From 3db8baa45f042df6b1d34c4829fc4f8c5785dc89 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 13 Aug 2011 18:35:50 -0400
Subject: [PATCH] Prepare for sudo 1.7.7
--HG--
branch : 1.7
---
 INSTALL | 4 +-
 NEWS | 30 ++
 README | 2 -
 configure | 18 +-
 configure.in | 2 +-
 sudo.cat | 545 ++++++++------------
 sudo.man.in | 2 +-
 sudoers.cat | 1165 ++++++++++++++++---------------------------
 sudoers.ldap.cat | 555 +++++++--------------
 sudoers.ldap.man.in | 12 +-
 sudoers.man.in | 24 +-
 sudoreplay.cat | 240 ++++-----
 sudoreplay.man.in | 2 +-
 visudo.cat | 172 +++----
 visudo.man.in | 2 +-
 15 files changed, 1042 insertions(+), 1733 deletions(-)
diff --git a/INSTALL b/INSTALL
index d9568d3ff..5008f35c3 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,5 +1,5 @@
-Installation instructions for Sudo 1.7
-======================================
+Sudo installation instructions
+==============================
 Sudo uses a `configure' script to probe the capabilities and type of the system in question. In this release, `configure' takes many
diff --git a/NEWS b/NEWS
index 87bac52e1..282432050 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,33 @@
+What's new in Sudo 1.7.7
+
+ * Group ownership of the sudoers file is now only enforced when
+ the file mode on sudoers allows group readability or writability.
+
+ * Visudo now checks the contents of an alias and warns about cycles
+ when the alias is expanded.
+
+ * If the user specifes a group via sudo's -g option that matches
+ the target user's group in the password database, it is now
+ allowed even if no groups are present in the Runas_Spec.
+
+ * Multi-factor authentication is now supported on AIX.
+
+ * Added support for non-RFC 4517 compliant LDAP servers that require
+ that seconds be present in a timestamp, such as Tivoli Directory Server.
+
+ * If the group vector is to be preserved, the PATH search for the
+ command is now done with the user's original group vector.
+
+ * For LDAP-based sudoers, the "runas_default" sudoOption now works
+ properly in a sudoRole that contains a sudoCommand.
+
+What's new in Sudo 1.7.6p2
+
+ * Two-character CIDR-style IPv4 netmasks are now matched correctly
+ in the sudoers file.
+
+ * A build error with MIT Kerberos V has been resolved.
+
 What's new in Sudo 1.7.6p1
 * A non-existent includedir is now treated the same as an empty
diff --git a/README b/README
index 387734f38..58a680c3a 100644
--- a/README
+++ b/README
@@ -1,5 +1,3 @@
-This is Sudo version 1.7.5
-
 The sudo philosophy
 ===================
 Sudo is a program designed to allow a sysadmin to give limited root privileges
diff --git a/configure b/configure
index f7ca48142..733232426 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for sudo 1.7.6p2. +# Generated by GNU Autoconf 2.68 for sudo 1.7.7. # # Report bugs to . #
@@ -570,8 +570,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.7.6p2' -PACKAGE_STRING='sudo 1.7.6p2' +PACKAGE_VERSION='1.7.7' +PACKAGE_STRING='sudo 1.7.7' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL=''
@@ -1433,7 +1433,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.7.6p2 to adapt to many kinds of systems. +\`configure' configures sudo 1.7.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1498,7 +1498,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.7.6p2:";; + short | recursive ) echo "Configuration of sudo 1.7.7:";; esac cat <<\_ACEOF
@@ -1716,7 +1716,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.7.6p2 +sudo configure 1.7.7 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2420,7 +2420,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.7.6p2, which was +It was created by sudo $as_me 1.7.7, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@
@@ -20363,7 +20363,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.7.6p2, which was +This file was extended by sudo $as_me 1.7.7, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES
@@ -20429,7 +20429,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.7.6p2 +sudo config.status 1.7.7 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\"
diff --git a/configure.in b/configure.in
index 962f8fce0..488b5f5ff 100644
--- a/configure.in
+++ b/configure.in
@@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script.
 dnl
 dnl Copyright (c) 1994-1996,1998-2011 Todd C. Miller
 dnl
-AC_INIT([sudo], [1.7.6p2], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.7], [http://www.sudo.ws/bugs/], [sudo])
 AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h)
 dnl
 dnl Note: this must come after AC_INIT
diff --git a/sudo.cat b/sudo.cat
index 4cee4867d..2efd5d000 100644
--- a/sudo.cat
+++ b/sudo.cat
@@ -1,150 +1,124 @@ +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - -NNAAMMEE +NAME sudo, sudoedit - execute a command as another user -SSYYNNOOPPSSIISS - ssuuddoo --hh | --KK | --kk | --LL | --VV +SYNOPSIS + sudo -h | -K | -k | -L | -V - ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] - [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] + sudo -v [-AknS] [-a auth_type] [-g group name|#gid] [-p prompt] + [-u username|#uid] - ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] - [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] + sudo -l[l] [-AknS] [-a auth_type] [-g group name|#gid] [-p prompt] + [-U user name] [-u user name|#uid] [command] - ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] - [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d] + sudo [-AbEHnPS] [-a auth_type] [-C fd] [-c class|-] + [-g group name|#gid] [-p prompt] [-r role] [-t type] + [-u user name|#uid] [VAR=value] [-i | -s] [command] - ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ... + sudoedit [-AnS] [-a auth_type] [-C fd] [-c class|-] + [-g group name|#gid] [-p prompt] [-u user name|#uid] file ... -DDEESSCCRRIIPPTTIIOONN - ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or - another user, as specified in the _s_u_d_o_e_r_s file. The real and effective +DESCRIPTION + sudo allows a permitted user to execute a command as the superuser or + another user, as specified in the sudoers file. 
The real and effective uid and gid are set to match those of the target user as specified in the passwd file and the group vector is initialized based on the group - file (unless the --PP option was specified). If the invoking user is + file (unless the -P option was specified). If the invoking user is root or if the target user is the same as the invoking user, no - password is required. Otherwise, ssuuddoo requires that users authenticate + password is required. Otherwise, sudo requires that users authenticate themselves with a password by default (NOTE: in the default configuration this is the user's password, not the root password). Once a user has been authenticated, a time stamp is updated and the user may then use sudo without a password for a short period of time (5 - minutes unless overridden in _s_u_d_o_e_r_s). + minutes unless overridden in sudoers). - When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. + When invoked as sudoedit, the -e option (described below), is implied. - ssuuddoo determines who is an authorized user by consulting the file - _/_e_t_c_/_s_u_d_o_e_r_s. By running ssuuddoo with the --vv option, a user can update - the time stamp without running a _c_o_m_m_a_n_d. If a password is required, - ssuuddoo will exit if the user's password is not entered within a + sudo determines who is an authorized user by consulting the file + /etc/sudoers. By running sudo with the -v option, a user can update + the time stamp without running a command. If a password is required, + sudo will exit if the user's password is not entered within a configurable time limit. The default password prompt timeout is 5 minutes. - If a user who is not listed in the _s_u_d_o_e_r_s file tries to run a command - via ssuuddoo, mail is sent to the proper authorities, as defined at - configure time or in the _s_u_d_o_e_r_s file (defaults to root). 
Note that + If a user who is not listed in the sudoers file tries to run a command + via sudo, mail is sent to the proper authorities, as defined at + configure time or in the sudoers file (defaults to root). Note that the mail will not be sent if an unauthorized user tries to run sudo - with the --ll or --vv option. This allows users to determine for - themselves whether or not they are allowed to use ssuuddoo. + with the -l or -v option. This allows users to determine for + themselves whether or not they are allowed to use sudo. - If ssuuddoo is run by root and the SUDO_USER environment variable is set, - ssuuddoo will use this value to determine who the actual user is. This can + If sudo is run by root and the SUDO_USER environment variable is set, + sudo will use this value to determine who the actual user is. This can be used by a user to log commands through sudo even when a root shell - has been invoked. It also allows the --ee option to remain useful even + has been invoked. It also allows the -e option to remain useful even when being run via a sudo-run script or program. Note however, that - - - -1.7.6 April 9, 2011 1 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - the sudoers lookup is still done for root, not the user specified by SUDO_USER. - ssuuddoo can log both successful and unsuccessful attempts (as well as - errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log - via _s_y_s_l_o_g(3) but this is changeable at configure time or via the - _s_u_d_o_e_r_s file. + sudo can log both successful and unsuccessful attempts (as well as + errors) to syslog(3), a log file, or both. By default sudo will log + via syslog(3) but this is changeable at configure time or via the + sudoers file. -OOPPTTIIOONNSS - ssuuddoo accepts the following command line options: +OPTIONS + sudo accepts the following command line options: - -A Normally, if ssuuddoo requires a password, it will read it from - the current terminal. 
If the --AA (_a_s_k_p_a_s_s) option is + -A Normally, if sudo requires a password, it will read it from + the current terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. Otherwise, the value specified by the - _a_s_k_p_a_s_s option in _s_u_d_o_e_r_s(4) is used. + askpass option in sudoers(4) is used. - -a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the + -a type The -a (authentication type) option causes sudo to use the specified authentication type when validating the user, as - allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may + allowed by /etc/login.conf. The system administrator may specify a list of sudo-specific authentication methods by - adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This + adding an "auth-sudo" entry in /etc/login.conf. This option is only available on systems that support BSD authentication. - -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given - command in the background. Note that if you use the --bb + -b The -b (background) option tells sudo to run the given + command in the background. Note that if you use the -b option you cannot use shell job control to manipulate the process. - -C _f_d Normally, ssuuddoo will close all open file descriptors other + -C fd Normally, sudo will close all open file descriptors other than standard input, standard output and standard error. - The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a + The -C (close from) option allows the user to specify a starting point above the standard error (file descriptor three). Values less than three are not permitted. 
This option is only available if the administrator has enabled - the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(4). + the closefrom_override option in sudoers(4). - -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified + -c class The -c (class) option causes sudo to run the specified command with resources limited by the specified login - class. The _c_l_a_s_s argument can be either a class name as - defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. - Specifying a _c_l_a_s_s of - indicates that the command should + class. The class argument can be either a class name as + defined in /etc/login.conf, or a single '-' character. + Specifying a class of - indicates that the command should be run restricted by the default login capabilities for the - user the command is run as. If the _c_l_a_s_s argument + user the command is run as. If the class argument specifies an existing user class, the command must be run - as root, or the ssuuddoo command must be run from a shell that + as root, or the sudo command must be run from a shell that is already root. This option is only available on systems with BSD login classes. - -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the - - - -1.7.6 April 9, 2011 2 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - - _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when + -E The -E (preserve environment) option will override the + env_reset option in sudoers(4)). It is only available when either the matching command has the SETENV tag or the - _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). + setenv option is set in sudoers(4). - -e The --ee (_e_d_i_t) option indicates that, instead of running a + -e The -e (edit) option indicates that, instead of running a command, the user wishes to edit one or more files. In lieu of a command, the string "sudoedit" is used when - consulting the _s_u_d_o_e_r_s file. 
If the user is authorized by - _s_u_d_o_e_r_s the following steps are taken: + consulting the sudoers file. If the user is authorized by + sudoers the following steps are taken: 1. Temporary copies are made of the files to be edited with the owner set to the invoking user. 
@@ -152,139 +126,115 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) 2. The editor specified by the SUDO_EDITOR, VISUAL or EDITOR environment variables is run to edit the temporary files. If none of SUDO_EDITOR, VISUAL or - EDITOR are set, the first program listed in the _e_d_i_t_o_r - _s_u_d_o_e_r_s variable is used. + EDITOR are set, the first program listed in the editor + sudoers variable is used. 3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. If the specified file does not exist, it will be created. - Note that unlike most commands run by ssuuddoo, the editor is + Note that unlike most commands run by sudo, the editor is run with the invoking user's environment unmodified. If, - for some reason, ssuuddoo is unable to update a file with its + for some reason, sudo is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file. - -g _g_r_o_u_p Normally, ssuuddoo sets the primary group to the one specified + -g group Normally, sudo sets the primary group to the one specified by the passwd database for the user the command is being - run as (by default, root). The --gg (_g_r_o_u_p) option causes - ssuuddoo to run the specified command with the primary group - set to _g_r_o_u_p. To specify a _g_i_d instead of a _g_r_o_u_p _n_a_m_e, - use _#_g_i_d. When running commands as a _g_i_d, many shells + run as (by default, root). The -g (group) option causes + sudo to run the specified command with the primary group + set to group. To specify a gid instead of a group name, + use #gid. When running commands as a gid, many shells require that the '#' be escaped with a backslash ('\'). If - no --uu option is specified, the command will be run as the + no -u option is specified, the command will be run as the invoking user (not root). In either case, the primary - group will be set to _g_r_o_u_p. + group will be set to group. 
- -H The --HH (_H_O_M_E) option sets the HOME environment variable to + -H The -H (HOME) option sets the HOME environment variable to the homedir of the target user (root by default) as - specified in _p_a_s_s_w_d(4). The default handling of the HOME - environment variable depends on _s_u_d_o_e_r_s(4) settings. By - default, ssuuddoo will set HOME if _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e - are set, or if _s_e_t___h_o_m_e is set and the --ss option is + specified in passwd(4). The default handling of the HOME + environment variable depends on sudoers(4) settings. By + default, sudo will set HOME if env_reset or always_set_home + are set, or if set_home is set and the -s option is specified on the command line. - -h The --hh (_h_e_l_p) option causes ssuuddoo to print a short help + -h The -h (help) option causes sudo to print a short help message to the standard output and exit. -i [command] - The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell - - - -1.7.6 April 9, 2011 3 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - - specified in the _p_a_s_s_w_d(4) entry of the target user as a + The -i (simulate initial login) option runs the shell + specified in the passwd(4) entry of the target user as a login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. - ssuuddoo attempts to change to that user's home directory + sudo attempts to change to that user's home directory before running the shell. It also initializes the - environment, leaving _D_I_S_P_L_A_Y and _T_E_R_M unchanged, setting - _H_O_M_E, _M_A_I_L, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and _P_A_T_H, as well as the - contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t on Linux and AIX systems. 
All + environment, leaving DISPLAY and TERM unchanged, setting + HOME, MAIL, SHELL, USER, LOGNAME, and PATH, as well as the + contents of /etc/environment on Linux and AIX systems. All other environment variables are removed. - -K The --KK (sure _k_i_l_l) option is like --kk except that it removes + -K The -K (sure kill) option is like -k except that it removes the user's time stamp entirely and may not be used in conjunction with a command or other option. This option does not require a password. - -k When used by itself, the --kk (_k_i_l_l) option to ssuuddoo + -k When used by itself, the -k (kill) option to sudo invalidates the user's time stamp by setting the time on it - to the Epoch. The next time ssuuddoo is run a password will be + to the Epoch. The next time sudo is run a password will be required. This option does not require a password and was - added to allow a user to revoke ssuuddoo permissions from a + added to allow a user to revoke sudo permissions from a .logout file. When used in conjunction with a command or an option that - may require a password, the --kk option will cause ssuuddoo to - ignore the user's time stamp file. As a result, ssuuddoo will - prompt for a password (if one is required by _s_u_d_o_e_r_s) and + may require a password, the -k option will cause sudo to + ignore the user's time stamp file. As a result, sudo will + prompt for a password (if one is required by sudoers) and will not update the user's time stamp file. - -L The --LL (_l_i_s_t defaults) option will list the parameters that - may be set in a _D_e_f_a_u_l_t_s line along with a short + -L The -L (list defaults) option will list the parameters that + may be set in a Defaults line along with a short description for each. This option will be removed from a - future version of ssuuddoo. + future version of sudo. 
