From ee2005c958d06ac3cf969cbed5443a62e9dffe87 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 17 Aug 2012 16:30:58 -0400 Subject: [PATCH] Sudo manuals formatted in mdoc, to replace the pod versions, back-ported from sudo trunk. --HG-- branch : 1.7 --- .hgignore | 3 + INSTALL | 12 +- Makefile.in | 278 ++- configure | 215 +- configure.in | 89 +- fixman.sh | 86 + fixmdoc.sh | 93 + sudo.cat | 1158 ++++++----- sudo.man.in | 2253 +++++++++++++------- sudo.mdoc.in | 1546 ++++++++++++++ sudo.pod | 707 ------- sudoers.cat | 1824 +++++++++-------- sudoers.ldap.cat | 950 +++++---- sudoers.ldap.man.in | 1928 ++++++++++-------- sudoers.ldap.mdoc.in | 1103 ++++++++++ sudoers.ldap.pod | 871 -------- sudoers.man.in | 4649 +++++++++++++++++++++++++++--------------- sudoers.mdoc.in | 2955 +++++++++++++++++++++++++++ sudoers.pod | 1755 ---------------- sudoreplay.cat | 224 +- sudoreplay.man.in | 679 +++--- sudoreplay.mdoc.in | 368 ++++ sudoreplay.pod | 346 ---- visudo.cat | 203 +- visudo.man.in | 546 ++--- visudo.mdoc.in | 317 +++ visudo.pod | 213 -- 27 files changed, 15480 insertions(+), 9891 deletions(-) create mode 100755 fixman.sh create mode 100755 fixmdoc.sh create mode 100644 sudo.mdoc.in delete mode 100644 sudo.pod create mode 100644 sudoers.ldap.mdoc.in delete mode 100644 sudoers.ldap.pod create mode 100644 sudoers.mdoc.in delete mode 100644 sudoers.pod create mode 100644 sudoreplay.mdoc.in delete mode 100644 sudoreplay.pod create mode 100644 visudo.mdoc.in delete mode 100644 visudo.pod diff --git a/.hgignore b/.hgignore index 4252e9383..9c093b027 100644 --- a/.hgignore +++ b/.hgignore @@ -18,6 +18,9 @@ Makefile$ ^ChangeLog$ ^.*\.man$ +^.*\.man\.sed$ +^.*\.mdoc$ +^.*\.mdoc\.sed$ ^varsub$ ^zlib/zconf.h$ diff --git a/INSTALL b/INSTALL index 1a91255fc..139061152 100644 --- a/INSTALL +++ b/INSTALL @@ -334,7 +334,7 @@ Special features/options: --with-otp-only This option is now just an alias for --without-passwd. - --with-selinux + --with-selinux Enable support for role based access control (RBAC) on systems that support SELinux. @@ -348,6 +348,16 @@ Special features/options: name as specified by --with-libvas). This option only has an effect when --with-libvas is specified. + --with-man + Use the "man" macros for manual pages. By default, mdoc + versions of the manuals are installed. This can be used + to override configure's test for "nroff -mdoc" support. + + --with-mdoc + Use the "mdoc" macros for manual pages. By default, mdoc + versions of the manuals are installed. This can be used + to override configure's test for "nroff -mdoc" support. + The following options are also configurable at runtime: --with-long-otp-prompt diff --git a/Makefile.in b/Makefile.in index cc1fcb737..bb201d682 100644 --- a/Makefile.in +++ b/Makefile.in @@ -33,10 +33,12 @@ top_builddir = . CC = @CC@ FLEX = @FLEX@ YACC = @YACC@ -NROFF = @NROFFPROG@ -Tascii LIBTOOL = @LIBTOOL@ AR=@AR@ RANLIB=@RANLIB@ +SED=@SED@ +TR = @TRPROG@ +MANDOC = @MANDOCPROG@ MANCOMPRESS = @MANCOMPRESS@ MANCOMPRESSEXT = @MANCOMPRESSEXT@ @@ -90,8 +92,8 @@ sudoersdir = $(sysconfdir) mantype = @MANTYPE@ mansectsu = @mansectsu@ mansectform = @mansectform@ -mandirsu = $(mandir)/$(mantype)$(mansectsu) -mandirform = $(mandir)/$(mantype)$(mansectform) +mandirsu = $(mandir)/@MANDIRTYPE@$(mansectsu) +mandirform = $(mandir)/@MANDIRTYPE@$(mansectform) # User and group ids the installed files should be "owned" by install_uid = 0 @@ -106,6 +108,9 @@ shlib_mode = @SHLIB_MODE@ # Pass in paths and uid/gid + OS dependent defined DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -DSUDOERS_UID=$(sudoers_uid) -DSUDOERS_GID=$(sudoers_gid) -DSUDOERS_MODE=$(sudoers_mode) +# Set to non-empty for development mode +DEVEL = @DEVEL@ + #### End of system configuration section. #### SHELL = @SHELL@ @@ -167,14 +172,15 @@ DISTFILES = $(SRCS) $(HDRS) ChangeLog HISTORY INSTALL INSTALL.configure \ LICENSE Makefile.in NEWS PORTING README README.LDAP \ TROUBLESHOOTING UPGRADE aclocal.m4 aixcrypt.exp config.guess \ config.h.in config.sub configure configure.in def_data.in \ - indent.pro install-sh ltmain.sh m4 mkdefaults mkinstalldirs \ - mkpkg pathnames.h.in pp sample.pam sample.syslog.conf \ - sample.sudoers schema.ActiveDirectory schema.OpenLDAP \ - schema.iPlanet siglist.in sudo.cat sudo.man.in sudo.pod sudo.pp \ - sudo_usage.h.in sudoers.in sudoers.cat sudoers.man.in sudoers.pod \ - sudoers.ldap.cat sudoers.ldap.man.in sudoers.ldap.pod \ - sudoers2ldif sudoreplay.cat sudoreplay.man.in sudoreplay.pod \ - visudo.cat visudo.man.in visudo.pod auth/API sudo.man.pl \ + fixman.sh fixmdoc.sh indent.pro install-sh ltmain.sh m4 \ + mkdefaults mkinstalldirs mkpkg pathnames.h.in pp sample.pam \ + sample.syslog.conf sample.sudoers schema.ActiveDirectory \ + schema.OpenLDAP schema.iPlanet siglist.in sudo.cat sudo.man.in \ + sudo.mdoc.in sudo.pp sudo_usage.h.in sudoers.in sudoers.cat \ + sudoers.man.in sudoers.mdoc.in sudoers.ldap.cat \ + sudoers.ldap.man.in sudoers.ldap.mdoc.in sudoers2ldif \ + sudoreplay.cat sudoreplay.man.in sudoreplay.mdoc.in \ + visudo.cat visudo.man.in visudo.mdoc.in auth/API sudo.man.pl \ sudoers.man.pl $(ZLIB_FILES) ZLIB_FILES = zlib/adler32.c zlib/compress.c zlib/crc32.c zlib/crc32.h \ @@ -195,7 +201,18 @@ AUTHDEP = $(SUDODEP) $(authdir)/sudo_auth.h INSDEP = $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h $(srcdir)/ins_csops.h \ $(srcdir)/ins_goons.h $(srcdir)/insults.h -all: $(PROGS) +DOCS = sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \ + sudoers.ldap.$(mantype) sudoers.$(mantype) \ + sudoreplay.$(mantype) + +DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \ + $(srcdir)/visudo.man.in $(srcdir)/visudo.cat \ + $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \ + $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \ + $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \ + $(srcdir)/sudoreplay.man.in $(srcdir)/sudoreplay.cat + +all: $(PROGS) $(DEVDOCS) $(DOCS) .SUFFIXES: .o .c .h .l .y .lo @@ -231,38 +248,47 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c libsudo_noexec.la: sudo_noexec.lo $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir) -# Uncomment the following if you want "make distclean" to clean the parser -@DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h getdate +GENERATED = gram.h gram.c toke.c def_data.c def_data.h getdate.c -# Uncomment the lines before -@true if you intend to modify gram.y $(devdir)/gram.c $(devdir)/gram.h: $(srcdir)/gram.y -@DEV@ $(YACC) -d $(srcdir)/gram.y -@DEV@ echo "#include " > $(devdir)/gram.c -@DEV@ cat y.tab.c >> $(devdir)/gram.c -@DEV@ rm -f y.tab.c -@DEV@ mv -f y.tab.h $(devdir)/gram.h - -@true - -# Uncomment the lines before -@true if you intend to modify toke.l + @if [ -n "$(DEVEL)" ]; then \ + if test "$(srcdir)" = "."; then \ + gram_y="gram.y"; \ + else \ + gram_y="$(srcdir)/gram.y"; \ + fi; \ + cmd='$(YACC) -d '"$$gram_y"'; echo "#include " > $(devdir)/gram.c; sed "s/^\\(#line .*\\) \"y\\.tab\\.c\"/\1 \"gram.c\"/" y.tab.c >> $(devdir)/gram.c; rm -f y.tab.c; mv -f y.tab.h $(devdir)/gram.h'; \ + echo "$$cmd"; eval $$cmd; \ + fi + $(devdir)/toke.c: $(srcdir)/toke.l -@DEV@ $(FLEX) $(srcdir)/toke.l -@DEV@ echo "#include " > $(devdir)/toke.c -@DEV@ cat lex.yy.c >> $(devdir)/toke.c -@DEV@ rm -f lex.yy.c - -@true + @if [ -n "$(DEVEL)" ]; then \ + if test "$(srcdir)" = "."; then \ + toke_l="toke.l"; \ + else \ + toke_l="$(srcdir)/toke.l"; \ + fi; \ + cmd='$(FLEX) '"$$toke_l"'; echo "#include " > $(devdir)/toke.c; cat lex.yy.c >> $(devdir)/toke.c; rm -f lex.yy.c'; \ + echo "$$cmd"; eval $$cmd; \ + fi -# Uncomment the lines before -@true if you intend to modify getdate.y $(devdir)/getdate.c: $(srcdir)/getdate.y -@DEV@ echo "expect 10 shift/reduce conflicts" -@DEV@ $(YACC) $(srcdir)/getdate.y -@DEV@ echo "#include " > $(devdir)/getdate.c -@DEV@ cat y.tab.c >> $(devdir)/getdate.c -@DEV@ rm -f y.tab.c - -@true + @if [ -n "$(DEVEL)" ]; then \ + echo "expect 10 shift/reduce conflicts"; \ + if test "$(srcdir)" = "."; then \ + getdate_y="getdate.y"; \ + else \ + getdate_y="$(srcdir)/getdate.y"; \ + fi; \ + cmd='$(YACC) '"$$getdate_y"'; echo "#include " > $(devdir)/getdate.c; sed "s/^\\(#line .*\\) \"y\\.tab\\.c\"/\1 \"getdate.c\"/" y.tab.c >> $(devdir)/getdate.c; rm -f y.tab.c'; \ + echo "$$cmd"; eval $$cmd; \ + fi -# Uncomment the following if you intend to modify def_data.in -@DEV@$(devdir)/def_data.h $(devdir)/def_data.c: $(srcdir)/def_data.in -@DEV@ perl $(srcdir)/mkdefaults -o def_data $(srcdir)/def_data.in +$(devdir)/def_data.c $(devdir)/def_data.h: $(srcdir)/def_data.in + @if [ -n "$(DEVEL)" ]; then \ + cmd='$(PERL) $(srcdir)/mkdefaults -o $(devdir)/def_data $(srcdir)/def_data.in'; \ + echo "$$cmd"; eval $$cmd; \ + fi siglist.c: mksiglist ./mksiglist > $@ @@ -270,8 +296,10 @@ siglist.c: mksiglist mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(srcdir)/missing.h config.h $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@ -@DEV@$(srcdir)/mksiglist.h: $(srcdir)/siglist.in -@DEV@ awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@ +$(srcdir)/mksiglist.h: $(srcdir)/siglist.in + @if [ -n "$(DEVEL)" ]; then \ + awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@; \ + fi # Dependencies (not counting auth functions) aix.o: $(srcdir)/aix.c @@ -483,56 +511,160 @@ uncompr.o: $(srcdir)/zlib/zlib.h zlib/zconf.h zutil.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h $(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/zutil.c -@DEV@varsub: $(srcdir)/configure.in -@DEV@ printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@ +varsub: $(srcdir)/configure.in + @if [ -n "$(DEVEL)" ]; then \ + printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \ + $(SED) -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(srcdir)/configure.in | $(SED) -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \ + fi -@DEV@$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod -@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p $(srcdir)/sudo.man.pl >> $@ +$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ + mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in\n' >> $@; \ + $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.mdoc.in >> $@; \ + $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ + fi -sudo.man: $(srcdir)/sudo.man.in - $(SHELL) config.status --file=$@ +sudo.man.sed: $(srcdir)/fixman.sh + BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ $(SHELL) $(srcdir)/fixman.sh $@ -@DEV@$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.man.in -@DEV@ sed -f varsub $(srcdir)/sudo.man.in | $(NROFF) -man > $@ +sudo.man: $(srcdir)/sudo.man.in sudo.man.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@ -@DEV@$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod -@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ +sudo.mdoc.sed: $(srcdir)/fixmdoc.sh + BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@ -visudo.man: $(srcdir)/visudo.man.in - $(SHELL) config.status --file=$@ +sudo.mdoc: $(srcdir)/sudo.mdoc.in sudo.mdoc.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@ -@DEV@$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.man.in -@DEV@ sed -f varsub $(srcdir)/visudo.man.in | $(NROFF) -man > $@ +$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + $(SED) -f varsub $(srcdir)/sudo.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ + fi -@DEV@$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod -@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p $(srcdir)/sudoers.man.pl >> $@ +sudo.cat: $(srcdir)/sudo.cat + +$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ + mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in\n' >> $@; \ + $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/visudo.mdoc.in >> $@; \ + $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ + fi -sudoers.man: $(srcdir)/sudoers.man.in - $(SHELL) config.status --file=$@ +visudo.man.sed: $(srcdir)/fixman.sh + $(SHELL) $(srcdir)/fixman.sh $@ -@DEV@$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.man.in -@DEV@ sed -f varsub $(srcdir)/sudoers.man.in | $(NROFF) -man > $@ +visudo.man: $(srcdir)/visudo.man.in visudo.man.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@ -@DEV@$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod -@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ +visudo.mdoc: $(srcdir)/visudo.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=$@) -sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in - $(SHELL) config.status --file=$@ +$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + $(SED) -f varsub $(srcdir)/visudo.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ + fi -@DEV@$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.man.in -@DEV@ sed -f varsub $(srcdir)/sudoers.ldap.man.in | $(NROFF) -man > $@ +visudo.cat: $(srcdir)/visudo.cat + +$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ + mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in\n' >> $@; \ + $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.mdoc.in >> $@; \ + $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ + fi + +sudoers.man.sed: $(srcdir)/fixman.sh + LCMAN=@LCMAN@ SEMAN=@SEMAN@ $(SHELL) $(srcdir)/fixman.sh $@ + +sudoers.man: $(srcdir)/sudoers.man.in sudoers.man.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@ + +sudoers.mdoc.sed: $(srcdir)/fixmdoc.sh + LCMAN=@LCMAN@ SEMAN=@SEMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@ + +sudoers.mdoc: $(srcdir)/sudoers.mdoc.in sudoers.mdoc.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@ + +$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + $(SED) -f varsub $(srcdir)/sudoers.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ + fi + +sudoers.cat: $(srcdir)/sudoers.cat + +$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ + mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in\n' >> $@; \ + $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.ldap.mdoc.in >> $@; \ + $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ + fi + +sudoers.ldap.man.sed: $(srcdir)/fixman.sh + $(SHELL) $(srcdir)/fixman.sh $@ -@DEV@$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod -@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoreplay.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoreplay.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ +sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in sudoers.ldap.man.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@ -sudoreplay.man: $(srcdir)/sudoreplay.man.in - $(SHELL) config.status --file=$@ +sudoers.ldap.mdoc: $(srcdir)/sudoers.ldap.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=$@) + +$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + $(SED) -f varsub $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ + fi + +sudoers.ldap.cat: $(srcdir)/sudoers.ldap.cat + +$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ + mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ + printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \ + printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in\n' >> $@; \ + $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoreplay.mdoc.in >> $@; \ + $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \ + fi + +sudoreplay.man.sed: $(srcdir)/fixman.sh + $(SHELL) $(srcdir)/fixman.sh $@ + +sudoreplay.man: $(srcdir)/sudoreplay.man.in sudoreplay.man.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@ + +sudoreplay.mdoc: $(srcdir)/sudoreplay.mdoc.in + (cd $(top_builddir) && $(SHELL) config.status --file=$@) + +$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.mdoc.in + @if [ -n "$(DEVEL)" ]; then \ + echo "Generating $@"; \ + $(SED) -f varsub $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ + fi -@DEV@$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.man.in -@DEV@ sed -f varsub $(srcdir)/sudoreplay.man.in | $(NROFF) -man > $@ +sudoreplay.cat: $(srcdir)/sudoreplay.cat sudoers: $(srcdir)/sudoers.in - (cd $(top_builddir) && $(SHELL) config.status --file=plugins/sudoers/$@) + (cd $(top_builddir) && $(SHELL) config.status --file=$@) # The 1.7 branch started Jan 18, 2010 ChangeLog: diff --git a/configure b/configure index dd2edbe39..998b7031b 100755 --- a/configure +++ b/configure @@ -619,6 +619,7 @@ FLEX YFLAGS YACC NROFFPROG +MANDOCPROG TRPROG UNAMEPROG OTOOL64 @@ -713,7 +714,7 @@ devdir SEMAN LCMAN BAMAN -DEV +DEVEL SUDOERS_GID SUDOERS_UID SUDOERS_MODE @@ -854,6 +855,8 @@ with_stow with_askpass with_libvas with_libvas_rpath +with_man +with_mdoc enable_authentication enable_root_mailer enable_setreuid @@ -1637,6 +1640,8 @@ Optional Packages: (default=libvas.so) --with-libvas-rpath=PATH Path to look for libvas in [default=/opt/quest/lib] + --with-man manual pages use man macros + --with-mdoc manual pages use mdoc macros --with-selinux enable SELinux support --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use both] @@ -2910,13 +2915,13 @@ secure_path="not set" INSTALL_NOEXEC= devdir='$(srcdir)' PROGS="sudo visudo" -: ${MANTYPE='man'} +: ${MANDIRTYPE='man'} : ${mansrcdir='.'} : ${SHLIB_MODE='0644'} : ${SUDOERS_MODE='0440'} : ${SUDOERS_UID='0'} : ${SUDOERS_GID='0'} -DEV="#" +DEVEL= LDAP="#" REPLAY="#" BAMAN=0 @@ -2972,7 +2977,7 @@ if test "${with_devel+set}" = set; then : $as_echo "$as_me: Setting up for development: -Wall, flex, yacc" >&6;} PROGS="${PROGS} testsudoers" OSDEFS="${OSDEFS} -DSUDO_DEVEL" - DEV="" + DEVEL="true" devdir=. ;; no) ;; @@ -5238,6 +5243,34 @@ fi +# Check whether --with-man was given. +if test "${with_man+set}" = set; then : + withval=$with_man; case $with_man in + yes) MANTYPE=man + ;; + no) as_fn_error $? "\"--without-man not supported.\"" "$LINENO" 5 + ;; + *) as_fn_error $? "\"ignoring unknown argument to --with-man: $with_man.\"" "$LINENO" 5 + ;; +esac +fi + + + +# Check whether --with-mdoc was given. +if test "${with_mdoc+set}" = set; then : + withval=$with_mdoc; case $with_mdoc in + yes) MANTYPE=mdoc + ;; + no) as_fn_error $? "\"--without-mdoc not supported.\"" "$LINENO" 5 + ;; + *) as_fn_error $? "\"ignoring unknown argument to --with-mdoc: $with_mdoc.\"" "$LINENO" 5 + ;; +esac +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to do user authentication by default" >&5 $as_echo_n "checking whether to do user authentication by default... " >&6; } # Check whether --enable-authentication was given. @@ -13574,20 +13607,22 @@ NOEXECDIR="`echo $with_noexec|sed -e 's:^${\([^}]*\)}:$(\1):' -e 's:^\(.*\)/[^/] set dummy uname; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_UNAMEPROG+:} false; then : +if ${ac_cv_path_UNAMEPROG+:} false; then : $as_echo_n "(cached) " >&6 else - if test -n "$UNAMEPROG"; then - ac_cv_prog_UNAMEPROG="$UNAMEPROG" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR + case $UNAMEPROG in + [\\/]* | ?:[\\/]*) + ac_cv_path_UNAMEPROG="$UNAMEPROG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_UNAMEPROG="uname" + ac_cv_path_UNAMEPROG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi @@ -13595,9 +13630,11 @@ done done IFS=$as_save_IFS + test -z "$ac_cv_path_UNAMEPROG" && ac_cv_path_UNAMEPROG="uname" + ;; +esac fi -fi -UNAMEPROG=$ac_cv_prog_UNAMEPROG +UNAMEPROG=$ac_cv_path_UNAMEPROG if test -n "$UNAMEPROG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $UNAMEPROG" >&5 $as_echo "$UNAMEPROG" >&6; } @@ -13611,20 +13648,22 @@ fi set dummy tr; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_TRPROG+:} false; then : +if ${ac_cv_path_TRPROG+:} false; then : $as_echo_n "(cached) " >&6 else - if test -n "$TRPROG"; then - ac_cv_prog_TRPROG="$TRPROG" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR + case $TRPROG in + [\\/]* | ?:[\\/]*) + ac_cv_path_TRPROG="$TRPROG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_TRPROG="tr" + ac_cv_path_TRPROG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi @@ -13632,9 +13671,11 @@ done done IFS=$as_save_IFS + test -z "$ac_cv_path_TRPROG" && ac_cv_path_TRPROG="tr" + ;; +esac fi -fi -TRPROG=$ac_cv_prog_TRPROG +TRPROG=$ac_cv_path_TRPROG if test -n "$TRPROG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $TRPROG" >&5 $as_echo "$TRPROG" >&6; } @@ -13644,26 +13685,26 @@ $as_echo "no" >&6; } fi -for ac_prog in nroff mandoc -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 +# Extract the first word of "mandoc", so it can be a program name with args. +set dummy mandoc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_NROFFPROG+:} false; then : +if ${ac_cv_path_MANDOCPROG+:} false; then : $as_echo_n "(cached) " >&6 else - if test -n "$NROFFPROG"; then - ac_cv_prog_NROFFPROG="$NROFFPROG" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR + case $MANDOCPROG in + [\\/]* | ?:[\\/]*) + ac_cv_path_MANDOCPROG="$MANDOCPROG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_prog_NROFFPROG="$ac_prog" + ac_cv_path_MANDOCPROG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi @@ -13671,59 +13712,92 @@ done done IFS=$as_save_IFS + test -z "$ac_cv_path_MANDOCPROG" && ac_cv_path_MANDOCPROG="mandoc" + ;; +esac fi -fi -NROFFPROG=$ac_cv_prog_NROFFPROG -if test -n "$NROFFPROG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NROFFPROG" >&5 -$as_echo "$NROFFPROG" >&6; } +MANDOCPROG=$ac_cv_path_MANDOCPROG +if test -n "$MANDOCPROG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANDOCPROG" >&5 +$as_echo "$MANDOCPROG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi - test -n "$NROFFPROG" && break +if test "$MANDOCPROG" != "mandoc"; then + : ${MANTYPE='mdoc'} +else + # Extract the first word of "nroff", so it can be a program name with args. +set dummy nroff; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_NROFFPROG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $NROFFPROG in + [\\/]* | ?:[\\/]*) + ac_cv_path_NROFFPROG="$NROFFPROG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_path_NROFFPROG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi done + done +IFS=$as_save_IFS + ;; +esac +fi +NROFFPROG=$ac_cv_path_NROFFPROG if test -n "$NROFFPROG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -c option" >&5 -$as_echo_n "checking whether $NROFFPROG supports the -c option... " >&6; } -if ${sudo_cv_var_nroff_opt_c+:} false; then : - $as_echo_n "(cached) " >&6 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NROFFPROG" >&5 +$as_echo "$NROFFPROG" >&6; } else - if $NROFFPROG -c /dev/null 2>&1; then - sudo_cv_var_nroff_opt_c=yes - else - sudo_cv_var_nroff_opt_c=no - fi - + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_c" >&5 -$as_echo "$sudo_cv_var_nroff_opt_c" >&6; } - if test "$sudo_cv_var_nroff_opt_c" = "yes"; then - NROFFPROG="$NROFFPROG -c" - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -Tascii option" >&5 -$as_echo_n "checking whether $NROFFPROG supports the -Tascii option... " >&6; } -if ${sudo_cv_var_nroff_opt_Tascii+:} false; then : + + + if test -n "$NROFFPROG"; then + test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking which macro set to use for manual pages" >&5 +$as_echo_n "checking which macro set to use for manual pages... " >&6; } +if ${sudo_cv_var_mantype+:} false; then : $as_echo_n "(cached) " >&6 else - if $NROFFPROG -Tascii /dev/null 2>&1; then - sudo_cv_var_nroff_opt_Tascii=yes - else - sudo_cv_var_nroff_opt_Tascii=no - fi - if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then - NROFFPROG="$NROFFPROG -Tascii" - fi + + sudo_cv_var_mantype="man" + echo ".Sh NAME" > conftest + echo ".Nm sudo" >> conftest + echo ".Nd sudo" >> conftest + echo ".Sh DESCRIPTION" >> conftest + echo "sudo" >> conftest + if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then + sudo_cv_var_mantype="mdoc" + fi + rm -f conftest + fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_Tascii" >&5 -$as_echo "$sudo_cv_var_nroff_opt_Tascii" >&6; } -else - MANTYPE="cat" - mansrcdir='$(srcdir)' +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_mantype" >&5 +$as_echo "$sudo_cv_var_mantype" >&6; } + MANTYPE="$sudo_cv_var_mantype" + else + MANTYPE=cat + MANDIRTYPE=cat + mansrcdir='$(srcdir)' + fi fi if test -n "$sudo_cv_prev_host"; then @@ -20151,7 +20225,7 @@ test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale' test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' -ac_config_files="$ac_config_files Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudoreplay.man sudo_usage.h sudoers" +ac_config_files="$ac_config_files Makefile sudo_usage.h sudoers" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -21145,11 +21219,6 @@ do "zlib/zconf.h") CONFIG_HEADERS="$CONFIG_HEADERS zlib/zconf.h" ;; "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; - "sudo.man") CONFIG_FILES="$CONFIG_FILES sudo.man" ;; - "visudo.man") CONFIG_FILES="$CONFIG_FILES visudo.man" ;; - "sudoers.man") CONFIG_FILES="$CONFIG_FILES sudoers.man" ;; - "sudoers.ldap.man") CONFIG_FILES="$CONFIG_FILES sudoers.ldap.man" ;; - "sudoreplay.man") CONFIG_FILES="$CONFIG_FILES sudoreplay.man" ;; "sudo_usage.h") CONFIG_FILES="$CONFIG_FILES sudo_usage.h" ;; "sudoers") CONFIG_FILES="$CONFIG_FILES sudoers" ;; diff --git a/configure.in b/configure.in index b59ad30a8..07d9e6784 100644 --- a/configure.in +++ b/configure.in @@ -36,7 +36,7 @@ AC_SUBST([SHLIB_MODE]) AC_SUBST([SUDOERS_MODE]) AC_SUBST([SUDOERS_UID]) AC_SUBST([SUDOERS_GID]) -AC_SUBST([DEV]) +AC_SUBST([DEVEL]) AC_SUBST([BAMAN]) AC_SUBST([LCMAN]) AC_SUBST([SEMAN]) @@ -146,13 +146,13 @@ dnl INSTALL_NOEXEC= devdir='$(srcdir)' PROGS="sudo visudo" -: ${MANTYPE='man'} +: ${MANDIRTYPE='man'} : ${mansrcdir='.'} : ${SHLIB_MODE='0644'} : ${SUDOERS_MODE='0440'} : ${SUDOERS_UID='0'} : ${SUDOERS_GID='0'} -DEV="#" +DEVEL= LDAP="#" REPLAY="#" BAMAN=0 @@ -204,7 +204,7 @@ AC_ARG_WITH(devel, [AS_HELP_STRING([--with-devel], [add development options])], yes) AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc]) PROGS="${PROGS} testsudoers" OSDEFS="${OSDEFS} -DSUDO_DEVEL" - DEV="" + DEVEL="true" devdir=. ;; no) ;; @@ -1106,6 +1106,26 @@ if test X"$with_libvas" != X"no"; then fi ]) +AC_ARG_WITH(man, [AS_HELP_STRING([--with-man], [manual pages use man macros])], +[case $with_man in + yes) MANTYPE=man + ;; + no) AC_MSG_ERROR(["--without-man not supported."]) + ;; + *) AC_MSG_ERROR(["ignoring unknown argument to --with-man: $with_man."]) + ;; +esac]) + +AC_ARG_WITH(mdoc, [AS_HELP_STRING([--with-mdoc], [manual pages use mdoc macros])], +[case $with_mdoc in + yes) MANTYPE=mdoc + ;; + no) AC_MSG_ERROR(["--without-mdoc not supported."]) + ;; + *) AC_MSG_ERROR(["ignoring unknown argument to --with-mdoc: $with_mdoc."]) + ;; +esac]) + dnl dnl Options for --enable dnl @@ -1389,35 +1409,36 @@ NOEXECDIR="`echo $with_noexec|sed -e 's:^${\([[^}]]*\)}:$(\1):' -e 's:^\(.*\)/[[ dnl dnl Find programs we use dnl -AC_CHECK_PROG(UNAMEPROG, [uname], [uname]) -AC_CHECK_PROG(TRPROG, [tr], [tr]) -AC_CHECK_PROGS(NROFFPROG, [nroff mandoc]) -if test -n "$NROFFPROG"; then - AC_CACHE_CHECK([whether $NROFFPROG supports the -c option], - [sudo_cv_var_nroff_opt_c], - [if $NROFFPROG -c /dev/null 2>&1; then - sudo_cv_var_nroff_opt_c=yes - else - sudo_cv_var_nroff_opt_c=no - fi] - ) - if test "$sudo_cv_var_nroff_opt_c" = "yes"; then - NROFFPROG="$NROFFPROG -c" - fi - AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option], - [sudo_cv_var_nroff_opt_Tascii], - [if $NROFFPROG -Tascii /dev/null 2>&1; then - sudo_cv_var_nroff_opt_Tascii=yes - else - sudo_cv_var_nroff_opt_Tascii=no - fi] - if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then - NROFFPROG="$NROFFPROG -Tascii" - fi - ) +AC_PATH_PROG(UNAMEPROG, [uname], [uname]) +AC_PATH_PROG(TRPROG, [tr], [tr]) +AC_PATH_PROG(MANDOCPROG, [mandoc], [mandoc]) +if test "$MANDOCPROG" != "mandoc"; then + : ${MANTYPE='mdoc'} else - MANTYPE="cat" - mansrcdir='$(srcdir)' + AC_PATH_PROG(NROFFPROG, [nroff]) + if test -n "$NROFFPROG"; then + test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE" + AC_CACHE_CHECK([which macro set to use for manual pages], + [sudo_cv_var_mantype], + [ + sudo_cv_var_mantype="man" + echo ".Sh NAME" > conftest + echo ".Nm sudo" >> conftest + echo ".Nd sudo" >> conftest + echo ".Sh DESCRIPTION" >> conftest + echo "sudo" >> conftest + if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then + sudo_cv_var_mantype="mdoc" + fi + rm -f conftest + ] + ) + MANTYPE="$sudo_cv_var_mantype" + else + MANTYPE=cat + MANDIRTYPE=cat + mansrcdir='$(srcdir)' + fi fi dnl @@ -3131,9 +3152,9 @@ test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc' dnl -dnl Substitute into the Makefile and man pages +dnl Substitute into the Makefile, sudo_usage.h and example sudoers dnl -AC_CONFIG_FILES([Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudoreplay.man sudo_usage.h sudoers]) +AC_CONFIG_FILES([Makefile sudo_usage.h sudoers]) AC_OUTPUT dnl diff --git a/fixman.sh b/fixman.sh new file mode 100755 index 000000000..cfbfb930f --- /dev/null +++ b/fixman.sh @@ -0,0 +1,86 @@ +#!/bin/sh + +OUTFILE="$1" +rm -f "$OUTFILE" +> "$OUTFILE" + +# HP-UX friendly header/footer for all man pages +if [ X"`uname 2>&1`" = X"HP-UX" ]; then + cat >>"$OUTFILE" <<-'EOF' + s/^\.TH \("[^"]*"\) \("[^"]*"\) "\([^"]*\)" "\([^"]*\)" \("[^"]*"\)/.TH \1 \2\ + .ds )H \4\ + .ds ]W \3/ +EOF +fi + +# Page specific hacks +case "$OUTFILE" in + sudo.man.sed) + # Replace "0 minutes" with "unlimited" + cat >>"$OUTFILE" <<-'EOF' + /^\\fR0\\fR$/ { + N + s/^\\fR0\\fR\ + minutes\.$/unlimited./ + } + EOF + + # BSD auth + if [ X"$BAMAN" != X"1" ]; then + cat >>"$OUTFILE" <<-'EOF' + /^\[\\fB\\-a\\fR\\ \\fIauth_type\\fR/d + /^\\fB\\-a\\fR \\fItype\\fR$/,/^\.TP 12n$/ { + /^\.PD$/!d + } + EOF + fi + + # BSD login class + if [ X"$LCMAN" != X"1" ]; then + cat >>"$OUTFILE" <<-'EOF' + /^\[\\fB\\-c\\fR\\ \\fIclass\\fR/d + /^\\fB\\-c\\fR \\fIclass\\fR$/,/^\.TP 12n$/ { + /^\.PD$/!d + } + EOF + fi + + # SELinux + if [ X"$SEMAN" != X"1" ]; then + cat >>"$OUTFILE" <<-'EOF' + /^\[\\fB\\-[rt]\\fR\\ \\fI[rt][oy][lp]e\\fR/d + /^\\fB\\-[rt]\\fR \\fI[rt][oy][lp]e\\fR$/,/^\.TP 12n$/ { + /^\.PD$/!d + } + EOF + fi + ;; + sudoers.man.sed) + # BSD login class + if [ X"$LCMAN" != X"1" ]; then + cat >>"$OUTFILE" <<-EOF + /^On BSD systems/,/\.$/ { + d + } + /^use_loginclass$/,/^\.TP 18n$/ { + /^\.PD$/!d + } + EOF + fi + + # SELinux + if [ X"$SEMAN" != X"1" ]; then + cat >>"$OUTFILE" <<-EOF + s/SELinux_Spec? // + /^SELinux_Spec ::=/ { + N + d + } + /^\.SS "SELinux_Spec"/,/^\.SS/{;/^\.SS "[^S][^E][^L]/!d;}; + /^[rt][oy][lp]e$/,/^\.TP 18n$/ { + /^\.PD$/!d + } + EOF + fi + ;; +esac diff --git a/fixmdoc.sh b/fixmdoc.sh new file mode 100755 index 000000000..cf730140e --- /dev/null +++ b/fixmdoc.sh @@ -0,0 +1,93 @@ +#!/bin/sh + +OUTFILE="$1" +rm -f "$OUTFILE" +> "$OUTFILE" + +# Page specific hacks +case "$OUTFILE" in + sudo.mdoc.sed) + # Replace "0 minutes" with "unlimited" + cat >>"$OUTFILE" <<-'EOF' + /^\.Li 0$/ { + N + s/^\.Li 0\nminutes\.$/unlimited./ + } + EOF + + # BSD auth + BA_FLAG= + if [ X"$BAMAN" != X"1" ]; then + BA_FLAG='/^.*\n\.Op Fl a Ar auth_type/{;N;/^.*\n\.Ek$/d;};' + cat >>"$OUTFILE" <<-'EOF' + /^\.It Fl a Ar type/,/BSD authentication\.$/ { + d + } + EOF + fi + + # BSD login class + LC_FLAG= + if [ X"$LCMAN" != X"1" ]; then + LC_FLAG='/^.*\n\.Op Fl c Ar class/{;N;/^.*\n\.Ek$/d;};' + cat >>"$OUTFILE" <<-'EOF' + /^\.It Fl c Ar class/,/BSD login classes\.$/ { + d + } + /^\.Xr login_cap 3 ,$/d + EOF + fi + + # SELinux + SE_FLAG= + if [ X"$SEMAN" != X"1" ]; then + SE_FLAG='/^.*\n\.Op Fl r Ar role/{;N;/^.*\n\.Ek$/d;};/^.*\n\.Op Fl t Ar type/{;N;/^.*\n\.Ek$/d;};' + cat >>"$OUTFILE" <<-'EOF' + /^\.It Fl r Ar role/,/newline character\.$/ { + d + } + /^\.It Fl t Ar type/,/specified role\.$/ { + d + } + EOF + fi + + # Unsupported flags must be removed together + if [ -n "$BA_FLAG$LC_FLAG$SE_FLAG" ]; then + cat >>"$OUTFILE" <<-EOF + /^\.Bk -words\$/ { + N + $BA_FLAG$LC_FLAG$SE_FLAG + } + EOF + fi + ;; + sudoers.mdoc.sed) + # BSD login class + if [ X"$LCMAN" != X"1" ]; then + cat >>"$OUTFILE" <<-'EOF' + /^On BSD systems/,/\.$/ { + d + } + /^\.It use_loginclass$/,/^\.It/ { + /^\.It [^u][^s][^e][^_][^l]/!d + } + EOF + fi + + # SELinux + if [ X"$SEMAN" != X"1" ]; then + cat >>"$OUTFILE" <<-'EOF' + s/SELinux_Spec? // + /^SELinux_Spec ::=/ { + N + d + } + /^\.Ss SELinux_Spec/,/^\.Ss/{;/^\.Ss [^S][^E][^L]/!d;}; + /^\.It [rt][oy][lp]e$/,/^\.It/ { + /^\.It [^rt][^oy][^lp][^e]$/!d + } + EOF + fi + ;; +esac diff --git a/sudo.cat b/sudo.cat index fb035a786..1712ed0b9 100644 --- a/sudo.cat +++ b/sudo.cat @@ -1,554 +1,750 @@ -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - +SUDO(1m) System Manager's Manual SUDO(1m) NNAAMMEE - sudo, sudoedit - execute a command as another user + ssuuddoo, ssuuddooeeddiitt - execute a command as another user SSYYNNOOPPSSIISS - ssuuddoo --hh | --KK | --kk | --LL | --VV - - ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] - [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] - - ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] - [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] - - ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] - [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d] - - ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ... + ssuuddoo --hh | --KK | --kk | --LL | --VV + ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] + [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] + ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] + [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d] + ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] + [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] + [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [VVAARR=_v_a_l_u_e] --ii | --ss [_c_o_m_m_a_n_d] + ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] + [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] file + ... DDEESSCCRRIIPPTTIIOONN - ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or - another user, as specified in the _s_u_d_o_e_r_s file. The real and effective - uid and gid are set to match those of the target user as specified in - the passwd file and the group vector is initialized based on the group - file (unless the --PP option was specified). If the invoking user is - root or if the target user is the same as the invoking user, no - password is required. Otherwise, ssuuddoo requires that users authenticate - themselves with a password by default (NOTE: in the default - configuration this is the user's password, not the root password). - Once a user has been authenticated, a time stamp is updated and the - user may then use sudo without a password for a short period of time (5 - minutes unless overridden in _s_u_d_o_e_r_s). - - When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. - - ssuuddoo determines who is an authorized user by consulting the file - _/_e_t_c_/_s_u_d_o_e_r_s. By running ssuuddoo with the --vv option, a user can update - the time stamp without running a _c_o_m_m_a_n_d. If a password is required, - ssuuddoo will exit if the user's password is not entered within a - configurable time limit. The default password prompt timeout is 5 - minutes. - - If a user who is not listed in the _s_u_d_o_e_r_s file tries to run a command - via ssuuddoo, mail is sent to the proper authorities, as defined at - configure time or in the _s_u_d_o_e_r_s file (defaults to root). Note that - the mail will not be sent if an unauthorized user tries to run sudo - with the --ll or --vv option. This allows users to determine for - themselves whether or not they are allowed to use ssuuddoo. - - If ssuuddoo is run by root and the SUDO_USER environment variable is set, - ssuuddoo will use this value to determine who the actual user is. This can - be used by a user to log commands through sudo even when a root shell - has been invoked. It also allows the --ee option to remain useful even - when being run via a sudo-run script or program. Note however, that - the sudoers lookup is still done for root, not the user specified by - SUDO_USER. - - ssuuddoo can log both successful and unsuccessful attempts (as well as - errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log - via _s_y_s_l_o_g(3) but this is changeable at configure time or via the - _s_u_d_o_e_r_s file. - -OOPPTTIIOONNSS - ssuuddoo accepts the following command line options: - - -A Normally, if ssuuddoo requires a password, it will read it from - the current terminal. If the --AA (_a_s_k_p_a_s_s) option is - specified, a (possibly graphical) helper program is - executed to read the user's password and output the - password to the standard output. If the SUDO_ASKPASS - environment variable is set, it specifies the path to the - helper program. Otherwise, the value specified by the - _a_s_k_p_a_s_s option in _s_u_d_o_e_r_s(4) is used. - - -a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the - specified authentication type when validating the user, as - allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may - specify a list of sudo-specific authentication methods by - adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This - option is only available on systems that support BSD - authentication. - - -b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given - command in the background. Note that if you use the --bb - option you cannot use shell job control to manipulate the - process. - - -C _f_d Normally, ssuuddoo will close all open file descriptors other - than standard input, standard output and standard error. - The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a - starting point above the standard error (file descriptor - three). Values less than three are not permitted. This - option is only available if the administrator has enabled - the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(4). - - -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified - command with resources limited by the specified login - class. The _c_l_a_s_s argument can be either a class name as - defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. - Specifying a _c_l_a_s_s of - indicates that the command should - be run restricted by the default login capabilities for the - user the command is run as. If the _c_l_a_s_s argument - specifies an existing user class, the command must be run - as root, or the ssuuddoo command must be run from a shell that - is already root. This option is only available on systems - with BSD login classes. - - -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the - _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when - either the matching command has the SETENV tag or the - _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). - - -e The --ee (_e_d_i_t) option indicates that, instead of running a - command, the user wishes to edit one or more files. In - lieu of a command, the string "sudoedit" is used when - consulting the _s_u_d_o_e_r_s file. If the user is authorized by - _s_u_d_o_e_r_s the following steps are taken: - - 1. Temporary copies are made of the files to be edited + ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or + another user, as specified by the _s_u_d_o_e_r_s file. The real and effective + uid and gid are set to match those of the target user, as specified in + the password database, and the group vector is initialized based on the + group database (unless the --PP option was specified). See the _C_o_m_m_a_n_d + _E_n_v_i_r_o_n_m_e_n_t section below for more details. + + ssuuddoo determines who is an authorized user by consulting the file + _/_e_t_c_/_s_u_d_o_e_r_s. By running ssuuddoo with the --vv option, a user can update the + time stamp without running a _c_o_m_m_a_n_d. If authentication is required, + ssuuddoo will exit if the user's password is not entered within a + configurable time limit. The default password prompt timeout is 5 + minutes. + + When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. + + The options are as follows: + + --AA Normally, if ssuuddoo requires a password, it will read it from + the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is + specified, a (possibly graphical) helper program is executed + to read the user's password and output the password to the + standard output. If the SUDO_ASKPASS environment variable is + set, it specifies the path to the helper program. Otherwise, + the value specified by the _a_s_k_p_a_s_s option in sudoers(4) is + used. If no askpass program is available, ssuuddoo will exit + with an error. + + --aa _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the + specified authentication type when validating the user, as + allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may + specify a list of sudo-specific authentication methods by + adding an ``auth-sudo'' entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This + option is only available on systems that support BSD + authentication. + + --bb The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given + command in the background. Note that if you use the --bb + option you cannot use shell job control to manipulate the + process. Most interactive commands will fail to work + properly in background mode. + + --CC _f_d Normally, ssuuddoo will close all open file descriptors other + than standard input, standard output and standard error. The + --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting + point above the standard error (file descriptor three). + Values less than three are not permitted. This option is + only available when the administrator has enabled the + _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in sudoers(4). + + --cc _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified + command with resources limited by the specified login class. + The _c_l_a_s_s argument can be either a class name as defined in + _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single `-' character. Specifying a + _c_l_a_s_s of - indicates that the command should be run + restricted by the default login capabilities for the user the + command is run as. If the _c_l_a_s_s argument specifies an + existing user class, the command must be run as root, or the + ssuuddoo command must be run from a shell that is already root. + This option is only available on systems with BSD login + classes. + + --EE The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the + _e_n_v___r_e_s_e_t option in sudoers(4). It is only available when + either the matching command has the SETENV tag or the _s_e_t_e_n_v + option is set in sudoers(4). ssuuddoo will return an error if + the --EE option is specified and the user does not have + permission to preserve the environment. + + --ee The --ee (_e_d_i_t) option indicates that, instead of running a + command, the user wishes to edit one or more files. In lieu + of a command, the string "sudoedit" is used when consulting + the _s_u_d_o_e_r_s file. If the user is authorized by _s_u_d_o_e_r_s, the + following steps are taken: + + 1. Temporary copies are made of the files to be edited with the owner set to the invoking user. - 2. The editor specified by the SUDO_EDITOR, VISUAL or - EDITOR environment variables is run to edit the - temporary files. If none of SUDO_EDITOR, VISUAL or - EDITOR are set, the first program listed in the _e_d_i_t_o_r - _s_u_d_o_e_r_s variable is used. + 2. The editor specified by the SUDO_EDITOR, VISUAL or + EDITOR environment variables (in that order) is run to + edit the temporary files. If none of SUDO_EDITOR, + VISUAL or EDITOR are set, the first program listed in + the _e_d_i_t_o_r sudoers(4) option is used. - 3. If they have been modified, the temporary files are + 3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. - If the specified file does not exist, it will be created. - Note that unlike most commands run by ssuuddoo, the editor is - run with the invoking user's environment unmodified. If, - for some reason, ssuuddoo is unable to update a file with its - edited version, the user will receive a warning and the - edited copy will remain in a temporary file. - - -g _g_r_o_u_p Normally, ssuuddoo sets the primary group to the one specified - by the passwd database for the user the command is being - run as (by default, root). The --gg (_g_r_o_u_p) option causes - ssuuddoo to run the specified command with the primary group - set to _g_r_o_u_p. To specify a _g_i_d instead of a _g_r_o_u_p _n_a_m_e, - use _#_g_i_d. When running commands as a _g_i_d, many shells - require that the '#' be escaped with a backslash ('\'). If - no --uu option is specified, the command will be run as the - invoking user (not root). In either case, the primary - group will be set to _g_r_o_u_p. - - -H The --HH (_H_O_M_E) option sets the HOME environment variable to - the homedir of the target user (root by default) as - specified in _p_a_s_s_w_d(4). The default handling of the HOME - environment variable depends on _s_u_d_o_e_r_s(4) settings. By - default, ssuuddoo will set HOME if _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e - are set, or if _s_e_t___h_o_m_e is set and the --ss option is - specified on the command line. - - -h The --hh (_h_e_l_p) option causes ssuuddoo to print a short help - message to the standard output and exit. - - -i [command] - The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell - specified in the _p_a_s_s_w_d(4) entry of the target user as a - login shell. This means that login-specific resource files - such as .profile or .login will be read by the shell. If a - command is specified, it is passed to the shell for - execution. Otherwise, an interactive shell is executed. - ssuuddoo attempts to change to that user's home directory - before running the shell. It also initializes the - environment, leaving _D_I_S_P_L_A_Y and _T_E_R_M unchanged, setting - _H_O_M_E, _M_A_I_L, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and _P_A_T_H, as well as the - contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t on Linux and AIX systems. All - other environment variables are removed. - - -K The --KK (sure _k_i_l_l) option is like --kk except that it removes - the user's time stamp entirely and may not be used in - conjunction with a command or other option. This option - does not require a password. - - -k When used by itself, the --kk (_k_i_l_l) option to ssuuddoo - invalidates the user's time stamp by setting the time on it - to the Epoch. The next time ssuuddoo is run a password will be - required. This option does not require a password and was - added to allow a user to revoke ssuuddoo permissions from a - .logout file. - - When used in conjunction with a command or an option that - may require a password, the --kk option will cause ssuuddoo to - ignore the user's time stamp file. As a result, ssuuddoo will - prompt for a password (if one is required by _s_u_d_o_e_r_s) and - will not update the user's time stamp file. - - -L The --LL (_l_i_s_t defaults) option will list the parameters that - may be set in a _D_e_f_a_u_l_t_s line along with a short - description for each. This option will be removed from a - future version of ssuuddoo. - - -l[l] [_c_o_m_m_a_n_d] - If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list - the allowed (and forbidden) commands for the invoking user - (or the user specified by the --UU option) on the current - host. If a _c_o_m_m_a_n_d is specified and is permitted by - _s_u_d_o_e_r_s, the fully-qualified path to the command is - displayed along with any command line arguments. If - _c_o_m_m_a_n_d is specified but not allowed, ssuuddoo will exit with a - status value of 1. If the --ll option is specified with an ll - argument (i.e. --llll), or if --ll is specified multiple times, - a longer list format is used. - - -n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from - prompting the user for a password. If a password is - required for the command to run, ssuuddoo will display an error - message and exit. - - -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to - preserve the invoking user's group vector unaltered. By - default, ssuuddoo will initialize the group vector to the list - of groups the target user is in. The real and effective - group IDs, however, are still set to match the target user. - - -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default - password prompt and use a custom one. The following - percent (`%') escapes are supported: - - %H expanded to the local host name including the domain - name (on if the machine's host name is fully qualified - or the _f_q_d_n _s_u_d_o_e_r_s option is set) - - %h expanded to the local host name without the domain name - - %p expanded to the user whose password is being asked for - (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in - _s_u_d_o_e_r_s) - - %U expanded to the login name of the user the command will - be run as (defaults to root) - - %u expanded to the invoking user's login name - - %% two consecutive % characters are collapsed into a - single % character - - The prompt specified by the --pp option will override the - system password prompt on systems that support PAM unless - the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. - - -r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security - context to have the role specified by _r_o_l_e. - - -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from - the standard input instead of the terminal device. The - password must be followed by a newline character. - - -s [command] - The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L - environment variable if it is set or the shell as specified - in _p_a_s_s_w_d(4). If a command is specified, it is passed to - the shell for execution. Otherwise, an interactive shell - is executed. - - -t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security - context to have the type specified by _t_y_p_e. If no type is - specified, the default type is derived from the specified - role. - - -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the - --ll option to specify the user whose privileges should be - listed. Only root or a user with ssuuddoo ALL on the current - host may use this option. - - -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified - command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as - a _u_i_d, many shells require that the '#' be escaped with a - backslash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option - is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands - with a uid not listed in the password database. - - -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version - number and exit. If the invoking user is already root the - --VV option will print out a list of the defaults ssuuddoo was - compiled with as well as the machine's local network - addresses. - - -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the - user's time stamp, prompting for the user's password if - necessary. This extends the ssuuddoo timeout for another 5 - minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but - does not run a command. - - -- The ---- option indicates that ssuuddoo should stop processing - command line arguments. - - Environment variables to be set for the command may also be passed on - the command line in the form of VVAARR=_v_a_l_u_e, e.g. - LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command - line are subject to the same restrictions as normal environment - variables with one important exception. If the _s_e_t_e_n_v option is set in - _s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command - matched is ALL, the user may set variables that would overwise be - forbidden. See _s_u_d_o_e_r_s(4) for more information. + If the specified file does not exist, it will be created. + Note that unlike most commands run by _s_u_d_o, the editor is run + with the invoking user's environment unmodified. If, for + some reason, ssuuddoo is unable to update a file with its edited + version, the user will receive a warning and the edited copy + will remain in a temporary file. + + --gg _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to + the one specified by the password database for the user the + command is being run as (by default, root). The --gg (_g_r_o_u_p) + option causes ssuuddoo to run the command with the primary group + set to _g_r_o_u_p instead. To specify a _g_i_d instead of a _g_r_o_u_p + _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many shells + require that the `#' be escaped with a backslash (`\'). If + no --uu option is specified, the command will be run as the + invoking user (not root). In either case, the primary group + will be set to _g_r_o_u_p. + + --HH The --HH (_H_O_M_E) option option sets the HOME environment + variable to the home directory of the target user (root by + default) as specified by the password database. The default + handling of the HOME environment variable depends on + sudoers(4) settings. By default, ssuuddoo will set HOME if + _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set, or if _s_e_t___h_o_m_e is set + and the --ss option is specified on the command line. + + --hh The --hh (_h_e_l_p) option causes ssuuddoo to print a short help + message to the standard output and exit. + + --ii [_c_o_m_m_a_n_d] + The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell + specified by the password database entry of the target user + as a login shell. This means that login-specific resource + files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be read by the shell. + If a command is specified, it is passed to the shell for + execution via the shell's --cc option. If no command is + specified, an interactive shell is executed. ssuuddoo attempts + to change to that user's home directory before running the + shell. It also initializes the environment to a minimal set + of variables, similar to what is present when a user logs in. + The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section below documents in detail how + the --ii option affects the environment in which a command is + run. + + --KK The --KK (sure _k_i_l_l) option is like --kk except that it removes + the user's time stamp file entirely and may not be used in + conjunction with a command or other option. This option does + not require a password. + + --kk [_c_o_m_m_a_n_d] + When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates the + user's time stamp file. The next time ssuuddoo is run a password + will be required. This option does not require a password + and was added to allow a user to revoke ssuuddoo permissions from + a _._l_o_g_o_u_t file. + + When used in conjunction with a command or an option that may + require a password, the --kk option will cause ssuuddoo to ignore + the user's time stamp file. As a result, ssuuddoo will prompt + for a password (if one is required by _s_u_d_o_e_r_s) and will not + update the user's time stamp file. + + --LL The --LL (_l_i_s_t defaults) option will list the parameters that + may be set in a _D_e_f_a_u_l_t_s line along with a short description + for each. This option will be removed from a future version + of ssuuddoo. + + --ll[ll] [_c_o_m_m_a_n_d] + If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list + the allowed (and forbidden) commands for the invoking user + (or the user specified by the --UU option) on the current host. + If a _c_o_m_m_a_n_d is specified and is permitted by _s_u_d_o_e_r_s, the + fully-qualified path to the command is displayed along with + any command line arguments. If _c_o_m_m_a_n_d is specified but not + allowed, ssuuddoo will exit with a status value of 1. If the --ll + option is specified with an _l argument (i.e. --llll), or if --ll + is specified multiple times, a longer list format is used. + + --nn The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting + the user for a password. If a password is required for the + command to run, ssuuddoo will display an error message and exit. + + --PP The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve + the invoking user's group vector unaltered. By default, ssuuddoo + will initialize the group vector to the list of groups the + target user is in. The real and effective group IDs, + however, are still set to match the target user. + + --pp _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default + password prompt and use a custom one. The following percent + (`%') escapes are supported: + + %H expanded to the host name including the domain name (on + if the machine's host name is fully qualified or the _f_q_d_n + option is set in sudoers(4)) + + %h expanded to the local host name without the domain name + + %p expanded to the name of the user whose password is being + requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w + flags in sudoers(4)) + + %U expanded to the login name of the user the command will + be run as (defaults to root unless the --uu option is also + specified) + + %u expanded to the invoking user's login name + + %% two consecutive `%' characters are collapsed into a + single `%' character + + The prompt specified by the --pp option will override the + system password prompt on systems that support PAM unless the + _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. + + --rr _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security + context to have the role specified by _r_o_l_e. + + --SS The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from + the standard input instead of the terminal device. The + password must be followed by a newline character. + + --ss [_c_o_m_m_a_n_d] + The --ss (_s_h_e_l_l) option runs the shell specified by the SHELL + environment variable if it is set or the shell as specified + in the password database. If a command is specified, it is + passed to the shell for execution via the shell's --cc option. + If no command is specified, an interactive shell is executed. + + --tt _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security + context to have the type specified by _t_y_p_e. If no type is + specified, the default type is derived from the specified + role. + + --UU _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll + option to specify the user whose privileges should be listed. + Only root or a user with the ALL privilege on the current + host may use this option. + + --uu _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command + as a user other than _r_o_o_t. To specify a _u_i_d instead of a + _u_s_e_r _n_a_m_e, _#_u_i_d. When running commands as a _u_i_d, many shells + require that the `#' be escaped with a backslash (`\'). Note + that if the _t_a_r_g_e_t_p_w Defaults option is set (see sudoers(4)), + it is not possible to run commands with a uid not listed in + the password database. + + --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version + string and exit. If the invoking user is already root the --VV + option will display the arguments passed to configure when + ssuuddoo was built as well a list of the defaults ssuuddoo was + compiled with as well as the machine's local network + addresses. + + --vv When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the + user's time stamp file, authenticating the user's password if + necessary. This extends the ssuuddoo timeout for another 5 + minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but + does not run a command. + + ---- The ---- option indicates that ssuuddoo should stop processing + command line arguments. + + Environment variables to be set for the command may also be passed on the + command line in the form of VVAARR=_v_a_l_u_e, e.g. + LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line + are subject to the same restrictions as normal environment variables with + one important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the + command to be run has the SETENV tag set or the command matched is ALL, + the user may set variables that would otherwise be forbidden. See + sudoers(4) for more information. + + AAuutthheennttiiccaattiioonn aanndd LLooggggiinngg + ssuuddoo requires that most users authenticate themselves by default. A + password is not required if the invoking user is root, if the target user + is the same as the invoking user, or if the authentication has been + disabled for the user or command in the _s_u_d_o_e_r_s file. Unlike su(1), when + ssuuddoo requires authentication, it validates the invoking user's + credentials, not the target user's (or root's) credentials. This can be + changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w Defaults entries in _s_u_d_o_e_r_s. + + If a user who is not listed in _s_u_d_o_e_r_s tries to run a command via ssuuddoo, + mail is sent to the proper authorities. The address used for such mail + is configurable via the _m_a_i_l_t_o _s_u_d_o_e_r_s Defaults entry and defaults to + root. + + Note that mail will not be sent if an unauthorized user tries to run ssuuddoo + with the --ll or --vv option. This allows users to determine for themselves + whether or not they are allowed to use ssuuddoo. + + If ssuuddoo is run by root and the SUDO_USER environment variable is set, its + value will be used to determine who the actual user is. This can be used + by a user to log commands through ssuuddoo even when a root shell has been + invoked. It also allows the --ee option to remain useful even when invoked + via a sudo-run script or program. Note, however, that the _s_u_d_o_e_r_s lookup + is still done for root, not the user specified by SUDO_USER. + + ssuuddoo uses time stamp files for credential caching. Once a user has been + authenticated, the time stamp is updated and the user may then use sudo + without a password for a short period of time (5 minutes unless + overridden by the _t_i_m_e_o_u_t option). By default, ssuuddoo uses a tty-based + time stamp which means that there is a separate time stamp for each of a + user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to force + the use of a single time stamp for all of a user's sessions. + + ssuuddoo can log both successful and unsuccessful attempts (as well as + errors) to syslog(3), a log file, or both. By default, ssuuddoo will log via + syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults + settings. + + ssuuddoo also supports logging a command's input and output streams. I/O + logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t and + _l_o_g___o_u_t_p_u_t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command + tags. + + CCoommmmaanndd EEnnvviirroonnmmeenntt + Since environment variables can influence program behavior, ssuuddoo provides + a means to restrict which variables from the user's environment are + inherited by the command to be run. There are two distinct ways _s_u_d_o_e_r_s + can be configured to handle with environment variables. + + By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be + executed with a new, minimal environment. On AIX (and Linux systems + without PAM), the environment is initialized with the contents of the + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is + enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v + settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM, + PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in + addition to variables from the invoking process permitted by the + _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. This is effectively a whitelist for + environment variables. + + If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not + explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited + from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave + like a blacklist. Since it is not possible to blacklist all potentially + dangerous environment variables, use of the default _e_n_v___r_e_s_e_t behavior is + encouraged. + + In all cases, environment variables with a value beginning with () are + removed as they could be interpreted as bbaasshh functions. The list of + environment variables that ssuuddoo allows or denies is contained in the + output of ``sudo -V'' when run as root. + + Note that the dynamic linker on most operating systems will remove + variables that can control dynamic linking from the environment of setuid + executables, including ssuuddoo. Depending on the operating system this may + include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. + These type of variables are removed from the environment before ssuuddoo even + begins execution and, as such, it is not possible for ssuuddoo to preserve + them. + + As a special case, if ssuuddoo's --ii option (initial login) is specified, ssuuddoo + will initialize the environment regardless of the value of _e_n_v___r_e_s_e_t. + The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL, + USER, and LOGNAME are set based on the target user. On AIX (and Linux + systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are also included. + On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled, the _p_a_t_h and + _s_e_t_e_n_v variables in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All other + environment variables are removed. + + Finally, if the _e_n_v___f_i_l_e option is defined, any variables present in that + file will be set to their specified values as long as they would not + conflict with an existing environment variable. EEXXIITT VVAALLUUEE - Upon successful execution of a program, the exit status from ssuuddoo will - simply be the exit status of the program that was executed. - - Otherwise, ssuuddoo quits with an exit value of 1 if there is a - configuration/permission problem or if ssuuddoo cannot execute the given - command. In the latter case the error string is printed to stderr. If - ssuuddoo cannot _s_t_a_t(2) one or more entries in the user's PATH an error is - printed on stderr. (If the directory does not exist or if it is not - really a directory, the entry is ignored and no error is printed.) - This should not happen under normal circumstances. The most common - reason for _s_t_a_t(2) to return "permission denied" is if you are running - an automounter and one of the directories in your PATH is on a machine - that is currently unreachable. + Upon successful execution of a program, the exit status from _s_u_d_o will + simply be the exit status of the program that was executed. + + Otherwise, ssuuddoo exits with a value of 1 if there is a + configuration/permission problem or if ssuuddoo cannot execute the given + command. In the latter case the error string is printed to the standard + error. If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an + error is printed on stderr. (If the directory does not exist or if it is + not really a directory, the entry is ignored and no error is printed.) + This should not happen under normal circumstances. The most common + reason for stat(2) to return ``permission denied'' is if you are running + an automounter and one of the directories in your PATH is on a machine + that is currently unreachable. + +LLOOGG FFOORRMMAATT + ssuuddoo can log events using either syslog(3) or a simple log file. In each + case the log format is almost identical. + + AAcccceepptteedd ccoommmmaanndd lloogg eennttrriieess + Commands that sudo runs are logged using the following format (split into + multiple lines for readability): + + date hostname progname: username : TTY=ttyname ; PWD=cwd ; \ + USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \ + ENV=env_vars COMMAND=command + + Where the fields are as follows: + + date The date the command was run. Typically, this is in the + format ``MMM, DD, HH:MM:SS''. If logging via syslog(3), + the actual date format is controlled by the syslog daemon. + If logging to a file and the _l_o_g___y_e_a_r option is enabled, + the date will also include the year. + + hostname The name of the host ssuuddoo was run on. This field is only + present when logging via syslog(3). + + progname The name of the program, usually _s_u_d_o or _s_u_d_o_e_d_i_t. This + field is only present when logging via syslog(3). + + username The login name of the user who ran ssuuddoo. + + ttyname The short name of the terminal (e.g. ``console'', + ``tty01'', or ``pts/0'') ssuuddoo was run on, or ``unknown'' if + there was no terminal present. + + cwd The current working directory that ssuuddoo was run in. + + runasuser The user the command was run as. + + runasgroup The group the command was run as if one was specified on + the command line. + + logid An I/O log identifier that can be used to replay the + command's output. This is only present when the _l_o_g___i_n_p_u_t + or _l_o_g___o_u_t_p_u_t option is enabled. + + env_vars A list of environment variables specified on the command + line, if specified. + + command The actual command that was executed. + + Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which + defaults to the ``C'' locale. + + DDeenniieedd ccoommmmaanndd lloogg eennttrriieess + If the user is not allowed to run the command, the reason for the denial + will follow the user name. Possible reasons include: + + user NOT in sudoers + The user is not listed in the _s_u_d_o_e_r_s file. + + user NOT authorized on host + The user is listed in the _s_u_d_o_e_r_s file but is not allowed to run + commands on the host. + + command not allowed + The user is listed in the _s_u_d_o_e_r_s file for the host but they are not + allowed to run the specified command. + + 3 incorrect password attempts + The user failed to enter their password after 3 tries. The actual + number of tries will vary based on the number of failed attempts and + the value of the _p_a_s_s_w_d___t_r_i_e_s _s_u_d_o_e_r_s option. + + a password is required + The --nn option was specified but a password was required. + + sorry, you are not allowed to set the following environment variables + The user specified environment variables on the command line that were + not allowed by _s_u_d_o_e_r_s. + + EErrrroorr lloogg eennttrriieess + If an error occurs, ssuuddoo will log a message and, in most cases, send a + message to the administrator via email. Possible errors include: + + parse error in /etc/sudoers near line N + ssuuddoo encountered an error when parsing the specified file. In some + cases, the actual error may be one line above or below the line number + listed, depending on the type of error. + + problem with defaults entries + The _s_u_d_o_e_r_s file contains one or more unknown Defaults settings. This + does not prevent ssuuddoo from running, but the _s_u_d_o_e_r_s file should be + checked using vviissuuddoo. + + timestamp owner (username): No such user + The time stamp directory owner, as specified by the _t_i_m_e_s_t_a_m_p_o_w_n_e_r + setting, could not be found in the password database. + + unable to open/read /etc/sudoers + The _s_u_d_o_e_r_s file could not be opened for reading. This can happen + when the _s_u_d_o_e_r_s file is located on a remote file system that maps + user ID 0 to a different value. Normally, ssuuddoo tries to open _s_u_d_o_e_r_s + using group permissions to avoid this problem. + + unable to stat /etc/sudoers + The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. + + /etc/sudoers is not a regular file + The _/_e_t_c_/_s_u_d_o_e_r_s file exists but is not a regular file or symbolic + link. + + /etc/sudoers is owned by uid N, should be 0 + The _s_u_d_o_e_r_s file has the wrong owner. + + /etc/sudoers is world writable + The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. + The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is + 0440 (readable by owner and group, writable by none). + + /etc/sudoers is owned by gid N, should be 1 + The _s_u_d_o_e_r_s file has the wrong group ownership. + + unable to open /var/adm/sudo/username/ttyname + _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. + + unable to write to /var/adm/sudo/username/ttyname + _s_u_d_o_e_r_s was unable to write to the user's time stamp file. + + unable to mkdir to /var/adm/sudo/username + _s_u_d_o_e_r_s was unable to create the user's time stamp directory. + + NNootteess oonn llooggggiinngg vviiaa ssyysslloogg + By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and + _p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As + such, they may vary in format on different systems. + + On most systems, syslog(3) has a relatively small log buffer. To prevent + the command line arguments from being truncated, ssuuddoo will split up log + messages that are larger than 960 characters (not including the date, + hostname, and the string ``sudo''). When a message is split, additional + parts will include the string ``(command continued)'' after the user name + and before the continued command line arguments. + + NNootteess oonn llooggggiinngg ttoo aa ffiillee + If the _l_o_g_f_i_l_e option is set, _s_u_d_o_e_r_s will log to a local file, such as + _/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, _s_u_d_o_e_r_s uses a format similar to + syslog(3), with a few important differences: + + 1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present. + + 2. If the _l_o_g___y_e_a_r _s_u_d_o_e_r_s option is enabled, the date will also + include the year. + + 3. Lines that are longer than _l_o_g_l_i_n_e_l_e_n characters (80 by default) are + word-wrapped and continued on the next line with a four character + indent. This makes entries easier to read for a human being, but + makes it more difficult to use grep(1) on the log files. If the + _l_o_g_l_i_n_e_l_e_n _s_u_d_o_e_r_s option is set to 0 (or negated with a `!'), word + wrap will be disabled. SSEECCUURRIITTYY NNOOTTEESS - ssuuddoo tries to be safe when executing external commands. - - There are two distinct ways to deal with environment variables. By - default, the _e_n_v___r_e_s_e_t _s_u_d_o_e_r_s option is enabled. This causes commands - to be executed with a new, minimal environment containing. On AIX (and - Linux systems without PAM), the environment is initialized with the - contents of the _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the - _u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled, the environment is initialized based - on the _p_a_t_h and _s_e_t_e_n_v settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new - environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, - USERNAME and SUDO_* variables in addition to variables from the - invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. This - is effectively a whitelist for environment variables. - - If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, any variables - not explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are - inherited from the invoking process. In this case, _e_n_v___c_h_e_c_k and - _e_n_v___d_e_l_e_t_e behave like a blacklist. Since it is not possible to - blacklist all potentially dangerous environment variables, use of the - default _e_n_v___r_e_s_e_t behavior is encouraged. - - In all cases, environment variables with a value beginning with () are - removed as they could be interpreted as bbaasshh functions. The list of - environment variables that ssuuddoo allows or denies is contained in the - output of sudo -V when run as root. - - Note that the dynamic linker on most operating systems will remove - variables that can control dynamic linking from the environment of - setuid executables, including ssuuddoo. Depending on the operating system - this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and - others. These type of variables are removed from the environment - before ssuuddoo even begins execution and, as such, it is not possible for - ssuuddoo to preserve them. - - To prevent command spoofing, ssuuddoo checks "." and "" (both denoting - current directory) last when searching for a command in the user's PATH - (if one or both are in the PATH). Note, however, that the actual PATH - environment variable is _n_o_t modified and is passed unchanged to the - program that ssuuddoo executes. - - ssuuddoo will check the ownership of its time stamp directory - (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is - not owned by root or if it is writable by a user other than root. On - systems that allow non-root users to give away files via _c_h_o_w_n(2), if - the time stamp directory is located in a directory writable by anyone - (e.g., _/_t_m_p), it is possible for a user to create the time stamp - directory before ssuuddoo is run. However, because ssuuddoo checks the - ownership and mode of the directory and its contents, the only damage - that can be done is to "hide" files by putting them in the time stamp - dir. This is unlikely to happen since once the time stamp dir is owned - by root and inaccessible by any other user, the user placing files - there would be unable to get them back out. To get around this issue - you can use a directory that is not world-writable for the time stamps - (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or create _/_v_a_r_/_a_d_m_/_s_u_d_o with the - appropriate owner (root) and permissions (0700) in the system startup - files. - - ssuuddoo will not honor time stamps set far in the future. Timestamps with - a date greater than current_time + 2 * TIMEOUT will be ignored and sudo - will log and complain. This is done to keep a user from creating - his/her own time stamp with a bogus date on systems that allow users to - give away files. - - On systems where the boot time is available, ssuuddoo will also not honor - time stamps from before the machine booted. - - Since time stamp files live in the file system, they can outlive a - user's login session. As a result, a user may be able to login, run a - command with ssuuddoo after authenticating, logout, login again, and run - ssuuddoo without authenticating so long as the time stamp file's - modification time is within 5 minutes (or whatever the timeout is set - to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled in _s_u_d_o_e_r_s, the - time stamp has per-tty granularity but still may outlive the user's - session. On Linux systems where the devpts filesystem is used, Solaris - systems with the devices filesystem, as well as other systems that - utilize a devfs filesystem that monotonically increase the inode number - of devices as they are created (such as Mac OS X), ssuuddoo is able to - determine when a tty-based time stamp file is stale and will ignore it. - Administrators should not rely on this feature as it is not universally - available. - - Please note that ssuuddoo will normally only log the command it explicitly - runs. If a user runs a command such as sudo su or sudo sh, subsequent - commands run from that shell will _n_o_t be logged, nor will ssuuddoo's access - control affect them. The same is true for commands that offer shell - escapes (including most editors). Because of this, care must be taken - when giving users access to commands via ssuuddoo to verify that the - command does not inadvertently give the user an effective root shell. - For more information, please see the PREVENTING SHELL ESCAPES section - in _s_u_d_o_e_r_s(4). + ssuuddoo tries to be safe when executing external commands. + + To prevent command spoofing, ssuuddoo checks "." and "" (both denoting + current directory) last when searching for a command in the user's PATH + (if one or both are in the PATH). Note, however, that the actual PATH + environment variable is _n_o_t modified and is passed unchanged to the + program that ssuuddoo executes. + + ssuuddoo will check the ownership of its time stamp directory (_/_v_a_r_/_a_d_m_/_s_u_d_o + by default) and ignore the directory's contents if it is not owned by + root or if it is writable by a user other than root. On systems that + allow non-root users to give away files via chown(2), if the time stamp + directory is located in a world-writable directory (e.g., _/_t_m_p), it is + possible for a user to create the time stamp directory before ssuuddoo is + run. However, because ssuuddoo checks the ownership and mode of the + directory and its contents, the only damage that can be done is to + ``hide'' files by putting them in the time stamp dir. This is unlikely + to happen since once the time stamp dir is owned by root and inaccessible + by any other user, the user placing files there would be unable to get + them back out. + + ssuuddoo will not honor time stamps set far in the future. Time stamps with + a date greater than current_time + 2 * TIMEOUT will be ignored and sudo + will log and complain. This is done to keep a user from creating his/her + own time stamp with a bogus date on systems that allow users to give away + files if the time stamp directory is located in a world-writable + directory. + + On systems where the boot time is available, ssuuddoo will ignore time stamps + that date from before the machine booted. + + Since time stamp files live in the file system, they can outlive a user's + login session. As a result, a user may be able to login, run a command + with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without + authenticating so long as the time stamp file's modification time is + within 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s). When + the _t_t_y___t_i_c_k_e_t_s _s_u_d_o_e_r_s option is enabled, the time stamp has per-tty + granularity but still may outlive the user's session. On Linux systems + where the devpts filesystem is used, Solaris systems with the devices + filesystem, as well as other systems that utilize a devfs filesystem that + monotonically increase the inode number of devices as they are created + (such as Mac OS X), ssuuddoo is able to determine when a tty-based time stamp + file is stale and will ignore it. Administrators should not rely on this + feature as it is not universally available. + + Please note that ssuuddoo will normally only log the command it explicitly + runs. If a user runs a command such as sudo su or sudo sh, subsequent + commands run from that shell are not subject to ssuuddoo's security policy. + The same is true for commands that offer shell escapes (including most + editors). If I/O logging is enabled, subsequent commands will have their + input and/or output logged, but there will not be traditional logs for + those commands. Because of this, care must be taken when giving users + access to commands via ssuuddoo to verify that the command does not + inadvertently give the user an effective root shell. For more + information, please see the _P_R_E_V_E_N_T_I_N_G _S_H_E_L_L _E_S_C_A_P_E_S section in + sudoers(4). + + To prevent the disclosure of potentially sensitive information, ssuuddoo + disables core dumps by default while it is executing (they are re-enabled + for the command that is run). + + For information on the security implications of _s_u_d_o_e_r_s entries, please + see the _S_E_C_U_R_I_T_Y _N_O_T_E_S section in sudoers(4). EENNVVIIRROONNMMEENNTT - ssuuddoo utilizes the following environment variables: + ssuuddoo utilizes the following environment variables: - EDITOR Default editor to use in --ee (sudoedit) mode if neither - SUDO_EDITOR nor VISUAL is set. + EDITOR Default editor to use in --ee (sudoedit) mode if neither + SUDO_EDITOR nor VISUAL is set. - MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set - to the mail spool of the target user. + MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set + to the mail spool of the target user. - HOME Set to the home directory of the target user if --ii or - --HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set - in _s_u_d_o_e_r_s, or when the --ss option is specified and - _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s. + HOME Set to the home directory of the target user if --ii or --HH + are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set in + _s_u_d_o_e_r_s, or when the --ss option is specified and _s_e_t___h_o_m_e + is set in _s_u_d_o_e_r_s. - PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option - is set. + PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h option is set in + the _s_u_d_o_e_r_s file. - SHELL Used to determine shell to run with --ss option. + SHELL Used to determine shell to run with --ss option. - SUDO_ASKPASS Specifies the path to a helper program used to read the - password if no terminal is available or if the --AA - option is specified. + SUDO_ASKPASS Specifies the path to a helper program used to read the + password if no terminal is available or if the --AA option + is specified. - SUDO_COMMAND Set to the command run by sudo. + SUDO_COMMAND Set to the command run by sudo. - SUDO_EDITOR Default editor to use in --ee (sudoedit) mode. + SUDO_EDITOR Default editor to use in --ee (sudoedit) mode. - SUDO_GID Set to the group ID of the user who invoked sudo. + SUDO_GID Set to the group ID of the user who invoked sudo. - SUDO_PROMPT Used as the default password prompt. + SUDO_PROMPT Used as the default password prompt. - SUDO_PS1 If set, PS1 will be set to its value for the program - being run. + SUDO_PS1 If set, PS1 will be set to its value for the program + being run. - SUDO_UID Set to the user ID of the user who invoked sudo. + SUDO_UID Set to the user ID of the user who invoked sudo. - SUDO_USER Set to the login of the user who invoked sudo. + SUDO_USER Set to the login name of the user who invoked sudo. - USER Set to the target user (root unless the --uu option is - specified). + USER Set to the target user (root unless the --uu option is + specified). - VISUAL Default editor to use in --ee (sudoedit) mode if - SUDO_EDITOR is not set. + VISUAL Default editor to use in --ee (sudoedit) mode if + SUDO_EDITOR is not set. FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps + _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and Linux systems EEXXAAMMPPLLEESS - Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. + Note: the following examples assume suitable sudoers(4) entries. - To get a file listing of an unreadable directory: + To get a file listing of an unreadable directory: - $ sudo ls /usr/local/protected + $ sudo ls /usr/local/protected - To list the home directory of user yaz on a machine where the file - system holding ~yaz is not exported as root: + To list the home directory of user yaz on a machine where the file system + holding ~yaz is not exported as root: - $ sudo -u yaz ls ~yaz + $ sudo -u yaz ls ~yaz - To edit the _i_n_d_e_x_._h_t_m_l file as user www: + To edit the _i_n_d_e_x_._h_t_m_l file as user www: - $ sudo -u www vi ~www/htdocs/index.html + $ sudo -u www vi ~www/htdocs/index.html - To view system logs only accessible to root and users in the adm group: + To view system logs only accessible to root and users in the adm group: - $ sudo -g adm view /var/log/syslog + $ sudo -g adm view /var/log/syslog - To run an editor as jim with a different primary group: + To run an editor as jim with a different primary group: - $ sudo -u jim -g audio vi ~jim/sound.txt + $ sudo -u jim -g audio vi ~jim/sound.txt - To shutdown a machine: + To shut down a machine: - $ sudo shutdown -r +15 "quick reboot" + $ sudo shutdown -r +15 "quick reboot" - To make a usage listing of the directories in the /home partition. - Note that this runs the commands in a sub-shell to make the cd and file - redirection work. + To make a usage listing of the directories in the /home partition. Note + that this runs the commands in a sub-shell to make the cd and file + redirection work. - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" + $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(5), - _v_i_s_u_d_o(1m) + grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4), + sudoreplay(1m), visudo(1m) + +HHIISSTTOORRYY + See the HISTORY file in the ssuuddoo distribution + (http://www.sudo.ws/sudo/history.html) for a brief history of sudo. AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this version consists - of code written primarily by: + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: - Todd C. Miller + Todd C. Miller - See the HISTORY file in the ssuuddoo distribution or visit - http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. + See the CONTRIBUTORS file in the ssuuddoo distribution + (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of + people who have contributed to ssuuddoo. CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root shell if - that user is allowed to run arbitrary commands via ssuuddoo. Also, many - programs (such as editors) allow the user to run commands via shell - escapes, thus avoiding ssuuddoo's checks. However, on most systems it is - possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. - See the _s_u_d_o_e_r_s(4) manual for details. + There is no easy way to prevent a user from gaining a root shell if that + user is allowed to run arbitrary commands via ssuuddoo. Also, many programs + (such as editors) allow the user to run commands via shell escapes, thus + avoiding ssuuddoo's checks. However, on most systems it is possible to + prevent shell escapes with ssuuddoo '' ss _n_o_e_x_e_c functionality. See the + sudoers(4) manual for details. - It is not meaningful to run the cd command directly via sudo, e.g., + It is not meaningful to run the cd command directly via sudo, e.g., - $ sudo cd /usr/local/protected + $ sudo cd /usr/local/protected - since when the command exits the parent process (your shell) will still - be the same. Please see the EXAMPLES section for more information. + since when the command exits the parent process (your shell) will still + be the same. Please see the _E_X_A_M_P_L_E_S section for more information. - If users have sudo ALL there is nothing to prevent them from creating - their own program that gives them a root shell regardless of any '!' - elements in the user specification. - - Running shell scripts via ssuuddoo can expose the same kernel bugs that - make setuid shell scripts unsafe on some operating systems (if your OS - has a /dev/fd/ directory, setuid shell scripts are generally safe). + Running shell scripts via ssuuddoo can expose the same kernel bugs that make + setuid shell scripts unsafe on some operating systems (if your OS has a + /dev/fd/ directory, setuid shell scripts are generally safe). BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. - - + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. -1.7.10 July 12, 2012 SUDO(1m) +Sudo 1.7.10 July 10, 2012 Sudo 1.7.10 diff --git a/sudo.man.in b/sudo.man.in index 384f8530e..c2f10a60f 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -1,10 +1,13 @@ -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010 -.