From: Todd C. Miller Date: Mon, 9 Jul 2007 23:40:49 +0000 (+0000) Subject: regen X-Git-Tag: SUDO_1_7_0~491 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c0ffb8ce368ff883df497938f96d29784dcc9555;p=sudo regen --- diff --git a/sudo.man.in b/sudo.man.in index 42e6c7926..3bdcdcc90 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" @@ -163,7 +163,7 @@ sudo, sudoedit \- execute a command as another user [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR} .PP -\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] +\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file [...] .SH "DESCRIPTION" 
@@ -410,10 +410,12 @@ line arguments. It is most useful in conjunction with the \fB\-s\fR flag. .PP Environment variables to be set for the command may also be passed on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g. -\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. This is only permitted -when the \fIsetenv\fR option is set in \fIsudoers\fR or the command to -be run has the \f(CW\*(C`SETENV\*(C'\fR tag set. See sudoers(@mansectform@) -for more information. +\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the +command line are subject to the same restrictions as normal environment +variables with one important exception. If the \fIsetenv\fR option +is set in \fIsudoers\fR or the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag +set the user may set variables that would overwise be forbidden. +See sudoers(@mansectform@) for more information. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Upon successful execution of a program, the return value from \fBsudo\fR 
@@ -432,25 +434,35 @@ of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is curren unreachable. .SH "SECURITY NOTES" .IX Header "SECURITY NOTES" -\&\fBsudo\fR tries to be safe when executing external commands. Variables -that control how dynamic loading and binding is done can be used -to subvert the program that \fBsudo\fR runs. To combat this the -\&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0 -only) environment variables are removed from the environment passed -on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR, -\&\f(CW\*(C`CDPATH\*(C'\fR, \f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR, -\&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR, -\&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and -\&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the -\&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored. -Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the -\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. Environment variables -with a value beginning with \f(CW\*(C`()\*(C'\fR are also removed as they could -be interpreted as \fBbash\fR functions. If \fBsudo\fR has been -compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and -\&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment -variables that \fBsudo\fR clears is contained in the output of -\&\f(CW\*(C`sudo \-V\*(C'\fR when run as root. +\&\fBsudo\fR tries to be safe when executing external commands. 
+.PP +There are two distinct ways to deal with environment variables. +By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled. +This causes commands to be executed with a minimal environment +containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR +and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process +permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options. +There is effectively a whitelist for environment variables. +.PP +If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any +variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR +options are inherited from the invoking process. In this case, +\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it +is not possible to blacklist all potentially dangerous environment +variables, use of the default \fIenv_reset\fR behavior is encouraged. +.PP +In all cases, environment variables with a value beginning with +\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions. +The list of environment variables that \fBsudo\fR allows or denies is +contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root. +.PP +Note that the dynamic linker on most operating systems will remove +variables that can control dynamic linking from the environment of +setuid executables, including \fBsudo\fR. Depending on the operating +system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR, +\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are +removed from the environment before \fBsudo\fR even begins execution +and, as such, it is not possible for \fBsudo\fR to preserve them. 
.PP To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting current directory) last when searching for a command in the user's @@ -458,11 +470,6 @@ current directory) last when searching for a command in the user's actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed unchanged to the program that \fBsudo\fR executes. .PP -For security reasons, if your \s-1OS\s0 supports shared libraries and does -not disable user-defined library search paths for setuid programs -(most do), you should either use a linker option that disables this -behavior or link \fBsudo\fR statically. -.PP \&\fBsudo\fR will check the ownership of its timestamp directory (\fI@timedir@\fR by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than @@ -556,7 +563,7 @@ sudoers(@mansectform@). .IX Header "FILES" .Vb 2 \& @sysconfdir@/sudoers List of who can run what -\& @timedir@ Directory containing timestamps +\& @timedir@ Directory containing timestamps .Ve .SH "EXAMPLES" .IX Header "EXAMPLES" diff --git a/sudoers.man.in b/sudoers.man.in index c03b226dd..c415fb4fe 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" 
@@ -397,6 +397,260 @@ These operators are used to add to and delete from a list respectively. It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element that does not exist in a list. .PP +See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters. +.Sh "User Specification" +.IX Subsection "User Specification" +.Vb 2 +\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e +\& (':' Host_List '=' Cmnd_Spec_List)* +.Ve +.PP +.Vb 2 +\& Cmnd_Spec_List ::= Cmnd_Spec | +\& Cmnd_Spec ',' Cmnd_Spec_List +.Ve +.PP +.Vb 1 +\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd +.Ve +.PP +.Vb 1 +\& Runas_Spec ::= '(' Runas_List ')' +.Ve +.PP +.Vb 2 +\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | +\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:') +.Ve +.PP +A \fBuser specification\fR determines which commands a user may run +(and as what user) on specified hosts. By default, commands are +run as \fBroot\fR, but this can be changed on a per-command basis. +.PP +Let's break that down into its constituent parts: +.Sh "Runas_Spec" +.IX Subsection "Runas_Spec" +A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above) +enclosed in a set of parentheses. If you do not specify a +\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR +of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for +commands that follow it. What this means is that for the entry: +.PP +.Vb 1 +\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm +.Ve +.PP +The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and +\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g., +.PP +.Vb 1 +\& $ sudo -u operator /bin/ls. +.Ve +.PP +It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an +entry. 
If we modify the entry like so: +.PP +.Vb 1 +\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm +.Ve +.PP +Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, +but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. +.Sh "Tag_Spec" +.IX Subsection "Tag_Spec" +A command may have zero or more tags associated with it. There are +eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR, +\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR. +Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the +\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the +opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR +overrides \f(CW\*(C`EXEC\*(C'\fR). +.PP +\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR +.IX Subsection "NOPASSWD and PASSWD" +.PP +By default, \fBsudo\fR requires that a user authenticate him or herself +before running a command. This behavior can be modified via the +\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets +a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR. +Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things. +For example: +.PP +.Vb 1 +\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm +.Ve +.PP +would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and +\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without +authenticating himself. 
If we only want \fBray\fR to be able to +run \fI/bin/kill\fR without a password the entry would be: +.PP +.Vb 1 +\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm +.Ve +.PP +Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are +in the group specified by the \fIexempt_group\fR option. +.PP +By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries +for a user on the current host, he or she will be able to run +\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run +\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present +for all a user's entries that pertain to the current host. +This behavior may be overridden via the verifypw and listpw options. +.PP +\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR +.IX Subsection "NOEXEC and EXEC" +.PP +If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying +operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent +a dynamically-linked executable from running further commands itself. +.PP +In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR +and \fI/usr/bin/vi\fR but shell escapes will be disabled. +.PP +.Vb 1 +\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.Ve +.PP +See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details +on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system. +.PP +\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR +.IX Subsection "SETENV and NOSETENV" +.PP +These tags override the value of the \fIsetenv\fR option on a per-command +basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any +environment variables set on the command line way are not subject +to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or +\&\fIenv_keep\fR. As such, only trusted users should be allowed to set +variables in this manner. 
+.PP +\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR +.IX Subsection "MONITOR and NOMONITOR" +.PP +If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option, +the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command +to be checked against \fIsudoers\fR and logged just like they would +be if run through \fBsudo\fR directly. This is useful in conjunction +with commands that allow shell escapes such as editors, shells and +paginators. +.PP +In the following example, user \fBchuck\fR may run any command on the +machine research in monitor mode. +.PP +.Vb 1 +\& chuck research = MONITOR: ALL +.Ve +.PP +See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details +on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system. +.Sh "Wildcards" +.IX Subsection "Wildcards" +\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) +to be used in pathnames as well as command line arguments in the +\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR +\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions. +.ie n .IP "\*(C`*\*(C'" 8 +.el .IP "\f(CW\*(C`*\*(C'\fR" 8 +.IX Item "*" +Matches any set of zero or more characters. +.ie n .IP "\*(C`?\*(C'" 8 +.el .IP "\f(CW\*(C`?\*(C'\fR" 8 +.IX Item "?" +Matches any single character. +.ie n .IP "\*(C`[...]\*(C'" 8 +.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8 +.IX Item "[...]" +Matches any character in the specified range. +.ie n .IP "\*(C`[!...]\*(C'" 8 +.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8 +.IX Item "[!...]" +Matches any character \fBnot\fR in the specified range. +.ie n .IP "\*(C`\ex\*(C'" 8 +.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8 +.IX Item "x" +For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to +escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R". 
+.PP +Note that a forward slash ('/') will \fBnot\fR be matched by +wildcards used in the pathname. When matching the command +line arguments, however, a slash \fBdoes\fR get matched by +wildcards. This is to make a path like: +.PP +.Vb 1 +\& /usr/bin/* +.Ve +.PP +match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. +.Sh "Exceptions to wildcard rules" +.IX Subsection "Exceptions to wildcard rules" +The following exceptions apply to the above rules: +.ie n .IP """""" 8 +.el .IP "\f(CW``''\fR" 8 +.IX Item """""" +If the empty string \f(CW""\fR is the only command line argument in the +\&\fIsudoers\fR entry it means that command is not allowed to be run +with \fBany\fR arguments. +.Sh "Including other files from within sudoers" +.IX Subsection "Including other files from within sudoers" +It is possible to include other \fIsudoers\fR files from within the +\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR +directive, similar to the one used by the C preprocessor. This is +useful, for example, for keeping a site-wide \fIsudoers\fR file in +addition to a per-machine local one. For the sake of this example +the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine +one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR +from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR: +.PP +.Vb 1 +\& #include /etc/sudoers.local +.Ve +.PP +When \fBsudo\fR reaches this line it will suspend processing of the +current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR. +Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of +\&\fI/etc/sudoers\fR will be processed. Files that are included may +themselves include other files. A hard limit of 128 nested include +files is enforced to prevent include file loops. 
+.Sh "Other special characters and reserved words" +.IX Subsection "Other special characters and reserved words" +The pound sign ('#') is used to indicate a comment (unless it is +part of a #include directive or unless it occurs in the context of +a user name and is followed by one or more digits, in which case +it is treated as a uid). Both the comment character and any text +after it, up to the end of the line, are ignored. +.PP +The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes +a match to succeed. It can be used wherever one might otherwise +use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR. +You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the +built-in alias will be used in preference to your own. Please note +that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it +allows the user to run \fBany\fR command on the system. +.PP +An exclamation point ('!') can be used as a logical \fInot\fR operator +both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to +exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in +conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to +run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0 +\&\s-1NOTES\s0 below). +.PP +Long lines can be continued with a backslash ('\e') as the last +character on the line. +.PP +Whitespace between elements in a list as well as special syntactic +characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional. +.PP +The following characters must be escaped with a backslash ('\e') when +used as part of a word (e.g.\ a username or hostname): +\&'@', '!', '=', ':', ',', '(', ')', '\e'. +.SH "SUDOERS OPTIONS" +.IX Header "SUDOERS OPTIONS" +Sudo's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as +explained earlier. 
A list of all supported Defaults parameters, +grouped by type, are listed below. +.PP \&\fBFlags\fR: .IP "long_otp_prompt" 12 .IX Item "long_otp_prompt" @@ -655,11 +909,11 @@ to specify a different file descriptor at which to start closing. The default is 3. .IP "setenv" 12 .IX Item "setenv" -Allow the user to set additional environment variables from the -command line. Note that variables set this way are not subject to -the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or -\&\fIenv_reset\fR. As such, only trusted users should be allowed to set -variables in this manner. +Allow the user to disable the \fIenv_reset\fR option from the command +line. Additionally, environment variables set via the command line +are not subject to the restrictions imposed by \fIenv_check\fR, +\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should +be allowed to set variables in this manner. .PP \&\fBStrings\fR: .IP "mailsub" 12 
@@ -896,252 +1150,6 @@ for the syslog facility (the value of the \fBsyslog\fR Parameter): \&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \&\fBnotice\fR, and \fBwarning\fR. -.Sh "User Specification" -.IX Subsection "User Specification" -.Vb 2 -\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e -\& (':' Host_List '=' Cmnd_Spec_List)* -.Ve -.PP -.Vb 2 -\& Cmnd_Spec_List ::= Cmnd_Spec | -\& Cmnd_Spec ',' Cmnd_Spec_List -.Ve -.PP -.Vb 1 -\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd -.Ve -.PP -.Vb 1 -\& Runas_Spec ::= '(' Runas_List ')' -.Ve -.PP -.Vb 2 -\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | -\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:') -.Ve -.PP -A \fBuser specification\fR determines which commands a user may run -(and as what user) on specified hosts. By default, commands are -run as \fBroot\fR, but this can be changed on a per-command basis. -.PP -Let's break that down into its constituent parts: -.Sh "Runas_Spec" -.IX Subsection "Runas_Spec" -A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above) -enclosed in a set of parentheses. If you do not specify a -\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR -of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for -commands that follow it. What this means is that for the entry: -.PP -.Vb 1 -\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm -.Ve -.PP -The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and -\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g., -.PP -.Vb 1 -\& $ sudo -u operator /bin/ls. -.Ve -.PP -It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an -entry. 
If we modify the entry like so: -.PP -.Vb 1 -\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm -.Ve -.PP -Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, -but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. -.Sh "Tag_Spec" -.IX Subsection "Tag_Spec" -A command may have zero or more tags associated with it. There are -eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR, -\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR. -Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the -\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the -opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR -overrides \f(CW\*(C`EXEC\*(C'\fR). -.PP -\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR -.IX Subsection "NOPASSWD and PASSWD" -.PP -By default, \fBsudo\fR requires that a user authenticate him or herself -before running a command. This behavior can be modified via the -\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets -a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR. -Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things. -For example: -.PP -.Vb 1 -\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm -.Ve -.PP -would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and -\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without -authenticating himself. 
If we only want \fBray\fR to be able to -run \fI/bin/kill\fR without a password the entry would be: -.PP -.Vb 1 -\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm -.Ve -.PP -Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are -in the group specified by the \fIexempt_group\fR option. -.PP -By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries -for a user on the current host, he or she will be able to run -\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run -\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present -for all a user's entries that pertain to the current host. -This behavior may be overridden via the verifypw and listpw options. -.PP -\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR -.IX Subsection "NOEXEC and EXEC" -.PP -If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying -operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent -a dynamically-linked executable from running further commands itself. -.PP -In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR -and \fI/usr/bin/vi\fR but shell escapes will be disabled. -.PP -.Vb 1 -\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi -.Ve -.PP -See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details -on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system. -.PP -\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR -.IX Subsection "SETENV and NOSETENV" -.PP -These tags override the value of the \fIsetenv\fR option on a per-command -basis. Note that environment variables set on the command line way -are not subject to the restrictions imposed by \fIenv_check\fR, -\&\fIenv_delete\fR, or \fIenv_reset\fR. As such, only trusted users should -be allowed to set variables in this manner. 
-.PP -\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR -.IX Subsection "MONITOR and NOMONITOR" -.PP -If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option, -the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command -to be checked against \fIsudoers\fR and logged just like they would -be if run through \fBsudo\fR directly. This is useful in conjunction -with commands that allow shell escapes such as editors, shells and -paginators. -.PP -In the following example, user \fBchuck\fR may run any command on the -machine research in monitor mode. -.PP -.Vb 1 -\& chuck research = MONITOR: ALL -.Ve -.PP -See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details -on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system. -.Sh "Wildcards" -.IX Subsection "Wildcards" -\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) -to be used in pathnames as well as command line arguments in the -\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR -\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions. -.ie n .IP "\*(C`*\*(C'" 8 -.el .IP "\f(CW\*(C`*\*(C'\fR" 8 -.IX Item "*" -Matches any set of zero or more characters. -.ie n .IP "\*(C`?\*(C'" 8 -.el .IP "\f(CW\*(C`?\*(C'\fR" 8 -.IX Item "?" -Matches any single character. -.ie n .IP "\*(C`[...]\*(C'" 8 -.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8 -.IX Item "[...]" -Matches any character in the specified range. -.ie n .IP "\*(C`[!...]\*(C'" 8 -.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8 -.IX Item "[!...]" -Matches any character \fBnot\fR in the specified range. -.ie n .IP "\*(C`\ex\*(C'" 8 -.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8 -.IX Item "x" -For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to -escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R". 
-.PP -Note that a forward slash ('/') will \fBnot\fR be matched by -wildcards used in the pathname. When matching the command -line arguments, however, a slash \fBdoes\fR get matched by -wildcards. This is to make a path like: -.PP -.Vb 1 -\& /usr/bin/* -.Ve -.PP -match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. -.Sh "Exceptions to wildcard rules" -.IX Subsection "Exceptions to wildcard rules" -The following exceptions apply to the above rules: -.ie n .IP """""" 8 -.el .IP "\f(CW``''\fR" 8 -.IX Item """""" -If the empty string \f(CW""\fR is the only command line argument in the -\&\fIsudoers\fR entry it means that command is not allowed to be run -with \fBany\fR arguments. -.Sh "Including other files from within sudoers" -.IX Subsection "Including other files from within sudoers" -It is possible to include other \fIsudoers\fR files from within the -\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR -directive, similar to the one used by the C preprocessor. This is -useful, for example, for keeping a site-wide \fIsudoers\fR file in -addition to a per-machine local one. For the sake of this example -the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine -one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR -from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR: -.PP -.Vb 1 -\& #include /etc/sudoers.local -.Ve -.PP -When \fBsudo\fR reaches this line it will suspend processing of the -current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR. -Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of -\&\fI/etc/sudoers\fR will be processed. Files that are included may -themselves include other files. A hard limit of 128 nested include -files is enforced to prevent include file loops. 
-.Sh "Other special characters and reserved words" -.IX Subsection "Other special characters and reserved words" -The pound sign ('#') is used to indicate a comment (unless it is -part of a #include directive or unless it occurs in the context of -a user name and is followed by one or more digits, in which case -it is treated as a uid). Both the comment character and any text -after it, up to the end of the line, are ignored. -.PP -The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes -a match to succeed. It can be used wherever one might otherwise -use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR. -You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the -built-in alias will be used in preference to your own. Please note -that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it -allows the user to run \fBany\fR command on the system. -.PP -An exclamation point ('!') can be used as a logical \fInot\fR operator -both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to -exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in -conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to -run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0 -\&\s-1NOTES\s0 below). -.PP -Long lines can be continued with a backslash ('\e') as the last -character on the line. -.PP -Whitespace between elements in a list as well as special syntactic -characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional. -.PP -The following characters must be escaped with a backslash ('\e') when -used as part of a word (e.g.\ a username or hostname): -\&'@', '!', '=', ':', ',', '(', ')', '\e'. .SH "FILES" .IX Header "FILES" .Vb 3
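Review bot: typo in the added paragraph of the sudo.man.in hunk at @@ -410,10 +410,12 @@: "that would overwise be forbidden" should read "that would otherwise be forbidden", and the clause needs a comma after "tag set" ("...has the SETENV tag set, the user may set variables that would otherwise be forbidden"). Since this commit only regenerates the man pages, the fix belongs in the source the page is generated from; otherwise the next regen reintroduces it.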
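Review bot: grammar and naming in the new SECURITY NOTES text of the sudo.man.in hunk at @@ -432,25 +434,35 @@: "These type of variables are removed" should be "These types of variables are removed" (or "Variables of this type are removed"), and the dynamic-linker paragraph spells the variable family `_RLD*` while the text being deleted from the same section had `_RLD_*`; pick one spelling so the man page and the `sudo -V` listing it refers to agree. A second point on the env_reset-disabled paragraph: the old section enumerated the variables sudo strips (IFS, CDPATH, ENV, BASH_ENV, the KRB* and TERM* variables, TERMCAP when it is a pathname, the LC_*/LANGUAGE filtering), and the new text replaces that with a pointer to `sudo -V` run as root. A reader who disables env_reset no longer learns from this section that env_delete and env_check carry default lists covering those variables; suggest adding a cross-reference to the env_delete and env_check descriptions in sudoers(@mansectform@) next to the `sudo -V` sentence. Dropping the "link sudo statically" paragraph in the following hunk is consistent with the new explanation that the dynamic linker strips these variables before sudo starts.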
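Review bot: leftover word in the SETENV and NOSETENV paragraph of the sudoers.man.in hunk at @@ -397,6 +397,260 @@: "any environment variables set on the command line way are not subject" carries a stray "way" over from the old wording; read "any environment variables set on the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep". While the User Specification block is being relocated anyway, two slips in the moved text could go in the same pass: "as root on the machine rushmore as root" says "as root" twice, and the example `$ sudo -u operator /bin/ls.` has a trailing period inside the .Vb/.Ve block that a reader may take as part of the command. The relocation itself, the new "See SUDOERS OPTIONS" cross-reference after the Defaults operators, and the switch from env_reset to env_keep in the list of restrictions match the reworded setenv option in the @@ -655,11 +909,11 @@ hunk.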
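Review bot: cross-page consistency for the setenv option in the sudoers.man.in hunk at @@ -655,11 +909,11 @@: the new description says setenv lets the user "disable the env_reset option from the command line", but the sudo.man.in hunks in this same commit only describe passing VAR=value arguments and never say how env_reset is disabled from the command line (presumably the -E flag). Either the sudo(@mansectsu@) text at @@ -410 should name that switch and tie it to setenv/SETENV, or the sudoers text should point at sudo(@mansectsu@) for it, so both pages describe the same two mechanisms. The NOSETENV tag mentioned in the Tag_Spec grammar is also not covered by this paragraph; a sentence noting that NOSETENV re-enables the restrictions for the commands that follow would complete the pair the way the PASSWD and EXEC paragraphs do.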