- -l[l] [_c_o_m_m_a_n_d] - If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list + -l[l] [command] + If no command is specified, the -l (list) option will list the allowed (and forbidden) commands for the invoking user - (or the user specified by the --UU option) on the current - host. If a _c_o_m_m_a_n_d is specified and is permitted by - _s_u_d_o_e_r_s, the fully-qualified path to the command is + (or the user specified by the -U option) on the current + host. If a command is specified and is permitted by + sudoers, the fully-qualified path to the command is displayed along with any command line arguments. If - _c_o_m_m_a_n_d is specified but not allowed, ssuuddoo will exit with a - status value of 1. If the --ll option is specified with an ll - argument (i.e. --llll), or if --ll is specified multiple times, + command is specified but not allowed, sudo will exit with a + status value of 1. If the -l option is specified with an l + argument (i.e. -ll), or if -l is specified multiple times, a longer list format is used. - -n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from + -n The -n (non-interactive) option prevents sudo from prompting the user for a password. If a password is - required for the command to run, ssuuddoo will display an error + required for the command to run, sudo will display an error messages and exit. - -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to + -P The -P (preserve group vector) option causes sudo to preserve the invoking user's group vector unaltered. By - - - -1.7.6 April 9, 2011 4 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - - default, ssuuddoo will initialize the group vector to the list + default, sudo will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. 
- -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default + -p prompt The -p (prompt) option allows you to override the default password prompt and use a custom one. The following percent (`%') escapes are supported: %H expanded to the local host name including the domain name (on if the machine's host name is fully qualified - or the _f_q_d_n _s_u_d_o_e_r_s option is set) + or the fqdn sudoers option is set) %h expanded to the local host name without the domain name %p expanded to the user whose password is being asked for - (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in - _s_u_d_o_e_r_s) + (respects the rootpw, targetpw and runaspw flags in + sudoers) %U expanded to the login name of the user the command will be run as (defaults to root) 
@@ -294,218 +244,183 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) %% two consecutive % characters are collapsed into a single % character - The prompt specified by the --pp option will override the + The prompt specified by the -p option will override the system password prompt on systems that support PAM unless - the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. + the passprompt_override flag is disabled in sudoers. - -r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security - context to have the role specified by _r_o_l_e. + -r role The -r (role) option causes the new (SELinux) security + context to have the role specified by role. - -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from + -S The -S (stdin) option causes sudo to read the password from the standard input instead of the terminal device. The password must be followed by a newline character. -s [command] - The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L + The -s (shell) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified - in _p_a_s_s_w_d(4). If a command is specified, it is passed to + in passwd(4). If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. - -t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security - context to have the type specified by _t_y_p_e. If no type is + -t type The -t (type) option causes the new (SELinux) security + context to have the type specified by type. If no type is specified, the default type is derived from the specified role. - -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the - --ll option to specify the user whose privileges should be - listed. 
Only root or a user with ssuuddoo ALL on the current + -U user The -U (other user) option is used in conjunction with the + -l option to specify the user whose privileges should be + listed. Only root or a user with sudo ALL on the current host may use this option. - - - -1.7.6 April 9, 2011 5 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - - -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified - command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as - a _u_i_d, many shells require that the '#' be escaped with a - backslash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option - is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands + -u user The -u (user) option causes sudo to run the specified + command as a user other than root. To specify a uid + instead of a user name, use #uid. When running commands as + a uid, many shells require that the '#' be escaped with a + backslash ('\'). Note that if the targetpw Defaults option + is set (see sudoers(4)) it is not possible to run commands with a uid not listed in the password database. - -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version + -V The -V (version) option causes sudo to print the version number and exit. If the invoking user is already root the - --VV option will print out a list of the defaults ssuuddoo was + -V option will print out a list of the defaults sudo was compiled with as well as the machine's local network addresses. - -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the + -v If given the -v (validate) option, sudo will update the user's time stamp, prompting for the user's password if - necessary. This extends the ssuuddoo timeout for another 5 - minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but + necessary. 
This extends the sudo timeout for another 5 + minutes (or whatever the timeout is set to in sudoers) but does not run a command. - -- The ---- option indicates that ssuuddoo should stop processing + -- The -- option indicates that sudo should stop processing command line arguments. Environment variables to be set for the command may also be passed on - the command line in the form of VVAARR=_v_a_l_u_e, e.g. - LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command + the command line in the form of VAR=value, e.g. + LD_LIBRARY_PATH=/usr/local/pkg/lib. Variables passed on the command line are subject to the same restrictions as normal environment - variables with one important exception. If the _s_e_t_e_n_v option is set in - _s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command + variables with one important exception. If the setenv option is set in + sudoers, the command to be run has the SETENV tag set or the command matched is ALL, the user may set variables that would overwise be - forbidden. See _s_u_d_o_e_r_s(4) for more information. + forbidden. See sudoers(4) for more information. -RREETTUURRNN VVAALLUUEESS - Upon successful execution of a program, the exit status from ssuuddoo will +RETURN VALUES + Upon successful execution of a program, the exit status from sudo will simply be the exit status of the program that was executed. - Otherwise, ssuuddoo quits with an exit value of 1 if there is a - configuration/permission problem or if ssuuddoo cannot execute the given + Otherwise, sudo quits with an exit value of 1 if there is a + configuration/permission problem or if sudo cannot execute the given command. In the latter case the error string is printed to stderr. If - ssuuddoo cannot _s_t_a_t(2) one or more entries in the user's PATH an error is + sudo cannot stat(2) one or more entries in the user's PATH an error is printed on stderr. 
(If the directory does not exist or if it is not really a directory, the entry is ignored and no error is printed.) This should not happen under normal circumstances. The most common - reason for _s_t_a_t(2) to return "permission denied" is if you are running + reason for stat(2) to return "permission denied" is if you are running an automounter and one of the directories in your PATH is on a machine that is currently unreachable. -SSEECCUURRIITTYY NNOOTTEESS - ssuuddoo tries to be safe when executing external commands. +SECURITY NOTES + sudo tries to be safe when executing external commands. There are two distinct ways to deal with environment variables. By - default, the _e_n_v___r_e_s_e_t _s_u_d_o_e_r_s option is enabled. This causes commands + default, the env_reset sudoers option is enabled. This causes commands to be executed with a minimal environment containing TERM, PATH, HOME, SHELL, LOGNAME, USER and USERNAME in addition to variables from the - - - -1.7.6 April 9, 2011 6 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - - invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p _s_u_d_o_e_r_s + invoking process permitted by the env_check and env_keep sudoers options. There is effectively a whitelist for environment variables. - If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, any variables - not explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are - inherited from the invoking process. In this case, _e_n_v___c_h_e_c_k and - _e_n_v___d_e_l_e_t_e behave like a blacklist. Since it is not possible to + If, however, the env_reset option is disabled in sudoers, any variables + not explicitly denied by the env_check and env_delete options are + inherited from the invoking process. In this case, env_check and + env_delete behave like a blacklist. 
Since it is not possible to blacklist all potentially dangerous environment variables, use of the - default _e_n_v___r_e_s_e_t behavior is encouraged. + default env_reset behavior is encouraged. In all cases, environment variables with a value beginning with () are - removed as they could be interpreted as bbaasshh functions. The list of - environment variables that ssuuddoo allows or denies is contained in the + removed as they could be interpreted as bash functions. The list of + environment variables that sudo allows or denies is contained in the output of sudo -V when run as root. Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of - setuid executables, including ssuuddoo. Depending on the operating system + setuid executables, including sudo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These type of variables are removed from the environment - before ssuuddoo even begins execution and, as such, it is not possible for - ssuuddoo to preserve them. + before sudo even begins execution and, as such, it is not possible for + sudo to preserve them. - To prevent command spoofing, ssuuddoo checks "." and "" (both denoting + To prevent command spoofing, sudo checks "." and "" (both denoting current directory) last when searching for a command in the user's PATH (if one or both are in the PATH). Note, however, that the actual PATH - environment variable is _n_o_t modified and is passed unchanged to the - program that ssuuddoo executes. + environment variable is not modified and is passed unchanged to the + program that sudo executes. 
- ssuuddoo will check the ownership of its time stamp directory - (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is + sudo will check the ownership of its time stamp directory + (/var/adm/sudo by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. On - systems that allow non-root users to give away files via _c_h_o_w_n(2), if + systems that allow non-root users to give away files via chown(2), if the time stamp directory is located in a directory writable by anyone - (e.g., _/_t_m_p), it is possible for a user to create the time stamp - directory before ssuuddoo is run. However, because ssuuddoo checks the + (e.g., /tmp), it is possible for a user to create the time stamp + directory before sudo is run. However, because sudo checks the ownership and mode of the directory and its contents, the only damage that can be done is to "hide" files by putting them in the time stamp dir. This is unlikely to happen since once the time stamp dir is owned by root and inaccessible by any other user, the user placing files there would be unable to get them back out. To get around this issue you can use a directory that is not world-writable for the time stamps - (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or create _/_v_a_r_/_a_d_m_/_s_u_d_o with the + (/var/adm/sudo for instance) or create /var/adm/sudo with the appropriate owner (root) and permissions (0700) in the system startup files. - ssuuddoo will not honor time stamps set far in the future. Timestamps with + sudo will not honor time stamps set far in the future. Timestamps with a date greater than current_time + 2 * TIMEOUT will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own time stamp with a bogus date on systems that allow users to give away files. 
- On systems where the boot time is available, ssuuddoo will also not honor + On systems where the boot time is available, sudo will also not honor time stamps from before the machine booted. - - -1.7.6 April 9, 2011 7 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to login, run a - command with ssuuddoo after authenticating, logout, login again, and run - ssuuddoo without authenticating so long as the time stamp file's + command with sudo after authenticating, logout, login again, and run + sudo without authenticating so long as the time stamp file's modification time is within 5 minutes (or whatever the timeout is set - to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled in _s_u_d_o_e_r_s, the + to in sudoers). When the tty_tickets option is enabled in sudoers, the time stamp has per-tty granularity but still may outlive the user's session. On Linux systems where the devpts filesystem is used, Solaris systems with the devices filesystem, as well as other systems that utilize a devfs filesystem that monotonically increase the inode number - of devices as they are created (such as Mac OS X), ssuuddoo is able to + of devices as they are created (such as Mac OS X), sudo is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available. - Please note that ssuuddoo will normally only log the command it explicitly + Please note that sudo will normally only log the command it explicitly runs. If a user runs a command such as sudo su or sudo sh, subsequent - commands run from that shell will _n_o_t be logged, nor will ssuuddoo's access + commands run from that shell will not be logged, nor will sudo's access control affect them. The same is true for commands that offer shell escapes (including most editors). 
Because of this, care must be taken - when giving users access to commands via ssuuddoo to verify that the + when giving users access to commands via sudo to verify that the command does not inadvertently give the user an effective root shell. For more information, please see the PREVENTING SHELL ESCAPES section - in _s_u_d_o_e_r_s(4). + in sudoers(4). -EENNVVIIRROONNMMEENNTT - ssuuddoo utilizes the following environment variables: +ENVIRONMENT + sudo utilizes the following environment variables: - EDITOR Default editor to use in --ee (sudoedit) mode if neither + EDITOR Default editor to use in -e (sudoedit) mode if neither SUDO_EDITOR nor VISUAL is set - MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set + MAIL In -i mode or when env_reset is enabled in sudoers, set to the mail spool of the target user - HOME Set to the home directory of the target user if --ii or - --HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set - in _s_u_d_o_e_r_s, or when the --ss option is specified and - _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s + HOME Set to the home directory of the target user if -i or + -H are specified, env_reset or always_set_home are set + in sudoers, or when the -s option is specified and + set_home is set in sudoers - PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option + PATH Set to a sane value if the secure_path sudoers option is set. SHELL Used to determine shell to run with -s option @@ -516,22 +431,10 @@ EENNVVIIRROONNMMEENNTT SUDO_COMMAND Set to the command run by sudo - SUDO_EDITOR Default editor to use in --ee (sudoedit) mode + SUDO_EDITOR Default editor to use in -e (sudoedit) mode SUDO_GID Set to the group ID of the user who invoked sudo - - - -1.7.6 April 9, 2011 8 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - SUDO_PROMPT Used as the default password prompt SUDO_PS1 If set, PS1 will be set to its value for the program 
@@ -541,22 +444,22 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO_USER Set to the login of the user who invoked sudo - USER Set to the target user (root unless the --uu option is + USER Set to the target user (root unless the -u option is specified) - VISUAL Default editor to use in --ee (sudoedit) mode if + VISUAL Default editor to use in -e (sudoedit) mode if SUDO_EDITOR is not set -FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what +FILES + /etc/sudoers List of who can run what - _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps + /var/adm/sudo Directory containing time stamps - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on Linux and + /etc/environment Initial environment for -i mode on Linux and AIX -EEXXAAMMPPLLEESS - Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. +EXAMPLES + Note: the following examples assume suitable sudoers(4) entries. To get a file listing of an unreadable directory: @@ -567,7 +470,7 @@ EEXXAAMMPPLLEESS $ sudo -u yaz ls ~yaz - To edit the _i_n_d_e_x_._h_t_m_l file as user www: + To edit the index.html file as user www: $ sudo -u www vi ~www/htdocs/index.html 
@@ -587,39 +490,28 @@ EEXXAAMMPPLLEESS Note that this runs the commands in a sub-shell to make the cd and file redirection work. - - -1.7.6 April 9, 2011 9 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" -SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(5), - _v_i_s_u_d_o(1m) +SEE ALSO + grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(5), + visudo(1m) -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists +AUTHORS + Many people have worked on sudo over the years; this version consists of code written primarily by: Todd C. Miller - See the HISTORY file in the ssuuddoo distribution or visit - http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. + See the HISTORY file in the sudo distribution or visit + http://www.sudo.ws/sudo/history.html for a short history of sudo. -CCAAVVEEAATTSS +CAVEATS There is no easy way to prevent a user from gaining a root shell if - that user is allowed to run arbitrary commands via ssuuddoo. Also, many + that user is allowed to run arbitrary commands via sudo. Also, many programs (such as editors) allow the user to run commands via shell - escapes, thus avoiding ssuuddoo's checks. However, on most systems it is - possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. - See the _s_u_d_o_e_r_s(4) manual for details. + escapes, thus avoiding sudo's checks. However, on most systems it is + possible to prevent shell escapes with sudo's noexec functionality. + See the sudoers(4) manual for details. It is not meaningful to run the cd command directly via sudo, e.g., 
@@ -632,29 +524,26 @@ CCAAVVEEAATTSS their own program that gives them a root shell regardless of any '!' elements in the user specification. - Running shell scripts via ssuuddoo can expose the same kernel bugs that + Running shell scripts via sudo can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems (if your OS has a /dev/fd/ directory, setuid shell scripts are generally safe). -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at +BUGS + If you feel you have found a bug in sudo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ -SSUUPPPPOORRTT +SUPPORT Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, +DISCLAIMER + sudo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or + See the LICENSE file distributed with sudo or http://www.sudo.ws/sudo/license.html for complete details. - -1.7.6 April 9, 2011 10 - - +1.7.7 August 13, 2011 SUDO(1m) diff --git a/sudo.man.in b/sudo.man.in index 09f1508b4..54749bfba 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/sudoers.cat b/sudoers.cat index 2a7a521ce..502557a70 100644 --- a/sudoers.cat +++ b/sudoers.cat 
@@ -1,14 +1,12 @@ +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - -NNAAMMEE +NAME sudoers - list of which users may execute what -DDEESSCCRRIIPPTTIIOONN - The _s_u_d_o_e_r_s file is composed of two types of entries: aliases +DESCRIPTION + The sudoers file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). @@ -16,17 +14,17 @@ DDEESSCCRRIIPPTTIIOONN Where there are multiple matches, the last match is used (which is not necessarily the most specific match). - The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur + The sudoers grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you don't know what EBNF is; it is fairly simple, and the definitions below are annotated. - QQuuiicckk gguuiiddee ttoo EEBBNNFF + Quick guide to EBNF EBNF is a concise and exact way of describing the grammar of a - language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., + language. Each EBNF definition is made up of production rules. E.g., symbol ::= definition | alternate1 | alternate2 ... - Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for + Each production rule references others and thus makes up a grammar for the language. EBNF also contains the following operators, which many readers will recognize from regular expressions. Do not, however, confuse them with "wildcard" characters, which have different meanings. @@ -44,7 +42,7 @@ DDEESSCCRRIIPPTTIIOONN will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name). - AAlliiaasseess + Aliases There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. 