\" Todd C. Miller -.\" +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in +.\" +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012 +.\" Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -13,796 +16,1594 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" Sponsored in part by the Defense Advanced Research Projects .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. -.\" -.nr SL @SEMAN@ -.nr BA @BAMAN@ -.nr LC @LCMAN@ -.nr PT @password_timeout@ -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' .\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "July 12, 2012" "1.7.10" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l +.TH "SUDO" "@mansectsu@" "July 10, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh +.if n .ad l .SH "NAME" -sudo, sudoedit \- execute a command as another user +\fBsudo\fR, +\fBsudoedit\fR +\- execute a command as another user .SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR -.PP -\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR] -.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] -[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] -.PP -\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR] -.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] -[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR] -.PP -\&\fBsudo\fR [\fB\-AbEHnPS\fR] -.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] +.HP 5n +\fBsudo\fR +\fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR +.PD 0 +.HP 5n +\fBsudo\fR +\fB\-v\fR +[\fB\-AknS\fR] +[\fB\-a\fR\ \fIauth_type\fR] +[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR] +[\fB\-p\fR\ \fIprompt\fR] +[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR] +.br +.HP 5n +\fBsudo\fR +\fB\-l\fR[\fIl\fR] +[\fB\-AknS\fR] +[\fB\-a\fR\ \fIauth_type\fR] +[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR] +[\fB\-p\fR\ \fIprompt\fR] +[\fB\-U\fR\ \fIuser\ name\fR] +[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR] +[\fIcommand\fR] +.br +.HP 5n +\fBsudo\fR +[\fB\-AbEHnPS\fR] +[\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] -.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] -[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] -[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] -[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR] -.PP -\&\fBsudoedit\fR [\fB\-AnS\fR] -.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] +[\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR] +[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR] +[\fB\-p\fR\ \fIprompt\fR] +[\fB\-r\fR\ \fIrole\fR] +[\fB\-t\fR\ \fItype\fR] +[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR] +[\fBVAR\fR=\fIvalue\fR] +\fB\-i\fR\ |\ \fB\-s\fR +[\fIcommand\fR] +.br +.HP 9n +\fBsudoedit\fR +[\fB\-AnS\fR] +[\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] -.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] -[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ... +[\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR] +[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR] +[\fB\-p\fR\ \fIprompt\fR] +[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR] +file ... +.PD .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the -superuser or another user, as specified in the \fIsudoers\fR file. +\fBsudo\fR +allows a permitted user to execute a +\fIcommand\fR +as the superuser or another user, as specified by the +\fIsudoers\fR +file. The real and effective uid and gid are set to match those of the -target user as specified in the passwd file and the group vector -is initialized based on the group file (unless the \fB\-P\fR option was -specified). If the invoking user is root or if the target user is -the same as the invoking user, no password is required. Otherwise, -\&\fBsudo\fR requires that users authenticate themselves with a password -by default (\s-1NOTE:\s0 in the default configuration this is the user's -password, not the root password). Once a user has been authenticated, -a time stamp is updated and the user may then use sudo without a -password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless -overridden in \fIsudoers\fR). -.PP -When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below), -is implied. -.PP -\&\fBsudo\fR determines who is an authorized user by consulting the file -\&\fI@sysconfdir@/sudoers\fR. By running \fBsudo\fR with the \fB\-v\fR option, -a user can update the time stamp without running a \fIcommand\fR. If -a password is required, \fBsudo\fR will exit if the user's password -is not entered within a configurable time limit. The default -password prompt timeout is -.ie \n(PT \f(CW\*(C`@password_timeout@\*(C'\fR minutes. -.el unlimited. -.PP -If a user who is not listed in the \fIsudoers\fR file tries to run a -command via \fBsudo\fR, mail is sent to the proper authorities, as -defined at configure time or in the \fIsudoers\fR file (defaults to -\&\f(CW\*(C`@mailto@\*(C'\fR). Note that the mail will not be sent if an unauthorized -user tries to run sudo with the \fB\-l\fR or \fB\-v\fR option. This allows -users to determine for themselves whether or not they are allowed -to use \fBsudo\fR. -.PP -If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable -is set, \fBsudo\fR will use this value to determine who the actual -user is. This can be used by a user to log commands through sudo -even when a root shell has been invoked. It also allows the \fB\-e\fR -option to remain useful even when being run via a sudo-run script or -program. Note however, that the sudoers lookup is still done for -root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR. -.PP -\&\fBsudo\fR can log both successful and unsuccessful attempts (as well -as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR -will log via \fIsyslog\fR\|(3) but this is changeable at configure time -or via the \fIsudoers\fR file. -.SH "OPTIONS" -.IX Header "OPTIONS" -\&\fBsudo\fR accepts the following command line options: -.IP "\-A" 12 -.IX Item "-A" -Normally, if \fBsudo\fR requires a password, it will read it from the -current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified, -a (possibly graphical) helper program is executed to read the -user's password and output the password to the standard output. If -the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the -path to the helper program. Otherwise, the value specified by the -\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used. -.if \n(BA \{\ -.IP "\-a \fItype\fR" 12 -.IX Item "-a type" -The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the -specified authentication type when validating the user, as allowed -by \fI/etc/login.conf\fR. The system administrator may specify a list -of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R" -entry in \fI/etc/login.conf\fR. This option is only available on systems -that support \s-1BSD\s0 authentication. -\} -.IP "\-b" 12 -.IX Item "-b" -The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given -command in the background. Note that if you use the \fB\-b\fR +target user, as specified in the password database, and the group +vector is initialized based on the group database (unless the +\fB\-P\fR +option was specified). +See the +\fICommand Environment\fR +section below for more details. +.PP +\fBsudo\fR +determines who is an authorized user by consulting the file +\fI@sysconfdir@/sudoers\fR. +By running +\fBsudo\fR +with the +\fB\-v\fR +option, a user can update the time stamp without running a +\fIcommand\fR. +If authentication is required, +\fBsudo\fR +will exit if the user's password is not entered within a configurable +time limit. +The default password prompt timeout is +\fR@password_timeout@\fR +minutes. +.PP +When invoked as +\fBsudoedit\fR, +the +\fB\-e\fR +option (described below), is implied. +.PP +The options are as follows: +.TP 12n +\fB\-A\fR +Normally, if +\fBsudo\fR +requires a password, it will read it from the user's terminal. +If the +\fB\-A\fR (\fIaskpass\fR) +option is specified, a (possibly graphical) helper program is +executed to read the user's password and output the password to the +standard output. +If the +\fRSUDO_ASKPASS\fR +environment variable is set, it specifies the path to the helper +program. +Otherwise, the value specified by the +\fIaskpass\fR +option in +sudoers(@mansectform@) +is used. +If no askpass program is available, +\fBsudo\fR +will exit with an error. +.TP 12n +\fB\-a\fR \fItype\fR +The +\fB\-a\fR (\fIauthentication type\fR) +option causes +\fBsudo\fR +to use the specified authentication type when validating the user, +as allowed by +\fI/etc/login.conf\fR. +The system administrator may specify a list of sudo-specific +authentication methods by adding an +``auth-sudo'' +entry in +\fI/etc/login.conf\fR. +This option is only available on systems that support BSD authentication. +.TP 12n +\fB\-b\fR +The +\fB\-b\fR (\fIbackground\fR) +option tells +\fBsudo\fR +to run the given command in the background. +Note that if you use the +\fB\-b\fR option you cannot use shell job control to manipulate the process. -.IP "\-C \fIfd\fR" 12 -.IX Item "-C fd" -Normally, \fBsudo\fR will close all open file descriptors other than -standard input, standard output and standard error. The \fB\-C\fR -(\fIclose from\fR) option allows the user to specify a starting point -above the standard error (file descriptor three). Values less than -three are not permitted. This option is only available if the -administrator has enabled the \fIclosefrom_override\fR option in -\&\fIsudoers\fR\|(@mansectform@). -.if \n(LC \{\ -.IP "\-c \fIclass\fR" 12 -.IX Item "-c class" -The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command -with resources limited by the specified login class. The \fIclass\fR -argument can be either a class name as defined in \fI/etc/login.conf\fR, -or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates -that the command should be run restricted by the default login -capabilities for the user the command is run as. If the \fIclass\fR +Most interactive commands will fail to work properly in background +mode. +.TP 12n +\fB\-C\fR \fIfd\fR +Normally, +\fBsudo\fR +will close all open file descriptors other than standard input, +standard output and standard error. +The +\fB\-C\fR (\fIclose from\fR) +option allows the user to specify a starting point above the standard +error (file descriptor three). +Values less than three are not permitted. +This option is only available when the administrator has enabled the +\fIclosefrom_override\fR +option in +sudoers(@mansectform@). +.TP 12n +\fB\-c\fR \fIclass\fR +The +\fB\-c\fR (\fIclass\fR) +option causes +\fBsudo\fR +to run the specified command with resources limited by the specified +login class. +The +\fIclass\fR +argument can be either a class name as defined in +\fI/etc/login.conf\fR, +or a single +`\-' +character. +Specifying a +\fIclass\fR +of +\fR-\fR +indicates that the command should be run restricted by the default +login capabilities for the user the command is run as. +If the +\fIclass\fR argument specifies an existing user class, the command must be run -as root, or the \fBsudo\fR command must be run from a shell that is already -root. This option is only available on systems with \s-1BSD\s0 login classes. -\} -.IP "\-E" 12 -.IX Item "-E" -The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the -\&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)). It is only -available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag -or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@). -.IP "\-e" 12 -.IX Item "-e" -The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running -a command, the user wishes to edit one or more files. In lieu -of a command, the string \*(L"sudoedit\*(R" is used when consulting -the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR +as root, or the +\fBsudo\fR +command must be run from a shell that is already root. +This option is only available on systems with BSD login classes. +.TP 12n +\fB\-E\fR +The +\fB\-E\fR (\fIpreserve environment\fR) +option will override the +\fIenv_reset\fR +option in +sudoers(@mansectform@). +It is only available when either the matching command has the +\fRSETENV\fR +tag or the +\fIsetenv\fR +option is set in +sudoers(@mansectform@). +\fBsudo\fR +will return an error if the +\fB\-E\fR +option is specified and the user does not have permission to preserve +the environment. +.TP 12n +\fB\-e\fR +The +\fB\-e\fR (\fIedit\fR) +option indicates that, instead of running a command, the user wishes +to edit one or more files. +In lieu of a command, the string "sudoedit" is used when consulting the +\fIsudoers\fR +file. +If the user is authorized by +\fIsudoers\fR, the following steps are taken: -.RS 12 -.IP "1." 4 +.RS +.TP 5n +1. Temporary copies are made of the files to be edited with the owner set to the invoking user. -.IP "2." 4 -The editor specified by the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR -environment variables is run to edit the temporary files. If none -of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program -listed in the \fIeditor\fR \fIsudoers\fR variable is used. -.IP "3." 4 +.TP 5n +2. +The editor specified by the +\fRSUDO_EDITOR\fR, +\fRVISUAL\fR +or +\fREDITOR\fR +environment variables (in that order) is run to edit the temporary files. +If none of +\fRSUDO_EDITOR\fR, +\fRVISUAL\fR +or +\fREDITOR\fR +are set, the first program listed in the +\fIeditor\fR +sudoers(@mansectform@) +option is used. +.TP 5n +3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. +.PP +If the specified file does not exist, it will be created. +Note that unlike most commands run by +\fIsudo\fR, +the editor is run with the invoking user's environment unmodified. +If, for some reason, +\fBsudo\fR +is unable to update a file with its edited version, the user will +receive a warning and the edited copy will remain in a temporary +file. +.PP .RE -.RS 12 -.Sp -If the specified file does not exist, it will be created. Note -that unlike most commands run by \fBsudo\fR, the editor is run with -the invoking user's environment unmodified. If, for some reason, -\&\fBsudo\fR is unable to update a file with its edited version, the -user will receive a warning and the edited copy will remain in a -temporary file. -.RE -.IP "\-g \fIgroup\fR" 12 -.IX Item "-g group" -Normally, \fBsudo\fR sets the primary group to the one specified by -the passwd database for the user the command is being run as (by -default, root). The \fB\-g\fR (\fIgroup\fR) option causes \fBsudo\fR to run -the specified command with the primary group set to \fIgroup\fR. To -specify a \fIgid\fR instead of a \fIgroup name\fR, use \fI#gid\fR. When -running commands as a \fIgid\fR, many shells require that the '#' be -escaped with a backslash ('\e'). If no \fB\-u\fR option is specified, -the command will be run as the invoking user (not root). In either -case, the primary group will be set to \fIgroup\fR. -.IP "\-H" 12 -.IX Item "-H" -The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable -to the homedir of the target user (root by default) as specified -in \fIpasswd\fR\|(@mansectform@). The default handling of the \f(CW\*(C`HOME\*(C'\fR environment -variable depends on \fIsudoers\fR\|(@mansectform@) settings. By default, \fBsudo\fR -will set \f(CW\*(C`HOME\*(C'\fR if \fIenv_reset\fR or \fIalways_set_home\fR are set, or -if \fIset_home\fR is set and the \fB\-s\fR option is specified on the -command line. -.IP "\-h" 12 -.IX Item "-h" -The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a short help message -to the standard output and exit. -.IP "\-i [command]" 12 -.IX Item "-i [command]" -The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified -in the \fIpasswd\fR\|(@mansectform@) entry of the target user as a login shell. This -means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR or -\&\f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified, -it is passed to the shell for execution. Otherwise, an interactive -shell is executed. \fBsudo\fR attempts to change to that user's home -directory before running the shell. It also initializes the -environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting -\&\fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as -the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems. -All other environment variables are removed. -.IP "\-K" 12 -.IX Item "-K" -The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes -the user's time stamp entirely and may not be used in conjunction -with a command or other option. This option does not require a -password. -.IP "\-k" 12 -.IX Item "-k" -When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates -the user's time stamp by setting the time on it to the Epoch. The -next time \fBsudo\fR is run a password will be required. This option -does not require a password and was added to allow a user to revoke -\&\fBsudo\fR permissions from a .logout file. -.Sp +.PD 0 +.TP 12n +\fB\-g\fR \fIgroup\fR +Normally, +\fBsudo\fR +runs a command with the primary group set to the one specified by +the password database for the user the command is being run as (by +default, root). +The +\fB\-g\fR (\fIgroup\fR) +option causes +\fBsudo\fR +to run the command with the primary group set to +\fIgroup\fR +instead. +To specify a +\fIgid\fR +instead of a +\fIgroup name\fR, +use +\fI#gid\fR. +When running commands as a +\fIgid\fR, +many shells require that the +`#' +be escaped with a backslash +(`\e'). +If no +\fB\-u\fR +option is specified, the command will be run as the invoking user +(not root). +In either case, the primary group will be set to +\fIgroup\fR. +.PD +.TP 12n +\fB\-H\fR +The +\fB\-H\fR (\fIHOME\fR) +option option sets the +\fRHOME\fR +environment variable to the home directory of the target user (root +by default) as specified by the password database. +The default handling of the +\fRHOME\fR +environment variable depends on +sudoers(@mansectform@) +settings. +By default, +\fBsudo\fR +will set +\fRHOME\fR +if +\fIenv_reset\fR +or +\fIalways_set_home\fR +are set, or if +\fIset_home\fR +is set and the +\fB\-s\fR +option is specified on the command line. +.TP 12n +\fB\-h\fR +The +\fB\-h\fR (\fIhelp\fR) +option causes +\fBsudo\fR +to print a short help message to the standard output and exit. +.TP 12n +\fB\-i\fR [\fIcommand\fR] +The +\fB\-i\fR (\fIsimulate initial login\fR) +option runs the shell specified by the password database entry of +the target user as a login shell. +This means that login-specific resource files such as +\fI.profile\fR +or +\fI.login\fR +will be read by the shell. +If a command is specified, it is passed to the shell for execution +via the shell's +\fB\-c\fR +option. +If no command is specified, an interactive shell is executed. +\fBsudo\fR +attempts to change to that user's home directory before running the +shell. +It also initializes the environment to a minimal +set of variables, similar to what is present when a user logs in. +The +\fICommand Environment\fR +section below documents in detail how the +\fB\-i\fR +option affects the environment in which a command is run. +.TP 12n +\fB\-K\fR +The +\fB\-K\fR (sure \fIkill\fR) +option is like +\fB\-k\fR +except that it removes the user's time stamp file entirely and +may not be used in conjunction with a command or other option. +This option does not require a password. +.TP 12n +\fB\-k\fR [\fIcommand\fR] +When used alone, the +\fB\-k\fR (\fIkill\fR) +option to +\fBsudo\fR +invalidates the user's time stamp file. +The next time +\fBsudo\fR +is run a password will be required. +This option does not require a password and was added to allow a +user to revoke +\fBsudo\fR +permissions from a +\fI.logout\fR +file. +.sp When used in conjunction with a command or an option that may require -a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's -time stamp file. As a result, \fBsudo\fR will prompt for a password -(if one is required by \fIsudoers\fR) and will not update the user's -time stamp file. -.IP "\-L" 12 -.IX Item "-L" -The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that -may be set in a \fIDefaults\fR line along with a short description for -each. This option will be removed from a future version of \fBsudo\fR. -.IP "\-l[l] [\fIcommand\fR]" 12 -.IX Item "-l[l] [command]" -If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list -the allowed (and forbidden) commands for the invoking user (or the -user specified by the \fB\-U\fR option) on the current host. If a -\&\fIcommand\fR is specified and is permitted by \fIsudoers\fR, the -fully-qualified path to the command is displayed along with any -command line arguments. If \fIcommand\fR is specified but not allowed, -\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option is -specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR +a password, the +\fB\-k\fR +option will cause +\fBsudo\fR +to ignore the user's time stamp file. +As a result, +\fBsudo\fR +will prompt for a password (if one is required by +\fIsudoers\fR) +and will not update the user's time stamp file. +.TP 12n +\fB\-L\fR +The +\fB\-L\fR (\fIlist\fR defaults) +option will list the parameters that +may be set in a +\fIDefaults\fR +line along with a short description for each. +This option will be removed from a future version of +\fBsudo\fR. +.TP 12n +\fB\-l\fR[\fBl\fR] [\fIcommand\fR] +If no +\fIcommand\fR +is specified, the +\fB\-l\fR (\fIlist\fR) +option will list the allowed (and forbidden) commands for the +invoking user (or the user specified by the +\fB\-U\fR +option) on the current host. +If a +\fIcommand\fR +is specified and is permitted by +\fIsudoers\fR, +the fully-qualified +path to the command is displayed along with any command line +arguments. +If +\fIcommand\fR +is specified but not allowed, +\fBsudo\fR +will exit with a status value of 1. +If the +\fB\-l\fR +option is specified with an +\fIl\fR +argument +(i.e.\& \fB\-ll\fR), +or if +\fB\-l\fR is specified multiple times, a longer list format is used. -.IP "\-n" 12 -.IX Item "-n" -The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting -the user for a password. If a password is required for the command -to run, \fBsudo\fR will display an error message and exit. -.IP "\-P" 12 -.IX Item "-P" -The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to -preserve the invoking user's group vector unaltered. By default, -\&\fBsudo\fR will initialize the group vector to the list of groups the -target user is in. The real and effective group IDs, however, are -still set to match the target user. -.IP "\-p \fIprompt\fR" 12 -.IX Item "-p prompt" -The \fB\-p\fR (\fIprompt\fR) option allows you to override the default -password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR') +.TP 12n +\fB\-n\fR +The +\fB\-n\fR (\fInon-interactive\fR) +option prevents +\fBsudo\fR +from prompting the user for a password. +If a password is required for the command to run, +\fBsudo\fR +will display an error message and exit. +.TP 12n +\fB\-P\fR +The +\fB\-P\fR (\fIpreserve group vector\fR) +option causes +\fBsudo\fR +to preserve the invoking user's group vector unaltered. +By default, +\fBsudo\fR +will initialize the group vector to the list of groups the +target user is in. +The real and effective group IDs, however, are still set to match +the target user. +.TP 12n +\fB\-p\fR \fIprompt\fR +The +\fB\-p\fR (\fIprompt\fR) +option allows you to override the default password prompt and use +a custom one. +The following percent +(`%') escapes are supported: -.RS 12 -.ie n .IP "%H" 4 -.el .IP "\f(CW%H\fR" 4 -.IX Item "%H" -expanded to the local host name including the domain name -(on if the machine's host name is fully qualified or the \fIfqdn\fR -\&\fIsudoers\fR option is set) -.ie n .IP "%h" 4 -.el .IP "\f(CW%h\fR" 4 -.IX Item "%h" +.RS +.TP 4n +\fR%H\fR +expanded to the host name including the domain name (on if the +machine's host name is fully qualified or the +\fIfqdn\fR +option is set in +sudoers(@mansectform@)) +.TP 4n +\fR%h\fR expanded to the local host name without the domain name -.ie n .IP "%p" 4 -.el .IP "\f(CW%p\fR" 4 -.IX Item "%p" -expanded to the user whose password is being asked for (respects the -\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR) -.ie n .IP "%U" 4 -.el .IP "\f(CW%U\fR" 4 -.IX Item "%U" -expanded to the login name of the user the command will -be run as (defaults to root) -.ie n .IP "%u" 4 -.el .IP "\f(CW%u\fR" 4 -.IX Item "%u" +.TP 4n +\fR%p\fR +expanded to the name of the user whose password is being requested +(respects the +\fIrootpw\fR, +\fItargetpw\fR, +and +\fIrunaspw\fR +flags in +sudoers(@mansectform@)) +.TP 4n +\fR\&%U\fR +expanded to the login name of the user the command will be run as +(defaults to root unless the +\fB\-u\fR +option is also specified) +.TP 4n +\fR%u\fR expanded to the invoking user's login name -.ie n .IP "\*(C`%%\*(C'" 4 -.el .IP "\f(CW\*(C`%%\*(C'\fR" 4 -.IX Item "%%" -two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character -.RE -.RS 12 -.Sp -The prompt specified by the \fB\-p\fR option will override the system -password prompt on systems that support \s-1PAM\s0 unless the -\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR. +.TP 4n +\fR%%\fR +two consecutive +`%' +characters are collapsed into a single +`%' +character +.PP +The prompt specified by the +\fB\-p\fR +option will override the system password prompt on systems that +support PAM unless the +\fIpassprompt_override\fR +flag is disabled in +\fIsudoers\fR. +.PP .RE -.if \n(SL \{\ -.IP "\-r \fIrole\fR" 12 -.IX Item "-r role" -The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to -have the role specified by \fIrole\fR. -\} -.IP "\-S" 12 -.IX Item "-S" -The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from -the standard input instead of the terminal device. The password must -be followed by a newline character. -.IP "\-s [command]" 12 -.IX Item "-s [command]" -The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR -environment variable if it is set or the shell as specified in -\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell -for execution. Otherwise, an interactive shell is executed. -.if \n(SL \{\ -.IP "\-t \fItype\fR" 12 -.IX Item "-t type" -The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to -have the type specified by \fItype\fR. If no type is specified, the default -type is derived from the specified role. -\} -.IP "\-U \fIuser\fR" 12 -.IX Item "-U user" -The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR -option to specify the user whose privileges should be listed. Only -root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this +.PD 0 +.TP 12n +\fB\-r\fR \fIrole\fR +The +\fB\-r\fR (\fIrole\fR) +option causes the new (SELinux) security context to have the role +specified by +\fIrole\fR. +.PD +.TP 12n +\fB\-S\fR +The +\fB\-S\fR (\fIstdin\fR) +option causes +\fBsudo\fR +to read the password from the standard input instead of the terminal +device. +The password must be followed by a newline character. +.TP 12n +\fB\-s\fR [\fIcommand\fR] +The +\fB\-s\fR (\fIshell\fR) +option runs the shell specified by the +\fRSHELL\fR +environment variable if it is set or the shell as specified in the +password database. +If a command is specified, it is passed to the shell for execution +via the shell's +\fB\-c\fR option. -.IP "\-u \fIuser\fR" 12 -.IX Item "-u user" -The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified -command as a user other than \fIroot\fR. To specify a \fIuid\fR instead -of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR, -many shells require that the '#' be escaped with a backslash ('\e'). -Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(@mansectform@)) +If no command is specified, an interactive shell is executed. +.TP 12n +\fB\-t\fR \fItype\fR +The +\fB\-t\fR (\fItype\fR) +option causes the new (SELinux) security context to have the type +specified by +\fItype\fR. +If no type is specified, the default type is derived from the +specified role. +.TP 12n +\fB\-U\fR \fIuser\fR +The +\fB\-U\fR (\fIother user\fR) +option is used in conjunction with the +\fB\-l\fR +option to specify the user whose privileges should be listed. +Only root or a user with the +\fRALL\fR +privilege on the current host may use this option. +.TP 12n +\fB\-u\fR \fIuser\fR +The +\fB\-u\fR (\fIuser\fR) +option causes +\fBsudo\fR +to run the specified command as a user other than +\fIroot\fR. +To specify a +\fIuid\fR +instead of a +\fIuser name\fR, +\fI#uid\fR. +When running commands as a +\fIuid\fR, +many shells require that the +`#' +be escaped with a backslash +(`\e'). +Note that if the +\fItargetpw\fR +Defaults option is set (see +sudoers(@mansectform@)), it is not possible to run commands with a uid not listed in the password database. -.IP "\-V" 12 -.IX Item "-V" -The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version -number and exit. If the invoking user is already root the \fB\-V\fR -option will print out a list of the defaults \fBsudo\fR was compiled -with as well as the machine's local network addresses. -.IP "\-v" 12 -.IX Item "-v" -If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the -user's time stamp, prompting for the user's password if necessary. -This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes -(or whatever the timeout is set to in \fIsudoers\fR) but does not run -a command. -.IP "\-\-" 12 -The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command -line arguments. +.TP 12n +\fB\-V\fR +The +\fB\-V\fR (\fIversion\fR) +option causes +\fBsudo\fR +to print its version string and exit. +If the invoking user is already root the +\fB\-V\fR +option will display the arguments passed to configure when +\fBsudo\fR +was built as well a list of the defaults +\fBsudo\fR +was compiled with as well as the machine's local network addresses. +.TP 12n +\fB\-v\fR +When given the +\fB\-v\fR (\fIvalidate\fR) +option, +\fBsudo\fR +will update the user's time stamp file, authenticating the user's +password if necessary. +This extends the +\fBsudo\fR +timeout for another +\fR@timeout@\fR +minutes (or whatever the timeout is set to in +\fIsudoers\fR) +but does not run a command. +.TP 12n +\fB\--\fR +The +\fB\--\fR +option indicates that +\fBsudo\fR +should stop processing command line arguments. .PP Environment variables to be set for the command may also be passed -on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g. -\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the -command line are subject to the same restrictions as normal environment -variables with one important exception. If the \fIsetenv\fR option -is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag -set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables -that would overwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information. -.SH "EXIT VALUE" -.IX Header "EXIT VALUE" -Upon successful execution of a program, the exit status from \fBsudo\fR -will simply be the exit status of the program that was executed. +on the command line in the form of +\fBVAR\fR=\fIvalue\fR, +e.g.\& +\fBLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR. +Variables passed on the command line are subject to the same +restrictions as normal environment variables with one important +exception. +If the +\fIsetenv\fR +option is set in +\fIsudoers\fR, +the command to be run has the +\fRSETENV\fR +tag set or the command matched is +\fRALL\fR, +the user may set variables that would otherwise be forbidden. +See +sudoers(@mansectform@) +for more information. +.SS "Authentication and Logging" +\fBsudo\fR +requires that most users authenticate themselves by default. +A password is not required +if the invoking user is root, if the target user is the same as the +invoking user, or if the authentication has been disabled for the +user or command in the +\fIsudoers\fR +file. +Unlike +su(1), +when +\fBsudo\fR +requires +authentication, it validates the invoking user's credentials, not +the target user's (or root's) credentials. +This can be changed via +the +\fIrootpw\fR, +\fItargetpw\fR +and +\fIrunaspw\fR +Defaults entries in +\fIsudoers\fR. .PP -Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a -configuration/permission problem or if \fBsudo\fR cannot execute the -given command. In the latter case the error string is printed to -stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's -\&\f(CW\*(C`PATH\*(C'\fR an error is printed on stderr. (If the directory does not -exist or if it is not really a directory, the entry is ignored and -no error is printed.) This should not happen under normal -circumstances. The most common reason for \fIstat\fR\|(2) to return -\&\*(L"permission denied\*(R" is if you are running an automounter and one -of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is currently -unreachable. -.SH "SECURITY NOTES" -.IX Header "SECURITY NOTES" -\&\fBsudo\fR tries to be safe when executing external commands. -.PP -There are two distinct ways to deal with environment variables. By -default, the \fIenv_reset\fR \fIsudoers\fR option is enabled. This causes -commands to be executed with a new, minimal environment containing. -On \s-1AIX\s0 (and Linux systems without \s-1PAM\s0), the environment is initialized -with the contents of the \fI/etc/environment\fR file. On \s-1BSD\s0 systems, -if the \fIuse_loginclass\fR option is enabled, the environment is -initialized based on the \fIpath\fR and \fIsetenv\fR settings in -\&\fI/etc/login.conf\fR. The new environment contains the \f(CW\*(C`TERM\*(C'\fR, -\&\f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR -and \f(CW\*(C`SUDO_*\*(C'\fR variables in addition to variables from the invoking -process permitted by the \fIenv_check\fR and \fIenv_keep\fR options. This -is effectively a whitelist for environment variables. -.PP -If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any -variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR -options are inherited from the invoking process. In this case, -\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it -is not possible to blacklist all potentially dangerous environment -variables, use of the default \fIenv_reset\fR behavior is encouraged. +If a user who is not listed in +\fIsudoers\fR +tries to run a command via +\fBsudo\fR, +mail is sent to the proper authorities. +The address +used for such mail is configurable via the +\fImailto\fR +\fIsudoers\fR +Defaults entry and defaults to +\fR@mailto@\fR. +.PP +Note that mail will not be sent if an unauthorized user tries to +run +\fBsudo\fR +with the +\fB\-l\fR +or +\fB\-v\fR +option. +This allows users to +determine for themselves whether or not they are allowed to use +\fBsudo\fR. +.PP +If +\fBsudo\fR +is run by root and the +\fRSUDO_USER\fR +environment variable +is set, its value will be used to determine who the actual user is. +This can be used by a user to log commands +through +\fBsudo\fR +even when a root shell has been invoked. +It also +allows the +\fB\-e\fR +option to remain useful even when invoked via a +sudo-run script or program. +Note, however, that the +\fIsudoers\fR +lookup is still done for root, not the user specified by +\fRSUDO_USER\fR. +.PP +\fBsudo\fR +uses time stamp files for credential caching. +Once a +user has been authenticated, the time stamp is updated and the user +may then use sudo without a password for a short period of time +(\fR@timeout@\fR +minutes unless overridden by the +\fItimeout\fR +option) +\&. +By default, +\fBsudo\fR +uses a tty-based time stamp which means that +there is a separate time stamp for each of a user's login sessions. +The +\fItty_tickets\fR +option can be disabled to force the use of a +single time stamp for all of a user's sessions. +.PP +\fBsudo\fR +can log both successful and unsuccessful attempts (as well +as errors) to +syslog(3), +a log file, or both. +By default, +\fBsudo\fR +will log via +syslog(3) +but this is changeable via the +\fIsyslog\fR +and +\fIlogfile\fR +Defaults settings. +.PP +\fBsudo\fR +also supports logging a command's input and output +streams. +I/O logging is not on by default but can be enabled using +the +\fIlog_input\fR +and +\fIlog_output\fR +Defaults flags as well as the +\fRLOG_INPUT\fR +and +\fRLOG_OUTPUT\fR +command tags. +.SS "Command Environment" +Since environment variables can influence program behavior, +\fBsudo\fR +provides a means to restrict which variables from the user's +environment are inherited by the command to be run. +There are two +distinct ways +\fIsudoers\fR +can be configured to handle with environment variables. +.PP +By default, the +\fIenv_reset\fR +option is enabled. +This causes commands +to be executed with a new, minimal environment. +On AIX (and Linux +systems without PAM), the environment is initialized with the +contents of the +\fI/etc/environment\fR +file. +On BSD systems, if the +\fIuse_loginclass\fR +option is enabled, the environment is initialized +based on the +\fIpath\fR +and +\fIsetenv\fR +settings in +\fI/etc/login.conf\fR. +The new environment contains the +\fRTERM\fR, +\fRPATH\fR, +\fRHOME\fR, +\fRMAIL\fR, +\fRSHELL\fR, +\fRLOGNAME\fR, +\fRUSER\fR, +\fRUSERNAME\fR +and +\fRSUDO_*\fR +variables +in addition to variables from the invoking process permitted by the +\fIenv_check\fR +and +\fIenv_keep\fR +options. +This is effectively a whitelist +for environment variables. +.PP +If, however, the +\fIenv_reset\fR +option is disabled, any variables not +explicitly denied by the +\fIenv_check\fR +and +\fIenv_delete\fR +options are +inherited from the invoking process. +In this case, +\fIenv_check\fR +and +\fIenv_delete\fR +behave like a blacklist. +Since it is not possible +to blacklist all potentially dangerous environment variables, use +of the default +\fIenv_reset\fR +behavior is encouraged. .PP In all cases, environment variables with a value beginning with -\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions. -The list of environment variables that \fBsudo\fR allows or denies is -contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root. +\fR()\fR +are removed as they could be interpreted as +\fBbash\fR +functions. +The list of environment variables that +\fBsudo\fR +allows or denies is +contained in the output of +``\fRsudo -V\fR'' +when run as root. .PP Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of -setuid executables, including \fBsudo\fR. Depending on the operating -system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR, -\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are -removed from the environment before \fBsudo\fR even begins execution -and, as such, it is not possible for \fBsudo\fR to preserve them. -.PP -To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting -current directory) last when searching for a command in the user's -\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the -actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed -unchanged to the program that \fBsudo\fR executes. -.PP -\&\fBsudo\fR will check the ownership of its time stamp directory -(\fI@timedir@\fR by default) and ignore the directory's contents if -it is not owned by root or if it is writable by a user other than -root. On systems that allow non-root users to give away files via -\&\fIchown\fR\|(2), if the time stamp directory is located in a directory -writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to -create the time stamp directory before \fBsudo\fR is run. However, -because \fBsudo\fR checks the ownership and mode of the directory and -its contents, the only damage that can be done is to \*(L"hide\*(R" files -by putting them in the time stamp dir. This is unlikely to happen -since once the time stamp dir is owned by root and inaccessible by -any other user, the user placing files there would be unable to get -them back out. To get around this issue you can use a directory -that is not world-writable for the time stamps (\fI/var/adm/sudo\fR for -instance) or create \fI@timedir@\fR with the appropriate owner (root) -and permissions (0700) in the system startup files. -.PP -\&\fBsudo\fR will not honor time stamps set far in the future. -Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR -will be ignored and sudo will log and complain. This is done to -keep a user from creating his/her own time stamp with a bogus -date on systems that allow users to give away files. -.PP -On systems where the boot time is available, \fBsudo\fR will also not -honor time stamps from before the machine booted. +setuid executables, including +\fBsudo\fR. +Depending on the operating +system this may include +\fR_RLD*\fR, +\fRDYLD_*\fR, +\fRLD_*\fR, +\fRLDR_*\fR, +\fRLIBPATH\fR, +\fRSHLIB_PATH\fR, +and others. +These type of variables are +removed from the environment before +\fBsudo\fR +even begins execution +and, as such, it is not possible for +\fBsudo\fR +to preserve them. +.PP +As a special case, if +\fBsudo\fR's +\fB\-i\fR +option (initial login) is +specified, +\fBsudo\fR +will initialize the environment regardless +of the value of +\fIenv_reset\fR. +The +\fRDISPLAY\fR, +\fRPATH\fR +and +\fRTERM\fR +variables remain unchanged; +\fRHOME\fR, +\fRMAIL\fR, +\fRSHELL\fR, +\fRUSER\fR, +and +\fRLOGNAME\fR +are set based on the target user. +On AIX (and Linux +systems without PAM), the contents of +\fI/etc/environment\fR +are also +included. +On BSD systems, if the +\fIuse_loginclass\fR +option is +enabled, the +\fIpath\fR +and +\fIsetenv\fR +variables in +\fI/etc/login.conf\fR +are also applied. +All other environment variables are removed. +.PP +Finally, if the +\fIenv_file\fR +option is defined, any variables present +in that file will be set to their specified values as long as they +would not conflict with an existing environment variable. +.SH "EXIT VALUE" +Upon successful execution of a program, the exit status from +\fIsudo\fR +will simply be the exit status of the program that was executed. +.PP +Otherwise, +\fBsudo\fR +exits with a value of 1 if there is a configuration/permission +problem or if +\fBsudo\fR +cannot execute the given command. +In the latter case the error string is printed to the standard error. +If +\fBsudo\fR +cannot +stat(2) +one or more entries in the user's +\fRPATH\fR, +an error is printed on stderr. +(If the directory does not exist or if it is not really a directory, +the entry is ignored and no error is printed.) +This should not happen under normal circumstances. +The most common reason for +stat(2) +to return +``permission denied'' +is if you are running an automounter and one of the directories in +your +\fRPATH\fR +is on a machine that is currently unreachable. +.SH "LOG FORMAT" +\fBsudo\fR +can log events using either +syslog(3) +or a simple log file. +In each case the log format is almost identical. +.SS "Accepted command log entries" +Commands that sudo runs are logged using the following format (split +into multiple lines for readability): +.nf +.sp +.RS 4n +date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e + USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e + ENV=env_vars COMMAND=command +.RE +.fi +.PP +Where the fields are as follows: +.TP 14n +date +The date the command was run. +Typically, this is in the format +``MMM, DD, HH:MM:SS''. +If logging via +syslog(3), +the actual date format is controlled by the syslog daemon. +If logging to a file and the +\fIlog_year\fR +option is enabled, +the date will also include the year. +.TP 14n +hostname +The name of the host +\fBsudo\fR +was run on. +This field is only present when logging via +syslog(3). +.TP 14n +progname +The name of the program, usually +\fIsudo\fR +or +\fIsudoedit\fR. +This field is only present when logging via +syslog(3). +.TP 14n +username +The login name of the user who ran +\fBsudo\fR. +.TP 14n +ttyname +The short name of the terminal (e.g.\& +``console'', +``tty01'', +or +``pts/0'') +\fBsudo\fR +was run on, or +``unknown'' +if there was no terminal present. +.TP 14n +cwd +The current working directory that +\fBsudo\fR +was run in. +.TP 14n +runasuser +The user the command was run as. +.TP 14n +runasgroup +The group the command was run as if one was specified on the command line. +.TP 14n +logid +An I/O log identifier that can be used to replay the command's output. +This is only present when the +\fIlog_input\fR +or +\fIlog_output\fR +option is enabled. +.TP 14n +env_vars +A list of environment variables specified on the command line, +if specified. +.TP 14n +command +The actual command that was executed. +.PP +Messages are logged using the locale specified by +\fIsudoers_locale\fR, +which defaults to the +``\fRC\fR'' +locale. +.SS "Denied command log entries" +If the user is not allowed to run the command, the reason for the denial +will follow the user name. +Possible reasons include: +.TP 3n +user NOT in sudoers +The user is not listed in the +\fIsudoers\fR +file. +.TP 3n +user NOT authorized on host +The user is listed in the +\fIsudoers\fR +file but is not allowed to run commands on the host. +.TP 3n +command not allowed +The user is listed in the +\fIsudoers\fR +file for the host but they are not allowed to run the specified command. +.TP 3n +3 incorrect password attempts +The user failed to enter their password after 3 tries. +The actual number of tries will vary based on the number of +failed attempts and the value of the +\fIpasswd_tries\fR +\fIsudoers\fR +option. +.TP 3n +a password is required +The +\fB\-n\fR +option was specified but a password was required. +.TP 3n +sorry, you are not allowed to set the following environment variables +The user specified environment variables on the command line that +were not allowed by +\fIsudoers\fR. +.SS "Error log entries" +If an error occurs, +\fBsudo\fR +will log a message and, in most cases, send a message to the +administrator via email. +Possible errors include: +.TP 3n +parse error in @sysconfdir@/sudoers near line N +\fBsudo\fR +encountered an error when parsing the specified file. +In some cases, the actual error may be one line above or below the +line number listed, depending on the type of error. +.TP 3n +problem with defaults entries +The +\fIsudoers\fR +file contains one or more unknown Defaults settings. +This does not prevent +\fBsudo\fR +from running, but the +\fIsudoers\fR +file should be checked using +\fBvisudo\fR. +.TP 3n +timestamp owner (username): \&No such user +The time stamp directory owner, as specified by the +\fItimestampowner\fR +setting, could not be found in the password database. +.TP 3n +unable to open/read @sysconfdir@/sudoers +The +\fIsudoers\fR +file could not be opened for reading. +This can happen when the +\fIsudoers\fR +file is located on a remote file system that maps user ID 0 to +a different value. +Normally, +\fBsudo\fR +tries to open +\fIsudoers\fR +using group permissions to avoid this problem. +.TP 3n +unable to stat @sysconfdir@/sudoers +The +\fI@sysconfdir@/sudoers\fR +file is missing. +.TP 3n +@sysconfdir@/sudoers is not a regular file +The +\fI@sysconfdir@/sudoers\fR +file exists but is not a regular file or symbolic link. +.TP 3n +@sysconfdir@/sudoers is owned by uid N, should be 0 +The +\fIsudoers\fR +file has the wrong owner. +.TP 3n +@sysconfdir@/sudoers is world writable +The permissions on the +\fIsudoers\fR +file allow all users to write to it. +The +\fIsudoers\fR +file must not be world-writable, the default file mode +is 0440 (readable by owner and group, writable by none). +.TP 3n +@sysconfdir@/sudoers is owned by gid N, should be 1 +The +\fIsudoers\fR +file has the wrong group ownership. +.TP 3n +unable to open @timedir@/username/ttyname +\fIsudoers\fR +was unable to read or create the user's time stamp file. +.TP 3n +unable to write to @timedir@/username/ttyname +\fIsudoers\fR +was unable to write to the user's time stamp file. +.TP 3n +unable to mkdir to @timedir@/username +\fIsudoers\fR +was unable to create the user's time stamp directory. +.SS "Notes on logging via syslog" +By default, +\fIsudoers\fR +logs messages via +syslog(3). +The +\fIdate\fR, +\fIhostname\fR, +and +\fIprogname\fR +fields are added by the syslog daemon, not +\fIsudoers\fR +itself. +As such, they may vary in format on different systems. +.PP +On most systems, +syslog(3) +has a relatively small log buffer. +To prevent the command line arguments from being truncated, +\fBsudo\fR +will split up log messages that are larger than 960 characters +(not including the date, hostname, and the string +``sudo''). +When a message is split, additional parts will include the string +``(command continued)'' +after the user name and before the continued command line arguments. +.SS "Notes on logging to a file" +If the +\fIlogfile\fR +option is set, +\fIsudoers\fR +will log to a local file, such as +\fI/var/log/sudo\fR. +When logging to a file, +\fIsudoers\fR +uses a format similar to +syslog(3), +with a few important differences: +.TP 5n +1. +The +\fIprogname\fR +and +\fIhostname\fR +fields are not present. +.TP 5n +2. +If the +\fIlog_year\fR +\fIsudoers\fR +option is enabled, +the date will also include the year. +.TP 5n +3. +Lines that are longer than +\fIloglinelen\fR +characters (80 by default) are word-wrapped and continued on the +next line with a four character indent. +This makes entries easier to read for a human being, but makes it +more difficult to use +grep(1) +on the log files. +If the +\fIloglinelen\fR +\fIsudoers\fR +option is set to 0 (or negated with a +`\&!'), +word wrap will be disabled. +.SH "SECURITY NOTES" +\fBsudo\fR +tries to be safe when executing external commands. +.PP +To prevent command spoofing, +\fBsudo\fR +checks "." and "" (both denoting current directory) last when +searching for a command in the user's +\fRPATH\fR +(if one or both are in the +\fRPATH\fR). +Note, however, that the actual +\fRPATH\fR +environment variable is +\fInot\fR +modified and is passed unchanged to the program that +\fBsudo\fR +executes. +.PP +\fBsudo\fR +will check the ownership of its time stamp directory +(\fI@timedir@\fR +by default) +and ignore the directory's contents if it is not owned by root or +if it is writable by a user other than root. +On systems that allow non-root users to give away files via +chown(2), +if the time stamp directory is located in a world-writable +directory (e.g.\&, +\fI/tmp\fR), +it is possible for a user to create the time stamp directory before +\fBsudo\fR +is run. +However, because +\fBsudo\fR +checks the ownership and mode of the directory and its +contents, the only damage that can be done is to +``hide'' +files by putting them in the time stamp dir. +This is unlikely to happen since once the time stamp dir is owned by root +and inaccessible by any other user, the user placing files there would be +unable to get them back out. +.PP +\fBsudo\fR +will not honor time stamps set far in the future. +Time stamps with a date greater than current_time + 2 * +\fRTIMEOUT\fR +will be ignored and sudo will log and complain. +This is done to keep a user from creating his/her own time stamp with a +bogus date on systems that allow users to give away files if the time +stamp directory is located in a world-writable directory. +.PP +On systems where the boot time is available, +\fBsudo\fR +will ignore time stamps that date from before the machine booted. .PP Since time stamp files live in the file system, they can outlive a -user's login session. As a result, a user may be able to login, -run a command with \fBsudo\fR after authenticating, logout, login -again, and run \fBsudo\fR without authenticating so long as the time -stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or -whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR -option is enabled in \fIsudoers\fR, the time stamp has per-tty granularity -but still may outlive the user's session. On Linux systems where -the devpts filesystem is used, Solaris systems with the devices -filesystem, as well as other systems that utilize a devfs filesystem -that monotonically increase the inode number of devices as they are -created (such as Mac \s-1OS\s0 X), \fBsudo\fR is able to determine when a -tty-based time stamp file is stale and will ignore it. Administrators -should not rely on this feature as it is not universally available. -.PP -Please note that \fBsudo\fR will normally only log the command it -explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or -\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be -logged, nor will \fBsudo\fR's access control affect them. The same -is true for commands that offer shell escapes (including most -editors). Because of this, care must be taken when giving users -access to commands via \fBsudo\fR to verify that the command does not -inadvertently give the user an effective root shell. For more -information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in -\&\fIsudoers\fR\|(@mansectform@). +user's login session. +As a result, a user may be able to login, run a command with +\fBsudo\fR +after authenticating, logout, login again, and run +\fBsudo\fR +without authenticating so long as the time stamp file's modification +time is within +\fR@timeout@\fR +minutes (or whatever the timeout is set to in +\fIsudoers\fR). +When the +\fItty_tickets\fR +\fIsudoers\fR +option is enabled, the time stamp has per-tty granularity but still +may outlive the user's session. +On Linux systems where the devpts filesystem is used, Solaris systems +with the devices filesystem, as well as other systems that utilize a +devfs filesystem that monotonically increase the inode number of devices +as they are created (such as Mac OS X), +\fBsudo\fR +is able to determine when a tty-based time stamp file is stale and will +ignore it. +Administrators should not rely on this feature as it is not universally +available. +.PP +Please note that +\fBsudo\fR +will normally only log the command it explicitly runs. +If a user runs a command such as +\fRsudo su\fR +or +\fRsudo sh\fR, +subsequent commands run from that shell are not subject to +\fBsudo\fR's +security policy. +The same is true for commands that offer shell escapes (including +most editors). +If I/O logging is enabled, subsequent commands will have their input and/or +output logged, but there will not be traditional logs for those commands. +Because of this, care must be taken when giving users access to commands via +\fBsudo\fR +to verify that the command does not inadvertently give the user an +effective root shell. +For more information, please see the +\fIPREVENTING SHELL ESCAPES\fR +section in +sudoers(@mansectform@). +.PP +To prevent the disclosure of potentially sensitive information, +\fBsudo\fR +disables core dumps by default while it is executing (they are +re-enabled for the command that is run). +.PP +For information on the security implications of +\fIsudoers\fR +entries, please see the +\fISECURITY NOTES\fR +section in +sudoers(@mansectform@). .SH "ENVIRONMENT" -.IX Header "ENVIRONMENT" -\&\fBsudo\fR utilizes the following environment variables: -.ie n .IP "\*(C`EDITOR\*(C'" 16 -.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16 -.IX Item "EDITOR" -Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR -nor \f(CW\*(C`VISUAL\*(C'\fR is set. -.ie n .IP "\*(C`MAIL\*(C'" 16 -.el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16 -.IX Item "MAIL" -In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set -to the mail spool of the target user. -.ie n .IP "\*(C`HOME\*(C'" 16 -.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16 -.IX Item "HOME" -Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are -specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR, -or when the \fB\-s\fR option is specified and \fIset_home\fR is set in -\&\fIsudoers\fR. -.ie n .IP "\*(C`PATH\*(C'" 16 -.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16 -.IX Item "PATH" -Set to a sane value if the \fIsecure_path\fR sudoers option is set. -.ie n .IP "\*(C`SHELL\*(C'" 16 -.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16 -.IX Item "SHELL" -Used to determine shell to run with \fB\-s\fR option. -.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16 -.IX Item "SUDO_ASKPASS" +\fBsudo\fR +utilizes the following environment variables: +.TP 17n +\fREDITOR\fR +Default editor to use in +\fB\-e\fR +(sudoedit) mode if neither +\fRSUDO_EDITOR\fR +nor +\fRVISUAL\fR +is set. +.TP 17n +\fRMAIL\fR +In +\fB\-i\fR +mode or when +\fIenv_reset\fR +is enabled in +\fIsudoers\fR, +set to the mail spool of the target user. +.TP 17n +\fRHOME\fR +Set to the home directory of the target user if +\fB\-i\fR +or +\fB\-H\fR +are specified, +\fIenv_reset\fR +or +\fIalways_set_home\fR +are set in +\fIsudoers\fR, +or when the +\fB\-s\fR +option is specified and +\fIset_home\fR +is set in +\fIsudoers\fR. +.TP 17n +\fRPATH\fR +Set to a sane value if the +\fIsecure_path\fR +option is set in the +\fIsudoers\fR +file. +.TP 17n +\fRSHELL\fR +Used to determine shell to run with +\fB\-s\fR +option. +.TP 17n +\fRSUDO_ASKPASS\fR Specifies the path to a helper program used to read the password -if no terminal is available or if the \fB\-A\fR option is specified. -.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16 -.IX Item "SUDO_COMMAND" +if no terminal is available or if the +\fB\-A\fR +option is specified. +.TP 17n +\fRSUDO_COMMAND\fR Set to the command run by sudo. -.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16 -.IX Item "SUDO_EDITOR" -Default editor to use in \fB\-e\fR (sudoedit) mode. -.ie n .IP "\*(C`SUDO_GID\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16 -.IX Item "SUDO_GID" -Set to the group \s-1ID\s0 of the user who invoked sudo. -.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16 -.IX Item "SUDO_PROMPT" +.TP 17n +\fRSUDO_EDITOR\fR +Default editor to use in +\fB\-e\fR +(sudoedit) mode. +.TP 17n +\fRSUDO_GID\fR +Set to the group ID of the user who invoked sudo. +.TP 17n +\fRSUDO_PROMPT\fR Used as the default password prompt. -.ie n .IP "\*(C`SUDO_PS1\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16 -.IX Item "SUDO_PS1" -If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run. -.ie n .IP "\*(C`SUDO_UID\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16 -.IX Item "SUDO_UID" -Set to the user \s-1ID\s0 of the user who invoked sudo. -.ie n .IP "\*(C`SUDO_USER\*(C'" 16 -.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16 -.IX Item "SUDO_USER" -Set to the login of the user who invoked sudo. -.ie n .IP "\*(C`USER\*(C'" 16 -.el .IP "\f(CW\*(C`USER\*(C'\fR" 16 -.IX Item "USER" -Set to the target user (root unless the \fB\-u\fR option is specified). -.ie n .IP "\*(C`VISUAL\*(C'" 16 -.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 -.IX Item "VISUAL" -Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR +.TP 17n +\fRSUDO_PS1\fR +If set, +\fRPS1\fR +will be set to its value for the program being run. +.TP 17n +\fRSUDO_UID\fR +Set to the user ID of the user who invoked sudo. +.TP 17n +\fRSUDO_USER\fR +Set to the login name of the user who invoked sudo. +.TP 17n +\fRUSER\fR +Set to the target user (root unless the +\fB\-u\fR +option is specified). +.TP 17n +\fRVISUAL\fR +Default editor to use in +\fB\-e\fR +(sudoedit) mode if +\fRSUDO_EDITOR\fR is not set. .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 -.el .IP "\fI@sysconfdir@/sudoers\fR" 24 -.IX Item "@sysconfdir@/sudoers" +.TP 26n +\fI@sysconfdir@/sudoers\fR List of who can run what -.ie n .IP "\fI@timedir@\fR" 24 -.el .IP "\fI@timedir@\fR" 24 -.IX Item "@timedir@" +.TP 26n +\fI@timedir@\fR Directory containing time stamps -.IP "\fI/etc/environment\fR" 24 -.IX Item "/etc/environment" -Initial environment for \fB\-i\fR mode on \s-1AIX\s0 and Linux systems +.TP 26n +\fI/etc/environment\fR +Initial environment for +\fB\-i\fR +mode on AIX and Linux systems .SH "EXAMPLES" -.IX Header "EXAMPLES" -Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries. +Note: the following examples assume suitable +sudoers(@mansectform@) +entries. .PP To get a file listing of an unreadable directory: +.nf +.sp +.RS 6n +$ sudo ls /usr/local/protected +.RE +.fi .PP -.Vb 1 -\& $ sudo ls /usr/local/protected -.Ve -.PP -To list the home directory of user yaz on a machine where the -file system holding ~yaz is not exported as root: -.PP -.Vb 1 -\& $ sudo \-u yaz ls ~yaz -.Ve -.PP -To edit the \fIindex.html\fR file as user www: -.PP -.Vb 1 -\& $ sudo \-u www vi ~www/htdocs/index.html -.Ve +To list the home directory of user yaz on a machine where the file +system holding ~yaz is not exported as root: +.nf +.sp +.RS 6n +$ sudo -u yaz ls ~yaz +.RE +.fi .PP -To view system logs only accessible to root and users in the adm group: +To edit the +\fIindex.html\fR +file as user www: +.nf +.sp +.RS 6n +$ sudo -u www vi ~www/htdocs/index.html +.RE +.fi .PP -.Vb 1 -\& $ sudo \-g adm view /var/log/syslog -.Ve +To view system logs only accessible to root and users in the adm +group: +.nf +.sp +.RS 6n +$ sudo -g adm view /var/log/syslog +.RE +.fi .PP To run an editor as jim with a different primary group: +.nf +.sp +.RS 6n +$ sudo -u jim -g audio vi ~jim/sound.txt +.RE +.fi .PP -.Vb 1 -\& $ sudo \-u jim \-g audio vi ~jim/sound.txt -.Ve -.PP -To shutdown a machine: -.PP -.Vb 1 -\& $ sudo shutdown \-r +15 "quick reboot" -.Ve -.PP -To make a usage listing of the directories in the /home -partition. Note that this runs the commands in a sub-shell -to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. +To shut down a machine: +.nf +.sp +.RS 6n +$ sudo shutdown -r +15 "quick reboot" +.RE +.fi .PP -.Vb 1 -\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE" -.Ve +To make a usage listing of the directories in the /home partition. +Note that this runs the commands in a sub-shell to make the +\fRcd\fR +and file redirection work. +.nf +.sp +.RS 6n +$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +.RE +.fi .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), -.if \n(LC \&\fIlogin_cap\fR\|(3), -\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@) +grep(1), +su(1), +stat(2), +login_cap(3), +passwd(@mansectform@), +sudoers(@mansectform@), +sudoreplay(@mansectsu@), +visudo(@mansectsu@) +.SH "HISTORY" +See the HISTORY file in the +\fBsudo\fR +distribution (http://www.sudo.ws/sudo/history.html) for a brief +history of sudo. .SH "AUTHORS" -.IX Header "AUTHORS" -Many people have worked on \fBsudo\fR over the years; this -version consists of code written primarily by: -.PP -.Vb 1 -\& Todd C. Miller -.Ve +Many people have worked on +\fBsudo\fR +over the years; this version consists of code written primarily by: +.sp +.RS 6n +Todd C. Miller +.RE .PP -See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit -http://www.sudo.ws/sudo/history.html for a short history -of \fBsudo\fR. +See the CONTRIBUTORS file in the +\fBsudo\fR +distribution (http://www.sudo.ws/sudo/contributors.html) for an +exhaustive list of people who have contributed to +\fBsudo\fR. .SH "CAVEATS" -.IX Header "CAVEATS" There is no easy way to prevent a user from gaining a root shell -if that user is allowed to run arbitrary commands via \fBsudo\fR. +if that user is allowed to run arbitrary commands via +\fBsudo\fR. Also, many programs (such as editors) allow the user to run commands -via shell escapes, thus avoiding \fBsudo\fR's checks. However, on -most systems it is possible to prevent shell escapes with \fBsudo\fR's -\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual -for details. -.PP -It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g., +via shell escapes, thus avoiding +\fBsudo\fR's +checks. +However, on most systems it is possible to prevent shell escapes with +\fBsudo ' s\fR +\fInoexec\fR +functionality. +See the +sudoers(@mansectform@) +manual for details. .PP -.Vb 1 -\& $ sudo cd /usr/local/protected -.Ve +It is not meaningful to run the +\fRcd\fR +command directly via sudo, e.g., +.nf +.sp +.RS 6n +$ sudo cd /usr/local/protected +.RE +.fi .PP since when the command exits the parent process (your shell) will -still be the same. Please see the \s-1EXAMPLES\s0 section for more information. -.PP -If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from -creating their own program that gives them a root shell regardless -of any '!' elements in the user specification. +still be the same. +Please see the +\fIEXAMPLES\fR +section for more information. .PP -Running shell scripts via \fBsudo\fR can expose the same kernel bugs that -make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0 -has a /dev/fd/ directory, setuid shell scripts are generally safe). +Running shell scripts via +\fBsudo\fR +can expose the same kernel bugs that make setuid shell scripts +unsafe on some operating systems (if your OS has a /dev/fd/ directory, +setuid shell scripts are generally safe). .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/sudo.mdoc.in b/sudo.mdoc.in new file mode 100644 index 000000000..1c5c3f6b6 --- /dev/null +++ b/sudo.mdoc.in @@ -0,0 +1,1546 @@ +.\" +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012 +.\" Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" Sponsored in part by the Defense Advanced Research Projects +.\" Agency (DARPA) and Air Force Research Laboratory, Air Force +.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. +.