From 5ab2e076771b490a1de64f669cb8f110a758ee1d Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 15 Aug 2007 15:21:14 +0000 Subject: [PATCH] regen --- sudo.cat | 368 +++++------ sudo.man.in | 226 +++---- sudoers.cat | 1642 +++++++++++++++++++++++------------------------- sudoers.man.in | 643 +++++++++---------- visudo.cat | 42 +- visudo.man.in | 37 +- 6 files changed, 1428 insertions(+), 1530 deletions(-) diff --git a/sudo.cat b/sudo.cat index 4f953eacb..cf188abbd 100644 --- a/sudo.cat +++ b/sudo.cat @@ -8,16 +8,16 @@ NNAAMMEE sudo, sudoedit - execute a command as another user SSYYNNOOPPSSIISS - ssuuddoo --KK | --kk | --hh | --LL | --VV | --vv + ssuuddoo --hh | --KK | --kk | --LL | --VV | --vv ssuuddoo --ll [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] - {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d} + [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] {--ii | --ss | _c_o_m_- + _m_a_n_d} - ssuuddooeeddiitt [--aa _a_u_t_h___t_y_p_e] [--pp _p_r_o_m_p_t] [--SS] [--uu _u_s_e_r_­ - _n_a_m_e|_#_u_i_d] file [...] + ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] + [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ... DDEESSCCRRIIPPTTIIOONN ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the 
@@ -25,10 +25,10 @@ DDEESSCCRRIIPPTTIIOONN file. The real and effective uid and gid are set to match those of the target user as specified in the passwd file and the group vector is initialized based on the group - file (unless the --PP option was specified). If the invok­ + file (unless the --PP option was specified). If the invok- ing user is root or if the target user is the same as the invoking user, no password is required. Otherwise, ssuuddoo - requires that users authenticate themselves with a pass­ + requires that users authenticate themselves with a pass- word by default (NOTE: in the default configuration this is the user's password, not the root password). Once a user has been authenticated, a timestamp is updated and 
@@ -39,29 +39,29 @@ DDEESSCCRRIIPPTTIIOONN is implied. ssuuddoo determines who is an authorized user by consulting - the file _/_e_t_c_/_s_u_d_o_e_r_s. By giving ssuuddoo the --vv flag a user - can update the time stamp without running a _c_o_m_m_a_n_d_. The + the file _/_e_t_c_/_s_u_d_o_e_r_s. By giving ssuuddoo the --vv flag, a user + can update the time stamp without running a _c_o_m_m_a_n_d. The password prompt itself will also time out if the user's - password is not entered within 5 minutes (unless overrid­ + password is not entered within 5 minutes (unless overrid- den via _s_u_d_o_e_r_s). If a user who is not listed in the _s_u_d_o_e_r_s file tries to - run a command via ssuuddoo, mail is sent to the proper author­ + run a command via ssuuddoo, mail is sent to the proper author- ities, as defined at configure time or in the _s_u_d_o_e_r_s file (defaults to root). Note that the mail will not be sent if an unauthorized user tries to run sudo with the --ll or --vv flags. This allows users to determine for themselves whether or not they are allowed to use ssuuddoo. - If ssuuddoo is run by root and the SUDO_USER environment vari­ + If ssuuddoo is run by root and the SUDO_USER environment vari- able is set, ssuuddoo will use this value to determine who the - actual user is. This can be used by a user to log com­ + actual user is. This can be used by a user to log com- mands through sudo even when a root shell has been invoked. It also allows the --ee flag to remain useful even -1.7 June 23, 2007 1 +1.7 August 15, 2007 1 
@@ -84,50 +84,50 @@ OOPPTTIIOONNSS -a The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the specified authentication type when validating the - user, as allowed by /etc/login.conf. The system + user, as allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may specify a list of sudo-specific authentication methods by adding an "auth-sudo" entry - in /etc/login.conf. This option is only available on - systems that support BSD authentication where ssuuddoo has - been configured with the --with-bsdauth option. + in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only available on + systems that support BSD authentication. -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given command in the background. Note that if you use the - --bb option you cannot use shell job control to manipu­ + --bb option you cannot use shell job control to manipu- late the process. -C fd Normally, ssuuddoo will close all open file descriptors - other than standard input, standard output and stan­ + other than standard input, standard output and stan- dard error. The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting point above the standard error (file descriptor three). Values less than three are not permitted. This option is only available if the administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e - option in sudoers(4). + option in _s_u_d_o_e_r_s(4). -c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified command with resources limited by the specified login class. The _c_l_a_s_s argument can be either a class name - as defined in /etc/login.conf, or a single '-' charac­ - ter. Specifying a _c_l_a_s_s of - indicates that the com­ + as defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' charac- + ter. Specifying a _c_l_a_s_s of - indicates that the com- mand should be run restricted by the default login capabilities for the user the command is run as. 
If the _c_l_a_s_s argument specifies an existing user class, the command must be run as root, or the ssuuddoo command must be run from a shell that is already root. This option is only available on systems with BSD login - classes where ssuuddoo has been configured with the - --with-logincap option. + classes. -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the - _e_n_v___r_e_s_e_t option in sudoers(4)). It is only available + _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when either the matching command has the SETENV tag or - the _s_e_t_e_n_v option is set in sudoers(4). + the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). + -e The --ee (_e_d_i_t) option indicates that, instead of -1.7 June 23, 2007 2 + +1.7 August 15, 2007 2 
@@ -136,27 +136,25 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - -e The --ee (_e_d_i_t) option indicates that, instead of run­ - ning a command, the user wishes to edit one or more + running a command, the user wishes to edit one or more files. In lieu of a command, the string "sudoedit" is used when consulting the _s_u_d_o_e_r_s file. If the user is authorized by _s_u_d_o_e_r_s the following steps are taken: - 1. Temporary copies are made of the files to be - edited with the owner set to the invoking - user. + 1. Temporary copies are made of the files to be + edited with the owner set to the invoking user. - 2. The editor specified by the VISUAL or EDITOR - environment variables is run to edit the tem­ - porary files. If neither VISUAL nor EDITOR - are set, the program listed in the _e_d_i_t_o_r - _s_u_d_o_e_r_s variable is used. + 2. The editor specified by the VISUAL or EDITOR envi- + ronment variables is run to edit the temporary + files. If neither VISUAL nor EDITOR are set, the + program listed in the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is + used. - 3. If they have been modified, the temporary - files are copied back to their original loca­ - tion and the temporary versions are removed. + 3. If they have been modified, the temporary files + are copied back to their original location and the + temporary versions are removed. - If the specified file does not exist, it will be cre­ + If the specified file does not exist, it will be cre- ated. Note that unlike most commands run by ssuuddoo, the editor is run with the invoking user's environment unmodified. If, for some reason, ssuuddoo is unable to 
@@ -164,23 +162,23 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) receive a warning and the edited copy will remain in a temporary file. - -H The --HH (_H_O_M_E) option sets the HOME environment vari­ + -H The --HH (_H_O_M_E) option sets the HOME environment vari- able to the homedir of the target user (root by - default) as specified in passwd(4). By default, ssuuddoo + default) as specified in _p_a_s_s_w_d(4). By default, ssuuddoo does not modify HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e - in sudoers(4)). + in _s_u_d_o_e_r_s(4)). - -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes­ + -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes- sage and exit. -i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell - specified in the passwd(4) entry of the user that the + specified in the _p_a_s_s_w_d(4) entry of the user that the command is being run as. The command name argument given to the shell begins with a `-' to tell the shell to run as a login shell. ssuuddoo attempts to change to that user's home directory before running the shell. It also initializes the environment, leaving _D_I_S_P_L_A_Y - and _T_E_R_M unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_­ + and _T_E_R_M unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_- _N_A_M_E, and _P_A_T_H, and unsetting all other environment variables. @@ -190,10 +188,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's timestamp by setting the time on it to the Epoch. The + next time ssuuddoo is run a password will be required. + This option does not require a password and was added -1.7 June 23, 2007 3 +1.7 August 15, 2007 3 
@@ -202,12 +202,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - next time ssuuddoo is run a password will be required. - This option does not require a password and was added to allow a user to revoke ssuuddoo permissions from a .logout file. - -L The --LL (_l_i_s_t defaults) option will list out the param­ + -L The --LL (_l_i_s_t defaults) option will list out the param- eters that may be set in a _D_e_f_a_u_l_t_s line along with a short description for each. This option is useful in conjunction with _g_r_e_p(1). @@ -218,7 +216,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) invoking user (or the user specified by the --UU option) on the current host. If a _c_o_m_m_a_n_d is specified and is permitted by _s_u_d_o_e_r_s, the fully-qualified path to the - command is displayed along with any command line argu­ + command is displayed along with any command line argu- ments. If _c_o_m_m_a_n_d is not allowed, ssuuddoo will exit with a return value of 1. 
@@ -233,21 +231,20 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) default password prompt and use a custom one. The following percent (`%') escapes are supported: - %u expanded to the invoking user's login name + %H expanded to the local hostname including the + domain name (on if the machine's hostname is fully + qualified or the _f_q_d_n _s_u_d_o_e_r_s option is set) - %U expanded to the login name of the user the - command will be run as (defaults to root) + %h expanded to the local hostname without the domain + name - %h expanded to the local hostname without the - domain name + %U expanded to the login name of the user the command + will be run as (defaults to root) - %H expanded to the local hostname including the - domain name (on if the machine's hostname is - fully qualified or the _f_q_d_n _s_u_d_o_e_r_s option is - set) + %u expanded to the invoking user's login name - %% two consecutive % characters are collapsed - into a single % character + %% two consecutive % characters are collapsed into a + single % character -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from the standard input instead of the terminal @@ -255,11 +252,14 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -s The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L environment variable if it is set or the shell - as specified in passwd(4). + as specified in _p_a_s_s_w_d(4). + + -U The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with + the --ll option to specify the user whose privileges -1.7 June 23, 2007 4 +1.7 August 15, 2007 4 
@@ -268,40 +268,43 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - -U The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with - the --ll option to specify the user whose privileges should be listed. Only root or a user with ssuuddoo ALL on the current host may use this option. -u The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. Note that if the - _t_a_r_g_e_t_p_w Defaults option is set (see sudoers(4)) it is + instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. When running com- + mands as a _u_i_d, many shells require that the '#' be + escaped with a backslash ('\'). Note that if the _t_a_r_- + _g_e_t_p_w Defaults option is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands with a uid not listed in the password database. - -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver­ + -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver- sion number and exit. If the invoking user is already root the --VV option will print out a list of the defaults ssuuddoo was compiled with as well as the machine's local network addresses. -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update - the user's timestamp, prompting for the user's pass­ + the user's timestamp, prompting for the user's pass- word if necessary. This extends the ssuuddoo timeout for another 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but does not run a command. -- The ---- flag indicates that ssuuddoo should stop processing - command line arguments. It is most useful in conjunc­ + command line arguments. It is most useful in conjunc- tion with the --ss flag. Environment variables to be set for the command may also be passed on the command line in the form of VVAARR=_v_a_l_u_e, - e.g. LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. 
This is only - permitted when the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s or the - command to be run has the SETENV tag set. See sudoers(4) - for more information. + e.g. LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables + passed on the command line are subject to the same + restrictions as normal environment variables with one + important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_- + _e_r_s or the command to be run has the SETENV tag set the + user may set variables that would overwise be forbidden. + See _s_u_d_o_e_r_s(4) for more information. RREETTUURRNN VVAALLUUEESS Upon successful execution of a program, the return value @@ -309,23 +312,20 @@ RREETTUURRNN VVAALLUUEESS that was executed. Otherwise, ssuuddoo quits with an exit value of 1 if there is - a configuration/permission problem or if ssuuddoo cannot exe­ + a configuration/permission problem or if ssuuddoo cannot exe- cute the given command. In the latter case the error string is printed to stderr. If ssuuddoo cannot _s_t_a_t(2) one or more entries in the user's PATH an error is printed on stderr. (If the directory does not exist or if it is not really a directory, the entry is ignored and no error is - printed.) This should not happen under normal circum­ + printed.) This should not happen under normal circum- stances. The most common reason for _s_t_a_t(2) to return "permission denied" is if you are running an automounter and one of the directories in your PATH is on a machine - that is currently unreachable. - - -1.7 June 23, 2007 5 +1.7 August 15, 2007 5 
@@ -334,43 +334,52 @@ RREETTUURRNN VVAALLUUEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + that is currently unreachable. + SSEECCUURRIITTYY NNOOTTEESS ssuuddoo tries to be safe when executing external commands. - Variables that control how dynamic loading and binding is - done can be used to subvert the program that ssuuddoo runs. - To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only), - and LIBPATH (AIX only) environment variables are removed - from the environment passed on to all commands executed. - ssuuddoo will also remove the IFS, CDPATH, ENV, BASH_ENV, - KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN, - RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO, - TERMINFO_DIRS and TERMPATH variables as they too can pose - a threat. If the TERMCAP variable is set and is a path­ - name, it too is ignored. Additionally, if the LC_* or - LANGUAGE variables contain the / or % characters, they are - ignored. Environment variables with a value beginning - with () are also removed as they could be interpreted as - bbaasshh functions. If ssuuddoo has been compiled with SecurID - support, the VAR_ACE, USR_ACE and DLC_ACE variables are - cleared as well. The list of environment variables that - ssuuddoo clears is contained in the output of sudo -V when run - as root. + + There are two distinct ways to deal with environment vari- + ables. By default, the _e_n_v___r_e_s_e_t _s_u_d_o_e_r_s option is + enabled. This causes commands to be executed with a mini- + mal environment containing TERM, PATH, HOME, SHELL, LOG- + NAME, USER and USERNAME in addition to variables from the + invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p + _s_u_d_o_e_r_s options. There is effectively a whitelist for + environment variables. + + If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, + any variables not explicitly denied by the _e_n_v___c_h_e_c_k and + _e_n_v___d_e_l_e_t_e options are inherited from the invoking pro- + cess. 
In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave like + a blacklist. Since it is not possible to blacklist all + potentially dangerous environment variables, use of the + default _e_n_v___r_e_s_e_t behavior is encouraged. + + In all cases, environment variables with a value beginning + with () are removed as they could be interpreted as bbaasshh + functions. The list of environment variables that ssuuddoo + allows or denies is contained in the output of sudo -V + when run as root. + + Note that the dynamic linker on most operating systems + will remove variables that can control dynamic linking + from the environment of setuid executables, including + ssuuddoo. Depending on the operating system this may include + _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth- + ers. These type of variables are removed from the envi- + ronment before ssuuddoo even begins execution and, as such, it + is not possible for ssuuddoo to preserve them. To prevent command spoofing, ssuuddoo checks "." and "" (both - denoting current directory) last when searching for a com­ + denoting current directory) last when searching for a com- mand in the user's PATH (if one or both are in the PATH). Note, however, that the actual PATH environment variable is _n_o_t modified and is passed unchanged to the program that ssuuddoo executes. - For security reasons, if your OS supports shared libraries - and does not disable user-defined library search paths for - setuid programs (most do), you should either use a linker - option that disables this behavior or link ssuuddoo stati­ - cally. - ssuuddoo will check the ownership of its timestamp directory - (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­ + (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con- tents if it is not owned by root or if it is writable by a user other than root. On systems that allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp 
@@ -379,19 +388,10 @@ SSEECCUURRIITTYY NNOOTTEESS timestamp directory before ssuuddoo is run. However, because ssuuddoo checks the ownership and mode of the directory and its contents, the only damage that can be done is to - "hide" files by putting them in the timestamp dir. This - is unlikely to happen since once the timestamp dir is - owned by root and inaccessible by any other user, the user - placing files there would be unable to get them back out. - To get around this issue you can use a directory that is - not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for - instance) or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate - owner (root) and permissions (0700) in the system startup - files. -1.7 June 23, 2007 6 +1.7 August 15, 2007 6 @@ -400,6 +400,16 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + "hide" files by putting them in the timestamp dir. This + is unlikely to happen since once the timestamp dir is + owned by root and inaccessible by any other user, the user + placing files there would be unable to get them back out. + To get around this issue you can use a directory that is + not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for + instance) or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate + owner (root) and permissions (0700) in the system startup + files. + ssuuddoo will not honor timestamps set far in the future. Timestamps with a date greater than current_time + 2 * TIMEOUT will be ignored and sudo will log and complain. 
@@ -415,59 +425,64 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) escapes (including most editors). Because of this, care must be taken when giving users access to commands via ssuuddoo to verify that the command does not inadvertently - give the user an effective root shell. For more informa­ + give the user an effective root shell. For more informa- tion, please see the PREVENTING SHELL ESCAPES section in - sudoers(4). + _s_u_d_o_e_r_s(4). EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables: - EDITOR Default editor to use in -e (sudoedit) mode if - VISUAL is not set + EDITOR Default editor to use in --ee (sudoedit) + mode if VISUAL is not set - HOME In -s or -H mode (or if sudo was configured with - the --enable-shell-sets-home option), set to - homedir of the target user + HOME In --ss or --HH mode (or if sudo was config- + ured with the --enable-shell-sets-home + option), set to homedir of the target user - PATH Set to a sane value if sudo was configured with - the --with-secure-path option + PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h + sudoers option is set. 
- SHELL Used to determine shell to run with -s option + SHELL Used to determine shell to run with -s + option - SUDO_PROMPT Used as the default password prompt + SUDO_PROMPT Used as the default password prompt - SUDO_COMMAND Set to the command run by sudo + SUDO_COMMAND Set to the command run by sudo - SUDO_USER Set to the login of the user who invoked sudo + SUDO_USER Set to the login of the user who invoked + sudo - SUDO_UID Set to the uid of the user who invoked sudo + SUDO_UID Set to the uid of the user who invoked + sudo - SUDO_GID Set to the gid of the user who invoked sudo - SUDO_PS1 If set, PS1 will be set to its value - USER Set to the target user (root unless the -u option - is specified) +1.7 August 15, 2007 7 - VISUAL Default editor to use in -e (sudoedit) mode -FFIILLEESS - /etc/sudoers List of who can run what - /var/run/sudo Directory containing timestamps -1.7 June 23, 2007 7 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + SUDO_GID Set to the gid of the user who invoked + sudo + SUDO_PS1 If set, PS1 will be set to its value + USER Set to the target user (root unless the --uu + option is specified) -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + VISUAL Default editor to use in --ee (sudoedit) + mode +FFIILLEESS + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps EEXXAAMMPPLLEESS - Note: the following examples assume suitable sudoers(4) + Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. To get a file listing of an unreadable directory: 
@@ -495,16 +510,28 @@ EEXXAAMMPPLLEESS $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), sudoers(4), - passwd(4), visudo(1m) + _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), + _s_u_d_o_e_r_s(4), _v_i_s_u_d_o(1m) AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this ver­ + Many people have worked on ssuuddoo over the years; this ver- sion consists of code written primarily by: Todd C. Miller See the HISTORY file in the ssuuddoo distribution or visit + + + +1.7 August 15, 2007 8 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. @@ -515,23 +542,11 @@ CCAAVVEEAATTSS user to run commands via shell escapes, thus avoiding ssuuddoo's checks. However, on most systems it is possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. - See the sudoers(4) manual for details. + See the _s_u_d_o_e_r_s(4) manual for details. It is not meaningful to run the cd command directly via sudo, e.g., - - - -1.7 June 23, 2007 8 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - $ sudo cd /usr/local/protected since when the command exits the parent process (your @@ -540,11 +555,11 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root - shell regardless of any '!' elements in the user specifi­ + shell regardless of any '!' elements in the user specifi- cation. Running shell scripts via ssuuddoo can expose the same kernel - bugs that make setuid shell scripts unsafe on some operat­ + bugs that make setuid shell scripts unsafe on some operat- ing systems (if your OS has a /dev/fd/ directory, setuid shell scripts are generally safe). 
@@ -553,17 +568,17 @@ BBUUGGSS bug report at http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mail­ - ing list, see http://www.sudo.ws/mail­ + Limited free support is available via the sudo-users mail- + ing list, see http://www.sudo.ws/mail- man/listinfo/sudo-users to subscribe or search the archives. DDIISSCCLLAAIIMMEERR - SSuuddoo is provided ``AS IS'' and any express or implied war­ - ranties, including, but not limited to, the implied war­ + ssuuddoo is provided ``AS IS'' and any express or implied war- + ranties, including, but not limited to, the implied war- ranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­ + with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- plete details. @@ -574,21 +589,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - -1.7 June 23, 2007 9 +1.7 August 15, 2007 9 diff --git a/sudo.man.in b/sudo.man.in index 3bdcdcc90..05516a920 100644 --- a/sudo.man.in +++ b/sudo.man.in 
@@ -150,22 +150,22 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" .IX Header "SYNOPSIS" -\&\fBsudo\fR \fB\-K\fR | \fB\-k\fR | \fB\-h\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR +\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR .PP \&\fBsudo\fR \fB\-l\fR [\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR] .PP \&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] -[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR} +[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR} .PP -\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] -[\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] -file [...] +\&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] +[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] +file ... .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the 
@@ -186,8 +186,8 @@ When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below), is implied. .PP \&\fBsudo\fR determines who is an authorized user by consulting the file -\&\fI@sysconfdir@/sudoers\fR. By giving \fBsudo\fR the \fB\-v\fR flag a user -can update the time stamp without running a \fIcommand.\fR The password +\&\fI@sysconfdir@/sudoers\fR. By giving \fBsudo\fR the \fB\-v\fR flag, a user +can update the time stamp without running a \fIcommand\fR. The password prompt itself will also time out if the user's password is not entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden via \&\fIsudoers\fR). @@ -219,11 +219,10 @@ or via the \fIsudoers\fR file. .IX Item "-a" The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the specified authentication type when validating the user, as allowed -by /etc/login.conf. The system administrator may specify a list +by \fI/etc/login.conf\fR. The system administrator may specify a list of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R" -entry in /etc/login.conf. This option is only available on systems -that support \s-1BSD\s0 authentication where \fBsudo\fR has been configured -with the \-\-with\-bsdauth option. +entry in \fI/etc/login.conf\fR. This option is only available on systems +that support \s-1BSD\s0 authentication. .IP "\-b" 4 .IX Item "-b" The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given 
@@ -237,25 +236,24 @@ standard input, standard output and standard error. The \fB\-C\fR above the standard error (file descriptor three). Values less than three are not permitted. This option is only available if the administrator has enabled the \fIclosefrom_override\fR option in -sudoers(@mansectform@). +\&\fIsudoers\fR\|(@mansectform@). .IP "\-c" 4 .IX Item "-c" The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command with resources limited by the specified login class. The \fIclass\fR -argument can be either a class name as defined in /etc/login.conf, +argument can be either a class name as defined in \fI/etc/login.conf\fR, or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates that the command should be run restricted by the default login capabilities for the user the command is run as. If the \fIclass\fR argument specifies an existing user class, the command must be run as root, or the \fBsudo\fR command must be run from a shell that is already -root. This option is only available on systems with \s-1BSD\s0 login classes -where \fBsudo\fR has been configured with the \-\-with\-logincap option. +root. This option is only available on systems with \s-1BSD\s0 login classes. .IP "\-E" 4 .IX Item "-E" -The \fB\-E\fR (\fIpreserve environment\fR) option will override the -\&\fIenv_reset\fR option in sudoers(@mansectform@)). It is only +The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the +\&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)). It is only available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag -or the \fIsetenv\fR option is set in sudoers(@mansectform@). +or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@). .IP "\-e" 4 .IX Item "-e" The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running 
@@ -264,15 +262,15 @@ of a command, the string \*(L"sudoedit\*(R" is used when consulting the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR the following steps are taken: .RS 4 -.IP "1." 8 +.IP "1." 4 Temporary copies are made of the files to be edited with the owner set to the invoking user. -.IP "2." 8 +.IP "2." 4 The editor specified by the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment variables is run to edit the temporary files. If neither \f(CW\*(C`VISUAL\*(C'\fR nor \f(CW\*(C`EDITOR\*(C'\fR are set, the program listed in the \fIeditor\fR \fIsudoers\fR variable is used. -.IP "3." 8 +.IP "3." 4 If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. .RE @@ -289,15 +287,15 @@ temporary file. .IX Item "-H" The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable to the homedir of the target user (root by default) as specified -in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR -(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)). +in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR +(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)). .IP "\-h" 4 .IX Item "-h" The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. .IP "\-i" 4 .IX Item "-i" The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified -in the passwd(@mansectform@) entry of the user that the command is +in the \fIpasswd\fR\|(@mansectform@) entry of the user that the command is being run as. The command name argument given to the shell begins with a `\f(CW\*(C`\-\*(C'\fR' to tell the shell to run as a login shell. \fBsudo\fR attempts to change to that user's home directory before running the 
@@ -332,7 +330,7 @@ command line arguments. If \fIcommand\fR is not allowed, \fBsudo\fR will exit with a return value of 1. .IP "\-P" 4 .IX Item "-P" -The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to +The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to preserve the invoking user's group vector unaltered. By default, \&\fBsudo\fR will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are @@ -343,27 +341,27 @@ The \fB\-p\fR (\fIprompt\fR) option allows you to override the default password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported: .RS 4 -.ie n .IP "%u" 8 -.el .IP "\f(CW%u\fR" 8 -.IX Item "%u" -expanded to the invoking user's login name -.ie n .IP "%U" 8 -.el .IP "\f(CW%U\fR" 8 -.IX Item "%U" -expanded to the login name of the user the command will -be run as (defaults to root) -.ie n .IP "%h" 8 -.el .IP "\f(CW%h\fR" 8 -.IX Item "%h" -expanded to the local hostname without the domain name -.ie n .IP "%H" 8 -.el .IP "\f(CW%H\fR" 8 +.ie n .IP "%H" 4 +.el .IP "\f(CW%H\fR" 4 .IX Item "%H" expanded to the local hostname including the domain name (on if the machine's hostname is fully qualified or the \fIfqdn\fR \&\fIsudoers\fR option is set) -.ie n .IP "\*(C`%%\*(C'" 8 -.el .IP "\f(CW\*(C`%%\*(C'\fR" 8 +.ie n .IP "%h" 4 +.el .IP "\f(CW%h\fR" 4 +.IX Item "%h" +expanded to the local hostname without the domain name +.ie n .IP "%U" 4 +.el .IP "\f(CW%U\fR" 4 +.IX Item "%U" +expanded to the login name of the user the command will +be run as (defaults to root) +.ie n .IP "%u" 4 +.el .IP "\f(CW%u\fR" 4 +.IX Item "%u" +expanded to the invoking user's login name +.ie n .IP "\*(C`%%\*(C'" 4 +.el .IP "\f(CW\*(C`%%\*(C'\fR" 4 .IX Item "%%" two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character .RE 
@@ -377,7 +375,7 @@ the standard input instead of the terminal device. .IX Item "-s" The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR environment variable if it is set or the shell as specified -in passwd(@mansectform@). +in \fIpasswd\fR\|(@mansectform@). .IP "\-U" 4 .IX Item "-U" The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR @@ -386,11 +384,13 @@ root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use option. .IP "\-u" 4 .IX Item "-u" -The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command -as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a -\&\fIusername\fR, use \fI#uid\fR. Note that if the \fItargetpw\fR Defaults -option is set (see sudoers(@mansectform@)) it is not possible -to run commands with a uid not listed in the password database. +The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified +command as a user other than \fIroot\fR. To specify a \fIuid\fR instead +of a \fIusername\fR, use \fI#uid\fR. When running commands as a \fIuid\fR, +many shells require that the '#' be escaped with a backslash ('\e'). +Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(@mansectform@)) +it is not possible to run commands with a uid not listed in the +password database. .IP "\-V" 4 .IX Item "-V" The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version 
@@ -415,7 +415,7 @@ command line are subject to the same restrictions as normal environment variables with one important exception. If the \fIsetenv\fR option is set in \fIsudoers\fR or the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag set the user may set variables that would overwise be forbidden. -See sudoers(@mansectform@) for more information. +See \fIsudoers\fR\|(@mansectform@) for more information. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Upon successful execution of a program, the return value from \fBsudo\fR 
@@ -502,72 +502,72 @@ editors). Because of this, care must be taken when giving users access to commands via \fBsudo\fR to verify that the command does not inadvertently give the user an effective root shell. For more information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in -sudoers(@mansectform@). +\&\fIsudoers\fR\|(@mansectform@). .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" \&\fBsudo\fR utilizes the following environment variables: -.PP -.Vb 2 -\& EDITOR Default editor to use in -e (sudoedit) mode if -\& VISUAL is not set -.Ve -.PP -.Vb 3 -\& HOME In -s or -H mode (or if sudo was configured with -\& the --enable-shell-sets-home option), set to -\& homedir of the target user -.Ve -.PP -.Vb 2 -\& PATH Set to a sane value if sudo was configured with -\& the --with-secure-path option -.Ve -.PP -.Vb 1 -\& SHELL Used to determine shell to run with -s option -.Ve -.PP -.Vb 1 -\& SUDO_PROMPT Used as the default password prompt -.Ve -.PP -.Vb 1 -\& SUDO_COMMAND Set to the command run by sudo -.Ve -.PP -.Vb 1 -\& SUDO_USER Set to the login of the user who invoked sudo -.Ve -.PP -.Vb 1 -\& SUDO_UID Set to the uid of the user who invoked sudo -.Ve -.PP -.Vb 1 -\& SUDO_GID Set to the gid of the user who invoked sudo -.Ve -.PP -.Vb 1 -\& SUDO_PS1 If set, PS1 will be set to its value -.Ve -.PP -.Vb 2 -\& USER Set to the target user (root unless the -u option -\& is specified) -.Ve -.PP -.Vb 1 -\& VISUAL Default editor to use in -e (sudoedit) mode -.Ve +.ie n .IP "\*(C`EDITOR\*(C'" 16 +.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16 +.IX Item "EDITOR" +Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`VISUAL\*(C'\fR is not set +.ie n .IP "\*(C`HOME\*(C'" 16 +.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16 +.IX Item "HOME" +In \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the +\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user +.ie n .IP "\*(C`PATH\*(C'" 16 +.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16 +.IX Item "PATH" +Set to a sane 
value if the \fIsecure_path\fR sudoers option is set. +.ie n .IP "\*(C`SHELL\*(C'" 16 +.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16 +.IX Item "SHELL" +Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option +.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16 +.IX Item "SUDO_PROMPT" +Used as the default password prompt +.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16 +.IX Item "SUDO_COMMAND" +Set to the command run by sudo +.ie n .IP "\*(C`SUDO_USER\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16 +.IX Item "SUDO_USER" +Set to the login of the user who invoked sudo +.ie n .IP "\*(C`SUDO_UID\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16 +.IX Item "SUDO_UID" +Set to the uid of the user who invoked sudo +.ie n .IP "\*(C`SUDO_GID\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16 +.IX Item "SUDO_GID" +Set to the gid of the user who invoked sudo +.ie n .IP "\*(C`SUDO_PS1\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16 +.IX Item "SUDO_PS1" +If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value +.ie n .IP "\*(C`USER\*(C'" 16 +.el .IP "\f(CW\*(C`USER\*(C'\fR" 16 +.IX Item "USER" +Set to the target user (root unless the \fB\-u\fR option is specified) +.ie n .IP "\*(C`VISUAL\*(C'" 16 +.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 +.IX Item "VISUAL" +Default editor to use in \fB\-e\fR (sudoedit) mode .SH "FILES" .IX Header "FILES" -.Vb 2 -\& @sysconfdir@/sudoers List of who can run what -\& @timedir@ Directory containing timestamps -.Ve +.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C'List of who can run what" 4 +.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fRList of who can run what" 4 +.IX Item "@sysconfdir@/sudoers List of who can run what" +.PD 0 +.ie n .IP "\fI@timedir@\fR\*(C` \*(C'Directory containing timestamps" 4 +.el .IP "\fI@timedir@\fR\f(CW\*(C` \*(C'\fRDirectory containing timestamps" 4 +.IX Item "@timedir@ Directory containing timestamps" +.PD .SH "EXAMPLES" .IX Header "EXAMPLES" -Note: the 
following examples assume suitable sudoers(@mansectform@) entries. +Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries. .PP To get a file listing of an unreadable directory: .PP @@ -603,8 +603,8 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@), -passwd(@mansectform@), visudo(@mansectsu@) +\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), \fIpasswd\fR\|(@mansectform@), +\&\fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@) .SH "AUTHORS" .IX Header "AUTHORS" Many people have worked on \fBsudo\fR over the years; this @@ -624,7 +624,7 @@ if that user is allowed to run arbitrary commands via \fBsudo\fR. Also, many programs (such as editors) allow the user to run commands via shell escapes, thus avoiding \fBsudo\fR's checks. However, on most systems it is possible to prevent shell escapes with \fBsudo\fR's -\&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual +\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual for details. .PP It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g., @@ -654,7 +654,7 @@ see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or search the archives. .SH "DISCLAIMER" .IX Header "DISCLAIMER" -\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html diff --git a/sudoers.cat b/sudoers.cat index d00da61ef..f721da508 100644 --- a/sudoers.cat +++ b/sudoers.cat 
@@ -25,26 +25,26 @@ DDEESSCCRRIIPPTTIIOONN QQuuiicckk gguuiiddee ttoo EEBBNNFF EBNF is a concise and exact way of describing the grammar - of a language. Each EBNF definition is made up of _p_r_o_d_u_c_­ + of a language. Each EBNF definition is made up of _p_r_o_d_u_c_- _t_i_o_n _r_u_l_e_s. E.g., symbol ::= definition | alternate1 | alternate2 ... Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a - grammar for the language. EBNF also contains the follow­ - ing operators, which many readers will recognize from reg­ + grammar for the language. EBNF also contains the follow- + ing operators, which many readers will recognize from reg- ular expressions. Do not, however, confuse them with "wildcard" characters, which have different meanings. - ? Means that the preceding symbol (or group of sym­ - bols) is optional. That is, it may appear once or - not at all. + ? Means that the preceding symbol (or group of symbols) + is optional. That is, it may appear once or not at + all. - * Means that the preceding symbol (or group of sym­ - bols) may appear zero or more times. + * Means that the preceding symbol (or group of symbols) + may appear zero or more times. - + Means that the preceding symbol (or group of sym­ - bols) may appear one or more times. + + Means that the preceding symbol (or group of symbols) + may appear one or more times. Parentheses may be used to group symbols together. For clarity, we will use single quotes ('') to designate what @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7 June 23, 2007 1 +1.7 August 15, 2007 1 
@@ -90,7 +90,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Alias_Type NAME = item1, item2, ... where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, - Host_Alias, or Cmnd_Alias. A NAME is a string of upper­ + Host_Alias, or Cmnd_Alias. A NAME is a string of upper- case letters, numbers, and underscore characters ('_'). A NAME mmuusstt start with an uppercase letter. It is possible to put several alias definitions of the same type on a @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 June 23, 2007 2 +1.7 August 15, 2007 2 @@ -140,8 +140,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) also contain uids (prefixed with '#') and instead of User_Aliases it can contain Runas_Aliases. Note that usernames and groups are matched as strings. In other - words, two users (groups) with the same uid (gid) are con­ - sidered to be distinct. If you wish to match all user­ + words, two users (groups) with the same uid (gid) are con- + sidered to be distinct. If you wish to match all user- names with the same uid (e.g. root and toor), you can use a uid instead (#0 in the example given). 
@@ -162,13 +162,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) each of the local host's network interfaces and, if the network number corresponds to one of the hosts's network interfaces, the corresponding netmask will be used. The - netmask may be specified either in dotted quad notation - (e.g. 255.255.255.0) or CIDR notation (number of bits, - e.g. 24). A hostname may include shell-style wildcards - (see the Wildcards section below), but unless the hostname - command on your machine returns the fully qualified host­ - name, you'll need to use the _f_q_d_n option for wildcards to - be useful. + netmask may be specified either in standard IP address + notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or + CIDR notation (number of bits, e.g. 24 or 64). A hostname + may include shell-style wildcards (see the Wildcards sec- + tion below), but unless the hostname command on your + machine returns the fully qualified hostname, you'll need + to use the _f_q_d_n option for wildcards to be useful. Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -182,8 +182,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) '!'* "sudoedit" | '!'* Cmnd_Alias - A Cmnd_List is a list of one or more commandnames, direc­ - tories, and other aliases. A commandname is a fully qual­ + A Cmnd_List is a list of one or more commandnames, direc- + tories, and other aliases. A commandname is a fully qual- ified filename which may include shell-style wildcards (see the Wildcards section below). A simple filename allows the user to run the command with any arguments @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 June 23, 2007 3 +1.7 August 15, 2007 3 
@@ -212,7 +212,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) arguments in the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must - be escaped with a '\' if they are used in command argu­ + be escaped with a '\' if they are used in command argu- ments: ',', ':', '=', '\'. The special command "sudoedit" is used to permit a user to run ssuuddoo with the --ee flag (or as ssuuddooeeddiitt). It may take command line arguments just as @@ -248,7 +248,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are implicitly boolean and can be turned off via the '!' operator. Some integer, string and list - parameters may also be used in a boolean context to dis­ + parameters may also be used in a boolean context to dis- able them. Values may be enclosed in double quotes (") when they contain multiple words. Special characters may be escaped with a backslash (\). @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 June 23, 2007 4 +1.7 August 15, 2007 4 
@@ -270,260 +270,128 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to remove an element that does not exist in a list. - FFllaaggss: + See "SUDOERS OPTIONS" for a list of supported Defaults + parameters. - long_otp_prompt - When validating with a One Time Password - scheme (SS//KKeeyy or OOPPIIEE), a two-line prompt is - used to make it easier to cut and paste the - challenge to a local window. It's not as - pretty as the default but some people find it - more convenient. This flag is _o_f_f by default. - - ignore_dot If set, ssuuddoo will ignore '.' or '' (current - dir) in the PATH environment variable; the - PATH itself is not modified. This flag is _o_f_f - by default. - - mail_always Send mail to the _m_a_i_l_t_o user every time a - users runs ssuuddoo. This flag is _o_f_f by default. - - mail_badpass - Send mail to the _m_a_i_l_t_o user if the user run­ - ning ssuuddoo does not enter the correct password. - This flag is _o_f_f by default. - - mail_no_user - If set, mail will be sent to the _m_a_i_l_t_o user - if the invoking user is not in the _s_u_d_o_e_r_s - file. This flag is _o_n by default. - - mail_no_host - If set, mail will be sent to the _m_a_i_l_t_o user - if the invoking user exists in the _s_u_d_o_e_r_s - file, but is not allowed to run commands on - the current host. This flag is _o_f_f by - default. + UUsseerr SSppeecciiffiiccaattiioonn - mail_no_perms - If set, mail will be sent to the _m_a_i_l_t_o user - if the invoking user is allowed to use ssuuddoo - but the command they are trying is not listed - in their _s_u_d_o_e_r_s file entry or is explicitly - denied. This flag is _o_f_f by default. + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* - tty_tickets If set, users must authenticate on a per-tty - basis. Normally, ssuuddoo uses a directory in the - ticket dir with the same name as the user run­ - ning it. 
With this flag enabled, ssuuddoo will - use a file named for the tty the user is - logged in on in that directory. This flag is - _o_f_f by default. + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List - authenticate - If set, users must authenticate themselves via + Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + Runas_Spec ::= '(' Runas_List ')' + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' ) -1.7 June 23, 2007 5 + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may + run (and as what user) on specified hosts. By default, + commands are run as rroooott, but this can be changed on a + per-command basis. + Let's break that down into its constituent parts: + RRuunnaass__SSppeecc + A Runas_Spec is simply a Runas_List (as defined above) + enclosed in a set of parentheses. If you do not specify a + Runas_Spec in the user specification, a default Runas_Spec + of rroooott will be used. A Runas_Spec sets the default for + commands that follow it. What this means is that for the + entry: + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m + -- but only as ooppeerraattoorr. E.g., + $ sudo -u operator /bin/ls. - a password (or other means of authentication) - before they may run commands. This default - may be overridden via the PASSWD and NOPASSWD - tags. This flag is _o_n by default. - - root_sudo If set, root is allowed to run ssuuddoo too. Dis­ - abling this prevents users from "chaining" - ssuuddoo commands to get a root shell by doing - something like "sudo sudo /bin/sh". Note, - however, that turning off _r_o_o_t___s_u_d_o will also - prevent root and from running ssuuddooeeddiitt. Dis­ - abling _r_o_o_t___s_u_d_o provides no real additional - security; it exists purely for historical rea­ - sons. This flag is _o_n by default. 
- - log_host If set, the hostname will be logged in the - (non-syslog) ssuuddoo log file. This flag is _o_f_f - by default. - - log_year If set, the four-digit year will be logged in - the (non-syslog) ssuuddoo log file. This flag is - _o_f_f by default. - - shell_noargs - If set and ssuuddoo is invoked with no arguments - it acts as if the --ss flag had been given. - That is, it runs a shell as root (the shell is - determined by the SHELL environment variable - if it is set, falling back on the shell listed - in the invoking user's /etc/passwd entry if - not). This flag is _o_f_f by default. - - set_home If set and ssuuddoo is invoked with the --ss flag - the HOME environment variable will be set to - the home directory of the target user (which - is root unless the --uu option is used). This - effectively makes the --ss flag imply --HH. This - flag is _o_f_f by default. - - always_set_home - If set, ssuuddoo will set the HOME environment - variable to the home directory of the target - user (which is root unless the --uu option is - used). This effectively means that the --HH - flag is always implied. This flag is _o_f_f by - default. + It is also possible to override a Runas_Spec later on in + an entry. If we modify the entry like so: - path_info Normally, ssuuddoo will tell the user when a com­ - mand could not be found in their PATH environ­ - ment variable. Some sites may wish to disable - this as it could be used to gather information - on the location of executables that the normal - user does not have access to. The disadvan­ - tage is that if the executable is simply not + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, + but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. 
-1.7 June 23, 2007 6 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +1.7 August 15, 2007 5 - in the user's PATH, ssuuddoo will tell the user - that they are not allowed to run it, which can - be confusing. This flag is _o_f_f by default. - - preserve_groups - By default ssuuddoo will initialize the group vec­ - tor to the list of groups the target user is - in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's - existing group vector is left unaltered. The - real and effective group IDs, however, are - still set to match the target user. This flag - is _o_f_f by default. - - fqdn Set this flag if you want to put fully quali­ - fied hostnames in the _s_u_d_o_e_r_s file. I.e., - instead of myhost you would use myhost.mydo­ - main.edu. You may still use the short form if - you wish (and even mix the two). Beware that - turning on _f_q_d_n requires ssuuddoo to make DNS - lookups which may make ssuuddoo unusable if DNS - stops working (for example if the machine is - not plugged into the network). Also note that - you must use the host's official name as DNS - knows it. That is, you may not use a host - alias (CNAME entry) due to performance issues - and the fact that there is no way to get all - aliases from DNS. If your machine's hostname - (as returned by the hostname command) is - already fully qualified you shouldn't need to - set _f_q_d_n. This flag is _o_f_f by default. - - insults If set, ssuuddoo will insult users when they enter - an incorrect password. This flag is _o_f_f by - default. - requiretty If set, ssuuddoo will only run when the user is - logged in to a real tty. This will disallow - things like "rsh somehost sudo ls" since - _r_s_h(1) does not allocate a tty. Because it is - not possible to turn off echo when there is no - tty present, some sites may wish to set this - flag to prevent a user from entering a visible - password. This flag is _o_f_f by default. 
- env_editor If set, vviissuuddoo will use the value of the EDI­ - TOR or VISUAL environment variables before - falling back on the default editor list. Note - that this may create a security hole as it - allows the user to run any arbitrary command - as root without logging. A safer alternative - is to place a colon-separated list of editors - in the editor variable. vviissuuddoo will then only - use the EDITOR or VISUAL if they match a value - specified in editor. This flag is off by +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 June 23, 2007 7 + TTaagg__SSppeecc + A command may have zero or more tags associated with it. + There are eight possible tag values, NOPASSWD, PASSWD, + NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a + Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the + tag unless it is overridden by the opposite tag (i.e.: + PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). + _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + By default, ssuuddoo requires that a user authenticate him or + herself before running a command. This behavior can be + modified via the NOPASSWD tag. Like a Runas_Spec, the + NOPASSWD tag sets a default for the commands that follow + it in the Cmnd_Spec_List. Conversely, the PASSWD tag can + be used to reverse things. For example: + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and + _/_u_s_r_/_b_i_n_/_l_p_r_m as root on the machine rushmore as rroooott + without authenticating himself. If we only want rraayy to be + able to run _/_b_i_n_/_k_i_l_l without a password the entry would + be: + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - default. + Note, however, that the PASSWD tag has no effect on users + who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. 
- rootpw If set, ssuuddoo will prompt for the root password - instead of the password of the invoking user. - This flag is _o_f_f by default. + By default, if the NOPASSWD tag is applied to any of the + entries for a user on the current host, he or she will be + able to run sudo -l without a password. Additionally, a + user may only run sudo -v without a password if the + NOPASSWD tag is present for all a user's entries that per- + tain to the current host. This behavior may be overridden + via the verifypw and listpw options. - runaspw If set, ssuuddoo will prompt for the password of - the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option - (defaults to root) instead of the password of - the invoking user. This flag is _o_f_f by - default. + _N_O_E_X_E_C _a_n_d _E_X_E_C - targetpw If set, ssuuddoo will prompt for the password of - the user specified by the --uu flag (defaults to - root) instead of the password of the invoking - user. Note that this precludes the use of a - uid not listed in the passwd database as an - argument to the --uu flag. This flag is _o_f_f by - default. + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the + underlying operating system supports it, the NOEXEC tag + can be used to prevent a dynamically-linked executable + from running further commands itself. - set_logname Normally, ssuuddoo will set the LOGNAME, USER and - USERNAME environment variables to the name of - the target user (usually root unless the --uu - flag is given). However, since some programs - (including the RCS revision control system) - use LOGNAME to determine the real identity of - the user, it may be desirable to change this - behavior. This can be done by negating the - set_logname option. Note that if the - _e_n_v___r_e_s_e_t option has not been disabled, - entries in the _e_n_v___k_e_e_p list will override the - value of _s_e_t___l_o_g_n_a_m_e. 
+ In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e + and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - stay_setuid Normally, when ssuuddoo executes a command the - real and effective UIDs are set to the target - user (root by default). This option changes - that behavior such that the real UID is left - as the invoking user's UID. In other words, - this makes ssuuddoo act as a setuid wrapper. This - can be useful on systems that disable some - potentially dangerous functionality when a - program is run setuid. This option is only - effective on systems with either the - _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - env_reset If set, ssuuddoo will reset the environment to - only contain the LOGNAME, SHELL, USER, USER­ - NAME and the SUDO_* variables. Any variables - in the caller's environment that match the - env_keep and env_check lists are then added. - The default contents of the env_keep and - env_check lists are displayed when ssuuddoo is run - by root with the _-_V option. If the - _s_e_c_u_r_e___p_a_t_h option is set, its -value will be + See the "PREVENTING SHELL ESCAPES" section below for more + details on how NOEXEC works and whether or not it will + work on your system. -1.7 June 23, 2007 8 +1.7 August 15, 2007 6 
@@ -532,262 +400,262 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - used for the PATH environment variable. This - flag is _o_n by default. - - use_loginclass - If set, ssuuddoo will apply the defaults specified - for the target user's login class if one - exists. Only available if ssuuddoo is configured - with the --with-logincap option. This flag is - _o_f_f by default. - - noexec If set, all commands run via ssuuddoo will behave - as if the NOEXEC tag has been set, unless - overridden by a EXEC tag. See the description - of _N_O_E_X_E_C _a_n_d _E_X_E_C below as well as the "PRE­ - VENTING SHELL ESCAPES" section at the end of - this manual. This flag is _o_f_f by default. - - monitor If set, all commands run via ssuuddoo will behave - as if the MONITOR tag has been set, unless - overridden by a NOMONITOR tag. See the - description of _M_O_N_I_T_O_R _a_n_d _N_O_M_O_N_I_T_O_R below as - well as the "PREVENTING SHELL ESCAPES" section - at the end of this manual. Be aware that - tracing is only supported on certain operating - systems. On systems where it is not supported - this flag will have no effect. This flag is - _o_f_f by default. + _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V - ignore_local_sudoers - If set via LDAP, parsing of @sysconfdir@/sudo­ - ers will be skipped. This is intended for - Enterprises that wish to prevent the usage of - local sudoers files so that only LDAP is used. - This thwarts the efforts of rogue operators - who would attempt to add roles to - @sysconfdir@/sudoers. When this option is - present, @sysconfdir@/sudoers does not even - need to exist. Since this option tells ssuuddoo - how to behave when no specific LDAP entries - have been matched, this sudoOption is only - meaningful for the cn=defaults section. This - flag is _o_f_f by default. + These tags override the value of the _s_e_t_e_n_v option on a + per-command basis. 
Note that if SETENV has been set for a + command, any environment variables set on the command line + way are not subject to the restrictions imposed by + _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted + users should be allowed to set variables in this manner. - closefrom_override - If set, the user may use ssuuddoo's --CC option - which overrides the default starting point at - which ssuuddoo begins closing open file descrip­ - tors. This flag is _o_f_f by default. + WWiillddccaarrddss - IInntteeggeerrss: + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob char- + acters) to be used in pathnames as well as command line + arguments in the _s_u_d_o_e_r_s file. Wildcard matching is done + via the PPOOSSIIXX _f_n_m_a_t_c_h(3) routine. Note that these are _n_o_t + regular expressions. - passwd_tries - The number of tries a user gets to enter - his/her password before ssuuddoo logs the failure + * Matches any set of zero or more characters. + ? Matches any single character. + [...] Matches any character in the specified range. -1.7 June 23, 2007 9 + [!...] Matches any character nnoott in the specified range. + \x For any character "x", evaluates to "x". This is + used to escape special characters such as: "*", + "?", "[", and "}". + Note that a forward slash ('/') will nnoott be matched by + wildcards used in the pathname. When matching the command + line arguments, however, a slash ddooeess get matched by wild- + cards. This is to make a path like: + /usr/bin/* + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess + The following exceptions apply to the above rules: - and exits. The default is 3. + "" If the empty string "" is the only command line + argument in the _s_u_d_o_e_r_s entry it means that com- + mand is not allowed to be run with aannyy arguments. 
- IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - loglinelen Number of characters per line for the file - log. This value is used to decide when to - wrap lines for nicer log files. This has no - effect on the syslog log file, only the file - log. The default is 80 (use 0 or negate the - option to disable word wrap). + It is possible to include other _s_u_d_o_e_r_s files from within + the _s_u_d_o_e_r_s file currently being parsed using the #include + directive, similar to the one used by the C preprocessor. + This is useful, for example, for keeping a site-wide _s_u_d_o_- + _e_r_s file in addition to a per-machine local one. For the + sake of this example the site-wide _s_u_d_o_e_r_s will be - timestamp_timeout - Number of minutes that can elapse before ssuuddoo - will ask for a passwd again. The default is - 5. Set this to 0 to always prompt for a pass­ - word. If set to a value less than 0 the - user's timestamp will never expire. This can - be used to allow users to create or delete - their own timestamps via sudo -v and sudo -k - respectively. - - passwd_timeout - Number of minutes before the ssuuddoo password - prompt times out. The default is 5, set this - to 0 for no password timeout. - - umask Umask to use when running the command. Negate - this option or set it to 0777 to preserve the - user's umask. The default is 0022. - - closefrom Before it executes a command, ssuuddoo will close - all open file descriptors other than standard - input, standard output and standard error (ie: - file descriptors 0-2). The _c_l_o_s_e_f_r_o_m option - can be used to specify a different file - descriptor at which to start closing. The - default is 3. - - setenv Allow the user to set additional environment - variables from the command line. 
Note that - variables set this way are not subject to the - restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, - or _e_n_v___r_e_s_e_t. As such, only trusted users - should be allowed to set variables in this - manner. - SSttrriinnggss: - mailsub Subject of the mail sent to the _m_a_i_l_t_o user. - The escape %h will expand to the hostname of - the machine. Default is *** SECURITY informa­ - tion for %h ***. +1.7 August 15, 2007 7 -1.7 June 23, 2007 10 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_- + _e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_- + _e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: + #include /etc/sudoers.local + When ssuuddoo reaches this line it will suspend processing of + the current file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_- + _e_r_s_._l_o_c_a_l. Upon reaching the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, + the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. Files that + are included may themselves include other files. A hard + limit of 128 nested include files is enforced to prevent + include file loops. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss + The pound sign ('#') is used to indicate a comment (unless + it is part of a #include directive or unless it occurs in + the context of a user name and is followed by one or more + digits, in which case it is treated as a uid). Both the + comment character and any text after it, up to the end of + the line, are ignored. - badpass_message - Message that is displayed if a user enters an - incorrect password. The default is Sorry, try - again. unless insults are enabled. + The reserved word AALLLL is a built-in _a_l_i_a_s that always + causes a match to succeed. 
It can be used wherever one + might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, + or Host_Alias. You should not try to define your own + _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be + dangerous since in a command context, it allows the user + to run aannyy command on the system. - timestampdir - The directory in which ssuuddoo stores its times­ - tamp files. The default is _/_v_a_r_/_r_u_n_/_s_u_d_o. + An exclamation point ('!') can be used as a logical _n_o_t + operator both in an _a_l_i_a_s and in front of a Cmnd. This + allows one to exclude certain values. Note, however, that + using a ! in conjunction with the built-in ALL alias to + allow a user to run "all but a few" commands rarely works + as intended (see SECURITY NOTES below). - timestampowner - The owner of the timestamp directory and the - timestamps stored therein. The default is - root. + Long lines can be continued with a backslash ('\') as the + last character on the line. - passprompt The default prompt to use when asking for a - password; can be overridden via the --pp option - or the SUDO_PROMPT environment variable. The - following percent (`%') escapes are supported: + Whitespace between elements in a list as well as special + syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', + '(', ')') is optional. - %u expanded to the invoking user's login - name + The following characters must be escaped with a backslash + ('\') when used as part of a word (e.g. a username or + hostname): '@', '!', '=', ':', ',', '(', ')', '\'. - %U expanded to the login name of the user - the command will be run as (defaults - to root) +SSUUDDOOEERRSS OOPPTTIIOONNSS + ssuuddoo's behavior can be modified by Default_Entry lines, as + explained earlier. A list of all supported Defaults + parameters, grouped by type, are listed below. 
- %h expanded to the local hostname without - the domain name - %H expanded to the local hostname includ­ - ing the domain name (on if the - machine's hostname is fully qualified - or the _f_q_d_n option is set) - %% two consecutive % characters are col­ - lapsed into a single % character +1.7 August 15, 2007 8 - The default value is Password:. - runas_default - The default user to run commands as if the --uu - flag is not specified on the command line. - This defaults to root. Note that if - _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur before any - Runas_Alias specifications. - syslog_goodpri - Syslog priority to use when user authenticates - successfully. Defaults to notice. - syslog_badpri - Syslog priority to use when user authenticates - unsuccessfully. Defaults to alert. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + FFllaaggss: -1.7 June 23, 2007 11 + always_set_home If set, ssuuddoo will set the HOME environment + variable to the home directory of the tar- + get user (which is root unless the --uu + option is used). This effectively means + that the --HH flag is always implied. This + flag is _o_f_f by default. + authenticate If set, users must authenticate themselves + via a password (or other means of authen- + tication) before they may run commands. + This default may be overridden via the + PASSWD and NOPASSWD tags. This flag is _o_n + by default. + closefrom_override + If set, the user may use ssuuddoo's --CC option + which overrides the default starting point + at which ssuuddoo begins closing open file + descriptors. This flag is _o_f_f by default. + env_editor If set, vviissuuddoo will use the value of the + EDITOR or VISUAL environment variables + before falling back on the default editor + list. Note that this may create a secu- + rity hole as it allows the user to run any + arbitrary command as root without logging. + A safer alternative is to place a colon- + separated list of editors in the editor + variable. 
vviissuuddoo will then only use the + EDITOR or VISUAL if they match a value + specified in editor. This flag is _o_f_f by + default. + env_reset If set, ssuuddoo will reset the environment to + only contain the LOGNAME, SHELL, USER, + USERNAME and the SUDO_* variables. Any + variables in the caller's environment that + match the env_keep and env_check lists are + then added. The default contents of the + env_keep and env_check lists are displayed + when ssuuddoo is run by root with the _-_V + option. If the _s_e_c_u_r_e___p_a_t_h option is set, + its value will be used for the PATH envi- + ronment variable. This flag is _o_n by + default. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + fqdn Set this flag if you want to put fully + qualified hostnames in the _s_u_d_o_e_r_s file. + I.e., instead of myhost you would use + myhost.mydomain.edu. You may still use + the short form if you wish (and even mix + the two). Beware that turning on _f_q_d_n - editor A colon (':') separated list of editors - allowed to be used with vviissuuddoo. vviissuuddoo will - choose the editor that matches the user's EDI­ - TOR environment variable if possible, or the - first editor in the list that exists and is - executable. The default is the path to vi on - your system. - noexec_file Path to a shared library containing dummy ver­ - sions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) - library functions that just return an error. - This is used to implement the _n_o_e_x_e_c function­ - ality on systems that support LD_PRELOAD or - its equivalent. Defaults to - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c. +1.7 August 15, 2007 9 - SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - lecture This option controls when a short lecture will - be printed along with the password prompt. It - has the following possible values: - never Never lecture the user. - once Only lecture the user the first time - they run ssuuddoo. 
- always Always lecture the user. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - If no value is specified, a value of _o_n_c_e is - implied. Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _o_n_c_e. - lecture_file - Path to a file containing an alternate ssuuddoo - lecture that will be used in place of the - standard lecture if the named file exists. + requires ssuuddoo to make DNS lookups which + may make ssuuddoo unusable if DNS stops work- + ing (for example if the machine is not + plugged into the network). Also note that + you must use the host's official name as + DNS knows it. That is, you may not use a + host alias (CNAME entry) due to perfor- + mance issues and the fact that there is no + way to get all aliases from DNS. If your + machine's hostname (as returned by the + hostname command) is already fully quali- + fied you shouldn't need to set _f_q_d_n. This + flag is _o_f_f by default. + + ignore_dot If set, ssuuddoo will ignore '.' or '' (cur- + rent dir) in the PATH environment vari- + able; the PATH itself is not modified. + This flag is _o_f_f by default. - logfile Path to the ssuuddoo log file (not the syslog log - file). Setting a path turns on logging to a - file; negating this option turns it off. + ignore_local_sudoers + If set via LDAP, parsing of + @sysconfdir@/sudoers will be skipped. + This is intended for Enterprises that wish + to prevent the usage of local sudoers + files so that only LDAP is used. This + thwarts the efforts of rogue operators who + would attempt to add roles to + @sysconfdir@/sudoers. When this option is + present, @sysconfdir@/sudoers does not + even need to exist. Since this option + tells ssuuddoo how to behave when no specific + LDAP entries have been matched, this + sudoOption is only meaningful for the + cn=defaults section. This flag is _o_f_f by + default. - syslog Syslog facility if syslog is being used for - logging (negate to disable syslog logging). 
- Defaults to local2. + insults If set, ssuuddoo will insult users when they + enter an incorrect password. This flag is + _o_f_f by default. - mailerpath Path to mail program used to send warning - mail. Defaults to the path to sendmail found - at configure time. + log_host If set, the hostname will be logged in the + (non-syslog) ssuuddoo log file. This flag is + _o_f_f by default. - mailerflags Flags to use when invoking mailer. Defaults to - --tt. + log_year If set, the four-digit year will be logged + in the (non-syslog) ssuuddoo log file. This + flag is _o_f_f by default. + long_otp_prompt When validating with a One Time Password + (OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two- + line prompt is used to make it easier to + cut and paste the challenge to a local + window. It's not as pretty as the default + but some people find it more convenient. -1.7 June 23, 2007 12 +1.7 August 15, 2007 10 
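Review bot: the regenerated SETENV/NOSETENV paragraph at the top of this hunk still carries the stray word "way" ("any environment variables set on the command line way are not subject to the restrictions"), which was already in the removed text and should be dropped from the source document before regenerating. Two smaller points in the same hunk: in the wildcard escape list, the characters to escape are given as "*", "?", "[", and "}", where the last one is presumably meant to be "]" to match the "[...]" syntax described just above; and in the long_otp_prompt entry the abbreviation reads "One Time Password (OPT)" where "(OTP)" is clearly intended.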
@@ -796,64 +664,64 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - mailto Address to send warning and error mail to. - The address should be enclosed in double - quotes (") to protect against ssuuddoo interpret­ - ing the @ sign. Defaults to root. + This flag is _o_f_f by default. - exempt_group - Users in this group are exempt from password - and PATH requirements. This is not set by - default. + mail_always Send mail to the _m_a_i_l_t_o user every time a + users runs ssuuddoo. This flag is _o_f_f by + default. - secure_path Path used for every command run from ssuuddoo. If - you don't trust the people running ssuuddoo to - have a sane PATH environment variable you may - want to use this. Another use is if you want - to have the "root path" be separate from the - "user path." Users in the group specified by - the _e_x_e_m_p_t___g_r_o_u_p option are not affected by - _s_e_c_u_r_e___p_a_t_h. This is not set by default. + mail_badpass Send mail to the _m_a_i_l_t_o user if the user + running ssuuddoo does not enter the correct + password. This flag is _o_f_f by default. - verifypw This option controls when a password will be - required when a user runs ssuuddoo with the --vv - flag. It has the following possible values: + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o + user if the invoking user exists in the + _s_u_d_o_e_r_s file, but is not allowed to run + commands on the current host. This flag + is _o_f_f by default. - all All the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD - flag set to avoid entering a password. + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o + user if the invoking user is allowed to + use ssuuddoo but the command they are trying + is not listed in their _s_u_d_o_e_r_s file entry + or is explicitly denied. This flag is _o_f_f + by default. 
- any At least one of the user's _s_u_d_o_e_r_s - entries for the current host must have - the NOPASSWD flag set to avoid enter­ - ing a password. + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o + user if the invoking user is not in the + _s_u_d_o_e_r_s file. This flag is _o_n by default. - never The user need never enter a password - to use the --vv flag. + noexec If set, all commands run via ssuuddoo will + behave as if the NOEXEC tag has been set, + unless overridden by a EXEC tag. See the + description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as + well as the "PREVENTING SHELL ESCAPES" + section at the end of this manual. This + flag is _o_f_f by default. - always The user must always enter a password - to use the --vv flag. + path_info Normally, ssuuddoo will tell the user when a + command could not be found in their PATH + environment variable. Some sites may wish + to disable this as it could be used to + gather information on the location of exe- + cutables that the normal user does not + have access to. The disadvantage is that + if the executable is simply not in the + user's PATH, ssuuddoo will tell the user that + they are not allowed to run it, which can + be confusing. This flag is _o_n by default. - If no value is specified, a value of _a_l_l is - implied. Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _a_l_l. + preserve_groups By default ssuuddoo will initialize the group + vector to the list of groups the target + user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, + the user's existing group vector is left + unaltered. The real and effective group + IDs, however, are still set to match the + target user. This flag is _o_f_f by default. - listpw This option controls when a password will be - required when a user runs ssuuddoo with the --ll - flag. 
It has the following possible values: - - all All the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD - flag set to avoid entering a password. - - any At least one of the user's _s_u_d_o_e_r_s - entries for the current host must have - the NOPASSWD flag set to avoid - -1.7 June 23, 2007 13 +1.7 August 15, 2007 11 
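Review bot: two grammatical slips in the new flag descriptions in this hunk: mail_always reads "every time a users runs sudo" (should be "a user runs"), and the relocated noexec entry keeps the old "unless overridden by a EXEC tag" (should be "an EXEC tag"). Since these pages are regenerated, the fix belongs in the pod source rather than in the .cat/.man.in output.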
@@ -862,361 +730,485 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - entering a password. + requiretty If set, ssuuddoo will only run when the user + is logged in to a real tty. This will + disallow things like "rsh somehost sudo + ls" since _r_s_h(1) does not allocate a tty. + Because it is not possible to turn off + echo when there is no tty present, some + sites may wish to set this flag to prevent + a user from entering a visible password. + This flag is _o_f_f by default. + + root_sudo If set, root is allowed to run ssuuddoo too. + Disabling this prevents users from "chain- + ing" ssuuddoo commands to get a root shell by + doing something like "sudo sudo /bin/sh". + Note, however, that turning off _r_o_o_t___s_u_d_o + will also prevent root and from running + ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no + real additional security; it exists purely + for historical reasons. This flag is _o_n + by default. + + rootpw If set, ssuuddoo will prompt for the root + password instead of the password of the + invoking user. This flag is _o_f_f by + default. + + runaspw If set, ssuuddoo will prompt for the password + of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t + option (defaults to root) instead of the + password of the invoking user. This flag + is _o_f_f by default. + + set_home If set and ssuuddoo is invoked with the --ss + flag the HOME environment variable will be + set to the home directory of the target + user (which is root unless the --uu option + is used). This effectively makes the --ss + flag imply --HH. This flag is _o_f_f by + default. + + set_logname Normally, ssuuddoo will set the LOGNAME, USER + and USERNAME environment variables to the + name of the target user (usually root + unless the --uu flag is given). 
However, + since some programs (including the RCS + revision control system) use LOGNAME to + determine the real identity of the user, + it may be desirable to change this behav- + ior. This can be done by negating the + set_logname option. Note that if the + _e_n_v___r_e_s_e_t option has not been disabled, + entries in the _e_n_v___k_e_e_p list will override + the value of _s_e_t___l_o_g_n_a_m_e. This flag is + _o_f_f by default. + + + +1.7 August 15, 2007 12 - never The user need never enter a password - to use the --ll flag. - always The user must always enter a password - to use the --ll flag. - If no value is specified, a value of _a_n_y is - implied. Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _a_n_y. - LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - env_check Environment variables to be removed from the - user's environment if the variable's value - contains % or / characters. This can be used - to guard against printf-style format vulnera­ - bilities in poorly-written programs. The - argument may be a double-quoted, space-sepa­ - rated list or a single value without dou­ - ble-quotes. The list can be replaced, added - to, deleted from, or disabled by using the =, - +=, -=, and ! operators respectively. Regard­ - less of whether the env_reset option is - enabled or disabled, variables specified by - env_check will be preserved in the environment - if they pass the aforementioned check. The - default list of environment variables to check - is displayed when ssuuddoo is run by root with the - _-_V option. - - env_delete Environment variables to be removed from the - user's environment. The argument may be a - double-quoted, space-separated list or a sin­ - gle value without double-quotes. The list can - be replaced, added to, deleted from, or dis­ - abled by using the =, +=, -=, and ! operators - respectively. 
The default list of environment - variables to remove is displayed when ssuuddoo is - run by root with the _-_V option. Note that - many operating systems will remove potentially - dangerous variables from the environment of - any setuid process (such as ssuuddoo). - - env_keep Environment variables to be preserved in the - user's environment when the _e_n_v___r_e_s_e_t option - is in effect. This allows fine-grained con­ - trol over the environment ssuuddoo-spawned pro­ - cesses will receive. The argument may be a - double-quoted, space-separated list or a sin­ - gle value without double-quotes. The list can - be replaced, added to, deleted from, or - - - -1.7 June 23, 2007 14 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + setenv Allow the user to disable the _e_n_v___r_e_s_e_t + option from the command line. Addition- + ally, environment variables set via the + command line are not subject to the + restrictions imposed by _e_n_v___c_h_e_c_k, + _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only + trusted users should be allowed to set + variables in this manner. This flag is + _o_f_f by default. + + shell_noargs If set and ssuuddoo is invoked with no argu- + ments it acts as if the --ss flag had been + given. That is, it runs a shell as root + (the shell is determined by the SHELL + environment variable if it is set, falling + back on the shell listed in the invoking + user's /etc/passwd entry if not). This + flag is _o_f_f by default. + + stay_setuid Normally, when ssuuddoo executes a command the + real and effective UIDs are set to the + target user (root by default). This + option changes that behavior such that the + real UID is left as the invoking user's + UID. In other words, this makes ssuuddoo act + as a setuid wrapper. This can be useful + on systems that disable some potentially + dangerous functionality when a program is + run setuid. 
This option is only effective + on systems with either the _s_e_t_r_e_u_i_d_(_) or + _s_e_t_r_e_s_u_i_d_(_) function. This flag is _o_f_f by + default. + + targetpw If set, ssuuddoo will prompt for the password + of the user specified by the --uu flag + (defaults to root) instead of the password + of the invoking user. Note that this pre- + cludes the use of a uid not listed in the + passwd database as an argument to the --uu + flag. This flag is _o_f_f by default. + + tty_tickets If set, users must authenticate on a per- + tty basis. Normally, ssuuddoo uses a direc- + tory in the ticket dir with the same name + as the user running it. With this flag + enabled, ssuuddoo will use a file named for + the tty the user is logged in on in that + directory. This flag is _o_f_f by default. + + use_loginclass If set, ssuuddoo will apply the defaults spec- + ified for the target user's login class if + one exists. Only available if ssuuddoo is + configured with the --with-logincap + option. This flag is _o_f_f by default. + + + +1.7 August 15, 2007 13 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - disabled by using the =, +=, -=, and ! opera­ - tors respectively. The default list of vari­ - ables to keep is displayed when ssuuddoo is run by - root with the _-_V option. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following - values for the syslog facility (the value of the ssyysslloogg - Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee­­ - mmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, - llooccaall66, and llooccaall77. The following syslog priorities are - supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, - and wwaarrnniinngg. 
- UUsseerr SSppeecciiffiiccaattiioonn + IInntteeggeerrss: - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* + closefrom Before it executes a command, ssuuddoo will + close all open file descriptors other than + standard input, standard output and stan- + dard error (ie: file descriptors 0-2). + The _c_l_o_s_e_f_r_o_m option can be used to spec- + ify a different file descriptor at which + to start closing. The default is 3. - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List + passwd_tries The number of tries a user gets to enter + his/her password before ssuuddoo logs the + failure and exits. The default is 3. - Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - Runas_Spec ::= '(' Runas_List ')' + loglinelen Number of characters per line for the file + log. This value is used to decide when to + wrap lines for nicer log files. This has + no effect on the syslog log file, only the + file log. The default is 80 (use 0 or + negate the option to disable word wrap). - Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:') + passwd_timeout Number of minutes before the ssuuddoo password + prompt times out. The default is 5; set + this to 0 for no password timeout. - A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may - run (and as what user) on specified hosts. By default, - commands are run as rroooott, but this can be changed on a - per-command basis. + timestamp_timeout + Number of minutes that can elapse before + ssuuddoo will ask for a passwd again. The + default is 5. Set this to 0 to always + prompt for a password. If set to a value + less than 0 the user's timestamp will + never expire. This can be used to allow + users to create or delete their own times- + tamps via sudo -v and sudo -k respec- + tively. 
+ + umask Umask to use when running the command. + Negate this option or set it to 0777 to + preserve the user's umask. The default is + 0022. - Let's break that down into its constituent parts: + SSttrriinnggss: - RRuunnaass__SSppeecc + badpass_message Message that is displayed if a user enters + an incorrect password. The default is + Sorry, try again. unless insults are + enabled. - A Runas_Spec is simply a Runas_List (as defined above) - enclosed in a set of parentheses. If you do not specify a - Runas_Spec in the user specification, a default Runas_Spec - of rroooott will be used. A Runas_Spec sets the default for - commands that follow it. What this means is that for the - entry: + editor A colon (':') separated list of editors + allowed to be used with vviissuuddoo. vviissuuddoo + will choose the editor that matches the + user's EDITOR environment variable if - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m - -- but only as ooppeerraattoorr. E.g., - $ sudo -u operator /bin/ls. +1.7 August 15, 2007 14 - It is also possible to override a Runas_Spec later on in - an entry. If we modify the entry like so: -1.7 June 23, 2007 15 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + possible, or the first editor in the list + that exists and is executable. The + default is the path to vi on your system. + mailsub Subject of the mail sent to the _m_a_i_l_t_o + user. The escape %h will expand to the + hostname of the machine. Default is *** + SECURITY information for %h ***. + noexec_file Path to a shared library containing dummy + versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_- + _e_c_v_e_(_) library functions that just return + an error. This is used to implement the + _n_o_e_x_e_c functionality on systems that sup- + port LD_PRELOAD or its equivalent. + Defaults to + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c. 
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + passprompt The default prompt to use when asking for + a password; can be overridden via the --pp + option or the SUDO_PROMPT environment + variable. The following percent (`%') + escapes are supported: + %H expanded to the local hostname includ- + ing the domain name (on if the + machine's hostname is fully qualified + or the _f_q_d_n option is set) - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + %h expanded to the local hostname without + the domain name - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, - but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + %U expanded to the login name of the user + the command will be run as (defaults + to root) - TTaagg__SSppeecc + %u expanded to the invoking user's login + name - A command may have zero or more tags associated with it. - There are eight possible tag values, NOPASSWD, PASSWD, - NOEXEC, EXEC, SETENV, NOSETENV, MONITOR and NOMONITOR. - Once a tag is set on a Cmnd, subsequent Cmnds in the - Cmnd_Spec_List, inherit the tag unless it is overridden by - the opposite tag (i.e.: PASSWD overrides NOPASSWD and - NOEXEC overrides EXEC). + %% two consecutive % characters are col- + lapsed into a single % character - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + The default value is Password:. - By default, ssuuddoo requires that a user authenticate him or - herself before running a command. This behavior can be - modified via the NOPASSWD tag. Like a Runas_Spec, the - NOPASSWD tag sets a default for the commands that follow - it in the Cmnd_Spec_List. Conversely, the PASSWD tag can - be used to reverse things. For example: + runas_default The default user to run commands as if the + --uu flag is not specified on the command + line. This defaults to root. Note that + if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur + before any Runas_Alias specifications. 
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + syslog_badpri Syslog priority to use when user authenti- + cates unsuccessfully. Defaults to alert. - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and - _/_u_s_r_/_b_i_n_/_l_p_r_m as root on the machine rushmore as rroooott - without authenticating himself. If we only want rraayy to be - able to run _/_b_i_n_/_k_i_l_l without a password the entry would - be: + syslog_goodpri Syslog priority to use when user - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - Note, however, that the PASSWD tag has no effect on users - who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. - By default, if the NOPASSWD tag is applied to any of the - entries for a user on the current host, he or she will be - able to run sudo -l without a password. Additionally, a - user may only run sudo -v without a password if the - NOPASSWD tag is present for all a user's entries that per­ - tain to the current host. This behavior may be overridden - via the verifypw and listpw options. +1.7 August 15, 2007 15 - _N_O_E_X_E_C _a_n_d _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the - underlying operating system supports it, the NOEXEC tag - can be used to prevent a dynamically-linked executable - from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e - and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 June 23, 2007 16 + authenticates successfully. Defaults to + notice. + timestampdir The directory in which ssuuddoo stores its + timestamp files. The default is + _/_v_a_r_/_r_u_n_/_s_u_d_o. + timestampowner The owner of the timestamp directory and + the timestamps stored therein. The + default is root. 
+ SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + exempt_group + Users in this group are exempt from password + and PATH requirements. This is not set by + default. + lecture This option controls when a short lecture will + be printed along with the password prompt. It + has the following possible values: - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + always Always lecture the user. - See the "PREVENTING SHELL ESCAPES" section below for more - details on how NOEXEC works and whether or not it will - work on your system. + never Never lecture the user. - _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V + once Only lecture the user the first time + they run ssuuddoo. - These tags override the value of the _s_e_t_e_n_v option on a - per-command basis. Note that environment variables set on - the command line way are not subject to the restrictions - imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___r_e_s_e_t. As such, - only trusted users should be allowed to set variables in - this manner. + If no value is specified, a value of _o_n_c_e is + implied. Negating the option results in a + value of _n_e_v_e_r being used. The default value + is _o_n_c_e. - _M_O_N_I_T_O_R _a_n_d _N_O_M_O_N_I_T_O_R + lecture_file + Path to a file containing an alternate ssuuddoo + lecture that will be used in place of the + standard lecture if the named file exists. By + default, ssuuddoo uses a built-in lecture. - If ssuuddoo has been configured with the --with-systrace - option, the MONITOR tag can be used to cause programs - spawned by a command to be checked against _s_u_d_o_e_r_s and - logged just like they would be if run through ssuuddoo - directly. This is useful in conjunction with commands - that allow shell escapes such as editors, shells and pagi­ - nators. + listpw This option controls when a password will be + required when a user runs ssuuddoo with the --ll + flag. 
It has the following possible values: - In the following example, user cchhuucckk may run any command - on the machine research in monitor mode. + all All the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD + flag set to avoid entering a password. - chuck research = MONITOR: ALL + always The user must always enter a password + to use the --ll flag. - See the "PREVENTING SHELL ESCAPES" section below for more - details on how MONITOR works and whether or not it will - work on your system. + any At least one of the user's _s_u_d_o_e_r_s + entries for the current host must have + the NOPASSWD flag set to avoid - WWiillddccaarrddss - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob char­ - acters) to be used in pathnames as well as command line - arguments in the _s_u_d_o_e_r_s file. Wildcard matching is done - via the PPOOSSIIXX _f_n_m_a_t_c_h(3) routine. Note that these are _n_o_t - regular expressions. - * Matches any set of zero or more characters. +1.7 August 15, 2007 16 - ? Matches any single character. - [...] Matches any character in the specified range. - [!...] Matches any character nnoott in the specified range. - \x For any character "x", evaluates to "x". This is - used to escape special characters such as: "*", - "?", "[", and "}". +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + entering a password. -1.7 June 23, 2007 17 + never The user need never enter a password + to use the --ll flag. + If no value is specified, a value of _a_n_y is + implied. Negating the option results in a + value of _n_e_v_e_r being used. The default value + is _a_n_y. + logfile Path to the ssuuddoo log file (not the syslog log + file). Setting a path turns on logging to a + file; negating this option turns it off. By + default, ssuuddoo logs via syslog. + mailerflags Flags to use when invoking mailer. Defaults to + --tt. + mailerpath Path to mail program used to send warning + mail. 
Defaults to the path to sendmail found + at configure time. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + mailto Address to send warning and error mail to. + The address should be enclosed in double + quotes (") to protect against ssuuddoo interpret- + ing the @ sign. Defaults to root. + secure_path Path used for every command run from ssuuddoo. If + you don't trust the people running ssuuddoo to + have a sane PATH environment variable you may + want to use this. Another use is if you want + to have the "root path" be separate from the + "user path." Users in the group specified by + the _e_x_e_m_p_t___g_r_o_u_p option are not affected by + _s_e_c_u_r_e___p_a_t_h. This is not set by default. - Note that a forward slash ('/') will nnoott be matched by - wildcards used in the pathname. When matching the command - line arguments, however, a slash ddooeess get matched by wild­ - cards. This is to make a path like: + syslog Syslog facility if syslog is being used for + logging (negate to disable syslog logging). + Defaults to local2. - /usr/bin/* + verifypw This option controls when a password will be + required when a user runs ssuuddoo with the --vv + flag. It has the following possible values: - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + all All the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD + flag set to avoid entering a password. - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess + always The user must always enter a password + to use the --vv flag. - The following exceptions apply to the above rules: + any At least one of the user's _s_u_d_o_e_r_s + entries for the current host must have + the NOPASSWD flag set to avoid - "" If the empty string "" is the only command line - argument in the _s_u_d_o_e_r_s entry it means that com­ - mand is not allowed to be run with aannyy arguments. 
- IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - It is possible to include other _s_u_d_o_e_r_s files from within - the _s_u_d_o_e_r_s file currently being parsed using the #include - directive, similar to the one used by the C preprocessor. - This is useful, for example, for keeping a site-wide _s_u_d_o_­ - _e_r_s file in addition to a per-machine local one. For the - sake of this example the site-wide _s_u_d_o_e_r_s will be - _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_­ - _e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_­ - _e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: +1.7 August 15, 2007 17 - #include /etc/sudoers.local - When ssuuddoo reaches this line it will suspend processing of - the current file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_­ - _e_r_s_._l_o_c_a_l. Upon reaching the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, - the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. Files that - are included may themselves include other files. A hard - limit of 128 nested include files is enforced to prevent - include file loops. - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - The pound sign ('#') is used to indicate a comment (unless - it is part of a #include directive or unless it occurs in - the context of a user name and is followed by one or more - digits, in which case it is treated as a uid). Both the - comment character and any text after it, up to the end of - the line, are ignored. - The reserved word AALLLL is a built-in _a_l_i_a_s that always - causes a match to succeed. It can be used wherever one - might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, - or Host_Alias. You should not try to define your own - _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. 
Please note that using AALLLL can be +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + entering a password. -1.7 June 23, 2007 18 + never The user need never enter a password + to use the --vv flag. + If no value is specified, a value of _a_l_l is + implied. Negating the option results in a + value of _n_e_v_e_r being used. The default value + is _a_l_l. + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + env_check Environment variables to be removed from + the user's environment if the variable's + value contains % or / characters. This + can be used to guard against printf-style + format vulnerabilities in poorly-written + programs. The argument may be a dou- + ble-quoted, space-separated list or a sin- + gle value without double-quotes. The list + can be replaced, added to, deleted from, + or disabled by using the =, +=, -=, and ! + operators respectively. Regardless of + whether the env_reset option is enabled or + disabled, variables specified by env_check + will be preserved in the environment if + they pass the aforementioned check. The + default list of environment variables to + check is displayed when ssuuddoo is run by + root with the _-_V option. + + env_delete Environment variables to be removed from + the user's environment. The argument may + be a double-quoted, space-separated list + or a single value without double-quotes. + The list can be replaced, added to, + deleted from, or disabled by using the =, + +=, -=, and ! operators respectively. The + default list of environment variables to + remove is displayed when ssuuddoo is run by + root with the _-_V option. Note that many + operating systems will remove potentially + dangerous variables from the environment + of any setuid process (such as ssuuddoo). + + env_keep Environment variables to be preserved in + the user's environment when the _e_n_v___r_e_s_e_t + option is in effect. 
This allows fine- + grained control over the environment + ssuuddoo-spawned processes will receive. The + argument may be a double-quoted, space- + separated list or a single value without + double-quotes. The list can be replaced, + added to, deleted from, or disabled by + + + +1.7 August 15, 2007 18 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - dangerous since in a command context, it allows the user - to run aannyy command on the system. - An exclamation point ('!') can be used as a logical _n_o_t - operator both in an _a_l_i_a_s and in front of a Cmnd. This - allows one to exclude certain values. Note, however, that - using a ! in conjunction with the built-in ALL alias to - allow a user to run "all but a few" commands rarely works - as intended (see SECURITY NOTES below). +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Long lines can be continued with a backslash ('\') as the - last character on the line. - Whitespace between elements in a list as well as special - syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', - '(', ')') is optional. + using the =, +=, -=, and ! operators + respectively. The default list of vari- + ables to keep is displayed when ssuuddoo is + run by root with the _-_V option. - The following characters must be escaped with a backslash - ('\') when used as part of a word (e.g. a username or - hostname): '@', '!', '=', ':', ',', '(', ')', '\'. + When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following + values for the syslog facility (the value of the ssyysslloogg + Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee-- + mmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, + llooccaall66, and llooccaall77. The following syslog priorities are + supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, + and wwaarrnniinngg. 
FFIILLEESS - /etc/sudoers List of who can run what - /etc/group Local groups file - /etc/netgroup List of network groups + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_e_t_c_/_g_r_o_u_p Local groups file + _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups EEXXAAMMPPLLEESS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of @@ -1241,23 +1233,6 @@ EEXXAAMMPPLLEESS Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules - - - - - - - - -1.7 June 23, 2007 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore @@ -1272,6 +1247,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd_Alias SU = /usr/bin/su Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + + +1.7 August 15, 2007 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Here we override some of the compiled in default values. We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't want to subject the full time @@ -1283,7 +1269,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) sure we log the year in each log line since the log entries will be kept around for several years. Lastly, we disable shell escapes for the commands in the PAGERS - Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). + Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). # Override built-in defaults Defaults syslog=auth @@ -1293,7 +1279,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults@SERVERS log_year, logfile=/var/log/sudo.log Defaults!PAGERS noexec - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter- mines who may run what. root ALL = (ALL) ALL 
@@ -1310,20 +1296,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) PARTTIMERS ALL = ALL Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run - any command on any host but they must authenticate them­ + any command on any host but they must authenticate them- selves first (since the entry lacks the NOPASSWD tag). - - -1.7 June 23, 2007 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - jack CSNETS = ALL The user jjaacckk may run any command on the machines in the @@ -1338,10 +1313,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the class B network 128.138.0.0). + + +1.7 August 15, 2007 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ sudoedit /etc/printcap, /usr/oper/bin/ - The ooppeerraattoorr user may run commands limited to simple main­ + The ooppeerraattoorr user may run commands limited to simple main- tenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. @@ -1366,7 +1352,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jim +biglab = ALL The user jjiimm may run any command on machines in the _b_i_g_l_a_b - netgroup. SSuuddoo knows that "biglab" is a netgroup due to + netgroup. ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser @@ -1378,18 +1364,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) fred ALL = (DB) NOPASSWD: ALL The user ffrreedd can run commands as any user in the _D_B - - - -1.7 June 23, 2007 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* 
@@ -1405,8 +1379,19 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jill SERVERS = /usr/bin/, !SU, !SHELLS + + +1.7 August 15, 2007 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run - any commands in the directory /usr/bin/ except for those + any commands in the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. steve CSNETS = (operator) /usr/local/op_commands/ @@ -1436,28 +1421,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SSEECCUURRIITTYY NNOOTTEESS It is generally not effective to "subtract" commands from - ALL using the '!' operator. A user can trivially circum­ + ALL using the '!' operator. A user can trivially circum- vent this by copying the desired command to a different name and then executing that. For example: bill ALL = ALL, !SU, !SHELLS Doesn't really prevent bbiillll from running the commands - listed in _S_U or _S_H_E_L_L_S since he can simply copy those - - - -1.7 June 23, 2007 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - commands to a different name, or use a shell escape from - an editor or other program. Therefore, these kind of + listed in _S_U or _S_H_E_L_L_S since he can simply copy those com- + mands to a different name, or use a shell escape from an + editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). 
@@ -1470,26 +1443,37 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs. - There are three basic approaches to this problem: + There are two basic approaches to this problem: + + + +1.7 August 15, 2007 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + restrict Avoid giving users access to commands that allow - the user to run arbitrary commands. Many edi­ + the user to run arbitrary commands. Many edi- tors have a restricted mode where shell escapes - are disabled, though ssuuddooeeddiitt is a better solu­ + are disabled, though ssuuddooeeddiitt is a better solu- tion to running editors via ssuuddoo. Due to the large number of programs that offer shell - escapes, restricting users to the set of pro­ + escapes, restricting users to the set of pro- grams that do not if often unworkable. noexec Many systems that support shared libraries have - the ability to override default library func­ - tions by pointing an environment variable (usu­ + the ability to override default library func- + tions by pointing an environment variable (usu- ally LD_PRELOAD) to an alternate shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to prevent a program run by ssuuddoo from executing any other programs. Note, however, that this applies only to native dynamically- - linked executables. Statically-linked executa­ + linked executables. Statically-linked executa- bles and foreign executables running under binary emulation are not affected. 
@@ -1507,79 +1491,29 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know whether or not - _n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should + _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott - - - -1.7 June 23, 2007 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - to work on AIX and UnixWare. _N_o_e_x_e_c is expected + to work on AIX and UnixWare. _n_o_e_x_e_c is expected to work on most operating systems that support the LD_PRELOAD environment variable. Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, - rld, or loader) to see if LD_PRELOAD is sup­ + rld, or loader) to see if LD_PRELOAD is sup- ported. To enable _n_o_e_x_e_c for a command, use the NOEXEC - tag as documented in the User Specification sec­ + tag as documented in the User Specification sec- tion above. Here is that example again: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre­ - vent those two commands from executing other - commands (such as a shell). If you are unsure - whether or not your system is capable of sup­ - porting _n_o_e_x_e_c you can always just try it out - and see if it works. - - monitor On operating systems that support the ssyyssttrraaccee - pseudo-device, the --with-systrace configure - option can be used to compile support for proc­ - cess monitoring in ssuuddoo. In monitor mode ssuuddoo - can transparently intercept a new command, allow - or deny it based on _s_u_d_o_e_r_s, and log the result. - This does require that ssuuddoo become a daemon that - persists until the command and all its descen­ - dents have exited. 
- - To enable monitor mode on a per-command basis, - use the MONITOR tag as documented in the User - Specification section above. Here is that exam­ - ple again: - - chuck research = MONITOR: ALL - - This allows user cchhuucckk to run any command on the - machine research in monitor mode. Any commands - run via shell escapes will be logged by ssuuddoo. - - At the time of this writing the ssyyssttrraaccee pseudo- - device comes standard with OpenBSD and NetBSD - and is available as patches to FreeBSD, MacOS X - and Linux. See for - more information. + _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will - Note that restricting shell escapes is not a panacea. - Programs running as root are still capable of many poten­ - tially hazardous operations (such as changing or overwrit­ - ing files) that could lead to unintended privilege escala­ - tion. In the specific case of an editor, a safer approach - -1.7 June 23, 2007 24 +1.7 August 15, 2007 23 
@@ -1588,16 +1522,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + prevent those two commands from executing other + commands (such as a shell). If you are unsure + whether or not your system is capable of sup- + porting _n_o_e_x_e_c you can always just try it out + and see if it works. + + Note that restricting shell escapes is not a panacea. + Programs running as root are still capable of many poten- + tially hazardous operations (such as changing or overwrit- + ing files) that could lead to unintended privilege escala- + tion. In the specific case of an editor, a safer approach is to give the user permission to run ssuuddooeeddiitt. SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo - command which locks the file and does grammatical check­ + command which locks the file and does grammatical check- ing. It is imperative that _s_u_d_o_e_r_s be free of syntax - errors since ssuuddoo will not run with a syntactically incor­ + errors since ssuuddoo will not run with a syntactically incor- rect _s_u_d_o_e_r_s file. When using netgroups of machines (as opposed to users), if 
@@ -1611,17 +1556,17 @@ BBUUGGSS bug report at http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mail­ - ing list, see http://www.sudo.ws/mail­ + Limited free support is available via the sudo-users mail- + ing list, see http://www.sudo.ws/mail- man/listinfo/sudo-users to subscribe or search the archives. DDIISSCCLLAAIIMMEERR - SSuuddoo is provided ``AS IS'' and any express or implied war­ - ranties, including, but not limited to, the implied war­ + ssuuddoo is provided ``AS IS'' and any express or implied war- + ranties, including, but not limited to, the implied war- ranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­ + with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- plete details. @@ -1634,17 +1579,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - -1.7 June 23, 2007 25 +1.7 August 15, 2007 24 diff --git a/sudoers.man.in b/sudoers.man.in index c415fb4fe..bffe07e31 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -1,4 +1,5 @@ -.\" Copyright (c) 1994-1996,1998-2005 Todd C. Miller +.\" Copyright (c) 1994-1996, 1998-2005, 2007 +.\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -149,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" 
@@ -179,18 +180,18 @@ grammar for the language. \s-1EBNF\s0 also contains the following operators, which many readers will recognize from regular expressions. Do not, however, confuse them with \*(L"wildcard\*(R" characters, which have different meanings. -.ie n .IP "\*(C`?\*(C'" 8 -.el .IP "\f(CW\*(C`?\*(C'\fR" 8 +.ie n .IP "\*(C`?\*(C'" 4 +.el .IP "\f(CW\*(C`?\*(C'\fR" 4 .IX Item "?" Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. -.ie n .IP "\*(C`*\*(C'" 8 -.el .IP "\f(CW\*(C`*\*(C'\fR" 8 +.ie n .IP "\*(C`*\*(C'" 4 +.el .IP "\f(CW\*(C`*\*(C'\fR" 4 .IX Item "*" Means that the preceding symbol (or group of symbols) may appear zero or more times. -.ie n .IP "\*(C`+\*(C'" 8 -.el .IP "\f(CW\*(C`+\*(C'\fR" 8 +.ie n .IP "\*(C`+\*(C'" 4 +.el .IP "\f(CW\*(C`+\*(C'\fR" 4 .IX Item "+" Means that the preceding symbol (or group of symbols) may appear one or more times. @@ -307,8 +308,9 @@ If you do not specify a netmask along with the network number, \&\fBsudo\fR will query each of the local host's network interfaces and, if the network number corresponds to one of the hosts's network interfaces, the corresponding netmask will be used. The netmask -may be specified either in dotted quad notation (e.g.\ 255.255.255.0) -or \s-1CIDR\s0 notation (number of bits, e.g.\ 24). A hostname may +may be specified either in standard \s-1IP\s0 address notation +(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::), +or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A hostname may include shell-style wildcards (see the Wildcards section below), but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully qualified hostname, you'll need to use the \fIfqdn\fR option for 
@@ -420,7 +422,7 @@ See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults par .PP .Vb 2 \& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | -\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:') +\& 'SETENV:' | 'NOSETENV:' ) .Ve .PP A \fBuser specification\fR determines which commands a user may run @@ -460,7 +462,7 @@ but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. .IX Subsection "Tag_Spec" A command may have zero or more tags associated with it. There are eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR, -\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR. +\&\f(CW\*(C`SETENV\*(C'\fR and \f(CW\*(C`NOSETENV\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR 
@@ -525,26 +527,6 @@ environment variables set on the command line way are not subject to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or \&\fIenv_keep\fR. As such, only trusted users should be allowed to set variables in this manner. -.PP -\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR -.IX Subsection "MONITOR and NOMONITOR" -.PP -If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option, -the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command -to be checked against \fIsudoers\fR and logged just like they would -be if run through \fBsudo\fR directly. This is useful in conjunction -with commands that allow shell escapes such as editors, shells and -paginators. -.PP -In the following example, user \fBchuck\fR may run any command on the -machine research in monitor mode. -.PP -.Vb 1 -\& chuck research = MONITOR: ALL -.Ve -.PP -See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details -on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system. .Sh "Wildcards" .IX Subsection "Wildcards" \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) 
@@ -647,97 +629,126 @@ used as part of a word (e.g.\ a username or hostname): \&'@', '!', '=', ':', ',', '(', ')', '\e'. .SH "SUDOERS OPTIONS" .IX Header "SUDOERS OPTIONS" -Sudo's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as +\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, are listed below. .PP \&\fBFlags\fR: -.IP "long_otp_prompt" 12 -.IX Item "long_otp_prompt" -When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR), -a two-line prompt is used to make it easier to cut and paste the -challenge to a local window. It's not as pretty as the default but -some people find it more convenient. This flag is \fI@long_otp_prompt@\fR -by default. -.IP "ignore_dot" 12 +.IP "always_set_home" 16 +.IX Item "always_set_home" +If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home +directory of the target user (which is root unless the \fB\-u\fR option is used). +This effectively means that the \fB\-H\fR flag is always implied. +This flag is \fIoff\fR by default. +.IP "authenticate" 16 +.IX Item "authenticate" +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. This default +may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags. +This flag is \fIon\fR by default. +.IP "closefrom_override" 16 +.IX Item "closefrom_override" +If set, the user may use \fBsudo\fR's \fB\-C\fR option which +overrides the default starting point at which \fBsudo\fR begins +closing open file descriptors. This flag is \fIoff\fR by default. +.IP "env_editor" 16 +.IX Item "env_editor" +If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 +environment variables before falling back on the default editor list. 
+Note that this may create a security hole as it allows the user to +run any arbitrary command as root without logging. A safer alternative +is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR +variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if +they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by +default. +.IP "env_reset" 16 +.IX Item "env_reset" +If set, \fBsudo\fR will reset the environment to only contain the +\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any +variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR +and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the +\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is +run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option +is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable. +This flag is \fIon\fR by default. +.IP "fqdn" 16 +.IX Item "fqdn" +Set this flag if you want to put fully qualified hostnames in the +\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups +which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example +if the machine is not plugged into the network). Also note that +you must use the host's official name as \s-1DNS\s0 knows it. That is, +you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance +issues and the fact that there is no way to get all aliases from +\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR +command) is already fully qualified you shouldn't need to set +\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default. 
+.IP "ignore_dot" 16 .IX Item "ignore_dot" If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This flag is \fI@ignore_dot@\fR by default. -.IP "mail_always" 12 +.IP "ignore_local_sudoers" 16 +.IX Item "ignore_local_sudoers" +If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped. +This is intended for Enterprises that wish to prevent the usage of local +sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of +rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers. +When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist. +Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries +have been matched, this sudoOption is only meaningful for the cn=defaults +section. This flag is \fIoff\fR by default. +.IP "insults" 16 +.IX Item "insults" +If set, \fBsudo\fR will insult users when they enter an incorrect +password. This flag is \fI@insults@\fR by default. +.IP "log_host" 16 +.IX Item "log_host" +If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file. +This flag is \fIoff\fR by default. +.IP "log_year" 16 +.IX Item "log_year" +If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file. +This flag is \fIoff\fR by default. +.IP "long_otp_prompt" 16 +.IX Item "long_otp_prompt" +When validating with a One Time Password (\s-1OPT\s0) scheme such as +\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier +to cut and paste the challenge to a local window. It's not as +pretty as the default but some people find it more convenient. This +flag is \fI@long_otp_prompt@\fR by default. +.IP "mail_always" 16 .IX Item "mail_always" Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR. This flag is \fIoff\fR by default. 
-.IP "mail_badpass" 12 +.IP "mail_badpass" 16 .IX Item "mail_badpass" Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not enter the correct password. This flag is \fIoff\fR by default. -.IP "mail_no_user" 12 -.IX Item "mail_no_user" -If set, mail will be sent to the \fImailto\fR user if the invoking -user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR -by default. -.IP "mail_no_host" 12 +.IP "mail_no_host" 16 .IX Item "mail_no_host" If set, mail will be sent to the \fImailto\fR user if the invoking user exists in the \fIsudoers\fR file, but is not allowed to run commands on the current host. This flag is \fI@mail_no_host@\fR by default. -.IP "mail_no_perms" 12 +.IP "mail_no_perms" 16 .IX Item "mail_no_perms" If set, mail will be sent to the \fImailto\fR user if the invoking user is allowed to use \fBsudo\fR but the command they are trying is not listed in their \fIsudoers\fR file entry or is explicitly denied. This flag is \fI@mail_no_perms@\fR by default. -.IP "tty_tickets" 12 -.IX Item "tty_tickets" -If set, users must authenticate on a per-tty basis. Normally, -\&\fBsudo\fR uses a directory in the ticket dir with the same name as -the user running it. With this flag enabled, \fBsudo\fR will use a -file named for the tty the user is logged in on in that directory. -This flag is \fI@tty_tickets@\fR by default. -.IP "authenticate" 12 -.IX Item "authenticate" -If set, users must authenticate themselves via a password (or other -means of authentication) before they may run commands. This default -may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags. -This flag is \fIon\fR by default. -.IP "root_sudo" 12 -.IX Item "root_sudo" -If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users -from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something -like \f(CW"sudo sudo /bin/sh"\fR. 
Note, however, that turning off \fIroot_sudo\fR -will also prevent root and from running \fBsudoedit\fR. -Disabling \fIroot_sudo\fR provides no real additional security; it -exists purely for historical reasons. -This flag is \fI@root_sudo@\fR by default. -.IP "log_host" 12 -.IX Item "log_host" -If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file. -This flag is \fIoff\fR by default. -.IP "log_year" 12 -.IX Item "log_year" -If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file. -This flag is \fIoff\fR by default. -.IP "shell_noargs" 12 -.IX Item "shell_noargs" -If set and \fBsudo\fR is invoked with no arguments it acts as if the -\&\fB\-s\fR flag had been given. That is, it runs a shell as root (the -shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is -set, falling back on the shell listed in the invoking user's -/etc/passwd entry if not). This flag is \fIoff\fR by default. -.IP "set_home" 12 -.IX Item "set_home" -If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR -environment variable will be set to the home directory of the target -user (which is root unless the \fB\-u\fR option is used). This effectively -makes the \fB\-s\fR flag imply \fB\-H\fR. This flag is \fIoff\fR by default. -.IP "always_set_home" 12 -.IX Item "always_set_home" -If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home -directory of the target user (which is root unless the \fB\-u\fR option is used). -This effectively means that the \fB\-H\fR flag is always implied. -This flag is \fIoff\fR by default. -.IP "path_info" 12 +.IP "mail_no_user" 16 +.IX Item "mail_no_user" +If set, mail will be sent to the \fImailto\fR user if the invoking +user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR +by default. 
+.IP "noexec" 16 +.IX Item "noexec" +If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR +tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the +description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default. +.IP "path_info" 16 .IX Item "path_info" Normally, \fBsudo\fR will tell the user when a command could not be found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish 
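Review bot: the long_otp_prompt entry added in this hunk abbreviates One Time Password as "(\s-1OPT\s0)"; that should read "(\s-1OTP\s0)". Since sudoers.man.in is pod2man output, the fix belongs in sudoers.pod, followed by another regen. The unchanged mail_always context line in the same hunk still reads "every time a users runs \fBsudo\fR" (should be "a user runs"), which is worth correcting in the same source edit.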
@@ -745,34 +756,16 @@ to disable this as it could be used to gather information on the location of executables that the normal user does not have access to. The disadvantage is that if the executable is simply not in the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not -allowed to run it, which can be confusing. This flag is \fIoff\fR by -default. -.IP "preserve_groups" 12 +allowed to run it, which can be confusing. This flag is \fI@path_info@\fR +by default. +.IP "preserve_groups" 16 .IX Item "preserve_groups" By default \fBsudo\fR will initialize the group vector to the list of groups the target user is in. When \fIpreserve_groups\fR is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. This flag is \fIoff\fR by default. -.IP "fqdn" 12 -.IX Item "fqdn" -Set this flag if you want to put fully qualified hostnames in the -\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu. -You may still use the short form if you wish (and even mix the two). -Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups -which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example -if the machine is not plugged into the network). Also note that -you must use the host's official name as \s-1DNS\s0 knows it. That is, -you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance -issues and the fact that there is no way to get all aliases from -\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR -command) is already fully qualified you shouldn't need to set -\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default. -.IP "insults" 12 -.IX Item "insults" -If set, \fBsudo\fR will insult users when they enter an incorrect -password. This flag is \fI@insults@\fR by default. 
-.IP "requiretty" 12 +.IP "requiretty" 16 .IX Item "requiretty" If set, \fBsudo\fR will only run when the user is logged in to a real tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since 
@@ -780,33 +773,31 @@ tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since off echo when there is no tty present, some sites may wish to set this flag to prevent a user from entering a visible password. This flag is \fIoff\fR by default. -.IP "env_editor" 12 -.IX Item "env_editor" -If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 -environment variables before falling back on the default editor list. -Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. A safer alternative -is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR -variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if -they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \f(CW\*(C`@env_editor@\*(C'\fR by -default. -.IP "rootpw" 12 +.IP "root_sudo" 16 +.IX Item "root_sudo" +If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users +from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something +like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR +will also prevent root and from running \fBsudoedit\fR. +Disabling \fIroot_sudo\fR provides no real additional security; it +exists purely for historical reasons. +This flag is \fI@root_sudo@\fR by default. +.IP "rootpw" 16 .IX Item "rootpw" If set, \fBsudo\fR will prompt for the root password instead of the password of the invoking user. This flag is \fIoff\fR by default. -.IP "runaspw" 12 +.IP "runaspw" 16 .IX Item "runaspw" If set, \fBsudo\fR will prompt for the password of the user defined by the \&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the password of the invoking user. This flag is \fIoff\fR by default. 
-.IP "targetpw" 12 -.IX Item "targetpw" -If set, \fBsudo\fR will prompt for the password of the user specified by -the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the -invoking user. Note that this precludes the use of a uid not listed -in the passwd database as an argument to the \fB\-u\fR flag. -This flag is \fIoff\fR by default. -.IP "set_logname" 12 +.IP "set_home" 16 +.IX Item "set_home" +If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR +environment variable will be set to the home directory of the target +user (which is root unless the \fB\-u\fR option is used). This effectively +makes the \fB\-s\fR flag imply \fB\-H\fR. This flag is \fIoff\fR by default. +.IP "set_logname" 16 .IX Item "set_logname" Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR environment variables to the name of the target user (usually root 
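Review bot: the root_sudo text moved in this hunk carries the same wording defect as the text it replaces: "will also prevent root and from running \fBsudoedit\fR" should be "will also prevent root from running \fBsudoedit\fR". A regen is the right moment to fix this in sudoers.pod so that both the .man.in and the .cat outputs pick it up.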
@@ -816,8 +807,23 @@ determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option. Note that if the \fIenv_reset\fR option has not been disabled, entries in the \fIenv_keep\fR list will override the value of -\&\fIset_logname\fR. -.IP "stay_setuid" 12 +\&\fIset_logname\fR. This flag is \fIoff\fR by default. +.IP "setenv" 16 +.IX Item "setenv" +Allow the user to disable the \fIenv_reset\fR option from the command +line. Additionally, environment variables set via the command line +are not subject to the restrictions imposed by \fIenv_check\fR, +\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should +be allowed to set variables in this manner. This flag is \fIoff\fR +by default. +.IP "shell_noargs" 16 +.IX Item "shell_noargs" +If set and \fBsudo\fR is invoked with no arguments it acts as if the +\&\fB\-s\fR flag had been given. That is, it runs a shell as root (the +shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is +set, falling back on the shell listed in the invoking user's +/etc/passwd entry if not). This flag is \fIoff\fR by default. +.IP "stay_setuid" 16 .IX Item "stay_setuid" Normally, when \fBsudo\fR executes a command the real and effective UIDs are set to the target user (root by default). This option 
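Review bot: the new default statement for set_logname, "This flag is \fIoff\fR by default.", contradicts the entry's own description, which says \fBsudo\fR normally sets LOGNAME, USER and USERNAME to the target user and that this is changed by negating the set_logname option; that only makes sense if the flag is on by default. Suggest "This flag is \fIon\fR by default." in sudoers.pod. The setenv entry added in the same hunk reads clearly, and its caveat that variables set on the command line bypass env_check, env_delete and env_keep is the important point for anyone granting that flag.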
@@ -826,65 +832,52 @@ user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a program is run setuid. This option is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR -function. -.IP "env_reset" 12 -.IX Item "env_reset" -If set, \fBsudo\fR will reset the environment to only contain the -\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any -variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR -and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the -\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is -run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option -is set, its \-value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable. -This flag is \fIon\fR by default. -.IP "use_loginclass" 12 +function. This flag is \fIoff\fR by default. +.IP "targetpw" 16 +.IX Item "targetpw" +If set, \fBsudo\fR will prompt for the password of the user specified by +the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the +invoking user. Note that this precludes the use of a uid not listed +in the passwd database as an argument to the \fB\-u\fR flag. +This flag is \fIoff\fR by default. +.IP "tty_tickets" 16 +.IX Item "tty_tickets" +If set, users must authenticate on a per-tty basis. Normally, +\&\fBsudo\fR uses a directory in the ticket dir with the same name as +the user running it. With this flag enabled, \fBsudo\fR will use a +file named for the tty the user is logged in on in that directory. +This flag is \fI@tty_tickets@\fR by default. +.IP "use_loginclass" 16 .IX Item "use_loginclass" If set, \fBsudo\fR will apply the defaults specified for the target user's login class if one exists. 
Only available if \fBsudo\fR is configured with the \-\-with\-logincap option. This flag is \fIoff\fR by default. -.IP "noexec" 12 -.IX Item "noexec" -If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR -tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the -description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default. -.IP "monitor" 12 -.IX Item "monitor" -If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`MONITOR\*(C'\fR -tag has been set, unless overridden by a \f(CW\*(C`NOMONITOR\*(C'\fR tag. See the -description of \fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. Be aware that -tracing is only supported on certain operating systems. On systems -where it is not supported this flag will have no effect. -This flag is \fIoff\fR by default. -.IP "ignore_local_sudoers" 12 -.IX Item "ignore_local_sudoers" -If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped. -This is intended for Enterprises that wish to prevent the usage of local -sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of -rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers. -When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist. -Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries -have been matched, this sudoOption is only meaningful for the cn=defaults -section. This flag is \fIoff\fR by default. -.IP "closefrom_override" 12 -.IX Item "closefrom_override" -If set, the user may use \fBsudo\fR's \fB\-C\fR option which -overrides the default starting point at which \fBsudo\fR begins -closing open file descriptors. This flag is \fIoff\fR by default. 
.PP \&\fBIntegers\fR: -.IP "passwd_tries" 12 +.IP "closefrom" 16 +.IX Item "closefrom" +Before it executes a command, \fBsudo\fR will close all open file +descriptors other than standard input, standard output and standard +error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used +to specify a different file descriptor at which to start closing. +The default is \f(CW3\fR. +.IP "passwd_tries" 16 .IX Item "passwd_tries" The number of tries a user gets to enter his/her password before \&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR. .PP \&\fBIntegers that can be used in a boolean context\fR: -.IP "loglinelen" 12 +.IP "loglinelen" 16 .IX Item "loglinelen" Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is \&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap). -.IP "timestamp_timeout" 12 +.IP "passwd_timeout" 16 +.IX Item "passwd_timeout" +Number of minutes before the \fBsudo\fR password prompt times out. +The default is \f(CW\*(C`@password_timeout@\*(C'\fR; set this to \f(CW0\fR for no password timeout. +.IP "timestamp_timeout" 16 .IX Item "timestamp_timeout" Number of minutes that can elapse before \fBsudo\fR will ask for a passwd again. The default is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always 
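Review bot: this hunk deletes the closefrom_override boolean together with monitor, but the closefrom integer it adds under \fBIntegers\fR only sets the default starting descriptor; the deleted text is what documented that a user may pass \fB\-C\fR to override that starting point. Please confirm closefrom_override was re-added in the alphabetised part of the Booleans list that precedes this excerpt, otherwise the \fB\-C\fR option loses its sudoers documentation. Minor: "(ie: file descriptors 0\-2)" in the closefrom entry should be "(i.e., file descriptors 0\-2)".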
@@ -892,124 +885,110 @@ prompt for a password. If set to a value less than \f(CW0\fR the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively. -.IP "passwd_timeout" 12 -.IX Item "passwd_timeout" -Number of minutes before the \fBsudo\fR password prompt times out. -The default is \f(CW\*(C`@password_timeout@\*(C'\fR, set this to \f(CW0\fR for no password timeout. -.IP "umask" 12 +.IP "umask" 16 .IX Item "umask" Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The default is \f(CW\*(C`@sudo_umask@\*(C'\fR. -.IP "closefrom" 12 -.IX Item "closefrom" -Before it executes a command, \fBsudo\fR will close all open file -descriptors other than standard input, standard output and standard -error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used -to specify a different file descriptor at which to start closing. -The default is 3. -.IP "setenv" 12 -.IX Item "setenv" -Allow the user to disable the \fIenv_reset\fR option from the command -line. Additionally, environment variables set via the command line -are not subject to the restrictions imposed by \fIenv_check\fR, -\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should -be allowed to set variables in this manner. .PP \&\fBStrings\fR: -.IP "mailsub" 12 +.IP "badpass_message" 16 +.IX Item "badpass_message" +Message that is displayed if a user enters an incorrect password. +The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled. +.IP "editor" 16 +.IX Item "editor" +A colon (':') separated list of editors allowed to be used with +\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's +\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the +list that exists and is executable. The default is the path to vi +on your system. 
+.IP "mailsub" 16 .IX Item "mailsub" Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR will expand to the hostname of the machine. Default is \f(CW\*(C`@mailsub@\*(C'\fR. -.IP "badpass_message" 12 -.IX Item "badpass_message" -Message that is displayed if a user enters an incorrect password. -The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled. -.IP "timestampdir" 12 -.IX Item "timestampdir" -The directory in which \fBsudo\fR stores its timestamp files. -The default is \fI@timedir@\fR. -.IP "timestampowner" 12 -.IX Item "timestampowner" -The owner of the timestamp directory and the timestamps stored therein. -The default is \f(CW\*(C`root\*(C'\fR. -.IP "passprompt" 12 +.IP "noexec_file" 16 +.IX Item "noexec_file" +Path to a shared library containing dummy versions of the \fIexecv()\fR, +\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error. +This is used to implement the \fInoexec\fR functionality on systems that +support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR. +.IP "passprompt" 16 .IX Item "passprompt" The default prompt to use when asking for a password; can be overridden via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable. 
The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported: -.RS 12 -.ie n .IP "%u" 8 -.el .IP "\f(CW%u\fR" 8 -.IX Item "%u" -expanded to the invoking user's login name -.ie n .IP "%U" 8 -.el .IP "\f(CW%U\fR" 8 -.IX Item "%U" -expanded to the login name of the user the command will -be run as (defaults to root) -.ie n .IP "%h" 8 -.el .IP "\f(CW%h\fR" 8 -.IX Item "%h" -expanded to the local hostname without the domain name -.ie n .IP "%H" 8 -.el .IP "\f(CW%H\fR" 8 +.RS 16 +.ie n .IP "%H" 4 +.el .IP "\f(CW%H\fR" 4 .IX Item "%H" expanded to the local hostname including the domain name (on if the machine's hostname is fully qualified or the \fIfqdn\fR option is set) -.ie n .IP "\*(C`%%\*(C'" 8 -.el .IP "\f(CW\*(C`%%\*(C'\fR" 8 +.ie n .IP "%h" 4 +.el .IP "\f(CW%h\fR" 4 +.IX Item "%h" +expanded to the local hostname without the domain name +.ie n .IP "%U" 4 +.el .IP "\f(CW%U\fR" 4 +.IX Item "%U" +expanded to the login name of the user the command will +be run as (defaults to root) +.ie n .IP "%u" 4 +.el .IP "\f(CW%u\fR" 4 +.IX Item "%u" +expanded to the invoking user's login name +.ie n .IP "\*(C`%%\*(C'" 4 +.el .IP "\f(CW\*(C`%%\*(C'\fR" 4 .IX Item "%%" two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character .RE -.RS 12 +.RS 16 .Sp The default value is \f(CW\*(C`@passprompt@\*(C'\fR. .RE -.IP "runas_default" 12 +.IP "runas_default" 16 .IX Item "runas_default" The default user to run commands as if the \fB\-u\fR flag is not specified on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR. Note that if \fIrunas_default\fR is set it \fBmust\fR occur before any \f(CW\*(C`Runas_Alias\*(C'\fR specifications. -.IP "syslog_goodpri" 12 -.IX Item "syslog_goodpri" -Syslog priority to use when user authenticates successfully. -Defaults to \f(CW\*(C`@goodpri@\*(C'\fR. -.IP "syslog_badpri" 12 +.IP "syslog_badpri" 16 .IX Item "syslog_badpri" Syslog priority to use when user authenticates unsuccessfully. 
Defaults to \f(CW\*(C`@badpri@\*(C'\fR. -.IP "editor" 12 -.IX Item "editor" -A colon (':') separated list of editors allowed to be used with -\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's -\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the -list that exists and is executable. The default is the path to vi -on your system. -.IP "noexec_file" 12 -.IX Item "noexec_file" -Path to a shared library containing dummy versions of the \fIexecv()\fR, -\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error. -This is used to implement the \fInoexec\fR functionality on systems that -support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR. +.IP "syslog_goodpri" 16 +.IX Item "syslog_goodpri" +Syslog priority to use when user authenticates successfully. +Defaults to \f(CW\*(C`@goodpri@\*(C'\fR. +.IP "timestampdir" 16 +.IX Item "timestampdir" +The directory in which \fBsudo\fR stores its timestamp files. +The default is \fI@timedir@\fR. +.IP "timestampowner" 16 +.IX Item "timestampowner" +The owner of the timestamp directory and the timestamps stored therein. +The default is \f(CW\*(C`root\*(C'\fR. .PP \&\fBStrings that can be used in a boolean context\fR: +.IP "exempt_group" 12 +.IX Item "exempt_group" +Users in this group are exempt from password and \s-1PATH\s0 requirements. +This is not set by default. .IP "lecture" 12 .IX Item "lecture" This option controls when a short lecture will be printed along with the password prompt. It has the following possible values: .RS 12 +.IP "always" 8 +.IX Item "always" +Always lecture the user. .IP "never" 8 .IX Item "never" Never lecture the user. .IP "once" 8 .IX Item "once" Only lecture the user the first time they run \fBsudo\fR. -.IP "always" 8 -.IX Item "always" -Always lecture the user. .RE .RS 12 .Sp 
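Review bot: the unchanged %H context line in the passprompt escape list still reads "(on if the machine's hostname is fully qualified or the \fIfqdn\fR option is set)"; "on if" should be "only if". It is a sudoers.pod fix, but this hunk rewrites every line around it, so it is easy to miss that the typo survives. The reordering itself (%H, %h, %U, %u, %%) is plain ASCII order and matches the alphabetised option lists elsewhere in this change.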
@@ -1021,30 +1000,50 @@ The default value is \fI@lecture@\fR. .IX Item "lecture_file" Path to a file containing an alternate \fBsudo\fR lecture that will be used in place of the standard lecture if the named file exists. +By default, \fBsudo\fR uses a built-in lecture. +.IP "listpw" 12 +.IX Item "listpw" +This option controls when a password will be required when a +user runs \fBsudo\fR with the \fB\-l\fR flag. It has the following possible values: +.RS 12 +.IP "all" 8 +.IX Item "all" +All the user's \fIsudoers\fR entries for the current host must have +the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. +.IP "always" 8 +.IX Item "always" +The user must always enter a password to use the \fB\-l\fR flag. +.IP "any" 8 +.IX Item "any" +At least one of the user's \fIsudoers\fR entries for the current host +must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. +.IP "never" 8 +.IX Item "never" +The user need never enter a password to use the \fB\-l\fR flag. +.RE +.RS 12 +.Sp +If no value is specified, a value of \fIany\fR is implied. +Negating the option results in a value of \fInever\fR being used. +The default value is \fIany\fR. +.RE .IP "logfile" 12 .IX Item "logfile" Path to the \fBsudo\fR log file (not the syslog log file). Setting a path turns on logging to a file; negating this option turns it off. -.IP "syslog" 12 -.IX Item "syslog" -Syslog facility if syslog is being used for logging (negate to -disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR. +By default, \fBsudo\fR logs via syslog. +.IP "mailerflags" 12 +.IX Item "mailerflags" +Flags to use when invoking mailer. Defaults to \fB\-t\fR. .IP "mailerpath" 12 .IX Item "mailerpath" Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. -.IP "mailerflags" 12 -.IX Item "mailerflags" -Flags to use when invoking mailer. Defaults to \fB\-t\fR. 
.IP "mailto" 12 .IX Item "mailto" Address to send warning and error mail to. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR. -.IP "exempt_group" 12 -.IX Item "exempt_group" -Users in this group are exempt from password and \s-1PATH\s0 requirements. -This is not set by default. .IP "secure_path" 12 .IX Item "secure_path" Path used for every command run from \fBsudo\fR. If you don't trust the @@ -1053,6 +1052,10 @@ want to use this. Another use is if you want to have the \*(L"root path\*(R" be separate from the \*(L"user path.\*(R" Users in the group specified by the \&\fIexempt_group\fR option are not affected by \fIsecure_path\fR. This is not set by default. +.IP "syslog" 12 +.IX Item "syslog" +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR. .IP "verifypw" 12 .IX Item "verifypw" This option controls when a password will be required when a user runs 
@@ -1062,52 +1065,26 @@ This option controls when a password will be required when a user runs .IX Item "all" All the user's \fIsudoers\fR entries for the current host must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "any" 8 -.IX Item "any" -At least one of the user's \fIsudoers\fR entries for the current host -must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "never" 8 -.IX Item "never" -The user need never enter a password to use the \fB\-v\fR flag. .IP "always" 8 .IX Item "always" The user must always enter a password to use the \fB\-v\fR flag. -.RE -.RS 12 -.Sp -If no value is specified, a value of \fIall\fR is implied. -Negating the option results in a value of \fInever\fR being used. -The default value is \fIall\fR. -.RE -.IP "listpw" 12 -.IX Item "listpw" -This option controls when a password will be required when a -user runs \fBsudo\fR with the \fB\-l\fR flag. It has the following possible values: -.RS 12 -.IP "all" 8 -.IX Item "all" -All the user's \fIsudoers\fR entries for the current host must have -the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. .IP "any" 8 .IX Item "any" At least one of the user's \fIsudoers\fR entries for the current host must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. .IP "never" 8 .IX Item "never" -The user need never enter a password to use the \fB\-l\fR flag. -.IP "always" 8 -.IX Item "always" -The user must always enter a password to use the \fB\-l\fR flag. +The user need never enter a password to use the \fB\-v\fR flag. .RE .RS 12 .Sp -If no value is specified, a value of \fIany\fR is implied. +If no value is specified, a value of \fIall\fR is implied. Negating the option results in a value of \fInever\fR being used. -The default value is \fIany\fR. +The default value is \fIall\fR. 
.RE .PP \&\fBLists that can be used in a boolean context\fR: -.IP "env_check" 12 +.IP "env_check" 16 .IX Item "env_check" Environment variables to be removed from the user's environment if the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can @@ -1121,7 +1098,7 @@ specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if they pass the aforementioned check. The default list of environment variables to check is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. -.IP "env_delete" 12 +.IP "env_delete" 16 .IX Item "env_delete" Environment variables to be removed from the user's environment. The argument may be a double\-quoted, space-separated list or a @@ -1132,7 +1109,7 @@ variables to remove is displayed when \fBsudo\fR is run by root with the \&\fI\-V\fR option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as \fBsudo\fR). -.IP "env_keep" 12 +.IP "env_keep" 16 .IX Item "env_keep" Environment variables to be preserved in the user's environment when the \fIenv_reset\fR option is in effect. This allows fine-grained 
@@ -1152,11 +1129,17 @@ supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo \&\fBnotice\fR, and \fBwarning\fR. .SH "FILES" .IX Header "FILES" -.Vb 3 -\& @sysconfdir@/sudoers List of who can run what -\& /etc/group Local groups file -\& /etc/netgroup List of network groups -.Ve +.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C' List of who can run what" 4 +.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fR List of who can run what" 4 +.IX Item "@sysconfdir@/sudoers List of who can run what" +.PD 0 +.ie n .IP "\fI/etc/group\fR\*(C` \*(C' Local groups file" 4 +.el .IP "\fI/etc/group\fR\f(CW\*(C` \*(C'\fR Local groups file" 4 +.IX Item "/etc/group Local groups file" +.ie n .IP "\fI/etc/netgroup\fR\*(C` \*(C' List of network groups" 4 +.el .IP "\fI/etc/netgroup\fR\f(CW\*(C` \*(C'\fR List of network groups" 4 +.IX Item "/etc/netgroup List of network groups" +.PD .SH "EXAMPLES" .IX Header "EXAMPLES" Below are example \fIsudoers\fR entries. Admittedly, some of @@ -1213,7 +1196,7 @@ machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an ad local log file and make sure we log the year in each log line since the log entries will be kept around for several years. Lastly, we disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR -(/usr/bin/more, /usr/bin/pg and /usr/bin/less). +(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR). .PP .Vb 7 \& # Override built-in defaults @@ -1305,7 +1288,7 @@ as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot .Ve .PP The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup. -\&\fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix. +\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix. .PP .Vb 1 \& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser 
@@ -1341,7 +1324,7 @@ in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and .Ve .PP For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run -any commands in the directory /usr/bin/ except for those commands +any commands in the directory \fI/usr/bin/\fR except for those commands belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR. .PP .Vb 1 @@ -1400,7 +1383,7 @@ which lets a user bypass \fBsudo\fR's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs. .PP -There are three basic approaches to this problem: +There are two basic approaches to this problem: .IP "restrict" 10 .IX Item "restrict" Avoid giving users access to commands that allow the user to run @@ -1436,9 +1419,9 @@ If the resulting output contains a line that begins with: then \fBsudo\fR may be able to replace the exec family of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know whether or not -\&\fInoexec\fR will work at compile\-time. \fINoexec\fR should work on +\&\fInoexec\fR will work at compile\-time. \fInoexec\fR should work on SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX -11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fINoexec\fR +11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR is expected to work on most operating systems that support the \&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, 
@@ -1456,32 +1439,6 @@ with \fInoexec\fR enabled. This will prevent those two commands from executing other commands (such as a shell). If you are unsure whether or not your system is capable of supporting \fInoexec\fR you can always just try it out and see if it works. -.IP "monitor" 10 -.IX Item "monitor" -On operating systems that support the \fBsystrace\fR pseudo\-device, -the \f(CW\*(C`\-\-with\-systrace\*(C'\fR configure option can be used to compile -support for proccess monitoring in \fBsudo\fR. In monitor mode -\&\fBsudo\fR can transparently intercept a new command, allow or deny -it based on \fIsudoers\fR, and log the result. This does require that -\&\fBsudo\fR become a daemon that persists until the command and all its -descendents have exited. -.Sp -To enable monitor mode on a per-command basis, use the \f(CW\*(C`MONITOR\*(C'\fR -tag as documented in the User Specification section above. Here -is that example again: -.Sp -.Vb 1 -\& chuck research = MONITOR: ALL -.Ve -.Sp -This allows user \fBchuck\fR to run any command on the machine research -in monitor mode. Any commands run via shell escapes will be logged -by \fBsudo\fR. -.Sp -At the time of this writing the \fBsystrace\fR pseudo-device comes -standard with OpenBSD and NetBSD and is available as patches to -FreeBSD, MacOS X and Linux. See for -more information. .PP Note that restricting shell escapes is not a panacea. Programs running as root are still capable of many potentially hazardous @@ -1491,7 +1448,7 @@ editor, a safer approach is to give the user permission to run \&\fBsudoedit\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@) +\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8) .SH "CAVEATS" .IX Header "CAVEATS" The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR 
@@ -1515,7 +1472,7 @@ see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or search the archives. .SH "DISCLAIMER" .IX Header "DISCLAIMER" -\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html diff --git a/visudo.cat b/visudo.cat index 89c76c5f3..62ae4fab5 100644 --- a/visudo.cat +++ b/visudo.cat @@ -8,11 +8,11 @@ NNAAMMEE visudo - edit the sudoers file SSYYNNOOPPSSIISS - vviissuuddoo [ --cc ] [ --ff _s_u_d_o_e_r_s ] [ --qq ] [ --ss ] [ --VV ] + vviissuuddoo [--cc] [--qq] [--ss] [--VV] [--ff _s_u_d_o_e_r_s] DDEESSCCRRIIPPTTIIOONN vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous - to vipw(1m). vviissuuddoo locks the _s_u_d_o_e_r_s file against multi­ + to _v_i_p_w(1m). vviissuuddoo locks the _s_u_d_o_e_r_s file against multi- ple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the _s_u_d_o_e_r_s file is currently being edited you will receive a message to try again @@ -25,7 +25,7 @@ DDEESSCCRRIIPPTTIIOONN script. Normally, vviissuuddoo does not honor the VISUAL or EDITOR environment variables unless they contain an editor in the aforementioned editors list. However, if vviissuuddoo is - configured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r flag or the _e_n_v___e_d_i_­ + configured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r flag or the _e_n_v___e_d_i_- _t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the editor defines by VISUAL or EDITOR. Note that this can be a security hole since it allows the user to @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7 June 23, 2007 1 +1.7 August 15, 2007 1 
@@ -80,8 +80,8 @@ VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) when combined with the --cc flag. -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an - alias is used before it is defined, vviissuuddoo will con­ - sider this a parse error. Note that it is not possi­ + alias is used before it is defined, vviissuuddoo will con- + sider this a parse error. Note that it is not possi- ble to differentiate between an alias and a hostname or username that consists solely of uppercase letters, digits, and the underscore ('_') character. @@ -93,12 +93,13 @@ EENNVVIIRROONNMMEENNTT The following environment variables are used only if vviissuuddoo was configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option: - VISUAL Invoked by visudo as the editor to use - EDITOR Used by visudo if VISUAL is not set + VISUAL Invoked by visudo as the editor to use + + EDITOR Used by visudo if VISUAL is not set FFIILLEESS - /etc/sudoers List of who can run what - /etc/sudoers.tmp Lock file for visudo + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo DDIIAAGGNNOOSSTTIICCSS sudoers file busy, try again later. @@ -114,7 +115,7 @@ DDIIAAGGNNOOSSTTIICCSS defined Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias or you have a user or - hostname listed that consists solely of uppercase let­ + hostname listed that consists solely of uppercase let- ters, digits, and the underscore ('_') character. In the latter case, you can ignore the warnings (ssuuddoo will not complain). In --ss (strict) mode these are @@ -123,11 +124,10 @@ DDIIAAGGNNOOSSTTIICCSS Warning: unused {User,Runas,Host,Cmnd}_Alias The specified {User,Runas,Host,Cmnd}_Alias was defined but never used. You may wish to comment out or remove - the unused alias. In --ss (strict) mode this is an -1.7 June 23, 2007 2 +1.7 August 15, 2007 2 
@@ -136,13 +136,14 @@ DDIIAAGGNNOOSSTTIICCSS VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) + the unused alias. In --ss (strict) mode this is an error, not a warning. SSEEEE AALLSSOO - _v_i(1), sudoers(4), sudo(1m), vipw(1m) + _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) AAUUTTHHOORR - Many people have worked on _s_u_d_o over the years; this ver­ + Many people have worked on _s_u_d_o over the years; this ver- sion of vviissuuddoo was written by: Todd Miller @@ -159,17 +160,17 @@ BBUUGGSS a bug report at http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mail­ - ing list, see http://www.sudo.ws/mail­ + Limited free support is available via the sudo-users mail- + ing list, see http://www.sudo.ws/mail- man/listinfo/sudo-users to subscribe or search the archives. DDIISSCCLLAAIIMMEERR - VViissuuddoo is provided ``AS IS'' and any express or implied + vviissuuddoo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­ + with ssuuddoo or http://www.sudo.ws/sudo/license.html for com- plete details. @@ -192,7 +193,6 @@ DDIISSCCLLAAIIMMEERR - -1.7 June 23, 2007 3 +1.7 August 15, 2007 3 diff --git a/visudo.man.in b/visudo.man.in index de434b528..28d88988a 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -1,4 +1,4 @@ -.\" Copyright (c) 1996,1998-2004 Todd C. Miller +.\" Copyright (c) 1996,1998-2005, 2007 Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above 
@@ -149,16 +149,16 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" visudo \- edit the sudoers file .SH "SYNOPSIS" .IX Header "SYNOPSIS" -\&\fBvisudo\fR [ \fB\-c\fR ] [ \fB\-f\fR \fIsudoers\fR ] [ \fB\-q\fR ] [ \fB\-s\fR ] [ \fB\-V\fR ] +\&\fBvisudo\fR [\fB\-c\fR] [\fB\-q\fR] [\fB\-s\fR] [\fB\-V\fR] [\fB\-f\fR \fIsudoers\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to -vipw(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple +\&\fIvipw\fR\|(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the \fIsudoers\fR file is currently being edited you will receive a message to try again later. 
@@ -225,17 +225,24 @@ and exit. .IX Header "ENVIRONMENT" The following environment variables are used only if \fBvisudo\fR was configured with the \fI\-\-with\-env\-editor\fR option: -.PP -.Vb 2 -\& VISUAL Invoked by visudo as the editor to use -\& EDITOR Used by visudo if VISUAL is not set -.Ve +.ie n .IP "\*(C`VISUAL\*(C'" 16 +.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 +.IX Item "VISUAL" +Invoked by visudo as the editor to use +.ie n .IP "\*(C`EDITOR\*(C'" 16 +.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16 +.IX Item "EDITOR" +Used by visudo if \s-1VISUAL\s0 is not set .SH "FILES" .IX Header "FILES" -.Vb 2 -\& @sysconfdir@/sudoers List of who can run what -\& @sysconfdir@/sudoers.tmp Lock file for visudo -.Ve +.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C'List of who can run what" 4 +.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fRList of who can run what" 4 +.IX Item "@sysconfdir@/sudoers List of who can run what" +.PD 0 +.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR\*(C` \*(C'Lock file for visudo" 4 +.el .IP "\fI@sysconfdir@/sudoers.tmp\fR\f(CW\*(C` \*(C'\fRLock file for visudo" 4 +.IX Item "@sysconfdir@/sudoers.tmp Lock file for visudo" +.PD .SH "DIAGNOSTICS" .IX Header "DIAGNOSTICS" .IP "sudoers file busy, try again later." 4 @@ -261,7 +268,7 @@ used. You may wish to comment out or remove the unused alias. In \&\fB\-s\fR (strict) mode this is an error, not a warning. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@) +\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8) .SH "AUTHOR" .IX Header "AUTHOR" Many people have worked on \fIsudo\fR over the years; this version of 
@@ -288,7 +295,7 @@ see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or search the archives. .SH "DISCLAIMER" .IX Header "DISCLAIMER" -\&\fBVisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -- 2.40.0
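Review bot: In sudoers.man.in hunk @@ -1152,11 +1129,17 @@ the new FILES entries put the description inside the .IP tag as `\*(C` \*(C' List of who can run what` (a space before the description), while the same construct in visudo.man.in hunk @@ -225,17 +225,24 @@ reads `\*(C'List of who can run what` with no space. Since both pages are regenerated from their .pod sources, align the spacing in sudoers.pod and visudo.pod so the FILES tables of the two pages render alike.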
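Review bot: In sudoers.man.in hunk @@ -1456,32 +1439,6 @@ the removed "monitor" item pointed at the MONITOR tag "as documented in the User Specification section above" and at the `--with-systrace` configure option, but nothing in this patch shows those references being removed; confirm that the User Specification section and the configure documentation no longer describe MONITOR or systrace, otherwise the page keeps a tag whose effect is no longer explained anywhere. The change from "three" to "two" basic approaches in hunk @@ -1400,7 +1383,7 @@ is consistent with this removal.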
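Review bot: In sudoers.man.in hunk @@ -1491,7 +1448,7 @@ the visudo cross-reference is hardcoded as `\fIvisudo\fR\|(8)` while `sudo` on the same line keeps `(@mansectsu@)`; on platforms where @mansectsu@ is substituted with 1m (the regenerated visudo.cat header in this patch reads `VISUDO(1m)`) the reference points at a section that does not exist. Suggest `\fIvisudo\fR\|(@mansectsu@)` to match the sudo reference.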
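Review bot: In visudo.cat hunk @@ -25,7 +25,7 @@ the unchanged context line "vviissuuddoo will use any the editor defines by VISUAL or EDITOR" is ungrammatical and the regen carries it over; this is the sentence that warns that the env_editor setting can be a security hole, so it should read plainly, e.g. "will use whatever editor VISUAL or EDITOR defines". Fix it in visudo.pod so the next regen picks it up.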
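Review bot: In visudo.cat hunk @@ -93,12 +93,13 @@ a blank line now appears between the VISUAL and EDITOR entries while the FILES entries directly below stay compact; the cause is visible in visudo.man.in hunk @@ -225,17 +225,24 @@, where the FILES list is wrapped in `.PD 0`/`.PD` but the ENVIRONMENT list is not. Give both lists the same treatment in visudo.pod.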
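Review bot: In visudo.cat hunk @@ -136,13 +136,14 @@ SEE ALSO now lists `_v_i_p_w(8)`, while the DESCRIPTION in hunk @@ -8,11 +8,11 @@ of the same file still reads `_v_i_p_w(1m)` and the page header is `VISUDO(1m)`, so one rendered page refers to vipw under two different manual sections.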
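Review bot: In visudo.man.in hunk @@ -261,7 +268,7 @@ `vipw(@mansectsu@)` becomes `\fIvipw\fR\|(8)`, dropping the section substitution that `sudo(@mansectsu@)` on the same line keeps; this is the source of the mismatched vipw(1m)/vipw(8) references in visudo.cat. Suggest `\fIvipw\fR\|(@mansectsu@)`, which is exactly what the DESCRIPTION in hunk @@ -149,16 +149,16 @@ already uses.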