@@ -59,35 +57,23 @@ DDEESSCCRRIIPPTTIIOONN Host_Alias ::= NAME '=' Host_List - - -1.7.6 April 9, 2011 1 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - Cmnd_Alias ::= NAME '=' Cmnd_List NAME ::= [A-Z]([A-Z][0-9]_)* - Each _a_l_i_a_s definition is of the form + Each alias definition is of the form Alias_Type NAME = item1, item2, ... - where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or + where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and - underscore characters ('_'). A NAME mmuusstt start with an uppercase + underscore characters ('_'). A NAME must start with an uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon (':'). E.g., Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 - The definitions of what constitutes a valid _a_l_i_a_s member follow. + The definitions of what constitutes a valid alias member follow. User_List ::= User | User ',' User_List @@ -125,17 +111,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" - - -1.7.6 April 9, 2011 2 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Note that quotes around group names are optional. Unquoted strings must use a backslash (\) to escape spaces and special characters. See "Other special characters and reserved words" for a list of characters 
@@ -172,7 +147,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) A Host_List is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. If you do not - specify a netmask along with the network number, ssuuddoo will query each + specify a netmask along with the network number, sudo will query each of the local host's network interfaces and, if the network number corresponds to one of the hosts's network interfaces, the corresponding netmask will be used. The netmask may be specified either in standard @@ -180,8 +155,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) CIDR notation (number of bits, e.g. 24 or 64). A host name may include shell-style wildcards (see the Wildcards section below), but unless the host name command on your machine returns the fully qualified host - name, you'll need to use the _f_q_d_n option for wildcards to be useful. - Note ssuuddoo only inspects actual network interfaces; this means that IP + name, you'll need to use the fqdn option for wildcards to be useful. + Note sudo only inspects actual network interfaces; this means that IP address 127.0.0.1 (localhost) will never match. Also, the host name "localhost" will only match if that is the actual host name, which is usually only the case for non-networked systems. @@ -190,18 +165,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd ',' Cmnd_List commandname ::= file name | - - - -1.7.6 April 9, 2011 3 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - file name args | file name '""' 
@@ -216,7 +179,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) simple file name allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate - that the command may only be run wwiitthhoouutt command line arguments. A + that the command may only be run without command line arguments. A directory is a fully qualified path name ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein). @@ -226,10 +189,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) (or match the wildcards if there are any). Note that the following characters must be escaped with a '\' if they are used in command arguments: ',', ':', '=', '\'. The special command "sudoedit" is used - to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It + to permit a user to run sudo with the -e option (or as sudoedit). It may take command line arguments just as a normal command does. - DDeeffaauullttss + Defaults Certain configuration options may be changed from their default values at runtime via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a @@ -254,20 +217,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Parameter '-=' Value | '!'* Parameter - Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are + Parameters may be flags, integer values, strings, or lists. Flags are implicitly boolean and can be turned off via the '!' operator. Some - - - -1.7.6 April 9, 2011 4 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - integer, string and list parameters may also be used in a boolean context to disable them. Values may be enclosed in double quotes (") when they contain multiple words. Special characters may be escaped 
@@ -283,7 +234,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) See "SUDOERS OPTIONS" for a list of supported Defaults parameters. - UUsseerr SSppeecciiffiiccaattiioonn + User Specification User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ (':' Host_List '=' Cmnd_Spec_List)* 
@@ -300,47 +251,35 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') - A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as - what user) on specified hosts. By default, commands are run as rroooott, + A user specification determines which commands a user may run (and as + what user) on specified hosts. By default, commands are run as root, but this can be changed on a per-command basis. The basic structure of a user specification is `who where = (as_whom) what'. Let's break that down into its constituent parts: - RRuunnaass__SSppeecc + Runas_Spec A Runas_Spec determines the user and/or the group that a command may be run as. A fully-specified Runas_Spec consists of two Runas_Lists (as defined above) separated by a colon (':') and enclosed in a set of parentheses. The first Runas_List indicates which users the command - may be run as via ssuuddoo's --uu option. The second defines a list of - groups that can be specified via ssuuddoo's --gg option. If both Runas_Lists + may be run as via sudo's -u option. The second defines a list of + groups that can be specified via sudo's -g option. If both Runas_Lists are specified, the command may be run with any combination of users and groups listed in their respective Runas_Lists. If only the first is - specified, the command may be run as any user in the list but no --gg + specified, the command may be run as any user in the list but no -g option may be specified. If the first Runas_List is empty but the second is specified, the command may be run as the invoking user with the group set to any listed in the Runas_List. If no Runas_Spec is - specified the command may be run as rroooott and no group may be specified. - - - - -1.7.6 April 9, 2011 5 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - + specified the command may be run as root and no group may be specified. 
A Runas_Spec sets the default for the commands that follow it. What this means is that for the entry: dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only - as ooppeerraattoorr. E.g., + The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only + as operator. E.g., $ sudo -u operator /bin/ls @@ -349,11 +288,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l - and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill + and /usr/bin/lprm as root. - We can extend this to allow ddggbb to run /bin/ls with either the user or - group set to ooppeerraattoorr: + We can extend this to allow dgb to run /bin/ls with either the user or + group set to operator: dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ /usr/bin/lprm 
@@ -368,46 +307,34 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) $ sudo -u operator -g operator /bin/ls $ sudo -g operator /bin/ls - In the following example, user ttccmm may run commands that access a modem + In the following example, user tcm may run commands that access a modem device file with the dialer group. tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom Note that in this example only the group will be set, the command still - runs as user ttccmm. E.g. + runs as user tcm. E.g. $ sudo -g dialer /usr/bin/cu Multiple users and groups may be present in a Runas_Spec, in which case - the user may select any combination of users and groups via the --uu and - --gg options. In this example: + the user may select any combination of users and groups via the -u and + -g options. In this example: alan ALL = (root, bin : operator, system) ALL - user aallaann may run any command as either user root or bin, optionally + user alan may run any command as either user root or bin, optionally setting the group to operator or system. - - - -1.7.6 April 9, 2011 6 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - SSEELLiinnuuxx__SSppeecc - On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an + SELinux_Spec + On systems with SELinux support, sudoers entries may optionally have an SELinux role and/or type associated with a command. If a role or type is specified with the command it will override any default values - specified in _s_u_d_o_e_r_s. A role or type specified on the command line, - however, will supercede the values in _s_u_d_o_e_r_s. + specified in sudoers. A role or type specified on the command line, + however, will supercede the values in sudoers. - TTaagg__SSppeecc + Tag_Spec A command may have zero or more tags associated with it. There are eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a 
@@ -415,9 +342,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the tag unless it is overridden by the opposite tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + NOPASSWD and PASSWD - By default, ssuuddoo requires that a user authenticate him or herself + By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the @@ -425,15 +352,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m - as rroooott on the machine rushmore without authenticating himself. If we - only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry + would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm + as root on the machine rushmore without authenticating himself. If we + only want ray to be able to run /bin/kill without a password the entry would be: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm Note, however, that the PASSWD tag has no effect on users who are in - the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + the group specified by the exempt_group option. By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she will be able to run sudo -l without 
@@ -442,61 +369,49 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) pertain to the current host. This behavior may be overridden via the verifypw and listpw options. - _N_O_E_X_E_C _a_n_d _E_X_E_C + NOEXEC and EXEC - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + If sudo has been compiled with noexec support and the underlying operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + In the following example, user aaron may run /usr/bin/more and + /usr/bin/vi but shell escapes will be disabled. aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the "PREVENTING SHELL ESCAPES" section below for more details on - - - -1.7.6 April 9, 2011 7 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - how NOEXEC works and whether or not it will work on your system. - _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V + SETENV and NOSETENV - These tags override the value of the _s_e_t_e_n_v option on a per-command + These tags override the value of the setenv option on a per-command basis. Note that if SETENV has been set for a command, the user may - disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. + disable the env_reset option from the command line via the -E option. Additionally, environment variables set on the command line are not - subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or - _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set - variables in this manner. If the command matched is AALLLL, the SETENV + subject to the restrictions imposed by env_check, env_delete, or + env_keep. As such, only trusted users should be allowed to set + variables in this manner. 
If the command matched is ALL, the SETENV tag is implied for that command; this default may be overridden by use of the NOSETENV tag. - _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T + LOG_INPUT and NOLOG_INPUT - These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___i_n_p_u_t in the + These tags override the value of the log_input option on a per-command + basis. For more information, see the description of log_input in the "SUDOERS OPTIONS" section below. - _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T + LOG_OUTPUT and NOLOG_OUTPUT - These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the + These tags override the value of the log_output option on a per-command + basis. For more information, see the description of log_output in the "SUDOERS OPTIONS" section below. - WWiillddccaarrddss - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be + Wildcards + sudo allows shell-style wildcards (aka meta or glob characters) to be used in host names, path names and command line arguments in the - _s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and - _f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions. + sudoers file. Wildcard matching is done via the POSIX glob(3) and + fnmatch(3) routines. Note that these are not regular expressions. * Matches any set of zero or more characters. 
@@ -504,61 +419,50 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) [...] Matches any character in the specified range. - [!...] Matches any character nnoott in the specified range. + [!...] Matches any character not in the specified range. \x For any character "x", evaluates to "x". This is used to escape special characters such as: "*", "?", "[", and "}". - POSIX character classes may also be used if your system's _g_l_o_b(3) and - _f_n_m_a_t_c_h(3) functions support them. However, because the ':' character - has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: + POSIX character classes may also be used if your system's glob(3) and + fnmatch(3) functions support them. However, because the ':' character + has special meaning in sudoers, it must be escaped. For example: /bin/ls [[\:alpha\:]]* Would match any file name beginning with a letter. - Note that a forward slash ('/') will nnoott be matched by wildcards used + Note that a forward slash ('/') will not be matched by wildcards used in the path name. When matching the command line arguments, however, a - slash ddooeess get matched by wildcards. This is to make a path like: - - - -1.7.6 April 9, 2011 8 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - + slash does get matched by wildcards. This is to make a path like: /usr/bin/* - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + match /usr/bin/who but not /usr/bin/X11/xterm. - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess + Exceptions to wildcard rules The following exceptions apply to the above rules: "" If the empty string "" is the only command line argument in the - _s_u_d_o_e_r_s entry it means that command is not allowed to be run - with aannyy arguments. + sudoers entry it means that command is not allowed to be run + with any arguments. 
- IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s + Including other files from within sudoers + It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. - This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in + This can be used, for example, to keep a site-wide sudoers file in addition to a local, per-machine file. For the sake of this example - the site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will - be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within - _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: + the site-wide sudoers will be /etc/sudoers and the per-machine one will + be /etc/sudoers.local. To include /etc/sudoers.local from within + /etc/sudoers we would use the following line in /etc/sudoers: #include /etc/sudoers.local - When ssuuddoo reaches this line it will suspend processing of the current - file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching - the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be + When sudo reaches this line it will suspend processing of the current + file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching + the end of /etc/sudoers.local, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. 
@@ -568,57 +472,45 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) #include /etc/sudoers.%h - will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. + will cause sudo to include the file /etc/sudoers.xerxes. - The #includedir directive can be used to create a _s_u_d_o_._d directory that - the system package manager can drop _s_u_d_o_e_r_s rules into as part of + The #includedir directive can be used to create a sudo.d directory that + the system package manager can drop sudoers rules into as part of package installation. For example, given: #includedir /etc/sudoers.d - ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that + sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character to avoid causing problems with package manager or editor temporary/backup files. Files are parsed in - sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed - before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is - lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr - _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes + sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed + before /etc/sudoers.d/10_second. Be aware that because the sorting is + lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after + /etc/sudoers.d/10_second. Using a consistent number of leading zeroes in the file names can be used to avoid such problems. - Note that unlike files included via #include, vviissuuddoo will not edit the - - - -1.7.6 April 9, 2011 9 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - + Note that unlike files included via #include, visudo will not edit the files in a #includedir directory unless one of them contains a syntax - error. 
It is still possible to run vviissuuddoo with the -f flag to edit the + error. It is still possible to run visudo with the -f flag to edit the files directly. - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss + Other special characters and reserved words The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more digits, in which case it is treated as a uid). Both the comment character and any text after it, up to the end of the line, are ignored. - The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to + The reserved word ALL is a built-in alias that always causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or Host_Alias. You should not try to define - your own _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be dangerous - since in a command context, it allows the user to run aannyy command on + your own alias called ALL as the built-in alias will be used in + preference to your own. Please note that using ALL can be dangerous + since in a command context, it allows the user to run any command on the system. - An exclamation point ('!') can be used as a logical _n_o_t operator both - in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain + An exclamation point ('!') can be used as a logical not operator both + in an alias and in front of a Cmnd. This allows one to exclude certain values. Note, however, that using a ! in conjunction with the built-in ALL alias to allow a user to run "all but a few" commands rarely works as intended (see SECURITY NOTES below). 
@@ -627,114 +519,90 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) character on the line. Whitespace between elements in a list as well as special syntactic - characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. + characters in a User Specification ('=', ':', '(', ')') is optional. The following characters must be escaped with a backslash ('\') when used as part of a word (e.g. a user name or host name): '!', '=', ':', ',', '(', ')', '\'. -SSUUDDOOEERRSS OOPPTTIIOONNSS - ssuuddoo's behavior can be modified by Default_Entry lines, as explained +SUDOERS OPTIONS + sudo's behavior can be modified by Default_Entry lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, are listed below. - BBoooolleeaann FFllaaggss: + Boolean Flags: - always_set_home If enabled, ssuuddoo will set the HOME environment variable + always_set_home If enabled, sudo will set the HOME environment variable to the home directory of the target user (which is root - unless the --uu option is used). This effectively means - that the --HH option is always implied. Note that HOME - is already set when the the _e_n_v___r_e_s_e_t option is - enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for - configurations where either _e_n_v___r_e_s_e_t is disabled or - HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f + unless the -u option is used). This effectively means + that the -H option is always implied. Note that HOME + is already set when the the env_reset option is + enabled, so always_set_home is only effective for + configurations where either env_reset is disabled or + HOME is present in the env_keep list. This flag is off by default. authenticate If set, users must authenticate themselves via a password (or other means of authentication) before they - - - -1.7.6 April 9, 2011 10 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - may run commands. 