\" +.Dd July 10, 2012 +.Dt SUDO @mansectsu@ +.Os Sudo @PACKAGE_VERSION@ +.Sh NAME +.Nm sudo , +.Nm sudoedit +.Nd execute a command as another user +.Sh SYNOPSIS +.Nm sudo +.Fl h No | Fl K No | Fl k No | Fl L No | Fl V +.Nm sudo +.Fl v +.Op Fl AknS +.Bk -words +.Op Fl a Ar auth_type +.Ek +.Bk -words +.Op Fl g Ar group name No | Ar #gid +.Ek +.Bk -words +.Op Fl p Ar prompt +.Ek +.Bk -words +.Op Fl u Ar user name No | Ar #uid +.Ek +.Nm sudo +.Fl l Ns Op Ar l +.Op Fl AknS +.Bk -words +.Op Fl a Ar auth_type +.Ek +.Bk -words +.Op Fl g Ar group name No | Ar #gid +.Ek +.Bk -words +.Op Fl p Ar prompt +.Ek +.Bk -words +.Op Fl U Ar user name +.Ek +.Bk -words +.Op Fl u Ar user name No | Ar #uid +.Ek +.Op Ar command +.Nm sudo +.Op Fl AbEHnPS +.Bk -words +.Op Fl a Ar auth_type +.Ek +.Bk -words +.Op Fl C Ar fd +.Ek +.Bk -words +.Op Fl c Ar class No | Ar - +.Ek +.Bk -words +.Op Fl g Ar group name No | Ar #gid +.Ek +.Bk -words +.Op Fl p Ar prompt +.Ek +.Bk -words +.Op Fl r Ar role +.Ek +.Bk -words +.Op Fl t Ar type +.Ek +.Bk -words +.Op Fl u Ar user name No | Ar #uid +.Ek +.Bk -words +.Op Sy VAR Ns = Ns Ar value +.Ek +.Bk -words +.Fl i No | Fl s +.Ek +.Op Ar command +.Nm sudoedit +.Op Fl AnS +.Bk -words +.Op Fl a Ar auth_type +.Ek +.Bk -words +.Op Fl C Ar fd +.Ek +.Bk -words +.Op Fl c Ar class No | Ar - +.Ek +.Bk -words +.Op Fl g Ar group name No | Ar #gid +.Ek +.Bk -words +.Op Fl p Ar prompt +.Ek +.Bk -words +.Op Fl u Ar user name No | Ar #uid +.Ek +.Bk -words +file ... +.Ek +.Sh DESCRIPTION +.Nm sudo +allows a permitted user to execute a +.Ar command +as the superuser or another user, as specified by the +.Em sudoers +file. +The real and effective uid and gid are set to match those of the +target user, as specified in the password database, and the group +vector is initialized based on the group database (unless the +.Fl P +option was specified). +See the +.Sx Command Environment +section below for more details. +.Pp +.Nm sudo +determines who is an authorized user by consulting the file +.Pa @sysconfdir@/sudoers . +By running +.Nm sudo +with the +.Fl v +option, a user can update the time stamp without running a +.Ar command . +If authentication is required, +.Nm sudo +will exit if the user's password is not entered within a configurable +time limit. +The default password prompt timeout is +.Li @password_timeout@ +minutes. +.Pp +When invoked as +.Nm sudoedit , +the +.Fl e +option (described below), is implied. +.Pp +The options are as follows: +.Bl -tag -width Fl +.It Fl A +Normally, if +.Nm sudo +requires a password, it will read it from the user's terminal. +If the +.Fl A No ( Em askpass Ns No ) +option is specified, a (possibly graphical) helper program is +executed to read the user's password and output the password to the +standard output. +If the +.Ev SUDO_ASKPASS +environment variable is set, it specifies the path to the helper +program. +Otherwise, the value specified by the +.Em askpass +option in +.Xr sudoers @mansectform@ +is used. +If no askpass program is available, +.Nm sudo +will exit with an error. +.It Fl a Ar type +The +.Fl a No ( Em "authentication type" Ns No ) +option causes +.Nm sudo +to use the specified authentication type when validating the user, +as allowed by +.Pa /etc/login.conf . +The system administrator may specify a list of sudo-specific +authentication methods by adding an +.Dq auth-sudo +entry in +.Pa /etc/login.conf . +This option is only available on systems that support BSD authentication. +.It Fl b +The +.Fl b No ( Em background Ns No ) +option tells +.Nm sudo +to run the given command in the background. +Note that if you use the +.Fl b +option you cannot use shell job control to manipulate the process. +Most interactive commands will fail to work properly in background +mode. +.It Fl C Ar fd +Normally, +.Nm sudo +will close all open file descriptors other than standard input, +standard output and standard error. +The +.Fl C No ( Em close from Ns No ) +option allows the user to specify a starting point above the standard +error (file descriptor three). +Values less than three are not permitted. +This option is only available when the administrator has enabled the +.Em closefrom_override +option in +.Xr sudoers @mansectform@ . +.It Fl c Ar class +The +.Fl c No ( Em class Ns No ) +option causes +.Nm sudo +to run the specified command with resources limited by the specified +login class. +The +.Em class +argument can be either a class name as defined in +.Pa /etc/login.conf , +or a single +.Ql \- +character. +Specifying a +.Ar class +of +.Li - +indicates that the command should be run restricted by the default +login capabilities for the user the command is run as. +If the +.Ar class +argument specifies an existing user class, the command must be run +as root, or the +.Nm sudo +command must be run from a shell that is already root. +This option is only available on systems with BSD login classes. +.It Fl E +The +.Fl E No ( Em preserve environment Ns No ) +option will override the +.Em env_reset +option in +.Xr sudoers @mansectform@ . +It is only available when either the matching command has the +.Li SETENV +tag or the +.Em setenv +option is set in +.Xr sudoers @mansectform@ . +.Nm sudo +will return an error if the +.Fl E +option is specified and the user does not have permission to preserve +the environment. +.It Fl e +The +.Fl e No ( Em edit Ns No ) +option indicates that, instead of running a command, the user wishes +to edit one or more files. +In lieu of a command, the string "sudoedit" is used when consulting the +.Em sudoers +file. +If the user is authorized by +.Em sudoers , +the following steps are taken: +.Bl -enum -offset 4 +.It +Temporary copies are made of the files to be edited with the owner +set to the invoking user. +.It +The editor specified by the +.Ev SUDO_EDITOR , +.Ev VISUAL +or +.Ev EDITOR +environment variables (in that order) is run to edit the temporary files. +If none of +.Ev SUDO_EDITOR , +.Ev VISUAL +or +.Ev EDITOR +are set, the first program listed in the +.Em editor +.Xr sudoers @mansectform@ +option is used. +.It +If they have been modified, the temporary files are copied back to +their original location and the temporary versions are removed. +.El +.Pp +If the specified file does not exist, it will be created. +Note that unlike most commands run by +.Em sudo , +the editor is run with the invoking user's environment unmodified. +If, for some reason, +.Nm sudo +is unable to update a file with its edited version, the user will +receive a warning and the edited copy will remain in a temporary +file. +.It Fl g Ar group +Normally, +.Nm sudo +runs a command with the primary group set to the one specified by +the password database for the user the command is being run as (by +default, root). +The +.Fl g No ( Em group Ns No ) +option causes +.Nm sudo +to run the command with the primary group set to +.Ar group +instead. +To specify a +.Em gid +instead of a +.Em "group name" , +use +.Em #gid . +When running commands as a +.Em gid , +many shells require that the +.Ql # +be escaped with a backslash +.Pq Ql \e . +If no +.Fl u +option is specified, the command will be run as the invoking user +(not root). +In either case, the primary group will be set to +.Em group . +.It Fl H +The +.Fl H No ( Em HOME Ns No ) +option option sets the +.Ev HOME +environment variable to the home directory of the target user (root +by default) as specified by the password database. +The default handling of the +.Ev HOME +environment variable depends on +.Xr sudoers @mansectform@ +settings. +By default, +.Nm sudo +will set +.Ev HOME +if +.Em env_reset +or +.Em always_set_home +are set, or if +.Em set_home +is set and the +.Fl s +option is specified on the command line. +.It Fl h +The +.Fl h No ( Em help Ns No ) +option causes +.Nm sudo +to print a short help message to the standard output and exit. +.It Fl i Op Ar command +The +.Fl i No ( Em simulate initial login Ns No ) +option runs the shell specified by the password database entry of +the target user as a login shell. +This means that login-specific resource files such as +.Pa .profile +or +.Pa .login +will be read by the shell. +If a command is specified, it is passed to the shell for execution +via the shell's +.Fl c +option. +If no command is specified, an interactive shell is executed. +.Nm sudo +attempts to change to that user's home directory before running the +shell. +It also initializes the environment to a minimal +set of variables, similar to what is present when a user logs in. +The +.Sx Command Environment +section below documents in detail how the +.Fl i +option affects the environment in which a command is run. +.It Fl K +The +.Fl K No ( sure Em kill Ns No ) +option is like +.Fl k +except that it removes the user's time stamp file entirely and +may not be used in conjunction with a command or other option. +This option does not require a password. +.It Fl k Op Ar command +When used alone, the +.Fl k No ( Em kill Ns No ) +option to +.Nm sudo +invalidates the user's time stamp file. +The next time +.Nm sudo +is run a password will be required. +This option does not require a password and was added to allow a +user to revoke +.Nm sudo +permissions from a +.Pa .logout +file. +.Pp +When used in conjunction with a command or an option that may require +a password, the +.Fl k +option will cause +.Nm sudo +to ignore the user's time stamp file. +As a result, +.Nm sudo +will prompt for a password (if one is required by +.Em sudoers ) +and will not update the user's time stamp file. +.It Fl L +The +.Fl L No ( Em list No defaults Ns ) +option will list the parameters that +may be set in a +.Em Defaults +line along with a short description for each. +This option will be removed from a future version of +.Nm sudo . +.It Fl l Ns Oo Sy l Oc Op Ar command +If no +.Ar command +is specified, the +.Fl l No ( Em list Ns No ) +option will list the allowed (and forbidden) commands for the +invoking user (or the user specified by the +.Fl U +option) on the current host. +If a +.Ar command +is specified and is permitted by +.Em sudoers , +the fully-qualified +path to the command is displayed along with any command line +arguments. +If +.Ar command +is specified but not allowed, +.Nm sudo +will exit with a status value of 1. +If the +.Fl l +option is specified with an +.Ar l +argument +.Pq i.e.\& Fl ll , +or if +.Fl l +is specified multiple times, a longer list format is used. +.It Fl n +The +.Fl n No ( Em non-interactive Ns No ) +option prevents +.Nm sudo +from prompting the user for a password. +If a password is required for the command to run, +.Nm sudo +will display an error message and exit. +.It Fl P +The +.Fl P No ( Em preserve group vector Ns No ) +option causes +.Nm sudo +to preserve the invoking user's group vector unaltered. +By default, +.Nm sudo +will initialize the group vector to the list of groups the +target user is in. +The real and effective group IDs, however, are still set to match +the target user. +.It Fl p Ar prompt +The +.Fl p No ( Em prompt Ns No ) +option allows you to override the default password prompt and use +a custom one. +The following percent +.Pq Ql % +escapes are supported: +.Bl -tag -width 2n +.It Li %H +expanded to the host name including the domain name (on if the +machine's host name is fully qualified or the +.Em fqdn +option is set in +.Xr sudoers @mansectform@ ) +.It Li %h +expanded to the local host name without the domain name +.It Li %p +expanded to the name of the user whose password is being requested +(respects the +.Em rootpw , +.Em targetpw , +and +.Em runaspw +flags in +.Xr sudoers @mansectform@ ) +.It Li \&%U +expanded to the login name of the user the command will be run as +(defaults to root unless the +.Fl u +option is also specified) +.It Li %u +expanded to the invoking user's login name +.It Li %% +two consecutive +.Ql % +characters are collapsed into a single +.Ql % +character +.El +.Pp +The prompt specified by the +.Fl p +option will override the system password prompt on systems that +support PAM unless the +.Em passprompt_override +flag is disabled in +.Em sudoers . +.It Fl r Ar role +The +.Fl r No ( Em role Ns No ) +option causes the new (SELinux) security context to have the role +specified by +.Ar role . +.It Fl S +The +.Fl S ( Em stdin Ns No ) +option causes +.Nm sudo +to read the password from the standard input instead of the terminal +device. +The password must be followed by a newline character. +.It Fl s Op Ar command +The +.Fl s ( Em shell Ns No ) +option runs the shell specified by the +.Ev SHELL +environment variable if it is set or the shell as specified in the +password database. +If a command is specified, it is passed to the shell for execution +via the shell's +.Fl c +option. +If no command is specified, an interactive shell is executed. +.It Fl t Ar type +The +.Fl t ( Em type Ns No ) +option causes the new (SELinux) security context to have the type +specified by +.Ar type . +If no type is specified, the default type is derived from the +specified role. +.It Fl U Ar user +The +.Fl U ( Em other user Ns No ) +option is used in conjunction with the +.Fl l +option to specify the user whose privileges should be listed. +Only root or a user with the +.Li ALL +privilege on the current host may use this option. +.It Fl u Ar user +The +.Fl u ( Em user Ns No ) +option causes +.Nm sudo +to run the specified command as a user other than +.Em root . +To specify a +.Em uid +instead of a +.Em user name , +.Em #uid . +When running commands as a +.Em uid , +many shells require that the +.Ql # +be escaped with a backslash +.Pq Ql \e . +Note that if the +.Em targetpw +Defaults option is set (see +.Xr sudoers @mansectform@ ) , +it is not possible to run commands with a uid not listed in the +password database. +.It Fl V +The +.Fl V ( Em version Ns No ) +option causes +.Nm sudo +to print its version string and exit. +If the invoking user is already root the +.Fl V +option will display the arguments passed to configure when +.Nm sudo +was built as well a list of the defaults +.Nm sudo +was compiled with as well as the machine's local network addresses. +.It Fl v +When given the +.Fl v ( Em validate Ns No ) +option, +.Nm sudo +will update the user's time stamp file, authenticating the user's +password if necessary. +This extends the +.Nm sudo +timeout for another +.Li @timeout@ +minutes (or whatever the timeout is set to in +.Em sudoers ) +but does not run a command. +.It Fl - +The +.Fl - +option indicates that +.Nm sudo +should stop processing command line arguments. +.El +.Pp +Environment variables to be set for the command may also be passed +on the command line in the form of +.Sy VAR Ns No = Ns Em value , +e.g.\& +.Sy LD_LIBRARY_PATH Ns No = Ns Em /usr/local/pkg/lib . +Variables passed on the command line are subject to the same +restrictions as normal environment variables with one important +exception. +If the +.Em setenv +option is set in +.Em sudoers , +the command to be run has the +.Li SETENV +tag set or the command matched is +.Li ALL , +the user may set variables that would otherwise be forbidden. +See +.Xr sudoers @mansectform@ +for more information. +.Ss Authentication and Logging +.Nm sudo +requires that most users authenticate themselves by default. +A password is not required +if the invoking user is root, if the target user is the same as the +invoking user, or if the authentication has been disabled for the +user or command in the +.Em sudoers +file. +Unlike +.Xr su 1 , +when +.Nm sudo +requires +authentication, it validates the invoking user's credentials, not +the target user's (or root's) credentials. +This can be changed via +the +.Em rootpw , +.Em targetpw +and +.Em runaspw +Defaults entries in +.Em sudoers . +.Pp +If a user who is not listed in +.Em sudoers +tries to run a command via +.Nm sudo , +mail is sent to the proper authorities. +The address +used for such mail is configurable via the +.Em mailto +.Em sudoers +Defaults entry and defaults to +.Li @mailto@ . +.Pp +Note that mail will not be sent if an unauthorized user tries to +run +.Nm sudo +with the +.Fl l +or +.Fl v +option. +This allows users to +determine for themselves whether or not they are allowed to use +.Nm sudo . +.Pp +If +.Nm sudo +is run by root and the +.Ev SUDO_USER +environment variable +is set, its value will be used to determine who the actual user is. +This can be used by a user to log commands +through +.Nm sudo +even when a root shell has been invoked. +It also +allows the +.Fl e +option to remain useful even when invoked via a +sudo-run script or program. +Note, however, that the +.Em sudoers +lookup is still done for root, not the user specified by +.Ev SUDO_USER . +.Pp +.Nm sudo +uses time stamp files for credential caching. +Once a +user has been authenticated, the time stamp is updated and the user +may then use sudo without a password for a short period of time +.Po +.Li @timeout@ +minutes unless overridden by the +.Em timeout +option +.Pc . +By default, +.Nm sudo +uses a tty-based time stamp which means that +there is a separate time stamp for each of a user's login sessions. +The +.Em tty_tickets +option can be disabled to force the use of a +single time stamp for all of a user's sessions. +.Pp +.Nm sudo +can log both successful and unsuccessful attempts (as well +as errors) to +.Xr syslog 3 , +a log file, or both. +By default, +.Nm sudo +will log via +.Xr syslog 3 +but this is changeable via the +.Em syslog +and +.Em logfile +Defaults settings. +.Pp +.Nm sudo +also supports logging a command's input and output +streams. +I/O logging is not on by default but can be enabled using +the +.Em log_input +and +.Em log_output +Defaults flags as well as the +.Li LOG_INPUT +and +.Li LOG_OUTPUT +command tags. +.Ss Command Environment +Since environment variables can influence program behavior, +.Nm sudo +provides a means to restrict which variables from the user's +environment are inherited by the command to be run. +There are two +distinct ways +.Em sudoers +can be configured to handle with environment variables. +.Pp +By default, the +.Em env_reset +option is enabled. +This causes commands +to be executed with a new, minimal environment. +On AIX (and Linux +systems without PAM), the environment is initialized with the +contents of the +.Pa /etc/environment +file. +On BSD systems, if the +.Em use_loginclass +option is enabled, the environment is initialized +based on the +.Em path +and +.Em setenv +settings in +.Pa /etc/login.conf . +The new environment contains the +.Ev TERM , +.Ev PATH , +.Ev HOME , +.Ev MAIL , +.Ev SHELL , +.Ev LOGNAME , +.Ev USER , +.Ev USERNAME +and +.Ev SUDO_* +variables +in addition to variables from the invoking process permitted by the +.Em env_check +and +.Em env_keep +options. +This is effectively a whitelist +for environment variables. +.Pp +If, however, the +.Em env_reset +option is disabled, any variables not +explicitly denied by the +.Em env_check +and +.Em env_delete +options are +inherited from the invoking process. +In this case, +.Em env_check +and +.Em env_delete +behave like a blacklist. +Since it is not possible +to blacklist all potentially dangerous environment variables, use +of the default +.Em env_reset +behavior is encouraged. +.Pp +In all cases, environment variables with a value beginning with +.Li () +are removed as they could be interpreted as +.Sy bash +functions. +The list of environment variables that +.Nm sudo +allows or denies is +contained in the output of +.Dq Li sudo -V +when run as root. +.Pp +Note that the dynamic linker on most operating systems will remove +variables that can control dynamic linking from the environment of +setuid executables, including +.Nm sudo . +Depending on the operating +system this may include +.Ev _RLD* , +.Ev DYLD_* , +.Ev LD_* , +.Ev LDR_* , +.Ev LIBPATH , +.Ev SHLIB_PATH , +and others. +These type of variables are +removed from the environment before +.Nm sudo +even begins execution +and, as such, it is not possible for +.Nm sudo +to preserve them. +.Pp +As a special case, if +.Nm sudo Ns No 's +.Fl i +option (initial login) is +specified, +.Nm sudo +will initialize the environment regardless +of the value of +.Em env_reset . +The +.Ev DISPLAY , +.Ev PATH +and +.Ev TERM +variables remain unchanged; +.Ev HOME , +.Ev MAIL , +.Ev SHELL , +.Ev USER , +and +.Ev LOGNAME +are set based on the target user. +On AIX (and Linux +systems without PAM), the contents of +.Pa /etc/environment +are also +included. +On BSD systems, if the +.Em use_loginclass +option is +enabled, the +.Em path +and +.Em setenv +variables in +.Pa /etc/login.conf +are also applied. +All other environment variables are removed. +.Pp +Finally, if the +.Em env_file +option is defined, any variables present +in that file will be set to their specified values as long as they +would not conflict with an existing environment variable. +.Sh EXIT VALUE +Upon successful execution of a program, the exit status from +.Em sudo +will simply be the exit status of the program that was executed. +.Pp +Otherwise, +.Nm sudo +exits with a value of 1 if there is a configuration/permission +problem or if +.Nm sudo +cannot execute the given command. +In the latter case the error string is printed to the standard error. +If +.Nm sudo +cannot +.Xr stat 2 +one or more entries in the user's +.Ev PATH , +an error is printed on stderr. +(If the directory does not exist or if it is not really a directory, +the entry is ignored and no error is printed.) +This should not happen under normal circumstances. +The most common reason for +.Xr stat 2 +to return +.Dq permission denied +is if you are running an automounter and one of the directories in +your +.Ev PATH +is on a machine that is currently unreachable. +.Sh LOG FORMAT +.Nm sudo +can log events using either +.Xr syslog 3 +or a simple log file. +In each case the log format is almost identical. +.Ss Accepted command log entries +Commands that sudo runs are logged using the following format (split +into multiple lines for readability): +.Bd -literal -offset 4n +date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e + USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e + ENV=env_vars COMMAND=command +.Ed +.Pp +Where the fields are as follows: +.Bl -tag -width 12n +.It date +The date the command was run. +Typically, this is in the format +.Dq MMM, DD, HH:MM:SS . +If logging via +.Xr syslog 3 , +the actual date format is controlled by the syslog daemon. +If logging to a file and the +.Em log_year +option is enabled, +the date will also include the year. +.It hostname +The name of the host +.Nm sudo +was run on. +This field is only present when logging via +.Xr syslog 3 . +.It progname +The name of the program, usually +.Em sudo +or +.Em sudoedit . +This field is only present when logging via +.Xr syslog 3 . +.It username +The login name of the user who ran +.Nm sudo . +.It ttyname +The short name of the terminal (e.g.\& +.Dq console , +.Dq tty01 , +or +.Dq pts/0 ) +.Nm sudo +was run on, or +.Dq unknown +if there was no terminal present. +.It cwd +The current working directory that +.Nm sudo +was run in. +.It runasuser +The user the command was run as. +.It runasgroup +The group the command was run as if one was specified on the command line. +.It logid +An I/O log identifier that can be used to replay the command's output. +This is only present when the +.Em log_input +or +.Em log_output +option is enabled. +.It env_vars +A list of environment variables specified on the command line, +if specified. +.It command +The actual command that was executed. +.El +.Pp +Messages are logged using the locale specified by +.Em sudoers_locale , +which defaults to the +.Dq Li C +locale. +.Ss Denied command log entries +If the user is not allowed to run the command, the reason for the denial +will follow the user name. +Possible reasons include: +.Bl -tag -width 4 +.It user NOT in sudoers +The user is not listed in the +.Em sudoers +file. +.It user NOT authorized on host +The user is listed in the +.Em sudoers +file but is not allowed to run commands on the host. +.It command not allowed +The user is listed in the +.Em sudoers +file for the host but they are not allowed to run the specified command. +.It 3 incorrect password attempts +The user failed to enter their password after 3 tries. +The actual number of tries will vary based on the number of +failed attempts and the value of the +.Em passwd_tries +.Em sudoers +option. +.It a password is required +The +.Fl n +option was specified but a password was required. +.It sorry, you are not allowed to set the following environment variables +The user specified environment variables on the command line that +were not allowed by +.Em sudoers . +.El +.Ss Error log entries +If an error occurs, +.Nm sudo +will log a message and, in most cases, send a message to the +administrator via email. +Possible errors include: +.Bl -tag -width 4 +.It parse error in @sysconfdir@/sudoers near line N +.Nm sudo +encountered an error when parsing the specified file. +In some cases, the actual error may be one line above or below the +line number listed, depending on the type of error. +.It problem with defaults entries +The +.Em sudoers +file contains one or more unknown Defaults settings. +This does not prevent +.Nm sudo +from running, but the +.Em sudoers +file should be checked using +.Nm visudo . +.It timestamp owner (username): \&No such user +The time stamp directory owner, as specified by the +.Em timestampowner +setting, could not be found in the password database. +.It unable to open/read @sysconfdir@/sudoers +The +.Em sudoers +file could not be opened for reading. +This can happen when the +.Em sudoers +file is located on a remote file system that maps user ID 0 to +a different value. +Normally, +.Nm sudo +tries to open +.Em sudoers +using group permissions to avoid this problem. +.It unable to stat @sysconfdir@/sudoers +The +.Pa @sysconfdir@/sudoers +file is missing. +.It @sysconfdir@/sudoers is not a regular file +The +.Pa @sysconfdir@/sudoers +file exists but is not a regular file or symbolic link. +.It @sysconfdir@/sudoers is owned by uid N, should be 0 +The +.Em sudoers +file has the wrong owner. +.It @sysconfdir@/sudoers is world writable +The permissions on the +.Em sudoers +file allow all users to write to it. +The +.Em sudoers +file must not be world-writable, the default file mode +is 0440 (readable by owner and group, writable by none). +.It @sysconfdir@/sudoers is owned by gid N, should be 1 +The +.Em sudoers +file has the wrong group ownership. +.It unable to open @timedir@/username/ttyname +.Em sudoers +was unable to read or create the user's time stamp file. +.It unable to write to @timedir@/username/ttyname +.Em sudoers +was unable to write to the user's time stamp file. +.It unable to mkdir to @timedir@/username +.Em sudoers +was unable to create the user's time stamp directory. +.El +.Ss Notes on logging via syslog +By default, +.Em sudoers +logs messages via +.Xr syslog 3 . +The +.Em date , +.Em hostname , +and +.Em progname +fields are added by the syslog daemon, not +.Em sudoers +itself. +As such, they may vary in format on different systems. +.Pp +On most systems, +.Xr syslog 3 +has a relatively small log buffer. +To prevent the command line arguments from being truncated, +.Nm sudo +will split up log messages that are larger than 960 characters +(not including the date, hostname, and the string +.Dq sudo ) . +When a message is split, additional parts will include the string +.Dq Pq command continued +after the user name and before the continued command line arguments. +.Ss Notes on logging to a file +If the +.Em logfile +option is set, +.Em sudoers +will log to a local file, such as +.Pa /var/log/sudo . +When logging to a file, +.Em sudoers +uses a format similar to +.Xr syslog 3 , +with a few important differences: +.Bl -enum +.It +The +.Em progname +and +.Em hostname +fields are not present. +.It +If the +.Em log_year +.Em sudoers +option is enabled, +the date will also include the year. +.It +Lines that are longer than +.Em loglinelen +characters (80 by default) are word-wrapped and continued on the +next line with a four character indent. +This makes entries easier to read for a human being, but makes it +more difficult to use +.Xr grep 1 +on the log files. +If the +.Em loglinelen +.Em sudoers +option is set to 0 (or negated with a +.Ql \&! ) , +word wrap will be disabled. +.El +.Sh SECURITY NOTES +.Nm sudo +tries to be safe when executing external commands. +.Pp +To prevent command spoofing, +.Nm sudo +checks "." and "" (both denoting current directory) last when +searching for a command in the user's +.Ev PATH +(if one or both are in the +.Ev PATH ) . +Note, however, that the actual +.Ev PATH +environment variable is +.Em not +modified and is passed unchanged to the program that +.Nm sudo +executes. +.Pp +.Nm sudo +will check the ownership of its time stamp directory +.Po +.Pa @timedir@ +by default +.Pc +and ignore the directory's contents if it is not owned by root or +if it is writable by a user other than root. +On systems that allow non-root users to give away files via +.Xr chown 2 , +if the time stamp directory is located in a world-writable +directory (e.g.\&, +.Pa /tmp ) , +it is possible for a user to create the time stamp directory before +.Nm sudo +is run. +However, because +.Nm sudo +checks the ownership and mode of the directory and its +contents, the only damage that can be done is to +.Dq hide +files by putting them in the time stamp dir. +This is unlikely to happen since once the time stamp dir is owned by root +and inaccessible by any other user, the user placing files there would be +unable to get them back out. +.Pp +.Nm sudo +will not honor time stamps set far in the future. +Time stamps with a date greater than current_time + 2 * +.Li TIMEOUT +will be ignored and sudo will log and complain. +This is done to keep a user from creating his/her own time stamp with a +bogus date on systems that allow users to give away files if the time +stamp directory is located in a world-writable directory. +.Pp +On systems where the boot time is available, +.Nm sudo +will ignore time stamps that date from before the machine booted. +.Pp +Since time stamp files live in the file system, they can outlive a +user's login session. +As a result, a user may be able to login, run a command with +.Nm sudo +after authenticating, logout, login again, and run +.Nm sudo +without authenticating so long as the time stamp file's modification +time is within +.Li @timeout@ +minutes (or whatever the timeout is set to in +.Em sudoers ) . +When the +.Em tty_tickets +.Em sudoers +option is enabled, the time stamp has per-tty granularity but still +may outlive the user's session. +On Linux systems where the devpts filesystem is used, Solaris systems +with the devices filesystem, as well as other systems that utilize a +devfs filesystem that monotonically increase the inode number of devices +as they are created (such as Mac OS X), +.Nm sudo +is able to determine when a tty-based time stamp file is stale and will +ignore it. +Administrators should not rely on this feature as it is not universally +available. +.Pp +Please note that +.Nm sudo +will normally only log the command it explicitly runs. +If a user runs a command such as +.Li sudo su +or +.Li sudo sh , +subsequent commands run from that shell are not subject to +.Nm sudo Ns No 's +security policy. +The same is true for commands that offer shell escapes (including +most editors). +If I/O logging is enabled, subsequent commands will have their input and/or +output logged, but there will not be traditional logs for those commands. +Because of this, care must be taken when giving users access to commands via +.Nm sudo +to verify that the command does not inadvertently give the user an +effective root shell. +For more information, please see the +.Em PREVENTING SHELL ESCAPES +section in +.Xr sudoers @mansectform@ . +.Pp +To prevent the disclosure of potentially sensitive information, +.Nm sudo +disables core dumps by default while it is executing (they are +re-enabled for the command that is run). +.Pp +For information on the security implications of +.Em sudoers +entries, please see the +.Em SECURITY NOTES +section in +.Xr sudoers @mansectform@ . +.Sh ENVIRONMENT +.Nm sudo +utilizes the following environment variables: +.Bl -tag -width 15n +.It Ev EDITOR +Default editor to use in +.Fl e +(sudoedit) mode if neither +.Ev SUDO_EDITOR +nor +.Ev VISUAL +is set. +.It Ev MAIL +In +.Fl i +mode or when +.Em env_reset +is enabled in +.Em sudoers , +set to the mail spool of the target user. +.It Ev HOME +Set to the home directory of the target user if +.Fl i +or +.Fl H +are specified, +.Em env_reset +or +.Em always_set_home +are set in +.Em sudoers , +or when the +.Fl s +option is specified and +.Em set_home +is set in +.Em sudoers . +.It Ev PATH +Set to a sane value if the +.Em secure_path +option is set in the +.Em sudoers +file. +.It Ev SHELL +Used to determine shell to run with +.Fl s +option. +.It Ev SUDO_ASKPASS +Specifies the path to a helper program used to read the password +if no terminal is available or if the +.Fl A +option is specified. +.It Ev SUDO_COMMAND +Set to the command run by sudo. +.It Ev SUDO_EDITOR +Default editor to use in +.Fl e +(sudoedit) mode. +.It Ev SUDO_GID +Set to the group ID of the user who invoked sudo. +.It Ev SUDO_PROMPT +Used as the default password prompt. +.It Ev SUDO_PS1 +If set, +.Ev PS1 +will be set to its value for the program being run. +.It Ev SUDO_UID +Set to the user ID of the user who invoked sudo. +.It Ev SUDO_USER +Set to the login name of the user who invoked sudo. +.It Ev USER +Set to the target user (root unless the +.Fl u +option is specified). +.It Ev VISUAL +Default editor to use in +.Fl e +(sudoedit) mode if +.Ev SUDO_EDITOR +is not set. +.El +.Sh FILES +.Bl -tag -width 24n +.It Pa @sysconfdir@/sudoers +List of who can run what +.It Pa @timedir@ +Directory containing time stamps +.It Pa /etc/environment +Initial environment for +.Fl i +mode on AIX and Linux systems +.El +.Sh EXAMPLES +Note: the following examples assume suitable +.Xr sudoers 5 +entries. +.Pp +To get a file listing of an unreadable directory: +.Bd -literal -offset indent +$ sudo ls /usr/local/protected +.Ed +.Pp +To list the home directory of user yaz on a machine where the file +system holding ~yaz is not exported as root: +.Bd -literal -offset indent +$ sudo -u yaz ls ~yaz +.Ed +.Pp +To edit the +.Pa index.html +file as user www: +.Bd -literal -offset indent +$ sudo -u www vi ~www/htdocs/index.html +.Ed +.Pp +To view system logs only accessible to root and users in the adm +group: +.Bd -literal -offset indent +$ sudo -g adm view /var/log/syslog +.Ed +.Pp +To run an editor as jim with a different primary group: +.Bd -literal -offset indent +$ sudo -u jim -g audio vi ~jim/sound.txt +.Ed +.Pp +To shut down a machine: +.Bd -literal -offset indent +$ sudo shutdown -r +15 "quick reboot" +.Ed +.Pp +To make a usage listing of the directories in the /home partition. +Note that this runs the commands in a sub-shell to make the +.Li cd +and file redirection work. +.Bd -literal -offset indent +$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +.Ed +.Sh SEE ALSO +.Xr grep 1 , +.Xr su 1 , +.Xr stat 2 , +.Xr login_cap 3 , +.Xr passwd @mansectform@ , +.Xr sudoers @mansectform@ , +.Xr sudoreplay @mansectsu@ , +.Xr visudo @mansectsu@ +.Sh HISTORY +See the HISTORY file in the +.Nm sudo +distribution (http://www.sudo.ws/sudo/history.html) for a brief +history of sudo. +.Sh AUTHORS +Many people have worked on +.Nm sudo +over the years; this version consists of code written primarily by: +.Bd -ragged -offset indent +Todd C. Miller +.Ed +.Pp +See the CONTRIBUTORS file in the +.Nm sudo +distribution (http://www.sudo.ws/sudo/contributors.html) for an +exhaustive list of people who have contributed to +.Nm sudo . +.Sh CAVEATS +There is no easy way to prevent a user from gaining a root shell +if that user is allowed to run arbitrary commands via +.Nm sudo . +Also, many programs (such as editors) allow the user to run commands +via shell escapes, thus avoiding +.Nm sudo Ns No 's +checks. +However, on most systems it is possible to prevent shell escapes with +.Nm sudo ' s +.Em noexec +functionality. +See the +.Xr sudoers @mansectform@ +manual for details. +.Pp +It is not meaningful to run the +.Li cd +command directly via sudo, e.g., +.Bd -literal -offset indent +$ sudo cd /usr/local/protected +.Ed +.Pp +since when the command exits the parent process (your shell) will +still be the same. +Please see the +.Sx EXAMPLES +section for more information. +.Pp +Running shell scripts via +.Nm sudo +can expose the same kernel bugs that make setuid shell scripts +unsafe on some operating systems (if your OS has a /dev/fd/ directory, +setuid shell scripts are generally safe). +.Sh BUGS +If you feel you have found a bug in +.Nm sudo , +please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.Sh SUPPORT +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. +.Sh DISCLAIMER +.Nm sudo +is provided +.Dq AS IS +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +.Nm sudo +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/sudo.pod b/sudo.pod deleted file mode 100644 index 432446a2c..000000000 --- a/sudo.pod +++ /dev/null @@ -1,707 +0,0 @@ -Copyright (c) 1994-1996, 1998-2005, 2007-2010 - Todd C. Miller - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -Sponsored in part by the Defense Advanced Research Projects -Agency (DARPA) and Air Force Research Laboratory, Air Force -Materiel Command, USAF, under agreement number F39502-99-1-0512. - -=pod - -=head1 NAME - -sudo, sudoedit - execute a command as another user - -=head1 SYNOPSIS - -B B<-h> | B<-K> | B<-k> | B<-L> | B<-V> - -B B<-v> [B<-AknS>] -S<[B<-a> I]> -S<[B<-g> I|I<#gid>]> S<[B<-p> I]> -S<[B<-u> I|I<#uid>]> - -B B<-l[l]> [B<-AknS>] -S<[B<-a> I]> -S<[B<-g> I|I<#gid>]> S<[B<-p> I]> -S<[B<-U> I]> S<[B<-u> I|I<#uid>]> [I] - -B [B<-AbEHnPS>] -S<[B<-a> I]> -S<[B<-C> I]> -S<[B<-c> I|I<->]> -S<[B<-g> I|I<#gid>]> S<[B<-p> I]> -S<[B<-r> I]> S<[B<-t> I]> -S<[B<-u> I|I<#uid>]> -S<[B=I]> S<[B<-i> | B<-s>]> [I] - -B [B<-AnS>] -S<[B<-a> I]> -S<[B<-C> I]> -S<[B<-c> I|I<->]> -S<[B<-g> I|I<#gid>]> S<[B<-p> I]> -S<[B<-u> I|I<#uid>]> file ... - -=head1 DESCRIPTION - -B allows a permitted user to execute a I as the -superuser or another user, as specified in the I file. -The real and effective uid and gid are set to match those of the -target user as specified in the passwd file and the group vector -is initialized based on the group file (unless the B<-P> option was -specified). If the invoking user is root or if the target user is -the same as the invoking user, no password is required. Otherwise, -B requires that users authenticate themselves with a password -by default (NOTE: in the default configuration this is the user's -password, not the root password). Once a user has been authenticated, -a time stamp is updated and the user may then use sudo without a -password for a short period of time (C<@timeout@> minutes unless -overridden in I). - -When invoked as B, the B<-e> option (described below), -is implied. - -B determines who is an authorized user by consulting the file -F<@sysconfdir@/sudoers>. By running B with the B<-v> option, -a user can update the time stamp without running a I. If -a password is required, B will exit if the user's password -is not entered within a configurable time limit. The default -password prompt timeout is C<@password_timeout@> minutes. - -If a user who is not listed in the I file tries to run a -command via B, mail is sent to the proper authorities, as -defined at configure time or in the I file (defaults to -C<@mailto@>). Note that the mail will not be sent if an unauthorized -user tries to run sudo with the B<-l> or B<-v> option. This allows -users to determine for themselves whether or not they are allowed -to use B. - -If B is run by root and the C environment variable -is set, B will use this value to determine who the actual -user is. This can be used by a user to log commands through sudo -even when a root shell has been invoked. It also allows the B<-e> -option to remain useful even when being run via a sudo-run script or -program. Note however, that the sudoers lookup is still done for -root, not the user specified by C. - -B can log both successful and unsuccessful attempts (as well -as errors) to syslog(3), a log file, or both. By default B -will log via syslog(3) but this is changeable at configure time -or via the I file. - -=head1 OPTIONS - -B accepts the following command line options: - -=over 12 - -=item -A - -Normally, if B requires a password, it will read it from the -current terminal. If the B<-A> (I) option is specified, -a (possibly graphical) helper program is executed to read the -user's password and output the password to the standard output. If -the C environment variable is set, it specifies the -path to the helper program. Otherwise, the value specified by the -I option in L is used. - -=item -a I - -The B<-a> (I) option causes B to use the -specified authentication type when validating the user, as allowed -by F. The system administrator may specify a list -of sudo-specific authentication methods by adding an "auth-sudo" -entry in F. This option is only available on systems -that support BSD authentication. - -=item -b - -The B<-b> (I) option tells B to run the given -command in the background. Note that if you use the B<-b> -option you cannot use shell job control to manipulate the process. - -=item -C I - -Normally, B will close all open file descriptors other than -standard input, standard output and standard error. The B<-C> -(I) option allows the user to specify a starting point -above the standard error (file descriptor three). Values less than -three are not permitted. This option is only available if the -administrator has enabled the I option in -L. - -=item -c I - -The B<-c> (I) option causes B to run the specified command -with resources limited by the specified login class. The I -argument can be either a class name as defined in F, -or a single '-' character. Specifying a I of C<-> indicates -that the command should be run restricted by the default login -capabilities for the user the command is run as. If the I -argument specifies an existing user class, the command must be run -as root, or the B command must be run from a shell that is already -root. This option is only available on systems with BSD login classes. - -=item -E - -The B<-E> (I I) option will override the -I option in L). It is only -available when either the matching command has the C tag -or the I option is set in L. - -=item -e - -The B<-e> (I) option indicates that, instead of running -a command, the user wishes to edit one or more files. In lieu -of a command, the string "sudoedit" is used when consulting -the I file. If the user is authorized by I -the following steps are taken: - -=over 4 - -=item 1. - -Temporary copies are made of the files to be edited with the owner -set to the invoking user. - -=item 2. - -The editor specified by the C, C or C -environment variables is run to edit the temporary files. If none -of C, C or C are set, the first program -listed in the I I variable is used. - -=item 3. - -If they have been modified, the temporary files are copied back to -their original location and the temporary versions are removed. - -=back - -If the specified file does not exist, it will be created. Note -that unlike most commands run by B, the editor is run with -the invoking user's environment unmodified. If, for some reason, -B is unable to update a file with its edited version, the -user will receive a warning and the edited copy will remain in a -temporary file. - -=item -g I - -Normally, B sets the primary group to the one specified by -the passwd database for the user the command is being run as (by -default, root). The B<-g> (I) option causes B to run -the specified command with the primary group set to I. To -specify a I instead of a I, use I<#gid>. When -running commands as a I, many shells require that the '#' be -escaped with a backslash ('\'). If no B<-u> option is specified, -the command will be run as the invoking user (not root). In either -case, the primary group will be set to I. - -=item -H - -The B<-H> (I) option sets the C environment variable -to the homedir of the target user (root by default) as specified -in passwd(5). The default handling of the C environment -variable depends on L settings. By default, B -will set C if I or I are set, or -if I is set and the B<-s> option is specified on the -command line. - -=item -h - -The B<-h> (I) option causes B to print a short help message -to the standard output and exit. - -=item -i [command] - -The B<-i> (I) option runs the shell specified -in the L entry of the target user as a login shell. This -means that login-specific resource files such as C<.profile> or -C<.login> will be read by the shell. If a command is specified, -it is passed to the shell for execution. Otherwise, an interactive -shell is executed. B attempts to change to that user's home -directory before running the shell. It also initializes the -environment, leaving I and I unchanged, setting -I, I, I, I, I, and I, as well as -the contents of F on Linux and AIX systems. -All other environment variables are removed. - -=item -K - -The B<-K> (sure I) option is like B<-k> except that it removes -the user's time stamp entirely and may not be used in conjunction -with a command or other option. This option does not require a -password. - -=item -k - -When used by itself, the B<-k> (I) option to B invalidates -the user's time stamp by setting the time on it to the Epoch. The -next time B is run a password will be required. This option -does not require a password and was added to allow a user to revoke -B permissions from a .logout file. - -When used in conjunction with a command or an option that may require -a password, the B<-k> option will cause B to ignore the user's -time stamp file. As a result, B will prompt for a password -(if one is required by I) and will not update the user's -time stamp file. - -=item -L - -The B<-L> (I defaults) option will list the parameters that -may be set in a I line along with a short description for -each. This option will be removed from a future version of B. - -=item -l[l] [I] - -If no I is specified, the B<-l> (I) option will list -the allowed (and forbidden) commands for the invoking user (or the -user specified by the B<-U> option) on the current host. If a -I is specified and is permitted by I, the -fully-qualified path to the command is displayed along with any -command line arguments. If I is specified but not allowed, -B will exit with a status value of 1. If the B<-l> option is -specified with an B argument (i.e. B<-ll>), or if B<-l> -is specified multiple times, a longer list format is used. - -=item -n - -The B<-n> (I) option prevents B from prompting -the user for a password. If a password is required for the command -to run, B will display an error message and exit. - -=item -P - -The B<-P> (I I) option causes B to -preserve the invoking user's group vector unaltered. By default, -B will initialize the group vector to the list of groups the -target user is in. The real and effective group IDs, however, are -still set to match the target user. - -=item -p I - -The B<-p> (I) option allows you to override the default -password prompt and use a custom one. The following percent (`C<%>') -escapes are supported: - -=over 4 - -=item C<%H> - -expanded to the local host name including the domain name -(on if the machine's host name is fully qualified or the I -I option is set) - -=item C<%h> - -expanded to the local host name without the domain name - -=item C<%p> - -expanded to the user whose password is being asked for (respects the -I, I and I flags in I) - -=item C<%U> - -expanded to the login name of the user the command will -be run as (defaults to root) - -=item C<%u> - -expanded to the invoking user's login name - -=item C<%%> - -two consecutive C<%> characters are collapsed into a single C<%> character - -=back - -The prompt specified by the B<-p> option will override the system -password prompt on systems that support PAM unless the -I flag is disabled in I. - -=item -r I - -The B<-r> (I) option causes the new (SELinux) security context to -have the role specified by I. - -=item -S - -The B<-S> (I) option causes B to read the password from -the standard input instead of the terminal device. The password must -be followed by a newline character. - -=item -s [command] - -The B<-s> (I) option runs the shell specified by the I -environment variable if it is set or the shell as specified in -L. If a command is specified, it is passed to the shell -for execution. Otherwise, an interactive shell is executed. - -=item -t I - -The B<-t> (I) option causes the new (SELinux) security context to -have the type specified by I. If no type is specified, the default -type is derived from the specified role. - -=item -U I - -The B<-U> (I) option is used in conjunction with the B<-l> -option to specify the user whose privileges should be listed. Only -root or a user with B C on the current host may use this -option. - -=item -u I - -The B<-u> (I) option causes B to run the specified -command as a user other than I. To specify a I instead -of a I, use I<#uid>. When running commands as a I, -many shells require that the '#' be escaped with a backslash ('\'). -Note that if the I Defaults option is set (see L) -it is not possible to run commands with a uid not listed in the -password database. - -=item -V - -The B<-V> (I) option causes B to print the version -number and exit. If the invoking user is already root the B<-V> -option will print out a list of the defaults B was compiled -with as well as the machine's local network addresses. - -=item -v - -If given the B<-v> (I) option, B will update the -user's time stamp, prompting for the user's password if necessary. -This extends the B timeout for another C<@timeout@> minutes -(or whatever the timeout is set to in I) but does not run -a command. - -=item -- - -The B<--> option indicates that B should stop processing command -line arguments. - -=back - -Environment variables to be set for the command may also be passed -on the command line in the form of B=I, e.g. -B=I. Variables passed on the -command line are subject to the same restrictions as normal environment -variables with one important exception. If the I option -is set in I, the command to be run has the C tag -set or the command matched is C, the user may set variables -that would overwise be forbidden. See L for more information. - -=head1 EXIT VALUE - -Upon successful execution of a program, the exit status from B -will simply be the exit status of the program that was executed. - -Otherwise, B quits with an exit value of 1 if there is a -configuration/permission problem or if B cannot execute the -given command. In the latter case the error string is printed to -stderr. If B cannot L one or more entries in the user's -C an error is printed on stderr. (If the directory does not -exist or if it is not really a directory, the entry is ignored and -no error is printed.) This should not happen under normal -circumstances. The most common reason for L to return -"permission denied" is if you are running an automounter and one -of the directories in your C is on a machine that is currently -unreachable. - -=head1 SECURITY NOTES - -B tries to be safe when executing external commands. - -There are two distinct ways to deal with environment variables. By -default, the I I option is enabled. This causes -commands to be executed with a new, minimal environment containing. -On AIX (and Linux systems without PAM), the environment is initialized -with the contents of the F file. On BSD systems, -if the I option is enabled, the environment is -initialized based on the I and I settings in -F. The new environment contains the C, -C, C, C, C, C, C, C -and C variables in addition to variables from the invoking -process permitted by the I and I options. This -is effectively a whitelist for environment variables. - -If, however, the I option is disabled in I, any -variables not explicitly denied by the I and I -options are inherited from the invoking process. In this case, -I and I behave like a blacklist. Since it -is not possible to blacklist all potentially dangerous environment -variables, use of the default I behavior is encouraged. - -In all cases, environment variables with a value beginning with -C<()> are removed as they could be interpreted as B functions. -The list of environment variables that B allows or denies is -contained in the output of C when run as root. - -Note that the dynamic linker on most operating systems will remove -variables that can control dynamic linking from the environment of -setuid executables, including B. Depending on the operating -system this may include C<_RLD*>, C, C, C, -C, C, and others. These type of variables are -removed from the environment before B even begins execution -and, as such, it is not possible for B to preserve them. - -To prevent command spoofing, B checks "." and "" (both denoting -current directory) last when searching for a command in the user's -PATH (if one or both are in the PATH). Note, however, that the -actual C environment variable is I modified and is passed -unchanged to the program that B executes. - -B will check the ownership of its time stamp directory -(F<@timedir@> by default) and ignore the directory's contents if -it is not owned by root or if it is writable by a user other than -root. On systems that allow non-root users to give away files via -L, if the time stamp directory is located in a directory -writable by anyone (e.g., F), it is possible for a user to -create the time stamp directory before B is run. However, -because B checks the ownership and mode of the directory and -its contents, the only damage that can be done is to "hide" files -by putting them in the time stamp dir. This is unlikely to happen -since once the time stamp dir is owned by root and inaccessible by -any other user, the user placing files there would be unable to get -them back out. To get around this issue you can use a directory -that is not world-writable for the time stamps (F for -instance) or create F<@timedir@> with the appropriate owner (root) -and permissions (0700) in the system startup files. - -B will not honor time stamps set far in the future. -Timestamps with a date greater than current_time + 2 * C -will be ignored and sudo will log and complain. This is done to -keep a user from creating his/her own time stamp with a bogus -date on systems that allow users to give away files. - -On systems where the boot time is available, B will also not -honor time stamps from before the machine booted. - -Since time stamp files live in the file system, they can outlive a -user's login session. As a result, a user may be able to login, -run a command with B after authenticating, logout, login -again, and run B without authenticating so long as the time -stamp file's modification time is within C<@timeout@> minutes (or -whatever the timeout is set to in I). When the I -option is enabled in I, the time stamp has per-tty granularity -but still may outlive the user's session. On Linux systems where -the devpts filesystem is used, Solaris systems with the devices -filesystem, as well as other systems that utilize a devfs filesystem -that monotonically increase the inode number of devices as they are -created (such as Mac OS X), B is able to determine when a -tty-based time stamp file is stale and will ignore it. Administrators -should not rely on this feature as it is not universally available. - -Please note that B will normally only log the command it -explicitly runs. If a user runs a command such as C or -C, subsequent commands run from that shell will I be -logged, nor will B's access control affect them. The same -is true for commands that offer shell escapes (including most -editors). Because of this, care must be taken when giving users -access to commands via B to verify that the command does not -inadvertently give the user an effective root shell. For more -information, please see the C section in -L. - -=head1 ENVIRONMENT - -B utilizes the following environment variables: - -=over 16 - -=item C - -Default editor to use in B<-e> (sudoedit) mode if neither C -nor C is set. - -=item C - -In B<-i> mode or when I is enabled in I, set -to the mail spool of the target user. - -=item C - -Set to the home directory of the target user if B<-i> or B<-H> are -specified, I or I are set in I, -or when the B<-s> option is specified and I is set in -I. - -=item C - -Set to a sane value if the I sudoers option is set. - -=item C - -Used to determine shell to run with B<-s> option. - -=item C - -Specifies the path to a helper program used to read the password -if no terminal is available or if the B<-A> option is specified. - -=item C - -Set to the command run by sudo. - -=item C - -Default editor to use in B<-e> (sudoedit) mode. - -=item C - -Set to the group ID of the user who invoked sudo. - -=item C - -Used as the default password prompt. - -=item C - -If set, C will be set to its value for the program being run. - -=item C - -Set to the user ID of the user who invoked sudo. - -=item C - -Set to the login of the user who invoked sudo. - -=item C - -Set to the target user (root unless the B<-u> option is specified). - -=item C - -Default editor to use in B<-e> (sudoedit) mode if C -is not set. - -=back - -=head1 FILES - -=over 24 - -=item F<@sysconfdir@/sudoers> - -List of who can run what - -=item F<@timedir@> - -Directory containing time stamps - -=item F - -Initial environment for B<-i> mode on AIX and Linux systems - -=back - -=head1 EXAMPLES - -Note: the following examples assume suitable L entries. - -To get a file listing of an unreadable directory: - - $ sudo ls /usr/local/protected - -To list the home directory of user yaz on a machine where the -file system holding ~yaz is not exported as root: - - $ sudo -u yaz ls ~yaz - -To edit the F file as user www: - - $ sudo -u www vi ~www/htdocs/index.html - -To view system logs only accessible to root and users in the adm group: - - $ sudo -g adm view /var/log/syslog - -To run an editor as jim with a different primary group: - - $ sudo -u jim -g audio vi ~jim/sound.txt - -To shutdown a machine: - - $ sudo shutdown -r +15 "quick reboot" - -To make a usage listing of the directories in the /home -partition. Note that this runs the commands in a sub-shell -to make the C and file redirection work. - - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" - -=head1 SEE ALSO - -L, L, L, -L, -L, L, L - -=head1 AUTHORS - -Many people have worked on B over the years; this -version consists of code written primarily by: - - Todd C. Miller - -See the HISTORY file in the B distribution or visit -http://www.sudo.ws/sudo/history.html for a short history -of B. - -=head1 CAVEATS - -There is no easy way to prevent a user from gaining a root shell -if that user is allowed to run arbitrary commands via B. -Also, many programs (such as editors) allow the user to run commands -via shell escapes, thus avoiding B's checks. However, on -most systems it is possible to prevent shell escapes with B's -I functionality. See the L manual -for details. - -It is not meaningful to run the C command directly via sudo, e.g., - - $ sudo cd /usr/local/protected - -since when the command exits the parent process (your shell) will -still be the same. Please see the EXAMPLES section for more information. - -If users have sudo C there is nothing to prevent them from -creating their own program that gives them a root shell regardless -of any '!' elements in the user specification. - -Running shell scripts via B can expose the same kernel bugs that -make setuid shell scripts unsafe on some operating systems (if your OS -has a /dev/fd/ directory, setuid shell scripts are generally safe). - -=head1 BUGS - -If you feel you have found a bug in B, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ - -=head1 SUPPORT - -Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or -search the archives. - -=head1 DISCLAIMER - -B is provided ``AS IS'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the LICENSE -file distributed with B or http://www.sudo.ws/sudo/license.html -for complete details. diff --git a/sudoers.cat b/sudoers.cat index a64af02e8..16565510e 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -1,547 +1,594 @@ -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - +SUDOERS(4) Programmer's Manual SUDOERS(4) NNAAMMEE - sudoers - list of which users may execute what + ssuuddooeerrss - list of which users may execute what DDEESSCCRRIIPPTTIIOONN - The _s_u_d_o_e_r_s file is composed of two types of entries: aliases - (basically variables) and user specifications (which specify who may - run what). + The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basically + variables) and user specifications (which specify who may run what). - When multiple entries match for a user, they are applied in order. - Where there are multiple matches, the last match is used (which is not - necessarily the most specific match). + When multiple entries match for a user, they are applied in order. Where + there are multiple matches, the last match is used (which is not + necessarily the most specific match). - The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur - Form (EBNF). Don't despair if you don't know what EBNF is; it is - fairly simple, and the definitions below are annotated. + The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur Form + (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly + simple, and the definitions below are annotated. QQuuiicckk gguuiiddee ttoo EEBBNNFF - EBNF is a concise and exact way of describing the grammar of a - language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., + EBNF is a concise and exact way of describing the grammar of a language. + Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., - symbol ::= definition | alternate1 | alternate2 ... + symbol ::= definition | alternate1 | alternate2 ... - Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for - the language. EBNF also contains the following operators, which many - readers will recognize from regular expressions. Do not, however, - confuse them with "wildcard" characters, which have different meanings. + Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for + the language. EBNF also contains the following operators, which many + readers will recognize from regular expressions. Do not, however, + confuse them with ``wildcard'' characters, which have different meanings. - ? Means that the preceding symbol (or group of symbols) is optional. + ? Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. - * Means that the preceding symbol (or group of symbols) may appear + * Means that the preceding symbol (or group of symbols) may appear zero or more times. - + Means that the preceding symbol (or group of symbols) may appear + + Means that the preceding symbol (or group of symbols) may appear one or more times. - Parentheses may be used to group symbols together. For clarity, we - will use single quotes ('') to designate what is a verbatim character - string (as opposed to a symbol name). + Parentheses may be used to group symbols together. For clarity, we will + use single quotes ('') to designate what is a verbatim character string + (as opposed to a symbol name). AAlliiaasseess - There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias - and Cmnd_Alias. + There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and + Cmnd_Alias. - Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | - 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | - 'Host_Alias' Host_Alias (':' Host_Alias)* | - 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* - - User_Alias ::= NAME '=' User_List - - Runas_Alias ::= NAME '=' Runas_List - - Host_Alias ::= NAME '=' Host_List - - Cmnd_Alias ::= NAME '=' Cmnd_List - - NAME ::= [A-Z]([A-Z][0-9]_)* - - Each _a_l_i_a_s definition is of the form - - Alias_Type NAME = item1, item2, ... - - where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or - Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and - underscore characters ('_'). A NAME mmuusstt start with an uppercase - letter. It is possible to put several alias definitions of the same - type on a single line, joined by a colon (':'). E.g., - - Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 - - The definitions of what constitutes a valid _a_l_i_a_s member follow. - - User_List ::= User | - User ',' User_List - - User ::= '!'* user name | - '!'* #uid | - '!'* %group | - '!'* %#gid | - '!'* +netgroup | - '!'* %:nonunix_group | - '!'* %:#nonunix_gid | - '!'* User_Alias - - A User_List is made up of one or more user names, user ids (prefixed - with '#'), system group names and ids (prefixed with '%' and '%#' - respectively), netgroups (prefixed with '+'), non-Unix group names and - IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each - list item may be prefixed with zero or more '!' operators. An odd - number of '!' operators negate the value of the item; an even number - just cancel each other out. - - A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid - may be enclosed in double quotes to avoid the need for escaping special - characters. Alternately, special characters may be specified in - escaped hex mode, e.g. \x20 for space. When using double quotes, any - prefix characters must be included inside the quotes. - - The nonunix_group and nonunix_gid syntax depends on the underlying - implementation. For instance, the QAS AD backend supports the - following formats: - - o Group in the same domain: "%:Group Name" - - o Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" - - o Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" - - Note that quotes around group names are optional. Unquoted strings - must use a backslash (\) to escape spaces and special characters. See - "Other special characters and reserved words" for a list of characters - that need to be escaped. - - Runas_List ::= Runas_Member | - Runas_Member ',' Runas_List - - Runas_Member ::= '!'* user name | - '!'* #uid | - '!'* %group | - '!'* %#gid | - '!'* %:nonunix_group | - '!'* %:#nonunix_gid | - '!'* +netgroup | - '!'* Runas_Alias - - A Runas_List is similar to a User_List except that instead of - User_Aliases it can contain Runas_Aliases. Note that user names and - groups are matched as strings. In other words, two users (groups) with - the same uid (gid) are considered to be distinct. If you wish to match - all user names with the same uid (e.g. root and toor), you can use a - uid instead (#0 in the example given). - - Host_List ::= Host | - Host ',' Host_List - - Host ::= '!'* host name | - '!'* ip_addr | - '!'* network(/netmask)? | - '!'* +netgroup | - '!'* Host_Alias - - A Host_List is made up of one or more host names, IP addresses, network - numbers, netgroups (prefixed with '+') and other aliases. Again, the - value of an item may be negated with the '!' operator. If you do not - specify a netmask along with the network number, ssuuddoo will query each - of the local host's network interfaces and, if the network number - corresponds to one of the hosts's network interfaces, the corresponding - netmask will be used. The netmask may be specified either in standard - IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or - CIDR notation (number of bits, e.g. 24 or 64). A host name may include - shell-style wildcards (see the Wildcards section below), but unless the - host name command on your machine returns the fully qualified host - name, you'll need to use the _f_q_d_n option for wildcards to be useful. - Note ssuuddoo only inspects actual network interfaces; this means that IP - address 127.0.0.1 (localhost) will never match. Also, the host name - "localhost" will only match if that is the actual host name, which is - usually only the case for non-networked systems. - - Cmnd_List ::= Cmnd | - Cmnd ',' Cmnd_List - - commandname ::= file name | - file name args | - file name '""' - - Cmnd ::= '!'* commandname | - '!'* directory | - '!'* "sudoedit" | - '!'* Cmnd_Alias - - A Cmnd_List is a list of one or more commandnames, directories, and - other aliases. A commandname is a fully qualified file name which may - include shell-style wildcards (see the Wildcards section below). A - simple file name allows the user to run the command with any arguments - he/she wishes. However, you may also specify command line arguments - (including wildcards). Alternately, you can specify "" to indicate - that the command may only be run wwiitthhoouutt command line arguments. A - directory is a fully qualified path name ending in a '/'. When you - specify a directory in a Cmnd_List, the user will be able to run any - file within that directory (but not in any subdirectories therein). - - If a Cmnd has associated command line arguments, then the arguments in - the Cmnd must match exactly those given by the user on the command line - (or match the wildcards if there are any). Note that the following - characters must be escaped with a '\' if they are used in command - arguments: ',', ':', '=', '\'. The special command "sudoedit" is used - to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It - may take command line arguments just as a normal command does. + Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + + User_Alias ::= NAME '=' User_List + + Runas_Alias ::= NAME '=' Runas_List + + Host_Alias ::= NAME '=' Host_List + + Cmnd_Alias ::= NAME '=' Cmnd_List + + NAME ::= [A-Z]([A-Z][0-9]_)* + + Each _a_l_i_a_s definition is of the form + + Alias_Type NAME = item1, item2, ... + + where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or + Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and + underscore characters (`_'). A NAME mmuusstt start with an uppercase letter. + It is possible to put several alias definitions of the same type on a + single line, joined by a colon (`:'). E.g., + + Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 + + The definitions of what constitutes a valid _a_l_i_a_s member follow. + + User_List ::= User | + User ',' User_List + + User ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* +netgroup | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* User_Alias + + A User_List is made up of one or more user names, user ids (prefixed with + `#'), system group names and ids (prefixed with `%' and `%#' + respectively), netgroups (prefixed with `+'), non-Unix group names and + IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each + list item may be prefixed with zero or more `!' operators. An odd number + of `!' operators negate the value of the item; an even number just cancel + each other out. + + A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may + be enclosed in double quotes to avoid the need for escaping special + characters. Alternately, special characters may be specified in escaped + hex mode, e.g. \x20 for space. When using double quotes, any prefix + characters must be included inside the quotes. + + The actual nonunix_group and nonunix_gid syntax depends on the underlying + implementation. For instance, the QAS AD backend supports the following + formats: + + oo Group in the same domain: "%:Group Name" + + oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" + + oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" + + Note that quotes around group names are optional. Unquoted strings must + use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r + _s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need + to be escaped. + + Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List + + Runas_Member ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* +netgroup | + '!'* Runas_Alias + + A Runas_List is similar to a User_List except that instead of + User_Aliases it can contain Runas_Aliases. Note that user names and + groups are matched as strings. In other words, two users (groups) with + the same uid (gid) are considered to be distinct. If you wish to match + all user names with the same uid (e.g. root and toor), you can use a uid + instead (#0 in the example given). + + Host_List ::= Host | + Host ',' Host_List + + Host ::= '!'* host name | + '!'* ip_addr | + '!'* network(/netmask)? | + '!'* +netgroup | + '!'* Host_Alias + + A Host_List is made up of one or more host names, IP addresses, network + numbers, netgroups (prefixed with `+') and other aliases. Again, the + value of an item may be negated with the `!' operator. If you do not + specify a netmask along with the network number, ssuuddoo will query each of + the local host's network interfaces and, if the network number + corresponds to one of the hosts's network interfaces, the corresponding + netmask will be used. The netmask may be specified either in standard IP + address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR + notation (number of bits, e.g. 24 or 64). A host name may include shell- + style wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host + name command on your machine returns the fully qualified host name, + you'll need to use the _f_q_d_n option for wildcards to be useful. Note that + ssuuddoo only inspects actual network interfaces; this means that IP address + 127.0.0.1 (localhost) will never match. Also, the host name + ``localhost'' will only match if that is the actual host name, which is + usually only the case for non-networked systems. + + Cmnd_List ::= Cmnd | + Cmnd ',' Cmnd_List + + command name ::= file name | + file name args | + file name '""' + + Cmnd ::= '!'* command name | + '!'* directory | + '!'* "sudoedit" | + '!'* Cmnd_Alias + + A Cmnd_List is a list of one or more command names, directories, and + other aliases. A command name is a fully qualified file name which may + include shell-style wildcards (see the _W_i_l_d_c_a_r_d_s section below). A + simple file name allows the user to run the command with any arguments + he/she wishes. However, you may also specify command line arguments + (including wildcards). Alternately, you can specify "" to indicate that + the command may only be run wwiitthhoouutt command line arguments. A directory + is a fully qualified path name ending in a `/'. When you specify a + directory in a Cmnd_List, the user will be able to run any file within + that directory (but not in any sub-directories therein). + + If a Cmnd has associated command line arguments, then the arguments in + the Cmnd must match exactly those given by the user on the command line + (or match the wildcards if there are any). Note that the following + characters must be escaped with a `\' if they are used in command + arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used + to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may + take command line arguments just as a normal command does. DDeeffaauullttss - Certain configuration options may be changed from their default values - at runtime via one or more Default_Entry lines. These may affect all - users on any host, all users on a specific host, a specific user, a - specific command, or commands being run as a specific user. Note that - per-command entries may not include command line arguments. If you - need to specify arguments, define a Cmnd_Alias and reference that - instead. - - Default_Type ::= 'Defaults' | - 'Defaults' '@' Host_List | - 'Defaults' ':' User_List | - 'Defaults' '!' Cmnd_List | - 'Defaults' '>' Runas_List - - Default_Entry ::= Default_Type Parameter_List - - Parameter_List ::= Parameter | - Parameter ',' Parameter_List - - Parameter ::= Parameter '=' Value | - Parameter '+=' Value | - Parameter '-=' Value | - '!'* Parameter - - Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are - implicitly boolean and can be turned off via the '!' operator. Some - integer, string and list parameters may also be used in a boolean - context to disable them. Values may be enclosed in double quotes ("") - when they contain multiple words. Special characters may be escaped - with a backslash (\). - - Lists have two additional assignment operators, += and -=. These - operators are used to add to and delete from a list respectively. It - is not an error to use the -= operator to remove an element that does - not exist in a list. - - Defaults entries are parsed in the following order: generic, host and - user Defaults first, then runas Defaults and finally command defaults. - - See "SUDOERS OPTIONS" for a list of supported Defaults parameters. + Certain configuration options may be changed from their default values at + run-time via one or more Default_Entry lines. These may affect all users + on any host, all users on a specific host, a specific user, a specific + command, or commands being run as a specific user. Note that per-command + entries may not include command line arguments. If you need to specify + arguments, define a Cmnd_Alias and reference that instead. + + Default_Type ::= 'Defaults' | + 'Defaults' '@' Host_List | + 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | + 'Defaults' '>' Runas_List + + Default_Entry ::= Default_Type Parameter_List + + Parameter_List ::= Parameter | + Parameter ',' Parameter_List + + Parameter ::= Parameter '=' Value | + Parameter '+=' Value | + Parameter '-=' Value | + '!'