From 9c954d803fb790ec81c72fabc55ec623c2ae159c Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 19 Nov 2004 22:09:10 +0000 Subject: [PATCH] Document per-command Defaults. --- sample.sudoers | 20 ++-- sudoers.cat | 262 ++++++++++++++++++++++++------------------------- sudoers.man.in | 20 ++-- sudoers.pod | 12 ++- 4 files changed, 166 insertions(+), 148 deletions(-) diff --git a/sample.sudoers b/sample.sudoers index 99cc4ac41..132f6c3fc 100644 --- a/sample.sudoers +++ b/sample.sudoers @@ -7,6 +7,16 @@ # # $Sudo$ +## +# Override built-in defaults +## +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec + ## # User alias specification ## @@ -48,15 +58,7 @@ Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ Cmnd_Alias SU = /usr/bin/su Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ /usr/bin/chfn - -## -# Override built-in defaults -## -Defaults syslog=auth -Defaults>root !set_logname -Defaults:FULLTIMERS !lecture -Defaults:millert !authenticate -Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less ## # User specification diff --git a/sudoers.cat b/sudoers.cat index a5b2e8dc4..99e5ade55 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.9 November 12, 2004 1 +1.6.9 November 19, 2004 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 12, 2004 2 +1.6.9 November 19, 2004 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9 November 12, 2004 3 +1.6.9 November 19, 2004 3 @@ -221,12 +221,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Certain configuration options may be changed from their default values at runtime via one or more Default_Entry lines. These may affect all users on any host, all users - on a specific host, a specific user, or commands being run - as a specific user. + on a specific host, a specific user, a specific command, + or commands being run as a specific user. Note that per- + command entries may not include command line arguments. + If you need to specify arguments, define a Cmnd_Alias and + reference that instead. Default_Type ::= 'Defaults' | 'Defaults' '@' Host | 'Defaults' ':' User | + 'Defaults' '!' Cmnd | 'Defaults' '>' RunasUser Default_Entry ::= Default_Type Parameter_List @@ -252,14 +256,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) respectively. It is not an error to use the -= operator to remove an element that does not exist in a list. - FFllaaggss: - - long_otp_prompt - When validating with a One Time Password -1.6.9 November 12, 2004 4 +1.6.9 November 19, 2004 4 @@ -268,6 +268,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + FFllaaggss: + + long_otp_prompt + When validating with a One Time Password scheme (SS//KKeeyy or OOPPIIEE), a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as @@ -276,7 +280,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the PATH environment variable; the - PATH itself is not modified. This flag is _o_n + PATH itself is not modified. This flag is _o_f_f by default. mail_always Send mail to the _m_a_i_l_t_o user every time a @@ -318,14 +322,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default - may be overridden via the PASSWD and NOPASSWD - tags. This flag is _o_n by default. - - root_sudo If set, root is allowed to run ssuuddoo too. -1.6.9 November 12, 2004 5 +1.6.9 November 19, 2004 5 @@ -334,7 +334,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Disabling this prevents users from "chaining" + may be overridden via the PASSWD and NOPASSWD + tags. This flag is _o_n by default. + + root_sudo If set, root is allowed to run ssuuddoo too. Dis­ + abling this prevents users from "chaining" ssuuddoo commands to get a root shell by doing something like "sudo sudo /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o will also @@ -384,14 +388,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tage is that if the executable is simply not in the user's PATH, ssuuddoo will tell the user that they are not allowed to run it, which can - be confusing. This flag is _o_f_f by default. - - preserve_groups - By default ssuuddoo will initialize the group -1.6.9 November 12, 2004 6 +1.6.9 November 19, 2004 6 @@ -400,12 +400,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - vector to the list of groups the target user - is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the - user's existing group vector is left unal­ - tered. The real and effective group IDs, how­ - ever, are still set to match the target user. - This flag is _o_f_f by default. + be confusing. This flag is _o_f_f by default. + + preserve_groups + By default ssuuddoo will initialize the group vec­ + tor to the list of groups the target user is + in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's + existing group vector is left unaltered. The + real and effective group IDs, however, are + still set to match the target user. This flag + is _o_f_f by default. fqdn Set this flag if you want to put fully quali­ fied hostnames in the _s_u_d_o_e_r_s file. I.e., @@ -426,7 +430,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) set _f_q_d_n. This flag is _o_f_f by default. insults If set, ssuuddoo will insult users when they enter - an incorrect password. This flag is _o_n by + an incorrect password. This flag is _o_f_f by default. requiretty If set, ssuuddoo will only run when the user is @@ -447,17 +451,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) is to place a colon-separated list of editors in the editor variable. vviissuuddoo will then only use the EDITOR or VISUAL if they match a value - specified in editor. This flag is on by + specified in editor. This flag is off by default. - rootpw If set, ssuuddoo will prompt for the root password - instead of the password of the invoking user. - This flag is _o_f_f by default. - -1.6.9 November 12, 2004 7 +1.6.9 November 19, 2004 7 @@ -466,6 +466,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + rootpw If set, ssuuddoo will prompt for the root password + instead of the password of the invoking user. + This flag is _o_f_f by default. + runaspw If set, ssuuddoo will prompt for the password of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) instead of the password of @@ -516,14 +520,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) use_loginclass If set, ssuuddoo will apply the defaults specified - for the target user's login class if one - exists. Only available if ssuuddoo is configured - with the --with-logincap option. This flag is - _o_f_f by default. -1.6.9 November 12, 2004 8 +1.6.9 November 19, 2004 8 @@ -532,6 +532,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + for the target user's login class if one + exists. Only available if ssuuddoo is configured + with the --with-logincap option. This flag is + _o_f_f by default. + noexec If set, all commands run via ssuuddoo will behave as if the NOEXEC tag has been set, unless overridden by a EXEC tag. See the description @@ -581,15 +586,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) log. The default is 80 (use 0 or negate the option to disable word wrap). - timestamp_timeout - Number of minutes that can elapse before ssuuddoo - will ask for a passwd again. The default is - 5. Set this to 0 to always prompt for a pass­ - word. If set to a value less than 0 the -1.6.9 November 12, 2004 9 +1.6.9 November 19, 2004 9 @@ -598,6 +598,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + timestamp_timeout + Number of minutes that can elapse before ssuuddoo + will ask for a passwd again. The default is + 5. Set this to 0 to always prompt for a pass­ + word. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k @@ -648,14 +653,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) %h expanded to the local hostname without the domain name - %H expanded to the local hostname includ­ - ing the domain name (on if the - machine's hostname is fully qualified - or the _f_q_d_n option is set) - -1.6.9 November 12, 2004 10 +1.6.9 November 19, 2004 10 @@ -664,6 +664,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + %H expanded to the local hostname includ­ + ing the domain name (on if the + machine's hostname is fully qualified + or the _f_q_d_n option is set) + %% two consecutive % characters are col­ laped into a single % character @@ -713,15 +718,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) always Always lecture the user. - The default value is _o_n_c_e. - - lecture_file - Path to a file containing an alternate ssuuddoo - lecture that will be used in place of the -1.6.9 November 12, 2004 11 +1.6.9 November 19, 2004 11 @@ -730,6 +730,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The default value is _o_n_c_e. + + lecture_file + Path to a file containing an alternate ssuuddoo + lecture that will be used in place of the standard lecture if the named file exists. logfile Path to the ssuuddoo log file (not the syslog log @@ -738,7 +743,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). - Defaults to authpriv. + Defaults to local2. mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found @@ -779,15 +784,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the NOPASSWD flag set to avoid enter­ ing a password. - never The user need never enter a password - to use the --vv flag. - - always The user must always enter a password - to use the --vv flag. -1.6.9 November 12, 2004 12 +1.6.9 November 19, 2004 12 @@ -796,6 +796,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + never The user need never enter a password + to use the --vv flag. + + always The user must always enter a password + to use the --vv flag. + The default value is `all'. listpw This option controls when a password will be @@ -844,16 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) respectively. The default list of environment variables to remove is printed when ssuuddoo is run by root with the _-_V option. Note that - many operating systems will remove potentially - dangerous variables from the environment of - any setuid process (such as ssuuddoo). - - env_keep Environment variables to be preserved in the - user's environment when the _e_n_v___r_e_s_e_t option -1.6.9 November 12, 2004 13 +1.6.9 November 19, 2004 13 @@ -862,6 +862,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + many operating systems will remove potentially + dangerous variables from the environment of + any setuid process (such as ssuuddoo). + + env_keep Environment variables to be preserved in the + user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained con­ trol over the environment ssuuddoo-spawned pro­ cesses will receive. The argument may be a @@ -911,22 +917,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) commands that follow it. What this means is that for the entry: - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m - -- but only as ooppeerraattoorr. E.g., +1.6.9 November 19, 2004 14 -1.6.9 November 12, 2004 14 - +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m + -- but only as ooppeerraattoorr. E.g., $ sudo -u operator /bin/ls. @@ -978,14 +983,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tain to the current host. This behavior may be overridden via the verifypw and listpw options. - _N_O_E_X_E_C _a_n_d _E_X_E_C - - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the - underlying operating system supports it, the NOEXEC tag - -1.6.9 November 12, 2004 15 +1.6.9 November 19, 2004 15 @@ -994,6 +994,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _N_O_E_X_E_C _a_n_d _E_X_E_C + + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the + underlying operating system supports it, the NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself. @@ -1045,13 +1049,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) used to escape special characters such as: "*", "?", "[", and "}". - Note that a forward slash ('/') will nnoott be matched by - wildcards used in the pathname. When matching the command - line arguments, however, a slash ddooeess get matched by - -1.6.9 November 12, 2004 16 +1.6.9 November 19, 2004 16 @@ -1060,7 +1060,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - wildcards. This is to make a path like: + Note that a forward slash ('/') will nnoott be matched by + wildcards used in the pathname. When matching the command + line arguments, however, a slash ddooeess get matched by wild­ + cards. This is to make a path like: /usr/bin/* @@ -1111,13 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) or Host_Alias. You should not try to define your own _a_l_i_a_s called AALLLL as the built-in alias will be used in preference to your own. Please note that using AALLLL can be - dangerous since in a command context, it allows the user - to run aannyy command on the system. - -1.6.9 November 12, 2004 17 +1.6.9 November 19, 2004 17 @@ -1126,6 +1126,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + dangerous since in a command context, it allows the user + to run aannyy command on the system. + An exclamation point ('!') can be used as a logical _n_o_t operator both in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain values. Note, however, that @@ -1180,10 +1183,7 @@ EEXXAAMMPPLLEESS - - - -1.6.9 November 12, 2004 18 +1.6.9 November 19, 2004 18 @@ -1204,6 +1204,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) /usr/local/bin/tcsh, /usr/bin/rsh, \ /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su + Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less Here we override some of the compiled in default values. We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility @@ -1214,7 +1215,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log file and make sure we log the year in each log line since the log entries will be - kept around for several years. + kept around for several years. Lastly, we disable shell + escapes for the commands in the PAGERS Cmnd_Alias + (/usr/bin/more, /usr/bin/pg and /usr/bin/less). # Override built-in defaults Defaults syslog=auth @@ -1222,6 +1225,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults:FULLTIMERS !lecture Defaults:millert !authenticate Defaults@SERVERS log_year, logfile=/var/log/sudo.log + Defaults!PAGERS noexec The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ mines who may run what. @@ -1243,13 +1247,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any command on any host but they must authenticate them­ selves first (since the entry lacks the NOPASSWD tag). - jack CSNETS = ALL - - The user jjaacckk may run any command on the machines in the - -1.6.9 November 12, 2004 19 +1.6.9 November 19, 2004 19 @@ -1258,6 +1258,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + jack CSNETS = ALL + + The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it @@ -1309,13 +1312,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) fred ALL = (DB) NOPASSWD: ALL The user ffrreedd can run commands as any user in the _D_B - Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. - - john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* -1.6.9 November 12, 2004 20 +1.6.9 November 19, 2004 20 @@ -1324,6 +1324,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. + + john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to give _s_u(1) any flags. @@ -1373,15 +1377,11 @@ SSEECCUURRIITTYY NNOOTTEESS bill ALL = ALL, !SU, !SHELLS Doesn't really prevent bbiillll from running the commands - listed in _S_U or _S_H_E_L_L_S since he can simply copy those com­ - mands to a different name, or use a shell escape from an - editor or other program. Therefore, these kind of - restrictions should be considered advisory at best (and - reinforced by policy). + listed in _S_U or _S_H_E_L_L_S since he can simply copy those -1.6.9 November 12, 2004 21 +1.6.9 November 19, 2004 21 @@ -1390,6 +1390,11 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + commands to a different name, or use a shell escape from + an editor or other program. Therefore, these kind of + restrictions should be considered advisory at best (and + reinforced by policy). + PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS Once ssuuddoo executes a program, that program is free to do whatever it pleases, including run other programs. This @@ -1439,15 +1444,10 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS _n_o_e_x_e_c will work at compile-time. _N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott - to work on AIX and UnixWare. _N_o_e_x_e_c is expected - to work on most operating systems that support - the LD_PRELOAD environment variable. Check your - operating system's