This default may be overridden via - the PASSWD and NOPASSWD tags. This flag is _o_n by + the PASSWD and NOPASSWD tags. This flag is on by default. closefrom_override - If set, the user may use ssuuddoo's --CC option which - overrides the default starting point at which ssuuddoo - begins closing open file descriptors. This flag is _o_f_f + If set, the user may use sudo's -C option which + overrides the default starting point at which sudo + begins closing open file descriptors. This flag is off by default. - compress_io If set, and ssuuddoo is configured to log a command's input - or output, the I/O logs will be compressed using zzlliibb. - This flag is _o_n by default when ssuuddoo is compiled with - zzlliibb support. + compress_io If set, and sudo is configured to log a command's input + or output, the I/O logs will be compressed using zlib. + This flag is on by default when sudo is compiled with + zlib support. - env_editor If set, vviissuuddoo will use the value of the EDITOR or + env_editor If set, visudo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to run any arbitrary command as root without logging. A safer alternative is to place a colon-separated list of - editors in the editor variable. vviissuuddoo will then only + editors in the editor variable. visudo will then only use the EDITOR or VISUAL if they match a value - specified in editor. This flag is _o_f_f by default. + specified in editor. This flag is off by default. - env_reset If set, ssuuddoo will reset the environment to only contain + env_reset If set, sudo will reset the environment to only contain the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_* variables. Any variables in the caller's environment that match the env_keep and env_check lists are then added. 
The default contents of the env_keep and - env_check lists are displayed when ssuuddoo is run by root - with the _-_V option. If the _s_e_c_u_r_e___p_a_t_h option is set, + env_check lists are displayed when sudo is run by root + with the -V option. If the secure_path option is set, its value will be used for the PATH environment - variable. This flag is _o_n by default. + variable. This flag is on by default. - fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- + fast_glob Normally, sudo uses the glob(3) function to do shell- style globbing when matching path names. However, - since it accesses the file system, _g_l_o_b(3) can take a + since it accesses the file system, glob(3) can take a long time to complete for some patterns, especially when the pattern references a network file system that - is mounted on demand (automounted). The _f_a_s_t___g_l_o_b - option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, + is mounted on demand (automounted). The fast_glob + option causes sudo to use the fnmatch(3) function, which does not access the file system to do its - matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is - unable to match relative path names such as _._/_l_s or - _._._/_b_i_n_/_l_s. This has security implications when path + matching. The disadvantage of fast_glob is that it is + unable to match relative path names such as ./ls or + ../bin/ls. This has security implications when path names that include globbing characters are used with the negation operator, '!', as such rules can be trivially bypassed. As such, this option should not be - used when _s_u_d_o_e_r_s contains rules that contain negated + used when sudoers contains rules that contain negated path names which include globbing characters. This - flag is _o_f_f by default. + flag is off by default. 
fqdn Set this flag if you want to put fully qualified host - - - -1.7.6 April 9, 2011 11 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you + names in the sudoers file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware - that turning on _f_q_d_n requires ssuuddoo to make DNS lookups - which may make ssuuddoo unusable if DNS stops working (for + that turning on fqdn requires sudo to make DNS lookups + which may make sudo unusable if DNS stops working (for example if the machine is not plugged into the network). Also note that you must use the host's official name as DNS knows it. That is, you may not 
@@ -742,323 +610,265 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) issues and the fact that there is no way to get all aliases from DNS. If your machine's host name (as returned by the hostname command) is already fully - qualified you shouldn't need to set _f_q_d_n. This flag is - _o_f_f by default. + qualified you shouldn't need to set fqdn. This flag is + off by default. - ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the + ignore_dot If set, sudo will ignore '.' or '' (current dir) in the PATH environment variable; the PATH itself is not - modified. This flag is _o_f_f by default. + modified. This flag is off by default. ignore_local_sudoers - If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be + If set via LDAP, parsing of /etc/sudoers will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to - _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, - _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this - option tells ssuuddoo how to behave when no specific LDAP + /etc/sudoers. When this option is present, + /etc/sudoers does not even need to exist. Since this + option tells sudo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is - _o_f_f by default. + off by default. - insults If set, ssuuddoo will insult users when they enter an - incorrect password. This flag is _o_f_f by default. + insults If set, sudo will insult users when they enter an + incorrect password. This flag is off by default. log_host If set, the host name will be logged in the (non- - syslog) ssuuddoo log file. This flag is _o_f_f by default. + syslog) sudo log file. This flag is off by default. 
- log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log_input If set, sudo will run the command in a pseudo tty and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file. Input is logged to the directory specified by the - _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a - unique session ID that is included in the normal ssuuddoo - log line, prefixed with _T_S_I_D_=. + iolog_dir option (/var/log/sudo-io by default) using a + unique session ID that is included in the normal sudo + log line, prefixed with TSID=. Note that user input may contain sensitive information such as passwords (even if they are not echoed to the screen), which will be stored in the log file unencrypted. In most cases, logging the command output - via _l_o_g___o_u_t_p_u_t is all that is required. - - - -1.7.6 April 9, 2011 12 - - + via log_output is all that is required. - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log_output If set, sudo will run the command in a pseudo tty and log all output that is sent to the screen, similar to - the _s_c_r_i_p_t(1) command. If the standard output or + the script(1) command. If the standard output or standard error is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that output is also captured and stored in separate log files. Output is logged to the directory specified by the - _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a - unique session ID that is included in the normal ssuuddoo - log line, prefixed with _T_S_I_D_=. + iolog_dir option (/var/log/sudo-io by default) using a + unique session ID that is included in the normal sudo + log line, prefixed with TSID=. 
- Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) + Output logs may be viewed with the sudoreplay(1m) utility, which can also be used to list or search the available logs. log_year If set, the four-digit year will be logged in the (non- - syslog) ssuuddoo log file. This flag is _o_f_f by default. + syslog) sudo log file. This flag is off by default. - long_otp_prompt When validating with a One Time Password (OPT) scheme - such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to + long_otp_prompt When validating with a One Time Password (OTP) scheme + such as S/Key or OPIE, a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but - some people find it more convenient. This flag is _o_f_f + some people find it more convenient. This flag is off by default. - mail_always Send mail to the _m_a_i_l_t_o user every time a users runs - ssuuddoo. This flag is _o_f_f by default. + mail_always Send mail to the mailto user every time a users runs + sudo. This flag is off by default. - mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo - does not enter the correct password. This flag is _o_f_f + mail_badpass Send mail to the mailto user if the user running sudo + does not enter the correct password. This flag is off by default. - mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user exists in the _s_u_d_o_e_r_s file, but is not + mail_no_host If set, mail will be sent to the mailto user if the + invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag - is _o_f_f by default. + is off by default. - mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user is allowed to use ssuuddoo but the command - they are trying is not listed in their _s_u_d_o_e_r_s file - entry or is explicitly denied. 
This flag is _o_f_f by + mail_no_perms If set, mail will be sent to the mailto user if the + invoking user is allowed to use sudo but the command + they are trying is not listed in their sudoers file + entry or is explicitly denied. This flag is off by default. - mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user is not in the _s_u_d_o_e_r_s file. This flag is - _o_n by default. + mail_no_user If set, mail will be sent to the mailto user if the + invoking user is not in the sudoers file. This flag is + on by default. - noexec If set, all commands run via ssuuddoo will behave as if the + noexec If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden by a EXEC - tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as + tag. See the description of NOEXEC and EXEC below as well as the "PREVENTING SHELL ESCAPES" section at the - end of this manual. This flag is _o_f_f by default. - - - -1.7.6 April 9, 2011 13 - + end of this manual. This flag is off by default. - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - path_info Normally, ssuuddoo will tell the user when a command could + path_info Normally, sudo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of executables that the normal user does not have access to. The disadvantage is that if the executable is simply not in - the user's PATH, ssuuddoo will tell the user that they are + the user's PATH, sudo will tell the user that they are not allowed to run it, which can be confusing. This - flag is _o_n by default. + flag is on by default. passprompt_override - The password prompt specified by _p_a_s_s_p_r_o_m_p_t will + The password prompt specified by passprompt will normally only be used if the password prompt provided by systems such as PAM matches the string "Password:". 
- If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always - be used. This flag is _o_f_f by default. + If passprompt_override is set, passprompt will always + be used. This flag is off by default. - preserve_groups By default, ssuuddoo will initialize the group vector to + preserve_groups By default, sudo will initialize the group vector to the list of groups the target user is in. When - _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group + preserve_groups is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. - This flag is _o_f_f by default. + This flag is off by default. - pwfeedback By default, ssuuddoo reads the password like most other + pwfeedback By default, sudo reads the password like most other Unix programs, by turning off echo until the user hits the return (or enter) key. Some users become confused - by this as it appears to them that ssuuddoo has hung at - this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide + by this as it appears to them that sudo has hung at + this point. When pwfeedback is set, sudo will provide visual feedback when the user presses a key. Note that this does have a security impact as an onlooker may be able to determine the length of the password being - entered. This flag is _o_f_f by default. + entered. This flag is off by default. - requiretty If set, ssuuddoo will only run when the user is logged in - to a real tty. When this flag is set, ssuuddoo can only be + requiretty If set, sudo will only run when the user is logged in + to a real tty. When this flag is set, sudo can only be run from a login session and not via other means such - as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by + as cron(1m) or cgi-bin scripts. This flag is off by default. - root_sudo If set, root is allowed to run ssuuddoo too. 
Disabling - this prevents users from "chaining" ssuuddoo commands to + root_sudo If set, root is allowed to run sudo too. Disabling + this prevents users from "chaining" sudo commands to get a root shell by doing something like "sudo sudo - /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o - will also prevent root from running ssuuddooeeddiitt. - Disabling _r_o_o_t___s_u_d_o provides no real additional + /bin/sh". Note, however, that turning off root_sudo + will also prevent root from running sudoedit. + Disabling root_sudo provides no real additional security; it exists purely for historical reasons. - This flag is _o_n by default. + This flag is on by default. - rootpw If set, ssuuddoo will prompt for the root password instead - of the password of the invoking user. This flag is _o_f_f + rootpw If set, sudo will prompt for the root password instead + of the password of the invoking user. This flag is off by default. - runaspw If set, ssuuddoo will prompt for the password of the user - - - -1.7.6 April 9, 2011 14 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) + runaspw If set, sudo will prompt for the password of the user + defined by the runas_default option (defaults to root) instead of the password of the invoking user. This - flag is _o_f_f by default. + flag is off by default. - set_home If enabled and ssuuddoo is invoked with the --ss option the + set_home If enabled and sudo is invoked with the -s option the HOME environment variable will be set to the home directory of the target user (which is root unless the - --uu option is used). This effectively makes the --ss - option imply --HH. Note that HOME is already set when - the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is + -u option is used). This effectively makes the -s + option imply -H. 
Note that HOME is already set when + the the env_reset option is enabled, so set_home is only effective for configurations where either - _e_n_v___r_e_s_e_t is disabled or HOME is present in the - _e_n_v___k_e_e_p list. This flag is _o_f_f by default. + env_reset is disabled or HOME is present in the + env_keep list. This flag is off by default. - set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME + set_logname Normally, sudo will set the LOGNAME, USER and USERNAME environment variables to the name of the target user - (usually root unless the --uu option is given). However, + (usually root unless the -u option is given). However, since some programs (including the RCS revision control system) use LOGNAME to determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option. - Note that if the _e_n_v___r_e_s_e_t option has not been - disabled, entries in the _e_n_v___k_e_e_p list will override - the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default. + Note that if the env_reset option has not been + disabled, entries in the env_keep list will override + the value of set_logname. This flag is on by default. - setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the + setenv Allow the user to disable the env_reset option from the command line. Additionally, environment variables set via the command line are not subject to the - restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or - _e_n_v___k_e_e_p. As such, only trusted users should be + restrictions imposed by env_check, env_delete, or + env_keep. As such, only trusted users should be allowed to set variables in this manner. This flag is - _o_f_f by default. + off by default. - shell_noargs If set and ssuuddoo is invoked with no arguments it acts as - if the --ss option had been given. 
That is, it runs a + shell_noargs If set and sudo is invoked with no arguments it acts as + if the -s option had been given. That is, it runs a shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry - if not). This flag is _o_f_f by default. + if not). This flag is off by default. - stay_setuid Normally, when ssuuddoo executes a command the real and + stay_setuid Normally, when sudo executes a command the real and effective UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In - other words, this makes ssuuddoo act as a setuid wrapper. + other words, this makes sudo act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a program is run setuid. This option is only effective on systems - with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. - This flag is _o_f_f by default. + with either the setreuid() or setresuid() function. + This flag is off by default. - targetpw If set, ssuuddoo will prompt for the password of the user - specified by the --uu option (defaults to root) instead + targetpw If set, sudo will prompt for the password of the user + specified by the -u option (defaults to root) instead of the password of the invoking user. In addition, the - - - -1.7.6 April 9, 2011 15 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - timestamp file name will include the target user's name. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the - --uu option. This flag is _o_f_f by default. + -u option. This flag is off by default. tty_tickets If set, users must authenticate on a per-tty basis. 
- With this flag enabled, ssuuddoo will use a file named for + With this flag enabled, sudo will use a file named for the tty the user is logged in on in the user's time stamp directory. If disabled, the time stamp of the - directory is used instead. This flag is _o_n by default. + directory is used instead. This flag is on by default. - umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s + umask_override If set, sudo will set the umask as specified by sudoers without modification. This makes it possible to - specify a more permissive umask in _s_u_d_o_e_r_s than the + specify a more permissive umask in sudoers than the user's own umask and matches historical behavior. If - _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to + umask_override is not set, sudo will set the umask to be the union of the user's umask and what is specified - in _s_u_d_o_e_r_s. This flag is _o_f_f by default. + in sudoers. This flag is off by default. - use_loginclass If set, ssuuddoo will apply the defaults specified for the + use_loginclass If set, sudo will apply the defaults specified for the target user's login class if one exists. Only - available if ssuuddoo is configured with the - --with-logincap option. This flag is _o_f_f by default. + available if sudo is configured with the + --with-logincap option. This flag is off by default. - use_pty If set, ssuuddoo will run the command in a pseudo-pty even + use_pty If set, sudo will run the command in a pseudo-pty even if no I/O logging is being gone. A malicious program - run under ssuuddoo could conceivably fork a background + run under sudo could conceivably fork a background process that retains to the user's terminal device after the main program has finished executing. Use of this option will make that impossible. 
- visiblepw By default, ssuuddoo will refuse to run if the user must + visiblepw By default, sudo will refuse to run if the user must enter a password but it is not possible to disable echo - on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo + on the terminal. If the visiblepw flag is set, sudo will prompt for a password even when it would be visible on the screen. This makes it possible to run - things like "rsh somehost sudo ls" since _r_s_h(1) does - not allocate a tty. This flag is _o_f_f by default. + things like "rsh somehost sudo ls" since rsh(1) does + not allocate a tty. This flag is off by default. - IInntteeggeerrss: + Integers: - closefrom Before it executes a command, ssuuddoo will close all open + closefrom Before it executes a command, sudo will close all open file descriptors other than standard input, standard output and standard error (ie: file descriptors 0-2). - The _c_l_o_s_e_f_r_o_m option can be used to specify a different + The closefrom option can be used to specify a different file descriptor at which to start closing. The default is 3. passwd_tries The number of tries a user gets to enter his/her - password before ssuuddoo logs the failure and exits. The + password before sudo logs the failure and exits. The default is 3. - IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - - - - -1.7.6 April 9, 2011 16 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - + Integers that can be used in a boolean context: loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer 
@@ -1066,13 +876,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) only the file log. The default is 80 (use 0 or negate the option to disable word wrap). - passwd_timeout Number of minutes before the ssuuddoo password prompt times + passwd_timeout Number of minutes before the sudo password prompt times out, or 0 for no timeout. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. timestamp_timeout - Number of minutes that can elapse before ssuuddoo will ask + Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. Set 
@@ -1085,68 +895,56 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) umask Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The actual umask that is used will be the union of the - user's umask and the value of the _u_m_a_s_k option, which - defaults to 0022. This guarantees that ssuuddoo never + user's umask and the value of the umask option, which + defaults to 0022. This guarantees that sudo never lowers the umask when running a command. Note on systems that use PAM, the default PAM configuration may specify its own umask which will override the value set - in _s_u_d_o_e_r_s. + in sudoers. - SSttrriinnggss: + Strings: badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try again. unless insults are enabled. editor A colon (':') separated list of editors allowed to be - used with vviissuuddoo. vviissuuddoo will choose the editor that + used with visudo. visudo will choose the editor that matches the user's EDITOR environment variable if possible, or the first editor in the list that exists and is executable. The default is "vi". iolog_dir The directory in which to store input/output logs when - the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled or when + the log_input or log_output options are enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a command. The default is "/var/log/sudo-io". - mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape + mailsub Subject of the mail sent to the mailto user. The escape %h will expand to the host name of the machine. Default is *** SECURITY information for %h ***. noexec_file Path to a shared library containing dummy versions of - - - -1.7.6 April 9, 2011 17 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions + the execv(), execve() and fexecve() library functions that just return an error. 