* Parameter + + Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are + implicitly boolean and can be turned off via the `!' operator. Some + integer, string and list parameters may also be used in a boolean context + to disable them. Values may be enclosed in double quotes ("") when they + contain multiple words. Special characters may be escaped with a + backslash (`\'). + + Lists have two additional assignment operators, += and -=. These + operators are used to add to and delete from a list respectively. It is + not an error to use the -= operator to remove an element that does not + exist in a list. + + Defaults entries are parsed in the following order: generic, host and + user Defaults first, then runas Defaults and finally command defaults. + + See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters. UUsseerr SSppeecciiffiiccaattiioonn - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* + + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List + Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd - Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd + Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' - Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') - SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') - Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | - 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') - A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as - what user) on specified hosts. By default, commands are run as rroooott, - but this can be changed on a per-command basis. + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as + what user) on specified hosts. By default, commands are run as rroooott, but + this can be changed on a per-command basis. - The basic structure of a user specification is `who where = (as_whom) - what'. Let's break that down into its constituent parts: + The basic structure of a user specification is ``who where = (as_whom) + what''. Let's break that down into its constituent parts: RRuunnaass__SSppeecc - A Runas_Spec determines the user and/or the group that a command may be - run as. A fully-specified Runas_Spec consists of two Runas_Lists (as - defined above) separated by a colon (':') and enclosed in a set of - parentheses. The first Runas_List indicates which users the command - may be run as via ssuuddoo's --uu option. The second defines a list of - groups that can be specified via ssuuddoo's --gg option. If both Runas_Lists - are specified, the command may be run with any combination of users and - groups listed in their respective Runas_Lists. If only the first is - specified, the command may be run as any user in the list but no --gg - option may be specified. If the first Runas_List is empty but the - second is specified, the command may be run as the invoking user with - the group set to any listed in the Runas_List. If no Runas_Spec is - specified the command may be run as rroooott and no group may be specified. + A Runas_Spec determines the user and/or the group that a command may be + run as. A fully-specified Runas_Spec consists of two Runas_Lists (as + defined above) separated by a colon (`:') and enclosed in a set of + parentheses. The first Runas_List indicates which users the command may + be run as via ssuuddoo's --uu option. The second defines a list of groups that + can be specified via ssuuddoo's --gg option. If both Runas_Lists are + specified, the command may be run with any combination of users and + groups listed in their respective Runas_Lists. If only the first is + specified, the command may be run as any user in the list but no --gg + option may be specified. If the first Runas_List is empty but the second + is specified, the command may be run as the invoking user with the group + set to any listed in the Runas_List. If no Runas_Spec is specified the + command may be run as rroooott and no group may be specified. - A Runas_Spec sets the default for the commands that follow it. What - this means is that for the entry: + A Runas_Spec sets the default for the commands that follow it. What this + means is that for the entry: - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only - as ooppeerraattoorr. E.g., + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m--but only as + ooppeerraattoorr. E.g., - $ sudo -u operator /bin/ls + $ sudo -u operator /bin/ls - It is also possible to override a Runas_Spec later on in an entry. If - we modify the entry like so: + It is also possible to override a Runas_Spec later on in an entry. If we + modify the entry like so: - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l - and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l + and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - We can extend this to allow ddggbb to run /bin/ls with either the user or - group set to ooppeerraattoorr: + We can extend this to allow ddggbb to run /bin/ls with either the user or + group set to ooppeerraattoorr: - dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ - /usr/bin/lprm + dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ + /usr/bin/lprm - Note that while the group portion of the Runas_Spec permits the user to - run as command with that group, it does not force the user to do so. - If no group is specified on the command line, the command will run with - the group listed in the target user's password database entry. The - following would all be permitted by the sudoers entry above: + Note that while the group portion of the Runas_Spec permits the user to + run as command with that group, it does not force the user to do so. If + no group is specified on the command line, the command will run with the + group listed in the target user's password database entry. The following + would all be permitted by the sudoers entry above: - $ sudo -u operator /bin/ls - $ sudo -u operator -g operator /bin/ls - $ sudo -g operator /bin/ls + $ sudo -u operator /bin/ls + $ sudo -u operator -g operator /bin/ls + $ sudo -g operator /bin/ls - In the following example, user ttccmm may run commands that access a modem - device file with the dialer group. + In the following example, user ttccmm may run commands that access a modem + device file with the dialer group. - tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ - /usr/local/bin/minicom + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ + /usr/local/bin/minicom - Note that in this example only the group will be set, the command still - runs as user ttccmm. E.g. + Note that in this example only the group will be set, the command still + runs as user ttccmm. E.g. - $ sudo -g dialer /usr/bin/cu + $ sudo -g dialer /usr/bin/cu - Multiple users and groups may be present in a Runas_Spec, in which case - the user may select any combination of users and groups via the --uu and - --gg options. In this example: + Multiple users and groups may be present in a Runas_Spec, in which case + the user may select any combination of users and groups via the --uu and --gg + options. In this example: - alan ALL = (root, bin : operator, system) ALL + alan ALL = (root, bin : operator, system) ALL - user aallaann may run any command as either user root or bin, optionally - setting the group to operator or system. + user aallaann may run any command as either user root or bin, optionally + setting the group to operator or system. SSEELLiinnuuxx__SSppeecc - On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an - SELinux role and/or type associated with a command. If a role or type - is specified with the command it will override any default values - specified in _s_u_d_o_e_r_s. A role or type specified on the command line, - however, will supercede the values in _s_u_d_o_e_r_s. + On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an + SELinux role and/or type associated with a command. If a role or type is + specified with the command it will override any default values specified + in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will + supersede the values in _s_u_d_o_e_r_s. + + SSoollaarriiss__PPrriivv__SSppeecc + On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris + privilege set and/or limit privilege set associated with a command. If + privileges or limit privileges are specified with the command it will + override any default values specified in _s_u_d_o_e_r_s. + + A privilege set is a comma-separated list of privilege names. The + ppriv(1) command can be used to list all privileges known to the system. + For example: + + $ ppriv -l + + In addition, there are several ``special'' privilege strings: + + none the empty set + + all the set of all privileges + + zone the set of all privileges available in the current zone + + basic the default set of privileges normal users are granted at login + time + + Privileges can be excluded from a set by prefixing the privilege name + with either an `!' or `-' character. TTaagg__SSppeecc - A command may have zero or more tags associated with it. There are ten - possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, - LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set - on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag - unless it is overridden by the opposite tag (in other words, PASSWD - overrides NOPASSWD and NOEXEC overrides EXEC). + A command may have zero or more tags associated with it. There are ten + possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, + LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set + on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless + it is overridden by the opposite tag (in other words, PASSWD overrides + NOPASSWD and NOEXEC overrides EXEC). - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D - By default, ssuuddoo requires that a user authenticate him or herself - before running a command. This behavior can be modified via the - NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for - the commands that follow it in the Cmnd_Spec_List. Conversely, the - PASSWD tag can be used to reverse things. For example: + By default, ssuuddoo requires that a user authenticate him or herself before + running a command. This behavior can be modified via the NOPASSWD tag. + Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that + follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used + to reverse things. For example: - ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m - as rroooott on the machine rushmore without authenticating himself. If we - only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry - would be: + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m as + rroooott on the machine rushmore without authenticating himself. If we only + want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry would + be: - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - Note, however, that the PASSWD tag has no effect on users who are in - the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + Note, however, that the PASSWD tag has no effect on users who are in the + group specified by the _e_x_e_m_p_t___g_r_o_u_p option. - By default, if the NOPASSWD tag is applied to any of the entries for a - user on the current host, he or she will be able to run sudo -l without - a password. Additionally, a user may only run sudo -v without a - password if the NOPASSWD tag is present for all a user's entries that - pertain to the current host. This behavior may be overridden via the - verifypw and listpw options. + By default, if the NOPASSWD tag is applied to any of the entries for a + user on the current host, he or she will be able to run ``sudo -l'' + without a password. Additionally, a user may only run ``sudo -v'' + without a password if the NOPASSWD tag is present for all a user's + entries that pertain to the current host. This behavior may be + overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. - _N_O_E_X_E_C _a_n_d _E_X_E_C + _N_O_E_X_E_C _a_n_d _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying - operating system supports it, the NOEXEC tag can be used to prevent a - dynamically-linked executable from running further commands itself. + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - See the "PREVENTING SHELL ESCAPES" section below for more details on - how NOEXEC works and whether or not it will work on your system. + See the _P_r_e_v_e_n_t_i_n_g _S_h_e_l_l _E_s_c_a_p_e_s section below for more details on how + NOEXEC works and whether or not it will work on your system. - _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V + _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V - These tags override the value of the _s_e_t_e_n_v option on a per-command - basis. Note that if SETENV has been set for a command, the user may - disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. - Additionally, environment variables set on the command line are not - subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or - _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set - variables in this manner. If the command matched is AALLLL, the SETENV - tag is implied for that command; this default may be overridden by use - of the NOSETENV tag. + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, the user may + disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. + Additionally, environment variables set on the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or + _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables + in this manner. If the command matched is AALLLL, the SETENV tag is implied + for that command; this default may be overridden by use of the NOSETENV + tag. - _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T + _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T - These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___i_n_p_u_t in the - "SUDOERS OPTIONS" section below. + These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___i_n_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. - _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T + _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T - These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the - "SUDOERS OPTIONS" section below. + These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. WWiillddccaarrddss - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be - used in host names, path names and command line arguments in the - _s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and - _f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions. + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be + used in host names, path names and command line arguments in the _s_u_d_o_e_r_s + file. Wildcard matching is done via the PPOOSSIIXX glob(3) and fnmatch(3) + routines. Note that these are _n_o_t regular expressions. + + * Matches any set of zero or more characters. + + ? Matches any single character. + + [...] Matches any character in the specified range. + + [!...] Matches any character nnoott in the specified range. - * Matches any set of zero or more characters. + \x For any character `x', evaluates to `x'. This is used to + escape special characters such as: `*', `?', `[', and `]'. - ? Matches any single character. + POSIX character classes may also be used if your system's glob(3) and + fnmatch(3) functions support them. However, because the `:' character + has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: - [...] Matches any character in the specified range. + /bin/ls [[:alpha:]]* - [!...] Matches any character nnoott in the specified range. + Would match any file name beginning with a letter. - \x For any character "x", evaluates to "x". This is used to - escape special characters such as: "*", "?", "[", and "]". + Note that a forward slash (`/') will nnoott be matched by wildcards used in + the path name. This is to make a path like: - POSIX character classes may also be used if your system's _g_l_o_b(3) and - _f_n_m_a_t_c_h(3) functions support them. However, because the ':' character - has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: + /usr/bin/* - /bin/ls [[\:alpha\:]]* + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. - Would match any file name beginning with a letter. + When matching the command line arguments, however, a slash ddooeess get + matched by wildcards since command line arguments may contain arbitrary + strings and not just path names. - Note that a forward slash ('/') will nnoott be matched by wildcards used - in the path name. When matching the command line arguments, however, a - slash ddooeess get matched by wildcards. This is to make a path like: + Wildcards in command line arguments should be used with care. Because + command line arguments are matched as a single, concatenated string, a + wildcard such as `?' or `*' can match multiple words. For example, while + a sudoers entry like: - /usr/bin/* + %operator ALL = /bin/cat /var/log/messages* - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + will allow command like: + + $ sudo cat /var/log/messages.1 + + It will also allow: + + $ sudo cat /var/log/messages /etc/shadow + + which is probably not what was intended. EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - The following exceptions apply to the above rules: + The following exceptions apply to the above rules: - "" If the empty string "" is the only command line argument in the + "" If the empty string "" is the only command line argument in the _s_u_d_o_e_r_s entry it means that command is not allowed to be run with aannyy arguments. + sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should + always be path names, so a forward slash (`/') will not be + matched by a wildcard. + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s - file currently being parsed using the #include and #includedir - directives. + It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s + file currently being parsed using the #include and #includedir + directives. - This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in - addition to a local, per-machine file. For the sake of this example - the site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will - be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within - _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: + This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in + addition to a local, per-machine file. For the sake of this example the + site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be + _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within + _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: - #include /etc/sudoers.local + #include /etc/sudoers.local - When ssuuddoo reaches this line it will suspend processing of the current - file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching - the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be - processed. Files that are included may themselves include other files. - A hard limit of 128 nested include files is enforced to prevent include - file loops. + When ssuuddoo reaches this line it will suspend processing of the current + file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching the + end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. + Files that are included may themselves include other files. A hard limit + of 128 nested include files is enforced to prevent include file loops. - If the path to the include file is not fully-qualified (does not begin - with a /), it must be located in the same directory as the sudoers file - it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: + If the path to the include file is not fully-qualified (does not begin + with a `/', it must be located in the same directory as the sudoers file + it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: - #include sudoers.local + #include sudoers.local - the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. + the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. - The file name may also include the %h escape, signifying the short form - of the host name. In other words, if the machine's host name is - "xerxes", then + The file name may also include the %h escape, signifying the short form + of the host name. In other words, if the machine's host name is + ``xerxes'', then - #include /etc/sudoers.%h + #include /etc/sudoers.%h - will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. + will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. - The #includedir directive can be used to create a _s_u_d_o_._d directory that - the system package manager can drop _s_u_d_o_e_r_s rules into as part of - package installation. For example, given: + The #includedir directive can be used to create a _s_u_d_o_._d directory that + the system package manager can drop _s_u_d_o_e_r_s rules into as part of package + installation. For example, given: - #includedir /etc/sudoers.d + #includedir /etc/sudoers.d - ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that - end in ~ or contain a . character to avoid causing problems with - package manager or editor temporary/backup files. Files are parsed in - sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed - before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is - lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr - _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes - in the file names can be used to avoid such problems. + ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end + in `~' or contain a `.' character to avoid causing problems with package + manager or editor temporary/backup files. Files are parsed in sorted + lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical, + not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in + the file names can be used to avoid such problems. - Note that unlike files included via #include, vviissuuddoo will not edit the - files in a #includedir directory unless one of them contains a syntax - error. It is still possible to run vviissuuddoo with the --ff flag to edit the - files directly. + Note that unlike files included via #include, vviissuuddoo will not edit the + files in a #includedir directory unless one of them contains a syntax + error. It is still possible to run vviissuuddoo with the --ff flag to edit the + files directly. OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - The pound sign ('#') is used to indicate a comment (unless it is part - of a #include directive or unless it occurs in the context of a user - name and is followed by one or more digits, in which case it is treated - as a uid). Both the comment character and any text after it, up to the - end of the line, are ignored. - - The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to - succeed. It can be used wherever one might otherwise use a Cmnd_Alias, - User_Alias, Runas_Alias, or Host_Alias. You should not try to define - your own _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be dangerous - since in a command context, it allows the user to run aannyy command on - the system. - - An exclamation point ('!') can be used as a logical _n_o_t operator both - in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain - values. Note, however, that using a ! in conjunction with the built-in - ALL alias to allow a user to run "all but a few" commands rarely works - as intended (see SECURITY NOTES below). - - Long lines can be continued with a backslash ('\') as the last - character on the line. - - Whitespace between elements in a list as well as special syntactic - characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. - - The following characters must be escaped with a backslash ('\') when - used as part of a word (e.g. a user name or host name): '!', '=', ':', - ',', '(', ')', '\'. + The pound sign (`#') is used to indicate a comment (unless it is part of + a #include directive or unless it occurs in the context of a user name + and is followed by one or more digits, in which case it is treated as a + uid). Both the comment character and any text after it, up to the end of + the line, are ignored. + + The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to + succeed. It can be used wherever one might otherwise use a Cmnd_Alias, + User_Alias, Runas_Alias, or Host_Alias. You should not try to define + your own _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be dangerous + since in a command context, it allows the user to run aannyy command on the + system. + + An exclamation point (`!') can be used as a logical _n_o_t operator both in + an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain + values. Note, however, that using a `!' in conjunction with the built-in + AALLLL alias to allow a user to run ``all but a few'' commands rarely works + as intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). + + Long lines can be continued with a backslash (`\') as the last character + on the line. + + White space between elements in a list as well as special syntactic + characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional. + + The following characters must be escaped with a backslash (`\') when used + as part of a word (e.g. a user name or host name): `!', `=', `:', `,', + `(', `)', `\'. SSUUDDOOEERRSS OOPPTTIIOONNSS - ssuuddoo's behavior can be modified by Default_Entry lines, as explained - earlier. A list of all supported Defaults parameters, grouped by type, - are listed below. + ssuuddoo's behavior can be modified by Default_Entry lines, as explained + earlier. A list of all supported Defaults parameters, grouped by type, + are listed below. - BBoooolleeaann FFllaaggss: + BBoooolleeaann FFllaaggss: - always_set_home If enabled, ssuuddoo will set the HOME environment variable + always_set_home If enabled, ssuuddoo will set the HOME environment variable to the home directory of the target user (which is root unless the --uu option is used). This effectively means that the --HH option is always implied. Note that HOME @@ -551,24 +598,24 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. - authenticate If set, users must authenticate themselves via a + authenticate If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is _o_n by default. - closefrom_override + closefrom_override If set, the user may use ssuuddoo's --CC option which overrides the default starting point at which ssuuddoo begins closing open file descriptors. This flag is _o_f_f by default. - compress_io If set, and ssuuddoo is configured to log a command's input + compress_io If set, and ssuuddoo is configured to log a command's input or output, the I/O logs will be compressed using zzlliibb. This flag is _o_n by default when ssuuddoo is compiled with zzlliibb support. - env_editor If set, vviissuuddoo will use the value of the EDITOR or + env_editor If set, vviissuuddoo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to run any @@ -578,7 +625,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS use the EDITOR or VISUAL if they match a value specified in editor. This flag is _o_f_f by default. - env_reset If set, ssuuddoo will run the command in a minimal + env_reset If set, ssuuddoo will run the command in a minimal environment containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables. Any variables in the caller's environment that match @@ -591,64 +638,93 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS the PATH environment variable. This flag is _o_n by default. - fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- + fast_glob Normally, ssuuddoo uses the glob(3) function to do shell- style globbing when matching path names. However, - since it accesses the file system, _g_l_o_b(3) can take a + since it accesses the file system, glob(3) can take a long time to complete for some patterns, especially when the pattern references a network file system that - is mounted on demand (automounted). The _f_a_s_t___g_l_o_b - option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, + is mounted on demand (auto mounted). The _f_a_s_t___g_l_o_b + option causes ssuuddoo to use the fnmatch(3) function, which does not access the file system to do its matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match relative path names such as _._/_l_s or _._._/_b_i_n_/_l_s. This has security implications when path names that include globbing characters are used with - the negation operator, '!', as such rules can be + the negation operator, `!', as such rules can be trivially bypassed. As such, this option should not be used when _s_u_d_o_e_r_s contains rules that contain negated path names which include globbing characters. This flag is _o_f_f by default. - fqdn Set this flag if you want to put fully qualified host - names in the _s_u_d_o_e_r_s file. In other words, instead of - myhost you would use myhost.mydomain.edu. You may - still use the short form if you wish (and even mix the - two). Beware that turning on _f_q_d_n requires ssuuddoo to - make DNS lookups which may make ssuuddoo unusable if DNS - stops working (for example if the machine is not - plugged into the network). Also note that you must use - the host's official name as DNS knows it. That is, you - may not use a host alias (CNAME entry) due to - performance issues and the fact that there is no way to - get all aliases from DNS. If your machine's host name - (as returned by the hostname command) is already fully - qualified you shouldn't need to set _f_q_d_n. This flag is - _o_f_f by default. + fqdn Set this flag if you want to put fully qualified host + names in the _s_u_d_o_e_r_s file when the local host name (as + returned by the hostname command) does not contain the + domain name. In other words, instead of myhost you + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). This + option is only effective when the ``canonical'' host + name, as returned by the ggeettaaddddrriinnffoo() or + ggeetthhoossttbbyynnaammee() function, is a fully-qualified domain + name. This is usually the case when the system is + configured to use DNS for host name resolution. + + If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file + in preference to DNS, the ``canonical'' host name may + not be fully-qualified. The order that sources are + queried for hosts name resolution is usually specified + in the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, + _/_e_t_c_/_h_o_s_t_._c_o_n_f, or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f + file. In the _/_e_t_c_/_h_o_s_t_s file, the first host name of + the entry is considered to be the ``canonical'' name; + subsequent names are aliases that are not used by + ssuuddooeerrss. For example, the following hosts file line + for the machine ``xyzzy'' has the fully-qualified + domain name as the ``canonical'' host name, and the + short version as an alias. + + 192.168.1.1 xyzzy.sudo.ws xyzzy + + If the machine's hosts file entry is not formatted + properly, the _f_q_d_n option will not be effective if it + is queried before DNS. + + Beware that when using DNS for host name resolution, + turning on _f_q_d_n requires ssuuddooeerrss to make DNS lookups + which renders ssuuddoo unusable if DNS stops working (for + example if the machine is disconnected from the + network). Also note that just like with the hosts + file, you must use the ``canonical'' name as DNS knows + it. That is, you may not use a host alias (CNAME + entry) due to performance issues and the fact that + there is no way to get all aliases from DNS. + + This flag is _o_f_f by default. - ignore_dot If set, ssuuddoo will ignore "." or "" (current dir) in the - PATH environment variable; the PATH itself is not - modified. This flag is _o_f_f by default. + ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting + current directory) in the PATH environment variable; + the PATH itself is not modified. This flag is _o_f_f by + default. - ignore_local_sudoers + ignore_local_sudoers If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, - _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this + _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this option tells ssuuddoo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is _o_f_f by default. - insults If set, ssuuddoo will insult users when they enter an + insults If set, ssuuddoo will insult users when they enter an incorrect password. This flag is _o_f_f by default. - log_host If set, the host name will be logged in the (non- + log_host If set, the host name will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. - log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input @@ -657,7 +733,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Input is logged to the directory specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is included in the normal ssuuddoo - log line, prefixed with "TSID=". + log line, prefixed with ``TSID=''. Note that user input may contain sensitive information such as passwords (even if they are not echoed to the @@ -665,9 +741,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS unencrypted. In most cases, logging the command output via _l_o_g___o_u_t_p_u_t is all that is required. - log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and log all output that is sent to the screen, similar to - the _s_c_r_i_p_t(1) command. If the standard output or + the script(1) command. If the standard output or standard error is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that output is also captured and stored in @@ -676,51 +752,54 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Output is logged to the directory specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is included in the normal ssuuddoo - log line, prefixed with "TSID=". + log line, prefixed with ``TSID=''. - Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) + Output logs may be viewed with the sudoreplay(1m) utility, which can also be used to list or search the available logs. - log_year If set, the four-digit year will be logged in the (non- + log_year If set, the four-digit year will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. - long_otp_prompt When validating with a One Time Password (OTP) scheme + long_otp_prompt When validating with a One Time Password (OTP) scheme such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is _o_f_f by default. - mail_always Send mail to the _m_a_i_l_t_o user every time a users runs + mail_always Send mail to the _m_a_i_l_t_o user every time a users runs ssuuddoo. This flag is _o_f_f by default. - mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo - does not enter the correct password. This flag is _o_f_f - by default. + mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo + does not enter the correct password. If the command + the user is attempting to run is not permitted by + _s_u_d_o_e_r_s and one of the _m_a_i_l___a_l_w_a_y_s, _m_a_i_l___n_o___h_o_s_t, + _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are set, this flag + will have no effect. This flag is _o_f_f by default. - mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user exists in the _s_u_d_o_e_r_s file, but is not allowed to run commands on the current host. This flag is _o_f_f by default. - mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user is allowed to use ssuuddoo but the command they are trying is not listed in their _s_u_d_o_e_r_s file entry or is explicitly denied. This flag is _o_f_f by default. - mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user is not in the _s_u_d_o_e_r_s file. This flag is _o_n by default. - noexec If set, all commands run via ssuuddoo will behave as if the + noexec If set, all commands run via ssuuddoo will behave as if the NOEXEC tag has been set, unless overridden by a EXEC tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as - well as the "PREVENTING SHELL ESCAPES" section at the - end of this manual. This flag is _o_f_f by default. + well as the _P_r_e_v_e_n_t_i_n_g _S_h_e_l_l _E_s_c_a_p_e_s section at the end + of this manual. This flag is _o_f_f by default. - path_info Normally, ssuuddoo will tell the user when a command could + path_info Normally, ssuuddoo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of executables that @@ -730,21 +809,22 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS not allowed to run it, which can be confusing. This flag is _o_n by default. - passprompt_override + passprompt_override The password prompt specified by _p_a_s_s_p_r_o_m_p_t will normally only be used if the password prompt provided - by systems such as PAM matches the string "Password:". - If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always - be used. This flag is _o_f_f by default. + by systems such as PAM matches the string + ``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, + _p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by + default. - preserve_groups By default, ssuuddoo will initialize the group vector to + preserve_groups By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. This flag is _o_f_f by default. - pwfeedback By default, ssuuddoo reads the password like most other + pwfeedback By default, ssuuddoo reads the password like most other Unix programs, by turning off echo until the user hits the return (or enter) key. Some users become confused by this as it appears to them that ssuuddoo has hung at @@ -754,31 +834,31 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS able to determine the length of the password being entered. This flag is _o_f_f by default. - requiretty If set, ssuuddoo will only run when the user is logged in + requiretty If set, ssuuddoo will only run when the user is logged in to a real tty. When this flag is set, ssuuddoo can only be run from a login session and not via other means such - as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by + as cron(1m) or cgi-bin scripts. This flag is _o_f_f by default. - root_sudo If set, root is allowed to run ssuuddoo too. Disabling - this prevents users from "chaining" ssuuddoo commands to - get a root shell by doing something like "sudo sudo - /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o + root_sudo If set, root is allowed to run ssuuddoo too. Disabling + this prevents users from ``chaining'' ssuuddoo commands to + get a root shell by doing something like ``sudo sudo + /bin/sh''. Note, however, that turning off _r_o_o_t___s_u_d_o will also prevent root from running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no real additional security; it exists purely for historical reasons. This flag is _o_n by default. - rootpw If set, ssuuddoo will prompt for the root password instead + rootpw If set, ssuuddoo will prompt for the root password instead of the password of the invoking user. This flag is _o_f_f by default. - runaspw If set, ssuuddoo will prompt for the password of the user + runaspw If set, ssuuddoo will prompt for the password of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) instead of the password of the invoking user. This flag is _o_f_f by default. - set_home If enabled and ssuuddoo is invoked with the --ss option the + set_home If enabled and ssuuddoo is invoked with the --ss option the HOME environment variable will be set to the home directory of the target user (which is root unless the --uu option is used). This effectively makes the --ss @@ -788,7 +868,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS _e_n_v___r_e_s_e_t is disabled or HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. - set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME + set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME environment variables to the name of the target user (usually root unless the --uu option is given). However, since some programs (including the RCS revision control @@ -799,22 +879,22 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS disabled, entries in the _e_n_v___k_e_e_p list will override the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default. - setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the - command line. Additionally, environment variables set - via the command line are not subject to the - restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or - _e_n_v___k_e_e_p. As such, only trusted users should be - allowed to set variables in this manner. This flag is - _o_f_f by default. + setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the + command line via the --EE option. Additionally, + environment variables set via the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, + _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users + should be allowed to set variables in this manner. + This flag is _o_f_f by default. - shell_noargs If set and ssuuddoo is invoked with no arguments it acts as + shell_noargs If set and ssuuddoo is invoked with no arguments it acts as if the --ss option had been given. That is, it runs a shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). This flag is _o_f_f by default. - stay_setuid Normally, when ssuuddoo executes a command the real and + stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In @@ -822,24 +902,24 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS This can be useful on systems that disable some potentially dangerous functionality when a program is run setuid. This option is only effective on systems - with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. - This flag is _o_f_f by default. + that support either the setreuid(2) or setresuid(2) + system call. This flag is _o_f_f by default. - targetpw If set, ssuuddoo will prompt for the password of the user + targetpw If set, ssuuddoo will prompt for the password of the user specified by the --uu option (defaults to root) instead of the password of the invoking user. In addition, the - timestamp file name will include the target user's + time stamp file name will include the target user's name. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the --uu option. This flag is _o_f_f by default. - tty_tickets If set, users must authenticate on a per-tty basis. + tty_tickets If set, users must authenticate on a per-tty basis. With this flag enabled, ssuuddoo will use a file named for the tty the user is logged in on in the user's time stamp directory. If disabled, the time stamp of the directory is used instead. This flag is _o_n by default. - umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s + umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s without modification. This makes it possible to specify a more permissive umask in _s_u_d_o_e_r_s than the user's own umask and matches historical behavior. If @@ -847,170 +927,182 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS be the union of the user's umask and what is specified in _s_u_d_o_e_r_s. This flag is _o_f_f by default. - use_loginclass If set, ssuuddoo will apply the defaults specified for the + use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only available if ssuuddoo is configured with the --with-logincap option. This flag is _o_f_f by default. - use_pty If set, ssuuddoo will run the command in a pseudo-pty even + use_pty If set, ssuuddoo will run the command in a pseudo-pty even if no I/O logging is being gone. A malicious program run under ssuuddoo could conceivably fork a background process that retains to the user's terminal device after the main program has finished executing. Use of - this option will make that impossible. + this option will make that impossible. This flag is + _o_f_f by default. - visiblepw By default, ssuuddoo will refuse to run if the user must + visiblepw By default, ssuuddoo will refuse to run if the user must enter a password but it is not possible to disable echo on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo will prompt for a password even when it would be visible on the screen. This makes it possible to run - things like "ssh somehost sudo ls" since by default, - _s_s_h(1) does not allocate a tty when running a command. + things like ``ssh somehost sudo ls'' since by default, + ssh(1) does not allocate a tty when running a command. This flag is _o_f_f by default. - IInntteeggeerrss: + IInntteeggeerrss: - closefrom Before it executes a command, ssuuddoo will close all open + closefrom Before it executes a command, ssuuddoo will close all open file descriptors other than standard input, standard output and standard error (ie: file descriptors 0-2). The _c_l_o_s_e_f_r_o_m option can be used to specify a different file descriptor at which to start closing. The default is 3. - passwd_tries The number of tries a user gets to enter his/her + passwd_tries The number of tries a user gets to enter his/her password before ssuuddoo logs the failure and exits. The default is 3. - IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - loglinelen Number of characters per line for the file log. This + loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is 80 (use 0 or negate the option to disable word wrap). - passwd_timeout Number of minutes before the ssuuddoo password prompt times + passwd_timeout Number of minutes before the ssuuddoo password prompt times out, or 0 for no timeout. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. - timestamp_timeout + timestamp_timeout Number of minutes that can elapse before ssuuddoo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. Set this to 0 to always prompt for a password. If set to a - value less than 0 the user's timestamp will never + value less than 0 the user's time stamp will never expire. This can be used to allow users to create or - delete their own timestamps via sudo -v and sudo -k - respectively. + delete their own time stamps via ``sudo -v'' and ``sudo + -k'' respectively. - umask Umask to use when running the command. Negate this + umask Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The actual umask that is used will be the union of the user's umask and the value of the _u_m_a_s_k option, which defaults to 0022. This guarantees that ssuuddoo never - lowers the umask when running a command. Note on + lowers the umask when running a command. Note: on systems that use PAM, the default PAM configuration may specify its own umask which will override the value set in _s_u_d_o_e_r_s. - SSttrriinnggss: + SSttrriinnggss: - badpass_message Message that is displayed if a user enters an incorrect + badpass_message Message that is displayed if a user enters an incorrect password. The default is Sorry, try again. unless insults are enabled. - editor A colon (':') separated list of editors allowed to be + editor A colon (`:') separated list of editors allowed to be used with vviissuuddoo. vviissuuddoo will choose the editor that matches the user's EDITOR environment variable if possible, or the first editor in the list that exists - and is executable. The default is "vi". + and is executable. The default is _v_i. - iolog_dir The directory in which to store input/output logs when + iolog_dir The directory in which to store input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a - command. The default is "/var/log/sudo-io". + command. The default is _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. - mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape - %h will expand to the host name of the machine. - Default is "*** SECURITY information for %h ***". + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The + escape %h will expand to the host name of the machine. + Default is ``*** SECURITY information for %h ***''. - noexec_file Path to a shared library containing dummy versions of - the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions + noexec_file The _n_o_e_x_e_c option specifies the the fully-qualified + path to a shared library containing dummy versions of + the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library functions that just return an error. This is used to implement the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. - passprompt The default prompt to use when asking for a password; + passprompt The default prompt to use when asking for a password; can be overridden via the --pp option or the SUDO_PROMPT environment variable. The following percent (`%') - escapes are supported: + escape sequences are supported: + + %H expanded to the local host name including the + domain name (only if the machine's host name is + fully qualified or the _f_q_d_n option is set) - %H expanded to the local host name including the - domain name (on if the machine's host name is fully - qualified or the _f_q_d_n option is set) + %h expanded to the local host name without the + domain name - %h expanded to the local host name without the domain - name + %p expanded to the user whose password is being + asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and + _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s) - %p expanded to the user whose password is being asked - for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w - flags in _s_u_d_o_e_r_s) + %U expanded to the login name of the user the + command will be run as (defaults to root) - %U expanded to the login name of the user the command - will be run as (defaults to root) + %u expanded to the invoking user's login name - %u expanded to the invoking user's login name + %% two consecutive % characters are collapsed into a + single % character - %% two consecutive % characters are collapsed into a - single % character + The default value is ``Password:''. - The default value is "Password:". + privs The default Solaris privileges to use when constructing + a new privilege set for a command. This is passed to + the executing process via the inherited privilege set, + but is bounded by the limit privileges. If the _p_r_i_v_s + option is specified but the _l_i_m_i_t_p_r_i_v_s option is not, + the limit privileges of the executing process is set to + _p_r_i_v_s. The default privileges may be overridden on a + per-command basis in _s_u_d_o_e_r_s. This option is only + available if ssuuddooeerrss is built on Solaris 10 or higher. - role The default SELinux role to use when constructing a new + role The default SELinux role to use when constructing a new security context to run the command. The default role may be overridden on a per-command basis in _s_u_d_o_e_r_s or via command line options. This option is only - available whe ssuuddoo is built with SELinux support. + available when ssuuddoo is built with SELinux support. - runas_default The default user to run commands as if the --uu option is + runas_default The default user to run commands as if the --uu option is not specified on the command line. This defaults to root. - syslog_badpri Syslog priority to use when user authenticates + syslog_badpri Syslog priority to use when user authenticates unsuccessfully. Defaults to alert. The following syslog priorities are supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and wwaarrnniinngg. - syslog_goodpri Syslog priority to use when user authenticates + syslog_goodpri Syslog priority to use when user authenticates successfully. Defaults to notice. - See syslog_badpri for the list of supported syslog + See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog priorities. - sudoers_locale Locale to use when parsing the sudoers file, logging + sudoers_locale Locale to use when parsing the sudoers file, logging commands, and sending email. Note that changing the locale may affect how sudoers is interpreted. Defaults - to "C". + to ``C''. - timestampdir The directory in which ssuuddoo stores its timestamp files. - The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. + timestampdir The directory in which ssuuddoo stores its time stamp + files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. - timestampowner The owner of the timestamp directory and the timestamps - stored therein. The default is root. + timestampowner The owner of the time stamp directory and the time + stamps stored therein. The default is root. - type The default SELinux type to use when constructing a new + type The default SELinux type to use when constructing a new security context to run the command. The default type may be overridden on a per-command basis in _s_u_d_o_e_r_s or via command line options. This option is only - available whe ssuuddoo is built with SELinux support. + available when ssuuddoo is built with SELinux support. - SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a + askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a helper program used to read the user's password when no terminal is available. This may be the case when ssuuddoo is executed from a graphical (as opposed to text-based) @@ -1020,20 +1112,20 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment variable. - env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a + env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either - be of the form VARIABLE=value or export VARIABLE=value. - The value may optionally be surrounded by single or double - quotes. Variables in this file are subject to other ssuuddoo - environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. + be of the form ``VARIABLE=value'' or ``export + VARIABLE=value''. The value may optionally be surrounded + by single or double quotes. Variables in this file are + subject to other ssuuddoo environment settings such as _e_n_v___k_e_e_p + and _e_n_v___c_h_e_c_k. - exempt_group - Users in this group are exempt from password and PATH + exempt_group Users in this group are exempt from password and PATH requirements. The group name specified should not include a % prefix. This is not set by default. - lecture This option controls when a short lecture will be printed + lecture This option controls when a short lecture will be printed along with the password prompt. It has the following possible values: @@ -1047,67 +1139,66 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Negating the option results in a value of _n_e_v_e_r being used. The default value is _o_n_c_e. - lecture_file - Path to a file containing an alternate ssuuddoo lecture that + lecture_file Path to a file containing an alternate ssuuddoo lecture that will be used in place of the standard lecture if the named file exists. By default, ssuuddoo uses a built-in lecture. - listpw This option controls when a password will be required when + listpw This option controls when a password will be required when a user runs ssuuddoo with the --ll option. It has the following possible values: - all All the user's _s_u_d_o_e_r_s entries for the current host - must have the NOPASSWD flag set to avoid entering a - password. + all All the user's _s_u_d_o_e_r_s entries for the current + host must have the NOPASSWD flag set to avoid + entering a password. - always The user must always enter a password to use the --ll - option. + always The user must always enter a password to use the + --ll option. - any At least one of the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD flag set to - avoid entering a password. + any At least one of the user's _s_u_d_o_e_r_s entries for + the current host must have the NOPASSWD flag set + to avoid entering a password. - never The user need never enter a password to use the --ll - option. + never The user need never enter a password to use the + --ll option. If no value is specified, a value of _a_n_y is implied. Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_n_y. - logfile Path to the ssuuddoo log file (not the syslog log file). + logfile Path to the ssuuddoo log file (not the syslog log file). Setting a path turns on logging to a file; negating this option turns it off. By default, ssuuddoo logs via syslog. - mailerflags Flags to use when invoking mailer. Defaults to --tt. + mailerflags Flags to use when invoking mailer. Defaults to --tt. - mailerpath Path to mail program used to send warning mail. Defaults + mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. - mailfrom Address to use for the "from" address when sending warning - and error mail. The address should be enclosed in double - quotes ("") to protect against ssuuddoo interpreting the @ - sign. Defaults to the name of the user running ssuuddoo. + mailfrom Address to use for the ``from'' address when sending + warning and error mail. The address should be enclosed in + double quotes ("") to protect against ssuuddoo interpreting the + @ sign. Defaults to the name of the user running ssuuddoo. - mailto Address to send warning and error mail to. The address + mailto Address to send warning and error mail to. The address should be enclosed in double quotes ("") to protect against ssuuddoo interpreting the @ sign. Defaults to root. - secure_path Path used for every command run from ssuuddoo. If you don't + secure_path Path used for every command run from ssuuddoo. If you don't trust the people running ssuuddoo to have a sane PATH environment variable you may want to use this. Another use - is if you want to have the "root path" be separate from the - "user path." Users in the group specified by the + is if you want to have the ``root path'' be separate from + the ``user path''. Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This option is not set by default. - syslog Syslog facility if syslog is being used for logging (negate + syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to auth. The following syslog facilities are supported: aauutthhpprriivv (if your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77. - verifypw This option controls when a password will be required when + verifypw This option controls when a password will be required when a user runs ssuuddoo with the --vv option. It has the following possible values: @@ -1129,10 +1220,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_l_l. - LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - env_check Environment variables to be removed from the user's - environment if the variable's value contains % or / + env_check Environment variables to be removed from the user's + environment if the variable's value contains `%' or `/' characters. This can be used to guard against printf- style format vulnerabilities in poorly-written programs. The argument may be a double-quoted, space- @@ -1146,7 +1237,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS environment variables to check is displayed when ssuuddoo is run by root with the --VV option. - env_delete Environment variables to be removed from the user's + env_delete Environment variables to be removed from the user's environment when the _e_n_v___r_e_s_e_t option is not in effect. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list @@ -1158,7 +1249,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS potentially dangerous variables from the environment of any setuid process (such as ssuuddoo). - env_keep Environment variables to be preserved in the user's + env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained control over the environment ssuuddoo-spawned processes will receive. The argument may @@ -1170,319 +1261,316 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS with the --VV option. FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_e_t_c_/_g_r_o_u_p Local groups file + _/_e_t_c_/_g_r_o_u_p Local groups file - _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files EEXXAAMMPPLLEESS - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit - contrived. First, we allow a few environment variables to pass and - then define our _a_l_i_a_s_e_s: - - # Run X applications through sudo; HOME is used to find the - # .Xauthority file. Note that other programs use HOME to find - # configuration files and this may lead to privilege escalation! - Defaults env_keep += "DISPLAY HOME" - - # User alias specification - User_Alias FULLTIMERS = millert, mikef, dowdy - User_Alias PARTTIMERS = bostley, jwfox, crawl - User_Alias WEBMASTERS = will, wendy, wim - - # Runas alias specification - Runas_Alias OP = root, operator - Runas_Alias DB = oracle, sybase - Runas_Alias ADMINGRP = adm, oper - - # Host alias specification - Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns - Host_Alias CDROM = orion, perseus, hercules - - # Cmnd alias specification - Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ - /usr/sbin/restore, /usr/sbin/rrestore - Cmnd_Alias KILL = /usr/bin/kill - Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm - Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown - Cmnd_Alias HALT = /usr/sbin/halt - Cmnd_Alias REBOOT = /usr/sbin/reboot - Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ - /usr/local/bin/tcsh, /usr/bin/rsh,\ - /usr/local/bin/zsh - Cmnd_Alias SU = /usr/bin/su - Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit + contrived. First, we allow a few environment variables to pass and then + define our _a_l_i_a_s_e_s: + + # Run X applications through sudo; HOME is used to find the + # .Xauthority file. Note that other programs use HOME to find + # configuration files and this may lead to privilege escalation! + Defaults env_keep += "DISPLAY HOME" + + # User alias specification + User_Alias FULLTIMERS = millert, mikef, dowdy + User_Alias PARTTIMERS = bostley, jwfox, crawl + User_Alias WEBMASTERS = will, wendy, wim + + # Runas alias specification + Runas_Alias OP = root, operator + Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper + + # Host alias specification + Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns + Host_Alias CDROM = orion, perseus, hercules + + # Cmnd alias specification + Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ + /usr/sbin/restore, /usr/sbin/rrestore + Cmnd_Alias KILL = /usr/bin/kill + Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm + Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown + Cmnd_Alias HALT = /usr/sbin/halt + Cmnd_Alias REBOOT = /usr/sbin/reboot + Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ + /usr/local/bin/tcsh, /usr/bin/rsh,\ + /usr/local/bin/zsh + Cmnd_Alias SU = /usr/bin/su + Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - Here we override some of the compiled in default values. We want ssuuddoo - to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't - want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt - need not give a password, and we don't want to reset the LOGNAME, USER - or USERNAME environment variables when running commands as root. - Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an - additional local log file and make sure we log the year in each log - line since the log entries will be kept around for several years. - Lastly, we disable shell escapes for the commands in the PAGERS - Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). + Here we override some of the compiled in default values. We want ssuuddoo to + log via syslog(3) using the _a_u_t_h facility in all cases. We don't want to + subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not + give a password, and we don't want to reset the LOGNAME, USER or USERNAME + environment variables when running commands as root. Additionally, on + the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log + file and make sure we log the year in each log line since the log entries + will be kept around for several years. Lastly, we disable shell escapes + for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and + _/_u_s_r_/_b_i_n_/_l_e_s_s). - # Override built-in defaults - Defaults syslog=auth - Defaults>root !set_logname - Defaults:FULLTIMERS !lecture - Defaults:millert !authenticate - Defaults@SERVERS log_year, logfile=/var/log/sudo.log - Defaults!PAGERS noexec + # Override built-in defaults + Defaults syslog=auth + Defaults>root !set_logname + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + Defaults!PAGERS noexec - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run - what. + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run + what. - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL - We let rroooott and any user in group wwhheeeell run any command on any host as - any user. + We let rroooott and any user in group wwhheeeell run any command on any host as + any user. - FULLTIMERS ALL = NOPASSWD: ALL + FULLTIMERS ALL = NOPASSWD: ALL - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on - any host without authenticating themselves. + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on + any host without authenticating themselves. - PARTTIMERS ALL = ALL + PARTTIMERS ALL = ALL - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on - any host but they must authenticate themselves first (since the entry - lacks the NOPASSWD tag). + Part time sysadmins bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any + host but they must authenticate themselves first (since the entry lacks + the NOPASSWD tag). - jack CSNETS = ALL + jack CSNETS = ALL - The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias - (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of - those networks, only 128.138.204.0 has an explicit netmask (in CIDR - notation) indicating it is a class C network. For the other networks - in _C_S_N_E_T_S, the local machine's netmask will be used during matching. + The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias + (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those + networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) + indicating it is a class C network. For the other networks in _C_S_N_E_T_S, + the local machine's netmask will be used during matching. - lisa CUNETS = ALL + lisa CUNETS = ALL - The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the - class B network 128.138.0.0). + The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the + class B network 128.138.0.0). - operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ - sudoedit /etc/printcap, /usr/oper/bin/ + operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ - The ooppeerraattoorr user may run commands limited to simple maintenance. - Here, those are commands related to backups, killing processes, the - printing system, shutting down the system, and any commands in the - directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. + The ooppeerraattoorr user may run commands limited to simple maintenance. Here, + those are commands related to backups, killing processes, the printing + system, shutting down the system, and any commands in the directory + _/_u_s_r_/_o_p_e_r_/_b_i_n_/. - joe ALL = /usr/bin/su operator + joe ALL = /usr/bin/su operator - The user jjooee may only _s_u(1) to operator. + The user jjooee may only su(1) to operator. - pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root - %opers ALL = (: ADMINGRP) /usr/sbin/ + %opers ALL = (: ADMINGRP) /usr/sbin/ - Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves - with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). + Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves + with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). - The user ppeettee is allowed to change anyone's password except for root on - the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take - multiple user names on the command line. + The user ppeettee is allowed to change anyone's password except for root on + the _H_P_P_A machines. Note that this assumes passwd(1) does not take + multiple user names on the command line. - bob SPARC = (OP) ALL : SGI = (OP) ALL + bob SPARC = (OP) ALL : SGI = (OP) ALL - The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user - listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). + The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user + listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr.) - jim +biglab = ALL + jim +biglab = ALL - The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that ``biglab'' is a netgroup due to the `+' prefix. - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the printers as - well as add and remove users, so they are allowed to run those commands - on all machines. + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands + on all machines. - fred ALL = (DB) NOPASSWD: ALL + fred ALL = (DB) NOPASSWD: ALL - The user ffrreedd can run commands as any user in the _D_B Runas_Alias - (oorraaccllee or ssyybbaassee) without giving a password. + The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee + or ssyybbaassee) without giving a password. - john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is - not allowed to specify any options to the _s_u(1) command. + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is + not allowed to specify any options to the su(1) command. - jen ALL, !SERVERS = ALL + jen ALL, !SERVERS = ALL - The user jjeenn may run any command on any machine except for those in the - _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). + The user jjeenn may run any command on any machine except for those in the + _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). - jill SERVERS = /usr/bin/, !SU, !SHELLS + jill SERVERS = /usr/bin/, !SU, !SHELLS - For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in - the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U - and _S_H_E_L_L_S Cmnd_Aliases. + For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in + the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and + _S_H_E_L_L_S Cmnd_Aliases. - steve CSNETS = (operator) /usr/local/op_commands/ + steve CSNETS = (operator) /usr/local/op_commands/ - The user sstteevvee may run any command in the directory - /usr/local/op_commands/ but only as user operator. + The user sstteevvee may run any command in the directory + /usr/local/op_commands/ but only as user operator. - matt valkyrie = KILL + matt valkyrie = KILL - On his personal workstation, valkyrie, mmaatttt needs to be able to kill - hung processes. + On his personal workstation, valkyrie, mmaatttt needs to be able to kill hung + processes. - WEBMASTERS www = (www) ALL, (root) /usr/bin/su www + WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, - and wim), may run any command as user www (which owns the web pages) or - simply _s_u(1) to www. + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, and + wim), may run any command as user www (which owns the web pages) or + simply su(1) to www. - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM - Any user may mount or unmount a CD-ROM on the machines in the CDROM - Host_Alias (orion, perseus, hercules) without entering a password. - This is a bit tedious for users to type, so it is a prime candidate for - encapsulating in a shell script. + Any user may mount or unmount a CD-ROM on the machines in the CDROM + Host_Alias (orion, perseus, hercules) without entering a password. This + is a bit tedious for users to type, so it is a prime candidate for + encapsulating in a shell script. SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from ALL using the - '!' operator. A user can trivially circumvent this by copying the - desired command to a different name and then executing that. For - example: - - bill ALL = ALL, !SU, !SHELLS - - Doesn't really prevent bbiillll from running the commands listed in _S_U or - _S_H_E_L_L_S since he can simply copy those commands to a different name, or - use a shell escape from an editor or other program. Therefore, these - kind of restrictions should be considered advisory at best (and - reinforced by policy). - - Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to - reliably negate commands where the path name includes globbing (aka - wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3) - function cannot resolve relative paths. While this is typically only - an inconvenience for rules that grant privileges, it can result in a - security issue for rules that subtract or revoke privileges. - - For example, given the following _s_u_d_o_e_r_s entry: - - john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ - /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root - - User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by - changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. - -PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS - Once ssuuddoo executes a program, that program is free to do whatever it - pleases, including run other programs. This can be a security issue - since it is not uncommon for a program to allow shell escapes, which - lets a user bypass ssuuddoo's access control and logging. Common programs - that permit shell escapes include shells (obviously), editors, - paginators, mail and terminal programs. - - There are two basic approaches to this problem: - - restrict Avoid giving users access to commands that allow the user to - run arbitrary commands. Many editors have a restricted mode - where shell escapes are disabled, though ssuuddooeeddiitt is a better - solution to running editors via ssuuddoo. Due to the large - number of programs that offer shell escapes, restricting - users to the set of programs that do not is often unworkable. - - noexec Many systems that support shared libraries have the ability - to override default library functions by pointing an - environment variable (usually LD_PRELOAD) to an alternate - shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality - can be used to prevent a program run by ssuuddoo from executing - any other programs. Note, however, that this applies only to - native dynamically-linked executables. Statically-linked - executables and foreign executables running under binary - emulation are not affected. - - To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the - following as root: - - sudo -V | grep "dummy exec" - - If the resulting output contains a line that begins with: - - File containing dummy exec functions: - - then ssuuddoo may be able to replace the exec family of functions - in the standard library with its own that simply return an - error. Unfortunately, there is no foolproof way to know - whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c - should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, - MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and - UnixWare. _n_o_e_x_e_c is expected to work on most operating - systems that support the LD_PRELOAD environment variable. - Check your operating system's manual pages for the dynamic - linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) - to see if LD_PRELOAD is supported. - - To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as - documented in the User Specification section above. Here is - that example again: - - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - - This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i - with _n_o_e_x_e_c enabled. This will prevent those two commands - from executing other commands (such as a shell). If you are - unsure whether or not your system is capable of supporting - _n_o_e_x_e_c you can always just try it out and see if it works. - - Note that restricting shell escapes is not a panacea. Programs running - as root are still capable of many potentially hazardous operations - (such as changing or overwriting files) that could lead to unintended - privilege escalation. In the specific case of an editor, a safer - approach is to give the user permission to run ssuuddooeeddiitt. + LLiimmiittaattiioonnss ooff tthhee ``!!'' ooppeerraattoorr + It is generally not effective to ``subtract'' commands from AALLLL using the + `!' operator. A user can trivially circumvent this by copying the + desired command to a different name and then executing that. For + example: + + bill ALL = ALL, !SU, !SHELLS + + Doesn't really prevent bbiillll from running the commands listed in _S_U or + _S_H_E_L_L_S since he can simply copy those commands to a different name, or + use a shell escape from an editor or other program. Therefore, these + kind of restrictions should be considered advisory at best (and + reinforced by policy). + + In general, if a user has sudo AALLLL there is nothing to prevent them from + creating their own program that gives them a root shell (or making their + own copy of a shell) regardless of any `!' elements in the user + specification. + + SSeeccuurriittyy iimmpplliiccaattiioonnss ooff _f_a_s_t___g_l_o_b + If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate + commands where the path name includes globbing (aka wildcard) characters. + This is because the C library's fnmatch(3) function cannot resolve + relative paths. While this is typically only an inconvenience for rules + that grant privileges, it can result in a security issue for rules that + subtract or revoke privileges. + + For example, given the following _s_u_d_o_e_r_s entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + + User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by + changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. + + PPrreevveennttiinngg SShheellll EEssccaappeess + Once ssuuddoo executes a program, that program is free to do whatever it + pleases, including run other programs. This can be a security issue + since it is not uncommon for a program to allow shell escapes, which lets + a user bypass ssuuddoo's access control and logging. Common programs that + permit shell escapes include shells (obviously), editors, paginators, + mail and terminal programs. + + There are two basic approaches to this problem: + + restrict Avoid giving users access to commands that allow the user to + run arbitrary commands. Many editors have a restricted mode + where shell escapes are disabled, though ssuuddooeeddiitt is a better + solution to running editors via ssuuddoo. Due to the large number + of programs that offer shell escapes, restricting users to the + set of programs that do not is often unworkable. + + noexec Many systems that support shared libraries have the ability to + override default library functions by pointing an environment + variable (usually LD_PRELOAD) to an alternate shared library. + On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to + prevent a program run by ssuuddoo from executing any other + programs. Note, however, that this applies only to native + dynamically-linked executables. Statically-linked executables + and foreign executables running under binary emulation are not + affected. + + The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD, + Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and + above. It should be supported on most operating systems that + support the LD_PRELOAD environment variable. Check your + operating system's manual pages for the dynamic linker (usually + ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if + LD_PRELOAD is supported. + + On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges + instead of the LD_PRELOAD environment variable. + + To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as + documented in the User Specification section above. Here is + that example again: + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i + with _n_o_e_x_e_c enabled. This will prevent those two commands from + executing other commands (such as a shell). If you are unsure + whether or not your system is capable of supporting _n_o_e_x_e_c you + can always just try it out and check whether shell escapes work + when _n_o_e_x_e_c is enabled. + + Note that restricting shell escapes is not a panacea. Programs running + as root are still capable of many potentially hazardous operations (such + as changing or overwriting files) that could lead to unintended privilege + escalation. In the specific case of an editor, a safer approach is to + give the user permission to run ssuuddooeeddiitt. SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) + ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), + sudoers.ldap(4), sudo(1m), visudo(1m) CCAAVVEEAATTSS - The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which - locks the file and does grammatical checking. It is imperative that - _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a - syntactically incorrect _s_u_d_o_e_r_s file. + The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which + locks the file and does grammatical checking. It is imperative that + _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a + syntactically incorrect _s_u_d_o_e_r_s file. - When using netgroups of machines (as opposed to users), if you store - fully qualified host name in the netgroup (as is usually the case), you - either need to have the machine's host name be fully qualified as - returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. + When using netgroups of machines (as opposed to users), if you store + fully qualified host name in the netgroup (as is usually the case), you + either need to have the machine's host name be fully qualified as + returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. - - + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. -1.7.10 July 18, 2012 SUDOERS(4) +Sudo 1.7.10 July 16, 2012 Sudo 1.7.10 diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 10b7c3dcf..be94b7b87 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -1,112 +1,109 @@ -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - +SUDOERS.LDAP(1m) System Manager's Manual SUDOERS.LDAP(1m) NNAAMMEE - sudoers.ldap - sudo LDAP configuration + ssuuddooeerrss..llddaapp - sudo LDAP configuration DDEESSCCRRIIPPTTIIOONN - In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via - LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a - large, distributed environment. - - Using LDAP for _s_u_d_o_e_r_s has several benefits: - - o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is - used, there are only two or three LDAP queries per invocation. - This makes it especially fast and particularly usable in LDAP - environments. - - o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not - possible to load LDAP data into the server that does not conform to - the sudoers schema, so proper syntax is guaranteed. It is still - possible to have typos in a user or host name, but this will not - prevent ssuuddoo from running. - - o It is possible to specify per-entry options that override the - global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options - and limited options associated with user/host/commands/aliases. - The syntax is complicated and can be difficult for users to - understand. Placing the options directly in the entry is more - natural. - - o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking - and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates - are atomic, locking is no longer necessary. Because syntax is - checked when the data is inserted into LDAP, there is no need for a - specialized tool to check syntax. - - Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in - LDAP, ssuuddoo-specific Aliases are not supported. - - For the most part, there is really no need for ssuuddoo-specific Aliases. - Unix groups or user netgroups can be used in place of User_Aliases and - Runas_Aliases. Host netgroups can be used in place of Host_Aliases. - Since Unix groups and netgroups can also be stored in LDAP there is no - real need for ssuuddoo-specific aliases. - - Cmnd_Aliases are not really required either since it is possible to - have multiple users listed in a sudoRole. Instead of defining a - Cmnd_Alias that is referenced by multiple users, one can create a - sudoRole that contains the commands and assign multiple users to it. + In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via + LDAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a + large, distributed environment. + + Using LDAP for _s_u_d_o_e_r_s has several benefits: + + oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is + used, there are only two or three LDAP queries per invocation. This + makes it especially fast and particularly usable in LDAP + environments. + + oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not + possible to load LDAP data into the server that does not conform to + the sudoers schema, so proper syntax is guaranteed. It is still + possible to have typos in a user or host name, but this will not + prevent ssuuddoo from running. + + oo It is possible to specify per-entry options that override the global + default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and + limited options associated with user/host/commands/aliases. The + syntax is complicated and can be difficult for users to understand. + Placing the options directly in the entry is more natural. + + oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and + syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are + atomic, locking is no longer necessary. Because syntax is checked + when the data is inserted into LDAP, there is no need for a + specialized tool to check syntax. + + Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in + LDAP, ssuuddoo-specific Aliases are not supported. + + For the most part, there is really no need for ssuuddoo-specific Aliases. + Unix groups or user netgroups can be used in place of User_Aliases and + Runas_Aliases. Host netgroups can be used in place of Host_Aliases. + Since Unix groups and netgroups can also be stored in LDAP there is no + real need for ssuuddoo-specific aliases. + + Cmnd_Aliases are not really required either since it is possible to have + multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias + that is referenced by multiple users, one can create a sudoRole that + contains the commands and assign multiple users to it. SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr - The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP - container. - - Sudo first looks for the cn=default entry in the SUDOers container. If - found, the multi-valued sudoOption attribute is parsed in the same - manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following - example, the SSH_AUTH_SOCK variable will be preserved in the - environment for all users. - - dn: cn=defaults,ou=SUDOers,dc=example,dc=com - objectClass: top - objectClass: sudoRole - cn: defaults - description: Default sudoOption's go here - sudoOption: env_keep+=SSH_AUTH_SOCK - - The equivalent of a sudoer in LDAP is a sudoRole. It consists of the - following attributes: - - ssuuddooUUsseerr - A user name, uid (prefixed with '#'), Unix group (prefixed with a - '%') or user netgroup (prefixed with a '+'). - - ssuuddooHHoosstt + The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container. + + Sudo first looks for the cn=default entry in the SUDOers container. If + found, the multi-valued sudoOption attribute is parsed in the same manner + as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the + SSH_AUTH_SOCK variable will be preserved in the environment for all + users. + + dn: cn=defaults,ou=SUDOers,dc=example,dc=com + objectClass: top + objectClass: sudoRole + cn: defaults + description: Default sudoOption's go here + sudoOption: env_keep+=SSH_AUTH_SOCK + + The equivalent of a sudoer in LDAP is a sudoRole. It consists of the + following attributes: + + ssuuddooUUsseerr + A user name, user ID (prefixed with `#'), Unix group (prefixed with + `%'), Unix group ID (prefixed with `%#'), or user netgroup + (prefixed with `+'). + + ssuuddooHHoosstt A host name, IP address, IP network, or host netgroup (prefixed - with a '+'). The special value ALL will match any host. + with a `+'). The special value ALL will match any host. - ssuuddooCCoommmmaanndd + ssuuddooCCoommmmaanndd A Unix command with optional command line arguments, potentially including globbing characters (aka wild cards). The special value ALL will match any command. If a command is prefixed with an - exclamation point '!', the user will be prohibited from running + exclamation point `!', the user will be prohibited from running that command. - ssuuddooOOppttiioonn + ssuuddooOOppttiioonn Identical in function to the global options described above, but specific to the sudoRole in which it resides. - ssuuddooRRuunnAAssUUsseerr - A user name or uid (prefixed with '#') that commands may be run as - or a Unix group (prefixed with a '%') or user netgroup (prefixed - with a '+') that contains a list of users that commands may be run + ssuuddooRRuunnAAssUUsseerr + A user name or uid (prefixed with `#') that commands may be run as + or a Unix group (prefixed with a `%') or user netgroup (prefixed + with a `+') that contains a list of users that commands may be run as. The special value ALL will match any user. The sudoRunAsUser attribute is only available in ssuuddoo versions 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs attribute instead. - ssuuddooRRuunnAAssGGrroouupp - A Unix group or gid (prefixed with '#') that commands may be run + ssuuddooRRuunnAAssGGrroouupp + A Unix group or gid (prefixed with `#') that commands may be run as. The special value ALL will match any group. The sudoRunAsGroup attribute is only available in ssuuddoo versions 1.7.0 and higher. - ssuuddooNNoottBBeeffoorree + ssuuddooNNoottBBeeffoorree A timestamp in the form yyyymmddHHMMSSZ that can be used to provide a start date/time for when the sudoRole will be valid. If multiple sudoNotBefore entries are present, the earliest is used. Note that @@ -119,7 +116,7 @@ DDEESSCCRRIIPPTTIIOONN 1.7.5 and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. - ssuuddooNNoottAAfftteerr + ssuuddooNNoottAAfftteerr A timestamp in the form yyyymmddHHMMSSZ that indicates an expiration date/time, after which the sudoRole will no longer be valid. If multiple sudoNotBefore entries are present, the last one @@ -132,7 +129,7 @@ DDEESSCCRRIIPPTTIIOONN and higher and must be explicitly enabled via the SSUUDDOOEERRSS__TTIIMMEEDD option in _/_e_t_c_/_l_d_a_p_._c_o_n_f. - ssuuddooOOrrddeerr + ssuuddooOOrrddeerr The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort @@ -140,150 +137,149 @@ DDEESSCCRRIIPPTTIIOONN more closely mimic the behaviour of the sudoers file, where the of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This - corresponds to the "last match" behavior of the sudoers file. If + corresponds to the ``last match'' behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed. The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 and higher. - Each attribute listed above should contain a single value, but there - may be multiple instances of each attribute type. A sudoRole must - contain at least one sudoUser, sudoHost and sudoCommand. + Each attribute listed above should contain a single value, but there may + be multiple instances of each attribute type. A sudoRole must contain at + least one sudoUser, sudoHost and sudoCommand. - The following example allows users in group wheel to run any command on - any host via ssuuddoo: + The following example allows users in group wheel to run any command on + any host via ssuuddoo: - dn: cn=%wheel,ou=SUDOers,dc=example,dc=com - objectClass: top - objectClass: sudoRole - cn: %wheel - sudoUser: %wheel - sudoHost: ALL - sudoCommand: ALL + dn: cn=%wheel,ou=SUDOers,dc=example,dc=com + objectClass: top + objectClass: sudoRole + cn: %wheel + sudoUser: %wheel + sudoHost: ALL + sudoCommand: ALL AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp - When looking up a sudoer using LDAP there are only two or three LDAP - queries per invocation. The first query is to parse the global - options. The second is to match against the user's name and the groups - that the user belongs to. (The special ALL tag is matched in this - query too.) If no match is returned for the user's name and groups, a - third query returns all entries containing user netgroups and checks to - see if the user belongs to any of them. - - If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration - directive, the LDAP queries include a subfilter that limits retrieval - to entries that satisfy the time constraints, if any. + When looking up a sudoer using LDAP there are only two or three LDAP + queries per invocation. The first query is to parse the global options. + The second is to match against the user's name and the groups that the + user belongs to. (The special ALL tag is matched in this query too.) If + no match is returned for the user's name and groups, a third query + returns all entries containing user netgroups and checks to see if the + user belongs to any of them. + + If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration + directive, the LDAP queries include a subfilter that limits retrieval to + entries that satisfy the time constraints, if any. DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss - There are some subtle differences in the way sudoers is handled once in - LDAP. Probably the biggest is that according to the RFC, LDAP ordering - is arbitrary and you cannot expect that Attributes and Entries are - returned in any specific order. - - The order in which different entries are applied can be controlled - using the sudoOrder attribute, but there is no way to guarantee the - order of attributes within a specific entry. If there are conflicting - command rules in an entry, the negative takes precedence. This is - called paranoid behavior (not necessarily the most specific match). - - Here is an example: - - # /etc/sudoers: - # Allow all commands except shell - johnny ALL=(root) ALL,!