manual pages for the dynamic - linker (usually ld.so, ld.so.1, dyld, dld.sl, -1.6.9 November 12, 2004 22 +1.6.9 November 19, 2004 22 @@ -1456,6 +1456,11 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + to work on AIX and UnixWare. _N_o_e_x_e_c is expected + to work on most operating systems that support + the LD_PRELOAD environment variable. Check your + operating system's manual pages for the dynamic + linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup­ ported. @@ -1505,22 +1510,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tially hazardous operations (such as changing or overwrit­ ing files) that could lead to unintended privilege escala­ tion. In the specific case of an editor, a safer approach - is to give the user permission to run ssuuddooeeddiitt. -SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) +1.6.9 November 19, 2004 23 -1.6.9 November 12, 2004 23 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + is to give the user permission to run ssuuddooeeddiitt. +SSEEEE AALLSSOO + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo @@ -1574,11 +1579,6 @@ DDIISSCCLLAAIIMMEERR - - - - - -1.6.9 November 12, 2004 24 +1.6.9 November 19, 2004 24 diff --git a/sudoers.man.in b/sudoers.man.in index 784684d06..7012e95e8 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "November 12, 2004" "1.6.9" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "November 19, 2004" "1.6.9" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -354,12 +354,16 @@ a normal command does. Certain configuration options may be changed from their default values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These may affect all users on any host, all users on a specific host, a -specific user, or commands being run as a specific user. +specific user, a specific command, or commands being run as a specific user. +Note that per-command entries may not include command line arguments. +If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference +that instead. .PP -.Vb 4 +.Vb 5 \& Default_Type ::= 'Defaults' | \& 'Defaults' '@' Host | \& 'Defaults' ':' User | +\& 'Defaults' '!' Cmnd | \& 'Defaults' '>' RunasUser .Ve .PP @@ -1131,7 +1135,7 @@ these are a bit contrived. First, we define our \fIaliases\fR: \& Host_Alias CDROM = orion, perseus, hercules .Ve .PP -.Vb 12 +.Vb 13 \& # Cmnd alias specification \& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e \& /usr/sbin/restore, /usr/sbin/rrestore @@ -1144,6 +1148,7 @@ these are a bit contrived. First, we define our \fIaliases\fR: \& /usr/local/bin/tcsh, /usr/bin/rsh, \e \& /usr/local/bin/zsh \& Cmnd_Alias SU = /usr/bin/su +\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less .Ve .PP Here we override some of the compiled in default values. We want @@ -1154,15 +1159,18 @@ want to reset the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environmen running commands as root. Additionally, on the machines in the \&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and make sure we log the year in each log line since the log entries -will be kept around for several years. +will be kept around for several years. Lastly, we disable shell +escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR (/usr/bin/more, +/usr/bin/pg and /usr/bin/less). .PP -.Vb 6 +.Vb 7 \& # Override built-in defaults \& Defaults syslog=auth \& Defaults>root !set_logname \& Defaults:FULLTIMERS !lecture \& Defaults:millert !authenticate \& Defaults@SERVERS log_year, logfile=/var/log/sudo.log +\& Defaults!PAGERS noexec .Ve .PP The \fIUser specification\fR is the part that actually determines who may diff --git a/sudoers.pod b/sudoers.pod index 9146ef19e..fee274681 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -198,11 +198,15 @@ a normal command does. Certain configuration options may be changed from their default values at runtime via one or more C lines. These may affect all users on any host, all users on a specific host, a -specific user, or commands being run as a specific user. +specific user, a specific command, or commands being run as a specific user. +Note that per-command entries may not include command line arguments. +If you need to specify arguments, define a C and reference +that instead. Default_Type ::= 'Defaults' | 'Defaults' '@' Host | 'Defaults' ':' User | + 'Defaults' '!' Cmnd | 'Defaults' '>' RunasUser Default_Entry ::= Default_Type Parameter_List @@ -1054,6 +1058,7 @@ these are a bit contrived. First, we define our I: /usr/local/bin/tcsh, /usr/bin/rsh, \ /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su + Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less Here we override some of the compiled in default values. We want B to log via L using the I facility in all @@ -1063,7 +1068,9 @@ want to reset the C or C environment variables when running commands as root. Additionally, on the machines in the I C, we keep an additional local log file and make sure we log the year in each log line since the log entries -will be kept around for several years. +will be kept around for several years. Lastly, we disable shell +escapes for the commands in the PAGERS C (/usr/bin/more, +/usr/bin/pg and /usr/bin/less). # Override built-in defaults Defaults syslog=auth @@ -1071,6 +1078,7 @@ will be kept around for several years. Defaults:FULLTIMERS !lecture Defaults:millert !authenticate Defaults@SERVERS log_year, logfile=/var/log/sudo.log + Defaults!PAGERS noexec The I is the part that actually determines who may run what. -- 2.50.1