This is used to implement - the _n_o_e_x_e_c functionality on systems that support + the noexec functionality on systems that support LD_PRELOAD or its equivalent. Defaults to - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. + /usr/local/libexec/sudo_noexec.so. passprompt The default prompt to use when asking for a password; - can be overridden via the --pp option or the SUDO_PROMPT + can be overridden via the -p option or the SUDO_PROMPT environment variable. The following percent (`%') escapes are supported: %H expanded to the local host name including the domain name (on if the machine's host name is fully - qualified or the _f_q_d_n option is set) + qualified or the fqdn option is set) %h expanded to the local host name without the domain name %p expanded to the user whose password is being asked - for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w - flags in _s_u_d_o_e_r_s) + for (respects the rootpw, targetpw and runaspw + flags in sudoers) %U expanded to the login name of the user the command will be run as (defaults to root) 
@@ -1160,73 +958,67 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) role The default SELinux role to use when constructing a new security context to run the command. The default role - may be overridden on a per-command basis in _s_u_d_o_e_r_s or + may be overridden on a per-command basis in sudoers or via command line options. This option is only - available whe ssuuddoo is built with SELinux support. + available whe sudo is built with SELinux support. - runas_default The default user to run commands as if the --uu option is + runas_default The default user to run commands as if the -u option is not specified on the command line. This defaults to - root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur - before any Runas_Alias specifications. + root. syslog_badpri Syslog priority to use when user authenticates unsuccessfully. Defaults to alert. + The following syslog priorities are supported: alert, + crit, debug, emerg, err, info, notice, and warning. + syslog_goodpri Syslog priority to use when user authenticates successfully. Defaults to notice. + See syslog_badpri for the list of supported syslog + priorities. + sudoers_locale Locale to use when parsing the sudoers file, logging commands, and sending email. Note that changing the locale may affect how sudoers is interpreted. Defaults to "C". - - - -1.7.6 April 9, 2011 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - timestampdir The directory in which ssuuddoo stores its timestamp files. - The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. + timestampdir The directory in which sudo stores its timestamp files. + The default is /var/adm/sudo. timestampowner The owner of the timestamp directory and the timestamps stored therein. The default is root. type The default SELinux type to use when constructing a new security context to run the command. 
The default type - may be overridden on a per-command basis in _s_u_d_o_e_r_s or + may be overridden on a per-command basis in sudoers or via command line options. This option is only - available whe ssuuddoo is built with SELinux support. + available whe sudo is built with SELinux support. - SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + Strings that can be used in a boolean context: - askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a + askpass The askpass option specifies the fully qualified path to a helper program used to read the user's password when no - terminal is available. This may be the case when ssuuddoo is + terminal is available. This may be the case when sudo is executed from a graphical (as opposed to text-based) - application. The program specified by _a_s_k_p_a_s_s should + application. The program specified by askpass should display the argument passed to it as the prompt and write the user's password to the standard output. The value of - _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment + askpass may be overridden by the SUDO_ASKPASS environment variable. - env_file The _e_n_v___f_i_l_e options specifies the fully qualified path to + env_file The env_file options specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form VARIABLE=value or export VARIABLE=value. The value may optionally be surrounded by single or double - quotes. Variables in this file are subject to other ssuuddoo - environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. + quotes. Variables in this file are subject to other sudo + environment settings such as env_keep and env_check. exempt_group Users in this group are exempt from password and PATH - requirements. This is not set by default. + requirements. The group name specified should not include + a % prefix. 
This is not set by default. lecture This option controls when a short lecture will be printed along with the password prompt. It has the following 
@@ -1236,113 +1028,95 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never Never lecture the user. - once Only lecture the user the first time they run ssuuddoo. + once Only lecture the user the first time they run sudo. - If no value is specified, a value of _o_n_c_e is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _o_n_c_e. + If no value is specified, a value of once is implied. + Negating the option results in a value of never being used. + The default value is once. lecture_file - Path to a file containing an alternate ssuuddoo lecture that + Path to a file containing an alternate sudo lecture that will be used in place of the standard lecture if the named - file exists. By default, ssuuddoo uses a built-in lecture. - - - -1.7.6 April 9, 2011 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - + file exists. By default, sudo uses a built-in lecture. listpw This option controls when a password will be required when - a user runs ssuuddoo with the --ll option. It has the following + a user runs sudo with the -l option. It has the following possible values: - all All the user's _s_u_d_o_e_r_s entries for the current host + all All the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password. - always The user must always enter a password to use the --ll + always The user must always enter a password to use the -l option. - any At least one of the user's _s_u_d_o_e_r_s entries for the + any At least one of the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password. - never The user need never enter a password to use the --ll + never The user need never enter a password to use the -l option. - If no value is specified, a value of _a_n_y is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _a_n_y. + If no value is specified, a value of any is implied. 
+ Negating the option results in a value of never being used. + The default value is any. - logfile Path to the ssuuddoo log file (not the syslog log file). + logfile Path to the sudo log file (not the syslog log file). Setting a path turns on logging to a file; negating this - option turns it off. By default, ssuuddoo logs via syslog. + option turns it off. By default, sudo logs via syslog. - mailerflags Flags to use when invoking mailer. Defaults to --tt. + mailerflags Flags to use when invoking mailer. Defaults to -t. mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. mailfrom Address to use for the "from" address when sending warning and error mail. The address should be enclosed in double - quotes (") to protect against ssuuddoo interpreting the @ sign. - Defaults to the name of the user running ssuuddoo. + quotes (") to protect against sudo interpreting the @ sign. + Defaults to the name of the user running sudo. mailto Address to send warning and error mail to. The address should be enclosed in double quotes (") to protect against - ssuuddoo interpreting the @ sign. Defaults to root. + sudo interpreting the @ sign. Defaults to root. - secure_path Path used for every command run from ssuuddoo. If you don't - trust the people running ssuuddoo to have a sane PATH + secure_path Path used for every command run from sudo. If you don't + trust the people running sudo to have a sane PATH environment variable you may want to use this. Another use is if you want to have the "root path" be separate from the "user path." Users in the group specified by the - _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This + exempt_group option are not affected by secure_path. This option is not set by default. syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to auth. 
+ The following syslog facilities are supported: authpriv (if + your OS supports it), auth, daemon, user, local0, local1, + local2, local3, local4, local5, local6, and local7. + verifypw This option controls when a password will be required when - a user runs ssuuddoo with the --vv option. It has the following + a user runs sudo with the -v option. It has the following possible values: - - -1.7.6 April 9, 2011 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - all All the user's _s_u_d_o_e_r_s entries for the current host + all All the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password. - always The user must always enter a password to use the --vv + always The user must always enter a password to use the -v option. - any At least one of the user's _s_u_d_o_e_r_s entries for the + any At least one of the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password. - never The user need never enter a password to use the --vv + never The user need never enter a password to use the -v option. - If no value is specified, a value of _a_l_l is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _a_l_l. + If no value is specified, a value of all is implied. + Negating the option results in a value of never being used. + The default value is all. - LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + Lists that can be used in a boolean context: env_check Environment variables to be removed from the user's environment if the variable's value contains % or / 
@@ -1356,64 +1130,45 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) option is enabled or disabled, variables specified by env_check will be preserved in the environment if they pass the aforementioned check. The default list of - environment variables to check is displayed when ssuuddoo - is run by root with the _-_V option. + environment variables to check is displayed when sudo + is run by root with the -V option. env_delete Environment variables to be removed from the user's - environment when the _e_n_v___r_e_s_e_t option is not in effect. + environment when the env_reset option is not in effect. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to remove is - displayed when ssuuddoo is run by root with the _-_V option. + displayed when sudo is run by root with the -V option. Note that many operating systems will remove potentially dangerous variables from the environment of - any setuid process (such as ssuuddoo). + any setuid process (such as sudo). env_keep Environment variables to be preserved in the user's - environment when the _e_n_v___r_e_s_e_t option is in effect. + environment when the env_reset option is in effect. This allows fine-grained control over the environment - ssuuddoo-spawned processes will receive. The argument may + sudo-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, - - - -1.7.6 April 9, 2011 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - -=, and ! operators respectively. The default list of - variables to keep is displayed when ssuuddoo is run by root - with the _-_V option. 
- - When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the - syslog facility (the value of the ssyysslloogg Parameter): aauutthhpprriivv (if your - OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, - llooccaall44, llooccaall55, llooccaall66, and llooccaall77. The following syslog priorities - are supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and - wwaarrnniinngg. + variables to keep is displayed when sudo is run by root + with the -V option. -FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what +FILES + /etc/sudoers List of who can run what - _/_e_t_c_/_g_r_o_u_p Local groups file + /etc/group Local groups file - _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + /etc/netgroup List of network groups - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files + /var/log/sudo-io I/O log files -EEXXAAMMPPLLEESS - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit +EXAMPLES + Below are example sudoers entries. Admittedly, some of these are a bit contrived. First, we allow a few environment variables to pass and - then define our _a_l_i_a_s_e_s: + then define our aliases: # Run X applications through sudo; HOME is used to find the # .Xauthority file. Note that other programs use HOME to find @@ -1444,18 +1199,6 @@ EEXXAAMMPPLLEESS Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore Cmnd_Alias KILL = /usr/bin/kill - - - -1.7.6 April 9, 2011 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt 
@@ -1466,16 +1209,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd_Alias SU = /usr/bin/su Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - Here we override some of the compiled in default values. We want ssuuddoo - to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't - want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt + Here we override some of the compiled in default values. We want sudo + to log via syslog(3) using the auth facility in all cases. We don't + want to subject the full time staff to the sudo lecture, user millert need not give a password, and we don't want to reset the LOGNAME, USER or USERNAME environment variables when running commands as root. - Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an + Additionally, on the machines in the SERVERS Host_Alias, we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years. Lastly, we disable shell escapes for the commands in the PAGERS - Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). + Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). # Override built-in defaults Defaults syslog=auth 
@@ -1485,138 +1228,114 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults@SERVERS log_year, logfile=/var/log/sudo.log Defaults!PAGERS noexec - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run + The User specification is the part that actually determines who may run what. root ALL = (ALL) ALL %wheel ALL = (ALL) ALL - We let rroooott and any user in group wwhheeeell run any command on any host as + We let root and any user in group wheel run any command on any host as any user. FULLTIMERS ALL = NOPASSWD: ALL - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on + Full time sysadmins (millert, mikef, and dowdy) may run any command on any host without authenticating themselves. PARTTIMERS ALL = ALL - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on + Part time sysadmins (bostley, jwfox, and crawl) may run any command on any host but they must authenticate themselves first (since the entry lacks the NOPASSWD tag). jack CSNETS = ALL - The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias + The user jack may run any command on the machines in the CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR - - - -1.7.6 April 9, 2011 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - notation) indicating it is a class C network. For the other networks - in _C_S_N_E_T_S, the local machine's netmask will be used during matching. + in CSNETS, the local machine's netmask will be used during matching. lisa CUNETS = ALL - The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the + The user lisa may run any command on any host in the CUNETS alias (the class B network 128.138.0.0). 
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ sudoedit /etc/printcap, /usr/oper/bin/ - The ooppeerraattoorr user may run commands limited to simple maintenance. + The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the - directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. + directory /usr/oper/bin/. joe ALL = /usr/bin/su operator - The user jjooee may only _s_u(1) to operator. + The user joe may only su(1) to operator. pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root %opers ALL = (: ADMINGRP) /usr/sbin/ - Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves - with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). + Users in the opers group may run commands in /usr/sbin/ as themselves + with any group in the ADMINGRP Runas_Alias (the adm and oper groups). - The user ppeettee is allowed to change anyone's password except for root on - the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take + The user pete is allowed to change anyone's password except for root on + the HPPA machines. Note that this assumes passwd(1) does not take multiple user names on the command line. bob SPARC = (OP) ALL : SGI = (OP) ALL - The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user - listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). + The user bob may run anything on the SPARC and SGI machines as any user + listed in the OP Runas_Alias (root and operator). jim +biglab = ALL - The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. + The user jim may run any command on machines in the biglab netgroup. + sudo knows that "biglab" is a netgroup due to the '+' prefix. 
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + Users in the secretaries netgroup need to help manage the printers as well as add and remove users, so they are allowed to run those commands on all machines. fred ALL = (DB) NOPASSWD: ALL - The user ffrreedd can run commands as any user in the _D_B Runas_Alias - (oorraaccllee or ssyybbaassee) without giving a password. + The user fred can run commands as any user in the DB Runas_Alias + (oracle or sybase) without giving a password. john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - - - -1.7.6 April 9, 2011 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is - not allowed to specify any options to the _s_u(1) command. + On the ALPHA machines, user john may su to anyone except root but he is + not allowed to specify any options to the su(1) command. jen ALL, !SERVERS = ALL - The user jjeenn may run any command on any machine except for those in the - _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). + The user jen may run any command on any machine except for those in the + SERVERS Host_Alias (master, mail, www and ns). jill SERVERS = /usr/bin/, !SU, !SHELLS - For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in - the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U - and _S_H_E_L_L_S Cmnd_Aliases. + For any machine in the SERVERS Host_Alias, jill may run any commands in + the directory /usr/bin/ except for those commands belonging to the SU + and SHELLS Cmnd_Aliases. steve CSNETS = (operator) /usr/local/op_commands/ - The user sstteevvee may run any command in the directory + The user steve may run any command in the directory /usr/local/op_commands/ but only as user operator. 
matt valkyrie = KILL - On his personal workstation, valkyrie, mmaatttt needs to be able to kill + On his personal workstation, valkyrie, matt needs to be able to kill hung processes. WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, + On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and wim), may run any command as user www (which owns the web pages) or - simply _s_u(1) to www. + simply su(1) to www. ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM @@ -1626,7 +1345,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. -SSEECCUURRIITTYY NNOOTTEESS +SECURITY NOTES It is generally not effective to "subtract" commands from ALL using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For 
@@ -1634,44 +1353,32 @@ SSEECCUURRIITTYY NNOOTTEESS bill ALL = ALL, !SU, !SHELLS - Doesn't really prevent bbiillll from running the commands listed in _S_U or - _S_H_E_L_L_S since he can simply copy those commands to a different name, or + Doesn't really prevent bill from running the commands listed in SU or + SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). - Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to + Furthermore, if the fast_glob option is in use, it is not possible to reliably negate commands where the path name includes globbing (aka - - - -1.7.6 April 9, 2011 25 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3) + wildcard) characters. This is because the C library's fnmatch(3) function cannot resolve relative paths. While this is typically only an inconvenience for rules that grant privileges, it can result in a security issue for rules that subtract or revoke privileges. - For example, given the following _s_u_d_o_e_r_s entry: + For example, given the following sudoers entry: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root - User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by - changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. + User john can still run /usr/bin/passwd root if fast_glob is enabled by + changing to /usr/bin and running ./passwd root instead. -PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS - Once ssuuddoo executes a program, that program is free to do whatever it +PREVENTING SHELL ESCAPES + Once sudo executes a program, that program is free to do whatever it pleases, including run other programs. 