/bin/sh - # Always allows all commands because ALL is matched last - puddles ALL=(root) !/bin/sh,ALL - - # LDAP equivalent of johnny - # Allows all commands except shell - dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role1 - sudoUser: johnny - sudoHost: ALL - sudoCommand: ALL - sudoCommand: !/bin/sh - - # LDAP equivalent of puddles - # Notice that even though ALL comes last, it still behaves like - # role1 since the LDAP code assumes the more paranoid configuration - dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role2 - sudoUser: puddles - sudoHost: ALL - sudoCommand: !/bin/sh - sudoCommand: ALL - - Another difference is that negations on the Host, User or Runas are - currently ignored. For example, the following attributes do not behave - the way one might expect. - - # does not match all but joe - # rather, does not match anyone - sudoUser: !joe - - # does not match all but joe - # rather, matches everyone including Joe - sudoUser: ALL - sudoUser: !joe - - # does not match all but web01 - # rather, matches all hosts including web01 - sudoHost: ALL - sudoHost: !web01 + There are some subtle differences in the way sudoers is handled once in + LDAP. Probably the biggest is that according to the RFC, LDAP ordering + is arbitrary and you cannot expect that Attributes and Entries are + returned in any specific order. + + The order in which different entries are applied can be controlled using + the sudoOrder attribute, but there is no way to guarantee the order of + attributes within a specific entry. If there are conflicting command + rules in an entry, the negative takes precedence. This is called + paranoid behavior (not necessarily the most specific match). + + Here is an example: + + # /etc/sudoers: + # Allow all commands except shell + johnny ALL=(root) ALL,!/bin/sh + # Always allows all commands because ALL is matched last + puddles ALL=(root) !/bin/sh,ALL + + # LDAP equivalent of johnny + # Allows all commands except shell + dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role1 + sudoUser: johnny + sudoHost: ALL + sudoCommand: ALL + sudoCommand: !/bin/sh + + # LDAP equivalent of puddles + # Notice that even though ALL comes last, it still behaves like + # role1 since the LDAP code assumes the more paranoid configuration + dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com + objectClass: sudoRole + objectClass: top + cn: role2 + sudoUser: puddles + sudoHost: ALL + sudoCommand: !/bin/sh + sudoCommand: ALL + + Another difference is that negations on the Host, User or Runas are + currently ignored. For example, the following attributes do not behave + the way one might expect. + + # does not match all but joe + # rather, does not match anyone + sudoUser: !joe + + # does not match all but joe + # rather, matches everyone including Joe + sudoUser: ALL + sudoUser: !joe + + # does not match all but web01 + # rather, matches all hosts including web01 + sudoHost: ALL + sudoHost: !web01 SSuuddooeerrss SScchheemmaa - In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed - on your LDAP server. In addition, be sure to index the 'sudoUser' - attribute. + In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on + your LDAP server. In addition, be sure to index the sudoUser attribute. - Three versions of the schema: one for OpenLDAP servers - (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), - and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be - found in the ssuuddoo distribution. + Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), + one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), and one for Microsoft + Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be found in the ssuuddoo + distribution. - The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES - section. + The schema for ssuuddoo in OpenLDAP form is also included in the _E_X_A_M_P_L_E_S + section. CCoonnffiigguurriinngg llddaapp..ccoonnff - Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. - Typically, this file is shared amongst different LDAP-aware clients. - As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo - parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from - those described in the system's _l_d_a_p_._c_o_n_f(4) manual. + Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. + Typically, this file is shared amongst different LDAP-aware clients. As + such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses + _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those + described in the system's ldap.conf(1m) manual. - Also note that on systems using the OpenLDAP libraries, default values - specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are - not used. + Also note that on systems using the OpenLDAP libraries, default values + specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not + used. - Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being - supported by ssuuddoo are honored. Configuration options are listed below - in upper case but are parsed in a case-independent manner. + Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported + by ssuuddoo are honored. Configuration options are listed below in upper + case but are parsed in a case-independent manner. - UURRII ldap[s]://[hostname[:port]] ... + UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._. Specifies a whitespace-delimited list of one or more URIs describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be - either llddaapp or llddaappss, the latter being for servers that support TLS + either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS (SSL) encryption. If no _p_o_r_t is specified, the default is port 389 for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, - ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated + ssuuddoo will connect to _l_o_c_a_l_h_o_s_t. Multiple UURRII lines are treated identically to a UURRII line containing multiple entries. Only systems using the OpenSSL libraries support the mixing of ldap:// and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP libraries used on most commercial versions of Unix are only capable of supporting one or the other. - HHOOSSTT name[:port] ... + HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._. If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- delimited list of LDAP servers to connect to. Each host may - include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT + include an optional _p_o_r_t separated by a colon (`:'). The HHOOSSTT parameter is deprecated in favor of the UURRII specification and is included for backwards compatibility. - PPOORRTT port_number + PPOORRTT _p_o_r_t___n_u_m_b_e_r If no UURRII is specified, the PPOORRTT parameter specifies the default port to connect to on the LDAP server if a HHOOSSTT parameter does not specify the port itself. If no PPOORRTT parameter is used, the default @@ -291,40 +287,40 @@ DDEESSCCRRIIPPTTIIOONN PPOORRTT parameter is deprecated in favor of the UURRII specification and is included for backwards compatibility. - BBIINNDD__TTIIMMEELLIIMMIITT seconds + BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, to wait while trying to connect to an LDAP server. If multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to wait before trying the next one in the list. - NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds + NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility. - TTIIMMEELLIIMMIITT seconds + TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, to wait for a response to an LDAP query. - TTIIMMEEOOUUTT seconds + TTIIMMEEOOUUTT _s_e_c_o_n_d_s The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to wait for a response from the various LDAP APIs. - SSUUDDOOEERRSS__BBAASSEE base + SSUUDDOOEERRSS__BBAASSEE _b_a_s_e The base DN to use when performing ssuuddoo LDAP queries. Typically this is of the form ou=SUDOers,dc=example,dc=com for the domain example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in which case they are queried in the order specified. - SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter + SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r An LDAP filter which is used to restrict the set of records returned when performing a ssuuddoo LDAP query. Typically, this is of the form attribute=value or (&(attribute=value)(attribute2=value2)). - SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no + SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes that implement time-dependent sudoers entries. - SSUUDDOOEERRSS__DDEEBBUUGG debug_level + SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l This sets the debug level for ssuuddoo LDAP queries. Debugging information is printed to the standard error. A value of 1 results in a moderate amount of debugging information. A value of 2 shows @@ -332,44 +328,45 @@ DDEESSCCRRIIPPTTIIOONN be set in a production environment as the extra information is likely to confuse users. - BBIINNDDDDNN DN + BBIINNDDDDNN _D_N The BBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing LDAP operations. If not specified, LDAP operations are performed with an anonymous identity. By default, most LDAP servers will allow anonymous access. - BBIINNDDPPWW secret + BBIINNDDPPWW _s_e_c_r_e_t The BBIINNDDPPWW parameter specifies the password to use when performing LDAP operations. This is typically used in conjunction with the BBIINNDDDDNN parameter. - RROOOOTTBBIINNDDDDNN DN + RROOOOTTBBIINNDDDDNN _D_N The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as _s_u_d_o_e_r_s queries. The password corresponding to the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not specified, the BBIINNDDDDNN identity is used (if any). - LLDDAAPP__VVEERRSSIIOONN number + LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r The version of the LDAP protocol to use when connecting to the server. The default value is protocol version 3. - SSSSLL on/true/yes/off/false/no + SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o If the SSSSLL parameter is set to on, true or yes, TLS (SSL) encryption is always used when communicating with the LDAP server. Typically, this involves connecting to the server on port 636 (ldaps). - SSSSLL start_tls + SSSSLL _s_t_a_r_t___t_l_s If the SSSSLL parameter is set to start_tls, the LDAP server connection is initiated normally and TLS encryption is begun before the bind credentials are sent. This has the advantage of not requiring a dedicated port for encrypted communications. This parameter is only supported by LDAP servers that honor the - start_tls extension, such as the OpenLDAP server. + _s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory + servers. - TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no + TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown @@ -381,10 +378,10 @@ DDEESSCCRRIIPPTTIIOONN can be verified. This option is not supported by the Tivoli Directory Server LDAP libraries. - TTLLSS__CCAACCEERRTT file name + TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. - TTLLSS__CCAACCEERRTTFFIILLEE file name + TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e The path to a certificate authority bundle which contains the certificates for all the Certificate Authorities the client knows to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only @@ -392,50 +389,49 @@ DDEESSCCRRIIPPTTIIOONN libraries use the same certificate database for CA and client certificates (see TTLLSS__CCEERRTT). - TTLLSS__CCAACCEERRTTDDIIRR directory + TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory containing individual Certificate Authority certificates, e.g. _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the OpenLDAP libraries. - TTLLSS__CCEERRTT file name + TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e The path to a file containing the client certificate which can be used to authenticate the client to the LDAP server. The certificate type depends on the LDAP libraries used. OpenLDAP: - tls_cert /etc/ssl/client_cert.pem + tls_cert /etc/ssl/client_cert.pem Netscape-derived: - tls_cert /var/ldap/cert7.db + tls_cert /var/ldap/cert7.db Tivoli Directory Server: - Unused, the key database specified by TTLLSS__KKEEYY contains both - keys and certificates. + Unused, the key database specified by TTLLSS__KKEEYY contains both + keys and certificates. - When using Netscape-derived libraries, this file may also contain - Certificate Authority certificates. + When using Netscape-derived libraries, this file may also + contain Certificate Authority certificates. - TTLLSS__KKEEYY file name + TTLLSS__KKEEYY _f_i_l_e _n_a_m_e The path to a file containing the private key which matches the certificate specified by TTLLSS__CCEERRTT. The private key must not be password-protected. The key type depends on the LDAP libraries used. OpenLDAP: - tls_key /etc/ssl/client_key.pem + tls_key /etc/ssl/client_key.pem Netscape-derived: - tls_key /var/ldap/key3.db + tls_key /var/ldap/key3.db Tivoli Directory Server: - tls_cert /usr/ldap/ldapkey.kdb - + tls_cert /usr/ldap/ldapkey.kdb When using Tivoli LDAP libraries, this file may also contain Certificate Authority and client certificates and may be encrypted. - TTLLSS__KKEEYYPPWW secret + TTLLSS__KKEEYYPPWW _s_e_c_r_e_t The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key database on clients using the Tivoli Directory Server LDAP library. If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it @@ -446,328 +442,324 @@ DDEESSCCRRIIPPTTIIOONN ssl_password. This option is only supported by the Tivoli LDAP libraries. - TTLLSS__RRAANNDDFFIILLEE file name + TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source for systems that lack a random device. It is generally used in conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by the OpenLDAP libraries. - TTLLSS__CCIIPPHHEERRSS cipher list + TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which encryption algorithms may be used for TLS (SSL) connections. See the OpenLDAP or Tivoli Directory Server manual for a list of valid ciphers. This option is not supported by Netscape-derived libraries. - UUSSEE__SSAASSLL on/true/yes/off/false/no + UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. - SSAASSLL__AAUUTTHH__IIDD identity + SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y The SASL user name to use when connecting to the LDAP server. By default, ssuuddoo will use an anonymous connection. - RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no + RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting to an LDAP server from a privileged process, such as ssuuddoo. - RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity + RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. - SSAASSLL__SSEECCPPRROOPPSS none/properties + SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s SASL security properties or _n_o_n_e for no properties. See the SASL programmer's manual for details. - KKRRBB55__CCCCNNAAMMEE file name + KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e The path to the Kerberos 5 credential cache to use when authenticating with the remote server. - DDEERREEFF never/searching/finding/always + DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s How alias dereferencing is to be performed when searching. See the - _l_d_a_p_._c_o_n_f(4) manual for a full description of this option. + ldap.conf(1m) manual for a full description of this option. - See the ldap.conf entry in the EXAMPLES section. + See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section. CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff - Unless it is disabled at build time, ssuuddoo consults the Name Service - Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. - Sudo looks for a line beginning with sudoers: and uses this to - determine the search order. Note that ssuuddoo does not stop searching - after the first match and later matches take precedence over earlier - ones. + Unless it is disabled at build time, ssuuddoo consults the Name Service + Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. + Sudo looks for a line beginning with sudoers: and uses this to determine + the search order. Note that ssuuddoo does not stop searching after the first + match and later matches take precedence over earlier ones. The following + sources are recognized: - The following sources are recognized: + files read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s + ldap read sudoers from LDAP - files read sudoers from F - ldap read sudoers from LDAP + In addition, the entry [NOTFOUND=return] will short-circuit the search if + the user was not found in the preceding source. - In addition, the entry [NOTFOUND=return] will short-circuit the search - if the user was not found in the preceding source. + To consult LDAP first followed by the local sudoers file (if it exists), + use: - To consult LDAP first followed by the local sudoers file (if it - exists), use: + sudoers: ldap files - sudoers: ldap files + The local _s_u_d_o_e_r_s file can be ignored completely by using: - The local _s_u_d_o_e_r_s file can be ignored completely by using: + sudoers: ldap - sudoers: ldap + If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers + line, the following default is assumed: - If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers - line, the following default is assumed: + sudoers: files - sudoers: files - - Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying - operating system does not use an nsswitch.conf file, except on AIX (see - below). + Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying + operating system does not use an nsswitch.conf file, except on AIX (see + below). CCoonnffiigguurriinngg nneettssvvcc..ccoonnff - On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of - _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the - file format itself still applies. + On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of + _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file + format itself still applies. - To consult LDAP first followed by the local sudoers file (if it - exists), use: + To consult LDAP first followed by the local sudoers file (if it exists), + use: - sudoers = ldap, files + sudoers = ldap, files - The local _s_u_d_o_e_r_s file can be ignored completely by using: + The local _s_u_d_o_e_r_s file can be ignored completely by using: - sudoers = ldap + sudoers = ldap - To treat LDAP as authoratative and only use the local sudoers file if - the user is not present in LDAP, use: + To treat LDAP as authoratative and only use the local sudoers file if the + user is not present in LDAP, use: - sudoers = ldap = auth, files + sudoers = ldap = auth, files - Note that in the above example, the auth qualfier only affects user - lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. + Note that in the above example, the auth qualfier only affects user + lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. - If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers - line, the following default is assumed: + If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line, + the following default is assumed: - sudoers = files + sudoers = files FFIILLEESS - _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file + _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order - _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX + _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX EEXXAAMMPPLLEESS EExxaammppllee llddaapp..ccoonnff - # Either specify one or more URIs or one or more host:port pairs. - # If neither is specified sudo will default to localhost, port 389. - # - #host ldapserver - #host ldapserver1 ldapserver2:390 - # - # Default port if host is specified without one, defaults to 389. - #port 389 - # - # URI will override the host and port settings. - uri ldap://ldapserver - #uri ldaps://secureldapserver - #uri ldaps://secureldapserver ldap://ldapserver - # - # The amount of time, in seconds, to wait while trying to connect to - # an LDAP server. - bind_timelimit 30 - # - # The amount of time, in seconds, to wait while performing an LDAP query. - timelimit 30 - # - # Must be set or sudo will ignore LDAP; may be specified multiple times. - sudoers_base ou=SUDOers,dc=example,dc=com - # - # verbose sudoers matching from ldap - #sudoers_debug 2 - # - # Enable support for time-based entries in sudoers. - #sudoers_timed yes - # - # optional proxy credentials - #binddn - #bindpw - #rootbinddn - # - # LDAP protocol version, defaults to 3 - #ldap_version 3 - # - # Define if you want to use an encrypted LDAP connection. - # Typically, you must also set the port to 636 (ldaps). - #ssl on - # - # Define if you want to use port 389 and switch to - # encryption before the bind credentials are sent. - # Only supported by LDAP servers that support the start_tls - # extension such as OpenLDAP. - #ssl start_tls - # - # Additional TLS options follow that allow tweaking of the - # SSL/TLS connection. - # - #tls_checkpeer yes # verify server SSL certificate - #tls_checkpeer no # ignore server SSL certificate - # - # If you enable tls_checkpeer, specify either tls_cacertfile - # or tls_cacertdir. Only supported when using OpenLDAP. - # - #tls_cacertfile /etc/certs/trusted_signers.pem - #tls_cacertdir /etc/certs - # - # For systems that don't have /dev/random - # use this along with PRNGD or EGD.pl to seed the - # random number pool to generate cryptographic session keys. - # Only supported when using OpenLDAP. - # - #tls_randfile /etc/egd-pool - # - # You may restrict which ciphers are used. Consult your SSL - # documentation for which options go here. - # Only supported when using OpenLDAP. - # - #tls_ciphers - # - # Sudo can provide a client certificate when communicating to - # the LDAP server. - # Tips: - # * Enable both lines at the same time. - # * Do not password protect the key file. - # * Ensure the keyfile is only readable by root. - # - # For OpenLDAP: - #tls_cert /etc/certs/client_cert.pem - #tls_key /etc/certs/client_key.pem - # - # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either - # a directory, in which case the files in the directory must have the - # default names (e.g. cert8.db and key4.db), or the path to the cert - # and key files themselves. However, a bug in version 5.0 of the LDAP - # SDK will prevent specific file names from working. For this reason - # it is suggested that tls_cert and tls_key be set to a directory, - # not a file name. - # - # The certificate database specified by tls_cert may contain CA certs - # and/or the client's cert. If the client's cert is included, tls_key - # should be specified as well. - # For backward compatibility, "sslpath" may be used in place of tls_cert. - #tls_cert /var/ldap - #tls_key /var/ldap - # - # If using SASL authentication for LDAP (OpenSSL) - # use_sasl yes - # sasl_auth_id - # rootuse_sasl yes - # rootsasl_auth_id - # sasl_secprops none - # krb5_ccname /etc/.ldapcache + # Either specify one or more URIs or one or more host:port pairs. + # If neither is specified sudo will default to localhost, port 389. + # + #host ldapserver + #host ldapserver1 ldapserver2:390 + # + # Default port if host is specified without one, defaults to 389. + #port 389 + # + # URI will override the host and port settings. + uri ldap://ldapserver + #uri ldaps://secureldapserver + #uri ldaps://secureldapserver ldap://ldapserver + # + # The amount of time, in seconds, to wait while trying to connect to + # an LDAP server. + bind_timelimit 30 + # + # The amount of time, in seconds, to wait while performing an LDAP query. + timelimit 30 + # + # Must be set or sudo will ignore LDAP; may be specified multiple times. + sudoers_base ou=SUDOers,dc=example,dc=com + # + # verbose sudoers matching from ldap + #sudoers_debug 2 + # + # Enable support for time-based entries in sudoers. + #sudoers_timed yes + # + # optional proxy credentials + #binddn + #bindpw + #rootbinddn + # + # LDAP protocol version, defaults to 3 + #ldap_version 3 + # + # Define if you want to use an encrypted LDAP connection. + # Typically, you must also set the port to 636 (ldaps). + #ssl on + # + # Define if you want to use port 389 and switch to + # encryption before the bind credentials are sent. + # Only supported by LDAP servers that support the start_tls + # extension such as OpenLDAP. + #ssl start_tls + # + # Additional TLS options follow that allow tweaking of the + # SSL/TLS connection. + # + #tls_checkpeer yes # verify server SSL certificate + #tls_checkpeer no # ignore server SSL certificate + # + # If you enable tls_checkpeer, specify either tls_cacertfile + # or tls_cacertdir. Only supported when using OpenLDAP. + # + #tls_cacertfile /etc/certs/trusted_signers.pem + #tls_cacertdir /etc/certs + # + # For systems that don't have /dev/random + # use this along with PRNGD or EGD.pl to seed the + # random number pool to generate cryptographic session keys. + # Only supported when using OpenLDAP. + # + #tls_randfile /etc/egd-pool + # + # You may restrict which ciphers are used. Consult your SSL + # documentation for which options go here. + # Only supported when using OpenLDAP. + # + #tls_ciphers + # + # Sudo can provide a client certificate when communicating to + # the LDAP server. + # Tips: + # * Enable both lines at the same time. + # * Do not password protect the key file. + # * Ensure the keyfile is only readable by root. + # + # For OpenLDAP: + #tls_cert /etc/certs/client_cert.pem + #tls_key /etc/certs/client_key.pem + # + # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either + # a directory, in which case the files in the directory must have the + # default names (e.g. cert8.db and key4.db), or the path to the cert + # and key files themselves. However, a bug in version 5.0 of the LDAP + # SDK will prevent specific file names from working. For this reason + # it is suggested that tls_cert and tls_key be set to a directory, + # not a file name. + # + # The certificate database specified by tls_cert may contain CA certs + # and/or the client's cert. If the client's cert is included, tls_key + # should be specified as well. + # For backward compatibility, "sslpath" may be used in place of tls_cert. + #tls_cert /var/ldap + #tls_key /var/ldap + # + # If using SASL authentication for LDAP (OpenSSL) + # use_sasl yes + # sasl_auth_id + # rootuse_sasl yes + # rootsasl_auth_id + # sasl_secprops none + # krb5_ccname /etc/.ldapcache SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP - The following schema, in OpenLDAP format, is included with ssuuddoo source - and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the - schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include - line in slapd.conf and restart ssllaappdd. - - attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.7 - NAME 'sudoRunAsGroup' - DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.8 - NAME 'sudoNotBefore' - DESC 'Start of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.9 - NAME 'sudoNotAfter' - DESC 'End of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - - attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 - NAME 'sudoOrder' - DESC 'an integer to order the sudoRole entries' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) - - objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ - sudoOrder $ description ) - ) + The following schema, in OpenLDAP format, is included with ssuuddoo source + and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the + schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line + in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd. + + attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + + attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + + objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) + ) SSEEEE AALLSSOO - _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) + ldap.conf(1m), sudoers(1m) CCAAVVEEAATTSS - Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is - parsed compared to file-based _s_u_d_o_e_r_s. See the "Differences between - LDAP and non-LDAP sudoers" section for more information. + Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is + parsed compared to file-based _s_u_d_o_e_r_s. See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P + _a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information. BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a bug report at - http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. - - + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. -1.7.10 July 18, 2012 SUDOERS.LDAP(4) +Sudo 1.7.10 July 12, 2012 Sudo 1.7.10 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index e545bf3a8..3ee01ff5a 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -1,10 +1,12 @@ -.\" Copyright (c) 2003-2012 -.\" Todd C. Miller -.\" +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in +.\" +.\" Copyright (c) 2003-2012 Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -13,934 +15,1186 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} .\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l +.TH "SUDOERS.LDAP" "8" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual" .nh +.if n .ad l .SH "NAME" -sudoers.ldap \- sudo LDAP configuration +\fBsudoers.ldap\fR +\- sudo LDAP configuration .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured -via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR +In addition to the standard +\fIsudoers\fR +file, +\fBsudo\fR +may be configured +via LDAP. +This can be especially useful for synchronizing +\fIsudoers\fR in a large, distributed environment. .PP -Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits: -.IP "\(bu" 4 -\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When -\&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation. -This makes it especially fast and particularly usable in \s-1LDAP\s0 -environments. -.IP "\(bu" 4 -\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR. -It is not possible to load \s-1LDAP\s0 data into the server that does +Using LDAP for +\fIsudoers\fR +has several benefits: +.TP 4n +\fBo\fR +\fBsudo\fR +no longer needs to read +\fIsudoers\fR +in its entirety. +When LDAP is used, there are only two or three LDAP queries per invocation. +This makes it especially fast and particularly usable in LDAP environments. +.TP 4n +\fBo\fR +\fBsudo\fR +no longer exits if there is a typo in +\fIsudoers\fR. +It is not possible to load LDAP data into the server that does not conform to the sudoers schema, so proper syntax is guaranteed. It is still possible to have typos in a user or host name, but -this will not prevent \fBsudo\fR from running. -.IP "\(bu" 4 +this will not prevent +\fBsudo\fR +from running. +.TP 4n +\fBo\fR It is possible to specify per-entry options that override the global -default options. \fI@sysconfdir@/sudoers\fR only supports default options and -limited options associated with user/host/commands/aliases. The -syntax is complicated and can be difficult for users to understand. +default options. +\fI@sysconfdir@/sudoers\fR +only supports default options and limited options associated with +user/host/commands/aliases. +The syntax is complicated and can be difficult for users to understand. Placing the options directly in the entry is more natural. -.IP "\(bu" 4 -The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides -locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file. -Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary. -Because syntax is checked when the data is inserted into \s-1LDAP\s0, there +.TP 4n +\fBo\fR +The +\fBvisudo\fR +program is no longer needed. +\fBvisudo\fR +provides locking and syntax checking of the +\fI@sysconfdir@/sudoers\fR +file. +Since LDAP updates are atomic, locking is no longer necessary. +Because syntax is checked when the data is inserted into LDAP, there is no need for a specialized tool to check syntax. .PP -Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR -is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported. +Another major difference between LDAP and file-based +\fIsudoers\fR +is that in LDAP, +\fBsudo\fR-specific +Aliases are not supported. .PP -For the most part, there is really no need for \fBsudo\fR\-specific -Aliases. Unix groups or user netgroups can be used in place of -User_Aliases and Runas_Aliases. Host netgroups can be used in place -of Host_Aliases. Since Unix groups and netgroups can also be stored -in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases. +For the most part, there is really no need for +\fBsudo\fR-specific +Aliases. +Unix groups or user netgroups can be used in place of User_Aliases and +Runas_Aliases. +Host netgroups can be used in place of Host_Aliases. +Since Unix groups and netgroups can also be stored in LDAP there is no +real need for +\fBsudo\fR-specific +aliases. .PP Cmnd_Aliases are not really required either since it is possible -to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining -a Cmnd_Alias that is referenced by multiple users, one can create -a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users -to it. -.SS "SUDOers \s-1LDAP\s0 container" -.IX Subsection "SUDOers LDAP container" -The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0 -container. -.PP -Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container. -If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the -same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In -the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved -in the environment for all users. +to have multiple users listed in a +\fRsudoRole\fR. +Instead of defining a Cmnd_Alias that is referenced by multiple users, +one can create a +\fRsudoRole\fR +that contains the commands and assign multiple users to it. +.SS "SUDOers LDAP container" +The +\fIsudoers\fR +configuration is contained in the +\fRou=SUDOers\fR +LDAP container. .PP -.Vb 6 -\& dn: cn=defaults,ou=SUDOers,dc=example,dc=com -\& objectClass: top -\& objectClass: sudoRole -\& cn: defaults -\& description: Default sudoOption\*(Aqs go here -\& sudoOption: env_keep+=SSH_AUTH_SOCK -.Ve +Sudo first looks for the +\fRcn=default\fR +entry in the SUDOers container. +If found, the multi-valued +\fRsudoOption\fR +attribute is parsed in the same manner as a global +\fRDefaults\fR +line in +\fI@sysconfdir@/sudoers\fR. +In the following example, the +\fRSSH_AUTH_SOCK\fR +variable will be preserved in the environment for all users. +.nf +.sp +.RS 4n +dn: cn=defaults,ou=SUDOers,dc=example,dc=com +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: env_keep+=SSH_AUTH_SOCK +.RE +.fi .PP -The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of -the following attributes: -.IP "\fBsudoUser\fR" 4 -.IX Item "sudoUser" -A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with -a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR). -.IP "\fBsudoHost\fR" 4 -.IX Item "sudoHost" -A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed -with a \f(CW\*(Aq+\*(Aq\fR). -The special value \f(CW\*(C`ALL\*(C'\fR will match any host. -.IP "\fBsudoCommand\fR" 4 -.IX Item "sudoCommand" +The equivalent of a sudoer in LDAP is a +\fRsudoRole\fR. +It consists of the following attributes: +.TP 6n +\fBsudoUser\fR +A user name, user ID (prefixed with +`#'), +Unix group (prefixed with +`%'), +Unix group ID (prefixed with +`%#'), +or user netgroup (prefixed with +`+'). +.TP 6n +\fBsudoHost\fR +A host name, IP address, IP network, or host netgroup (prefixed with a +`+'). +The special value +\fRALL\fR +will match any host. +.TP 6n +\fBsudoCommand\fR A Unix command with optional command line arguments, potentially including globbing characters (aka wild cards). -The special value \f(CW\*(C`ALL\*(C'\fR will match any command. -If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the -user will be prohibited from running that command. -.IP "\fBsudoOption\fR" 4 -.IX Item "sudoOption" +The special value +\fRALL\fR +will match any command. +If a command is prefixed with an exclamation point +`\&!', +the user will be prohibited from running that command. +.TP 6n +\fBsudoOption\fR Identical in function to the global options described above, but -specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides. -.IP "\fBsudoRunAsUser\fR" 4 -.IX Item "sudoRunAsUser" -A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run -as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed -with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be -run as. -The special value \f(CW\*(C`ALL\*(C'\fR will match any user. -.Sp -The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions -1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR +specific to the +\fRsudoRole\fR +in which it resides. +.TP 6n +\fBsudoRunAsUser\fR +A user name or uid (prefixed with +`#') +that commands may be run as or a Unix group (prefixed with a +`%') +or user netgroup (prefixed with a +`+') +that contains a list of users that commands may be run as. +The special value +\fRALL\fR +will match any user. +.sp +The +\fRsudoRunAsUser\fR +attribute is only available in +\fBsudo\fR +versions +1.7.0 and higher. +Older versions of +\fBsudo\fR +use the +\fRsudoRunAs\fR attribute instead. -.IP "\fBsudoRunAsGroup\fR" 4 -.IX Item "sudoRunAsGroup" -A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as. -The special value \f(CW\*(C`ALL\*(C'\fR will match any group. -.Sp -The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions +.TP 6n +\fBsudoRunAsGroup\fR +A Unix group or gid (prefixed with +`#') +that commands may be run as. +The special value +\fRALL\fR +will match any group. +.sp +The +\fRsudoRunAsGroup\fR +attribute is only available in +\fBsudo\fR +versions 1.7.0 and higher. -.IP "\fBsudoNotBefore\fR" 4 -.IX Item "sudoNotBefore" -A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide -a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If -multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used. -Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), -not the local timezone. The minute and seconds portions are optional, -but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0). -.Sp -The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions -1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR -option in \fI@ldap_conf@\fR. -.IP "\fBsudoNotAfter\fR" 4 -.IX Item "sudoNotAfter" -A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration -date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If -multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used. -Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0), -not the local timezone. The minute and seconds portions are optional, -but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0). -.Sp -The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions -1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR -option in \fI@ldap_conf@\fR. -.IP "\fBsudoOrder\fR" 4 -.IX Item "sudoOrder" -The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no -inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or -floating point value for \s-1LDAP\s0 servers that support it) that is used -to sort the matching entries. This allows LDAP-based sudoers entries -to more closely mimic the behaviour of the sudoers file, where the -of the entries influences the result. If multiple entries match, -the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This -corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If -the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed. -.Sp -The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions -1.7.5 and higher. +.TP 6n +\fBsudoNotBefore\fR +A timestamp in the form +\fRyyyymmddHHMMSSZ\fR +that can be used to provide a start date/time for when the +\fRsudoRole\fR +will be valid. +If multiple +\fRsudoNotBefore\fR +entries are present, the earliest is used. +Note that timestamps must be in Coordinated Universal Time (UTC), +not the local timezone. +The minute and seconds portions are optional, but some LDAP servers +require that they be present (contrary to the RFC). +.sp +The +\fRsudoNotBefore\fR +attribute is only available in +\fBsudo\fR +versions 1.7.5 and higher and must be explicitly enabled via the +\fBSUDOERS_TIMED\fR +option in +\fI@ldap_conf@\fR. +.TP 6n +\fBsudoNotAfter\fR +A timestamp in the form +\fRyyyymmddHHMMSSZ\fR +that indicates an expiration date/time, after which the +\fRsudoRole\fR +will no longer be valid. +If multiple +\fRsudoNotBefore\fR +entries are present, the last one is used. +Note that timestamps must be in Coordinated Universal Time (UTC), +not the local timezone. +The minute and seconds portions are optional, but some LDAP servers +require that they be present (contrary to the RFC). +.sp +The +\fRsudoNotAfter\fR +attribute is only available in +\fBsudo\fR +versions +1.7.5 and higher and must be explicitly enabled via the +\fBSUDOERS_TIMED\fR +option in +\fI@ldap_conf@\fR. +.TP 6n +\fBsudoOrder\fR +The +\fRsudoRole\fR +entries retrieved from the LDAP directory have no inherent order. +The +\fRsudoOrder\fR +attribute is an integer (or floating point value for LDAP servers +that support it) that is used to sort the matching entries. +This allows LDAP-based sudoers entries to more closely mimic the behaviour +of the sudoers file, where the of the entries influences the result. +If multiple entries match, the entry with the highest +\fRsudoOrder\fR +attribute is chosen. +This corresponds to the +``last match'' +behavior of the sudoers file. +If the +\fRsudoOrder\fR +attribute is not present, a value of 0 is assumed. +.sp +The +\fRsudoOrder\fR +attribute is only available in +\fBsudo\fR +versions 1.7.5 and higher. .PP Each attribute listed above should contain a single value, but there -may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must -contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR. +may be multiple instances of each attribute type. +A +\fRsudoRole\fR +must contain at least one +\fRsudoUser\fR, +\fRsudoHost\fR +and +\fRsudoCommand\fR. .PP The following example allows users in group wheel to run any command -on any host via \fBsudo\fR: -.PP -.Vb 7 -\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com -\& objectClass: top -\& objectClass: sudoRole -\& cn: %wheel -\& sudoUser: %wheel -\& sudoHost: ALL -\& sudoCommand: ALL -.Ve -.SS "Anatomy of \s-1LDAP\s0 sudoers lookup" -.IX Subsection "Anatomy of LDAP sudoers lookup" -When looking up a sudoer using \s-1LDAP\s0 there are only two or three -\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global -options. The second is to match against the user's name and the -groups that the user belongs to. (The special \s-1ALL\s0 tag is matched -in this query too.) If no match is returned for the user's name -and groups, a third query returns all entries containing user -netgroups and checks to see if the user belongs to any of them. +on any host via +\fBsudo\fR: +.nf +.sp +.RS 4n +dn: cn=%wheel,ou=SUDOers,dc=example,dc=com +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: ALL +sudoCommand: ALL +.RE +.fi +.SS "Anatomy of LDAP sudoers lookup" +When looking up a sudoer using LDAP there are only two or three +LDAP queries per invocation. +The first query is to parse the global options. +The second is to match against the user's name and the groups that +the user belongs to. +(The special +\fRALL\fR +tag is matched in this query too.) +If no match is returned for the user's name and groups, a third +query returns all entries containing user netgroups and checks +to see if the user belongs to any of them. .PP -If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration -directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval -to entries that satisfy the time constraints, if any. -.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers" -.IX Subsection "Differences between LDAP and non-LDAP sudoers" +If timed entries are enabled with the +\fBSUDOERS_TIMED\fR +configuration directive, the LDAP queries include a subfilter that +limits retrieval to entries that satisfy the time constraints, if any. +.SS "Differences between LDAP and non-LDAP sudoers" There are some subtle differences in the way sudoers is handled -once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0, -\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes -and Entries are returned in any specific order. +once in LDAP. +Probably the biggest is that according to the RFC, LDAP ordering +is arbitrary and you cannot expect that Attributes and Entries are +returned in any specific order. .PP The order in which different entries are applied can be controlled -using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee -the order of attributes within a specific entry. If there are -conflicting command rules in an entry, the negative takes precedence. +using the +\fRsudoOrder\fR +attribute, but there is no way to guarantee the order of attributes +within a specific entry. +If there are conflicting command rules in an entry, the negative +takes precedence. This is called paranoid behavior (not necessarily the most specific match). .PP Here is an example: -.PP -.Vb 5 -\& # /etc/sudoers: -\& # Allow all commands except shell -\& johnny ALL=(root) ALL,!/bin/sh -\& # Always allows all commands because ALL is matched last -\& puddles ALL=(root) !/bin/sh,ALL -\& -\& # LDAP equivalent of johnny -\& # Allows all commands except shell -\& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com -\& objectClass: sudoRole -\& objectClass: top -\& cn: role1 -\& sudoUser: johnny -\& sudoHost: ALL -\& sudoCommand: ALL -\& sudoCommand: !/bin/sh -\& -\& # LDAP equivalent of puddles -\& # Notice that even though ALL comes last, it still behaves like -\& # role1 since the LDAP code assumes the more paranoid configuration -\& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com -\& objectClass: sudoRole -\& objectClass: top -\& cn: role2 -\& sudoUser: puddles -\& sudoHost: ALL -\& sudoCommand: !/bin/sh -\& sudoCommand: ALL -.Ve +.nf +.sp +.RS 4n +# /etc/sudoers: +# Allow all commands except shell +johnny ALL=(root) ALL,!/bin/sh +# Always allows all commands because ALL is matched last +puddles ALL=(root) !/bin/sh,ALL + +# LDAP equivalent of johnny +# Allows all commands except shell +dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com +objectClass: sudoRole +objectClass: top +cn: role1 +sudoUser: johnny +sudoHost: ALL +sudoCommand: ALL +sudoCommand: !/bin/sh + +# LDAP equivalent of puddles +# Notice that even though ALL comes last, it still behaves like +# role1 since the LDAP code assumes the more paranoid configuration +dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com +objectClass: sudoRole +objectClass: top +cn: role2 +sudoUser: puddles +sudoHost: ALL +sudoCommand: !/bin/sh +sudoCommand: ALL +.RE +.fi .PP Another difference is that negations on the Host, User or Runas are -currently ignored. For example, the following attributes do not -behave the way one might expect. -.PP -.Vb 3 -\& # does not match all but joe -\& # rather, does not match anyone -\& sudoUser: !joe -\& -\& # does not match all but joe -\& # rather, matches everyone including Joe -\& sudoUser: ALL -\& sudoUser: !joe -\& -\& # does not match all but web01 -\& # rather, matches all hosts including web01 -\& sudoHost: ALL -\& sudoHost: !web01 -.Ve +currently ignored. +For example, the following attributes do not behave the way one might expect. +.nf +.sp +.RS 4n +# does not match all but joe +# rather, does not match anyone +sudoUser: !joe + +# does not match all but joe +# rather, matches everyone including Joe +sudoUser: ALL +sudoUser: !joe + +# does not match all but web01 +# rather, matches all hosts including web01 +sudoHost: ALL +sudoHost: !web01 +.RE +.fi .SS "Sudoers Schema" -.IX Subsection "Sudoers Schema" -In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be -installed on your \s-1LDAP\s0 server. In addition, be sure to index the -\&'sudoUser' attribute. +In order to use +\fBsudo\fR's +LDAP support, the +\fBsudo\fR +schema must be +installed on your LDAP server. +In addition, be sure to index the +\fRsudoUser\fR +attribute. .PP -Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR), -one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for -Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may -be found in the \fBsudo\fR distribution. +Three versions of the schema: one for OpenLDAP servers +(\fIschema.OpenLDAP\fR), +one for Netscape-derived servers +(\fIschema.iPlanet\fR), +and one for Microsoft Active Directory +(\fIschema.ActiveDirectory\fR) +may be found in the +\fBsudo\fR +distribution. .PP -The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0 +The schema for +\fBsudo\fR +in OpenLDAP form is also included in the +\fIEXAMPLES\fR section. .SS "Configuring ldap.conf" -.IX Subsection "Configuring ldap.conf" -Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration. +Sudo reads the +\fI@ldap_conf@\fR +file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. -As such, most of the settings are not \fBsudo\fR\-specific. Note that -\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options that -differ from those described in the system's \fIldap.conf\fR\|(@mansectform@) manual. +As such, most of the settings are not +\fBsudo\fR-specific. +Note that +\fBsudo\fR +parses +\fI@ldap_conf@\fR +itself and may support options that differ from those described in the +system's +ldap.conf(@mansectsu@) +manual. .PP Also note that on systems using the OpenLDAP libraries, default -values specified in \fI/etc/openldap/ldap.conf\fR or the user's -\&\fI.ldaprc\fR files are not used. +values specified in +\fI/etc/openldap/ldap.conf\fR +or the user's +\fI.ldaprc\fR +files are not used. .PP -Only those options explicitly listed in \fI@ldap_conf@\fR as being -supported by \fBsudo\fR are honored. Configuration options are listed -below in upper case but are parsed in a case-independent manner. -.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4 -.IX Item "URI ldap[s]://[hostname[:port]] ..." +Only those options explicitly listed in +\fI@ldap_conf@\fR +as being supported by +\fBsudo\fR +are honored. +Configuration options are listed below in upper case but are parsed +in a case-independent manner. +.TP 6n +\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR Specifies a whitespace-delimited list of one or more URIs describing -the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either -\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 -(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port -389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR -is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR -lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple -entries. Only systems using the OpenSSL libraries support the -mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. Both the Netscape-derived -and Tivoli \s-1LDAP\s0 libraries used on most commercial versions of Unix -are only capable of supporting one or the other. -.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4 -.IX Item "HOST name[:port] ..." -If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a -whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host -may include an optional \fIport\fR separated by a colon (':'). The -\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification -and is included for backwards compatibility. -.IP "\fB\s-1PORT\s0\fR port_number" 4 -.IX Item "PORT port_number" -If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the -default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter -does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used, -the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0 -(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR +the LDAP server(s) to connect to. +The +\fIprotocol\fR +may be either +\fIldap\fR +\fIldaps\fR, +the latter being for servers that support TLS (SSL) encryption. +If no +\fIport\fR +is specified, the default is port 389 for +\fRldap://\fR +or port 636 for +\fRldaps://\fR. +If no +\fIhostname\fR +is specified, +\fBsudo\fR +will connect to +\fIlocalhost\fR. +Multiple +\fBURI\fR +lines are treated identically to a +\fBURI\fR +line containing multiple entries. +Only systems using the OpenSSL libraries support the mixing of +\fRldap://\fR +and +\fRldaps://\fR +URIs. +Both the Netscape-derived and Tivoli LDAP libraries used on most commercial +versions of Unix are only capable of supporting one or the other. +.TP 6n +\fBHOST\fR \fIname[:port] ...\fR +If no +\fBURI\fR +is specified, the +\fBHOST\fR +parameter specifies a whitespace-delimited list of LDAP servers to connect to. +Each host may include an optional +\fIport\fR +separated by a colon +(`:\&'). +The +\fBHOST\fR +parameter is deprecated in favor of the +\fBURI\fR specification and is included for backwards compatibility. -.IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4 -.IX Item "BIND_TIMELIMIT seconds" -The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, -to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or -\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying +.TP 6n +\fBPORT\fR \fIport_number\fR +If no +\fBURI\fR +is specified, the +\fBPORT\fR +parameter specifies the default port to connect to on the LDAP server if a +\fBHOST\fR +parameter does not specify the port itself. +If no +\fBPORT\fR +parameter is used, the default is port 389 for LDAP and port 636 for LDAP +over TLS (SSL). +The +\fBPORT\fR +parameter is deprecated in favor of the +\fBURI\fR +specification and is included for backwards compatibility. +.TP 6n +\fBBIND_TIMELIMIT\fR \fIseconds\fR +The +\fBBIND_TIMELIMIT\fR +parameter specifies the amount of time, in seconds, to wait while trying +to connect to an LDAP server. +If multiple +\fBURI\fRs +or +\fBHOST\fRs +are specified, this is the amount of time to wait before trying the next one in the list. -.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4 -.IX Item "NETWORK_TIMEOUT seconds" -An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility. -.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4 -.IX Item "TIMELIMIT seconds" -The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, -to wait for a response to an \s-1LDAP\s0 query. -.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4 -.IX Item "TIMEOUT seconds" -The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds, -to wait for a response from the various \s-1LDAP\s0 APIs. -.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4 -.IX Item "SUDOERS_BASE base" -The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically -this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain -\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified, -in which case they are queried in the order specified. -.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4 -.IX Item "SUDOERS_SEARCH_FILTER ldap_filter" -An \s-1LDAP\s0 filter which is used to restrict the set of records returned -when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the -form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR. -.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4 -.IX Item "SUDOERS_TIMED on/true/yes/off/false/no" -Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR +.TP 6n +\fBNETWORK_TIMEOUT\fR \fIseconds\fR +An alias for +\fBBIND_TIMELIMIT\fR +for OpenLDAP compatibility. +.TP 6n +\fBTIMELIMIT\fR \fIseconds\fR +The +\fBTIMELIMIT\fR +parameter specifies the amount of time, in seconds, to wait for a +response to an LDAP query. +.TP 6n +\fBTIMEOUT\fR \fIseconds\fR +The +\fBTIMEOUT\fR +parameter specifies the amount of time, in seconds, to wait for a +response from the various LDAP APIs. +.TP 6n +\fBSUDOERS_BASE\fR \fIbase\fR +The base DN to use when performing +\fBsudo\fR +LDAP queries. +Typically this is of the form +\fRou=SUDOers,dc=example,dc=com\fR +for the domain +\fRexample.com\fR. +Multiple +\fBSUDOERS_BASE\fR +lines may be specified, in which case they are queried in the order specified. +.TP 6n +\fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR +An LDAP filter which is used to restrict the set of records returned +when performing a +\fBsudo\fR +LDAP query. +Typically, this is of the +form +\fRattribute=value\fR +or +\fR(&(attribute=value)(attribute2=value2))\fR. +.TP 6n +\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR +Whether or not to evaluate the +\fRsudoNotBefore\fR +and +\fRsudoNotAfter\fR attributes that implement time-dependent sudoers entries. -.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4 -.IX Item "SUDOERS_DEBUG debug_level" -This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging -information is printed to the standard error. A value of 1 results -in a moderate amount of debugging information. A value of 2 shows -the results of the matches themselves. This parameter should not -be set in a production environment as the extra information is -likely to confuse users. -.IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4 -.IX Item "BINDDN DN" -The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a -Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations. -If not specified, \s-1LDAP\s0 operations are performed with an anonymous -identity. By default, most \s-1LDAP\s0 servers will allow anonymous access. -.IP "\fB\s-1BINDPW\s0\fR secret" 4 -.IX Item "BINDPW secret" -The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing -\&\s-1LDAP\s0 operations. This is typically used in conjunction with the -\&\fB\s-1BINDDN\s0\fR parameter. -.IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4 -.IX Item "ROOTBINDDN DN" -The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of -a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0 -operations, such as \fIsudoers\fR queries. The password corresponding -to the identity should be stored in \fI@ldap_secret@\fR. -If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any). -.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4 -.IX Item "LDAP_VERSION number" -The version of the \s-1LDAP\s0 protocol to use when connecting to the server. +.TP 6n +\fBSUDOERS_DEBUG\fR \fIdebug_level\fR +This sets the debug level for +\fBsudo\fR +LDAP queries. +Debugging information is printed to the standard error. +A value of 1 results in a moderate amount of debugging information. +A value of 2 shows the results of the matches themselves. +This parameter should not be set in a production environment as the +extra information is likely to confuse users. +.TP 6n +\fBBINDDN\fR \fIDN\fR +The +\fBBINDDN\fR +parameter specifies the identity, in the form of a Distinguished Name (DN), +to use when performing LDAP operations. +If not specified, LDAP operations are performed with an anonymous identity. +By default, most LDAP servers will allow anonymous access. +.TP 6n +\fBBINDPW\fR \fIsecret\fR +The +\fBBINDPW\fR +parameter specifies the password to use when performing LDAP operations. +This is typically used in conjunction with the +\fBBINDDN\fR +parameter. +.TP 6n +\fBROOTBINDDN\fR \fIDN\fR +The +\fBROOTBINDDN\fR +parameter specifies the identity, in the form of a Distinguished Name (DN), +to use when performing privileged LDAP operations, such as +\fIsudoers\fR +queries. +The password corresponding +to the identity should be stored in +\fI@ldap_secret@\fR. +If not specified, the +\fBBINDDN\fR +identity is used (if any). +.TP 6n +\fBLDAP_VERSION\fR \fInumber\fR +The version of the LDAP protocol to use when connecting to the server. The default value is protocol version 3. -.IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4 -.IX Item "SSL on/true/yes/off/false/no" -If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0 -(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0 -server. Typically, this involves connecting to the server on port -636 (ldaps). -.IP "\fB\s-1SSL\s0\fR start_tls" 4 -.IX Item "SSL start_tls" -If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server -connection is initiated normally and \s-1TLS\s0 encryption is begun before -the bind credentials are sent. This has the advantage of not -requiring a dedicated port for encrypted communications. This -parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR -extension, such as the OpenLDAP server. -.IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4 -.IX Item "TLS_CHECKPEER on/true/yes/off/false/no" -If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0 -certificated to be verified. If the server's \s-1TLS\s0 certificate cannot -be verified (usually because it is signed by an unknown certificate -authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR -is disabled, no check is made. Note that disabling the check creates -an opportunity for man-in-the-middle attacks since the server's -identity will not be authenticated. If possible, the \s-1CA\s0's certificate -should be installed locally so it can be verified. This option is -not supported by the Tivoli Directory Server \s-1LDAP\s0 libraries. -.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4 -.IX Item "TLS_CACERT file name" -An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility. -.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4 -.IX Item "TLS_CACERTFILE file name" +.TP 6n +\fBSSL\fR \fIon/true/yes/off/false/no\fR +If the +\fBSSL\fR +parameter is set to +\fRon\fR, +\fRtrue\fR +\fRor\fR +\fRyes\fR, +TLS (SSL) encryption is always used when communicating with the LDAP server. +Typically, this involves connecting to the server on port 636 (ldaps). +.TP 6n +\fBSSL\fR \fIstart_tls\fR +If the +\fBSSL\fR +parameter is set to +\fRstart_tls\fR, +the LDAP server connection is initiated normally and TLS encryption is +begun before the bind credentials are sent. +This has the advantage of not requiring a dedicated port for encrypted +communications. +This parameter is only supported by LDAP servers that honor the +\fIstart_tls\fR +extension, such as the OpenLDAP and Tivoli Directory servers. +.TP 6n +\fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR +If enabled, +\fBTLS_CHECKPEER\fR +will cause the LDAP server's TLS certificated to be verified. +If the server's TLS certificate cannot be verified (usually because it +is signed by an unknown certificate authority), +\fBsudo\fR +will be unable to connect to it. +If +\fBTLS_CHECKPEER\fR +is disabled, no check is made. +Note that disabling the check creates an opportunity for man-in-the-middle +attacks since the server's identity will not be authenticated. +If possible, the CA's certificate should be installed locally so it can +be verified. +This option is not supported by the Tivoli Directory Server LDAP libraries. +.TP 6n +\fBTLS_CACERT\fR \fIfile name\fR +An alias for +\fBTLS_CACERTFILE\fR +for OpenLDAP compatibility. +.TP 6n +\fBTLS_CACERTFILE\fR \fIfile name\fR The path to a certificate authority bundle which contains the certificates -for all the Certificate Authorities the client knows to be valid, -e.g. \fI/etc/ssl/ca\-bundle.pem\fR. +for all the Certificate Authorities the client knows to be valid, e.g.\& +\fI/etc/ssl/ca-bundle.pem\fR. This option is only supported by the OpenLDAP libraries. -Netscape-derived \s-1LDAP\s0 libraries use the same certificate -database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR). -.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4 -.IX Item "TLS_CACERTDIR directory" -Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a -directory containing individual Certificate Authority certificates, -e.g. \fI/etc/ssl/certs\fR. -The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after -\&\fB\s-1TLS_CACERTFILE\s0\fR. +Netscape-derived LDAP libraries use the same certificate +database for CA and client certificates (see +\fBTLS_CERT\fR). +.TP 6n +\fBTLS_CACERTDIR\fR \fIdirectory\fR +Similar to +\fBTLS_CACERTFILE\fR +but instead of a file, it is a directory containing individual +Certificate Authority certificates, e.g.\& +\fI/etc/ssl/certs\fR. +The directory specified by +\fBTLS_CACERTDIR\fR +is checked after +\fBTLS_CACERTFILE\fR. This option is only supported by the OpenLDAP libraries. -.IP "\fB\s-1TLS_CERT\s0\fR file name" 4 -.IX Item "TLS_CERT file name" +.TP 6n +\fBTLS_CERT\fR \fIfile name\fR The path to a file containing the client certificate which can -be used to authenticate the client to the \s-1LDAP\s0 server. -The certificate type depends on the \s-1LDAP\s0 libraries used. -.Sp +be used to authenticate the client to the LDAP server. +The certificate type depends on the LDAP libraries used. +.RS +.TP 6n OpenLDAP: - \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR -.Sp +\fRtls_cert /etc/ssl/client_cert.pem\fR +.TP 6n Netscape-derived: - \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR -.Sp +\fRtls_cert /var/ldap/cert7.db\fR +.TP 6n Tivoli Directory Server: - Unused, the key database specified by \fB\s-1TLS_KEY\s0\fR contains both - keys and certificates. -.Sp +Unused, the key database specified by +\fBTLS_KEY\fR +contains both keys and certificates. +.sp When using Netscape-derived libraries, this file may also contain Certificate Authority certificates. -.IP "\fB\s-1TLS_KEY\s0\fR file name" 4 -.IX Item "TLS_KEY file name" +.PP +.RE +.PD 0 +.TP 6n +\fBTLS_KEY\fR \fIfile name\fR The path to a file containing the private key which matches the -certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be -password-protected. The key type depends on the \s-1LDAP\s0 libraries -used. -.Sp +certificate specified by +\fBTLS_CERT\fR. +The private key must not be password-protected. +The key type depends on the LDAP libraries used. +.RS +.PD +.TP 6n OpenLDAP: - \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR -.Sp +\fRtls_key /etc/ssl/client_key.pem\fR +.TP 6n Netscape-derived: - \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR -.Sp +\fRtls_key /var/ldap/key3.db\fR +.TP 6n Tivoli Directory Server: - \f(CW\*(C`tls_cert /usr/ldap/ldapkey.kdb\*(C'\fR -.Sp -When using Tivoli \s-1LDAP\s0 libraries, this file may also contain +\fRtls_cert /usr/ldap/ldapkey.kdb\fR +.PD 0 +.PP +.PD +When using Tivoli LDAP libraries, this file may also contain Certificate Authority and client certificates and may be encrypted. -.IP "\fB\s-1TLS_KEYPW\s0\fR secret" 4 -.IX Item "TLS_KEYPW secret" -The \fB\s-1TLS_KEYPW\s0\fR contains the password used to decrypt the key -database on clients using the Tivoli Directory Server \s-1LDAP\s0 library. -If no \fB\s-1TLS_KEYPW\s0\fR is specified, a \fIstash file\fR will be used if -it exists. The \fIstash file\fR must have the same path as the file -specified by \fB\s-1TLS_KEY\s0\fR, but use a \f(CW\*(C`.sth\*(C'\fR file extension instead -of \f(CW\*(C`.kdb\*(C'\fR, e.g. \f(CW\*(C`ldapkey.sth\*(C'\fR. The default \f(CW\*(C`ldapkey.kdb\*(C'\fR that -ships with Tivoli Directory Server is encrypted with the password -\&\f(CW\*(C`ssl_password\*(C'\fR. This option is only supported by the Tivoli \s-1LDAP\s0 -libraries. -.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4 -.IX Item "TLS_RANDFILE file name" -The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy -source for systems that lack a random device. It is generally used -in conjunction with \fIprngd\fR or \fIegd\fR. +.PP +.RE +.PD 0 +.TP 6n +\fBTLS_KEYPW\fR \fIsecret\fR +The +\fBTLS_KEYPW\fR +contains the password used to decrypt the key database on clients +using the Tivoli Directory Server LDAP library. +If no +\fBTLS_KEYPW\fR +is specified, a +\fIstash file\fR +will be used if it exists. +The +\fIstash file\fR +must have the same path as the file specified by +\fBTLS_KEY\fR, +but use a +\fR.sth\fR +file extension instead of +\fR.kdb\fR, +e.g.\& +\fRldapkey.sth\fR. +The default +\fRldapkey.kdb\fR +that ships with Tivoli Directory Server is encrypted with the password +\fRssl_password\fR. +This option is only supported by the Tivoli LDAP libraries. +.PD +.TP 6n +\fBTLS_RANDFILE\fR \fIfile name\fR +The +\fBTLS_RANDFILE\fR +parameter specifies the path to an entropy source for systems that lack +a random device. +It is generally used in conjunction with +\fIprngd\fR +or +\fIegd\fR. This option is only supported by the OpenLDAP libraries. -.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4 -.IX Item "TLS_CIPHERS cipher list" -The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict which -encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. See -the OpenLDAP or Tivoli Directory Server manual for a list of valid -ciphers. This option is not supported by Netscape-derived libraries. -.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4 -.IX Item "USE_SASL on/true/yes/off/false/no" -Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication. -.IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4 -.IX Item "SASL_AUTH_ID identity" -The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server. -By default, \fBsudo\fR will use an anonymous connection. -.IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4 -.IX Item "ROOTUSE_SASL on/true/yes/off/false/no" -Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting -to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR. -.IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4 -.IX Item "ROOTSASL_AUTH_ID identity" -The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled. -.IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4 -.IX Item "SASL_SECPROPS none/properties" -\&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the -\&\s-1SASL\s0 programmer's manual for details. -.IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4 -.IX Item "KRB5_CCNAME file name" +.TP 6n +\fBTLS_CIPHERS\fR \fIcipher list\fR +The +\fBTLS_CIPHERS\fR +parameter allows the administer to restrict which encryption algorithms +may be used for TLS (SSL) connections. +See the OpenLDAP or Tivoli Directory Server manual for a list of valid +ciphers. +This option is not supported by Netscape-derived libraries. +.TP 6n +\fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR +Enable +\fBUSE_SASL\fR +for LDAP servers that support SASL authentication. +.TP 6n +\fBSASL_AUTH_ID\fR \fIidentity\fR +The SASL user name to use when connecting to the LDAP server. +By default, +\fBsudo\fR +will use an anonymous connection. +.TP 6n +\fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR +Enable +\fBROOTUSE_SASL\fR +to enable SASL authentication when connecting +to an LDAP server from a privileged process, such as +\fBsudo\fR. +.TP 6n +\fBROOTSASL_AUTH_ID\fR \fIidentity\fR +The SASL user name to use when +\fBROOTUSE_SASL\fR +is enabled. +.TP 6n +\fBSASL_SECPROPS\fR \fInone/properties\fR +SASL security properties or +\fInone\fR +for no properties. +See the SASL programmer's manual for details. +.TP 6n +\fBKRB5_CCNAME\fR \fIfile name\fR The path to the Kerberos 5 credential cache to use when authenticating with the remote server. -.IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4 -.IX Item "DEREF never/searching/finding/always" -How alias dereferencing is to be performed when searching. See the -\&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option. +.TP 6n +\fBDEREF\fR \fInever/searching/finding/always\fR +How alias dereferencing is to be performed when searching. +See the +ldap.conf(@mansectsu@) +manual for a full description of this option. .PP -See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section. +See the +\fIldap.conf\fR +entry in the +\fIEXAMPLES\fR +section. .SS "Configuring nsswitch.conf" -.IX Subsection "Configuring nsswitch.conf" -Unless it is disabled at build time, \fBsudo\fR consults the Name -Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR -search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and -uses this to determine the search order. Note that \fBsudo\fR does +Unless it is disabled at build time, +\fBsudo\fR +consults the Name Service Switch file, +\fI@nsswitch_conf@\fR, +to specify the +\fIsudoers\fR +search order. +Sudo looks for a line beginning with +\fRsudoers\fR: +and uses this to determine the search order. +Note that +\fBsudo\fR +does not stop searching after the first match and later matches take precedence over earlier ones. -.PP The following sources are recognized: +.TP 10n +files +read sudoers from +\fI@sysconfdir@/sudoers\fR +.PD 0 +.TP 10n +ldap +read sudoers from LDAP +.PD .PP -.Vb 2 -\& files read sudoers from F<@sysconfdir@/sudoers> -\& ldap read sudoers from LDAP -.Ve -.PP -In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the -search if the user was not found in the preceding source. +In addition, the entry +\fR[NOTFOUND=return]\fR +will short-circuit the search if the user was not found in the +preceding source. .PP -To consult \s-1LDAP\s0 first followed by the local sudoers file (if it +To consult LDAP first followed by the local sudoers file (if it exists), use: +.nf +.sp +.RS 4n +sudoers: ldap files +.RE +.fi .PP -.Vb 1 -\& sudoers: ldap files -.Ve -.PP -The local \fIsudoers\fR file can be ignored completely by using: -.PP -.Vb 1 -\& sudoers: ldap -.Ve -.PP -If the \fI@nsswitch_conf@\fR file is not present or there is no -sudoers line, the following default is assumed: +The local +\fIsudoers\fR +file can be ignored completely by using: +.nf +.sp +.RS 4n +sudoers: ldap +.RE +.fi .PP -.Vb 1 -\& sudoers: files -.Ve +If the +\fI@nsswitch_conf@\fR +file is not present or there is no sudoers line, the following +default is assumed: +.nf +.sp +.RS 4n +sudoers: files +.RE +.fi .PP -Note that \fI@nsswitch_conf@\fR is supported even when the underlying -operating system does not use an nsswitch.conf file, except on \s-1AIX\s0 (see below). +Note that +\fI@nsswitch_conf@\fR +is supported even when the underlying operating system does not use +an nsswitch.conf file, except on AIX (see below). .SS "Configuring netsvc.conf" -.IX Subsection "Configuring netsvc.conf" -On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of -\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a -variant of \fInsswitch.conf\fR; information in the previous section -unrelated to the file format itself still applies. +On AIX systems, the +\fI@netsvc_conf@\fR +file is consulted instead of +\fI@nsswitch_conf@\fR. +\fBsudo\fR +simply treats +\fInetsvc.conf\fR +as a variant of +\fInsswitch.conf\fR; +information in the previous section unrelated to the file format +itself still applies. .PP -To consult \s-1LDAP\s0 first followed by the local sudoers file (if it +To consult LDAP first followed by the local sudoers file (if it exists), use: +.nf +.sp +.RS 4n +sudoers = ldap, files +.RE +.fi .PP -.Vb 1 -\& sudoers = ldap, files -.Ve -.PP -The local \fIsudoers\fR file can be ignored completely by using: -.PP -.Vb 1 -\& sudoers = ldap -.Ve -.PP -To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file -if the user is not present in \s-1LDAP\s0, use: +The local +\fIsudoers\fR +file can be ignored completely by using: +.nf +.sp +.RS 4n +sudoers = ldap +.RE +.fi .PP -.Vb 1 -\& sudoers = ldap = auth, files -.Ve +To treat LDAP as authoratative and only use the local sudoers file +if the user is not present in LDAP, use: +.nf +.sp +.RS 4n +sudoers = ldap = auth, files +.RE +.fi .PP -Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects -user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR +Note that in the above example, the +\fRauth\fR +qualfier only affects user lookups; both LDAP and +\fIsudoers\fR +will be queried for +\fRDefaults\fR entries. .PP -If the \fI@netsvc_conf@\fR file is not present or there is no -sudoers line, the following default is assumed: -.PP -.Vb 1 -\& sudoers = files -.Ve +If the +\fI@netsvc_conf@\fR +file is not present or there is no sudoers line, the following +default is assumed: +.nf +.sp +.RS 4n +sudoers = files +.RE +.fi .