with vviissuuddoo. vviissuuddoo - will choose the editor that matches the - user's EDITOR environment variable if pos- - sible, or the first editor in the list - that exists and is executable. The - default is the path to vi on your system. - - mailsub Subject of the mail sent to the _m_a_i_l_t_o - user. The escape %h will expand to the - hostname of the machine. Default is *** - SECURITY information for %h ***. + badpass_message Message that is displayed if a user enters an incorrect + password. The default is Sorry, try again. unless + insults are enabled. + + editor A colon (':') separated list of editors allowed to be + used with vviissuuddoo. vviissuuddoo will choose the editor that + matches the user's EDITOR environment variable if pos- + sible, or the first editor in the list that exists and + is executable. The default is the path to vi on your + system. + + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape + %h will expand to the hostname of the machine. Default + is *** SECURITY information for %h ***. + + noexec_file Path to a shared library containing dummy versions of + the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions + that just return an error. This is used to implement + the _n_o_e_x_e_c functionality on systems that support + LD_PRELOAD or its equivalent. Defaults to + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. 
- noexec_file Path to a shared library containing dummy - versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and + passprompt The default prompt to use when asking for a password; + can be overridden via the --pp option or the SUDO_PROMPT -1.7 December 10, 2007 15 +1.7 January 21, 2008 13 
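Review bot: the timestamp_timeout description in this hunk still reads "before sudo will ask for a passwd again" on the `+` lines; "passwd" is a typo for "password" (the old `-` lines carry the same typo, so the regen simply preserved it). The fix belongs in the source the page is generated from rather than in this .cat file.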
@@ -994,262 +862,196 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - _f_e_x_e_c_v_e_(_) library functions that just - return an error. This is used to imple- - ment the _n_o_e_x_e_c functionality on systems - that support LD_PRELOAD or its equivalent. - Defaults to - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. - - passprompt The default prompt to use when asking for - a password; can be overridden via the --pp - option or the SUDO_PROMPT environment - variable. The following percent (`%') + environment variable. The following percent (`%') escapes are supported: - %H expanded to the local hostname includ- - ing the domain name (on if the - machine's hostname is fully qualified - or the _f_q_d_n option is set) + %H expanded to the local hostname including the domain + name (on if the machine's hostname is fully quali- + fied or the _f_q_d_n option is set) - %h expanded to the local hostname without - the domain name + %h expanded to the local hostname without the domain + name - %U expanded to the login name of the user - the command will be run as (defaults - to root) + %p expanded to the user whose password is being asked + for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w + flags in _s_u_d_o_e_r_s) - %u expanded to the invoking user's login - name + %U expanded to the login name of the user the command + will be run as (defaults to root) - %% two consecutive % characters are col- - lapsed into a single % character + %u expanded to the invoking user's login name + + %% two consecutive % characters are collapsed into a + single % character The default value is Password:. - runas_default The default user to run commands as if the - --uu flag is not specified on the command - line. This defaults to root. Note that - if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur + runas_default The default user to run commands as if the --uu flag is + not specified on the command line. 
This defaults to + root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur before any Runas_Alias specifications. - syslog_badpri Syslog priority to use when user authenti- - cates unsuccessfully. Defaults to alert. + syslog_badpri Syslog priority to use when user authenticates unsuc- + cessfully. Defaults to alert. - syslog_goodpri Syslog priority to use when user authenti- - cates successfully. Defaults to notice. + syslog_goodpri Syslog priority to use when user authenticates success- + fully. Defaults to notice. - timestampdir The directory in which ssuuddoo stores its - timestamp files. The default is - _/_v_a_r_/_r_u_n_/_s_u_d_o. + timestampdir The directory in which ssuuddoo stores its timestamp files. + The default is _/_v_a_r_/_r_u_n_/_s_u_d_o. - timestampowner The owner of the timestamp directory and - the timestamps stored therein. The - default is root. + timestampowner The owner of the timestamp directory and the timestamps + stored therein. The default is root. SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + exempt_group + Users in this group are exempt from password and PATH + requirements. This is not set by default. + lecture This option controls when a short lecture will be printed + along with the password prompt. It has the following pos- + sible values: -1.7 December 10, 2007 16 + always Always lecture the user. + never Never lecture the user. +1.7 January 21, 2008 14 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - exempt_group - Users in this group are exempt from password - and PATH requirements. This is not set by - default. - lecture This option controls when a short lecture will - be printed along with the password prompt. It - has the following possible values: - always Always lecture the user. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - never Never lecture the user. - once Only lecture the user the first time - they run ssuuddoo. 
+ once Only lecture the user the first time they run ssuuddoo. - If no value is specified, a value of _o_n_c_e is - implied. Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _o_n_c_e. + If no value is specified, a value of _o_n_c_e is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _o_n_c_e. lecture_file - Path to a file containing an alternate ssuuddoo - lecture that will be used in place of the - standard lecture if the named file exists. By - default, ssuuddoo uses a built-in lecture. + Path to a file containing an alternate ssuuddoo lecture that + will be used in place of the standard lecture if the named + file exists. By default, ssuuddoo uses a built-in lecture. - listpw This option controls when a password will be - required when a user runs ssuuddoo with the --ll - flag. It has the following possible values: + listpw This option controls when a password will be required when + a user runs ssuuddoo with the --ll flag. It has the following + possible values: - all All the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD - flag set to avoid entering a password. + all All the user's _s_u_d_o_e_r_s entries for the current host + must have the NOPASSWD flag set to avoid entering a + password. - always The user must always enter a password - to use the --ll flag. + always The user must always enter a password to use the --ll + flag. - any At least one of the user's _s_u_d_o_e_r_s - entries for the current host must have - the NOPASSWD flag set to avoid enter- - ing a password. + any At least one of the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD flag set to + avoid entering a password. - never The user need never enter a password - to use the --ll flag. + never The user need never enter a password to use the --ll + flag. - If no value is specified, a value of _a_n_y is - implied. 
Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _a_n_y. + If no value is specified, a value of _a_n_y is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _a_n_y. - logfile Path to the ssuuddoo log file (not the syslog log - file). Setting a path turns on logging to a - file; negating this option turns it off. By + logfile Path to the ssuuddoo log file (not the syslog log file). Set- + ting a path turns on logging to a file; negating this + option turns it off. By default, ssuuddoo logs via syslog. + mailerflags Flags to use when invoking mailer. Defaults to --tt. + mailerpath Path to mail program used to send warning mail. Defaults + to the path to sendmail found at configure time. -1.7 December 10, 2007 17 + mailto Address to send warning and error mail to. The address + should be enclosed in double quotes (") to protect against + ssuuddoo interpreting the @ sign. Defaults to root. + secure_path Path used for every command run from ssuuddoo. If you don't + trust the people running ssuuddoo to have a sane PATH environ- + ment variable you may want to use this. Another use is if + you want to have the "root path" be separate from the "user + path." Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p + option are not affected by _s_e_c_u_r_e___p_a_t_h. This is not set by + default. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +1.7 January 21, 2008 15 - default, ssuuddoo logs via syslog. - mailerflags Flags to use when invoking mailer. Defaults to - --tt. - mailerpath Path to mail program used to send warning - mail. Defaults to the path to sendmail found - at configure time. - mailto Address to send warning and error mail to. - The address should be enclosed in double - quotes (") to protect against ssuuddoo interpret- - ing the @ sign. Defaults to root. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - secure_path Path used for every command run from ssuuddoo. 
If - you don't trust the people running ssuuddoo to - have a sane PATH environment variable you may - want to use this. Another use is if you want - to have the "root path" be separate from the - "user path." Users in the group specified by - the _e_x_e_m_p_t___g_r_o_u_p option are not affected by - _s_e_c_u_r_e___p_a_t_h. This is not set by default. - syslog Syslog facility if syslog is being used for - logging (negate to disable syslog logging). - Defaults to local2. + syslog Syslog facility if syslog is being used for logging (negate + to disable syslog logging). Defaults to local2. - verifypw This option controls when a password will be - required when a user runs ssuuddoo with the --vv - flag. It has the following possible values: + verifypw This option controls when a password will be required when + a user runs ssuuddoo with the --vv flag. It has the following + possible values: - all All the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD - flag set to avoid entering a password. + all All the user's _s_u_d_o_e_r_s entries for the current host + must have the NOPASSWD flag set to avoid entering a + password. - always The user must always enter a password - to use the --vv flag. + always The user must always enter a password to use the --vv + flag. - any At least one of the user's _s_u_d_o_e_r_s - entries for the current host must have - the NOPASSWD flag set to avoid enter- - ing a password. + any At least one of the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD flag set to + avoid entering a password. - never The user need never enter a password - to use the --vv flag. + never The user need never enter a password to use the --vv + flag. - If no value is specified, a value of _a_l_l is - implied. Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _a_l_l. + If no value is specified, a value of _a_l_l is implied. 
+ Negating the option results in a value of _n_e_v_e_r being used. + The default value is _a_l_l. LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - env_check Environment variables to be removed from + env_check Environment variables to be removed from the user's + environment if the variable's value contains % or / + characters. This can be used to guard against printf- + style format vulnerabilities in poorly-written pro- + grams. The argument may be a double-quoted, space-sep- + arated list or a single value without double-quotes. + The list can be replaced, added to, deleted from, or + disabled by using the =, +=, -=, and ! operators + respectively. Regardless of whether the env_reset + option is enabled or disabled, variables specified by + env_check will be preserved in the environment if they + pass the aforementioned check. The default list of + environment variables to check is displayed when ssuuddoo + is run by root with the _-_V option. + env_delete Environment variables to be removed from the user's + environment. The argument may be a double-quoted, + space-separated list or a single value without dou- + ble-quotes. The list can be replaced, added to, + deleted from, or disabled by using the =, +=, -=, and ! + operators respectively. The default list of environ- + ment variables to remove is displayed when ssuuddoo is run + by root with the _-_V option. Note that many operating + systems will remove potentially dangerous variables + from the environment of any setuid process (such as + ssuuddoo). -1.7 December 10, 2007 18 - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - the user's environment if the variable's - value contains % or / characters. This - can be used to guard against printf-style - format vulnerabilities in poorly-written - programs. The argument may be a dou- - ble-quoted, space-separated list or a sin- - gle value without double-quotes. 
The list - can be replaced, added to, deleted from, - or disabled by using the =, +=, -=, and ! - operators respectively. Regardless of - whether the env_reset option is enabled or - disabled, variables specified by env_check - will be preserved in the environment if - they pass the aforementioned check. The - default list of environment variables to - check is displayed when ssuuddoo is run by - root with the _-_V option. - - env_delete Environment variables to be removed from - the user's environment. The argument may - be a double-quoted, space-separated list - or a single value without double-quotes. - The list can be replaced, added to, - deleted from, or disabled by using the =, - +=, -=, and ! operators respectively. The - default list of environment variables to - remove is displayed when ssuuddoo is run by - root with the _-_V option. Note that many - operating systems will remove potentially - dangerous variables from the environment - of any setuid process (such as ssuuddoo). - - env_keep Environment variables to be preserved in - the user's environment when the _e_n_v___r_e_s_e_t - option is in effect. This allows fine- - grained control over the environment - ssuuddoo-spawned processes will receive. The - argument may be a double-quoted, space- - separated list or a single value without - double-quotes. The list can be replaced, - added to, deleted from, or disabled by - using the =, +=, -=, and ! operators - respectively. The default list of vari- - ables to keep is displayed when ssuuddoo is - run by root with the _-_V option. - - When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following - values for the syslog facility (the value of the ssyysslloogg - Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee-- - mmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, - llooccaall66, and llooccaall77. 
The following syslog priorities are - supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, - and wwaarrnniinngg. - - - - -1.7 December 10, 2007 19 +1.7 January 21, 2008 16 @@ -1258,14 +1060,32 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + env_keep Environment variables to be preserved in the user's + environment when the _e_n_v___r_e_s_e_t option is in effect. + This allows fine-grained control over the environment + ssuuddoo-spawned processes will receive. The argument may + be a double-quoted, space-separated list or a single + value without double-quotes. The list can be replaced, + added to, deleted from, or disabled by using the =, +=, + -=, and ! operators respectively. The default list of + variables to keep is displayed when ssuuddoo is run by root + with the _-_V option. + + When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the + syslog facility (the value of the ssyysslloogg Parameter): aauutthhpprriivv (if your + OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, + llooccaall44, llooccaall55, llooccaall66, and llooccaall77. The following syslog priorities + are supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and wwaarrnn-- + iinngg. + FFIILLEESS _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what _/_e_t_c_/_g_r_o_u_p Local groups file _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups EEXXAAMMPPLLEESS - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of - these are a bit contrived. First, we define our _a_l_i_a_s_e_s: + Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit + contrived. First, we define our _a_l_i_a_s_e_s: # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy 
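Review bot: in the passprompt escape list of the preceding hunk, the `%H` line carries over the typo "(on if the machine's hostname is fully qualified or the fqdn option is set)"; it should read "only if". As with the rest of this regen, the correction has to go into the source the page is formatted from, or the next regen reintroduces it.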
@@ -1286,6 +1106,26 @@ EEXXAAMMPPLLEESS Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules + + + + + + + + + + + +1.7 January 21, 2008 17 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore 
@@ -1300,29 +1140,16 @@ EEXXAAMMPPLLEESS Cmnd_Alias SU = /usr/bin/su Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - Here we override some of the compiled in default values. - We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility - in all cases. We don't want to subject the full time - staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a - password, and we don't want to reset the LOGNAME, USER or - USERNAME environment variables when running commands as - root. Additionally, on the machines in the _S_E_R_V_E_R_S - Host_Alias, we keep an additional local log file and make - sure we log the year in each log line since the log - entries will be kept around for several years. Lastly, we - disable shell escapes for the commands in the PAGERS - Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). - - - -1.7 December 10, 2007 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - + Here we override some of the compiled in default values. We want ssuuddoo + to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't + want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt + need not give a password, and we don't want to reset the LOGNAME, USER + or USERNAME environment variables when running commands as root. Addi- + tionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an addi- + tional local log file and make sure we log the year in each log line + since the log entries will be kept around for several years. Lastly, + we disable shell escapes for the commands in the PAGERS Cmnd_Alias + (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). # Override built-in defaults Defaults syslog=auth 
@@ -1332,188 +1159,163 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults@SERVERS log_year, logfile=/var/log/sudo.log Defaults!PAGERS noexec - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter- - mines who may run what. + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run + what. root ALL = (ALL) ALL %wheel ALL = (ALL) ALL - We let rroooott and any user in group wwhheeeell run any command on - any host as any user. + We let rroooott and any user in group wwhheeeell run any command on any host as + any user. FULLTIMERS ALL = NOPASSWD: ALL - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run - any command on any host without authenticating themselves. + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on + any host without authenticating themselves. PARTTIMERS ALL = ALL - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run - any command on any host but they must authenticate them- - selves first (since the entry lacks the NOPASSWD tag). + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on + any host but they must authenticate themselves first (since the entry + lacks the NOPASSWD tag). jack CSNETS = ALL - The user jjaacckk may run any command on the machines in the - _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, - and 128.138.242.0). Of those networks, only 128.138.204.0 - has an explicit netmask (in CIDR notation) indicating it - is a class C network. For the other networks in _C_S_N_E_T_S, - the local machine's netmask will be used during matching. - lisa CUNETS = ALL - The user lliissaa may run any command on any host in the - _C_U_N_E_T_S alias (the class B network 128.138.0.0). 
+1.7 January 21, 2008 18 - operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ - sudoedit /etc/printcap, /usr/oper/bin/ - The ooppeerraattoorr user may run commands limited to simple main- - tenance. Here, those are commands related to backups, - killing processes, the printing system, shutting down the - system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. - joe ALL = /usr/bin/su operator - - The user jjooee may only _s_u(1) to operator. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 December 10, 2007 21 + The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias + (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of + those networks, only 128.138.204.0 has an explicit netmask (in CIDR + notation) indicating it is a class C network. For the other networks + in _C_S_N_E_T_S, the local machine's netmask will be used during matching. + lisa CUNETS = ALL + The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the + class B network 128.138.0.0). + operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ + The ooppeerraattoorr user may run commands limited to simple maintenance. + Here, those are commands related to backups, killing processes, the + printing system, shutting down the system, and any commands in the + directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + joe ALL = /usr/bin/su operator + The user jjooee may only _s_u(1) to operator. pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root - The user ppeettee is allowed to change anyone's password - except for root on the _H_P_P_A machines. Note that this - assumes _p_a_s_s_w_d(1) does not take multiple usernames on the - command line. + The user ppeettee is allowed to change anyone's password except for root on + the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take mul- + tiple usernames on the command line. 
bob SPARC = (OP) ALL : SGI = (OP) ALL - The user bboobb may run anything on the _S_P_A_R_C and _S_G_I - machines as any user listed in the _O_P Runas_Alias (rroooott - and ooppeerraattoorr). + The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user + listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). jim +biglab = ALL - The user jjiimm may run any command on machines in the _b_i_g_l_a_b - netgroup. ssuuddoo knows that "biglab" is a netgroup due to - the '+' prefix. + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the - printers as well as add and remove users, so they are - allowed to run those commands on all machines. + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands + on all machines. fred ALL = (DB) NOPASSWD: ALL - The user ffrreedd can run commands as any user in the _D_B - Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. + The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraa-- + ccllee or ssyybbaassee) without giving a password. john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except - root but he is not allowed to give _s_u(1) any flags. + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is + not allowed to give _s_u(1) any flags. - jen ALL, !SERVERS = ALL - The user jjeenn may run any command on any machine except for - those in the _S_E_R_V_E_R_S Host_Alias (master, mail, www and - ns). 
- jill SERVERS = /usr/bin/, !SU, !SHELLS +1.7 January 21, 2008 19 - For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run - any commands in the directory _/_u_s_r_/_b_i_n_/ except for those - commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. - steve CSNETS = (operator) /usr/local/op_commands/ - The user sstteevvee may run any command in the directory - /usr/local/op_commands/ but only as user operator. - - matt valkyrie = KILL +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 December 10, 2007 22 + jen ALL, !SERVERS = ALL + The user jjeenn may run any command on any machine except for those in the + _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). + jill SERVERS = /usr/bin/, !SU, !SHELLS + For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in + the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U + and _S_H_E_L_L_S Cmnd_Aliases. + steve CSNETS = (operator) /usr/local/op_commands/ -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The user sstteevvee may run any command in the directory /usr/local/op_com- + mands/ but only as user operator. + matt valkyrie = KILL - On his personal workstation, valkyrie, mmaatttt needs to be - able to kill hung processes. + On his personal workstation, valkyrie, mmaatttt needs to be able to kill + hung processes. WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias - (will, wendy, and wim), may run any command as user www - (which owns the web pages) or simply _s_u(1) to www. + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, + and wim), may run any command as user www (which owns the web pages) or + simply _s_u(1) to www. ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM - Any user may mount or unmount a CD-ROM on the machines in - the CDROM Host_Alias (orion, perseus, hercules) without - entering a password. 
This is a bit tedious for users to - type, so it is a prime candidate for encapsulating in a - shell script. + Any user may mount or unmount a CD-ROM on the machines in the CDROM + Host_Alias (orion, perseus, hercules) without entering a password. + This is a bit tedious for users to type, so it is a prime candidate for + encapsulating in a shell script. SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from - ALL using the '!' operator. A user can trivially circum- - vent this by copying the desired command to a different - name and then executing that. For example: + It is generally not effective to "subtract" commands from ALL using the + '!' operator. A user can trivially circumvent this by copying the + desired command to a different name and then executing that. For exam- + ple: bill ALL = ALL, !SU, !SHELLS - Doesn't really prevent bbiillll from running the commands - listed in _S_U or _S_H_E_L_L_S since he can simply copy those com- - mands to a different name, or use a shell escape from an - editor or other program. Therefore, these kind of - restrictions should be considered advisory at best (and - reinforced by policy). + Doesn't really prevent bbiillll from running the commands listed in _S_U or + _S_H_E_L_L_S since he can simply copy those commands to a different name, or + use a shell escape from an editor or other program. Therefore, these + kind of restrictions should be considered advisory at best (and rein- + forced by policy). PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS - Once ssuuddoo executes a program, that program is free to do - whatever it pleases, including run other programs. This - can be a security issue since it is not uncommon for a - program to allow shell escapes, which lets a user bypass - ssuuddoo's access control and logging. Common programs that - permit shell escapes include shells (obviously), editors, - paginators, mail and terminal programs. 
- - There are two basic approaches to this problem: - - restrict Avoid giving users access to commands that allow - the user to run arbitrary commands. Many edi- - tors have a restricted mode where shell escapes - are disabled, though ssuuddooeeddiitt is a better solu- - tion to running editors via ssuuddoo. Due to the - large number of programs that offer shell - escapes, restricting users to the set of pro- - grams that do not if often unworkable. + Once ssuuddoo executes a program, that program is free to do whatever it + pleases, including run other programs. This can be a security issue + since it is not uncommon for a program to allow shell escapes, which + lets a user bypass ssuuddoo's access control and logging. Common programs - noexec Many systems that support shared libraries have - -1.7 December 10, 2007 23 +1.7 January 21, 2008 20 
@@ -1522,64 +1324,64 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - the ability to override default library func- - tions by pointing an environment variable (usu- - ally LD_PRELOAD) to an alternate shared library. - On such systems, ssuuddoo's _n_o_e_x_e_c functionality can - be used to prevent a program run by ssuuddoo from - executing any other programs. Note, however, - that this applies only to native dynamically- - linked executables. Statically-linked executa- - bles and foreign executables running under - binary emulation are not affected. + that permit shell escapes include shells (obviously), editors, pagina- + tors, mail and terminal programs. + + There are two basic approaches to this problem: - To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you - can run the following as root: + restrict Avoid giving users access to commands that allow the user to + run arbitrary commands. Many editors have a restricted mode + where shell escapes are disabled, though ssuuddooeeddiitt is a better + solution to running editors via ssuuddoo. Due to the large num- + ber of programs that offer shell escapes, restricting users + to the set of programs that do not if often unworkable. + + noexec Many systems that support shared libraries have the ability + to override default library functions by pointing an environ- + ment variable (usually LD_PRELOAD) to an alternate shared + library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be + used to prevent a program run by ssuuddoo from executing any + other programs. Note, however, that this applies only to + native dynamically-linked executables. Statically-linked + executables and foreign executables running under binary emu- + lation are not affected. 
+ + To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the + following as root: sudo -V | grep "dummy exec" - If the resulting output contains a line that - begins with: + If the resulting output contains a line that begins with: File containing dummy exec functions: - then ssuuddoo may be able to replace the exec family - of functions in the standard library with its - own that simply return an error. Unfortunately, - there is no foolproof way to know whether or not - _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should - work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 - UNIX, MacOS X, and HP-UX 11.x. It is known nnoott - to work on AIX and UnixWare. _n_o_e_x_e_c is expected - to work on most operating systems that support - the LD_PRELOAD environment variable. Check your - operating system's manual pages for the dynamic - linker (usually ld.so, ld.so.1, dyld, dld.sl, - rld, or loader) to see if LD_PRELOAD is sup- - ported. - - To enable _n_o_e_x_e_c for a command, use the NOEXEC - tag as documented in the User Specification sec- - tion above. Here is that example again: + then ssuuddoo may be able to replace the exec family of functions + in the standard library with its own that simply return an + error. Unfortunately, there is no foolproof way to know + whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c + should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, + MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and + UnixWare. _n_o_e_x_e_c is expected to work on most operating sys- + tems that support the LD_PRELOAD environment variable. Check + your operating system's manual pages for the dynamic linker + (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see + if LD_PRELOAD is supported. + + To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as docu- + mented in the User Specification section above. 
Here is that + example again: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre- - vent those two commands from executing other - commands (such as a shell). If you are unsure - whether or not your system is capable of sup- - porting _n_o_e_x_e_c you can always just try it out - and see if it works. + This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i + with _n_o_e_x_e_c enabled. This will prevent those two commands + from executing other commands (such as a shell). If you are + unsure whether or not your system is capable of supporting + _n_o_e_x_e_c you can always just try it out and see if it works. - Note that restricting shell escapes is not a panacea. - Programs running as root are still capable of many poten- - tially hazardous operations (such as changing or overwrit- - ing files) that could lead to unintended privilege - -1.7 December 10, 2007 24 +1.7 January 21, 2008 21 
@@ -1588,42 +1390,42 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - escalation. In the specific case of an editor, a safer + Note that restricting shell escapes is not a panacea. Programs running + as root are still capable of many potentially hazardous operations + (such as changing or overwriting files) that could lead to unintended + privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run ssuuddooeeddiitt. SSEEEE AALLSSOO _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) CCAAVVEEAATTSS - The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo - command which locks the file and does grammatical check- - ing. It is imperative that _s_u_d_o_e_r_s be free of syntax - errors since ssuuddoo will not run with a syntactically incor- - rect _s_u_d_o_e_r_s file. - - When using netgroups of machines (as opposed to users), if - you store fully qualified hostnames in the netgroup (as is - usually the case), you either need to have the machine's - hostname be fully qualified as returned by the hostname - command or use the _f_q_d_n option in _s_u_d_o_e_r_s. + The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which + locks the file and does grammatical checking. It is imperative that + _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a syntac- + tically incorrect _s_u_d_o_e_r_s file. + + When using netgroups of machines (as opposed to users), if you store + fully qualified hostnames in the netgroup (as is usually the case), you + either need to have the machine's hostname be fully qualified as + returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. 
BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mail- - ing list, see http://www.sudo.ws/mail- - man/listinfo/sudo-users to subscribe or search the - archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied war- - ranties, including, but not limited to, the implied war- - ranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- - plete details. + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantabil- + ity and fitness for a particular purpose are disclaimed. See the + LICENSE file distributed with ssuuddoo or + http://www.sudo.ws/sudo/license.html for complete details. + @@ -1645,6 +1447,6 @@ DDIISSCCLLAAIIMMEERR -1.7 December 10, 2007 25 +1.7 January 21, 2008 22 diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index d650c33ec..84015a64f 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat 
@@ -8,60 +8,60 @@ NNAAMMEE sudoers.ldap - sudo LDAP configuration DDEESSCCRRIIPPTTIIOONN - In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be con- - figured via LAP. This can be especially useful for syn- - chronizing _s_u_d_o_e_r_s in a large, distributed environment. + In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via + LAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a + large, distributed environment. Using LDAP for _s_u_d_o_e_r_s has several benefits: - +o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. - When LDAP is used, there are only two or three LDAP - queries per invocation. This makes it especially fast - and particularly usable in LDAP environments. + +o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is + used, there are only two or three LDAP queries per invocation. + This makes it especially fast and particularly usable in LDAP envi- + ronments. + + +o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not pos- + sible to load LDAP data into the server that does not conform to + the sudoers schema, so proper syntax is guaranteed. It is still + possible to have typos in a user or host name, but this will not + prevent ssuuddoo from running. + + +o It is possible to specify per-entry options that override the + global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options + and limited options associated with user/host/commands/aliases. + The syntax is complicated and can be difficult for users to under- + stand. Placing the options directly in the entry is more natural. + + +o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking + and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates + are atomic, locking is no longer necessary. Because syntax is + checked when the data is inserted into LDAP, there is no need for a + specialized tool to check syntax. 
+ + Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in + LDAP, ssuuddoo-specific Aliases are not supported. + + For the most part, there is really no need for ssuuddoo-specific Aliases. + Unix groups or user netgroups can be used in place of User_Aliases and + RunasAliases. Host netgroups can be used in place of HostAliases. + Since Unix groups and netgroups can also be stored in LDAP there is no + real need for ssuuddoo-specific aliases. + + Cmnd_Aliases are not really required either since it is possible to + have multiple users listed in a sudoRole. Instead of defining a + Cmnd_Alias that is referenced by multiple users, one can create a sudo- + Role that contains the commands and assign multiple users to it. - +o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. - It is not possible to load LDAP data into the server - that does not conform to the sudoers schema, so proper - syntax is guaranteed. It is still possible to have - typos in a user or host name, but this will not pre- - vent ssuuddoo from running. - - +o It is possible to specify per-entry options that over- - ride the global default options. _/_e_t_c_/_s_u_d_o_e_r_s only - supports default options and limited options associ- - ated with user/host/commands/aliases. The syntax is - complicated and can be difficult for users to under- - stand. Placing the options directly in the entry is - more natural. - - +o vviissuuddoo is no longer needed. vviissuuddoo provides locking - and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since - LDAP updates are atomic, locking is no longer neces- - sary. Because syntax is checked when the data is - inserted into LDAP, there is no need for a specialized - tool to check syntax. - - Another major difference between LDAP and file-based _s_u_d_o_- - _e_r_s is that in LDAP, ssuuddoo-specific Aliases are not sup- - ported. - - For the most part, there is really no need for ssuuddoo-spe- - cific Aliases. 
Unix groups or user netgroups can be used - in place of User_Aliases and RunasAliases. Host netgroups - can be used in place of HostAliases. Since Unix groups - and netgroups can also be stored in LDAP there is no real - need for ssuuddoo-specific aliases. + SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr - Cmnd_Aliases are not really required either since it is - possible to have multiple users listed in a sudoRole. - Instead of defining a Cmnd_Alias that is referenced by - multiple users, one can create a sudoRole that contains - the commands and assign multiple users to it. + The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP con- + tainer. + Sudo first looks for the cn=default entry in the SUDOers container. If + found, the multi-valued sudoOption attribute is parsed in the same -1.7 January 20, 2008 1 +1.7 January 21, 2008 1 @@ -70,17 +70,9 @@ DDEESSCCRRIIPPTTIIOONN SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr - - The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers - LDAP container. - - Sudo first looks for the cn=default entry in the SUDOers - container. If found, the multi-valued sudoOption - attribute is parsed in the same manner as a global - Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, - the SSH_AUTH_SOCK variable will be preserved in the envi- - ronment for all users. + manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following + example, the SSH_AUTH_SOCK variable will be preserved in the environ- + ment for all users. dn: cn=defaults,ou=SUDOers,dc=example,dc=com objectClass: top 
@@ -89,63 +81,60 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) description: Default sudoOption's go here sudoOption: env_keep+=SSH_AUTH_SOCK - The equivalent of a sudoer in LDAP is a sudoRole. It con- - sists of the following components: + The equivalent of a sudoer in LDAP is a sudoRole. It consists of the + following components: ssuuddooUUsseerr - A user name, uid (prefixed with '#'), Unix group (pre- - fixed with a '%') or user netgroup (prefixed with a - '+'). + A user name, uid (prefixed with '#'), Unix group (prefixed with a + '%') or user netgroup (prefixed with a '+'). ssuuddooHHoosstt - A host name, IP address, IP network, or host netgroup - (prefixed with a '+'). The special value ALL will - match any host. + A host name, IP address, IP network, or host netgroup (prefixed + with a '+'). The special value ALL will match any host. ssuuddooCCoommmmaanndd - A Unix command with optional command line arguments, - potentially including globbing characters (aka wild - cards). The special value ALL will match any command. - If a command is prefixed with an exclamation point - '!', the user will be prohibited from running that - command. + A Unix command with optional command line arguments, potentially + including globbing characters (aka wild cards). The special value + ALL will match any command. If a command is prefixed with an + exclamation point '!', the user will be prohibited from running + that command. ssuuddooOOppttiioonn - Identical in function to the global options described - above, but specific to the sudoRole in which it - resides. + Identical in function to the global options described above, but + specific to the sudoRole in which it resides. ssuuddooRRuunnAAssUUsseerr - A user name or uid (prefixed with '#') that commands - may be run as or a Unix group (prefixed with a '%') or - user netgroup (prefixed with a '+') that contains a - list of users that commands may be run as. The spe- - cial value ALL will match any user. 
+ A user name or uid (prefixed with '#') that commands may be run as + or a Unix group (prefixed with a '%') or user netgroup (prefixed + with a '+') that contains a list of users that commands may be run + as. The special value ALL will match any user. ssuuddooRRuunnAAssGGrroouupp - A Unix group or gid (prefixed with '#') that commands + A Unix group or gid (prefixed with '#') that commands may be run + as. The special value ALL will match any group. + Each component listed above should contain a single value, but there + may be multiple instances of each component type. A sudoRole must con- + tain at least one sudoUser, sudoHost and sudoCommand. + + The following example allows users in group wheel to run any command on + any host via ssuuddoo: -1.7 January 20, 2008 2 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +1.7 January 21, 2008 2 - may be run as. The special value ALL will match any - group. - Each component listed above should contain a single value, - but there may be multiple instances of each component - type. A sudoRole must contain at least one sudoUser, - sudoHost and sudoCommand. - The following example allows users in group wheel to run - any command on any host via ssuuddoo: + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + dn: cn=%wheel,ou=SUDOers,dc=example,dc=com objectClass: top 
@@ -157,25 +146,22 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp - When looking up a sudoer using LDAP there are only two or - three LDAP queries per invocation. The first query is to - parse the global options. The second is to match against - the user's name and the groups that the user belongs to. - (The special ALL tag is matched in this query too.) If no - match is returned for the user's name and groups, a third - query returns all entries containing user netgroups and - checks to see if the user belongs to any of them. + When looking up a sudoer using LDAP there are only two or three LDAP + queries per invocation. The first query is to parse the global + options. The second is to match against the user's name and the groups + that the user belongs to. (The special ALL tag is matched in this + query too.) If no match is returned for the user's name and groups, a + third query returns all entries containing user netgroups and checks to + see if the user belongs to any of them. DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss - There are some subtle differences in the way sudoers is - handled once in LDAP. Probably the biggest is that - according to the RFC, LDAP ordering is arbitrary and you - cannot expect that Attributes and Entries are returned in - any specific order. If there are conflicting command - rules on an entry, the negative takes precedence. This is - called paranoid behavior (not necessarily the most spe- - cific match). + There are some subtle differences in the way sudoers is handled once in + LDAP. Probably the biggest is that according to the RFC, LDAP ordering + is arbitrary and you cannot expect that Attributes and Entries are + returned in any specific order. If there are conflicting command rules + on an entry, the negative takes precedence. This is called paranoid + behavior (not necessarily the most specific match). 
Here is an example: @@ -185,6 +171,16 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # Always allows all commands because ALL is matched last puddles ALL=(root) !/bin/sh,ALL + # LDAP equivalent of johnny + # Allows all commands except shell + dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role1 + sudoUser: johnny + sudoHost: ALL + sudoCommand: ALL + sudoCommand: !/bin/sh @@ -193,25 +189,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 20, 2008 3 +1.7 January 21, 2008 3 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - # LDAP equivalent of johnny - # Allows all commands except shell - dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role1 - sudoUser: johnny - sudoHost: ALL - sudoCommand: ALL - sudoCommand: !/bin/sh + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # LDAP equivalent of puddles # Notice that even though ALL comes last, it still behaves like @@ -225,9 +214,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoCommand: !/bin/sh sudoCommand: ALL - Another difference is that negations on the Host, User or - Runas are currently ignorred. For example, the following - attributes do not behave the way one might expect. + Another difference is that negations on the Host, User or Runas are + currently ignorred. For example, the following attributes do not + behave the way one might expect. # does not match all but joe # rather, does not match anyone 
@@ -245,194 +234,178 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SSuuddooeerrss SScchheemmaa - In order to use ssuuddoo's LDAP support, the ssuuddoo schema must - be installed on your LDAP server. In addition, be sure to - index the 'sudoUser' attribute. - - Two versions of the schema, one for OpenLDAP servers - (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P) and another for Netscape-derived servers - (_s_c_h_e_m_a_._i_P_l_a_n_e_t), may be found in the ssuuddoo distribution. + In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed + on your LDAP server. In addition, be sure to index the 'sudoUser' + attribute. - The schema for ssuuddoo in OpenLDAP form is included in the - EXAMPLES section. + Two versions of the schema, one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P) + and another for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), may be found + in the ssuuddoo distribution. + The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES sec- + tion. + CCoonnffiigguurriinngg llddaapp..ccoonnff + Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. + Typically, this file is shared amongst different LDAP-aware clients. + As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo + parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from + those described in the _l_d_a_p_._c_o_n_f(4) manual. -1.7 January 20, 2008 4 + Also note that on systems using the OpenLDAP libraries, default values + specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are + not used. +1.7 January 21, 2008 4 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - CCoonnffiigguurriinngg llddaapp..ccoonnff - Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific con- - figuration. Typically, this file is shared amongst dif- - ferent LDAP-aware clients. As such, most of the settings - are not ssuuddoo-specific. 
Note that ssuuddoo parses - _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ - from those described in the _l_d_a_p_._c_o_n_f(4) manual. +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - Also note that on systems using the OpenLDAP libraries, - default values specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the - user's _._l_d_a_p_r_c files are not used. - Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f - that are supported by ssuuddoo are honored. Configuration - options are listed below in upper case but are parsed in a - case-independent manner. + Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f that are sup- + ported by ssuuddoo are honored. Configuration options are listed below in + upper case but are parsed in a case-independent manner. UURRII ldap[s]://[hostname[:port]] ... - Specifies a whitespace-delimited list of one or more - URIs describing the LDAP server(s) to connect to. The - _p_r_o_t_o_c_o_l may be either llddaapp or llddaappss, the latter being - for servers that support TLS (SSL) encryption. If no - _p_o_r_t is specified, the default is port 389 for ldap:// - or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is speci- - fied, ssuuddoo will connect to llooccaallhhoosstt. Only systems - using the OpenSSL libraries support the mixing of - ldap:// and ldaps:// URIs. The Netscape-derived - libraries used on most commercial versions of Unix are - only capable of supporting one or the other. + Specifies a whitespace-delimited list of one or more URIs describ- + ing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be either + llddaapp or llddaappss, the latter being for servers that support TLS (SSL) + encryption. If no _p_o_r_t is specified, the default is port 389 for + ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, + ssuuddoo will connect to llooccaallhhoosstt. 
Only systems using the OpenSSL + libraries support the mixing of ldap:// and ldaps:// URIs. The + Netscape-derived libraries used on most commercial versions of Unix + are only capable of supporting one or the other. HHOOSSTT name[:port] ... - If no UURRII is specified, the HHOOSSTT parameter specifies a - whitespace-delimited list of LDAP servers to connect - to. Each host may include an optional _p_o_r_t separated - by a colon (':'). The HHOOSSTT parameter is deprecated in - favor of the UURRII specification and is included for - backwards compatibility. + If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- + delimited list of LDAP servers to connect to. Each host may + include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT + parameter is deprecated in favor of the UURRII specification and is + included for backwards compatibility. PPOORRTT port_number - If no UURRII is specified, the PPOORRTT parameter specifies - the default port to connect to on the LDAP server if a - HHOOSSTT parameter does not specify the port itself. If - no PPOORRTT parameter is used, the default is port 389 for - LDAP and port 636 for LDAP over TLS (SSL). The PPOORRTT - parameter is deprecated in favor of the UURRII specifica- - tion and is included for backwards compatibility. + If no UURRII is specified, the PPOORRTT parameter specifies the default + port to connect to on the LDAP server if a HHOOSSTT parameter does not + specify the port itself. If no PPOORRTT parameter is used, the default + is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The + PPOORRTT parameter is deprecated in favor of the UURRII specification and + is included for backwards compatibility. BBIINNDD__TTIIMMEELLIIMMIITT seconds - The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of - time, in seconds, to wait while trying to connect to - an LDAP server. 
If multiple UURRIIs or HHOOSSTTs are speci- - fied, this is the amount of time to wait before trying - the next one in the list. + The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in sec- + onds, to wait while trying to connect to an LDAP server. If multi- + ple UURRIIs or HHOOSSTTs are specified, this is the amount of time to wait + before trying the next one in the list. + TTIIMMEELLIIMMIITT seconds + The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, + to wait for a response to an LDAP query. + SSUUDDOOEERRSS__BBAASSEE base + The base DN to use when performing ssuuddoo LDAP queries. Typically + this is of the form ou=SUDOers,dc=example,dc=com for the domain + example.com. -1.7 January 20, 2008 5 + SSUUDDOOEERRSS__DDEEBBUUGG debug_level + This sets the debug level for ssuuddoo LDAP queries. Debugging infor- + mation is printed to the standard error. A value of 1 results in a + moderate amount of debugging information. A value of 2 shows the + results of the matches themselves. This parameter should not be + set in a production environment as the extra information is likely + to confuse users. -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +1.7 January 21, 2008 5 - TTIIMMEELLIIMMIITT seconds - The TTIIMMEELLIIMMIITT parameter specifies the amount of time, - in seconds, to wait for a response to an LDAP query. - SSUUDDOOEERRSS__BBAASSEE base - The base DN to use when performing ssuuddoo LDAP queries. - Typically this is of the form ou=SUDOers,dc=exam- - ple,dc=com for the domain example.com. - SSUUDDOOEERRSS__DDEEBBUUGG debug_level - This sets the debug level for ssuuddoo LDAP queries. - Debugging information is printed to the standard - error. A value of 1 results in a moderate amount of - debugging information. A value of 2 shows the results - of the matches themselves. This parameter should not - be set in a production environment as the extra infor- - mation is likely to confuse users. 
+ +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + BBIINNDDDDNN DN - The BBIINNDDDDNN parameter specifies the identity, in the - form of a Distinguished Name (DN), to use when per- - forming LDAP operations. If not specified, LDAP oper- - ations are performed with an anonymous identity. By - default, most LDAP servers will allow anonymous + The BBIINNDDDDNN parameter specifies the identity, in the form of a Dis- + tinguished Name (DN), to use when performing LDAP operations. If + not specified, LDAP operations are performed with an anonymous + identity. By default, most LDAP servers will allow anonymous access. BBIINNDDPPWW secret - The BBIINNDDPPWW parameter specifies the password to use - when performing LDAP operations. This is typically - used in conjunction with the BBIINNDDDDNN parameter. + The BBIINNDDPPWW parameter specifies the password to use when performing + LDAP operations. This is typically used in conjunction with the + BBIINNDDDDNN parameter. RROOOOTTBBIINNDDDDNN DN - The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in - the form of a Distinguished Name (DN), to use when - performing privileged LDAP operations, such as _s_u_d_o_e_r_s - queries. The password corresponding to the identity - should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not speci- + The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a + Distinguished Name (DN), to use when performing privileged LDAP + operations, such as _s_u_d_o_e_r_s queries. The password corresponding to + the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not speci- fied, the BBIINNDDDDNN identity is used (if any). LLDDAAPP__VVEERRSSIIOONN number - The version of the LDAP protocol to use when connect- - ing to the server. The default value is protocol ver- - sion 3. + The version of the LDAP protocol to use when connecting to the + server. The default value is protocol version 3. 
SSSSLL on/true/yes/off/false/no - If the SSSSLL parameter is set to on, true or yes, TLS - (SSL) encryption is always used when communicating - with the LDAP server. Typically, this involves con- - necting to the server on port 636 (ldaps). + If the SSSSLL parameter is set to on, true or yes, TLS (SSL) encryp- + tion is always used when communicating with the LDAP server. Typi- + cally, this involves connecting to the server on port 636 (ldaps). SSSSLL start_tls - If the SSSSLL parameter is set to start_tls, the LDAP - server connection is initiated normally and TLS - encryption is begun before the bind credentials are + If the SSSSLL parameter is set to start_tls, the LDAP server connec- + tion is initiated normally and TLS encryption is begun before the + bind credentials are sent. This has the advantage of not requiring + a dedicated port for encrypted communications. This parameter is + only supported by LDAP servers that honor the start_tls extension, + such as the OpenLDAP server. + TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no + If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS certifi- + cated to be verified. If the server's TLS certificate cannot be + verified (usually because it is signed by an unknown certificate + authority), ssuuddoo will be unable to connect to it. If TTLLSS__CCHHEECCKKPPEEEERR + is disabled, no check is made. + TTLLSS__CCAACCEERRTTFFIILLEE file name + The path to a certificate authority bundle which contains the cer- + tificates for all the Certificate Authorities the client knows to + be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only sup- + ported by the OpenLDAP libraries. -1.7 January 20, 2008 6 + TTLLSS__CCAACCEERRTTDDIIRR directory + Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory + containing individual Certificate Authority certificates, e.g. + _/_e_t_c_/_s_s_l_/_c_e_r_t_s. 
The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is + checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the +1.7 January 21, 2008 6 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - sent. This has the advantage of not requiring a dedi- - cated port for encrypted communications. This parame- - ter is only supported by LDAP servers that honor the - start_tls extension, such as the OpenLDAP server. - TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no - If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's - TLS certificated to be verified. If the server's TLS - certificate cannot be verified (usually because it is - signed by an unknown certificate authority), ssuuddoo will - be unable to connect to it. If TTLLSS__CCHHEECCKKPPEEEERR is dis- - abled, no check is made. +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - TTLLSS__CCAACCEERRTTFFIILLEE file name - The path to a certificate authority bundle which con- - tains the certificates for all the Certificate Author- - ities the client knows to be valid, e.g. - _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only supported - by the OpenLDAP libraries. - TTLLSS__CCAACCEERRTTDDIIRR directory - Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is - a directory containing individual Certificate Author- - ity certificates, e.g. _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory - specified by TTLLSS__CCAACCEERRTTDDIIRR is checked after TTLLSS__CCAACC-- - EERRTTFFIILLEE. This option is only supported by the OpenL- - DAP libraries. + OpenLDAP libraries. TTLLSS__CCEERRTT file name - The path to a file containing the client certificate - which can be used to authenticate the client to the - LDAP server. The certificate type depends on the LDAP - libraries used. + The path to a file containing the client certificate which can be + used to authenticate the client to the LDAP server. The certifi- + cate type depends on the LDAP libraries used. 
OpenLDAP: tls_cert /etc/ssl/client_cert.pem @@ -440,14 +413,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Netscape-derived: tls_cert /var/ldap/cert7.db - When using Netscape-derived libraries, this file may - also contain Certificate Authority certificates. + When using Netscape-derived libraries, this file may also contain + Certificate Authority certificates. TTLLSS__KKEEYY file name - The path to a file containing the private key which - matches the certificate specified by TTLLSS__CCEERRTT. The - private key must not be password-protected. The key - type depends on the LDAP libraries used. + The path to a file containing the private key which matches the + certificate specified by TTLLSS__CCEERRTT. The private key must not be + password-protected. The key type depends on the LDAP libraries + used. OpenLDAP: tls_cert /etc/ssl/client_key.pem 
@@ -455,92 +428,72 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Netscape-derived: tls_cert /var/ldap/key3.db - - -1.7 January 20, 2008 7 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - TTLLSS__RRAANNDDFFIILLEE file name - The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an - entropy source for systems that lack a random device. - It is generally used in conjunction with _p_r_n_g_d or _e_g_d. - This option is only supported by the OpenLDAP - libraries. + The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source + for systems that lack a random device. It is generally used in + conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by + the OpenLDAP libraries. TTLLSS__CCIIPPHHEERRSS cipher list - The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to - restrict which encryption algorithms may be used for - TLS (SSL) connections. See the OpenSSL manual for a - list of valid ciphers. This option is only supported - by the OpenLDAP libraries. + The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which + encryption algorithms may be used for TLS (SSL) connections. See + the OpenSSL manual for a list of valid ciphers. This option is + only supported by the OpenLDAP libraries. UUSSEE__SSAASSLL on/true/yes/off/false/no - Enable UUSSEE__SSAASSLL for LDAP servers that support SASL - authentication. + Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. SSAASSLL__AAUUTTHH__IIDD identity - The SASL user name to use when connecting to the LDAP - server. By default, ssuuddoo will use an anonymous con- - nection. + The SASL user name to use when connecting to the LDAP server. By + default, ssuuddoo will use an anonymous connection. RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no - Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when - connecting to an LDAP server from a privileged pro- - cess, such as ssuuddoo. 
+ Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting + to an LDAP server from a privileged process, such as ssuuddoo. RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity - The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is - enabled. + The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. - SSAASSLL__SSEECCPPRROOPPSS none/properties - SASL security properties or _n_o_n_e for no properties. - See the SASL programmer's manual for details. - KKRRBB55__CCCCNNAAMMEE file name - The path to the Kerberos 5 credential cache to use - when authenticating with the remote server. - See the ldap.conf entry in the EXAMPLES section. - CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff +1.7 January 21, 2008 7 - Sudo consults the Name Service Switch file, _/_e_t_c_/_n_s_s_- - _w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. Sudo - looks for a line beginning with sudoers: and uses this to - determine the search order. Note that ssuuddoo does not stop - searching after the first match and later matches take - precedence over earlier ones. - - The following sources are recognized: +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 20, 2008 8 + SSAASSLL__SSEECCPPRROOPPSS none/properties + SASL security properties or _n_o_n_e for no properties. See the SASL + programmer's manual for details. + KKRRBB55__CCCCNNAAMMEE file name + The path to the Kerberos 5 credential cache to use when authenti- + cating with the remote server. + See the ldap.conf entry in the EXAMPLES section. + CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + Sudo consults the Name Service Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to + specify the _s_u_d_o_e_r_s search order. Sudo looks for a line beginning with + sudoers: and uses this to determine the search order. Note that ssuuddoo + does not stop searching after the first match and later matches take + precedence over earlier ones. 
+ The following sources are recognized: files read sudoers from F ldap read sudoers from LDAP - In addition, the entry [NOTFOUND=return] will short-cir- - cuit the search if the user was not found in the preceding - source. + In addition, the entry [NOTFOUND=return] will short-circuit the search + if the user was not found in the preceding source. - To consult LDAP first followed by the local sudoers file - (if it exists), use: + To consult LDAP first followed by the local sudoers file (if it + exists), use: sudoers: ldap files @@ -548,14 +501,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoers: ldap - If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is - no sudoers line, the following default is assumed: + If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers + line, the following default is assumed: sudoers: files - Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the - underlying operating system does not use an nsswitch.conf - file. + Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying + operating system does not use an nsswitch.conf file. FFIILLEESS _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file @@ -571,25 +523,7 @@ EEXXAAMMPPLLEESS - - - - - - - - - - - - - - - - - - -1.7 January 20, 2008 9 +1.7 January 21, 2008 8 @@ -655,7 +589,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 January 20, 2008 10 +1.7 January 21, 2008 9 
@@ -708,20 +642,20 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP - The following schema is in OpenLDAP format. Simply copy - it to the schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), - add the proper include line in slapd.conf and restart - ssllaappdd. - - - - - + The following schema is in OpenLDAP format. Simply copy it to the + schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include + line in slapd.conf and restart ssllaappdd. + attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -1.7 January 20, 2008 11 +1.7 January 21, 2008 10 @@ -730,13 +664,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' 
@@ -781,54 +708,61 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoRunAsGroup $ sudoOption $ description ) ) + XXXXXX nnsssswwiittcchh..ccoonnff eexxaammppllee?? + XXXXXX mmoorree eexxhhaauussttiivvee ssuuddooeerrss llddiiff eexxaammppllee?? - - -1.7 January 20, 2008 12 +SSEEEE AALLSSOO + _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +1.7 January 21, 2008 11 - XXXXXX nnsssswwiittcchh..ccoonnff eexxaammppllee?? - XXXXXX mmoorree eexxhhaauussttiivvee ssuuddooeerrss llddiiff eexxaammppllee?? +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SSEEEE AALLSSOO - _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) CCAAVVEEAATTSS - The way that _s_u_d_o_e_r_s is parsed differs between Note that - there are differences in the way that LDAP-based _s_u_d_o_e_r_s - is parsed compared to file-based _s_u_d_o_e_r_s. See the "Dif- - ferences between LDAP and non-LDAP sudoers" section for - more information. + The way that _s_u_d_o_e_r_s is parsed differs between Note that there are dif- + ferences in the way that LDAP-based _s_u_d_o_e_r_s is parsed compared to file- + based _s_u_d_o_e_r_s. See the "Differences between LDAP and non-LDAP sudoers" + section for more information. BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mail- - ing list, see http://www.sudo.ws/mail- - man/listinfo/sudo-users to subscribe or search the - archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. 
DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied war- - ranties, including, but not limited to, the implied war- - ranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- - plete details. + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantabil- + ity and fitness for a particular purpose are disclaimed. See the + LICENSE file distributed with ssuuddoo or + http://www.sudo.ws/sudo/license.html for complete details. + + + + + + + + + + + + @@ -853,6 +787,6 @@ DDIISSCCLLAAIIMMEERR -1.7 January 20, 2008 13 +1.7 January 21, 2008 12 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index a9ba18438..2a40c0d10 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -146,7 +146,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "January 20, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers.ldap \- sudo LDAP configuration .SH "DESCRIPTION" 
@@ -174,11 +174,11 @@ limited options associated with user/host/commands/aliases. The syntax is complicated and can be difficult for users to understand. Placing the options directly in the entry is more natural. .IP "\(bu" 4 -\&\fBvisudo\fR is no longer needed. \fBvisudo\fR provides locking and -syntax checking of the \fI@sysconfdir@/sudoers\fR file. Since \s-1LDAP\s0 updates -are atomic, locking is no longer necessary. Because syntax is -checked when the data is inserted into \s-1LDAP\s0, there is no need -for a specialized tool to check syntax. +The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides +locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file. +Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary. +Because syntax is checked when the data is inserted into \s-1LDAP\s0, there +is no need for a specialized tool to check syntax. .PP Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported. diff --git a/sudoers.man.in b/sudoers.man.in index 09e040c4c..8368bd0f0 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "December 10, 2007" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -967,6 +967,11 @@ option is set) .el .IP "\f(CW%h\fR" 4 .IX Item "%h" expanded to the local hostname without the domain name +.ie n .IP "%p" 4 +.el .IP "\f(CW%p\fR" 4 +.IX Item "%p" +expanded to the user whose password is being asked for (respects the +\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR) .ie n .IP "%U" 4 .el .IP "\f(CW%U\fR" 4 .IX Item "%U" diff --git a/visudo.cat b/visudo.cat index 2035e7aaa..f2c951db1 100644 --- a/visudo.cat 
+++ b/visudo.cat 
@@ -11,91 +11,80 @@ SSYYNNOOPPSSIISS vviissuuddoo [--cc] [--qq] [--ss] [--VV] [--ff _s_u_d_o_e_r_s] DDEESSCCRRIIPPTTIIOONN - vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous - to _v_i_p_w(1m). vviissuuddoo locks the _s_u_d_o_e_r_s file against multi- - ple simultaneous edits, provides basic sanity checks, and - checks for parse errors. If the _s_u_d_o_e_r_s file is currently - being edited you will receive a message to try again + vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m). + vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, pro- + vides basic sanity checks, and checks for parse errors. If the _s_u_d_o_e_r_s + file is currently being edited you will receive a message to try again later. - There is a hard-coded list of editors that vviissuuddoo will use - set at compile-time that may be overridden via the _e_d_i_t_o_r - _s_u_d_o_e_r_s Default variable. This list defaults to the path - to _v_i(1) on your system, as determined by the _c_o_n_f_i_g_u_r_e - script. Normally, vviissuuddoo does not honor the VISUAL or - EDITOR environment variables unless they contain an editor - in the aforementioned editors list. However, if vviissuuddoo is - configured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r flag or the _e_n_v___e_d_i_- - _t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use - any the editor defines by VISUAL or EDITOR. Note that - this can be a security hole since it allows the user to - execute any program they wish simply by setting VISUAL or - EDITOR. - - vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not - save the changes if there is a syntax error. Upon finding - an error, vviissuuddoo will print a message stating the line - number(s) where the error occurred and the user will - receive the "What now?" prompt. 
At this point the user - may enter "e" to re-edit the _s_u_d_o_e_r_s file, "x" to exit - without saving the changes, or "Q" to quit and save - changes. The "Q" option should be used with extreme care - because if vviissuuddoo believes there to be a parse error, so - will ssuuddoo and no one will be able to ssuuddoo again until the - error is fixed. If "e" is typed to edit the _s_u_d_o_e_r_s file - after a parse error has been detected, the cursor will be - placed on the line where the error occurred (if the editor - supports this feature). + There is a hard-coded list of editors that vviissuuddoo will use set at com- + pile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s Default vari- + able. This list defaults to the path to _v_i(1) on your system, as + determined by the _c_o_n_f_i_g_u_r_e script. Normally, vviissuuddoo does not honor + the VISUAL or EDITOR environment variables unless they contain an edi- + tor in the aforementioned editors list. However, if vviissuuddoo is config- + ured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r flag or the _e_n_v___e_d_i_t_o_r Default variable + is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the editor defines by VISUAL or + EDITOR. Note that this can be a security hole since it allows the user + to execute any program they wish simply by setting VISUAL or EDITOR. + + vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the + changes if there is a syntax error. Upon finding an error, vviissuuddoo will + print a message stating the line number(s) where the error occurred and + the user will receive the "What now?" prompt. At this point the user + may enter "e" to re-edit the _s_u_d_o_e_r_s file, "x" to exit without saving + the changes, or "Q" to quit and save changes. The "Q" option should be + used with extreme care because if vviissuuddoo believes there to be a parse + error, so will ssuuddoo and no one will be able to ssuuddoo again until the + error is fixed. 
If "e" is typed to edit the _s_u_d_o_e_r_s file after a + parse error has been detected, the cursor will be placed on the line + where the error occurred (if the editor supports this feature). OOPPTTIIOONNSS vviissuuddoo accepts the following command line options: - -c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s - file will be checked for syntax and a message - will be printed to the standard output detail- - ing the status of _s_u_d_o_e_r_s. If the syntax - check completes successfully, vviissuuddoo will exit - with a value of 0. If a syntax error is - encountered, vviissuuddoo will exit with a value of - 1. + -c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s file will be + checked for syntax and a message will be printed to the + standard output detailing the status of _s_u_d_o_e_r_s. If the + syntax check completes successfully, vviissuuddoo will exit with + a value of 0. If a syntax error is encountered, vviissuuddoo + will exit with a value of 1. + + -f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this + option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your + choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock + file used is the specified _s_u_d_o_e_r_s file with ".tmp" + appended to it. + -q Enable qquuiieett mode. In this mode details about syntax + errors are not printed. This option is only useful when -1.7 October 20, 2007 1 +1.7 January 21, 2008 1 -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) +VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) - -f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. - With this option vviissuuddoo will edit (or check) - the _s_u_d_o_e_r_s file of your choice, instead of - the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file used - is the specified _s_u_d_o_e_r_s file with ".tmp" - appended to it. - -q Enable qquuiieett mode. In this mode details about - syntax errors are not printed. 
This option is - only useful when combined with the --cc flag. + combined with the --cc flag. - -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. - If an alias is used before it is defined, - vviissuuddoo will consider this a parse error. Note - that it is not possible to differentiate - between an alias and a hostname or username - that consists solely of uppercase letters, - digits, and the underscore ('_') character. + -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is + used before it is defined, vviissuuddoo will consider this a + parse error. Note that it is not possible to differentiate + between an alias and a hostname or username that consists + solely of uppercase letters, digits, and the underscore + ('_') character. - -V The --VV (version) option causes vviissuuddoo to print - its version number and exit. + -V The --VV (version) option causes vviissuuddoo to print its version + number and exit. EENNVVIIRROONNMMEENNTT - The following environment variables may be consulted - depending on the value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_- - _e_r_s variables: + The following environment variables may be consulted depending on the + value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s variables: VISUAL Invoked by visudo as the editor to use 
@@ -115,39 +104,37 @@ DDIIAAGGNNOOSSTTIICCSS Can't find you in the passwd database Your userid does not appear in the system passwd file. - Warning: {User,Runas,Host,Cmnd}_Alias referenced but not - defined + Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined Either you are trying to use an undeclare - {User,Runas,Host,Cmnd}_Alias or you have a user or - hostname listed that consists solely of uppercase let- - ters, digits, and the underscore ('_') character. In - the latter case, you can ignore the warnings (ssuuddoo - will not complain). In --ss (strict) mode these are + {User,Runas,Host,Cmnd}_Alias or you have a user or hostname listed + that consists solely of uppercase letters, digits, and the under- + score ('_') character. In the latter case, you can ignore the + warnings (ssuuddoo will not complain). In --ss (strict) mode these are errors, not warnings. + Warning: unused {User,Runas,Host,Cmnd}_Alias + The specified {User,Runas,Host,Cmnd}_Alias was defined but never + used. You may wish to comment out or remove the unused alias. In + --ss (strict) mode this is an error, not a warning. +SSEEEE AALLSSOO + _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) -1.7 October 20, 2007 2 +AAUUTTHHOORR + Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo + was written by: +1.7 January 21, 2008 2 -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) - Warning: unused {User,Runas,Host,Cmnd}_Alias - The specified {User,Runas,Host,Cmnd}_Alias was defined - but never used. You may wish to comment out or remove - the unused alias. In --ss (strict) mode this is an - error, not a warning. -SSEEEE AALLSSOO - _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) -AAUUTTHHOORR - Many people have worked on _s_u_d_o over the years; this ver- - sion of vviissuuddoo was written by: +VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) + Todd Miller 
@@ -155,26 +142,39 @@ AAUUTTHHOORR http://www.sudo.ws/sudo/history.html for more details. CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root - shell if the editor used by vviissuuddoo allows shell escapes. + There is no easy way to prevent a user from gaining a root shell if the + editor used by vviissuuddoo allows shell escapes. BBUUGGSS - If you feel you have found a bug in vviissuuddoo, please submit - a bug report at http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in vviissuuddoo, please submit a bug report + at http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mail- - ing list, see http://www.sudo.ws/mail- - man/listinfo/sudo-users to subscribe or search the - archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. DDIISSCCLLAAIIMMEERR - vviissuuddoo is provided ``AS IS'' and any express or implied - warranties, including, but not limited to, the implied - warranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- - plete details. + vviissuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantabil- + ity and fitness for a particular purpose are disclaimed. See the + LICENSE file distributed with ssuuddoo or + http://www.sudo.ws/sudo/license.html for complete details. + + + + + + + + + + + + + + + @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.7 October 20, 2007 3 +1.7 January 21, 2008 3 diff --git a/visudo.man.in b/visudo.man.in index cb32f061f..ecefe4477 100644 --- a/visudo.man.in +++ b/visudo.man.in 
@@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "October 20, 2007" "1.7" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" visudo \- edit the sudoers file .SH "SYNOPSIS"