This can be a security issue since it is not uncommon for a program to allow shell escapes, which - lets a user bypass ssuuddoo's access control and logging. Common programs + lets a user bypass sudo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs. @@ -1679,22 +1386,22 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS restrict Avoid giving users access to commands that allow the user to run arbitrary commands. Many editors have a restricted mode - where shell escapes are disabled, though ssuuddooeeddiitt is a better - solution to running editors via ssuuddoo. Due to the large + where shell escapes are disabled, though sudoedit is a better + solution to running editors via sudo. Due to the large number of programs that offer shell escapes, restricting users to the set of programs that do not is often unworkable. noexec Many systems that support shared libraries have the ability to override default library functions by pointing an environment variable (usually LD_PRELOAD) to an alternate - shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality - can be used to prevent a program run by ssuuddoo from executing + shared library. On such systems, sudo's noexec functionality + can be used to prevent a program run by sudo from executing any other programs. Note, however, that this applies only to native dynamically-linked executables. Statically-linked executables and foreign executables running under binary emulation are not affected. - To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the + To tell whether or not sudo supports noexec, you can run the following as root: sudo -V | grep "dummy exec" 
@@ -1703,80 +1410,66 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS File containing dummy exec functions: - then ssuuddoo may be able to replace the exec family of functions + then sudo may be able to replace the exec family of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know - whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c + whether or not noexec will work at compile-time. noexec should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, - - - -1.7.6 April 9, 2011 26 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and - UnixWare. _n_o_e_x_e_c is expected to work on most operating + MacOS X, and HP-UX 11.x. It is known not to work on AIX and + UnixWare. noexec is expected to work on most operating systems that support the LD_PRELOAD environment variable. Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is supported. - To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as + To enable noexec for a command, use the NOEXEC tag as documented in the User Specification section above. Here is that example again: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i - with _n_o_e_x_e_c enabled. This will prevent those two commands + This allows user aaron to run /usr/bin/more and /usr/bin/vi + with noexec enabled. This will prevent those two commands from executing other commands (such as a shell). If you are unsure whether or not your system is capable of supporting - _n_o_e_x_e_c you can always just try it out and see if it works. + noexec you can always just try it out and see if it works. Note that restricting shell escapes is not a panacea. 
Programs running as root are still capable of many potentially hazardous operations (such as changing or overwriting files) that could lead to unintended privilege escalation. In the specific case of an editor, a safer - approach is to give the user permission to run ssuuddooeeddiitt. + approach is to give the user permission to run sudoedit. -SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) +SEE ALSO + rsh(1), su(1), fnmatch(3), glob(3), sudo(1m), visudo(8) -CCAAVVEEAATTSS - The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which +CAVEATS + The sudoers file should always be edited by the visudo command which locks the file and does grammatical checking. It is imperative that - _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a - syntactically incorrect _s_u_d_o_e_r_s file. + sudoers be free of syntax errors since sudo will not run with a + syntactically incorrect sudoers file. When using netgroups of machines (as opposed to users), if you store fully qualified host name in the netgroup (as is usually the case), you either need to have the machine's host name be fully qualified as - returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. + returned by the hostname command or use the fqdn option in sudoers. -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at +BUGS + If you feel you have found a bug in sudo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ -SSUUPPPPOORRTT +SUPPORT Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. 
-DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, +DISCLAIMER + sudo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or + See the LICENSE file distributed with sudo or http://www.sudo.ws/sudo/license.html for complete details. -1.7.6 April 9, 2011 27 - - +1.7.7 August 13, 2011 SUDOERS(4) diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 8b1433382..0f5b6f23d 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat 
@@ -1,76 +1,62 @@ +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - -NNAAMMEE +NAME sudoers.ldap - sudo LDAP configuration -DDEESSCCRRIIPPTTIIOONN - In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via - LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a +DESCRIPTION + In addition to the standard sudoers file, sudo may be configured via + LDAP. This can be especially useful for synchronizing sudoers in a large, distributed environment. - Using LDAP for _s_u_d_o_e_r_s has several benefits: + Using LDAP for sudoers has several benefits: - +o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is + +o sudo no longer needs to read sudoers in its entirety. When LDAP is used, there are only two or three LDAP queries per invocation. This makes it especially fast and particularly usable in LDAP environments. - +o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not + +o sudo no longer exits if there is a typo in sudoers. It is not possible to load LDAP data into the server that does not conform to the sudoers schema, so proper syntax is guaranteed. It is still possible to have typos in a user or host name, but this will not - prevent ssuuddoo from running. + prevent sudo from running. +o It is possible to specify per-entry options that override the - global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options + global default options. /etc/sudoers only supports default options and limited options associated with user/host/commands/aliases. The syntax is complicated and can be difficult for users to understand. Placing the options directly in the entry is more natural. - +o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking - and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates + +o The visudo program is no longer needed. 
visudo provides locking + and syntax checking of the /etc/sudoers file. Since LDAP updates are atomic, locking is no longer necessary. Because syntax is checked when the data is inserted into LDAP, there is no need for a specialized tool to check syntax. - Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in - LDAP, ssuuddoo-specific Aliases are not supported. + Another major difference between LDAP and file-based sudoers is that in + LDAP, sudo-specific Aliases are not supported. - For the most part, there is really no need for ssuuddoo-specific Aliases. + For the most part, there is really no need for sudo-specific Aliases. Unix groups or user netgroups can be used in place of User_Aliases and Runas_Aliases. Host netgroups can be used in place of Host_Aliases. Since Unix groups and netgroups can also be stored in LDAP there is no - real need for ssuuddoo-specific aliases. + real need for sudo-specific aliases. Cmnd_Aliases are not really required either since it is possible to have multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias that is referenced by multiple users, one can create a sudoRole that contains the commands and assign multiple users to it. - SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr - The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP + SUDOers LDAP container + The sudoers configuration is contained in the ou=SUDOers LDAP container. Sudo first looks for the cn=default entry in the SUDOers container. If found, the multi-valued sudoOption attribute is parsed in the same - - - -1.7.6 April 9, 2011 1 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - - manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following + manner as a global Defaults line in /etc/sudoers. In the following example, the SSH_AUTH_SOCK variable will be preserved in the environment for all users. 
@@ -84,77 +70,69 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) The equivalent of a sudoer in LDAP is a sudoRole. It consists of the following attributes: - ssuuddooUUsseerr + sudoUser A user name, uid (prefixed with '#'), Unix group (prefixed with a '%') or user netgroup (prefixed with a '+'). - ssuuddooHHoosstt + sudoHost A host name, IP address, IP network, or host netgroup (prefixed with a '+'). The special value ALL will match any host. - ssuuddooCCoommmmaanndd + sudoCommand A Unix command with optional command line arguments, potentially including globbing characters (aka wild cards). The special value ALL will match any command. If a command is prefixed with an exclamation point '!', the user will be prohibited from running that command. - ssuuddooOOppttiioonn + sudoOption Identical in function to the global options described above, but specific to the sudoRole in which it resides. - ssuuddooRRuunnAAssUUsseerr + sudoRunAsUser A user name or uid (prefixed with '#') that commands may be run as or a Unix group (prefixed with a '%') or user netgroup (prefixed with a '+') that contains a list of users that commands may be run as. The special value ALL will match any user. - The sudoRunAsUser attribute is only available in ssuuddoo versions - 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs + The sudoRunAsUser attribute is only available in sudo versions + 1.7.0 and higher. Older versions of sudo use the sudoRunAs attribute instead. - ssuuddooRRuunnAAssGGrroouupp + sudoRunAsGroup A Unix group or gid (prefixed with '#') that commands may be run as. The special value ALL will match any group. - The sudoRunAsGroup attribute is only available in ssuuddoo versions + The sudoRunAsGroup attribute is only available in sudo versions 1.7.0 and higher. - ssuuddooNNoottBBeeffoorree - A timestamp in the form yyyymmddHHMMZ that can be used to provide a - start date/time for when the sudoRole will be valid. 
If multiple + sudoNotBefore + A timestamp in the form yyyymmddHHMMSSZ that can be used to provide + a start date/time for when the sudoRole will be valid. If multiple sudoNotBefore entries are present, the earliest is used. Note that - - - -1.7.6 April 9, 2011 2 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - timestamps must be in Coordinated Universal Time (UTC), not the - local timezone. + local timezone. The minute and seconds portions are optional, but + some LDAP servers require that they be present (contrary to the + RFC). - The sudoNotBefore attribute is only available in ssuuddoo versions + The sudoNotBefore attribute is only available in sudo versions 1.7.5 and higher and must be explicitly enabled via the - SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. - - ssuuddooNNoottAAfftteerr - A timestamp in the form yyyymmddHHMMZ that indicates an expiration - date/time, after which the sudoRole will no longer be valid. If - multiple sudoNotBefore entries are present, the last one is used. - Note that timestamps must be in Coordinated Universal Time (UTC), - not the local timezone. - - The sudoNotAfter attribute is only available in ssuuddoo versions 1.7.5 - and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD - option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. - - ssuuddooOOrrddeerr + SUDOERS_TIMED option in /etc/ldap.conf. + + sudoNotAfter + A timestamp in the form yyyymmddHHMMSSZ that indicates an + expiration date/time, after which the sudoRole will no longer be + valid. If multiple sudoNotBefore entries are present, the last one + is used. Note that timestamps must be in Coordinated Universal + Time (UTC), not the local timezone. The minute and seconds + portions are optional, but some LDAP servers require that they be + present (contrary to the RFC). 
+ + The sudoNotAfter attribute is only available in sudo versions 1.7.5 + and higher and must be explicitly enabled via the SUDOERS_TIMED + option in /etc/ldap.conf. + + sudoOrder The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort @@ -165,7 +143,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed. - The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 + The sudoOrder attribute is only available in sudo versions 1.7.5 and higher. Each attribute listed above should contain a single value, but there @@ -173,7 +151,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) contain at least one sudoUser, sudoHost and sudoCommand. The following example allows users in group wheel to run any command on - any host via ssuuddoo: + any host via sudo: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com objectClass: top 
@@ -183,32 +161,20 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoHost: ALL sudoCommand: ALL - AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp + Anatomy of LDAP sudoers lookup When looking up a sudoer using LDAP there are only two or three LDAP queries per invocation. The first query is to parse the global options. The second is to match against the user's name and the groups that the user belongs to. (The special ALL tag is matched in this query too.) If no match is returned for the user's name and groups, a third query returns all entries containing user netgroups and checks to - - - -1.7.6 April 9, 2011 3 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - see if the user belongs to any of them. - If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration + If timed entries are enabled with the SUDOERS_TIMED configuration directive, the LDAP queries include a subfilter that limits retrieval to entries that satisfy the time constraints, if any. - DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss + Differences between LDAP and non-LDAP sudoers There are some subtle differences in the way sudoers is handled once in LDAP. Probably the biggest is that according to the RFC, LDAP ordering is arbitrary and you cannot expect that Attributes and Entries are @@ -255,19 +221,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) currently ignored. For example, the following attributes do not behave the way one might expect. - - - - -1.7.6 April 9, 2011 4 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # does not match all but joe # rather, does not match anyone sudoUser: !joe 
@@ -282,206 +235,170 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoHost: ALL sudoHost: !web01 - SSuuddooeerrss SScchheemmaa - In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed + Sudoers Schema + In order to use sudo's LDAP support, the sudo schema must be installed on your LDAP server. In addition, be sure to index the 'sudoUser' attribute. Three versions of the schema: one for OpenLDAP servers - (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), - and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be - found in the ssuuddoo distribution. + (schema.OpenLDAP), one for Netscape-derived servers (schema.iPlanet), + and one for Microsoft Active Directory (schema.ActiveDirectory) may be + found in the sudo distribution. - The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES + The schema for sudo in OpenLDAP form is included in the EXAMPLES section. - CCoonnffiigguurriinngg llddaapp..ccoonnff - Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. + Configuring ldap.conf + Sudo reads the /etc/ldap.conf file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. - As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo - parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from - those described in the _l_d_a_p_._c_o_n_f(4) manual. + As such, most of the settings are not sudo-specific. Note that sudo + parses /etc/ldap.conf itself and may support options that differ from + those described in the ldap.conf(4) manual. Also note that on systems using the OpenLDAP libraries, default values - specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are + specified in /etc/openldap/ldap.conf or the user's .ldaprc files are not used. 
- Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being - supported by ssuuddoo are honored. Configuration options are listed below + Only those options explicitly listed in /etc/ldap.conf as being + supported by sudo are honored. Configuration options are listed below in upper case but are parsed in a case-independent manner. - UURRII ldap[s]://[hostname[:port]] ... + URI ldap[s]://[hostname[:port]] ... Specifies a whitespace-delimited list of one or more URIs - describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be - either llddaapp or llddaappss, the latter being for servers that support TLS - (SSL) encryption. If no _p_o_r_t is specified, the default is port 389 - for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, - ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated - identically to a UURRII line containing multiple entries. Only + describing the LDAP server(s) to connect to. The protocol may be + either ldap or ldaps, the latter being for servers that support TLS + (SSL) encryption. If no port is specified, the default is port 389 + for ldap:// or port 636 for ldaps://. If no hostname is specified, + sudo will connect to localhost. Multiple URI lines are treated + identically to a URI line containing multiple entries. Only systems using the OpenSSL libraries support the mixing of ldap:// and ldaps:// URIs. The Netscape-derived libraries used on most commercial versions of Unix are only capable of supporting one or the other. - - -1.7.6 April 9, 2011 5 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - - HHOOSSTT name[:port] ... - If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- + HOST name[:port] ... + If no URI is specified, the HOST parameter specifies a whitespace- delimited list of LDAP servers to connect to. Each host may - include an optional _p_o_r_t separated by a colon (':'). 
The HHOOSSTT - parameter is deprecated in favor of the UURRII specification and is + include an optional port separated by a colon (':'). The HOST + parameter is deprecated in favor of the URI specification and is included for backwards compatibility. - PPOORRTT port_number - If no UURRII is specified, the PPOORRTT parameter specifies the default - port to connect to on the LDAP server if a HHOOSSTT parameter does not - specify the port itself. If no PPOORRTT parameter is used, the default + PORT port_number + If no URI is specified, the PORT parameter specifies the default + port to connect to on the LDAP server if a HOST parameter does not + specify the port itself. If no PORT parameter is used, the default is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The - PPOORRTT parameter is deprecated in favor of the UURRII specification and + PORT parameter is deprecated in favor of the URI specification and is included for backwards compatibility. - BBIINNDD__TTIIMMEELLIIMMIITT seconds - The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in + BIND_TIMELIMIT seconds + The BIND_TIMELIMIT parameter specifies the amount of time, in seconds, to wait while trying to connect to an LDAP server. If - multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to + multiple URIs or HOSTs are specified, this is the amount of time to wait before trying the next one in the list. - NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds - An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility. + NETWORK_TIMEOUT seconds + An alias for BIND_TIMELIMIT for OpenLDAP compatibility. - TTIIMMEELLIIMMIITT seconds - The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, + TIMELIMIT seconds + The TIMELIMIT parameter specifies the amount of time, in seconds, to wait for a response to an LDAP query. 