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@ldap_conf@\fR" 24 -.el .IP "\fI@ldap_conf@\fR" 24 -.IX Item "@ldap_conf@" -\&\s-1LDAP\s0 configuration file -.ie n .IP "\fI@nsswitch_conf@\fR" 24 -.el .IP "\fI@nsswitch_conf@\fR" 24 -.IX Item "@nsswitch_conf@" +.TP 26n +\fI@ldap_conf@\fR +LDAP configuration file +.TP 26n +\fI@nsswitch_conf@\fR determines sudoers source order -.ie n .IP "\fI@netsvc_conf@\fR" 24 -.el .IP "\fI@netsvc_conf@\fR" 24 -.IX Item "@netsvc_conf@" -determines sudoers source order on \s-1AIX\s0 +.TP 26n +\fI@netsvc_conf@\fR +determines sudoers source order on AIX .SH "EXAMPLES" -.IX Header "EXAMPLES" .SS "Example ldap.conf" -.IX Subsection "Example ldap.conf" -.Vb 10 -\& # Either specify one or more URIs or one or more host:port pairs. -\& # If neither is specified sudo will default to localhost, port 389. -\& # -\& #host ldapserver -\& #host ldapserver1 ldapserver2:390 -\& # -\& # Default port if host is specified without one, defaults to 389. -\& #port 389 -\& # -\& # URI will override the host and port settings. -\& uri ldap://ldapserver -\& #uri ldaps://secureldapserver -\& #uri ldaps://secureldapserver ldap://ldapserver -\& # -\& # The amount of time, in seconds, to wait while trying to connect to -\& # an LDAP server. -\& bind_timelimit 30 -\& # -\& # The amount of time, in seconds, to wait while performing an LDAP query. -\& timelimit 30 -\& # -\& # Must be set or sudo will ignore LDAP; may be specified multiple times. -\& sudoers_base ou=SUDOers,dc=example,dc=com -\& # -\& # verbose sudoers matching from ldap -\& #sudoers_debug 2 -\& # -\& # Enable support for time\-based entries in sudoers. -\& #sudoers_timed yes -\& # -\& # optional proxy credentials -\& #binddn -\& #bindpw -\& #rootbinddn -\& # -\& # LDAP protocol version, defaults to 3 -\& #ldap_version 3 -\& # -\& # Define if you want to use an encrypted LDAP connection. -\& # Typically, you must also set the port to 636 (ldaps). -\& #ssl on -\& # -\& # Define if you want to use port 389 and switch to -\& # encryption before the bind credentials are sent. -\& # Only supported by LDAP servers that support the start_tls -\& # extension such as OpenLDAP. -\& #ssl start_tls -\& # -\& # Additional TLS options follow that allow tweaking of the -\& # SSL/TLS connection. -\& # -\& #tls_checkpeer yes # verify server SSL certificate -\& #tls_checkpeer no # ignore server SSL certificate -\& # -\& # If you enable tls_checkpeer, specify either tls_cacertfile -\& # or tls_cacertdir. Only supported when using OpenLDAP. -\& # -\& #tls_cacertfile /etc/certs/trusted_signers.pem -\& #tls_cacertdir /etc/certs -\& # -\& # For systems that don\*(Aqt have /dev/random -\& # use this along with PRNGD or EGD.pl to seed the -\& # random number pool to generate cryptographic session keys. -\& # Only supported when using OpenLDAP. -\& # -\& #tls_randfile /etc/egd\-pool -\& # -\& # You may restrict which ciphers are used. Consult your SSL -\& # documentation for which options go here. -\& # Only supported when using OpenLDAP. -\& # -\& #tls_ciphers -\& # -\& # Sudo can provide a client certificate when communicating to -\& # the LDAP server. -\& # Tips: -\& # * Enable both lines at the same time. -\& # * Do not password protect the key file. -\& # * Ensure the keyfile is only readable by root. -\& # -\& # For OpenLDAP: -\& #tls_cert /etc/certs/client_cert.pem -\& #tls_key /etc/certs/client_key.pem -\& # -\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either -\& # a directory, in which case the files in the directory must have the -\& # default names (e.g. cert8.db and key4.db), or the path to the cert -\& # and key files themselves. However, a bug in version 5.0 of the LDAP -\& # SDK will prevent specific file names from working. For this reason -\& # it is suggested that tls_cert and tls_key be set to a directory, -\& # not a file name. -\& # -\& # The certificate database specified by tls_cert may contain CA certs -\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key -\& # should be specified as well. -\& # For backward compatibility, "sslpath" may be used in place of tls_cert. -\& #tls_cert /var/ldap -\& #tls_key /var/ldap -\& # -\& # If using SASL authentication for LDAP (OpenSSL) -\& # use_sasl yes -\& # sasl_auth_id -\& # rootuse_sasl yes -\& # rootsasl_auth_id -\& # sasl_secprops none -\& # krb5_ccname /etc/.ldapcache -.Ve +.nf +.RS 2n +# Either specify one or more URIs or one or more host:port pairs. +# If neither is specified sudo will default to localhost, port 389. +# +#host ldapserver +#host ldapserver1 ldapserver2:390 +# +# Default port if host is specified without one, defaults to 389. +#port 389 +# +# URI will override the host and port settings. +uri ldap://ldapserver +#uri ldaps://secureldapserver +#uri ldaps://secureldapserver ldap://ldapserver +# +# The amount of time, in seconds, to wait while trying to connect to +# an LDAP server. +bind_timelimit 30 +# +# The amount of time, in seconds, to wait while performing an LDAP query. +timelimit 30 +# +# Must be set or sudo will ignore LDAP; may be specified multiple times. +sudoers_base ou=SUDOers,dc=example,dc=com +# +# verbose sudoers matching from ldap +#sudoers_debug 2 +# +# Enable support for time-based entries in sudoers. +#sudoers_timed yes +# +# optional proxy credentials +#binddn +#bindpw +#rootbinddn +# +# LDAP protocol version, defaults to 3 +#ldap_version 3 +# +# Define if you want to use an encrypted LDAP connection. +# Typically, you must also set the port to 636 (ldaps). +#ssl on +# +# Define if you want to use port 389 and switch to +# encryption before the bind credentials are sent. +# Only supported by LDAP servers that support the start_tls +# extension such as OpenLDAP. +#ssl start_tls +# +# Additional TLS options follow that allow tweaking of the +# SSL/TLS connection. +# +#tls_checkpeer yes # verify server SSL certificate +#tls_checkpeer no # ignore server SSL certificate +# +# If you enable tls_checkpeer, specify either tls_cacertfile +# or tls_cacertdir. Only supported when using OpenLDAP. +# +#tls_cacertfile /etc/certs/trusted_signers.pem +#tls_cacertdir /etc/certs +# +# For systems that don't have /dev/random +# use this along with PRNGD or EGD.pl to seed the +# random number pool to generate cryptographic session keys. +# Only supported when using OpenLDAP. +# +#tls_randfile /etc/egd-pool +# +# You may restrict which ciphers are used. Consult your SSL +# documentation for which options go here. +# Only supported when using OpenLDAP. +# +#tls_ciphers +# +# Sudo can provide a client certificate when communicating to +# the LDAP server. +# Tips: +# * Enable both lines at the same time. +# * Do not password protect the key file. +# * Ensure the keyfile is only readable by root. +# +# For OpenLDAP: +#tls_cert /etc/certs/client_cert.pem +#tls_key /etc/certs/client_key.pem +# +# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either +# a directory, in which case the files in the directory must have the +# default names (e.g. cert8.db and key4.db), or the path to the cert +# and key files themselves. However, a bug in version 5.0 of the LDAP +# SDK will prevent specific file names from working. For this reason +# it is suggested that tls_cert and tls_key be set to a directory, +# not a file name. +# +# The certificate database specified by tls_cert may contain CA certs +# and/or the client's cert. If the client's cert is included, tls_key +# should be specified as well. +# For backward compatibility, "sslpath" may be used in place of tls_cert. +#tls_cert /var/ldap +#tls_key /var/ldap +# +# If using SASL authentication for LDAP (OpenSSL) +# use_sasl yes +# sasl_auth_id +# rootuse_sasl yes +# rootsasl_auth_id +# sasl_secprops none +# krb5_ccname /etc/.ldapcache +.RE +.fi .SS "Sudo schema for OpenLDAP" -.IX Subsection "Sudo schema for OpenLDAP" -The following schema, in OpenLDAP format, is included with \fBsudo\fR -source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy -it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the -proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR. -.PP -.Vb 6 -\& attributetype ( 1.3.6.1.4.1.15953.9.1.1 -\& NAME \*(AqsudoUser\*(Aq -\& DESC \*(AqUser(s) who may run sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SUBSTR caseExactIA5SubstringsMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.2 -\& NAME \*(AqsudoHost\*(Aq -\& DESC \*(AqHost(s) who may run sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SUBSTR caseExactIA5SubstringsMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.3 -\& NAME \*(AqsudoCommand\*(Aq -\& DESC \*(AqCommand(s) to be executed by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.4 -\& NAME \*(AqsudoRunAs\*(Aq -\& DESC \*(AqUser(s) impersonated by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.5 -\& NAME \*(AqsudoOption\*(Aq -\& DESC \*(AqOptions(s) followed by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.6 -\& NAME \*(AqsudoRunAsUser\*(Aq -\& DESC \*(AqUser(s) impersonated by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.7 -\& NAME \*(AqsudoRunAsGroup\*(Aq -\& DESC \*(AqGroup(s) impersonated by sudo\*(Aq -\& EQUALITY caseExactIA5Match -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.8 -\& NAME \*(AqsudoNotBefore\*(Aq -\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq -\& EQUALITY generalizedTimeMatch -\& ORDERING generalizedTimeOrderingMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) -\& -\& attributetype ( 1.3.6.1.4.1.15953.9.1.9 -\& NAME \*(AqsudoNotAfter\*(Aq -\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq -\& EQUALITY generalizedTimeMatch -\& ORDERING generalizedTimeOrderingMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) -\& -\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 -\& NAME \*(AqsudoOrder\*(Aq -\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq -\& EQUALITY integerMatch -\& ORDERING integerOrderingMatch -\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) -\& -\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL -\& DESC \*(AqSudoer Entries\*(Aq -\& MUST ( cn ) -\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ -\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ -\& sudoOrder $ description ) -\& ) -.Ve +The following schema, in OpenLDAP format, is included with +\fBsudo\fR +source and binary distributions as +\fIschema.OpenLDAP\fR. +Simply copy +it to the schema directory (e.g.\& +\fI/etc/openldap/schema\fR), +add the proper +\fRinclude\fR +line in +\fIslapd.conf\fR +and restart +\fBslapd\fR. +.nf +.sp +.RS 2n +attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + +objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) + ) +.RE +.fi .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5) +ldap.conf(@mansectsu@), +sudoers(@mansectsu@) .SH "CAVEATS" -.IX Header "CAVEATS" -Note that there are differences in the way that LDAP-based \fIsudoers\fR -is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences -between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information. +Note that there are differences in the way that LDAP-based +\fIsudoers\fR +is parsed compared to file-based +\fIsudoers\fR. +See the +\fIDifferences between LDAP and non-LDAP sudoers\fR +section for more information. .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/sudoers.ldap.mdoc.in b/sudoers.ldap.mdoc.in new file mode 100644 index 000000000..b43187ad5 --- /dev/null +++ b/sudoers.ldap.mdoc.in @@ -0,0 +1,1103 @@ +.\" +.\" Copyright (c) 2003-2012 Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd July 12, 2012 +.Dt SUDOERS.LDAP @mansectsu@ +.Os Sudo @PACKAGE_VERSION@ +.Sh NAME +.Nm sudoers.ldap +.Nd sudo LDAP configuration +.Sh DESCRIPTION +In addition to the standard +.Em sudoers +file, +.Nm sudo +may be configured +via LDAP. +This can be especially useful for synchronizing +.Em sudoers +in a large, distributed environment. +.Pp +Using LDAP for +.Em sudoers +has several benefits: +.Bl -bullet +.It +.Nm sudo +no longer needs to read +.Em sudoers +in its entirety. +When LDAP is used, there are only two or three LDAP queries per invocation. +This makes it especially fast and particularly usable in LDAP environments. +.It +.Nm sudo +no longer exits if there is a typo in +.Em sudoers . +It is not possible to load LDAP data into the server that does +not conform to the sudoers schema, so proper syntax is guaranteed. +It is still possible to have typos in a user or host name, but +this will not prevent +.Nm sudo +from running. +.It +It is possible to specify per-entry options that override the global +default options. +.Pa @sysconfdir@/sudoers +only supports default options and limited options associated with +user/host/commands/aliases. +The syntax is complicated and can be difficult for users to understand. +Placing the options directly in the entry is more natural. +.It +The +.Nm visudo +program is no longer needed. +.Nm visudo +provides locking and syntax checking of the +.Pa @sysconfdir@/sudoers +file. +Since LDAP updates are atomic, locking is no longer necessary. +Because syntax is checked when the data is inserted into LDAP, there +is no need for a specialized tool to check syntax. +.El +.Pp +Another major difference between LDAP and file-based +.Em sudoers +is that in LDAP, +.Nm sudo Ns No -specific +Aliases are not supported. +.Pp +For the most part, there is really no need for +.Nm sudo Ns No -specific +Aliases. +Unix groups or user netgroups can be used in place of User_Aliases and +Runas_Aliases. +Host netgroups can be used in place of Host_Aliases. +Since Unix groups and netgroups can also be stored in LDAP there is no +real need for +.Nm sudo Ns No -specific +aliases. +.Pp +Cmnd_Aliases are not really required either since it is possible +to have multiple users listed in a +.Li sudoRole . +Instead of defining a Cmnd_Alias that is referenced by multiple users, +one can create a +.Li sudoRole +that contains the commands and assign multiple users to it. +.Ss SUDOers LDAP container +The +.Em sudoers +configuration is contained in the +.Li ou=SUDOers +LDAP container. +.Pp +Sudo first looks for the +.Li cn=default +entry in the SUDOers container. +If found, the multi-valued +.Li sudoOption +attribute is parsed in the same manner as a global +.Li Defaults +line in +.Pa @sysconfdir@/sudoers . +In the following example, the +.Ev SSH_AUTH_SOCK +variable will be preserved in the environment for all users. +.Bd -literal -offset 4n +dn: cn=defaults,ou=SUDOers,dc=example,dc=com +objectClass: top +objectClass: sudoRole +cn: defaults +description: Default sudoOption's go here +sudoOption: env_keep+=SSH_AUTH_SOCK +.Ed +.Pp +The equivalent of a sudoer in LDAP is a +.Li sudoRole . +It consists of the following attributes: +.Bl -tag -width 4n +.It Sy sudoUser +A user name, user ID (prefixed with +.Ql # ) , +Unix group (prefixed with +.Ql % ) , +Unix group ID (prefixed with +.Ql %# ) , +or user netgroup (prefixed with +.Ql + ) . +.It Sy sudoHost +A host name, IP address, IP network, or host netgroup (prefixed with a +.Ql + ) . +The special value +.Li ALL +will match any host. +.It Sy sudoCommand +A Unix command with optional command line arguments, potentially +including globbing characters (aka wild cards). +The special value +.Li ALL +will match any command. +If a command is prefixed with an exclamation point +.Ql \&! , +the user will be prohibited from running that command. +.It Sy sudoOption +Identical in function to the global options described above, but +specific to the +.Li sudoRole +in which it resides. +.It Sy sudoRunAsUser +A user name or uid (prefixed with +.Ql # ) +that commands may be run as or a Unix group (prefixed with a +.Ql % ) +or user netgroup (prefixed with a +.Ql + ) +that contains a list of users that commands may be run as. +The special value +.Li ALL +will match any user. +.Pp +The +.Li sudoRunAsUser +attribute is only available in +.Nm sudo +versions +1.7.0 and higher. +Older versions of +.Nm sudo +use the +.Li sudoRunAs +attribute instead. +.It Sy sudoRunAsGroup +A Unix group or gid (prefixed with +.Ql # ) +that commands may be run as. +The special value +.Li ALL +will match any group. +.Pp +The +.Li sudoRunAsGroup +attribute is only available in +.Nm sudo +versions +1.7.0 and higher. +.It Sy sudoNotBefore +A timestamp in the form +.Li yyyymmddHHMMSSZ +that can be used to provide a start date/time for when the +.Li sudoRole +will be valid. +If multiple +.Li sudoNotBefore +entries are present, the earliest is used. +Note that timestamps must be in Coordinated Universal Time (UTC), +not the local timezone. +The minute and seconds portions are optional, but some LDAP servers +require that they be present (contrary to the RFC). +.Pp +The +.Li sudoNotBefore +attribute is only available in +.Nm sudo +versions 1.7.5 and higher and must be explicitly enabled via the +.Sy SUDOERS_TIMED +option in +.Pa @ldap_conf@ . +.It Sy sudoNotAfter +A timestamp in the form +.Li yyyymmddHHMMSSZ +that indicates an expiration date/time, after which the +.Li sudoRole +will no longer be valid. +If multiple +.Li sudoNotBefore +entries are present, the last one is used. +Note that timestamps must be in Coordinated Universal Time (UTC), +not the local timezone. +The minute and seconds portions are optional, but some LDAP servers +require that they be present (contrary to the RFC). +.Pp +The +.Li sudoNotAfter +attribute is only available in +.Nm sudo +versions +1.7.5 and higher and must be explicitly enabled via the +.Sy SUDOERS_TIMED +option in +.Pa @ldap_conf@ . +.It Sy sudoOrder +The +.Li sudoRole +entries retrieved from the LDAP directory have no inherent order. +The +.Li sudoOrder +attribute is an integer (or floating point value for LDAP servers +that support it) that is used to sort the matching entries. +This allows LDAP-based sudoers entries to more closely mimic the behaviour +of the sudoers file, where the of the entries influences the result. +If multiple entries match, the entry with the highest +.Li sudoOrder +attribute is chosen. +This corresponds to the +.Dq last match +behavior of the sudoers file. +If the +.Li sudoOrder +attribute is not present, a value of 0 is assumed. +.Pp +The +.Li sudoOrder +attribute is only available in +.Nm sudo +versions 1.7.5 and higher. +.El +.Pp +Each attribute listed above should contain a single value, but there +may be multiple instances of each attribute type. +A +.Li sudoRole +must contain at least one +.Li sudoUser , +.Li sudoHost +and +.Li sudoCommand . +.Pp +The following example allows users in group wheel to run any command +on any host via +.Nm sudo : +.Bd -literal -offset 4n +dn: cn=%wheel,ou=SUDOers,dc=example,dc=com +objectClass: top +objectClass: sudoRole +cn: %wheel +sudoUser: %wheel +sudoHost: ALL +sudoCommand: ALL +.Ed +.Ss Anatomy of LDAP sudoers lookup +When looking up a sudoer using LDAP there are only two or three +LDAP queries per invocation. +The first query is to parse the global options. +The second is to match against the user's name and the groups that +the user belongs to. +(The special +.Li ALL +tag is matched in this query too.) +If no match is returned for the user's name and groups, a third +query returns all entries containing user netgroups and checks +to see if the user belongs to any of them. +.Pp +If timed entries are enabled with the +.Sy SUDOERS_TIMED +configuration directive, the LDAP queries include a subfilter that +limits retrieval to entries that satisfy the time constraints, if any. +.Ss Differences between LDAP and non-LDAP sudoers +There are some subtle differences in the way sudoers is handled +once in LDAP. +Probably the biggest is that according to the RFC, LDAP ordering +is arbitrary and you cannot expect that Attributes and Entries are +returned in any specific order. +.Pp +The order in which different entries are applied can be controlled +using the +.Li sudoOrder +attribute, but there is no way to guarantee the order of attributes +within a specific entry. +If there are conflicting command rules in an entry, the negative +takes precedence. +This is called paranoid behavior (not necessarily the most specific +match). +.Pp +Here is an example: +.Bd -literal -offset 4n +# /etc/sudoers: +# Allow all commands except shell +johnny ALL=(root) ALL,!/bin/sh +# Always allows all commands because ALL is matched last +puddles ALL=(root) !/bin/sh,ALL + +# LDAP equivalent of johnny +# Allows all commands except shell +dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com +objectClass: sudoRole +objectClass: top +cn: role1 +sudoUser: johnny +sudoHost: ALL +sudoCommand: ALL +sudoCommand: !/bin/sh + +# LDAP equivalent of puddles +# Notice that even though ALL comes last, it still behaves like +# role1 since the LDAP code assumes the more paranoid configuration +dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com +objectClass: sudoRole +objectClass: top +cn: role2 +sudoUser: puddles +sudoHost: ALL +sudoCommand: !/bin/sh +sudoCommand: ALL +.Ed +.Pp +Another difference is that negations on the Host, User or Runas are +currently ignored. +For example, the following attributes do not behave the way one might expect. +.Bd -literal -offset 4n +# does not match all but joe +# rather, does not match anyone +sudoUser: !joe + +# does not match all but joe +# rather, matches everyone including Joe +sudoUser: ALL +sudoUser: !joe + +# does not match all but web01 +# rather, matches all hosts including web01 +sudoHost: ALL +sudoHost: !web01 +.Ed +.Ss Sudoers Schema +In order to use +.Nm sudo Ns No 's +LDAP support, the +.Nm sudo +schema must be +installed on your LDAP server. +In addition, be sure to index the +.Li sudoUser +attribute. +.Pp +Three versions of the schema: one for OpenLDAP servers +.Pq Pa schema.OpenLDAP , +one for Netscape-derived servers +.Pq Pa schema.iPlanet , +and one for Microsoft Active Directory +.Pq Pa schema.ActiveDirectory +may be found in the +.Nm sudo +distribution. +.Pp +The schema for +.Nm sudo +in OpenLDAP form is also included in the +.Sx EXAMPLES +section. +.Ss Configuring ldap.conf +Sudo reads the +.Pa @ldap_conf@ +file for LDAP-specific configuration. +Typically, this file is shared amongst different LDAP-aware clients. +As such, most of the settings are not +.Nm sudo Ns No -specific. +Note that +.Nm sudo +parses +.Pa @ldap_conf@ +itself and may support options that differ from those described in the +system's +.Xr ldap.conf @mansectsu@ +manual. +.Pp +Also note that on systems using the OpenLDAP libraries, default +values specified in +.Pa /etc/openldap/ldap.conf +or the user's +.Pa .ldaprc +files are not used. +.Pp +Only those options explicitly listed in +.Pa @ldap_conf@ +as being supported by +.Nm sudo +are honored. +Configuration options are listed below in upper case but are parsed +in a case-independent manner. +.Bl -tag -width 4n +.It Sy URI Ar ldap[s]://[hostname[:port]] ... +Specifies a whitespace-delimited list of one or more URIs describing +the LDAP server(s) to connect to. +The +.Em protocol +may be either +.Em ldap +.Em ldaps , +the latter being for servers that support TLS (SSL) encryption. +If no +.Em port +is specified, the default is port 389 for +.Li ldap:// +or port 636 for +.Li ldaps:// . +If no +.Em hostname +is specified, +.Nm sudo +will connect to +.Em localhost . +Multiple +.Sy URI +lines are treated identically to a +.Sy URI +line containing multiple entries. +Only systems using the OpenSSL libraries support the mixing of +.Li ldap:// +and +.Li ldaps:// +URIs. +Both the Netscape-derived and Tivoli LDAP libraries used on most commercial +versions of Unix are only capable of supporting one or the other. +.It Sy HOST Ar name[:port] ... +If no +.Sy URI +is specified, the +.Sy HOST +parameter specifies a whitespace-delimited list of LDAP servers to connect to. +Each host may include an optional +.Em port +separated by a colon +.Pq Ql :\& . +The +.Sy HOST +parameter is deprecated in favor of the +.Sy URI +specification and is included for backwards compatibility. +.It Sy PORT Ar port_number +If no +.Sy URI +is specified, the +.Sy PORT +parameter specifies the default port to connect to on the LDAP server if a +.Sy HOST +parameter does not specify the port itself. +If no +.Sy PORT +parameter is used, the default is port 389 for LDAP and port 636 for LDAP +over TLS (SSL). +The +.Sy PORT +parameter is deprecated in favor of the +.Sy URI +specification and is included for backwards compatibility. +.It Sy BIND_TIMELIMIT Ar seconds +The +.Sy BIND_TIMELIMIT +parameter specifies the amount of time, in seconds, to wait while trying +to connect to an LDAP server. +If multiple +.Sy URI Ns No s +or +.Sy HOST Ns No s +are specified, this is the amount of time to wait before trying +the next one in the list. +.It Sy NETWORK_TIMEOUT Ar seconds +An alias for +.Sy BIND_TIMELIMIT +for OpenLDAP compatibility. +.It Sy TIMELIMIT Ar seconds +The +.Sy TIMELIMIT +parameter specifies the amount of time, in seconds, to wait for a +response to an LDAP query. +.It Sy TIMEOUT Ar seconds +The +.Sy TIMEOUT +parameter specifies the amount of time, in seconds, to wait for a +response from the various LDAP APIs. +.It Sy SUDOERS_BASE Ar base +The base DN to use when performing +.Nm sudo +LDAP queries. +Typically this is of the form +.Li ou=SUDOers,dc=example,dc=com +for the domain +.Li example.com . +Multiple +.Sy SUDOERS_BASE +lines may be specified, in which case they are queried in the order specified. +.It Sy SUDOERS_SEARCH_FILTER Ar ldap_filter +An LDAP filter which is used to restrict the set of records returned +when performing a +.Nm sudo +LDAP query. +Typically, this is of the +form +.Li attribute=value +or +.Li (&(attribute=value)(attribute2=value2)) . +.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no +Whether or not to evaluate the +.Li sudoNotBefore +and +.Li sudoNotAfter +attributes that implement time-dependent sudoers entries. +.It Sy SUDOERS_DEBUG Ar debug_level +This sets the debug level for +.Nm sudo +LDAP queries. +Debugging information is printed to the standard error. +A value of 1 results in a moderate amount of debugging information. +A value of 2 shows the results of the matches themselves. +This parameter should not be set in a production environment as the +extra information is likely to confuse users. +.It Sy BINDDN Ar DN +The +.Sy BINDDN +parameter specifies the identity, in the form of a Distinguished Name (DN), +to use when performing LDAP operations. +If not specified, LDAP operations are performed with an anonymous identity. +By default, most LDAP servers will allow anonymous access. +.It Sy BINDPW Ar secret +The +.Sy BINDPW +parameter specifies the password to use when performing LDAP operations. +This is typically used in conjunction with the +.Sy BINDDN +parameter. +.It Sy ROOTBINDDN Ar DN +The +.Sy ROOTBINDDN +parameter specifies the identity, in the form of a Distinguished Name (DN), +to use when performing privileged LDAP operations, such as +.Em sudoers +queries. +The password corresponding +to the identity should be stored in +.Pa @ldap_secret@ . +If not specified, the +.Sy BINDDN +identity is used (if any). +.It Sy LDAP_VERSION Ar number +The version of the LDAP protocol to use when connecting to the server. +The default value is protocol version 3. +.It Sy SSL Ar on/true/yes/off/false/no +If the +.Sy SSL +parameter is set to +.Li on , +.Li true +.Li or +.Li yes , +TLS (SSL) encryption is always used when communicating with the LDAP server. +Typically, this involves connecting to the server on port 636 (ldaps). +.It Sy SSL Ar start_tls +If the +.Sy SSL +parameter is set to +.Li start_tls , +the LDAP server connection is initiated normally and TLS encryption is +begun before the bind credentials are sent. +This has the advantage of not requiring a dedicated port for encrypted +communications. +This parameter is only supported by LDAP servers that honor the +.Em start_tls +extension, such as the OpenLDAP and Tivoli Directory servers. +.It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no +If enabled, +.Sy TLS_CHECKPEER +will cause the LDAP server's TLS certificated to be verified. +If the server's TLS certificate cannot be verified (usually because it +is signed by an unknown certificate authority), +.Nm sudo +will be unable to connect to it. +If +.Sy TLS_CHECKPEER +is disabled, no check is made. +Note that disabling the check creates an opportunity for man-in-the-middle +attacks since the server's identity will not be authenticated. +If possible, the CA's certificate should be installed locally so it can +be verified. +This option is not supported by the Tivoli Directory Server LDAP libraries. +.It Sy TLS_CACERT Ar file name +An alias for +.Sy TLS_CACERTFILE +for OpenLDAP compatibility. +.It Sy TLS_CACERTFILE Ar file name +The path to a certificate authority bundle which contains the certificates +for all the Certificate Authorities the client knows to be valid, e.g.\& +.Pa /etc/ssl/ca-bundle.pem . +This option is only supported by the OpenLDAP libraries. +Netscape-derived LDAP libraries use the same certificate +database for CA and client certificates (see +.Sy TLS_CERT ) . +.It Sy TLS_CACERTDIR Ar directory +Similar to +.Sy TLS_CACERTFILE +but instead of a file, it is a directory containing individual +Certificate Authority certificates, e.g.\& +.Pa /etc/ssl/certs . +The directory specified by +.Sy TLS_CACERTDIR +is checked after +.Sy TLS_CACERTFILE . +This option is only supported by the OpenLDAP libraries. +.It Sy TLS_CERT Ar file name +The path to a file containing the client certificate which can +be used to authenticate the client to the LDAP server. +The certificate type depends on the LDAP libraries used. +.Bl -tag -width 4n +.It OpenLDAP: +.Li tls_cert /etc/ssl/client_cert.pem +.It Netscape-derived: +.Li tls_cert /var/ldap/cert7.db +.It Tivoli Directory Server: +Unused, the key database specified by +.Sy TLS_KEY +contains both keys and certificates. +.Pp +When using Netscape-derived libraries, this file may also contain +Certificate Authority certificates. +.El +.It Sy TLS_KEY Ar file name +The path to a file containing the private key which matches the +certificate specified by +.Sy TLS_CERT . +The private key must not be password-protected. +The key type depends on the LDAP libraries used. +.Bl -tag -width 4n +.It OpenLDAP: +.Li tls_key /etc/ssl/client_key.pem +.It Netscape-derived: +.Li tls_key /var/ldap/key3.db +.It Tivoli Directory Server: +.Li tls_cert /usr/ldap/ldapkey.kdb +.El +When using Tivoli LDAP libraries, this file may also contain +Certificate Authority and client certificates and may be encrypted. +.It Sy TLS_KEYPW Ar secret +The +.Sy TLS_KEYPW +contains the password used to decrypt the key database on clients +using the Tivoli Directory Server LDAP library. +If no +.Sy TLS_KEYPW +is specified, a +.Em stash file +will be used if it exists. +The +.Em stash file +must have the same path as the file specified by +.Sy TLS_KEY , +but use a +.Li .sth +file extension instead of +.Li .kdb , +e.g.\& +.Li ldapkey.sth . +The default +.Li ldapkey.kdb +that ships with Tivoli Directory Server is encrypted with the password +.Li ssl_password . +This option is only supported by the Tivoli LDAP libraries. +.It Sy TLS_RANDFILE Ar file name +The +.Sy TLS_RANDFILE +parameter specifies the path to an entropy source for systems that lack +a random device. +It is generally used in conjunction with +.Em prngd +or +.Em egd . +This option is only supported by the OpenLDAP libraries. +.It Sy TLS_CIPHERS Ar cipher list +The +.Sy TLS_CIPHERS +parameter allows the administer to restrict which encryption algorithms +may be used for TLS (SSL) connections. +See the OpenLDAP or Tivoli Directory Server manual for a list of valid +ciphers. +This option is not supported by Netscape-derived libraries. +.It Sy USE_SASL Ar on/true/yes/off/false/no +Enable +.Sy USE_SASL +for LDAP servers that support SASL authentication. +.It Sy SASL_AUTH_ID Ar identity +The SASL user name to use when connecting to the LDAP server. +By default, +.Nm sudo +will use an anonymous connection. +.It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no +Enable +.Sy ROOTUSE_SASL +to enable SASL authentication when connecting +to an LDAP server from a privileged process, such as +.Nm sudo . +.It Sy ROOTSASL_AUTH_ID Ar identity +The SASL user name to use when +.Sy ROOTUSE_SASL +is enabled. +.It Sy SASL_SECPROPS Ar none/properties +SASL security properties or +.Em none +for no properties. +See the SASL programmer's manual for details. +.It Sy KRB5_CCNAME Ar file name +The path to the Kerberos 5 credential cache to use when authenticating +with the remote server. +.It Sy DEREF Ar never/searching/finding/always +How alias dereferencing is to be performed when searching. +See the +.Xr ldap.conf @mansectsu@ +manual for a full description of this option. +.El +.Pp +See the +.Pa ldap.conf +entry in the +.Sx EXAMPLES +section. +.Ss Configuring nsswitch.conf +Unless it is disabled at build time, +.Nm sudo +consults the Name Service Switch file, +.Pa @nsswitch_conf@ , +to specify the +.Em sudoers +search order. +Sudo looks for a line beginning with +.Li sudoers : +and uses this to determine the search order. +Note that +.Nm sudo +does +not stop searching after the first match and later matches take +precedence over earlier ones. +The following sources are recognized: +.Pp +.Bl -tag -width 8n -offset 4n -compact +.It files +read sudoers from +.Pa @sysconfdir@/sudoers +.It ldap +read sudoers from LDAP +.El +.Pp +In addition, the entry +.Li [NOTFOUND=return] +will short-circuit the search if the user was not found in the +preceding source. +.Pp +To consult LDAP first followed by the local sudoers file (if it +exists), use: +.Bd -literal -offset 4n +sudoers: ldap files +.Ed +.Pp +The local +.Em sudoers +file can be ignored completely by using: +.Bd -literal -offset 4n +sudoers: ldap +.Ed +.Pp +If the +.Pa @nsswitch_conf@ +file is not present or there is no sudoers line, the following +default is assumed: +.Bd -literal -offset 4n +sudoers: files +.Ed +.Pp +Note that +.Pa @nsswitch_conf@ +is supported even when the underlying operating system does not use +an nsswitch.conf file, except on AIX (see below). +.Ss Configuring netsvc.conf +On AIX systems, the +.Pa @netsvc_conf@ +file is consulted instead of +.Pa @nsswitch_conf@ . +.Nm sudo +simply treats +.Pa netsvc.conf +as a variant of +.Pa nsswitch.conf ; +information in the previous section unrelated to the file format +itself still applies. +.Pp +To consult LDAP first followed by the local sudoers file (if it +exists), use: +.Bd -literal -offset 4n +sudoers = ldap, files +.Ed +.Pp +The local +.Em sudoers +file can be ignored completely by using: +.Bd -literal -offset 4n +sudoers = ldap +.Ed +.Pp +To treat LDAP as authoratative and only use the local sudoers file +if the user is not present in LDAP, use: +.Bd -literal -offset 4n +sudoers = ldap = auth, files +.Ed +.Pp +Note that in the above example, the +.Li auth +qualfier only affects user lookups; both LDAP and +.Em sudoers +will be queried for +.Li Defaults +entries. +.Pp +If the +.Pa @netsvc_conf@ +file is not present or there is no sudoers line, the following +default is assumed: +.Bd -literal -offset 4n +sudoers = files +.Ed +.Sh FILES +.Bl -tag -width 24n +.It Pa @ldap_conf@ +LDAP configuration file +.It Pa @nsswitch_conf@ +determines sudoers source order +.It Pa @netsvc_conf@ +determines sudoers source order on AIX +.El +.Sh EXAMPLES +.Ss Example ldap.conf +.Bd -literal -offset 2n +# Either specify one or more URIs or one or more host:port pairs. +# If neither is specified sudo will default to localhost, port 389. +# +#host ldapserver +#host ldapserver1 ldapserver2:390 +# +# Default port if host is specified without one, defaults to 389. +#port 389 +# +# URI will override the host and port settings. +uri ldap://ldapserver +#uri ldaps://secureldapserver +#uri ldaps://secureldapserver ldap://ldapserver +# +# The amount of time, in seconds, to wait while trying to connect to +# an LDAP server. +bind_timelimit 30 +# +# The amount of time, in seconds, to wait while performing an LDAP query. +timelimit 30 +# +# Must be set or sudo will ignore LDAP; may be specified multiple times. +sudoers_base ou=SUDOers,dc=example,dc=com +# +# verbose sudoers matching from ldap +#sudoers_debug 2 +# +# Enable support for time-based entries in sudoers. +#sudoers_timed yes +# +# optional proxy credentials +#binddn +#bindpw +#rootbinddn +# +# LDAP protocol version, defaults to 3 +#ldap_version 3 +# +# Define if you want to use an encrypted LDAP connection. +# Typically, you must also set the port to 636 (ldaps). +#ssl on +# +# Define if you want to use port 389 and switch to +# encryption before the bind credentials are sent. +# Only supported by LDAP servers that support the start_tls +# extension such as OpenLDAP. +#ssl start_tls +# +# Additional TLS options follow that allow tweaking of the +# SSL/TLS connection. +# +#tls_checkpeer yes # verify server SSL certificate +#tls_checkpeer no # ignore server SSL certificate +# +# If you enable tls_checkpeer, specify either tls_cacertfile +# or tls_cacertdir. Only supported when using OpenLDAP. +# +#tls_cacertfile /etc/certs/trusted_signers.pem +#tls_cacertdir /etc/certs +# +# For systems that don't have /dev/random +# use this along with PRNGD or EGD.pl to seed the +# random number pool to generate cryptographic session keys. +# Only supported when using OpenLDAP. +# +#tls_randfile /etc/egd-pool +# +# You may restrict which ciphers are used. Consult your SSL +# documentation for which options go here. +# Only supported when using OpenLDAP. +# +#tls_ciphers +# +# Sudo can provide a client certificate when communicating to +# the LDAP server. +# Tips: +# * Enable both lines at the same time. +# * Do not password protect the key file. +# * Ensure the keyfile is only readable by root. +# +# For OpenLDAP: +#tls_cert /etc/certs/client_cert.pem +#tls_key /etc/certs/client_key.pem +# +# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either +# a directory, in which case the files in the directory must have the +# default names (e.g. cert8.db and key4.db), or the path to the cert +# and key files themselves. However, a bug in version 5.0 of the LDAP +# SDK will prevent specific file names from working. For this reason +# it is suggested that tls_cert and tls_key be set to a directory, +# not a file name. +# +# The certificate database specified by tls_cert may contain CA certs +# and/or the client's cert. If the client's cert is included, tls_key +# should be specified as well. +# For backward compatibility, "sslpath" may be used in place of tls_cert. +#tls_cert /var/ldap +#tls_key /var/ldap +# +# If using SASL authentication for LDAP (OpenSSL) +# use_sasl yes +# sasl_auth_id +# rootuse_sasl yes +# rootsasl_auth_id +# sasl_secprops none +# krb5_ccname /etc/.ldapcache +.Ed +.Ss Sudo schema for OpenLDAP +The following schema, in OpenLDAP format, is included with +.Nm sudo +source and binary distributions as +.Pa schema.OpenLDAP . +Simply copy +it to the schema directory (e.g.\& +.Pa /etc/openldap/schema ) , +add the proper +.Li include +line in +.Pa slapd.conf +and restart +.Nm slapd . +.Bd -literal -offset 2n +attributetype ( 1.3.6.1.4.1.15953.9.1.1 + NAME 'sudoUser' + DESC 'User(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.2 + NAME 'sudoHost' + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.4 + NAME 'sudoRunAs' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.5 + NAME 'sudoOption' + DESC 'Options(s) followed by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.7 + NAME 'sudoRunAsGroup' + DESC 'Group(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +attributetype ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + +attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + +objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) + ) +.Ed +.Sh SEE ALSO +.Xr ldap.conf @mansectsu@ , +.Xr sudoers @mansectsu@ +.Sh CAVEATS +Note that there are differences in the way that LDAP-based +.Em sudoers +is parsed compared to file-based +.Em sudoers . +See the +.Sx Differences between LDAP and non-LDAP sudoers +section for more information. +.Sh BUGS +If you feel you have found a bug in +.Nm sudo , +please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.Sh SUPPORT +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. +.Sh DISCLAIMER +.Nm sudo +is provided +.Dq AS IS +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +.Nm sudo +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod deleted file mode 100644 index 1c67ca045..000000000 --- a/sudoers.ldap.pod +++ /dev/null @@ -1,871 +0,0 @@ -Copyright (c) 2003-2012 - Todd C. Miller - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -=pod - -=head1 NAME - -sudoers.ldap - sudo LDAP configuration - -=head1 DESCRIPTION - -In addition to the standard I file, B may be configured -via LDAP. This can be especially useful for synchronizing I -in a large, distributed environment. - -Using LDAP for I has several benefits: - -=over 4 - -=item * - -B no longer needs to read I in its entirety. When -LDAP is used, there are only two or three LDAP queries per invocation. -This makes it especially fast and particularly usable in LDAP -environments. - -=item * - -B no longer exits if there is a typo in I. -It is not possible to load LDAP data into the server that does -not conform to the sudoers schema, so proper syntax is guaranteed. -It is still possible to have typos in a user or host name, but -this will not prevent B from running. - -=item * - -It is possible to specify per-entry options that override the global -default options. F<@sysconfdir@/sudoers> only supports default options and -limited options associated with user/host/commands/aliases. The -syntax is complicated and can be difficult for users to understand. -Placing the options directly in the entry is more natural. - -=item * - -The B program is no longer needed. B provides -locking and syntax checking of the F<@sysconfdir@/sudoers> file. -Since LDAP updates are atomic, locking is no longer necessary. -Because syntax is checked when the data is inserted into LDAP, there -is no need for a specialized tool to check syntax. - -=back - -Another major difference between LDAP and file-based I -is that in LDAP, B-specific Aliases are not supported. - -For the most part, there is really no need for B-specific -Aliases. Unix groups or user netgroups can be used in place of -User_Aliases and Runas_Aliases. Host netgroups can be used in place -of Host_Aliases. Since Unix groups and netgroups can also be stored -in LDAP there is no real need for B-specific aliases. - -Cmnd_Aliases are not really required either since it is possible -to have multiple users listed in a C. Instead of defining -a Cmnd_Alias that is referenced by multiple users, one can create -a C that contains the commands and assign multiple users -to it. - -=head2 SUDOers LDAP container - -The I configuration is contained in the C LDAP -container. - -Sudo first looks for the C entry in the SUDOers container. -If found, the multi-valued C attribute is parsed in the -same manner as a global C line in F<@sysconfdir@/sudoers>. In -the following example, the C variable will be preserved -in the environment for all users. - - dn: cn=defaults,ou=SUDOers,dc=example,dc=com - objectClass: top - objectClass: sudoRole - cn: defaults - description: Default sudoOption's go here - sudoOption: env_keep+=SSH_AUTH_SOCK - -The equivalent of a sudoer in LDAP is a C. It consists of -the following attributes: - -=over 4 - -=item B - -A user name, uid (prefixed with C<'#'>), Unix group (prefixed with -a C<'%'>) or user netgroup (prefixed with a C<'+'>). - -=item B - -A host name, IP address, IP network, or host netgroup (prefixed -with a C<'+'>). -The special value C will match any host. - -=item B - -A Unix command with optional command line arguments, potentially -including globbing characters (aka wild cards). -The special value C will match any command. -If a command is prefixed with an exclamation point C<'!'>, the -user will be prohibited from running that command. - -=item B - -Identical in function to the global options described above, but -specific to the C in which it resides. - -=item B - -A user name or uid (prefixed with C<'#'>) that commands may be run -as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed -with a C<'+'>) that contains a list of users that commands may be -run as. -The special value C will match any user. - -The C attribute is only available in B versions -1.7.0 and higher. Older versions of B use the C -attribute instead. - -=item B - -A Unix group or gid (prefixed with C<'#'>) that commands may be run as. -The special value C will match any group. - -The C attribute is only available in B versions -1.7.0 and higher. - -=item B - -A timestamp in the form C that can be used to provide -a start date/time for when the C will be valid. If -multiple C entries are present, the earliest is used. -Note that timestamps must be in Coordinated Universal Time (UTC), -not the local timezone. The minute and seconds portions are optional, -but some LDAP servers require that they be present (contrary to the RFC). - -The C attribute is only available in B versions -1.7.5 and higher and must be explicitly enabled via the B -option in F<@ldap_conf@>. - -=item B - -A timestamp in the form C that indicates an expiration -date/time, after which the C will no longer be valid. If -multiple C entries are present, the last one is used. -Note that timestamps must be in Coordinated Universal Time (UTC), -not the local timezone. The minute and seconds portions are optional, -but some LDAP servers require that they be present (contrary to the RFC). - -The C attribute is only available in B versions -1.7.5 and higher and must be explicitly enabled via the B -option in F<@ldap_conf@>. - -=item B - -The C entries retrieved from the LDAP directory have no -inherent order. The C attribute is an integer (or -floating point value for LDAP servers that support it) that is used -to sort the matching entries. This allows LDAP-based sudoers entries -to more closely mimic the behaviour of the sudoers file, where the -of the entries influences the result. If multiple entries match, -the entry with the highest C attribute is chosen. This -corresponds to the "last match" behavior of the sudoers file. If -the C attribute is not present, a value of 0 is assumed. - -The C attribute is only available in B versions -1.7.5 and higher. - -=back - -Each attribute listed above should contain a single value, but there -may be multiple instances of each attribute type. A C must -contain at least one C, C and C. - -The following example allows users in group wheel to run any command -on any host via B: - - dn: cn=%wheel,ou=SUDOers,dc=example,dc=com - objectClass: top - objectClass: sudoRole - cn: %wheel - sudoUser: %wheel - sudoHost: ALL - sudoCommand: ALL - -=head2 Anatomy of LDAP sudoers lookup - -When looking up a sudoer using LDAP there are only two or three -LDAP queries per invocation. The first query is to parse the global -options. The second is to match against the user's name and the -groups that the user belongs to. (The special ALL tag is matched -in this query too.) If no match is returned for the user's name -and groups, a third query returns all entries containing user -netgroups and checks to see if the user belongs to any of them. - -If timed entries are enabled with the B configuration -directive, the LDAP queries include a subfilter that limits retrieval -to entries that satisfy the time constraints, if any. - -=head2 Differences between LDAP and non-LDAP sudoers - -There are some subtle differences in the way sudoers is handled -once in LDAP. Probably the biggest is that according to the RFC, -LDAP ordering is arbitrary and you cannot expect that Attributes -and Entries are returned in any specific order. - -The order in which different entries are applied can be controlled -using the C attribute, but there is no way to guarantee -the order of attributes within a specific entry. If there are -conflicting command rules in an entry, the negative takes precedence. -This is called paranoid behavior (not necessarily the most specific -match). - -Here is an example: - - # /etc/sudoers: - # Allow all commands except shell - johnny ALL=(root) ALL,!/bin/sh - # Always allows all commands because ALL is matched last - puddles ALL=(root) !/bin/sh,ALL - - # LDAP equivalent of johnny - # Allows all commands except shell - dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role1 - sudoUser: johnny - sudoHost: ALL - sudoCommand: ALL - sudoCommand: !/bin/sh - - # LDAP equivalent of puddles - # Notice that even though ALL comes last, it still behaves like - # role1 since the LDAP code assumes the more paranoid configuration - dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com - objectClass: sudoRole - objectClass: top - cn: role2 - sudoUser: puddles - sudoHost: ALL - sudoCommand: !/bin/sh - sudoCommand: ALL - -Another difference is that negations on the Host, User or Runas are -currently ignored. For example, the following attributes do not -behave the way one might expect. - - # does not match all but joe - # rather, does not match anyone - sudoUser: !joe - - # does not match all but joe - # rather, matches everyone including Joe - sudoUser: ALL - sudoUser: !joe - - # does not match all but web01 - # rather, matches all hosts including web01 - sudoHost: ALL - sudoHost: !web01 - -=head2 Sudoers Schema - -In order to use B's LDAP support, the B schema must be -installed on your LDAP server. In addition, be sure to index the -'sudoUser' attribute. - -Three versions of the schema: one for OpenLDAP servers (F), -one for Netscape-derived servers (F), and one for -Microsoft Active Directory (F) may -be found in the B distribution. - -The schema for B in OpenLDAP form is included in the L -section. - -=head2 Configuring ldap.conf - -Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration. -Typically, this file is shared amongst different LDAP-aware clients. -As such, most of the settings are not B-specific. Note that -B parses F<@ldap_conf@> itself and may support options that -differ from those described in the system's L manual. - -Also note that on systems using the OpenLDAP libraries, default -values specified in F or the user's -F<.ldaprc> files are not used. - -Only those options explicitly listed in F<@ldap_conf@> as being -supported by B are honored. Configuration options are listed -below in upper case but are parsed in a case-independent manner. - -=over 4 - -=item B ldap[s]://[hostname[:port]] ... - -Specifies a whitespace-delimited list of one or more URIs describing -the LDAP server(s) to connect to. The I may be either -B or B, the latter being for servers that support TLS -(SSL) encryption. If no I is specified, the default is port -389 for C or port 636 for C. If no I -is specified, B will connect to B. Multiple B -lines are treated identically to a B line containing multiple -entries. Only systems using the OpenSSL libraries support the -mixing of C and C URIs. Both the Netscape-derived -and Tivoli LDAP libraries used on most commercial versions of Unix -are only capable of supporting one or the other. - -=item B name[:port] ... - -If no B is specified, the B parameter specifies a -whitespace-delimited list of LDAP servers to connect to. Each host -may include an optional I separated by a colon (':'). The -B parameter is deprecated in favor of the B specification -and is included for backwards compatibility. - -=item B port_number - -If no B is specified, the B parameter specifies the -default port to connect to on the LDAP server if a B parameter -does not specify the port itself. If no B parameter is used, -the default is port 389 for LDAP and port 636 for LDAP over TLS -(SSL). The B parameter is deprecated in favor of the B -specification and is included for backwards compatibility. - -=item B seconds - -The B parameter specifies the amount of time, in seconds, -to wait while trying to connect to an LDAP server. If multiple Bs or -Bs are specified, this is the amount of time to wait before trying -the next one in the list. - -=item B seconds - -An alias for B for OpenLDAP compatibility. - -=item B seconds - -The B parameter specifies the amount of time, in seconds, -to wait for a response to an LDAP query. - -=item B seconds - -The B parameter specifies the amount of time, in seconds, -to wait for a response from the various LDAP APIs. - -=item B base - -The base DN to use when performing B LDAP queries. Typically -this is of the form C for the domain -C. Multiple B lines may be specified, -in which case they are queried in the order specified. - -=item B ldap_filter - -An LDAP filter which is used to restrict the set of records returned -when performing a B LDAP query. Typically, this is of the -form C or C<(&(attribute=value)(attribute2=value2))>. - -=item B on/true/yes/off/false/no - -Whether or not to evaluate the C and C -attributes that implement time-dependent sudoers entries. - -=item B debug_level - -This sets the debug level for B LDAP queries. Debugging -information is printed to the standard error. A value of 1 results -in a moderate amount of debugging information. A value of 2 shows -the results of the matches themselves. This parameter should not -be set in a production environment as the extra information is -likely to confuse users. - -=item B DN - -The B parameter specifies the identity, in the form of a -Distinguished Name (DN), to use when performing LDAP operations. -If not specified, LDAP operations are performed with an anonymous -identity. By default, most LDAP servers will allow anonymous access. - -=item B secret - -The B parameter specifies the password to use when performing -LDAP operations. This is typically used in conjunction with the -B parameter. - -=item B DN - -The B parameter specifies the identity, in the form of -a Distinguished Name (DN), to use when performing privileged LDAP -operations, such as I queries. The password corresponding -to the identity should be stored in F<@ldap_secret@>. -If not specified, the B identity is used (if any). - -=item B number - -The version of the LDAP protocol to use when connecting to the server. -The default value is protocol version 3. - -=item B on/true/yes/off/false/no - -If the B parameter is set to C, C or C, TLS -(SSL) encryption is always used when communicating with the LDAP -server. Typically, this involves connecting to the server on port -636 (ldaps). - -=item B start_tls - -If the B parameter is set to C, the LDAP server -connection is initiated normally and TLS encryption is begun before -the bind credentials are sent. This has the advantage of not -requiring a dedicated port for encrypted communications. This -parameter is only supported by LDAP servers that honor the C -extension, such as the OpenLDAP server. - -=item B on/true/yes/off/false/no - -If enabled, B will cause the LDAP server's TLS -certificated to be verified. If the server's TLS certificate cannot -be verified (usually because it is signed by an unknown certificate -authority), B will be unable to connect to it. If B -is disabled, no check is made. Note that disabling the check creates -an opportunity for man-in-the-middle attacks since the server's -identity will not be authenticated. If possible, the CA's certificate -should be installed locally so it can be verified. This option is -not supported by the Tivoli Directory Server LDAP libraries. - -=item B file name - -An alias for B for OpenLDAP compatibility. - -=item B file name - -The path to a certificate authority bundle which contains the certificates -for all the Certificate Authorities the client knows to be valid, -e.g. F. -This option is only supported by the OpenLDAP libraries. -Netscape-derived LDAP libraries use the same certificate -database for CA and client certificates (see B). - -=item B directory - -Similar to B but instead of a file, it is a -directory containing individual Certificate Authority certificates, -e.g. F. -The directory specified by B is checked after -B. -This option is only supported by the OpenLDAP libraries. - -=item B file name - -The path to a file containing the client certificate which can -be used to authenticate the client to the LDAP server. -The certificate type depends on the LDAP libraries used. - -OpenLDAP: - C - -Netscape-derived: - C - -Tivoli Directory Server: - Unused, the key database specified by B contains both - keys and certificates. - -When using Netscape-derived libraries, this file may also contain -Certificate Authority certificates. - -=item B file name - -The path to a file containing the private key which matches the -certificate specified by B. The private key must not be -password-protected. The key type depends on the LDAP libraries -used. - -OpenLDAP: - C - -Netscape-derived: - C - -Tivoli Directory Server: - C - -When using Tivoli LDAP libraries, this file may also contain -Certificate Authority and client certificates and may be encrypted. - -=item B secret - -The B contains the password used to decrypt the key -database on clients using the Tivoli Directory Server LDAP library. -If no B is specified, a I will be used if -it exists. The I must have the same path as the file -specified by B, but use a C<.sth> file extension instead -of C<.kdb>, e.g. C. The default C that -ships with Tivoli Directory Server is encrypted with the password -C. This option is only supported by the Tivoli LDAP -libraries. - -=item B file name - -The B parameter specifies the path to an entropy -source for systems that lack a random device. It is generally used -in conjunction with I or I. -This option is only supported by the OpenLDAP libraries. - -=item B cipher list - -The B parameter allows the administer to restrict which -encryption algorithms may be used for TLS (SSL) connections. See -the OpenLDAP or Tivoli Directory Server manual for a list of valid -ciphers. This option is not supported by Netscape-derived libraries. - -=item B on/true/yes/off/false/no - -Enable B for LDAP servers that support SASL authentication. - -=item B identity - -The SASL user name to use when connecting to the LDAP server. -By default, B will use an anonymous connection. - -=item B on/true/yes/off/false/no - -Enable B to enable SASL authentication when connecting -to an LDAP server from a privileged process, such as B. - -=item B identity - -The SASL user name to use when B is enabled. - -=item B none/properties - -SASL security properties or I for no properties. See the -SASL programmer's manual for details. - -=item B file name - -The path to the Kerberos 5 credential cache to use when authenticating -with the remote server. - -=item B never/searching/finding/always - -How alias dereferencing is to be performed when searching. See the -L manual for a full description of this option. - -=back - -See the C entry in the L section. - -=head2 Configuring nsswitch.conf - -Unless it is disabled at build time, B consults the Name -Service Switch file, F<@nsswitch_conf@>, to specify the I -search order. Sudo looks for a line beginning with C: and -uses this to determine the search order. Note that B does -not stop searching after the first match and later matches take -precedence over earlier ones. - -The following sources are recognized: - - files read sudoers from F<@sysconfdir@/sudoers> - ldap read sudoers from LDAP - -In addition, the entry C<[NOTFOUND=return]> will short-circuit the -search if the user was not found in the preceding source. - -To consult LDAP first followed by the local sudoers file (if it -exists), use: - - sudoers: ldap files - -The local I file can be ignored completely by using: - - sudoers: ldap - -If the F<@nsswitch_conf@> file is not present or there is no -sudoers line, the following default is assumed: - - sudoers: files - -Note that F<@nsswitch_conf@> is supported even when the underlying -operating system does not use an nsswitch.conf file, except on AIX (see below). - -=head2 Configuring netsvc.conf - -On AIX systems, the F<@netsvc_conf@> file is consulted instead of -F<@nsswitch_conf@>. B simply treats I as a -variant of I; information in the previous section -unrelated to the file format itself still applies. - -To consult LDAP first followed by the local sudoers file (if it -exists), use: - - sudoers = ldap, files - -The local I file can be ignored completely by using: - - sudoers = ldap - -To treat LDAP as authoratative and only use the local sudoers file -if the user is not present in LDAP, use: - - sudoers = ldap = auth, files - -Note that in the above example, the C qualfier only affects -user lookups; both LDAP and I will be queried for C -entries. - -If the F<@netsvc_conf@> file is not present or there is no -sudoers line, the following default is assumed: - - sudoers = files - -=head1 FILES - -=over 24 - -=item F<@ldap_conf@> - -LDAP configuration file - -=item F<@nsswitch_conf@> - -determines sudoers source order - -=item F<@netsvc_conf@> - -determines sudoers source order on AIX - -=back - -=head1 EXAMPLES - -=head2 Example ldap.conf - - # Either specify one or more URIs or one or more host:port pairs. - # If neither is specified sudo will default to localhost, port 389. - # - #host ldapserver - #host ldapserver1 ldapserver2:390 - # - # Default port if host is specified without one, defaults to 389. - #port 389 - # - # URI will override the host and port settings. - uri ldap://ldapserver - #uri ldaps://secureldapserver - #uri ldaps://secureldapserver ldap://ldapserver - # - # The amount of time, in seconds, to wait while trying to connect to - # an LDAP server. - bind_timelimit 30 - # - # The amount of time, in seconds, to wait while performing an LDAP query. - timelimit 30 - # - # Must be set or sudo will ignore LDAP; may be specified multiple times. - sudoers_base ou=SUDOers,dc=example,dc=com - # - # verbose sudoers matching from ldap - #sudoers_debug 2 - # - # Enable support for time-based entries in sudoers. - #sudoers_timed yes - # - # optional proxy credentials - #binddn - #bindpw - #rootbinddn - # - # LDAP protocol version, defaults to 3 - #ldap_version 3 - # - # Define if you want to use an encrypted LDAP connection. - # Typically, you must also set the port to 636 (ldaps). - #ssl on - # - # Define if you want to use port 389 and switch to - # encryption before the bind credentials are sent. - # Only supported by LDAP servers that support the start_tls - # extension such as OpenLDAP. - #ssl start_tls - # - # Additional TLS options follow that allow tweaking of the - # SSL/TLS connection. - # - #tls_checkpeer yes # verify server SSL certificate - #tls_checkpeer no # ignore server SSL certificate - # - # If you enable tls_checkpeer, specify either tls_cacertfile - # or tls_cacertdir. Only supported when using OpenLDAP. - # - #tls_cacertfile /etc/certs/trusted_signers.pem - #tls_cacertdir /etc/certs - # - # For systems that don't have /dev/random - # use this along with PRNGD or EGD.pl to seed the - # random number pool to generate cryptographic session keys. - # Only supported when using OpenLDAP. - # - #tls_randfile /etc/egd-pool - # - # You may restrict which ciphers are used. Consult your SSL - # documentation for which options go here. - # Only supported when using OpenLDAP. - # - #tls_ciphers - # - # Sudo can provide a client certificate when communicating to - # the LDAP server. - # Tips: - # * Enable both lines at the same time. - # * Do not password protect the key file. - # * Ensure the keyfile is only readable by root. - # - # For OpenLDAP: - #tls_cert /etc/certs/client_cert.pem - #tls_key /etc/certs/client_key.pem - # - # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either - # a directory, in which case the files in the directory must have the - # default names (e.g. cert8.db and key4.db), or the path to the cert - # and key files themselves. However, a bug in version 5.0 of the LDAP - # SDK will prevent specific file names from working. For this reason - # it is suggested that tls_cert and tls_key be set to a directory, - # not a file name. - # - # The certificate database specified by tls_cert may contain CA certs - # and/or the client's cert. If the client's cert is included, tls_key - # should be specified as well. - # For backward compatibility, "sslpath" may be used in place of tls_cert. - #tls_cert /var/ldap - #tls_key /var/ldap - # - # If using SASL authentication for LDAP (OpenSSL) - # use_sasl yes - # sasl_auth_id - # rootuse_sasl yes - # rootsasl_auth_id - # sasl_secprops none - # krb5_ccname /etc/.ldapcache - -=head2 Sudo schema for OpenLDAP - -The following schema, in OpenLDAP format, is included with B -source and binary distributions as F. Simply copy -it to the schema directory (e.g. F), add the -proper C line in C and restart B. - - attributetype ( 1.3.6.1.4.1.15953.9.1.1 - NAME 'sudoUser' - DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.2 - NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.4 - NAME 'sudoRunAs' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - NAME 'sudoOption' - DESC 'Options(s) followed by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.7 - NAME 'sudoRunAsGroup' - DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.8 - NAME 'sudoNotBefore' - DESC 'Start of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.9 - NAME 'sudoNotAfter' - DESC 'End of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) - - attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 - NAME 'sudoOrder' - DESC 'an integer to order the sudoRole entries' - EQUALITY integerMatch - ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) - - objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ - sudoOrder $ description ) - ) - -=head1 SEE ALSO - -L, L - -=head1 CAVEATS - -Note that there are differences in the way that LDAP-based I -is parsed compared to file-based I. See the L section for more information. - -=head1 BUGS - -If you feel you have found a bug in B, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ - -=head1 SUPPORT - -Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or -search the archives. - -=head1 DISCLAIMER - -B is provided ``AS IS'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the LICENSE -file distributed with B or http://www.sudo.ws/sudo/license.html -for complete details. diff --git a/sudoers.man.in b/sudoers.man.in index 0e24d6952..22ad5a043 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -1,10 +1,13 @@ -.\" Copyright (c) 1994-1996, 1998-2005, 2007-2011 -.\" Todd C. Miller -.\" +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in +.\" +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012 +.\" Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -13,151 +16,21 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" Sponsored in part by the Defense Advanced Research Projects .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. -.\" -.nr SL @SEMAN@ -.nr BA @BAMAN@ -.nr LC @LCMAN@ -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' .\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l +.TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh +.if n .ad l .SH "NAME" -sudoers \- list of which users may execute what +\fBsudoers\fR +\- list of which users may execute what .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fIsudoers\fR file is composed of two types of entries: aliases +The +\fIsudoers\fR +file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). .PP @@ -165,1665 +38,3229 @@ When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match). .PP -The \fIsudoers\fR grammar will be described below in Extended Backus-Naur -Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is -fairly simple, and the definitions below are annotated. -.SS "Quick guide to \s-1EBNF\s0" -.IX Subsection "Quick guide to EBNF" -\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. -Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g., -.PP -.Vb 1 -\& symbol ::= definition | alternate1 | alternate2 ... -.Ve -.PP -Each \fIproduction rule\fR references others and thus makes up a -grammar for the language. \s-1EBNF\s0 also contains the following +The +\fIsudoers\fR +grammar will be described below in Extended Backus-Naur +Form (EBNF). +Don't despair if you are unfamiliar with EBNF; it is fairly simple, +and the definitions below are annotated. +.SS "Quick guide to EBNF" +EBNF is a concise and exact way of describing the grammar of a language. +Each EBNF definition is made up of +\fIproduction rules\fR. +E.g., +.PP +\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR +.PP +Each +\fIproduction rule\fR +references others and thus makes up a +grammar for the language. +EBNF also contains the following operators, which many readers will recognize from regular -expressions. Do not, however, confuse them with \*(L"wildcard\*(R" +expressions. +Do not, however, confuse them with +``wildcard'' characters, which have different meanings. -.ie n .IP "\*(C`?\*(C'" 4 -.el .IP "\f(CW\*(C`?\*(C'\fR" 4 -.IX Item "?" +.TP 6n +\fR\&?\fR Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. -.ie n .IP "\*(C`*\*(C'" 4 -.el .IP "\f(CW\*(C`*\*(C'\fR" 4 -.IX Item "*" +.TP 6n +\fR*\fR Means that the preceding symbol (or group of symbols) may appear zero or more times. -.ie n .IP "\*(C`+\*(C'" 4 -.el .IP "\f(CW\*(C`+\*(C'\fR" 4 -.IX Item "+" +.TP 6n +\fR+\fR Means that the preceding symbol (or group of symbols) may appear one or more times. .PP -Parentheses may be used to group symbols together. For clarity, -we will use single quotes ('') to designate what is a verbatim character -string (as opposed to a symbol name). +Parentheses may be used to group symbols together. +For clarity, +we will use single quotes +('') +to designate what is a verbatim character string (as opposed to a symbol name). .SS "Aliases" -.IX Subsection "Aliases" -There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, -\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR. -.PP -.Vb 4 -\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* | -\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* | -\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* | -\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)* -\& -\& User_Alias ::= NAME \*(Aq=\*(Aq User_List -\& -\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List -\& -\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List -\& -\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List -\& -\& NAME ::= [A\-Z]([A\-Z][0\-9]_)* -.Ve -.PP -Each \fIalias\fR definition is of the form -.PP -.Vb 1 -\& Alias_Type NAME = item1, item2, ... -.Ve -.PP -where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR, -or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers, -and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an -uppercase letter. It is possible to put several alias definitions -of the same type on a single line, joined by a colon (':'). E.g., -.PP -.Vb 1 -\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 -.Ve -.PP -The definitions of what constitutes a valid \fIalias\fR member follow. -.PP -.Vb 2 -\& User_List ::= User | -\& User \*(Aq,\*(Aq User_List -\& -\& User ::= \*(Aq!\*(Aq* user name | -\& \*(Aq!\*(Aq* #uid | -\& \*(Aq!\*(Aq* %group | -\& \*(Aq!\*(Aq* %#gid | -\& \*(Aq!\*(Aq* +netgroup | -\& \*(Aq!\*(Aq* %:nonunix_group | -\& \*(Aq!\*(Aq* %:#nonunix_gid | -\& \*(Aq!\*(Aq* User_Alias -.Ve -.PP -A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids -(prefixed with '#'), system group names and ids (prefixed with '%' -and '%#' respectively), netgroups (prefixed with '+'), non-Unix -group names and IDs (prefixed with '%:' and '%:#' respectively) and -\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more -\&'!' operators. An odd number of '!' operators negate the value of +There are four kinds of aliases: +\fRUser_Alias\fR, +\fRRunas_Alias\fR, +\fRHost_Alias\fR +and +\fRCmnd_Alias\fR. +.nf +.sp +.RS 0n +Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + +User_Alias ::= NAME '=' User_List + +Runas_Alias ::= NAME '=' Runas_List + +Host_Alias ::= NAME '=' Host_List + +Cmnd_Alias ::= NAME '=' Cmnd_List + +NAME ::= [A-Z]([A-Z][0-9]_)* +.RE +.fi +.PP +Each +\fIalias\fR +definition is of the form +.nf +.sp +.RS 0n +Alias_Type NAME = item1, item2, ... +.RE +.fi +.PP +where +\fIAlias_Type\fR +is one of +\fRUser_Alias\fR, +\fRRunas_Alias\fR, +\fRHost_Alias\fR, +or +\fRCmnd_Alias\fR. +A +\fRNAME\fR +is a string of uppercase letters, numbers, +and underscore characters +(`_'). +A +\fRNAME\fR +\fBmust\fR +start with an +uppercase letter. +It is possible to put several alias definitions +of the same type on a single line, joined by a colon +(`:\&'). +E.g., +.nf +.sp +.RS 0n +Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 +.RE +.fi +.PP +The definitions of what constitutes a valid +\fIalias\fR +member follow. +.nf +.sp +.RS 0n +User_List ::= User | + User ',' User_List + +User ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* +netgroup | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* User_Alias +.RE +.fi +.PP +A +\fRUser_List\fR +is made up of one or more user names, user ids +(prefixed with +`#'), +system group names and ids (prefixed with +`%' +and +`%#' +respectively), netgroups (prefixed with +`+'), +non-Unix group names and IDs (prefixed with +`%:' +and +`%:#' +respectively) and +\fRUser_Alias\fRes. +Each list item may be prefixed with zero or more +`\&!' +operators. +An odd number of +`\&!' +operators negate the value of the item; an even number just cancel each other out. .PP -A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR -or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the -need for escaping special characters. Alternately, special characters -may be specified in escaped hex mode, e.g. \ex20 for space. When +A +\fRuser name\fR, +\fRuid\fR, +\fRgroup\fR, +\fRgid\fR, +\fRnetgroup\fR, +\fRnonunix_group\fR +or +\fRnonunix_gid\fR +may be enclosed in double quotes to avoid the +need for escaping special characters. +Alternately, special characters +may be specified in escaped hex mode, e.g.\& \ex20 for space. +When using double quotes, any prefix characters must be included inside the quotes. .PP -The \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on the -underlying implementation. For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports -the following formats: -.IP "\(bu" 4 -Group in the same domain: \*(L"%:Group Name\*(R" -.IP "\(bu" 4 -Group in any domain: \*(L"%:Group Name@FULLY.QUALIFIED.DOMAIN\*(R" -.IP "\(bu" 4 -Group \s-1SID:\s0 \*(L"%:S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R" -.PP -Note that quotes around group names are optional. Unquoted strings -must use a backslash (\e) to escape spaces and special characters. -See \*(L"Other special characters and reserved words\*(R" for a list of +The actual +\fRnonunix_group\fR +and +\fRnonunix_gid\fR +syntax depends on +the underlying implementation. +For instance, the QAS AD backend supports the following formats: +.TP 6n +\fBo\fR +Group in the same domain: "%:Group Name" +.TP 6n +\fBo\fR +Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" +.TP 6n +\fBo\fR +Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" +.PP +Note that quotes around group names are optional. +Unquoted strings must use a backslash +(`\e') +to escape spaces and special characters. +See +\fIOther special characters and reserved words\fR +for a list of characters that need to be escaped. +.nf +.sp +.RS 0n +Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List + +Runas_Member ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* +netgroup | + '!'* Runas_Alias +.RE +.fi .PP -.Vb 2 -\& Runas_List ::= Runas_Member | -\& Runas_Member \*(Aq,\*(Aq Runas_List -\& -\& Runas_Member ::= \*(Aq!\*(Aq* user name | -\& \*(Aq!\*(Aq* #uid | -\& \*(Aq!\*(Aq* %group | -\& \*(Aq!\*(Aq* %#gid | -\& \*(Aq!\*(Aq* %:nonunix_group | -\& \*(Aq!\*(Aq* %:#nonunix_gid | -\& \*(Aq!\*(Aq* +netgroup | -\& \*(Aq!\*(Aq* Runas_Alias -.Ve -.PP -A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead -of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that -user names and groups are matched as strings. In other words, two +A +\fRRunas_List\fR +is similar to a +\fRUser_List\fR +except that instead +of +\fRUser_Alias\fRes +it can contain +\fRRunas_Alias\fRes. +Note that +user names and groups are matched as strings. +In other words, two users (groups) with the same uid (gid) are considered to be distinct. -If you wish to match all user names with the same uid (e.g.\ root -and toor), you can use a uid instead (#0 in the example given). -.PP -.Vb 2 -\& Host_List ::= Host | -\& Host \*(Aq,\*(Aq Host_List -\& -\& Host ::= \*(Aq!\*(Aq* host name | -\& \*(Aq!\*(Aq* ip_addr | -\& \*(Aq!\*(Aq* network(/netmask)? | -\& \*(Aq!\*(Aq* +netgroup | -\& \*(Aq!