- TTIIMMEEOOUUTT seconds - The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to + TIMEOUT seconds + The TIMEOUT parameter specifies the amount of time, in seconds, to wait for a response from the various LDAP APIs. - SSUUDDOOEERRSS__BBAASSEE base - The base DN to use when performing ssuuddoo LDAP queries. Typically + SUDOERS_BASE base + The base DN to use when performing sudo LDAP queries. Typically this is of the form ou=SUDOers,dc=example,dc=com for the domain - example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in + example.com. Multiple SUDOERS_BASE lines may be specified, in which case they are queried in the order specified. - SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter + SUDOERS_SEARCH_FILTER ldap_filter An LDAP filter which is used to restrict the set of records - returned when performing a ssuuddoo LDAP query. Typically, this is of + returned when performing a sudo LDAP query. Typically, this is of the form attribute=value or (&(attribute=value)(attribute2=value2)). - SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no + SUDOERS_TIMED on/true/yes/off/false/no Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes that implement time-dependent sudoers entries. - SSUUDDOOEERRSS__DDEEBBUUGG debug_level - This sets the debug level for ssuuddoo LDAP queries. Debugging + SUDOERS_DEBUG debug_level + This sets the debug level for sudo LDAP queries. Debugging information is printed to the standard error. A value of 1 results in a moderate amount of debugging information. A value of 2 shows the results of the matches themselves. This parameter should not be set in a production environment as the extra information is - - - -1.7.6 April 9, 2011 6 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - likely to confuse users. 
- BBIINNDDDDNN DN - The BBIINNDDDDNN parameter specifies the identity, in the form of a + BINDDN DN + The BINDDN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing LDAP operations. If not specified, LDAP operations are performed with an anonymous identity. By default, most LDAP servers will allow anonymous access. - BBIINNDDPPWW secret - The BBIINNDDPPWW parameter specifies the password to use when performing + BINDPW secret + The BINDPW parameter specifies the password to use when performing LDAP operations. This is typically used in conjunction with the - BBIINNDDDDNN parameter. + BINDDN parameter. - RROOOOTTBBIINNDDDDNN DN - The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a + ROOTBINDDN DN + The ROOTBINDDN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP - operations, such as _s_u_d_o_e_r_s queries. The password corresponding to - the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not - specified, the BBIINNDDDDNN identity is used (if any). + operations, such as sudoers queries. The password corresponding to + the identity should be stored in /etc/ldap.secret. If not + specified, the BINDDN identity is used (if any). - LLDDAAPP__VVEERRSSIIOONN number + LDAP_VERSION number The version of the LDAP protocol to use when connecting to the server. The default value is protocol version 3. - SSSSLL on/true/yes/off/false/no - If the SSSSLL parameter is set to on, true or yes, TLS (SSL) + SSL on/true/yes/off/false/no + If the SSL parameter is set to on, true or yes, TLS (SSL) encryption is always used when communicating with the LDAP server. Typically, this involves connecting to the server on port 636 (ldaps). 
- SSSSLL start_tls - If the SSSSLL parameter is set to start_tls, the LDAP server + SSL start_tls + If the SSL parameter is set to start_tls, the LDAP server connection is initiated normally and TLS encryption is begun before the bind credentials are sent. This has the advantage of not requiring a dedicated port for encrypted communications. This parameter is only supported by LDAP servers that honor the start_tls extension, such as the OpenLDAP server. - TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no - If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS + TLS_CHECKPEER on/true/yes/off/false/no + If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown - certificate authority), ssuuddoo will be unable to connect to it. If - TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made. Note that disabling + certificate authority), sudo will be unable to connect to it. If + TLS_CHECKPEER is disabled, no check is made. Note that disabling the check creates an opportunity for man-in-the-middle attacks since the server's identity will not be authenticated. If possible, the CA's certificate should be installed locally so it can be verified. - TTLLSS__CCAACCEERRTT file name - An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. - - - - - -1.7.6 April 9, 2011 7 + TLS_CACERT file name + An alias for TLS_CACERTFILE for OpenLDAP compatibility. - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - - TTLLSS__CCAACCEERRTTFFIILLEE file name + TLS_CACERTFILE file name The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows - to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only + to be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only supported by the OpenLDAP libraries. 
Netscape-derived LDAP libraries use the same certificate database for CA and client - certificates (see TTLLSS__CCEERRTT). + certificates (see TLS_CERT). - TTLLSS__CCAACCEERRTTDDIIRR directory - Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory + TLS_CACERTDIR directory + Similar to TLS_CACERTFILE but instead of a file, it is a directory containing individual Certificate Authority certificates, e.g. - _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is - checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the + /etc/ssl/certs. The directory specified by TLS_CACERTDIR is + checked after TLS_CACERTFILE. This option is only supported by the OpenLDAP libraries. - TTLLSS__CCEERRTT file name + TLS_CERT file name The path to a file containing the client certificate which can be used to authenticate the client to the LDAP server. The certificate type depends on the LDAP libraries used. @@ -495,9 +412,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) When using Netscape-derived libraries, this file may also contain Certificate Authority certificates. - TTLLSS__KKEEYY file name + TLS_KEY file name The path to a file containing the private key which matches the - certificate specified by TTLLSS__CCEERRTT. The private key must not be + certificate specified by TLS_CERT. The private key must not be password-protected. The key type depends on the LDAP libraries used. 
@@ -507,60 +424,47 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Netscape-derived: tls_key /var/ldap/key3.db - TTLLSS__RRAANNDDFFIILLEE file name - The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source + TLS_RANDFILE file name + The TLS_RANDFILE parameter specifies the path to an entropy source for systems that lack a random device. It is generally used in - conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by + conjunction with prngd or egd. This option is only supported by the OpenLDAP libraries. - TTLLSS__CCIIPPHHEERRSS cipher list - The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which + TLS_CIPHERS cipher list + The TLS_CIPHERS parameter allows the administer to restrict which encryption algorithms may be used for TLS (SSL) connections. See the OpenSSL manual for a list of valid ciphers. This option is only supported by the OpenLDAP libraries. + USE_SASL on/true/yes/off/false/no + Enable USE_SASL for LDAP servers that support SASL authentication. - - - -1.7.6 April 9, 2011 8 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - - UUSSEE__SSAASSLL on/true/yes/off/false/no - Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. - - SSAASSLL__AAUUTTHH__IIDD identity + SASL_AUTH_ID identity The SASL user name to use when connecting to the LDAP server. By - default, ssuuddoo will use an anonymous connection. + default, sudo will use an anonymous connection. - RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no - Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting - to an LDAP server from a privileged process, such as ssuuddoo. + ROOTUSE_SASL on/true/yes/off/false/no + Enable ROOTUSE_SASL to enable SASL authentication when connecting + to an LDAP server from a privileged process, such as sudo. - RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity - The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. 
+ ROOTSASL_AUTH_ID identity + The SASL user name to use when ROOTUSE_SASL is enabled. - SSAASSLL__SSEECCPPRROOPPSS none/properties - SASL security properties or _n_o_n_e for no properties. See the SASL + SASL_SECPROPS none/properties + SASL security properties or none for no properties. See the SASL programmer's manual for details. - KKRRBB55__CCCCNNAAMMEE file name + KRB5_CCNAME file name The path to the Kerberos 5 credential cache to use when authenticating with the remote server. See the ldap.conf entry in the EXAMPLES section. - CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff - Unless it is disabled at build time, ssuuddoo consults the Name Service - Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. + Configuring nsswitch.conf + Unless it is disabled at build time, sudo consults the Name Service + Switch file, /etc/nsswitch.conf, to specify the sudoers search order. Sudo looks for a line beginning with sudoers: and uses this to - determine the search order. Note that ssuuddoo does not stop searching + determine the search order. Note that sudo does not stop searching after the first match and later matches take precedence over earlier ones. 
@@ -577,34 +481,22 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoers: ldap files - The local _s_u_d_o_e_r_s file can be ignored completely by using: + The local sudoers file can be ignored completely by using: sudoers: ldap - If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers + If the /etc/nsswitch.conf file is not present or there is no sudoers line, the following default is assumed: sudoers: files - - - -1.7.6 April 9, 2011 9 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - - Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying + Note that /etc/nsswitch.conf is supported even when the underlying operating system does not use an nsswitch.conf file. - CCoonnffiigguurriinngg nneettssvvcc..ccoonnff - On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of - _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the + Configuring netsvc.conf + On AIX systems, the /etc/netsvc.conf file is consulted instead of + /etc/nsswitch.conf. sudo simply treats netsvc.conf as a variant of + nsswitch.conf; information in the previous section unrelated to the file format itself still applies. To consult LDAP first followed by the local sudoers file (if it @@ -612,7 +504,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoers = ldap, files - The local _s_u_d_o_e_r_s file can be ignored completely by using: + The local sudoers file can be ignored completely by using: sudoers = ldap 
@@ -622,22 +514,22 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoers = ldap = auth, files Note that in the above example, the auth qualfier only affects user - lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. + lookups; both LDAP and sudoers will be queried for Defaults entries. - If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers + If the /etc/netsvc.conf file is not present or there is no sudoers line, the following default is assumed: sudoers = files -FFIILLEESS - _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file +FILES + /etc/ldap.conf LDAP configuration file - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order + /etc/nsswitch.conf determines sudoers source order - _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX + /etc/netsvc.conf determines sudoers source order on AIX -EEXXAAMMPPLLEESS - EExxaammppllee llddaapp..ccoonnff +EXAMPLES + Example ldap.conf # Either specify one or more URIs or one or more host:port pairs. # If neither is specified sudo will default to localhost, port 389. # @@ -652,18 +544,6 @@ EEXXAAMMPPLLEESS #uri ldaps://secureldapserver #uri ldaps://secureldapserver ldap://ldapserver # - - - -1.7.6 April 9, 2011 10 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # The amount of time, in seconds, to wait while trying to connect to # an LDAP server. bind_timelimit 30 @@ -718,18 +598,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) #tls_randfile /etc/egd-pool # # You may restrict which ciphers are used. Consult your SSL - - - -1.7.6 April 9, 2011 11 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # documentation for which options go here. # Only supported when using OpenLDAP. # 
@@ -769,11 +637,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # sasl_secprops none # krb5_ccname /etc/.ldapcache - SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP - The following schema, in OpenLDAP format, is included with ssuuddoo source - and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the - schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include - line in slapd.conf and restart ssllaappdd. + Sudo schema for OpenLDAP + The following schema, in OpenLDAP format, is included with sudo source + and binary distributions as schema.OpenLDAP. Simply copy it to the + schema directory (e.g. /etc/openldap/schema), add the proper include + line in slapd.conf and restart slapd. attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' @@ -784,18 +652,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' - - - -1.7.6 April 9, 2011 12 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch @@ -850,18 +706,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch - - - -1.7.6 April 9, 2011 13 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL 
@@ -872,53 +716,30 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoOrder $ description ) ) -SSEEEE AALLSSOO - _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) +SEE ALSO + ldap.conf(4), sudoers(5) -CCAAVVEEAATTSS - Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is - parsed compared to file-based _s_u_d_o_e_r_s. See the "Differences between +CAVEATS + Note that there are differences in the way that LDAP-based sudoers is + parsed compared to file-based sudoers. See the "Differences between LDAP and non-LDAP sudoers" section for more information. -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at +BUGS + If you feel you have found a bug in sudo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ -SSUUPPPPOORRTT +SUPPORT Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. -DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, +DISCLAIMER + sudo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or + See the LICENSE file distributed with sudo or http://www.sudo.ws/sudo/license.html for complete details. - - - - - - - - - - - - - - - - - - - - - -1.7.6 April 9, 2011 14 - - +1.7.7 August 13, 2011 SUDOERS.LDAP(4) diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index 74cafeca5..f2ca505d5 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in 
@@ -140,7 +140,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -254,22 +254,24 @@ The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR v 1.7.0 and higher. .IP "\fBsudoNotBefore\fR" 4 .IX Item "sudoNotBefore" -A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that can be used to provide +A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used. Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), -not the local timezone. +not the local timezone. The minute and seconds portions are optional, +but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0). .Sp The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR option in \fI@ldap_conf@\fR. .IP "\fBsudoNotAfter\fR" 4 .IX Item "sudoNotAfter" -A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates an expiration +A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used. Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), -not the local timezone. +not the local timezone. The minute and seconds portions are optional, +but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0). .Sp The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions 1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR diff --git a/sudoers.man.in b/sudoers.man.in index 531ead6ed..0e1206d87 100644 --- a/sudoers.man.in +++ b/sudoers.man.in 
@@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -911,7 +911,7 @@ If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log fi This flag is \fIoff\fR by default. .IP "long_otp_prompt" 16 .IX Item "long_otp_prompt" -When validating with a One Time Password (\s-1OPT\s0) scheme such as +When validating with a One Time Password (\s-1OTP\s0) scheme such as \&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This 
@@ -1219,16 +1219,19 @@ This option is only available whe \fBsudo\fR is built with SELinux support. .IX Item "runas_default" The default user to run commands as if the \fB\-u\fR option is not specified on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR. -Note that if \fIrunas_default\fR is set it \fBmust\fR occur before -any \f(CW\*(C`Runas_Alias\*(C'\fR specifications. .IP "syslog_badpri" 16 .IX Item "syslog_badpri" Syslog priority to use when user authenticates unsuccessfully. Defaults to \f(CW\*(C`@badpri@\*(C'\fR. +.Sp +The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR, +\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR. .IP "syslog_goodpri" 16 .IX Item "syslog_goodpri" Syslog priority to use when user authenticates successfully. Defaults to \f(CW\*(C`@goodpri@\*(C'\fR. +.Sp +See syslog_badpri for the list of supported syslog priorities. .IP "sudoers_locale" 16 .IX Item "sudoers_locale" Locale to use when parsing the sudoers file, logging commands, and @@ -1274,6 +1277,7 @@ as \fIenv_keep\fR and \fIenv_check\fR. .IP "exempt_group" 12 .IX Item "exempt_group" Users in this group are exempt from password and \s-1PATH\s0 requirements. +The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix. This is not set by default. .IP "lecture" 12 .IX Item "lecture" @@ -1362,6 +1366,10 @@ This option is @secure_path@ by default. .IX Item "syslog" Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR. +.Sp +The following syslog facilities are supported: \fBauthpriv\fR (if your +\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, +\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. .IP "verifypw" 12 .IX Item "verifypw" This option controls when a password will be required when a user runs 
@@ -1426,14 +1434,6 @@ single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. -.PP -When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values -for the syslog facility (the value of the \fBsyslog\fR Parameter): -\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, -\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, -\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are -supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, -\&\fBnotice\fR, and \fBwarning\fR. .SH "FILES" .IX Header "FILES" .ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 diff --git a/sudoreplay.cat b/sudoreplay.cat index aee5497cf..18786130f 100644 --- a/sudoreplay.cat +++ b/sudoreplay.cat 
@@ -1,31 +1,29 @@ +SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) - - -NNAAMMEE +NAME sudoreplay - replay sudo session logs -SSYYNNOOPPSSIISS - ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t] [--ss - _s_p_e_e_d___f_a_c_t_o_r] ID +SYNOPSIS + sudoreplay [-h] [-d directory] [-f filter] [-m max_wait] [-s + speed_factor] ID - ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] -l [search expression] + sudoreplay [-h] [-d directory] -l [search expression] -DDEESSCCRRIIPPTTIIOONN - ssuuddoorreeppllaayy plays back or lists the session logs created by ssuuddoo. When - replaying, ssuuddoorreeppllaayy can play the session back in real-time, or the +DESCRIPTION + sudoreplay plays back or lists the session logs created by sudo. When + replaying, sudoreplay can play the session back in real-time, or the playback speed may be adjusted (faster or slower) based on the command - line options. The _I_D should be a six character sequence of digits and - upper case letters, e.g. 0100A5, which is logged by ssuuddoo when a + line options. The ID should be a six character sequence of digits and + upper case letters, e.g. 0100A5, which is logged by sudo when a command is run with session logging enabled. - In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based + In list mode, sudoreplay can be used to find the ID of a session based on a number of criteria such as the user, tty or command run. In replay mode, if the standard output has not been redirected, - ssuuddoorreeppllaayy will act on the following keys: + sudoreplay will act on the following keys: ' ' (space) Pause output; press any key to resume. 