\*(Aq* Host_Alias -.Ve -.PP -A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses, -network numbers, netgroups (prefixed with '+') and other aliases. -Again, the value of an item may be negated with the '!' operator. +If you wish to match all user names with the same uid (e.g.\& +root and toor), you can use a uid instead (#0 in the example given). +.nf +.sp +.RS 0n +Host_List ::= Host | + Host ',' Host_List + +Host ::= '!'* host name | + '!'* ip_addr | + '!'* network(/netmask)? | + '!'* +netgroup | + '!'* Host_Alias +.RE +.fi +.PP +A +\fRHost_List\fR +is made up of one or more host names, IP addresses, +network numbers, netgroups (prefixed with +`+') +and other aliases. +Again, the value of an item may be negated with the +`\&!' +operator. If you do not specify a netmask along with the network number, -\&\fBsudo\fR will query each of the local host's network interfaces and, +\fBsudo\fR +will query each of the local host's network interfaces and, if the network number corresponds to one of the hosts's network -interfaces, the corresponding netmask will be used. The netmask -may be specified either in standard \s-1IP\s0 address notation -(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::), -or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may -include shell-style wildcards (see the Wildcards section below), -but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully -qualified host name, you'll need to use the \fIfqdn\fR option for -wildcards to be useful. Note \fBsudo\fR only inspects actual network -interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will -never match. Also, the host name \*(L"localhost\*(R" will only match if -that is the actual host name, which is usually only the case for -non-networked systems. -.PP -.Vb 2 -\& Cmnd_List ::= Cmnd | -\& Cmnd \*(Aq,\*(Aq Cmnd_List -\& -\& commandname ::= file name | -\& file name args | -\& file name \*(Aq""\*(Aq -\& -\& Cmnd ::= \*(Aq!\*(Aq* commandname | -\& \*(Aq!\*(Aq* directory | -\& \*(Aq!\*(Aq* "sudoedit" | -\& \*(Aq!\*(Aq* Cmnd_Alias -.Ve -.PP -A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other -aliases. A commandname is a fully qualified file name which may include -shell-style wildcards (see the Wildcards section below). A simple -file name allows the user to run the command with any arguments he/she -wishes. However, you may also specify command line arguments (including -wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command -may only be run \fBwithout\fR command line arguments. A directory is a -fully qualified path name ending in a '/'. When you specify a directory -in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory -(but not in any subdirectories therein). -.PP -If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments -in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line -(or match the wildcards if there are any). Note that the following -characters must be escaped with a '\e' if they are used in command -arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR -is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or -as \fBsudoedit\fR). It may take command line arguments just as -a normal command does. +interfaces, the corresponding netmask will be used. +The netmask +may be specified either in standard IP address notation +(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), +or CIDR notation (number of bits, e.g.\& 24 or 64). +A host name may include shell-style wildcards (see the +\fIWildcards\fR +section below), +but unless the +\fRhost name\fR +command on your machine returns the fully +qualified host name, you'll need to use the +\fIfqdn\fR +option for wildcards to be useful. +Note that +\fBsudo\fR +only inspects actual network interfaces; this means that IP address +127.0.0.1 (localhost) will never match. +Also, the host name +``localhost'' +will only match if that is the actual host name, which is usually +only the case for non-networked systems. +.nf +.sp +.RS 0n +Cmnd_List ::= Cmnd | + Cmnd ',' Cmnd_List + +command name ::= file name | + file name args | + file name '""' + +Cmnd ::= '!'* command name | + '!'* directory | + '!'* "sudoedit" | + '!'* Cmnd_Alias +.RE +.fi +.PP +A +\fRCmnd_List\fR +is a list of one or more command names, directories, and other aliases. +A command name is a fully qualified file name which may include +shell-style wildcards (see the +\fIWildcards\fR +section below). +A simple file name allows the user to run the command with any +arguments he/she wishes. +However, you may also specify command line arguments (including +wildcards). +Alternately, you can specify +\fR\&""\fR +to indicate that the command +may only be run +\fBwithout\fR +command line arguments. +A directory is a +fully qualified path name ending in a +`/'. +When you specify a directory in a +\fRCmnd_List\fR, +the user will be able to run any file within that directory +(but not in any sub-directories therein). +.PP +If a +\fRCmnd\fR +has associated command line arguments, then the arguments +in the +\fRCmnd\fR +must match exactly those given by the user on the command line +(or match the wildcards if there are any). +Note that the following characters must be escaped with a +`\e' +if they are used in command arguments: +`,\&', +`:\&', +`=\&', +`\e'. +The special command +``\fRsudoedit\fR'' +is used to permit a user to run +\fBsudo\fR +with the +\fB\-e\fR +option (or as +\fBsudoedit\fR). +It may take command line arguments just as a normal command does. .SS "Defaults" -.IX Subsection "Defaults" Certain configuration options may be changed from their default -values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These -may affect all users on any host, all users on a specific host, a +values at run-time via one or more +\fRDefault_Entry\fR +lines. +These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. -If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference +If you need to specify arguments, define a +\fRCmnd_Alias\fR +and reference that instead. +.nf +.sp +.RS 0n +Default_Type ::= 'Defaults' | + 'Defaults' '@' Host_List | + 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | + 'Defaults' '>' Runas_List + +Default_Entry ::= Default_Type Parameter_List + +Parameter_List ::= Parameter | + Parameter ',' Parameter_List + +Parameter ::= Parameter '=' Value | + Parameter '+=' Value | + Parameter '-=' Value | + '!'* Parameter +.RE +.fi .PP -.Vb 5 -\& Default_Type ::= \*(AqDefaults\*(Aq | -\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List | -\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List | -\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List | -\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List -\& -\& Default_Entry ::= Default_Type Parameter_List -\& -\& Parameter_List ::= Parameter | -\& Parameter \*(Aq,\*(Aq Parameter_List -\& -\& Parameter ::= Parameter \*(Aq=\*(Aq Value | -\& Parameter \*(Aq+=\*(Aq Value | -\& Parameter \*(Aq\-=\*(Aq Value | -\& \*(Aq!\*(Aq* Parameter -.Ve -.PP -Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR. -Flags are implicitly boolean and can be turned off via the '!' -operator. Some integer, string and list parameters may also be -used in a boolean context to disable them. Values may be enclosed -in double quotes (\f(CW""\fR) when they contain multiple words. Special -characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR). -.PP -Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR. +Parameters may be +\fBflags\fR, +\fBinteger\fR +values, +\fBstrings\fR, +or +\fBlists\fR. +Flags are implicitly boolean and can be turned off via the +`\&!' +operator. +Some integer, string and list parameters may also be +used in a boolean context to disable them. +Values may be enclosed +in double quotes +(\&"") +when they contain multiple words. +Special characters may be escaped with a backslash +(`\e'). +.PP +Lists have two additional assignment operators, +\fR+=\fR +and +\fR-=\fR. These operators are used to add to and delete from a list respectively. -It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element +It is not an error to use the +\fR-=\fR +operator to remove an element that does not exist in a list. .PP Defaults entries are parsed in the following order: generic, host and user Defaults first, then runas Defaults and finally command defaults. .PP -See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters. +See +\fISUDOERS OPTIONS\fR +for a list of supported Defaults parameters. .SS "User Specification" -.IX Subsection "User Specification" -.Vb 2 -\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e -\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)* -\& -\& Cmnd_Spec_List ::= Cmnd_Spec | -\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List -\& -.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd -.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd -\& -\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq -\& -.if \n(SL \{\ -\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq) -\& -\} -\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq | -\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq | -\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq) -.Ve -.PP -A \fBuser specification\fR determines which commands a user may run -(and as what user) on specified hosts. By default, commands are -run as \fBroot\fR, but this can be changed on a per-command basis. -.PP -The basic structure of a user specification is `who where = (as_whom) -what'. Let's break that down into its constituent parts: +.nf +.RS 0n +User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e + (':' Host_List '=' Cmnd_Spec_List)* + +Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + +Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd + +Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + +SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + +Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') + +Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') +.RE +.fi +.PP +A +\fBuser specification\fR +determines which commands a user may run +(and as what user) on specified hosts. +By default, commands are +run as +\fBroot\fR, +but this can be changed on a per-command basis. +.PP +The basic structure of a user specification is +``who where = (as_whom) what''. +Let's break that down into its constituent parts: .SS "Runas_Spec" -.IX Subsection "Runas_Spec" -A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command -may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two -\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and -enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates -which users the command may be run as via \fBsudo\fR's \fB\-u\fR option. +A +\fRRunas_Spec\fR +determines the user and/or the group that a command +may be run as. +A fully-specified +\fRRunas_Spec\fR +consists of two +\fRRunas_List\fRs +(as defined above) separated by a colon +(`:\&') +and enclosed in a set of parentheses. +The first +\fRRunas_List\fR +indicates +which users the command may be run as via +\fBsudo\fR's +\fB\-u\fR +option. The second defines a list of groups that can be specified via -\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the -command may be run with any combination of users and groups listed -in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified, -the command may be run as any user in the list but no \fB\-g\fR option -may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the +\fBsudo\fR's +\fB\-g\fR +option. +If both +\fRRunas_List\fRs +are specified, the command may be run with any combination of users +and groups listed in their respective +\fRRunas_List\fRs. +If only the first is specified, the command may be run as any user +in the list but no +\fB\-g\fR +option +may be specified. +If the first +\fRRunas_List\fR +is empty but the second is specified, the command may be run as the invoking user -with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no -\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and +with the group set to any listed in the +\fRRunas_List\fR. +If no +\fRRunas_Spec\fR +is specified the command may be run as +\fBroot\fR +and no group may be specified. .PP -A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it. +A +\fRRunas_Spec\fR +sets the default for the commands that follow it. What this means is that for the entry: +.nf +.sp +.RS 0n +dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm +.RE +.fi .PP -.Vb 1 -\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm -.Ve -.PP -The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and -\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g., -.PP -.Vb 1 -\& $ sudo \-u operator /bin/ls -.Ve -.PP -It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an -entry. If we modify the entry like so: -.PP -.Vb 1 -\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm -.Ve -.PP -Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, -but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. +The user +\fBdgb\fR +may run +\fI/bin/ls\fR, +\fI/bin/kill\fR, +and +\fI/usr/bin/lprm\fR\(embut +only as +\fBoperator\fR. +E.g., +.nf +.sp +.RS 0n +$ sudo -u operator /bin/ls +.RE +.fi .PP -We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either -the user or group set to \fBoperator\fR: +It is also possible to override a +\fRRunas_Spec\fR +later on in an entry. +If we modify the entry like so: +.nf +.sp +.RS 0n +dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm +.RE +.fi .PP -.Vb 2 -\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e -\& /usr/bin/lprm -.Ve +Then user +\fBdgb\fR +is now allowed to run +\fI/bin/ls\fR +as +\fBoperator\fR, +but +\fI/bin/kill\fR +and +\fI/usr/bin/lprm\fR +as +\fBroot\fR. +.PP +We can extend this to allow +\fBdgb\fR +to run +\fR/bin/ls\fR +with either +the user or group set to +\fBoperator\fR: +.nf +.sp +.RS 0n +dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e + /usr/bin/lprm +.RE +.fi .PP -Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the +Note that while the group portion of the +\fRRunas_Spec\fR +permits the user to run as command with that group, it does not force the user -to do so. If no group is specified on the command line, the command +to do so. +If no group is specified on the command line, the command will run with the group listed in the target user's password database -entry. The following would all be permitted by the sudoers entry above: -.PP -.Vb 3 -\& $ sudo \-u operator /bin/ls -\& $ sudo \-u operator \-g operator /bin/ls -\& $ sudo \-g operator /bin/ls -.Ve +entry. +The following would all be permitted by the sudoers entry above: +.nf +.sp +.RS 0n +$ sudo -u operator /bin/ls +$ sudo -u operator -g operator /bin/ls +$ sudo -g operator /bin/ls +.RE +.fi .PP -In the following example, user \fBtcm\fR may run commands that access +In the following example, user +\fBtcm\fR +may run commands that access a modem device file with the dialer group. -.PP -.Vb 2 -\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e -\& /usr/local/bin/minicom -.Ve +.nf +.sp +.RS 0n +tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e + /usr/local/bin/minicom +.RE +.fi .PP Note that in this example only the group will be set, the command -still runs as user \fBtcm\fR. E.g. -.PP -.Vb 1 -\& $ sudo \-g dialer /usr/bin/cu -.Ve -.PP -Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in -which case the user may select any combination of users and groups -via the \fB\-u\fR and \fB\-g\fR options. In this example: +still runs as user +\fBtcm\fR. +E.g.\& +.nf +.sp +.RS 0n +$ sudo -g dialer /usr/bin/cu +.RE +.fi .PP -.Vb 1 -\& alan ALL = (root, bin : operator, system) ALL -.Ve +Multiple users and groups may be present in a +\fRRunas_Spec\fR, +in which case the user may select any combination of users and groups via the +\fB\-u\fR +and +\fB\-g\fR +options. +In this example: +.nf +.sp +.RS 0n +alan ALL = (root, bin : operator, system) ALL +.RE +.fi .PP -user \fBalan\fR may run any command as either user root or bin, +user +\fBalan\fR +may run any command as either user root or bin, optionally setting the group to operator or system. -.if \n(SL \{\ .SS "SELinux_Spec" -.IX Subsection "SELinux_Spec" -On systems with SELinux support, \fIsudoers\fR entries may optionally have -an SELinux role and/or type associated with a command. If a role or +On systems with SELinux support, +\fIsudoers\fR +entries may optionally have an SELinux role and/or type associated +with a command. +If a role or type is specified with the command it will override any default values -specified in \fIsudoers\fR. A role or type specified on the command line, -however, will supercede the values in \fIsudoers\fR. -\} -.SS "Tag_Spec" -.IX Subsection "Tag_Spec" -A command may have zero or more tags associated with it. There are -ten possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, -\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR, -\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, -subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless -it is overridden by the opposite tag (in other words, \f(CW\*(C`PASSWD\*(C'\fR overrides -\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR). -.PP -\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR -.IX Subsection "NOPASSWD and PASSWD" -.PP -By default, \fBsudo\fR requires that a user authenticate him or herself -before running a command. This behavior can be modified via the -\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets -a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR. -Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things. +specified in +\fIsudoers\fR. +A role or type specified on the command line, +however, will supersede the values in +\fIsudoers\fR. +.SS "Solaris_Priv_Spec" +On Solaris systems, +\fIsudoers\fR +entries may optionally specify Solaris privilege set and/or limit +privilege set associated with a command. +If privileges or limit privileges are specified with the command +it will override any default values specified in +\fIsudoers\fR. +.PP +A privilege set is a comma-separated list of privilege names. +The +ppriv(1) +command can be used to list all privileges known to the system. For example: +.nf +.sp +.RS 0n +$ ppriv -l +.RE +.fi .PP -.Vb 1 -\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm -.Ve -.PP -would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and -\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without -authenticating himself. If we only want \fBray\fR to be able to -run \fI/bin/kill\fR without a password the entry would be: -.PP -.Vb 1 -\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm -.Ve -.PP -Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are -in the group specified by the \fIexempt_group\fR option. -.PP -By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries -for a user on the current host, he or she will be able to run -\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run -\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present -for all a user's entries that pertain to the current host. -This behavior may be overridden via the verifypw and listpw options. -.PP -\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR -.IX Subsection "NOEXEC and EXEC" -.PP -If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying -operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent -a dynamically-linked executable from running further commands itself. -.PP -In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR -and \fI/usr/bin/vi\fR but shell escapes will be disabled. -.PP -.Vb 1 -\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi -.Ve -.PP -See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details -on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system. -.PP -\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR -.IX Subsection "SETENV and NOSETENV" -.PP -These tags override the value of the \fIsetenv\fR option on a per-command -basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user -may disable the \fIenv_reset\fR option from the command line via the -\&\fB\-E\fR option. Additionally, environment variables set on the command -line are not subject to the restrictions imposed by \fIenv_check\fR, -\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should -be allowed to set variables in this manner. If the command matched -is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this -default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag. -.PP -\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR -.IX Subsection "LOG_INPUT and NOLOG_INPUT" +In addition, there are several +``special'' +privilege strings: +.TP 10n +none +the empty set +.TP 10n +all +the set of all privileges +.TP 10n +zone +the set of all privileges available in the current zone +.TP 10n +basic +the default set of privileges normal users are granted at login time +.PP +Privileges can be excluded from a set by prefixing the privilege +name with either an +`\&!' +or +`\-' +character. +.SS "Tag_Spec" +A command may have zero or more tags associated with it. +There are +ten possible tag values: +\fRNOPASSWD\fR, +\fRPASSWD\fR, +\fRNOEXEC\fR, +\fREXEC\fR, +\fRSETENV\fR, +\fRNOSETENV\fR, +\fRLOG_INPUT\fR, +\fRNOLOG_INPUT\fR, +\fRLOG_OUTPUT\fR +and +\fRNOLOG_OUTPUT\fR. +Once a tag is set on a +\fRCmnd\fR, +subsequent +\fRCmnd\fRs +in the +\fRCmnd_Spec_List\fR, +inherit the tag unless it is overridden by the opposite tag (in other words, +\fRPASSWD\fR +overrides +\fRNOPASSWD\fR +and +\fRNOEXEC\fR +overrides +\fREXEC\fR). +.PP +\fINOPASSWD and PASSWD\fR +.PP +By default, +\fBsudo\fR +requires that a user authenticate him or herself +before running a command. +This behavior can be modified via the +\fRNOPASSWD\fR +tag. +Like a +\fRRunas_Spec\fR, +the +\fRNOPASSWD\fR +tag sets +a default for the commands that follow it in the +\fRCmnd_Spec_List\fR. +Conversely, the +\fRPASSWD\fR +tag can be used to reverse things. +For example: +.nf +.sp +.RS 0n +ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm +.RE +.fi .PP -These tags override the value of the \fIlog_input\fR option on a -per-command basis. For more information, see the description of -\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below. +would allow the user +\fBray\fR +to run +\fI/bin/kill\fR, +\fI/bin/ls\fR, +and +\fI/usr/bin/lprm\fR +as +\fBroot\fR +on the machine rushmore without authenticating himself. +If we only want +\fBray\fR +to be able to +run +\fI/bin/kill\fR +without a password the entry would be: +.nf +.sp +.RS 0n +ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm +.RE +.fi .PP -\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR -.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT" +Note, however, that the +\fRPASSWD\fR +tag has no effect on users who are in the group specified by the +\fIexempt_group\fR +option. +.PP +By default, if the +\fRNOPASSWD\fR +tag is applied to any of the entries for a user on the current host, +he or she will be able to run +``\fRsudo -l\fR'' +without a password. +Additionally, a user may only run +``\fRsudo -v\fR'' +without a password if the +\fRNOPASSWD\fR +tag is present for all a user's entries that pertain to the current host. +This behavior may be overridden via the +\fIverifypw\fR +and +\fIlistpw\fR +options. +.PP +\fINOEXEC and EXEC\fR +.PP +If +\fBsudo\fR +has been compiled with +\fInoexec\fR +support and the underlying operating system supports it, the +\fRNOEXEC\fR +tag can be used to prevent a dynamically-linked executable from +running further commands itself. +.PP +In the following example, user +\fBaaron\fR +may run +\fI/usr/bin/more\fR +and +\fI/usr/bin/vi\fR +but shell escapes will be disabled. +.nf +.sp +.RS 0n +aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.RE +.fi .PP -These tags override the value of the \fIlog_output\fR option on a -per-command basis. For more information, see the description of -\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below. +See the +\fIPreventing Shell Escapes\fR +section below for more details on how +\fRNOEXEC\fR +works and whether or not it will work on your system. +.PP +\fISETENV and NOSETENV\fR +.PP +These tags override the value of the +\fIsetenv\fR +option on a per-command basis. +Note that if +\fRSETENV\fR +has been set for a command, the user may disable the +\fIenv_reset\fR +option from the command line via the +\fB\-E\fR +option. +Additionally, environment variables set on the command +line are not subject to the restrictions imposed by +\fIenv_check\fR, +\fIenv_delete\fR, +or +\fIenv_keep\fR. +As such, only trusted users should be allowed to set variables in this manner. +If the command matched is +\fBALL\fR, +the +\fRSETENV\fR +tag is implied for that command; this default may be overridden by use of the +\fRNOSETENV\fR +tag. +.PP +\fILOG_INPUT and NOLOG_INPUT\fR +.PP +These tags override the value of the +\fIlog_input\fR +option on a per-command basis. +For more information, see the description of +\fIlog_input\fR +in the +\fISUDOERS OPTIONS\fR +section below. +.PP +\fILOG_OUTPUT and NOLOG_OUTPUT\fR +.PP +These tags override the value of the +\fIlog_output\fR +option on a per-command basis. +For more information, see the description of +\fIlog_output\fR +in the +\fISUDOERS OPTIONS\fR +section below. .SS "Wildcards" -.IX Subsection "Wildcards" -\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) -to be used in host names, path names and command line arguments in -the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR -\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR +\fBsudo\fR +allows shell-style +\fIwildcards\fR +(aka meta or glob characters) +to be used in host names, path names and command line arguments in the +\fIsudoers\fR +file. +Wildcard matching is done via the +\fBPOSIX\fR +glob(3) +and +fnmatch(3) +routines. +Note that these are +\fInot\fR regular expressions. -.ie n .IP "\*(C`*\*(C'" 8 -.el .IP "\f(CW\*(C`*\*(C'\fR" 8 -.IX Item "*" +.TP 10n +\fR*\fR Matches any set of zero or more characters. -.ie n .IP "\*(C`?\*(C'" 8 -.el .IP "\f(CW\*(C`?\*(C'\fR" 8 -.IX Item "?" +.TP 10n +\fR\&?\fR Matches any single character. -.ie n .IP "\*(C`[...]\*(C'" 8 -.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8 -.IX Item "[...]" +.TP 10n +\fR[...]\fR Matches any character in the specified range. -.ie n .IP "\*(C`[!...]\*(C'" 8 -.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8 -.IX Item "[!...]" -Matches any character \fBnot\fR in the specified range. -.ie n .IP "\*(C`\ex\*(C'" 8 -.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8 -.IX Item "x" -For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to -escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"]\*(R". -.PP -\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3) -and \fIfnmatch\fR\|(3) functions support them. However, because the -\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be -escaped. For example: -.PP -.Vb 1 -\& /bin/ls [[\e:alpha\e:]]* -.Ve +.TP 10n +\fR[!...]\fR +Matches any character +\fBnot\fR +in the specified range. +.TP 10n +\fR\ex\fR +For any character +`x', +evaluates to +`x'. +This is used to escape special characters such as: +`*', +`\&?', +`[\&', +and +`]\&'. +.PP +POSIX character classes may also be used if your system's +glob(3) +and +fnmatch(3) +functions support them. +However, because the +`:\&' +character has special meaning in +\fIsudoers\fR, +it must be +escaped. +For example: +.nf +.sp +.RS 4n +/bin/ls [[\:alpha\:]]* +.RE +.fi .PP Would match any file name beginning with a letter. .PP -Note that a forward slash ('/') will \fBnot\fR be matched by -wildcards used in the path name. When matching the command -line arguments, however, a slash \fBdoes\fR get matched by -wildcards. This is to make a path like: +Note that a forward slash +(`/') +will +\fBnot\fR +be matched by +wildcards used in the path name. +This is to make a path like: +.nf +.sp +.RS 4n +/usr/bin/* +.RE +.fi +.PP +match +\fI/usr/bin/who\fR +but not +\fI/usr/bin/X11/xterm\fR. +.PP +When matching the command line arguments, however, a slash +\fBdoes\fR +get matched by wildcards since command line arguments may contain +arbitrary strings and not just path names. +.PP +Wildcards in command line arguments should be used with care. +Because command line arguments are matched as a single, concatenated +string, a wildcard such as +`\&?' +or +`*' +can match multiple words. +For example, while a sudoers entry like: +.nf +.sp +.RS 4n +%operator ALL = /bin/cat /var/log/messages* +.RE +.fi .PP -.Vb 1 -\& /usr/bin/* -.Ve +will allow command like: +.nf +.sp +.RS 4n +$ sudo cat /var/log/messages.1 +.RE +.fi .PP -match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. +It will also allow: +.nf +.sp +.RS 4n +$ sudo cat /var/log/messages /etc/shadow +.RE +.fi +.PP +which is probably not what was intended. .SS "Exceptions to wildcard rules" -.IX Subsection "Exceptions to wildcard rules" The following exceptions apply to the above rules: -.ie n .IP """""" 8 -.el .IP "\f(CW``''\fR" 8 -.IX Item """""" -If the empty string \f(CW""\fR is the only command line argument in the -\&\fIsudoers\fR entry it means that command is not allowed to be run -with \fBany\fR arguments. +.TP 10n +\fR\&""\fR +If the empty string +\fR\&""\fR +is the only command line argument in the +\fIsudoers\fR +entry it means that command is not allowed to be run with +\fBany\fR +arguments. +.TP 10n +sudoedit +Command line arguments to the +\fIsudoedit\fR +built-in command should always be path names, so a forward slash +(`/') +will not be matched by a wildcard. .SS "Including other files from within sudoers" -.IX Subsection "Including other files from within sudoers" -It is possible to include other \fIsudoers\fR files from within the -\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and -\&\f(CW\*(C`#includedir\*(C'\fR directives. -.PP -This can be used, for example, to keep a site-wide \fIsudoers\fR file -in addition to a local, per-machine file. For the sake of this -example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the -per-machine one will be \fI/etc/sudoers.local\fR. To include -\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the -following line in \fI/etc/sudoers\fR: -.Sp -.RS 4 -\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR +It is possible to include other +\fIsudoers\fR +files from within the +\fIsudoers\fR +file currently being parsed using the +\fR#include\fR +and +\fR#includedir\fR +directives. +.PP +This can be used, for example, to keep a site-wide +\fIsudoers\fR +file in addition to a local, per-machine file. +For the sake of this example the site-wide +\fIsudoers\fR +will be +\fI/etc/sudoers\fR +and the per-machine one will be +\fI/etc/sudoers.local\fR. +To include +\fI/etc/sudoers.local\fR +from within +\fI/etc/sudoers\fR +we would use the +following line in +\fI/etc/sudoers\fR: +.nf +.sp +.RS 4n +#include /etc/sudoers.local .RE +.fi .PP -When \fBsudo\fR reaches this line it will suspend processing of the -current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR. -Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of -\&\fI/etc/sudoers\fR will be processed. Files that are included may -themselves include other files. A hard limit of 128 nested include -files is enforced to prevent include file loops. +When +\fBsudo\fR +reaches this line it will suspend processing of the current file +(\fI/etc/sudoers\fR) +and switch to +\fI/etc/sudoers.local\fR. +Upon reaching the end of +\fI/etc/sudoers.local\fR, +the rest of +\fI/etc/sudoers\fR +will be processed. +Files that are included may themselves include other files. +A hard limit of 128 nested include files is enforced to prevent include +file loops. .PP If the path to the include file is not fully-qualified (does not -begin with a \f(CW\*(C`/\*(C'\fR), it must be located in the same directory as the -sudoers file it was included from. For example, if \fI/etc/sudoers\fR +begin with a +`/', +it must be located in the same directory as the sudoers file it was +included from. +For example, if +\fI/etc/sudoers\fR contains the line: -.Sp -.RS 4 -\&\f(CW\*(C`#include sudoers.local\*(C'\fR +.nf +.sp +.RS 4n +\fR#include sudoers.local\fR .RE +.fi .PP -the file that will be included is \fI/etc/sudoers.local\fR. -.PP -The file name may also include the \f(CW%h\fR escape, signifying the short form -of the host name. In other words, if the machine's host name is \*(L"xerxes\*(R", then -.PP -\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR -.PP -will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR. -.PP -The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR -directory that the system package manager can drop \fIsudoers\fR rules -into as part of package installation. For example, given: +the file that will be included is +\fI/etc/sudoers.local\fR. .PP -\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR +The file name may also include the +\fR%h\fR +escape, signifying the short form of the host name. +In other words, if the machine's host name is +``xerxes'', +then +.nf +.sp +.RS 4n +#include /etc/sudoers.%h +.RE +.fi .PP -\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file -names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing -problems with package manager or editor temporary/backup files. -Files are parsed in sorted lexical order. That is, -\&\fI/etc/sudoers.d/01_first\fR will be parsed before -\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is -lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded -\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number -of leading zeroes in the file names can be used to avoid such -problems. +will cause +\fBsudo\fR +to include the file +\fI/etc/sudoers.xerxes\fR. +.PP +The +\fR#includedir\fR +directive can be used to create a +\fIsudo.d\fR +directory that the system package manager can drop +\fIsudoers\fR +rules +into as part of package installation. +For example, given: +.nf +.sp +.RS 4n +#includedir /etc/sudoers.d +.RE +.fi .PP -Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not -edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them -contains a syntax error. It is still possible to run \fBvisudo\fR -with the \fB\-f\fR flag to edit the files directly. +\fBsudo\fR +will read each file in +\fI/etc/sudoers.d\fR, +skipping file names that end in +`~' +or contain a +`.\&' +character to avoid causing problems with package manager or editor +temporary/backup files. +Files are parsed in sorted lexical order. +That is, +\fI/etc/sudoers.d/01_first\fR +will be parsed before +\fI/etc/sudoers.d/10_second\fR. +Be aware that because the sorting is lexical, not numeric, +\fI/etc/sudoers.d/1_whoops\fR +would be loaded +\fBafter\fR +\fI/etc/sudoers.d/10_second\fR. +Using a consistent number of leading zeroes in the file names can be used +to avoid such problems. +.PP +Note that unlike files included via +\fR#include\fR, +\fBvisudo\fR +will not edit the files in a +\fR#includedir\fR +directory unless one of them contains a syntax error. +It is still possible to run +\fBvisudo\fR +with the +\fB\-f\fR +flag to edit the files directly. .SS "Other special characters and reserved words" -.IX Subsection "Other special characters and reserved words" -The pound sign ('#') is used to indicate a comment (unless it is -part of a #include directive or unless it occurs in the context of -a user name and is followed by one or more digits, in which case -it is treated as a uid). Both the comment character and any text -after it, up to the end of the line, are ignored. -.PP -The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes -a match to succeed. It can be used wherever one might otherwise -use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR. -You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the -built-in alias will be used in preference to your own. Please note -that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it -allows the user to run \fBany\fR command on the system. -.PP -An exclamation point ('!') can be used as a logical \fInot\fR operator -both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to -exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in -conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to -run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0 -\&\s-1NOTES\s0 below). -.PP -Long lines can be continued with a backslash ('\e') as the last -character on the line. -.PP -Whitespace between elements in a list as well as special syntactic -characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional. -.PP -The following characters must be escaped with a backslash ('\e') when -used as part of a word (e.g.\ a user name or host name): -\&'!', '=', ':', ',', '(', ')', '\e'. +The pound sign +(`#') +is used to indicate a comment (unless it is part of a #include +directive or unless it occurs in the context of a user name and is +followed by one or more digits, in which case it is treated as a +uid). +Both the comment character and any text after it, up to the end of +the line, are ignored. +.PP +The reserved word +\fBALL\fR +is a built-in +\fIalias\fR +that always causes a match to succeed. +It can be used wherever one might otherwise use a +\fRCmnd_Alias\fR, +\fRUser_Alias\fR, +\fRRunas_Alias\fR, +or +\fRHost_Alias\fR. +You should not try to define your own +\fIalias\fR +called +\fBALL\fR +as the built-in alias will be used in preference to your own. +Please note that using +\fBALL\fR +can be dangerous since in a command context, it allows the user to run +\fBany\fR +command on the system. +.PP +An exclamation point +(`\&!') +can be used as a logical +\fInot\fR +operator both in an +\fIalias\fR +and in front of a +\fRCmnd\fR. +This allows one to exclude certain values. +Note, however, that using a +`\&!' +in conjunction with the built-in +\fBALL\fR +alias to allow a user to run +``all but a few'' +commands rarely works as intended (see +\fISECURITY NOTES\fR +below). +.PP +Long lines can be continued with a backslash +(`\e') +as the last character on the line. +.PP +White space between elements in a list as well as special syntactic +characters in a +\fIUser Specification\fR +(`=\&', +`:\&', +`(\&', +`)\&') +is optional. +.PP +The following characters must be escaped with a backslash +(`\e') +when used as part of a word (e.g.\& a user name or host name): +`\&!', +`=\&', +`:\&', +`,\&', +`(\&', +`)\&', +`\e'. .SH "SUDOERS OPTIONS" -.IX Header "SUDOERS OPTIONS" -\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as -explained earlier. A list of all supported Defaults parameters, -grouped by type, are listed below. -.PP -\&\fBBoolean Flags\fR: -.IP "always_set_home" 16 -.IX Item "always_set_home" -If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the -home directory of the target user (which is root unless the \fB\-u\fR -option is used). This effectively means that the \fB\-H\fR option is -always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the -\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only -effective for configurations where either \fIenv_reset\fR is disabled -or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list. -This flag is \fIoff\fR by default. -.IP "authenticate" 16 -.IX Item "authenticate" +\fBsudo\fR's +behavior can be modified by +\fRDefault_Entry\fR +lines, as explained earlier. +A list of all supported Defaults parameters, grouped by type, are listed below. +.PP +\fBBoolean Flags\fR: +.TP 18n +always_set_home +If enabled, +\fBsudo\fR +will set the +\fRHOME\fR +environment variable to the home directory of the target user +(which is root unless the +\fB\-u\fR +option is used). +This effectively means that the +\fB\-H\fR +option is always implied. +Note that +\fRHOME\fR +is already set when the the +\fIenv_reset\fR +option is enabled, so +\fIalways_set_home\fR +is only effective for configurations where either +\fIenv_reset\fR +is disabled or +\fRHOME\fR +is present in the +\fIenv_keep\fR +list. +This flag is +\fIoff\fR +by default. +.TP 18n +authenticate If set, users must authenticate themselves via a password (or other -means of authentication) before they may run commands. This default -may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags. -This flag is \fIon\fR by default. -.IP "closefrom_override" 16 -.IX Item "closefrom_override" -If set, the user may use \fBsudo\fR's \fB\-C\fR option which -overrides the default starting point at which \fBsudo\fR begins -closing open file descriptors. This flag is \fIoff\fR by default. -.IP "compress_io" 16 -.IX Item "compress_io" -If set, and \fBsudo\fR is configured to log a command's input or output, -the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR -by default when \fBsudo\fR is compiled with \fBzlib\fR support. -.IP "env_editor" 16 -.IX Item "env_editor" -If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 +means of authentication) before they may run commands. +This default may be overridden via the +\fRPASSWD\fR +and +\fRNOPASSWD\fR +tags. +This flag is +\fIon\fR +by default. +.TP 18n +closefrom_override +If set, the user may use +\fBsudo\fR's +\fB\-C\fR +option which overrides the default starting point at which +\fBsudo\fR +begins closing open file descriptors. +This flag is +\fIoff\fR +by default. +.TP 18n +compress_io +If set, and +\fBsudo\fR +is configured to log a command's input or output, +the I/O logs will be compressed using +\fBzlib\fR. +This flag is +\fIon\fR +by default when +\fBsudo\fR +is compiled with +\fBzlib\fR +support. +.TP 18n +env_editor +If set, +\fBvisudo\fR +will use the value of the +\fREDITOR\fR +or +\fRVISUAL\fR environment variables before falling back on the default editor list. Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. A safer alternative -is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR -variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if -they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by -default. -.IP "env_reset" 16 -.IX Item "env_reset" -If set, \fBsudo\fR will run the command in a minimal environment -containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, -\&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any -variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR -and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables -present in the file specified by the \fIenv_file\fR option (if any). -The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are -displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. If -the \fIsecure_path\fR option is set, its value will be used for the -\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by +run any arbitrary command as root without logging. +A safer alternative is to place a colon-separated list of editors +in the +\fReditor\fR +variable. +\fBvisudo\fR +will then only use the +\fREDITOR\fR +or +\fRVISUAL\fR +if they match a value specified in +\fReditor\fR. +This flag is +\fI@env_editor@\fR +by default. -.IP "fast_glob" 16 -.IX Item "fast_glob" -Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style -globbing when matching path names. However, since it accesses the -file system, \fIglob\fR\|(3) can take a long time to complete for some -patterns, especially when the pattern references a network file -system that is mounted on demand (automounted). The \fIfast_glob\fR -option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does -not access the file system to do its matching. The disadvantage -of \fIfast_glob\fR is that it is unable to match relative path names -such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications -when path names that include globbing characters are used with the -negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed. -As such, this option should not be used when \fIsudoers\fR contains rules -that contain negated path names which include globbing characters. -This flag is \fIoff\fR by default. -.IP "fqdn" 16 -.IX Item "fqdn" +.TP 18n +env_reset +If set, +\fBsudo\fR +will run the command in a minimal environment containing the +\fRTERM\fR, +\fRPATH\fR, +\fRHOME\fR, +\fRMAIL\fR, +\fRSHELL\fR, +\fRLOGNAME\fR, +\fRUSER\fR, +\fRUSERNAME\fR +and +\fRSUDO_*\fR +variables. +Any +variables in the caller's environment that match the +\fRenv_keep\fR +and +\fRenv_check\fR +lists are then added, followed by any variables present in the file +specified by the +\fIenv_file\fR +option (if any). +The default contents of the +\fRenv_keep\fR +and +\fRenv_check\fR +lists are displayed when +\fBsudo\fR +is run by root with the +\fB\-V\fR +option. +If the +\fIsecure_path\fR +option is set, its value will be used for the +\fRPATH\fR +environment variable. +This flag is +\fI@env_reset@\fR +by default. +.TP 18n +fast_glob +Normally, +\fBsudo\fR +uses the +glob(3) +function to do shell-style globbing when matching path names. +However, since it accesses the file system, +glob(3) +can take a long time to complete for some patterns, especially +when the pattern references a network file system that is mounted +on demand (auto mounted). +The +\fIfast_glob\fR +option causes +\fBsudo\fR +to use the +fnmatch(3) +function, which does not access the file system to do its matching. +The disadvantage of +\fIfast_glob\fR +is that it is unable to match relative path names such as +\fI./ls\fR +or +\fI../bin/ls\fR. +This has security implications when path names that include globbing +characters are used with the negation operator, +`!\&', +as such rules can be trivially bypassed. +As such, this option should not be used when +\fIsudoers\fR +contains rules that contain negated path names which include globbing +characters. +This flag is +\fIoff\fR +by default. +.TP 18n +fqdn Set this flag if you want to put fully qualified host names in the -\&\fIsudoers\fR file. +\fIsudoers\fR +file when the local host name (as returned by the +\fRhostname\fR +command) does not contain the domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). -Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups -which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example -if the machine is not plugged into the network). Also note that -you must use the host's official name as \s-1DNS\s0 knows it. That is, -you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance -issues and the fact that there is no way to get all aliases from -\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR -command) is already fully qualified you shouldn't need to set -\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default. -.IP "ignore_dot" 16 -.IX Item "ignore_dot" -If set, \fBsudo\fR will ignore \*(L".\*(R" or "" (current dir) in the \f(CW\*(C`PATH\*(C'\fR -environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This -flag is \fI@ignore_dot@\fR by default. -.IP "ignore_local_sudoers" 16 -.IX Item "ignore_local_sudoers" -If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped. +This option is only effective when the +``canonical'' +host name, as returned by the +\fBgetaddrinfo\fR() +or +\fBgethostbyname\fR() +function, is a fully-qualified domain name. +This is usually the case when the system is configured to use DNS +for host name resolution. +.sp +If the system is configured to use the +\fI/etc/hosts\fR +file in preference to DNS, the +``canonical'' +host name may not be fully-qualified. +The order that sources are queried for hosts name resolution +is usually specified in the +\fI@nsswitch_conf@\fR, +\fI@netsvc_conf@\fR, +\fI/etc/host.conf\fR, +or, in some cases, +\fI/etc/resolv.conf\fR +file. +In the +\fI/etc/hosts\fR +file, the first host name of the entry is considered to be the +``canonical'' +name; subsequent names are aliases that are not used by +\fBsudoers\fR. +For example, the following hosts file line for the machine +``xyzzy'' +has the fully-qualified domain name as the +``canonical'' +host name, and the short version as an alias. +.sp +.RS 6n +192.168.1.1 xyzzy.sudo.ws xyzzy +.RE +.sp +If the machine's hosts file entry is not formatted properly, the +\fIfqdn\fR +option will not be effective if it is queried before DNS. +.sp +Beware that when using DNS for host name resolution, turning on +\fIfqdn\fR +requires +\fBsudoers\fR +to make DNS lookups which renders +\fBsudo\fR +unusable if DNS stops working (for example if the machine is disconnected +from the network). +Also note that just like with the hosts file, you must use the +``canonical'' +name as DNS knows it. +That is, you may not use a host alias +(\fRCNAME\fR +entry) +due to performance issues and the fact that there is no way to get all +aliases from DNS. +.sp +This flag is +\fI@fqdn@\fR +by default. +.TP 18n +ignore_dot +If set, +\fBsudo\fR +will ignore "." or "" (both denoting current directory) in the +\fRPATH\fR +environment variable; the +\fRPATH\fR +itself is not modified. +This flag is +\fI@ignore_dot@\fR +by default. +.TP 18n +ignore_local_sudoers +If set via LDAP, parsing of +\fI@sysconfdir@/sudoers\fR +will be skipped. This is intended for Enterprises that wish to prevent the usage of local -sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of -rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR. -When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to -exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 -entries have been matched, this sudoOption is only meaningful for the -\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default. -.IP "insults" 16 -.IX Item "insults" -If set, \fBsudo\fR will insult users when they enter an incorrect -password. This flag is \fI@insults@\fR by default. -.IP "log_host" 16 -.IX Item "log_host" -If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file. -This flag is \fIoff\fR by default. -.IP "log_input" 16 -.IX Item "log_input" -If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all -user input. +sudoers files so that only LDAP is used. +This thwarts the efforts of rogue operators who would attempt to add roles to +\fI@sysconfdir@/sudoers\fR. +When this option is present, +\fI@sysconfdir@/sudoers\fR +does not even need to exist. +Since this option tells +\fBsudo\fR +how to behave when no specific LDAP entries have been matched, this +sudoOption is only meaningful for the +\fRcn=defaults\fR +section. +This flag is +\fIoff\fR +by default. +.TP 18n +insults +If set, +\fBsudo\fR +will insult users when they enter an incorrect password. +This flag is +\fI@insults@\fR +by default. +.TP 18n +log_host +If set, the host name will be logged in the (non-syslog) +\fBsudo\fR +log file. +This flag is +\fIoff\fR +by default. +.TP 18n +log_input +If set, +\fBsudo\fR +will run the command in a +\fIpseudo tty\fR +and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file. -.Sp -Input is logged to the directory specified by the \fIiolog_dir\fR -option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that -is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR". -.Sp +.sp +Input is logged to the directory specified by the +\fIiolog_dir\fR +option +(\fI@iolog_dir@\fR +by default) +using a unique session ID that is included in the normal +\fBsudo\fR +log line, prefixed with +``\fRTSID=\fR''. +.sp Note that user input may contain sensitive information such as passwords (even if they are not echoed to the screen), which will -be stored in the log file unencrypted. In most cases, logging the -command output via \fIlog_output\fR is all that is required. -.IP "log_output" 16 -.IX Item "log_output" -If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all -output that is sent to the screen, similar to the \fIscript\fR\|(1) command. +be stored in the log file unencrypted. +In most cases, logging the command output via +\fIlog_output\fR +is all that is required. +.TP 18n +log_output +If set, +\fBsudo\fR +will run the command in a +\fIpseudo tty\fR +and log all output that is sent to the screen, similar to the +script(1) +command. If the standard output or standard error is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that output is also captured and stored in separate log files. -.Sp -Output is logged to the directory specified by the \fIiolog_dir\fR -option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that -is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR". -.Sp -Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which -can also be used to list or search the available logs. -.IP "log_year" 16 -.IX Item "log_year" -If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file. -This flag is \fIoff\fR by default. -.IP "long_otp_prompt" 16 -.IX Item "long_otp_prompt" -When validating with a One Time Password (\s-1OTP\s0) scheme such as -\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier -to cut and paste the challenge to a local window. It's not as -pretty as the default but some people find it more convenient. This -flag is \fI@long_otp_prompt@\fR by default. -.IP "mail_always" 16 -.IX Item "mail_always" -Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR. -This flag is \fIoff\fR by default. -.IP "mail_badpass" 16 -.IX Item "mail_badpass" -Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not -enter the correct password. This flag is \fIoff\fR by default. -.IP "mail_no_host" 16 -.IX Item "mail_no_host" -If set, mail will be sent to the \fImailto\fR user if the invoking -user exists in the \fIsudoers\fR file, but is not allowed to run -commands on the current host. This flag is \fI@mail_no_host@\fR by default. -.IP "mail_no_perms" 16 -.IX Item "mail_no_perms" -If set, mail will be sent to the \fImailto\fR user if the invoking -user is allowed to use \fBsudo\fR but the command they are trying is not -listed in their \fIsudoers\fR file entry or is explicitly denied. -This flag is \fI@mail_no_perms@\fR by default. -.IP "mail_no_user" 16 -.IX Item "mail_no_user" -If set, mail will be sent to the \fImailto\fR user if the invoking -user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR +.sp +Output is logged to the directory specified by the +\fIiolog_dir\fR +option +(\fI@iolog_dir@\fR +by default) +using a unique session ID that is included in the normal +\fBsudo\fR +log line, prefixed with +``\fRTSID=\fR''. +.sp +Output logs may be viewed with the +sudoreplay(@mansectsu@) +utility, which can also be used to list or search the available logs. +.TP 18n +log_year +If set, the four-digit year will be logged in the (non-syslog) +\fBsudo\fR +log file. +This flag is +\fIoff\fR +by default. +.TP 18n +long_otp_prompt +When validating with a One Time Password (OTP) scheme such as +\fBS/Key\fR +or +\fBOPIE\fR, +a two-line prompt is used to make it easier +to cut and paste the challenge to a local window. +It's not as pretty as the default but some people find it more convenient. +This flag is +\fI@long_otp_prompt@\fR +by default. +.TP 18n +mail_always +Send mail to the +\fImailto\fR +user every time a users runs +\fBsudo\fR. +This flag is +\fIoff\fR +by default. +.TP 18n +mail_badpass +Send mail to the +\fImailto\fR +user if the user running +\fBsudo\fR +does not enter the correct password. +If the command the user is attempting to run is not permitted by +\fIsudoers\fR +and one of the +\fImail_always\fR, +\fImail_no_host\fR, +\fImail_no_perms\fR +or +\fImail_no_user\fR +flags are set, this flag will have no effect. +This flag is +\fIoff\fR +by default. +.TP 18n +mail_no_host +If set, mail will be sent to the +\fImailto\fR +user if the invoking user exists in the +\fIsudoers\fR +file, but is not allowed to run commands on the current host. +This flag is +\fI@mail_no_host@\fR +by default. +.TP 18n +mail_no_perms +If set, mail will be sent to the +\fImailto\fR +user if the invoking user is allowed to use +\fBsudo\fR +but the command they are trying is not listed in their +\fIsudoers\fR +file entry or is explicitly denied. +This flag is +\fI@mail_no_perms@\fR +by default. +.TP 18n +mail_no_user +If set, mail will be sent to the +\fImailto\fR +user if the invoking user is not in the +\fIsudoers\fR +file. +This flag is +\fI@mail_no_user@\fR by default. -.IP "noexec" 16 -.IX Item "noexec" -If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR -tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the -description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 -\&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default. -.IP "path_info" 16 -.IX Item "path_info" -Normally, \fBsudo\fR will tell the user when a command could not be -found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish -to disable this as it could be used to gather information on the -location of executables that the normal user does not have access -to. The disadvantage is that if the executable is simply not in -the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not -allowed to run it, which can be confusing. This flag is \fI@path_info@\fR +.TP 18n +noexec +If set, all commands run via +\fBsudo\fR +will behave as if the +\fRNOEXEC\fR +tag has been set, unless overridden by a +\fREXEC\fR +tag. +See the description of +\fINOEXEC and EXEC\fR +below as well as the +\fIPreventing Shell Escapes\fR +section at the end of this manual. +This flag is +\fIoff\fR by default. -.IP "passprompt_override" 16 -.IX Item "passprompt_override" -The password prompt specified by \fIpassprompt\fR will normally only -be used if the password prompt provided by systems such as \s-1PAM\s0 matches -the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR -will always be used. This flag is \fIoff\fR by default. -.IP "preserve_groups" 16 -.IX Item "preserve_groups" -By default, \fBsudo\fR will initialize the group vector to the list of -groups the target user is in. When \fIpreserve_groups\fR is set, the -user's existing group vector is left unaltered. The real and -effective group IDs, however, are still set to match the target -user. This flag is \fIoff\fR by default. -.IP "pwfeedback" 16 -.IX Item "pwfeedback" -By default, \fBsudo\fR reads the password like most other Unix programs, +.TP 18n +path_info +Normally, +\fBsudo\fR +will tell the user when a command could not be +found in their +\fRPATH\fR +environment variable. +Some sites may wish to disable this as it could be used to gather +information on the location of executables that the normal user does +not have access to. +The disadvantage is that if the executable is simply not in the user's +\fRPATH\fR, +\fBsudo\fR +will tell the user that they are not allowed to run it, which can be confusing. +This flag is +\fI@path_info@\fR +by default. +.TP 18n +passprompt_override +The password prompt specified by +\fIpassprompt\fR +will normally only be used if the password prompt provided by systems +such as PAM matches the string +``Password:''. +If +\fIpassprompt_override\fR +is set, +\fIpassprompt\fR +will always be used. +This flag is +\fIoff\fR +by default. +.TP 18n +preserve_groups +By default, +\fBsudo\fR +will initialize the group vector to the list of groups the target user is in. +When +\fIpreserve_groups\fR +is set, the user's existing group vector is left unaltered. +The real and effective group IDs, however, are still set to match the +target user. +This flag is +\fIoff\fR +by default. +.TP 18n +pwfeedback +By default, +\fBsudo\fR +reads the password like most other Unix programs, by turning off echo until the user hits the return (or enter) key. -Some users become confused by this as it appears to them that \fBsudo\fR -has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will -provide visual feedback when the user presses a key. Note that -this does have a security impact as an onlooker may be able to +Some users become confused by this as it appears to them that +\fBsudo\fR +has hung at this point. +When +\fIpwfeedback\fR +is set, +\fBsudo\fR +will provide visual feedback when the user presses a key. +Note that this does have a security impact as an onlooker may be able to determine the length of the password being entered. -This flag is \fIoff\fR by default. -.IP "requiretty" 16 -.IX Item "requiretty" -If set, \fBsudo\fR will only run when the user is logged in to a real -tty. When this flag is set, \fBsudo\fR can only be run from a login -session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts. -This flag is \fIoff\fR by default. -.IP "root_sudo" 16 -.IX Item "root_sudo" -If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users -from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something -like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR -will also prevent root from running \fBsudoedit\fR. -Disabling \fIroot_sudo\fR provides no real additional security; it -exists purely for historical reasons. -This flag is \fI@root_sudo@\fR by default. -.IP "rootpw" 16 -.IX Item "rootpw" -If set, \fBsudo\fR will prompt for the root password instead of the password -of the invoking user. This flag is \fIoff\fR by default. -.IP "runaspw" 16 -.IX Item "runaspw" -If set, \fBsudo\fR will prompt for the password of the user defined by the -\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the -password of the invoking user. This flag is \fIoff\fR by default. -.IP "set_home" 16 -.IX Item "set_home" -If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR +This flag is +\fIoff\fR +by default. +.TP 18n +requiretty +If set, +\fBsudo\fR +will only run when the user is logged in to a real tty. +When this flag is set, +\fBsudo\fR +can only be run from a login session and not via other means such as +cron(@mansectsu@) +or cgi-bin scripts. +This flag is +\fIoff\fR +by default. +.TP 18n +root_sudo +If set, root is allowed to run +\fBsudo\fR +too. +Disabling this prevents users from +``chaining'' +\fBsudo\fR +commands to get a root shell by doing something like +``\fRsudo sudo /bin/sh\fR''. +Note, however, that turning off +\fIroot_sudo\fR +will also prevent root from running +\fBsudoedit\fR. +Disabling +\fIroot_sudo\fR +provides no real additional security; it exists purely for historical reasons. +This flag is +\fI@root_sudo@\fR +by default. +.TP 18n +rootpw +If set, +\fBsudo\fR +will prompt for the root password instead of the password of the invoking user. +This flag is +\fIoff\fR +by default. +.TP 18n +runaspw +If set, +\fBsudo\fR +will prompt for the password of the user defined by the +\fIrunas_default\fR +option (defaults to +\fR@runas_default@\fR) +instead of the password of the invoking user. +This flag is +\fIoff\fR +by default. +.TP 18n +set_home +If enabled and +\fBsudo\fR +is invoked with the +\fB\-s\fR +option the +\fRHOME\fR environment variable will be set to the home directory of the target -user (which is root unless the \fB\-u\fR option is used). This effectively -makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already -set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is -only effective for configurations where either \fIenv_reset\fR is disabled -or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list. -This flag is \fIoff\fR by default. -.IP "set_logname" 16 -.IX Item "set_logname" -Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR -environment variables to the name of the target user (usually root -unless the \fB\-u\fR option is given). However, since some programs -(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to -determine the real identity of the user, it may be desirable to -change this behavior. This can be done by negating the set_logname -option. Note that if the \fIenv_reset\fR option has not been disabled, -entries in the \fIenv_keep\fR list will override the value of -\&\fIset_logname\fR. This flag is \fIon\fR by default. -.IP "setenv" 16 -.IX Item "setenv" -Allow the user to disable the \fIenv_reset\fR option from the command -line. Additionally, environment variables set via the command line -are not subject to the restrictions imposed by \fIenv_check\fR, -\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should -be allowed to set variables in this manner. This flag is \fIoff\fR +user (which is root unless the +\fB\-u\fR +option is used). +This effectively makes the +\fB\-s\fR +option imply +\fB\-H\fR. +Note that +\fRHOME\fR +is already set when the the +\fIenv_reset\fR +option is enabled, so +\fIset_home\fR +is only effective for configurations where either +\fIenv_reset\fR +is disabled +or +\fRHOME\fR +is present in the +\fIenv_keep\fR +list. +This flag is +\fIoff\fR +by default. +.TP 18n +set_logname +Normally, +\fBsudo\fR +will set the +\fRLOGNAME\fR, +\fRUSER\fR +and +\fRUSERNAME\fR +environment variables to the name of the target user (usually root unless the +\fB\-u\fR +option is given). +However, since some programs (including the RCS revision control system) use +\fRLOGNAME\fR +to determine the real identity of the user, it may be desirable to +change this behavior. +This can be done by negating the set_logname option. +Note that if the +\fIenv_reset\fR +option has not been disabled, entries in the +\fIenv_keep\fR +list will override the value of +\fIset_logname\fR. +This flag is +\fIon\fR +by default. +.TP 18n +setenv +Allow the user to disable the +\fIenv_reset\fR +option from the command line via the +\fB\-E\fR +option. +Additionally, environment variables set via the command line are +not subject to the restrictions imposed by +\fIenv_check\fR, +\fIenv_delete\fR, +or +\fIenv_keep\fR. +As such, only trusted users should be allowed to set variables in this manner. +This flag is +\fIoff\fR +by default. +.TP 18n +shell_noargs +If set and +\fBsudo\fR +is invoked with no arguments it acts as if the +\fB\-s\fR +option had been given. +That is, it runs a shell as root (the shell is determined by the +\fRSHELL\fR +environment variable if it is set, falling back on the shell listed +in the invoking user's /etc/passwd entry if not). +This flag is +\fIoff\fR +by default. +.TP 18n +stay_setuid +Normally, when +\fBsudo\fR +executes a command the real and effective UIDs are set to the target +user (root by default). +This option changes that behavior such that the real UID is left +as the invoking user's UID. +In other words, this makes +\fBsudo\fR +act as a setuid wrapper. +This can be useful on systems that disable some potentially +dangerous functionality when a program is run setuid. +This option is only effective on systems that support either the +setreuid(2) +or +setresuid(2) +system call. +This flag is +\fIoff\fR +by default. +.TP 18n +targetpw +If set, +\fBsudo\fR +will prompt for the password of the user specified +by the +\fB\-u\fR +option (defaults to +\fRroot\fR) +instead of the password of the invoking user. +In addition, the time stamp file name will include the target user's name. +Note that this flag precludes the use of a uid not listed in the passwd +database as an argument to the +\fB\-u\fR +option. +This flag is +\fIoff\fR +by default. +.TP 18n +tty_tickets +If set, users must authenticate on a per-tty basis. +With this flag enabled, +\fBsudo\fR +will use a file named for the tty the user is +logged in on in the user's time stamp directory. +If disabled, the time stamp of the directory is used instead. +This flag is +\fI@tty_tickets@\fR +by default. +.TP 18n +umask_override +If set, +\fBsudo\fR +will set the umask as specified by +\fIsudoers\fR +without modification. +This makes it possible to specify a more permissive umask in +\fIsudoers\fR +than the user's own umask and matches historical behavior. +If +\fIumask_override\fR +is not set, +\fBsudo\fR +will set the umask to be the union of the user's umask and what is specified in +\fIsudoers\fR. +This flag is +\fI@umask_override@\fR +by default. +.TP 18n +use_loginclass +If set, +\fBsudo\fR +will apply the defaults specified for the target user's login class +if one exists. +Only available if +\fBsudo\fR +is configured with the +\fR--with-logincap\fR +option. +This flag is +\fIoff\fR +by default. +.TP 18n +use_pty +If set, +\fBsudo\fR +will run the command in a pseudo-pty even if no I/O logging is being gone. +A malicious program run under +\fBsudo\fR +could conceivably fork a background process that retains to the user's +terminal device after the main program has finished executing. +Use of this option will make that impossible. +This flag is +\fIoff\fR by default. -.IP "shell_noargs" 16 -.IX Item "shell_noargs" -If set and \fBsudo\fR is invoked with no arguments it acts as if the -\&\fB\-s\fR option had been given. That is, it runs a shell as root (the -shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is -set, falling back on the shell listed in the invoking user's -/etc/passwd entry if not). This flag is \fIoff\fR by default. -.IP "stay_setuid" 16 -.IX Item "stay_setuid" -Normally, when \fBsudo\fR executes a command the real and effective -UIDs are set to the target user (root by default). This option -changes that behavior such that the real \s-1UID\s0 is left as the invoking -user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid -wrapper. This can be useful on systems that disable some potentially -dangerous functionality when a program is run setuid. This option -is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR -function. This flag is \fIoff\fR by default. -.IP "targetpw" 16 -.IX Item "targetpw" -If set, \fBsudo\fR will prompt for the password of the user specified -by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password -of the invoking user. In addition, the timestamp file name will -include the target user's name. Note that this flag precludes the -use of a uid not listed in the passwd database as an argument to -the \fB\-u\fR option. This flag is \fIoff\fR by default. -.IP "tty_tickets" 16 -.IX Item "tty_tickets" -If set, users must authenticate on a per-tty basis. With this flag -enabled, \fBsudo\fR will use a file named for the tty the user is -logged in on in the user's time stamp directory. If disabled, the -time stamp of the directory is used instead. This flag is -\&\fI@tty_tickets@\fR by default. -.IP "umask_override" 16 -.IX Item "umask_override" -If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without -modification. This makes it possible to specify a more permissive -umask in \fIsudoers\fR than the user's own umask and matches historical -behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the -umask to be the union of the user's umask and what is specified in -\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default. -.if \n(LC \{\ -.IP "use_loginclass" 16 -.IX Item "use_loginclass" -If set, \fBsudo\fR will apply the defaults specified for the target user's -login class if one exists. Only available if \fBsudo\fR is configured with -the \-\-with\-logincap option. This flag is \fIoff\fR by default. -\} -.IP "use_pty" 16 -.IX Item "use_pty" -If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O -logging is being gone. A malicious program run under \fBsudo\fR could -conceivably fork a background process that retains to the user's -terminal device after the main program has finished executing. Use -of this option will make that impossible. -.IP "visiblepw" 16 -.IX Item "visiblepw" -By default, \fBsudo\fR will refuse to run if the user must enter a -password but it is not possible to disable echo on the terminal. -If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password -even when it would be visible on the screen. This makes it possible -to run things like \f(CW"ssh somehost sudo ls"\fR since by default, \fIssh\fR\|(1) does -not allocate a tty when running a command. This flag is \fIoff\fR by default. -.PP -\&\fBIntegers\fR: -.IP "closefrom" 16 -.IX Item "closefrom" -Before it executes a command, \fBsudo\fR will close all open file -descriptors other than standard input, standard output and standard -error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used -to specify a different file descriptor at which to start closing. -The default is \f(CW3\fR. -.IP "passwd_tries" 16 -.IX Item "passwd_tries" +.TP 18n +visiblepw +By default, +\fBsudo\fR +will refuse to run if the user must enter a password but it is not +possible to disable echo on the terminal. +If the +\fIvisiblepw\fR +flag is set, +\fBsudo\fR +will prompt for a password even when it would be visible on the screen. +This makes it possible to run things like +``\fRssh somehost sudo ls\fR'' +since by default, +ssh(1) +does +not allocate a tty when running a command. +This flag is +\fIoff\fR +by default. +.PP +\fBIntegers\fR: +.TP 18n +closefrom +Before it executes a command, +\fBsudo\fR +will close all open file descriptors other than standard input, +standard output and standard error (ie: file descriptors 0-2). +The +\fIclosefrom\fR +option can be used to specify a different file descriptor at which +to start closing. +The default is +\fR3\fR. +.TP 18n +passwd_tries The number of tries a user gets to enter his/her password before -\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR. -.PP -\&\fBIntegers that can be used in a boolean context\fR: -.IP "loglinelen" 16 -.IX Item "loglinelen" -Number of characters per line for the file log. This value is used -to decide when to wrap lines for nicer log files. This has no -effect on the syslog log file, only the file log. The default is -\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap). -.IP "passwd_timeout" 16 -.IX Item "passwd_timeout" -Number of minutes before the \fBsudo\fR password prompt times out, or -\&\f(CW0\fR for no timeout. The timeout may include a fractional component -if minute granularity is insufficient, for example \f(CW2.5\fR. The -default is \f(CW\*(C`@password_timeout@\*(C'\fR. -.IP "timestamp_timeout" 16 -.IX Item "timestamp_timeout" -Number of minutes that can elapse before \fBsudo\fR will ask for a -passwd again. The timeout may include a fractional component if -minute granularity is insufficient, for example \f(CW2.5\fR. The default -is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password. -If set to a value less than \f(CW0\fR the user's timestamp will never -expire. This can be used to allow users to create or delete their -own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively. -.IP "umask" 16 -.IX Item "umask" -Umask to use when running the command. Negate this option or set -it to 0777 to preserve the user's umask. The actual umask that is -used will be the union of the user's umask and the value of the -\&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees -that \fBsudo\fR never lowers the umask when running a command. Note -on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify -its own umask which will override the value set in \fIsudoers\fR. -.PP -\&\fBStrings\fR: -.IP "badpass_message" 16 -.IX Item "badpass_message" +\fBsudo\fR +logs the failure and exits. +The default is +\fR@passwd_tries@\fR. +.PP +\fBIntegers that can be used in a boolean context\fR: +.TP 18n +loglinelen +Number of characters per line for the file log. +This value is used to decide when to wrap lines for nicer log files. +This has no effect on the syslog log file, only the file log. +The default is +\fR@loglen@\fR +(use 0 or negate the option to disable word wrap). +.TP 18n +passwd_timeout +Number of minutes before the +\fBsudo\fR +password prompt times out, or +\fR0\fR +for no timeout. +The timeout may include a fractional component +if minute granularity is insufficient, for example +\fR2.5\fR. +The +default is +\fR@password_timeout@\fR. +.TP 18n +timestamp_timeout +.br +Number of minutes that can elapse before +\fBsudo\fR +will ask for a passwd again. +The timeout may include a fractional component if +minute granularity is insufficient, for example +\fR2.5\fR. +The default is +\fR@timeout@\fR. +Set this to +\fR0\fR +to always prompt for a password. +If set to a value less than +\fR0\fR +the user's time stamp will never expire. +This can be used to allow users to create or delete their own time stamps via +``\fRsudo -v\fR'' +and +``\fRsudo -k\fR'' +respectively. +.TP 18n +umask +Umask to use when running the command. +Negate this option or set it to 0777 to preserve the user's umask. +The actual umask that is used will be the union of the user's umask +and the value of the +\fIumask\fR +option, which defaults to +\fR@sudo_umask@\fR. +This guarantees +that +\fBsudo\fR +never lowers the umask when running a command. +Note: on systems that use PAM, the default PAM configuration may specify +its own umask which will override the value set in +\fIsudoers\fR. +.PP +\fBStrings\fR: +.TP 18n +badpass_message Message that is displayed if a user enters an incorrect password. -The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled. -.IP "editor" 16 -.IX Item "editor" -A colon (':') separated list of editors allowed to be used with -\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's -\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the -list that exists and is executable. The default is \f(CW"@editor@"\fR. -.IP "iolog_dir" 16 -.IX Item "iolog_dir" -The directory in which to store input/output logs when the \fIlog_input\fR -or \fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or -\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. -The default is \f(CW"@iolog_dir@"\fR. -.IP "mailsub" 16 -.IX Item "mailsub" -Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR +The default is +\fR@badpass_message@\fR +unless insults are enabled. +.TP 18n +editor +A colon +(`:\&') +separated list of editors allowed to be used with +\fBvisudo\fR. +\fBvisudo\fR +will choose the editor that matches the user's +\fREDITOR\fR +environment variable if possible, or the first editor in the +list that exists and is executable. +The default is +\fI@editor@\fR. +.TP 18n +iolog_dir +The directory in which to store input/output logs when the +\fIlog_input\fR +or +\fIlog_output\fR +options are enabled or when the +\fRLOG_INPUT\fR +or +\fRLOG_OUTPUT\fR +tags are present for a command. +The default is +\fI@iolog_dir@\fR. +.TP 18n +mailsub +Subject of the mail sent to the +\fImailto\fR +user. +The escape +\fR%h\fR will expand to the host name of the machine. -Default is "\f(CW\*(C`@mailsub@\*(C'\fR". -.IP "noexec_file" 16 -.IX Item "noexec_file" -Path to a shared library containing dummy versions of the \fIexecv()\fR, -\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error. -This is used to implement the \fInoexec\fR functionality on systems that -support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR. -.IP "passprompt" 16 -.IX Item "passprompt" -The default prompt to use when asking for a password; can be overridden -via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable. -The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported: -.RS 16 -.ie n .IP "%H" 4 -.el .IP "\f(CW%H\fR" 4 -.IX Item "%H" +Default is +``\fR@mailsub@\fR''. +.TP 18n +noexec_file +The +\fInoexec\fR +option specifies the the fully-qualified path to a shared library +containing dummy versions of the +\fBexecv\fR(), +\fBexecve\fR() +and +\fBfexecve\fR() +library functions that just return an error. +This is used to implement the +\fInoexec\fR +functionality on systems that support +\fRLD_PRELOAD\fR +or its equivalent. +Defaults to +\fI@noexec_file@\fR. +.TP 18n +passprompt +The default prompt to use when asking for a password; can be overridden via the +\fB\-p\fR +option or the +\fRSUDO_PROMPT\fR +environment variable. +The following percent +(`%') +escape sequences are supported: +.RS +.TP 6n +\fR%H\fR expanded to the local host name including the domain name -(on if the machine's host name is fully qualified or the \fIfqdn\fR +(only if the machine's host name is fully qualified or the +\fIfqdn\fR option is set) -.ie n .IP "%h" 4 -.el .IP "\f(CW%h\fR" 4 -.IX Item "%h" +.TP 6n +\fR%h\fR expanded to the local host name without the domain name -.ie n .IP "%p" 4 -.el .IP "\f(CW%p\fR" 4 -.IX Item "%p" -expanded to the user whose password is being asked for (respects the -\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR) -.ie n .IP "%U" 4 -.el .IP "\f(CW%U\fR" 4 -.IX Item "%U" +.TP 6n +\fR%p\fR +expanded to the user whose password is being asked for (respects the +\fIrootpw\fR, +\fItargetpw\fR +and +\fIrunaspw\fR +flags in +\fIsudoers\fR) +.TP 6n +\fR\&%U\fR expanded to the login name of the user the command will be run as (defaults to root) -.ie n .IP "%u" 4 -.el .IP "\f(CW%u\fR" 4 -.IX Item "%u" +.TP 6n +\fR%u\fR expanded to the invoking user's login name -.ie n .IP "\*(C`%%\*(C'" 4 -.el .IP "\f(CW\*(C`%%\*(C'\fR" 4 -.IX Item "%%" -two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character -.RE -.RS 16 -.Sp -The default value is "\f(CW\*(C`@passprompt@\*(C'\fR". +.TP 6n +\fR%%\fR +two consecutive +\fR%\fR +characters are collapsed into a single +\fR%\fR +character +.PP +The default value is +``\fR@passprompt@\fR''. +.PP .RE -.if \n(SL \{\ -.IP "role" 16 -.IX Item "role" +.PD 0 +.TP 18n +privs +The default Solaris privileges to use when constructing a new +privilege set for a command. +This is passed to the executing process via the inherited privilege set, +but is bounded by the limit privileges. +If the +\fIprivs\fR +option is specified but the +\fIlimitprivs\fR +option is not, the limit privileges of the executing process is set to +\fIprivs\fR. +The default privileges may be overridden on a per-command basis in +\fIsudoers\fR. +This option is only available if +\fBsudoers\fR +is built on Solaris 10 or higher. +.PD +.TP 18n +role The default SELinux role to use when constructing a new security -context to run the command. The default role may be overridden on -a per-command basis in \fIsudoers\fR or via command line options. -This option is only available whe \fBsudo\fR is built with SELinux support. -\} -.IP "runas_default" 16 -.IX Item "runas_default" -The default user to run commands as if the \fB\-u\fR option is not specified -on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR. -.IP "syslog_badpri" 16 -.IX Item "syslog_badpri" +context to run the command. +The default role may be overridden on a per-command basis in +\fIsudoers\fR +or via command line options. +This option is only available when +\fBsudo\fR +is built with SELinux support. +.TP 18n +runas_default +The default user to run commands as if the +\fB\-u\fR +option is not specified on the command line. +This defaults to +\fR@runas_default@\fR. +.TP 18n +syslog_badpri Syslog priority to use when user authenticates unsuccessfully. -Defaults to \f(CW\*(C`@badpri@\*(C'\fR. -.Sp -The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR, -\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR. -.IP "syslog_goodpri" 16 -.IX Item "syslog_goodpri" +Defaults to +\fR@badpri@\fR. +.sp +The following syslog priorities are supported: +\fBalert\fR, +\fBcrit\fR, +\fBdebug\fR, +\fBemerg\fR, +\fBerr\fR, +\fBinfo\fR, +\fBnotice\fR, +and +\fBwarning\fR. +.TP 18n +syslog_goodpri Syslog priority to use when user authenticates successfully. -Defaults to \f(CW\*(C`@goodpri@\*(C'\fR. -.Sp -See syslog_badpri for the list of supported syslog priorities. -.IP "sudoers_locale" 16 -.IX Item "sudoers_locale" +Defaults to +\fR@goodpri@\fR. +.sp +See +\fIsyslog_badpri\fR +for the list of supported syslog priorities. +.TP 18n +sudoers_locale Locale to use when parsing the sudoers file, logging commands, and -sending email. Note that changing the locale may affect how sudoers -is interpreted. Defaults to \f(CW"C"\fR. -.IP "timestampdir" 16 -.IX Item "timestampdir" -The directory in which \fBsudo\fR stores its timestamp files. -The default is \fI@timedir@\fR. -.IP "timestampowner" 16 -.IX Item "timestampowner" -The owner of the timestamp directory and the timestamps stored therein. -The default is \f(CW\*(C`root\*(C'\fR. -.if \n(SL \{\ -.IP "type" 16 -.IX Item "type" +sending email. +Note that changing the locale may affect how sudoers is interpreted. +Defaults to +``\fRC\fR''. +.TP 18n +timestampdir +The directory in which +\fBsudo\fR +stores its time stamp files. +The default is +\fI@timedir@\fR. +.TP 18n +timestampowner +The owner of the time stamp directory and the time stamps stored therein. +The default is +\fRroot\fR. +.TP 18n +type The default SELinux type to use when constructing a new security -context to run the command. The default type may be overridden on -a per-command basis in \fIsudoers\fR or via command line options. -This option is only available whe \fBsudo\fR is built with SELinux support. -\} -.PP -\&\fBStrings that can be used in a boolean context\fR: -.IP "askpass" 12 -.IX Item "askpass" -The \fIaskpass\fR option specifies the fully qualified path to a helper -program used to read the user's password when no terminal is -available. This may be the case when \fBsudo\fR is executed from a -graphical (as opposed to text-based) application. The program -specified by \fIaskpass\fR should display the argument passed to it -as the prompt and write the user's password to the standard output. -The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR +context to run the command. +The default type may be overridden on a per-command basis in +\fIsudoers\fR +or via command line options. +This option is only available when +\fBsudo\fR +is built with SELinux support. +.PP +\fBStrings that can be used in a boolean context\fR: +.TP 14n +askpass +The +\fIaskpass\fR +option specifies the fully qualified path to a helper program used +to read the user's password when no terminal is available. +This may be the case when +\fBsudo\fR +is executed from a graphical (as opposed to text-based) application. +The program specified by +\fIaskpass\fR +should display the argument passed to it as the prompt and write +the user's password to the standard output. +The value of +\fIaskpass\fR +may be overridden by the +\fRSUDO_ASKPASS\fR environment variable. -.IP "env_file" 12 -.IX Item "env_file" -The \fIenv_file\fR option specifies the fully qualified path to a -file containing variables to be set in the environment of the program -being run. Entries in this file should either be of the form -\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may -optionally be surrounded by single or double quotes. Variables in -this file are subject to other \fBsudo\fR environment settings such -as \fIenv_keep\fR and \fIenv_check\fR. -.IP "exempt_group" 12 -.IX Item "exempt_group" -Users in this group are exempt from password and \s-1PATH\s0 requirements. -The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix. +.TP 14n +env_file +The +\fIenv_file\fR +option specifies the fully qualified path to a file containing variables +to be set in the environment of the program being run. +Entries in this file should either be of the form +``\fRVARIABLE=value\fR'' +or +``\fRexport VARIABLE=value\fR''. +The value may optionally be surrounded by single or double quotes. +Variables in this file are subject to other +\fBsudo\fR +environment settings such as +\fIenv_keep\fR +and +\fIenv_check\fR. +.TP 14n +exempt_group +Users in this group are exempt from password and PATH requirements. +The group name specified should not include a +\fR%\fR +prefix. This is not set by default. -.IP "lecture" 12 -.IX Item "lecture" +.TP 14n +lecture This option controls when a short lecture will be printed along with -the password prompt. It has the following possible values: -.RS 12 -.IP "always" 8 -.IX Item "always" +the password prompt. +It has the following possible values: +.RS +.TP 8n +always Always lecture the user. -.IP "never" 8 -.IX Item "never" +.TP 8n +never Never lecture the user. -.IP "once" 8 -.IX Item "once" -Only lecture the user the first time they run \fBsudo\fR. -.RE -.RS 12 -.Sp -If no value is specified, a value of \fIonce\fR is implied. -Negating the option results in a value of \fInever\fR being used. -The default value is \fI@lecture@\fR. -.RE -.IP "lecture_file" 12 -.IX Item "lecture_file" -Path to a file containing an alternate \fBsudo\fR lecture that will -be used in place of the standard lecture if the named file exists. -By default, \fBsudo\fR uses a built-in lecture. -.IP "listpw" 12 -.IX Item "listpw" -This option controls when a password will be required when a -user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values: -.RS 12 -.IP "all" 8 -.IX Item "all" -All the user's \fIsudoers\fR entries for the current host must have -the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "always" 8 -.IX Item "always" -The user must always enter a password to use the \fB\-l\fR option. -.IP "any" 8 -.IX Item "any" -At least one of the user's \fIsudoers\fR entries for the current host -must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "never" 8 -.IX Item "never" -The user need never enter a password to use the \fB\-l\fR option. +.TP 8n +once +Only lecture the user the first time they run +\fBsudo\fR. +.PP +If no value is specified, a value of +\fIonce\fR +is implied. +Negating the option results in a value of +\fInever\fR +being used. +The default value is +\fI@lecture@\fR. +.PP .RE -.RS 12 -.Sp -If no value is specified, a value of \fIany\fR is implied. -Negating the option results in a value of \fInever\fR being used. -The default value is \fIany\fR. +.PD 0 +.TP 14n +lecture_file +Path to a file containing an alternate +\fBsudo\fR +lecture that will be used in place of the standard lecture if the named +file exists. +By default, +\fBsudo\fR +uses a built-in lecture. +.PD +.TP 14n +listpw +This option controls when a password will be required when a user runs +\fBsudo\fR +with the +\fB\-l\fR +option. +It has the following possible values: +.RS +.TP 10n +all +All the user's +\fIsudoers\fR +entries for the current host must have +the +\fRNOPASSWD\fR +flag set to avoid entering a password. +.TP 10n +always +The user must always enter a password to use the +\fB\-l\fR +option. +.TP 10n +any +At least one of the user's +\fIsudoers\fR +entries for the current host +must have the +\fRNOPASSWD\fR +flag set to avoid entering a password. +.TP 10n +never +The user need never enter a password to use the +\fB\-l\fR +option. +.PP +If no value is specified, a value of +\fIany\fR +is implied. +Negating the option results in a value of +\fInever\fR +being used. +The default value is +\fIany\fR. +.PP .RE -.IP "logfile" 12 -.IX Item "logfile" -Path to the \fBsudo\fR log file (not the syslog log file). Setting a path -turns on logging to a file; negating this option turns it off. -By default, \fBsudo\fR logs via syslog. -.IP "mailerflags" 12 -.IX Item "mailerflags" -Flags to use when invoking mailer. Defaults to \fB\-t\fR. -.IP "mailerpath" 12 -.IX Item "mailerpath" +.PD 0 +.TP 14n +logfile +Path to the +\fBsudo\fR +log file (not the syslog log file). +Setting a path turns on logging to a file; +negating this option turns it off. +By default, +\fBsudo\fR +logs via syslog. +.PD +.TP 14n +mailerflags +Flags to use when invoking mailer. Defaults to +\fB\-t\fR. +.TP 14n +mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. -.IP "mailfrom" 12 -.IX Item "mailfrom" -Address to use for the \*(L"from\*(R" address when sending warning and error -mail. The address should be enclosed in double quotes (\f(CW""\fR) to -protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to -the name of the user running \fBsudo\fR. -.IP "mailto" 12 -.IX Item "mailto" -Address to send warning and error mail to. The address should -be enclosed in double quotes (\f(CW""\fR) to protect against \fBsudo\fR -interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR. -.IP "secure_path" 12 -.IX Item "secure_path" -Path used for every command run from \fBsudo\fR. If you don't trust the -people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may -want to use this. Another use is if you want to have the \*(L"root path\*(R" -be separate from the \*(L"user path.