@@ -34,127 +32,102 @@ DDEESSCCRRIIPPTTIIOONN '>' Double the playback speed. -OOPPTTIIOONNSS - ssuuddoorreeppllaayy accepts the following command line options: +OPTIONS + sudoreplay accepts the following command line options: - -d _d_i_r_e_c_t_o_r_y - Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the - default, _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. + -d directory + Use directory to for the session logs instead of the + default, /var/log/sudo-io. - -f _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's - standard output, standard error and tty output. The _-_f + -f filter By default, sudoreplay will play back the command's + standard output, standard error and tty output. The -f option can be used to select which of these to output. The - _f_i_l_t_e_r argument is a comma-separated list, consisting of - one or more of following: _s_t_d_o_u_t, _s_t_d_e_r_r, and _t_t_y_o_u_t. + filter argument is a comma-separated list, consisting of + one or more of following: stdout, stderr, and ttyout. - -h The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short + -h The -h (help) option causes sudoreplay to print a short help message to the standard output and exit. - -l [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n] - Enable "list mode". In this mode, ssuuddoorreeppllaayy will list - available session IDs. If a _s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is + -l [search expression] + Enable "list mode". In this mode, sudoreplay will list + available session IDs. If a search expression is specified, it will be used to restrict the IDs that are displayed. An expression is composed of the following predicates: - - - - -1.7.6 April 9, 2011 1 - - - - - -SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) - - - command _c_o_m_m_a_n_d _p_a_t_t_e_r_n + command command pattern Evaluates to true if the command run matches - _c_o_m_m_a_n_d _p_a_t_t_e_r_n. On systems with POSIX regular + command pattern. 
On systems with POSIX regular expression support, the pattern may be an extended regular expression. On systems without POSIX regular expression support, a simple substring match is performed instead. - cwd _d_i_r_e_c_t_o_r_y + cwd directory Evaluates to true if the command was run with the specified current working directory. - fromdate _d_a_t_e + fromdate date Evaluates to true if the command was run on or - after _d_a_t_e. See "Date and time format" for a + after date. See "Date and time format" for a description of supported date and time formats. - group _r_u_n_a_s___g_r_o_u_p + group runas_group Evaluates to true if the command was run with the - specified _r_u_n_a_s___g_r_o_u_p. Note that unless a - _r_u_n_a_s___g_r_o_u_p was explicitly specified when ssuuddoo was + specified runas_group. Note that unless a + runas_group was explicitly specified when sudo was run this field will be empty in the log. - runas _r_u_n_a_s___u_s_e_r + runas runas_user Evaluates to true if the command was run as the - specified _r_u_n_a_s___u_s_e_r. Note that ssuuddoo runs commands - as user _r_o_o_t by default. + specified runas_user. Note that sudo runs commands + as user root by default. - todate _d_a_t_e + todate date Evaluates to true if the command was run on or - prior to _d_a_t_e. See "Date and time format" for a + prior to date. See "Date and time format" for a description of supported date and time formats. - tty _t_t_y Evaluates to true if the command was run on the - specified terminal device. The _t_t_y should be - specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1 - instead of _/_d_e_v_/_t_t_y_0_1. + tty tty Evaluates to true if the command was run on the + specified terminal device. The tty should be + specified without the /dev/ prefix, e.g. tty01 + instead of /dev/tty01. - user _u_s_e_r _n_a_m_e + user user name Evaluates to true if the ID matches a command run - by _u_s_e_r _n_a_m_e. + by user name. 
Predicates may be abbreviated to the shortest unique string (currently all predicates may be shortened to a single character). - Predicates may be combined using _a_n_d, _o_r and _! operators as + Predicates may be combined using and, or and ! operators as well as '(' and ')' for grouping (note that parentheses - must generally be escaped from the shell). The _a_n_d + must generally be escaped from the shell). The and operator is optional, adjacent predicates have an implied - _a_n_d unless separated by an _o_r. - - -m _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key - presses or output data. By default, ssuuddoo__rreeppllaayy will - - - -1.7.6 April 9, 2011 2 - - - - - -SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) - + and unless separated by an or. + -m max_wait Specify an upper bound on how long to wait between key + presses or output data. By default, sudo_replay will accurately reproduce the delays between key presses or program output. However, this can be tedious when the - session includes long pauses. When the _-_m option is - specified, ssuuddoorreeppllaayy will limit these pauses to at most - _m_a_x___w_a_i_t seconds. The value may be specified as a floating - point number, .e.g. _2_._5. + session includes long pauses. When the -m option is + specified, sudoreplay will limit these pauses to at most + max_wait seconds. The value may be specified as a floating + point number, .e.g. 2.5. - -s _s_p_e_e_d___f_a_c_t_o_r - This option causes ssuuddoorreeppllaayy to adjust the number of + -s speed_factor + This option causes sudoreplay to adjust the number of seconds it will wait between key presses or program output. This can be used to slow down or speed up the display. 
For - example, a _s_p_e_e_d___f_a_c_t_o_r of _2 would make the output twice as - fast whereas a _s_p_e_e_d___f_a_c_t_o_r of <.5> would make the output + example, a speed_factor of 2 would make the output twice as + fast whereas a speed_factor of <.5> would make the output twice as slow. - -V The --VV (version) option causes ssuuddoorreeppllaayy to print its + -V The -V (version) option causes sudoreplay to print its version number and exit. - DDaattee aanndd ttiimmee ffoorrmmaatt + Date and time format The time and date may be specified multiple ways, common formats include: @@ -191,17 +164,6 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) 2 hours ago 2 hours ago. - - -1.7.6 April 9, 2011 3 - - - - - -SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) - - next Friday The first second of the next Friday. 
@@ -225,54 +187,43 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) 10:01 am Sep 17, 2009 10:01 am, September 17, 2009. -FFIILLEESS - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o The default I/O log directory. +FILES + /var/log/sudo-io The default I/O log directory. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_l_o_g + /var/log/sudo-io/00/00/01/log Example session log info. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_i_n + /var/log/sudo-io/00/00/01/stdin Example session standard input log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_o_u_t + /var/log/sudo-io/00/00/01/stdout Example session standard output log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_e_r_r + /var/log/sudo-io/00/00/01/stderr Example session standard error log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_i_n + /var/log/sudo-io/00/00/01/ttyin Example session tty input file. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_o_u_t + /var/log/sudo-io/00/00/01/ttyout Example session tty output file. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_i_m_i_n_g + /var/log/sudo-io/00/00/01/timing Example session timing file. - Note that the _s_t_d_i_n, _s_t_d_o_u_t and _s_t_d_e_r_r files will be empty unless ssuuddoo + Note that the stdin, stdout and stderr files will be empty unless sudo was used as part of a pipeline for a particular command. 
-EEXXAAMMPPLLEESS - List sessions run by user _m_i_l_l_e_r_t: +EXAMPLES + List sessions run by user millert: sudoreplay -l user millert - - -1.7.6 April 9, 2011 4 - - - - - -SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) - - - List sessions run by user _b_o_b with a command containing the string vi: + List sessions run by user bob with a command containing the string vi: sudoreplay -l user bob command vi - List sessions run by user _j_e_f_f that match a regular expression: + List sessions run by user jeff that match a regular expression: sudoreplay -l user jeff command '/bin/[a-z]*sh' @@ -280,51 +231,28 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) sudoreplay -l ( user jeff or user bob ) tty console -SSEEEE AALLSSOO - _s_u_d_o(1m), _s_c_r_i_p_t(1) +SEE ALSO + sudo(1m), script(1) -AAUUTTHHOORR +AUTHOR Todd C. Miller -BBUUGGSS - If you feel you have found a bug in ssuuddoorreeppllaayy, please submit a bug +BUGS + If you feel you have found a bug in sudoreplay, please submit a bug report at http://www.sudo.ws/sudo/bugs/ -SSUUPPPPOORRTT +SUPPORT Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. -DDIISSCCLLAAIIMMEERR - ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties, +DISCLAIMER + sudoreplay is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or + See the LICENSE file distributed with sudo or http://www.sudo.ws/sudo/license.html for complete details. - - - - - - - - - - - - - - - - - - - - - -1.7.6 April 9, 2011 5 - - +1.7.7 August 13, 2011 SUDOREPLAY(1m) diff --git a/sudoreplay.man.in b/sudoreplay.man.in index 89418d8ee..c6ed9e1ba 100644 --- a/sudoreplay.man.in +++ b/sudoreplay.man.in 
@@ -139,7 +139,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/visudo.cat b/visudo.cat
index ce7c1a3f6..fd320aec8 100644
--- a/visudo.cat
+++ b/visudo.cat
@@ -1,111 +1,97 @@ +VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) - - -NNAAMMEE +NAME visudo - edit the sudoers file -SSYYNNOOPPSSIISS - vviissuuddoo [--cchhqqssVV] [--ff _s_u_d_o_e_r_s] +SYNOPSIS + visudo [-chqsV] [-f sudoers] -DDEESSCCRRIIPPTTIIOONN - vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m). - vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, +DESCRIPTION + visudo edits the sudoers file in a safe fashion, analogous to vipw(1m). + visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the - _s_u_d_o_e_r_s file is currently being edited you will receive a message to + sudoers file is currently being edited you will receive a message to try again later. - There is a hard-coded list of one or more editors that vviissuuddoo will use - set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s - Default variable. This list defaults to "vi". Normally, vviissuuddoo does + There is a hard-coded list of one or more editors that visudo will use + set at compile-time that may be overridden via the editor sudoers + Default variable. This list defaults to "vi". Normally, visudo does not honor the VISUAL or EDITOR environment variables unless they contain an editor in the aforementioned editors list. However, if - vviissuuddoo is configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option or the - _e_n_v___e_d_i_t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the + visudo is configured with the --with-env-editor option or the + env_editor Default variable is set in sudoers, visudo will use any the editor defines by VISUAL or EDITOR. Note that this can be a security hole since it allows the user to execute any program they wish simply by setting VISUAL or EDITOR. 
- vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the - changes if there is a syntax error. Upon finding an error, vviissuuddoo will + visudo parses the sudoers file after the edit and will not save the + changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt. At this point the user - may enter "e" to re-edit the _s_u_d_o_e_r_s file, "x" to exit without saving + may enter "e" to re-edit the sudoers file, "x" to exit without saving the changes, or "Q" to quit and save changes. The "Q" option should be - used with extreme care because if vviissuuddoo believes there to be a parse - error, so will ssuuddoo and no one will be able to ssuuddoo again until the - error is fixed. If "e" is typed to edit the _s_u_d_o_e_r_s file after a + used with extreme care because if visudo believes there to be a parse + error, so will sudo and no one will be able to sudo again until the + error is fixed. If "e" is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature). -OOPPTTIIOONNSS - vviissuuddoo accepts the following command line options: +OPTIONS + visudo accepts the following command line options: - -c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s file will be + -c Enable check-only mode. The existing sudoers file will be checked for syntax and a message will be printed to the - standard output detailing the status of _s_u_d_o_e_r_s. If the - syntax check completes successfully, vviissuuddoo will exit with - a value of 0. If a syntax error is encountered, vviissuuddoo + standard output detailing the status of sudoers. If the + syntax check completes successfully, visudo will exit with + a value of 0. If a syntax error is encountered, visudo will exit with a value of 1. 
- -f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this - option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your - choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock - file used is the specified _s_u_d_o_e_r_s file with ".tmp" - appended to it. In cchheecckk--oonnllyy mode only, the argument to - --ff may be "-", indicating that _s_u_d_o_e_r_s will be read from + -f sudoers Specify and alternate sudoers file location. With this + option visudo will edit (or check) the sudoers file of your + choice, instead of the default, /etc/sudoers. The lock + file used is the specified sudoers file with ".tmp" + appended to it. In check-only mode only, the argument to + -f may be "-", indicating that sudoers will be read from the standard input. - - - -1.7.6 April 9, 2011 1 - - - - - -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) - - - -h The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help + -h The -h (help) option causes visudo to print a short help message to the standard output and exit. - -q Enable qquuiieett mode. In this mode details about syntax + -q Enable quiet mode. In this mode details about syntax errors are not printed. This option is only useful when - combined with the --cc option. + combined with the -c option. - -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is - used before it is defined, vviissuuddoo will consider this a + -s Enable strict checking of the sudoers file. If an alias is + used before it is defined, visudo will consider this a parse error. Note that it is not possible to differentiate between an alias and a host name or user name that consists solely of uppercase letters, digits, and the underscore ('_') character. - -V The --VV (version) option causes vviissuuddoo to print its version + -V The -V (version) option causes visudo to print its version number and exit. 
-EENNVVIIRROONNMMEENNTT +ENVIRONMENT The following environment variables may be consulted depending on the - value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s variables: + value of the editor and env_editor sudoers variables: VISUAL Invoked by visudo as the editor to use EDITOR Used by visudo if VISUAL is not set -FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what +FILES + /etc/sudoers List of who can run what - _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo + /etc/sudoers.tmp Lock file for visudo -DDIIAAGGNNOOSSTTIICCSS +DIAGNOSTICS sudoers file busy, try again later. - Someone else is currently editing the _s_u_d_o_e_r_s file. + Someone else is currently editing the sudoers file. /etc/sudoers.tmp: Permission denied - You didn't run vviissuuddoo as root. + You didn't run visudo as root. Can't find you in the passwd database Your userid does not appear in the system passwd file. 
@@ -115,32 +101,19 @@ DDIIAAGGNNOOSSTTIICCSS {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of uppercase letters, digits, and the underscore ('_') character. In the latter case, you can ignore the - warnings (ssuuddoo will not complain). In --ss (strict) mode these are + warnings (sudo will not complain). In -s (strict) mode these are errors, not warnings. Warning: unused {User,Runas,Host,Cmnd}_Alias The specified {User,Runas,Host,Cmnd}_Alias was defined but never used. You may wish to comment out or remove the unused alias. In - --ss (strict) mode this is an error, not a warning. + -s (strict) mode this is an error, not a warning. +SEE ALSO + vi(1), sudoers(4), sudo(1m), vipw(8) - - - -1.7.6 April 9, 2011 2 - - - - - -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) - - -SSEEEE AALLSSOO - _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) - -AAUUTTHHOORR - Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo +AUTHOR + Many people have worked on sudo over the years; this version of visudo was written by: Todd Miller 
@@ -148,51 +121,26 @@ AAUUTTHHOORR See the HISTORY file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for more details. -CCAAVVEEAATTSS +CAVEATS There is no easy way to prevent a user from gaining a root shell if the - editor used by vviissuuddoo allows shell escapes. + editor used by visudo allows shell escapes. -BBUUGGSS - If you feel you have found a bug in vviissuuddoo, please submit a bug report +BUGS + If you feel you have found a bug in visudo, please submit a bug report at http://www.sudo.ws/sudo/bugs/ -SSUUPPPPOORRTT +SUPPORT Limited free support is available via the sudo-users mailing list, see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. -DDIISSCCLLAAIIMMEERR - vviissuuddoo is provided ``AS IS'' and any express or implied warranties, +DISCLAIMER + visudo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or + See the LICENSE file distributed with sudo or http://www.sudo.ws/sudo/license.html for complete details. - - - - - - - - - - - - - - - - - - - - - - - -1.7.6 April 9, 2011 3 - - +1.7.7 August 13, 2011 VISUDO(1m) diff --git a/visudo.man.in b/visudo.man.in index c8ee72e5a..4a3031cca 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l -- 2.40.0