\*(R" Users in the group specified by the -\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR. +.TP 14n +mailfrom +Address to use for the +``from'' +address when sending warning and error mail. +The address should be enclosed in double quotes +(\&"") +to protect against +\fBsudo\fR +interpreting the +\fR@\fR +sign. +Defaults to the name of the user running +\fBsudo\fR. +.TP 14n +mailto +Address to send warning and error mail to. +The address should be enclosed in double quotes +(\&"") +to protect against +\fBsudo\fR +interpreting the +\fR@\fR +sign. +Defaults to +\fR@mailto@\fR. +.TP 14n +secure_path +Path used for every command run from +\fBsudo\fR. +If you don't trust the +people running +\fBsudo\fR +to have a sane +\fRPATH\fR +environment variable you may want to use this. +Another use is if you want to have the +``root path'' +be separate from the +``user path''. +Users in the group specified by the +\fIexempt_group\fR +option are not affected by +\fIsecure_path\fR. This option is @secure_path@ by default. -.IP "syslog" 12 -.IX Item "syslog" +.TP 14n +syslog Syslog facility if syslog is being used for logging (negate to -disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR. -.Sp -The following syslog facilities are supported: \fBauthpriv\fR (if your -\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, -\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. -.IP "verifypw" 12 -.IX Item "verifypw" +disable syslog logging). +Defaults to +\fR@logfac@\fR. +.sp +The following syslog facilities are supported: +\fBauthpriv\fR +(if your +OS supports it), +\fBauth\fR, +\fBdaemon\fR, +\fBuser\fR, +\fBlocal0\fR, +\fBlocal1\fR, +\fBlocal2\fR, +\fBlocal3\fR, +\fBlocal4\fR, +\fBlocal5\fR, +\fBlocal6\fR, +and +\fBlocal7\fR. +.TP 14n +verifypw This option controls when a password will be required when a user runs -\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values: -.RS 12 -.IP "all" 8 -.IX Item "all" -All the user's \fIsudoers\fR entries for the current host must have -the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "always" 8 -.IX Item "always" -The user must always enter a password to use the \fB\-v\fR option. -.IP "any" 8 -.IX Item "any" -At least one of the user's \fIsudoers\fR entries for the current host -must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. -.IP "never" 8 -.IX Item "never" -The user need never enter a password to use the \fB\-v\fR option. -.RE -.RS 12 -.Sp -If no value is specified, a value of \fIall\fR is implied. -Negating the option results in a value of \fInever\fR being used. -The default value is \fIall\fR. +\fBsudo\fR +with the +\fB\-v\fR +option. +It has the following possible values: +.RS +.TP 8n +all +All the user's +\fIsudoers\fR +entries for the current host must have the +\fRNOPASSWD\fR +flag set to avoid entering a password. +.TP 8n +always +The user must always enter a password to use the +\fB\-v\fR +option. +.TP 8n +any +At least one of the user's +\fIsudoers\fR +entries for the current host must have the +\fRNOPASSWD\fR +flag set to avoid entering a password. +.TP 8n +never +The user need never enter a password to use the +\fB\-v\fR +option. +.PP +If no value is specified, a value of +\fIall\fR +is implied. +Negating the option results in a value of +\fInever\fR +being used. +The default value is +\fIall\fR. .RE .PP -\&\fBLists that can be used in a boolean context\fR: -.IP "env_check" 16 -.IX Item "env_check" +\fBLists that can be used in a boolean context\fR: +.TP 18n +env_check Environment variables to be removed from the user's environment if -the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can -be used to guard against printf-style format vulnerabilities in -poorly-written programs. The argument may be a double-quoted, -space-separated list or a single value without double-quotes. The -list can be replaced, added to, deleted from, or disabled by using -the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless -of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables -specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if -they pass the aforementioned check. The default list of environment -variables to check is displayed when \fBsudo\fR is run by root with -the \fB\-V\fR option. -.IP "env_delete" 16 -.IX Item "env_delete" -Environment variables to be removed from the user's environment -when the \fIenv_reset\fR option is not in effect. The argument may -be a double-quoted, space-separated list or a single value without -double-quotes. The list can be replaced, added to, deleted from, -or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators -respectively. The default list of environment variables to remove -is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. +the variable's value contains +`%' +or +`/' +characters. +This can be used to guard against printf-style format vulnerabilities +in poorly-written programs. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using +the +\fR=\fR, +\fR+=\fR, +\fR-=\fR, +and +\fR\&!\fR +operators respectively. +Regardless of whether the +\fRenv_reset\fR +option is enabled or disabled, variables specified by +\fRenv_check\fR +will be preserved in the environment if they pass the aforementioned check. +The default list of environment variables to check is displayed when +\fBsudo\fR +is run by root with +the +\fB\-V\fR +option. +.TP 18n +env_delete +Environment variables to be removed from the user's environment when the +\fIenv_reset\fR +option is not in effect. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using the +\fR=\fR, +\fR+=\fR, +\fR-=\fR, +and +\fR\&!\fR +operators respectively. +The default list of environment variables to remove is displayed when +\fBsudo\fR +is run by root with the +\fB\-V\fR +option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as -\&\fBsudo\fR). -.IP "env_keep" 16 -.IX Item "env_keep" -Environment variables to be preserved in the user's environment -when the \fIenv_reset\fR option is in effect. This allows fine-grained -control over the environment \fBsudo\fR\-spawned processes will receive. +\fBsudo\fR). +.TP 18n +env_keep +Environment variables to be preserved in the user's environment when the +\fIenv_reset\fR +option is in effect. +This allows fine-grained control over the environment +\fBsudo\fR-spawned +processes will receive. The argument may be a double-quoted, space-separated list or a -single value without double-quotes. The list can be replaced, added -to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and -\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep -is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using the +\fR=\fR, +\fR+=\fR, +\fR-=\fR, +and +\fR\&!\fR +operators respectively. +The default list of variables to keep +is displayed when +\fBsudo\fR +is run by root with the +\fB\-V\fR +option. .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 -.el .IP "\fI@sysconfdir@/sudoers\fR" 24 -.IX Item "@sysconfdir@/sudoers" +.TP 26n +\fI@sysconfdir@/sudoers\fR List of who can run what -.IP "\fI/etc/group\fR" 24 -.IX Item "/etc/group" +.TP 26n +\fI/etc/group\fR Local groups file -.IP "\fI/etc/netgroup\fR" 24 -.IX Item "/etc/netgroup" +.TP 26n +\fI/etc/netgroup\fR List of network groups -.ie n .IP "\fI@iolog_dir@\fR" 24 -.el .IP "\fI@iolog_dir@\fR" 24 -.IX Item "@iolog_dir@" +.TP 26n +\fI@iolog_dir@\fR I/O log files .SH "EXAMPLES" -.IX Header "EXAMPLES" -Below are example \fIsudoers\fR entries. Admittedly, some of -these are a bit contrived. First, we allow a few environment -variables to pass and then define our \fIaliases\fR: -.PP -.Vb 4 -\& # Run X applications through sudo; HOME is used to find the -\& # .Xauthority file. Note that other programs use HOME to find -\& # configuration files and this may lead to privilege escalation! -\& Defaults env_keep += "DISPLAY HOME" -\& -\& # User alias specification -\& User_Alias FULLTIMERS = millert, mikef, dowdy -\& User_Alias PARTTIMERS = bostley, jwfox, crawl -\& User_Alias WEBMASTERS = will, wendy, wim -\& -\& # Runas alias specification -\& Runas_Alias OP = root, operator -\& Runas_Alias DB = oracle, sybase -\& Runas_Alias ADMINGRP = adm, oper -\& -\& # Host alias specification -\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e -\& SGI = grolsch, dandelion, black :\e -\& ALPHA = widget, thalamus, foobar :\e -\& HPPA = boa, nag, python -\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0 -\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 -\& Host_Alias SERVERS = master, mail, www, ns -\& Host_Alias CDROM = orion, perseus, hercules -\& -\& # Cmnd alias specification -\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e -\& /usr/sbin/restore, /usr/sbin/rrestore -\& Cmnd_Alias KILL = /usr/bin/kill -\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm -\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown -\& Cmnd_Alias HALT = /usr/sbin/halt -\& Cmnd_Alias REBOOT = /usr/sbin/reboot -\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e -\& /usr/local/bin/tcsh, /usr/bin/rsh,\e -\& /usr/local/bin/zsh -\& Cmnd_Alias SU = /usr/bin/su -\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less -.Ve -.PP -Here we override some of the compiled in default values. We want -\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all -cases. We don't want to subject the full time staff to the \fBsudo\fR -lecture, user \fBmillert\fR need not give a password, and we don't -want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment -variables when running commands as root. Additionally, on the -machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional -local log file and make sure we log the year in each log line since -the log entries will be kept around for several years. Lastly, we -disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR -(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR). -.PP -.Vb 7 -\& # Override built\-in defaults -\& Defaults syslog=auth -\& Defaults>root !set_logname -\& Defaults:FULLTIMERS !lecture -\& Defaults:millert !authenticate -\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log -\& Defaults!PAGERS noexec -.Ve -.PP -The \fIUser specification\fR is the part that actually determines who may -run what. -.PP -.Vb 2 -\& root ALL = (ALL) ALL -\& %wheel ALL = (ALL) ALL -.Ve -.PP -We let \fBroot\fR and any user in group \fBwheel\fR run any command on any -host as any user. -.PP -.Vb 1 -\& FULLTIMERS ALL = NOPASSWD: ALL -.Ve -.PP -Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any -command on any host without authenticating themselves. -.PP -.Vb 1 -\& PARTTIMERS ALL = ALL -.Ve -.PP -Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any -command on any host but they must authenticate themselves first -(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag). -.PP -.Vb 1 -\& jack CSNETS = ALL -.Ve -.PP -The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias -(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR). -Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in -\&\s-1CIDR\s0 notation) indicating it is a class C network. For the other -networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used -during matching. -.PP -.Vb 1 -\& lisa CUNETS = ALL -.Ve -.PP -The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias -(the class B network \f(CW128.138.0.0\fR). -.PP -.Vb 2 -\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e -\& sudoedit /etc/printcap, /usr/oper/bin/ -.Ve -.PP -The \fBoperator\fR user may run commands limited to simple maintenance. -Here, those are commands related to backups, killing processes, the -printing system, shutting down the system, and any commands in the -directory \fI/usr/oper/bin/\fR. -.PP -.Vb 1 -\& joe ALL = /usr/bin/su operator -.Ve -.PP -The user \fBjoe\fR may only \fIsu\fR\|(1) to operator. +Below are example +\fIsudoers\fR +entries. +Admittedly, some of these are a bit contrived. +First, we allow a few environment variables to pass and then define our +\fIaliases\fR: +.nf +.sp +.RS 0n +# Run X applications through sudo; HOME is used to find the +# .Xauthority file. Note that other programs use HOME to find +# configuration files and this may lead to privilege escalation! +Defaults env_keep += "DISPLAY HOME" + +# User alias specification +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl +User_Alias WEBMASTERS = will, wendy, wim + +# Runas alias specification +Runas_Alias OP = root, operator +Runas_Alias DB = oracle, sybase +Runas_Alias ADMINGRP = adm, oper + +# Host alias specification +Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e + SGI = grolsch, dandelion, black :\e + ALPHA = widget, thalamus, foobar :\e + HPPA = boa, nag, python +Host_Alias CUNETS = 128.138.0.0/255.255.0.0 +Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 +Host_Alias SERVERS = master, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +# Cmnd alias specification +Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e + /usr/sbin/restore, /usr/sbin/rrestore +Cmnd_Alias KILL = /usr/bin/kill +Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +Cmnd_Alias HALT = /usr/sbin/halt +Cmnd_Alias REBOOT = /usr/sbin/reboot +Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e + /usr/local/bin/tcsh, /usr/bin/rsh,\e + /usr/local/bin/zsh +Cmnd_Alias SU = /usr/bin/su +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +.RE +.fi .PP -.Vb 1 -\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root -\& -\& %opers ALL = (: ADMINGRP) /usr/sbin/ -.Ve +Here we override some of the compiled in default values. +We want +\fBsudo\fR +to log via +syslog(3) +using the +\fIauth\fR +facility in all cases. +We don't want to subject the full time staff to the +\fBsudo\fR +lecture, user +\fBmillert\fR +need not give a password, and we don't want to reset the +\fRLOGNAME\fR, +\fRUSER\fR +or +\fRUSERNAME\fR +environment variables when running commands as root. +Additionally, on the machines in the +\fISERVERS\fR +\fRHost_Alias\fR, +we keep an additional local log file and make sure we log the year +in each log line since the log entries will be kept around for several years. +Lastly, we disable shell escapes for the commands in the PAGERS +\fRCmnd_Alias\fR +(\fI/usr/bin/more\fR, +\fI/usr/bin/pg\fR +and +\fI/usr/bin/less\fR) +\&. +.nf +.sp +.RS 0n +# Override built-in defaults +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec +.RE +.fi .PP -Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves -with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR -groups). +The +\fIUser specification\fR +is the part that actually determines who may run what. +.nf +.sp +.RS 0n +root ALL = (ALL) ALL +%wheel ALL = (ALL) ALL +.RE +.fi .PP -The user \fBpete\fR is allowed to change anyone's password except for -root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1) -does not take multiple user names on the command line. +We let +\fBroot\fR +and any user in group +\fBwheel\fR +run any command on any host as any user. +.nf +.sp +.RS 0n +FULLTIMERS ALL = NOPASSWD: ALL +.RE +.fi .PP -.Vb 1 -\& bob SPARC = (OP) ALL : SGI = (OP) ALL -.Ve +Full time sysadmins +(\fBmillert\fR, +\fBmikef\fR, +and +\fBdowdy\fR) +may run any command on any host without authenticating themselves. +.nf +.sp +.RS 0n +PARTTIMERS ALL = ALL +.RE +.fi .PP -The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines -as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR). +Part time sysadmins +\fBbostley\fR, +\fBjwfox\fR, +and +\fBcrawl\fR) +may run any command on any host but they must authenticate themselves +first (since the entry lacks the +\fRNOPASSWD\fR +tag). +.nf +.sp +.RS 0n +jack CSNETS = ALL +.RE +.fi .PP -.Vb 1 -\& jim +biglab = ALL -.Ve +The user +\fBjack\fR +may run any command on the machines in the +\fICSNETS\fR +alias (the networks +\fR128.138.243.0\fR, +\fR128.138.204.0\fR, +and +\fR128.138.242.0\fR). +Of those networks, only +\fR128.138.204.0\fR +has an explicit netmask (in CIDR notation) indicating it is a class C network. +For the other networks in +\fICSNETS\fR, +the local machine's netmask will be used during matching. +.nf +.sp +.RS 0n +lisa CUNETS = ALL +.RE +.fi .PP -The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup. -\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix. +The user +\fBlisa\fR +may run any command on any host in the +\fICUNETS\fR +alias (the class B network +\fR128.138.0.0\fR). +.nf +.sp +.RS 0n +operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e + sudoedit /etc/printcap, /usr/oper/bin/ +.RE +.fi .PP -.Vb 1 -\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser -.Ve +The +\fBoperator\fR +user may run commands limited to simple maintenance. +Here, those are commands related to backups, killing processes, the +printing system, shutting down the system, and any commands in the +directory +\fI/usr/oper/bin/\fR. +.nf +.sp +.RS 0n +joe ALL = /usr/bin/su operator +.RE +.fi .PP -Users in the \fBsecretaries\fR netgroup need to help manage the printers -as well as add and remove users, so they are allowed to run those -commands on all machines. +The user +\fBjoe\fR +may only +su(1) +to operator. +.nf +.sp +.RS 0n +pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + +%opers ALL = (: ADMINGRP) /usr/sbin/ +.RE +.fi .PP -.Vb 1 -\& fred ALL = (DB) NOPASSWD: ALL -.Ve +Users in the +\fBopers\fR +group may run commands in +\fI/usr/sbin/\fR +as themselves +with any group in the +\fIADMINGRP\fR +\fRRunas_Alias\fR +(the +\fBadm\fR +and +\fBoper\fR +groups). .PP -The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR -(\fBoracle\fR or \fBsybase\fR) without giving a password. +The user +\fBpete\fR +is allowed to change anyone's password except for +root on the +\fIHPPA\fR +machines. +Note that this assumes +passwd(1) +does not take multiple user names on the command line. +.nf +.sp +.RS 0n +bob SPARC = (OP) ALL : SGI = (OP) ALL +.RE +.fi .PP -.Vb 1 -\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root* -.Ve +The user +\fBbob\fR +may run anything on the +\fISPARC\fR +and +\fISGI\fR +machines as any user listed in the +\fIOP\fR +\fRRunas_Alias\fR +(\fBroot\fR +and +\fBoperator\fR.) +.nf +.sp +.RS 0n +jim +biglab = ALL +.RE +.fi .PP -On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root -but he is not allowed to specify any options to the \fIsu\fR\|(1) command. +The user +\fBjim\fR +may run any command on machines in the +\fIbiglab\fR +netgroup. +\fBsudo\fR +knows that +``biglab'' +is a netgroup due to the +`+' +prefix. +.nf +.sp +.RS 0n ++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser +.RE +.fi .PP -.Vb 1 -\& jen ALL, !SERVERS = ALL -.Ve +Users in the +\fBsecretaries\fR +netgroup need to help manage the printers as well as add and remove users, +so they are allowed to run those commands on all machines. +.nf +.sp +.RS 0n +fred ALL = (DB) NOPASSWD: ALL +.RE +.fi .PP -The user \fBjen\fR may run any command on any machine except for those -in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns). +The user +\fBfred\fR +can run commands as any user in the +\fIDB\fR +\fRRunas_Alias\fR +(\fBoracle\fR +or +\fBsybase\fR) +without giving a password. +.nf +.sp +.RS 0n +john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* +.RE +.fi .PP -.Vb 1 -\& jill SERVERS = /usr/bin/, !SU, !SHELLS -.Ve +On the +\fIALPHA\fR +machines, user +\fBjohn\fR +may su to anyone except root but he is not allowed to specify any options +to the +su(1) +command. +.nf +.sp +.RS 0n +jen ALL, !SERVERS = ALL +.RE +.fi .PP -For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run -any commands in the directory \fI/usr/bin/\fR except for those commands -belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR. +The user +\fBjen\fR +may run any command on any machine except for those in the +\fISERVERS\fR +\fRHost_Alias\fR +(master, mail, www and ns). +.nf +.sp +.RS 0n +jill SERVERS = /usr/bin/, !SU, !SHELLS +.RE +.fi .PP -.Vb 1 -\& steve CSNETS = (operator) /usr/local/op_commands/ -.Ve +For any machine in the +\fISERVERS\fR +\fRHost_Alias\fR, +\fBjill\fR +may run +any commands in the directory +\fI/usr/bin/\fR +except for those commands +belonging to the +\fISU\fR +and +\fISHELLS\fR +\fRCmnd_Aliases\fR. +.nf +.sp +.RS 0n +steve CSNETS = (operator) /usr/local/op_commands/ +.RE +.fi .PP -The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/ +The user +\fBsteve\fR +may run any command in the directory /usr/local/op_commands/ but only as user operator. +.nf +.sp +.RS 0n +matt valkyrie = KILL +.RE +.fi .PP -.Vb 1 -\& matt valkyrie = KILL -.Ve -.PP -On his personal workstation, valkyrie, \fBmatt\fR needs to be able to -kill hung processes. -.PP -.Vb 1 -\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www -.Ve -.PP -On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will, -wendy, and wim), may run any command as user www (which owns the -web pages) or simply \fIsu\fR\|(1) to www. +On his personal workstation, valkyrie, +\fBmatt\fR +needs to be able to kill hung processes. +.nf +.sp +.RS 0n +WEBMASTERS www = (www) ALL, (root) /usr/bin/su www +.RE +.fi .PP -.Vb 2 -\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e -\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM -.Ve +On the host www, any user in the +\fIWEBMASTERS\fR +\fRUser_Alias\fR +(will, wendy, and wim), may run any command as user www (which owns the +web pages) or simply +su(1) +to www. +.nf +.sp +.RS 0n +ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM +.RE +.fi .PP -Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0 -\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password. +Any user may mount or unmount a CD-ROM on the machines in the CDROM +\fRHost_Alias\fR +(orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. .SH "SECURITY NOTES" -.IX Header "SECURITY NOTES" -It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR -using the '!' operator. A user can trivially circumvent this -by copying the desired command to a different name and then -executing that. For example: -.PP -.Vb 1 -\& bill ALL = ALL, !SU, !SHELLS -.Ve -.PP -Doesn't really prevent \fBbill\fR from running the commands listed in -\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a -different name, or use a shell escape from an editor or other -program. Therefore, these kind of restrictions should be considered +.SS "Limitations of the `!\&' operator" +It is generally not effective to +``subtract'' +commands from +\fBALL\fR +using the +`!\&' +operator. +A user can trivially circumvent this by copying the desired command +to a different name and then executing that. +For example: +.nf +.sp +.RS 0n +bill ALL = ALL, !SU, !SHELLS +.RE +.fi +.PP +Doesn't really prevent +\fBbill\fR +from running the commands listed in +\fISU\fR +or +\fISHELLS\fR +since he can simply copy those commands to a different name, or use +a shell escape from an editor or other program. +Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). .PP -Furthermore, if the \fIfast_glob\fR option is in use, it is not possible -to reliably negate commands where the path name includes globbing -(aka wildcard) characters. This is because the C library's -\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this -is typically only an inconvenience for rules that grant privileges, -it can result in a security issue for rules that subtract or revoke -privileges. -.PP -For example, given the following \fIsudoers\fR entry: -.PP -.Vb 2 -\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,\e -\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root -.Ve -.PP -User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is -enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead. -.SH "PREVENTING SHELL ESCAPES" -.IX Header "PREVENTING SHELL ESCAPES" -Once \fBsudo\fR executes a program, that program is free to do whatever -it pleases, including run other programs. This can be a security -issue since it is not uncommon for a program to allow shell escapes, -which lets a user bypass \fBsudo\fR's access control and logging. +In general, if a user has sudo +\fBALL\fR +there is nothing to prevent them from creating their own program that gives +them a root shell (or making their own copy of a shell) regardless of any +`!\&' +elements in the user specification. +.SS "Security implications of \fIfast_glob\fR" +If the +\fIfast_glob\fR +option is in use, it is not possible to reliably negate commands where the +path name includes globbing (aka wildcard) characters. +This is because the C library's +fnmatch(3) +function cannot resolve relative paths. +While this is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke privileges. +.PP +For example, given the following +\fIsudoers\fR +entry: +.nf +.sp +.RS 0n +john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root +.RE +.fi +.PP +User +\fBjohn\fR +can still run +\fR/usr/bin/passwd root\fR +if +\fIfast_glob\fR +is enabled by changing to +\fI/usr/bin\fR +and running +\fR./passwd root\fR +instead. +.SS "Preventing Shell Escapes" +Once +\fBsudo\fR +executes a program, that program is free to do whatever +it pleases, including run other programs. +This can be a security issue since it is not uncommon for a program to +allow shell escapes, which lets a user bypass +\fBsudo\fR's +access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs. .PP There are two basic approaches to this problem: -.IP "restrict" 10 -.IX Item "restrict" +.TP 10n +restrict Avoid giving users access to commands that allow the user to run -arbitrary commands. Many editors have a restricted mode where shell -escapes are disabled, though \fBsudoedit\fR is a better solution to -running editors via \fBsudo\fR. Due to the large number of programs that +arbitrary commands. +Many editors have a restricted mode where shell +escapes are disabled, though +\fBsudoedit\fR +is a better solution to +running editors via +\fBsudo\fR. +Due to the large number of programs that offer shell escapes, restricting users to the set of programs that do not is often unworkable. -.IP "noexec" 10 -.IX Item "noexec" +.TP 10n +noexec Many systems that support shared libraries have the ability to override default library functions by pointing an environment -variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library. -On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to -prevent a program run by \fBsudo\fR from executing any other programs. +variable (usually +\fRLD_PRELOAD\fR) +to an alternate shared library. +On such systems, +\fBsudo\fR's +\fInoexec\fR +functionality can be used to prevent a program run by +\fBsudo\fR +from executing any other programs. Note, however, that this applies only to native dynamically-linked -executables. Statically-linked executables and foreign executables +executables. +Statically-linked executables and foreign executables running under binary emulation are not affected. -.Sp -To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run -the following as root: -.Sp -.Vb 1 -\& sudo \-V | grep "dummy exec" -.Ve -.Sp -If the resulting output contains a line that begins with: -.Sp -.Vb 1 -\& File containing dummy exec functions: -.Ve -.Sp -then \fBsudo\fR may be able to replace the exec family of functions -in the standard library with its own that simply return an error. -Unfortunately, there is no foolproof way to know whether or not -\&\fInoexec\fR will work at compile-time. \fInoexec\fR should work on -SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX -11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR -is expected to work on most operating systems that support the -\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's -manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, -dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported. -.Sp -To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented -in the User Specification section above. Here is that example again: -.Sp -.Vb 1 -\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi -.Ve -.Sp -This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR -with \fInoexec\fR enabled. This will prevent those two commands from -executing other commands (such as a shell). If you are unsure -whether or not your system is capable of supporting \fInoexec\fR you -can always just try it out and see if it works. -.PP -Note that restricting shell escapes is not a panacea. Programs -running as root are still capable of many potentially hazardous +.sp +The +\fInoexec\fR +feature is known to work on SunOS, Solaris, *BSD, +Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above. +It should be supported on most operating systems that support the +\fRLD_PRELOAD\fR +environment variable. +Check your operating system's manual pages for the dynamic linker +(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if +\fRLD_PRELOAD\fR +is supported. +.sp +On Solaris 10 and higher, +\fInoexec\fR +uses Solaris privileges instead of the +\fRLD_PRELOAD\fR +environment variable. +.sp +To enable +\fInoexec\fR +for a command, use the +\fRNOEXEC\fR +tag as documented +in the User Specification section above. +Here is that example again: +.RS +.nf +.sp +.RS 0n +aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.RE +.fi +.sp +This allows user +\fBaaron\fR +to run +\fI/usr/bin/more\fR +and +\fI/usr/bin/vi\fR +with +\fInoexec\fR +enabled. +This will prevent those two commands from +executing other commands (such as a shell). +If you are unsure whether or not your system is capable of supporting +\fInoexec\fR +you can always just try it out and check whether shell escapes work when +\fInoexec\fR +is enabled. +.RE +.PP +Note that restricting shell escapes is not a panacea. +Programs running as root are still capable of many potentially hazardous operations (such as changing or overwriting files) that could lead -to unintended privilege escalation. In the specific case of an -editor, a safer approach is to give the user permission to run -\&\fBsudoedit\fR. +to unintended privilege escalation. +In the specific case of an editor, a safer approach is to give the +user permission to run +\fBsudoedit\fR. .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8) +ssh(1), +su(1), +fnmatch(3), +glob(3), +mktemp(3), +strftime(3), +sudoers.ldap(@mansectform@), +sudo(@mansectsu@), +visudo(@mansectsu@) .SH "CAVEATS" -.IX Header "CAVEATS" -The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR -command which locks the file and does grammatical checking. It is -imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR -will not run with a syntactically incorrect \fIsudoers\fR file. +The +\fIsudoers\fR +file should +\fBalways\fR +be edited by the +\fBvisudo\fR +command which locks the file and does grammatical checking. +It is +imperative that +\fIsudoers\fR +be free of syntax errors since +\fBsudo\fR +will not run with a syntactically incorrect +\fIsudoers\fR +file. .PP When using netgroups of machines (as opposed to users), if you store fully qualified host name in the netgroup (as is usually the case), you either need to have the machine's host name be fully qualified -as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in -\&\fIsudoers\fR. +as returned by the +\fRhostname\fR +command or use the +\fIfqdn\fR +option in +\fIsudoers\fR. .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/sudoers.mdoc.in b/sudoers.mdoc.in new file mode 100644 index 000000000..2a5406d8c --- /dev/null +++ b/sudoers.mdoc.in @@ -0,0 +1,2955 @@ +.\" +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012 +.\" Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" Sponsored in part by the Defense Advanced Research Projects +.\" Agency (DARPA) and Air Force Research Laboratory, Air Force +.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. +.\" +.Dd July 16, 2012 +.Dt SUDOERS @mansectform@ +.Os Sudo @PACKAGE_VERSION@ +.Sh NAME +.Nm sudoers +.Nd list of which users may execute what +.Sh DESCRIPTION +The +.Em sudoers +file is composed of two types of entries: aliases +(basically variables) and user specifications (which specify who +may run what). +.Pp +When multiple entries match for a user, they are applied in order. +Where there are multiple matches, the last match is used (which is +not necessarily the most specific match). +.Pp +The +.Em sudoers +grammar will be described below in Extended Backus-Naur +Form (EBNF). +Don't despair if you are unfamiliar with EBNF; it is fairly simple, +and the definitions below are annotated. +.Ss Quick guide to EBNF +EBNF is a concise and exact way of describing the grammar of a language. +Each EBNF definition is made up of +.Em production rules . +E.g., +.Pp +.Li symbol ::= definition | alternate1 | alternate2 ... +.Pp +Each +.Em production rule +references others and thus makes up a +grammar for the language. +EBNF also contains the following +operators, which many readers will recognize from regular +expressions. +Do not, however, confuse them with +.Dq wildcard +characters, which have different meanings. +.Bl -tag -width 4n +.It Li \&? +Means that the preceding symbol (or group of symbols) is optional. +That is, it may appear once or not at all. +.It Li * +Means that the preceding symbol (or group of symbols) may appear +zero or more times. +.It Li + +Means that the preceding symbol (or group of symbols) may appear +one or more times. +.El +.Pp +Parentheses may be used to group symbols together. +For clarity, +we will use single quotes +.Pq '' +to designate what is a verbatim character string (as opposed to a symbol name). +.Ss Aliases +There are four kinds of aliases: +.Li User_Alias , +.Li Runas_Alias , +.Li Host_Alias +and +.Li Cmnd_Alias . +.Bd -literal +Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + +User_Alias ::= NAME '=' User_List + +Runas_Alias ::= NAME '=' Runas_List + +Host_Alias ::= NAME '=' Host_List + +Cmnd_Alias ::= NAME '=' Cmnd_List + +NAME ::= [A-Z]([A-Z][0-9]_)* +.Ed +.Pp +Each +.Em alias +definition is of the form +.Bd -literal +Alias_Type NAME = item1, item2, ... +.Ed +.Pp +where +.Em Alias_Type +is one of +.Li User_Alias , +.Li Runas_Alias , +.Li Host_Alias , +or +.Li Cmnd_Alias . +A +.Li NAME +is a string of uppercase letters, numbers, +and underscore characters +.Pq Ql _ . +A +.Li NAME +.Sy must +start with an +uppercase letter. +It is possible to put several alias definitions +of the same type on a single line, joined by a colon +.Pq Ql :\& . +E.g., +.Bd -literal +Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 +.Ed +.Pp +The definitions of what constitutes a valid +.Em alias +member follow. +.Bd -literal +User_List ::= User | + User ',' User_List + +User ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* +netgroup | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* User_Alias +.Ed +.Pp +A +.Li User_List +is made up of one or more user names, user ids +(prefixed with +.Ql # ) , +system group names and ids (prefixed with +.Ql % +and +.Ql %# +respectively), netgroups (prefixed with +.Ql + ) , +non-Unix group names and IDs (prefixed with +.Ql %: +and +.Ql %:# +respectively) and +.Li User_Alias Ns No es. +Each list item may be prefixed with zero or more +.Ql \&! +operators. +An odd number of +.Ql \&! +operators negate the value of +the item; an even number just cancel each other out. +.Pp +A +.Li user name , +.Li uid , +.Li group , +.Li gid , +.Li netgroup , +.Li nonunix_group +or +.Li nonunix_gid +may be enclosed in double quotes to avoid the +need for escaping special characters. +Alternately, special characters +may be specified in escaped hex mode, e.g.\& \ex20 for space. +When +using double quotes, any prefix characters must be included inside +the quotes. +.Pp +The actual +.Li nonunix_group +and +.Li nonunix_gid +syntax depends on +the underlying implementation. +For instance, the QAS AD backend supports the following formats: +.Bl -bullet -width 4n +.It +Group in the same domain: "%:Group Name" +.It +Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" +.It +Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" +.El +.Pp +Note that quotes around group names are optional. +Unquoted strings must use a backslash +.Pq Ql \e +to escape spaces and special characters. +See +.Sx Other special characters and reserved words +for a list of +characters that need to be escaped. +.Bd -literal +Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List + +Runas_Member ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* +netgroup | + '!'* Runas_Alias +.Ed +.Pp +A +.Li Runas_List +is similar to a +.Li User_List +except that instead +of +.Li User_Alias Ns No es +it can contain +.Li Runas_Alias Ns No es . +Note that +user names and groups are matched as strings. +In other words, two +users (groups) with the same uid (gid) are considered to be distinct. +If you wish to match all user names with the same uid (e.g.\& +root and toor), you can use a uid instead (#0 in the example given). +.Bd -literal +Host_List ::= Host | + Host ',' Host_List + +Host ::= '!'* host name | + '!'* ip_addr | + '!'* network(/netmask)? | + '!'* +netgroup | + '!'* Host_Alias +.Ed +.Pp +A +.Li Host_List +is made up of one or more host names, IP addresses, +network numbers, netgroups (prefixed with +.Ql + ) +and other aliases. +Again, the value of an item may be negated with the +.Ql \&! +operator. +If you do not specify a netmask along with the network number, +.Nm sudo +will query each of the local host's network interfaces and, +if the network number corresponds to one of the hosts's network +interfaces, the corresponding netmask will be used. +The netmask +may be specified either in standard IP address notation +(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), +or CIDR notation (number of bits, e.g.\& 24 or 64). +A host name may include shell-style wildcards (see the +.Sx Wildcards +section below), +but unless the +.Li host name +command on your machine returns the fully +qualified host name, you'll need to use the +.Em fqdn +option for wildcards to be useful. +Note that +.Nm sudo +only inspects actual network interfaces; this means that IP address +127.0.0.1 (localhost) will never match. +Also, the host name +.Dq localhost +will only match if that is the actual host name, which is usually +only the case for non-networked systems. +.Bd -literal +Cmnd_List ::= Cmnd | + Cmnd ',' Cmnd_List + +command name ::= file name | + file name args | + file name '""' + +Cmnd ::= '!'* command name | + '!'* directory | + '!'* "sudoedit" | + '!'* Cmnd_Alias +.Ed +.Pp +A +.Li Cmnd_List +is a list of one or more command names, directories, and other aliases. +A command name is a fully qualified file name which may include +shell-style wildcards (see the +.Sx Wildcards +section below). +A simple file name allows the user to run the command with any +arguments he/she wishes. +However, you may also specify command line arguments (including +wildcards). +Alternately, you can specify +.Li \&"" +to indicate that the command +may only be run +.Sy without +command line arguments. +A directory is a +fully qualified path name ending in a +.Ql / . +When you specify a directory in a +.Li Cmnd_List , +the user will be able to run any file within that directory +(but not in any sub-directories therein). +.Pp +If a +.Li Cmnd +has associated command line arguments, then the arguments +in the +.Li Cmnd +must match exactly those given by the user on the command line +(or match the wildcards if there are any). +Note that the following characters must be escaped with a +.Ql \e +if they are used in command arguments: +.Ql ,\& , +.Ql :\& , +.Ql =\& , +.Ql \e . +The special command +.Dq Li sudoedit +is used to permit a user to run +.Nm sudo +with the +.Fl e +option (or as +.Nm sudoedit ) . +It may take command line arguments just as a normal command does. +.Ss Defaults +Certain configuration options may be changed from their default +values at run-time via one or more +.Li Default_Entry +lines. +These may affect all users on any host, all users on a specific host, a +specific user, a specific command, or commands being run as a specific user. +Note that per-command entries may not include command line arguments. +If you need to specify arguments, define a +.Li Cmnd_Alias +and reference +that instead. +.Bd -literal +Default_Type ::= 'Defaults' | + 'Defaults' '@' Host_List | + 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | + 'Defaults' '>' Runas_List + +Default_Entry ::= Default_Type Parameter_List + +Parameter_List ::= Parameter | + Parameter ',' Parameter_List + +Parameter ::= Parameter '=' Value | + Parameter '+=' Value | + Parameter '-=' Value | + '!'* Parameter +.Ed +.Pp +Parameters may be +.Sy flags , +.Sy integer +values, +.Sy strings , +or +.Sy lists . +Flags are implicitly boolean and can be turned off via the +.Ql \&! +operator. +Some integer, string and list parameters may also be +used in a boolean context to disable them. +Values may be enclosed +in double quotes +.Pq \&"" +when they contain multiple words. +Special characters may be escaped with a backslash +.Pq Ql \e . +.Pp +Lists have two additional assignment operators, +.Li += +and +.Li -= . +These operators are used to add to and delete from a list respectively. +It is not an error to use the +.Li -= +operator to remove an element +that does not exist in a list. +.Pp +Defaults entries are parsed in the following order: generic, host +and user Defaults first, then runas Defaults and finally command +defaults. +.Pp +See +.Sx SUDOERS OPTIONS +for a list of supported Defaults parameters. +.Ss User Specification +.Bd -literal +User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e + (':' Host_List '=' Cmnd_Spec_List)* + +Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + +Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd + +Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + +SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + +Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') +.Ed +.Pp +A +.Sy user specification +determines which commands a user may run +(and as what user) on specified hosts. +By default, commands are +run as +.Sy root , +but this can be changed on a per-command basis. +.Pp +The basic structure of a user specification is +.Dq who where = (as_whom) what . +Let's break that down into its constituent parts: +.Ss Runas_Spec +A +.Li Runas_Spec +determines the user and/or the group that a command +may be run as. +A fully-specified +.Li Runas_Spec +consists of two +.Li Runas_List Ns No s +(as defined above) separated by a colon +.Pq Ql :\& +and enclosed in a set of parentheses. +The first +.Li Runas_List +indicates +which users the command may be run as via +.Nm sudo Ns No 's +.Fl u +option. +The second defines a list of groups that can be specified via +.Nm sudo Ns No 's +.Fl g +option. +If both +.Li Runas_List Ns No s +are specified, the command may be run with any combination of users +and groups listed in their respective +.Li Runas_List Ns No s. +If only the first is specified, the command may be run as any user +in the list but no +.Fl g +option +may be specified. +If the first +.Li Runas_List +is empty but the +second is specified, the command may be run as the invoking user +with the group set to any listed in the +.Li Runas_List . +If no +.Li Runas_Spec +is specified the command may be run as +.Sy root +and +no group may be specified. +.Pp +A +.Li Runas_Spec +sets the default for the commands that follow it. +What this means is that for the entry: +.Bd -literal +dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm +.Ed +.Pp +The user +.Sy dgb +may run +.Pa /bin/ls , +.Pa /bin/kill , +and +.Pa /usr/bin/lprm Ns No \(em Ns but +only as +.Sy operator . +E.g., +.Bd -literal +$ sudo -u operator /bin/ls +.Ed +.Pp +It is also possible to override a +.Li Runas_Spec +later on in an entry. +If we modify the entry like so: +.Bd -literal +dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm +.Ed +.Pp +Then user +.Sy dgb +is now allowed to run +.Pa /bin/ls +as +.Sy operator , +but +.Pa /bin/kill +and +.Pa /usr/bin/lprm +as +.Sy root . +.Pp +We can extend this to allow +.Sy dgb +to run +.Li /bin/ls +with either +the user or group set to +.Sy operator : +.Bd -literal +dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e + /usr/bin/lprm +.Ed +.Pp +Note that while the group portion of the +.Li Runas_Spec +permits the +user to run as command with that group, it does not force the user +to do so. +If no group is specified on the command line, the command +will run with the group listed in the target user's password database +entry. +The following would all be permitted by the sudoers entry above: +.Bd -literal +$ sudo -u operator /bin/ls +$ sudo -u operator -g operator /bin/ls +$ sudo -g operator /bin/ls +.Ed +.Pp +In the following example, user +.Sy tcm +may run commands that access +a modem device file with the dialer group. +.Bd -literal +tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e + /usr/local/bin/minicom +.Ed +.Pp +Note that in this example only the group will be set, the command +still runs as user +.Sy tcm . +E.g.\& +.Bd -literal +$ sudo -g dialer /usr/bin/cu +.Ed +.Pp +Multiple users and groups may be present in a +.Li Runas_Spec , +in which case the user may select any combination of users and groups via the +.Fl u +and +.Fl g +options. +In this example: +.Bd -literal +alan ALL = (root, bin : operator, system) ALL +.Ed +.Pp +user +.Sy alan +may run any command as either user root or bin, +optionally setting the group to operator or system. +.Ss SELinux_Spec +On systems with SELinux support, +.Em sudoers +entries may optionally have an SELinux role and/or type associated +with a command. +If a role or +type is specified with the command it will override any default values +specified in +.Em sudoers . +A role or type specified on the command line, +however, will supersede the values in +.Em sudoers . +.Ss Tag_Spec +A command may have zero or more tags associated with it. +There are +ten possible tag values: +.Li NOPASSWD , +.Li PASSWD , +.Li NOEXEC , +.Li EXEC , +.Li SETENV , +.Li NOSETENV , +.Li LOG_INPUT , +.Li NOLOG_INPUT , +.Li LOG_OUTPUT +and +.Li NOLOG_OUTPUT . +Once a tag is set on a +.Li Cmnd , +subsequent +.Li Cmnd Ns No s +in the +.Li Cmnd_Spec_List , +inherit the tag unless it is overridden by the opposite tag (in other words, +.Li PASSWD +overrides +.Li NOPASSWD +and +.Li NOEXEC +overrides +.Li EXEC ) . +.Pp +.Em NOPASSWD and PASSWD +.Pp +By default, +.Nm sudo +requires that a user authenticate him or herself +before running a command. +This behavior can be modified via the +.Li NOPASSWD +tag. +Like a +.Li Runas_Spec , +the +.Li NOPASSWD +tag sets +a default for the commands that follow it in the +.Li Cmnd_Spec_List . +Conversely, the +.Li PASSWD +tag can be used to reverse things. +For example: +.Bd -literal +ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm +.Ed +.Pp +would allow the user +.Sy ray +to run +.Pa /bin/kill , +.Pa /bin/ls , +and +.Pa /usr/bin/lprm +as +.Sy root +on the machine rushmore without authenticating himself. +If we only want +.Sy ray +to be able to +run +.Pa /bin/kill +without a password the entry would be: +.Bd -literal +ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm +.Ed +.Pp +Note, however, that the +.Li PASSWD +tag has no effect on users who are in the group specified by the +.Em exempt_group +option. +.Pp +By default, if the +.Li NOPASSWD +tag is applied to any of the entries for a user on the current host, +he or she will be able to run +.Dq Li sudo -l +without a password. +Additionally, a user may only run +.Dq Li sudo -v +without a password if the +.Li NOPASSWD +tag is present for all a user's entries that pertain to the current host. +This behavior may be overridden via the +.Em verifypw +and +.Em listpw +options. +.Pp +.Em NOEXEC and EXEC +.Pp +If +.Nm sudo +has been compiled with +.Em noexec +support and the underlying operating system supports it, the +.Li NOEXEC +tag can be used to prevent a dynamically-linked executable from +running further commands itself. +.Pp +In the following example, user +.Sy aaron +may run +.Pa /usr/bin/more +and +.Pa /usr/bin/vi +but shell escapes will be disabled. +.Bd -literal +aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.Ed +.Pp +See the +.Sx Preventing Shell Escapes +section below for more details on how +.Li NOEXEC +works and whether or not it will work on your system. +.Pp +.Em SETENV and NOSETENV +.Pp +These tags override the value of the +.Em setenv +option on a per-command basis. +Note that if +.Li SETENV +has been set for a command, the user may disable the +.Em env_reset +option from the command line via the +.Fl E +option. +Additionally, environment variables set on the command +line are not subject to the restrictions imposed by +.Em env_check , +.Em env_delete , +or +.Em env_keep . +As such, only trusted users should be allowed to set variables in this manner. +If the command matched is +.Sy ALL , +the +.Li SETENV +tag is implied for that command; this default may be overridden by use of the +.Li NOSETENV +tag. +.Pp +.Em LOG_INPUT and NOLOG_INPUT +.Pp +These tags override the value of the +.Em log_input +option on a per-command basis. +For more information, see the description of +.Em log_input +in the +.Sx SUDOERS OPTIONS +section below. +.Pp +.Em LOG_OUTPUT and NOLOG_OUTPUT +.Pp +These tags override the value of the +.Em log_output +option on a per-command basis. +For more information, see the description of +.Em log_output +in the +.Sx SUDOERS OPTIONS +section below. +.Ss Wildcards +.Nm sudo +allows shell-style +.Em wildcards +(aka meta or glob characters) +to be used in host names, path names and command line arguments in the +.Em sudoers +file. +Wildcard matching is done via the +.Sy POSIX +.Xr glob 3 +and +.Xr fnmatch 3 +routines. +Note that these are +.Em not +regular expressions. +.Bl -tag -width 8n +.It Li * +Matches any set of zero or more characters. +.It Li \&? +Matches any single character. +.It Li [...] +Matches any character in the specified range. +.It Li [!...] +Matches any character +.Sy not +in the specified range. +.It Li \ex +For any character +.Sq x , +evaluates to +.Sq x . +This is used to escape special characters such as: +.Ql * , +.Ql \&? , +.Ql [\& , +and +.Ql ]\& . +.El +.Pp +POSIX character classes may also be used if your system's +.Xr glob 3 +and +.Xr fnmatch 3 +functions support them. +However, because the +.Ql :\& +character has special meaning in +.Em sudoers , +it must be +escaped. +For example: +.Bd -literal -offset 4n +/bin/ls [[\:alpha\:]]* +.Ed +.Pp +Would match any file name beginning with a letter. +.Pp +Note that a forward slash +.Pq Ql / +will +.Sy not +be matched by +wildcards used in the path name. +This is to make a path like: +.Bd -literal -offset 4n +/usr/bin/* +.Ed +.Pp +match +.Pa /usr/bin/who +but not +.Pa /usr/bin/X11/xterm . +.Pp +When matching the command line arguments, however, a slash +.Sy does +get matched by wildcards since command line arguments may contain +arbitrary strings and not just path names. +.Pp +Wildcards in command line arguments should be used with care. +Because command line arguments are matched as a single, concatenated +string, a wildcard such as +.Ql \&? +or +.Ql * +can match multiple words. +For example, while a sudoers entry like: +.Bd -literal -offset 4n +%operator ALL = /bin/cat /var/log/messages* +.Ed +.Pp +will allow command like: +.Bd -literal -offset 4n +$ sudo cat /var/log/messages.1 +.Ed +.Pp +It will also allow: +.Bd -literal -offset 4n +$ sudo cat /var/log/messages /etc/shadow +.Ed +.Pp +which is probably not what was intended. +.Ss Exceptions to wildcard rules +The following exceptions apply to the above rules: +.Bl -tag -width 8n +.It Li \&"" +If the empty string +.Li \&"" +is the only command line argument in the +.Em sudoers +entry it means that command is not allowed to be run with +.Sy any +arguments. +.It sudoedit +Command line arguments to the +.Em sudoedit +built-in command should always be path names, so a forward slash +.Pq Ql / +will not be matched by a wildcard. +.El +.Ss Including other files from within sudoers +It is possible to include other +.Em sudoers +files from within the +.Em sudoers +file currently being parsed using the +.Li #include +and +.Li #includedir +directives. +.Pp +This can be used, for example, to keep a site-wide +.Em sudoers +file in addition to a local, per-machine file. +For the sake of this example the site-wide +.Em sudoers +will be +.Pa /etc/sudoers +and the per-machine one will be +.Pa /etc/sudoers.local . +To include +.Pa /etc/sudoers.local +from within +.Pa /etc/sudoers +we would use the +following line in +.Pa /etc/sudoers : +.Bd -literal -offset 4n +#include /etc/sudoers.local +.Ed +.Pp +When +.Nm sudo +reaches this line it will suspend processing of the current file +.Pq Pa /etc/sudoers +and switch to +.Pa /etc/sudoers.local . +Upon reaching the end of +.Pa /etc/sudoers.local , +the rest of +.Pa /etc/sudoers +will be processed. +Files that are included may themselves include other files. +A hard limit of 128 nested include files is enforced to prevent include +file loops. +.Pp +If the path to the include file is not fully-qualified (does not +begin with a +.Ql / , +it must be located in the same directory as the sudoers file it was +included from. +For example, if +.Pa /etc/sudoers +contains the line: +.Bd -literal -offset 4n +.Li #include sudoers.local +.Ed +.Pp +the file that will be included is +.Pa /etc/sudoers.local . +.Pp +The file name may also include the +.Li %h +escape, signifying the short form of the host name. +In other words, if the machine's host name is +.Dq xerxes , +then +.Bd -literal -offset 4n +#include /etc/sudoers.%h +.Ed +.Pp +will cause +.Nm sudo +to include the file +.Pa /etc/sudoers.xerxes . +.Pp +The +.Li #includedir +directive can be used to create a +.Pa sudo.d +directory that the system package manager can drop +.Em sudoers +rules +into as part of package installation. +For example, given: +.Bd -literal -offset 4n +#includedir /etc/sudoers.d +.Ed +.Pp +.Nm sudo +will read each file in +.Pa /etc/sudoers.d , +skipping file names that end in +.Ql ~ +or contain a +.Ql .\& +character to avoid causing problems with package manager or editor +temporary/backup files. +Files are parsed in sorted lexical order. +That is, +.Pa /etc/sudoers.d/01_first +will be parsed before +.Pa /etc/sudoers.d/10_second . +Be aware that because the sorting is lexical, not numeric, +.Pa /etc/sudoers.d/1_whoops +would be loaded +.Sy after +.Pa /etc/sudoers.d/10_second . +Using a consistent number of leading zeroes in the file names can be used +to avoid such problems. +.Pp +Note that unlike files included via +.Li #include , +.Nm visudo +will not edit the files in a +.Li #includedir +directory unless one of them contains a syntax error. +It is still possible to run +.Nm visudo +with the +.Fl f +flag to edit the files directly. +.Ss Other special characters and reserved words +The pound sign +.Pq Ql # +is used to indicate a comment (unless it is part of a #include +directive or unless it occurs in the context of a user name and is +followed by one or more digits, in which case it is treated as a +uid). +Both the comment character and any text after it, up to the end of +the line, are ignored. +.Pp +The reserved word +.Sy ALL +is a built-in +.Em alias +that always causes a match to succeed. +It can be used wherever one might otherwise use a +.Li Cmnd_Alias , +.Li User_Alias , +.Li Runas_Alias , +or +.Li Host_Alias . +You should not try to define your own +.Em alias +called +.Sy ALL +as the built-in alias will be used in preference to your own. +Please note that using +.Sy ALL +can be dangerous since in a command context, it allows the user to run +.Sy any +command on the system. +.Pp +An exclamation point +.Pq Ql \&! +can be used as a logical +.Em not +operator both in an +.Em alias +and in front of a +.Li Cmnd . +This allows one to exclude certain values. +Note, however, that using a +.Ql \&! +in conjunction with the built-in +.Sy ALL +alias to allow a user to run +.Dq all but a few +commands rarely works as intended (see +.Sx SECURITY NOTES +below). +.Pp +Long lines can be continued with a backslash +.Pq Ql \e +as the last character on the line. +.Pp +White space between elements in a list as well as special syntactic +characters in a +.Em User Specification +.Po +.Ql =\& , +.Ql :\& , +.Ql (\& , +.Ql )\& +.Pc +is optional. +.Pp +The following characters must be escaped with a backslash +.Pq Ql \e +when used as part of a word (e.g.\& a user name or host name): +.Ql \&! , +.Ql =\& , +.Ql :\& , +.Ql ,\& , +.Ql (\& , +.Ql )\& , +.Ql \e . +.Sh SUDOERS OPTIONS +.Nm sudo Ns No 's +behavior can be modified by +.Li Default_Entry +lines, as explained earlier. +A list of all supported Defaults parameters, grouped by type, are listed below. +.Pp +.Sy Boolean Flags : +.Bl -tag -width 16n +.It always_set_home +If enabled, +.Nm sudo +will set the +.Ev HOME +environment variable to the home directory of the target user +(which is root unless the +.Fl u +option is used). +This effectively means that the +.Fl H +option is always implied. +Note that +.Ev HOME +is already set when the the +.Em env_reset +option is enabled, so +.Em always_set_home +is only effective for configurations where either +.Em env_reset +is disabled or +.Ev HOME +is present in the +.Em env_keep +list. +This flag is +.Em off +by default. +.It authenticate +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. +This default may be overridden via the +.Li PASSWD +and +.Li NOPASSWD +tags. +This flag is +.Em on +by default. +.It closefrom_override +If set, the user may use +.Nm sudo Ns No 's +.Fl C +option which overrides the default starting point at which +.Nm sudo +begins closing open file descriptors. +This flag is +.Em off +by default. +.It compress_io +If set, and +.Nm sudo +is configured to log a command's input or output, +the I/O logs will be compressed using +.Sy zlib . +This flag is +.Em on +by default when +.Nm sudo +is compiled with +.Sy zlib +support. +.It env_editor +If set, +.Nm visudo +will use the value of the +.Ev EDITOR +or +.Ev VISUAL +environment variables before falling back on the default editor list. +Note that this may create a security hole as it allows the user to +run any arbitrary command as root without logging. +A safer alternative is to place a colon-separated list of editors +in the +.Li editor +variable. +.Nm visudo +will then only use the +.Ev EDITOR +or +.Ev VISUAL +if they match a value specified in +.Li editor . +This flag is +.Em @env_editor@ +by +default. +.It env_reset +If set, +.Nm sudo +will run the command in a minimal environment containing the +.Ev TERM , +.Ev PATH , +.Ev HOME , +.Ev MAIL , +.Ev SHELL , +.Ev LOGNAME , +.Ev USER , +.Ev USERNAME +and +.Ev SUDO_* +variables. +Any +variables in the caller's environment that match the +.Li env_keep +and +.Li env_check +lists are then added, followed by any variables present in the file +specified by the +.Em env_file +option (if any). +The default contents of the +.Li env_keep +and +.Li env_check +lists are displayed when +.Nm sudo +is run by root with the +.Fl V +option. +If the +.Em secure_path +option is set, its value will be used for the +.Ev PATH +environment variable. +This flag is +.Em @env_reset@ +by default. +.It fast_glob +Normally, +.Nm sudo +uses the +.Xr glob 3 +function to do shell-style globbing when matching path names. +However, since it accesses the file system, +.Xr glob 3 +can take a long time to complete for some patterns, especially +when the pattern references a network file system that is mounted +on demand (auto mounted). +The +.Em fast_glob +option causes +.Nm sudo +to use the +.Xr fnmatch 3 +function, which does not access the file system to do its matching. +The disadvantage of +.Em fast_glob +is that it is unable to match relative path names such as +.Pa ./ls +or +.Pa ../bin/ls . +This has security implications when path names that include globbing +characters are used with the negation operator, +.Ql !\& , +as such rules can be trivially bypassed. +As such, this option should not be used when +.Em sudoers +contains rules that contain negated path names which include globbing +characters. +This flag is +.Em off +by default. +.It fqdn +Set this flag if you want to put fully qualified host names in the +.Em sudoers +file when the local host name (as returned by the +.Li hostname +command) does not contain the domain name. +In other words, instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +This option is only effective when the +.Dq canonical +host name, as returned by the +.Fn getaddrinfo +or +.Fn gethostbyname +function, is a fully-qualified domain name. +This is usually the case when the system is configured to use DNS +for host name resolution. +.Pp +If the system is configured to use the +.Pa /etc/hosts +file in preference to DNS, the +.Dq canonical +host name may not be fully-qualified. +The order that sources are queried for hosts name resolution +is usually specified in the +.Pa @nsswitch_conf@ , +.Pa @netsvc_conf@ , +.Pa /etc/host.conf , +or, in some cases, +.Pa /etc/resolv.conf +file. +In the +.Pa /etc/hosts +file, the first host name of the entry is considered to be the +.Dq canonical +name; subsequent names are aliases that are not used by +.Nm sudoers . +For example, the following hosts file line for the machine +.Dq xyzzy +has the fully-qualified domain name as the +.Dq canonical +host name, and the short version as an alias. +.sp +.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy +.sp +If the machine's hosts file entry is not formatted properly, the +.Em fqdn +option will not be effective if it is queried before DNS. +.Pp +Beware that when using DNS for host name resolution, turning on +.Em fqdn +requires +.Nm sudoers +to make DNS lookups which renders +.Nm sudo +unusable if DNS stops working (for example if the machine is disconnected +from the network). +Also note that just like with the hosts file, you must use the +.Dq canonical +name as DNS knows it. +That is, you may not use a host alias +.Po +.Li CNAME +entry +.Pc +due to performance issues and the fact that there is no way to get all +aliases from DNS. +.Pp +This flag is +.Em @fqdn@ +by default. +.It ignore_dot +If set, +.Nm sudo +will ignore "." or "" (both denoting current directory) in the +.Ev PATH +environment variable; the +.Ev PATH +itself is not modified. +This flag is +.Em @ignore_dot@ +by default. +.It ignore_local_sudoers +If set via LDAP, parsing of +.Pa @sysconfdir@/sudoers +will be skipped. +This is intended for Enterprises that wish to prevent the usage of local +sudoers files so that only LDAP is used. +This thwarts the efforts of rogue operators who would attempt to add roles to +.Pa @sysconfdir@/sudoers . +When this option is present, +.Pa @sysconfdir@/sudoers +does not even need to exist. +Since this option tells +.Nm sudo +how to behave when no specific LDAP entries have been matched, this +sudoOption is only meaningful for the +.Li cn=defaults +section. +This flag is +.Em off +by default. +.It insults +If set, +.Nm sudo +will insult users when they enter an incorrect password. +This flag is +.Em @insults@ +by default. +.It log_host +If set, the host name will be logged in the (non-syslog) +.Nm sudo +log file. +This flag is +.Em off +by default. +.It log_input +If set, +.Nm sudo +will run the command in a +.Em pseudo tty +and log all user input. +If the standard input is not connected to the user's tty, due to +I/O redirection or because the command is part of a pipeline, that +input is also captured and stored in a separate log file. +.Pp +Input is logged to the directory specified by the +.Em iolog_dir +option +.Po +.Pa @iolog_dir@ +by default +.Pc +using a unique session ID that is included in the normal +.Nm sudo +log line, prefixed with +.Dq Li TSID= . +.Pp +Note that user input may contain sensitive information such as +passwords (even if they are not echoed to the screen), which will +be stored in the log file unencrypted. +In most cases, logging the command output via +.Em log_output +is all that is required. +.It log_output +If set, +.Nm sudo +will run the command in a +.Em pseudo tty +and log all output that is sent to the screen, similar to the +.Xr script 1 +command. +If the standard output or standard error is not connected to the +user's tty, due to I/O redirection or because the command is part +of a pipeline, that output is also captured and stored in separate +log files. +.Pp +Output is logged to the directory specified by the +.Em iolog_dir +option +.Po +.Pa @iolog_dir@ +by default +.Pc +using a unique session ID that is included in the normal +.Nm sudo +log line, prefixed with +.Dq Li TSID= . +.Pp +Output logs may be viewed with the +.Xr sudoreplay @mansectsu@ +utility, which can also be used to list or search the available logs. +.It log_year +If set, the four-digit year will be logged in the (non-syslog) +.Nm sudo +log file. +This flag is +.Em off +by default. +.It long_otp_prompt +When validating with a One Time Password (OTP) scheme such as +.Sy S/Key +or +.Sy OPIE , +a two-line prompt is used to make it easier +to cut and paste the challenge to a local window. +It's not as pretty as the default but some people find it more convenient. +This flag is +.Em @long_otp_prompt@ +by default. +.It mail_always +Send mail to the +.Em mailto +user every time a users runs +.Nm sudo . +This flag is +.Em off +by default. +.It mail_badpass +Send mail to the +.Em mailto +user if the user running +.Nm sudo +does not enter the correct password. +If the command the user is attempting to run is not permitted by +.Em sudoers +and one of the +.Em mail_always , +.Em mail_no_host , +.Em mail_no_perms +or +.Em mail_no_user +flags are set, this flag will have no effect. +This flag is +.Em off +by default. +.It mail_no_host +If set, mail will be sent to the +.Em mailto +user if the invoking user exists in the +.Em sudoers +file, but is not allowed to run commands on the current host. +This flag is +.Em @mail_no_host@ +by default. +.It mail_no_perms +If set, mail will be sent to the +.Em mailto +user if the invoking user is allowed to use +.Nm sudo +but the command they are trying is not listed in their +.Em sudoers +file entry or is explicitly denied. +This flag is +.Em @mail_no_perms@ +by default. +.It mail_no_user +If set, mail will be sent to the +.Em mailto +user if the invoking user is not in the +.Em sudoers +file. +This flag is +.Em @mail_no_user@ +by default. +.It noexec +If set, all commands run via +.Nm sudo +will behave as if the +.Li NOEXEC +tag has been set, unless overridden by a +.Li EXEC +tag. +See the description of +.Em NOEXEC and EXEC +below as well as the +.Sx Preventing Shell Escapes +section at the end of this manual. +This flag is +.Em off +by default. +.It path_info +Normally, +.Nm sudo +will tell the user when a command could not be +found in their +.Ev PATH +environment variable. +Some sites may wish to disable this as it could be used to gather +information on the location of executables that the normal user does +not have access to. +The disadvantage is that if the executable is simply not in the user's +.Ev PATH , +.Nm sudo +will tell the user that they are not allowed to run it, which can be confusing. +This flag is +.Em @path_info@ +by default. +.It passprompt_override +The password prompt specified by +.Em passprompt +will normally only be used if the password prompt provided by systems +such as PAM matches the string +.Dq Password: . +If +.Em passprompt_override +is set, +.Em passprompt +will always be used. +This flag is +.Em off +by default. +.It preserve_groups +By default, +.Nm sudo +will initialize the group vector to the list of groups the target user is in. +When +.Em preserve_groups +is set, the user's existing group vector is left unaltered. +The real and effective group IDs, however, are still set to match the +target user. +This flag is +.Em off +by default. +.It pwfeedback +By default, +.Nm sudo +reads the password like most other Unix programs, +by turning off echo until the user hits the return (or enter) key. +Some users become confused by this as it appears to them that +.Nm sudo +has hung at this point. +When +.Em pwfeedback +is set, +.Nm sudo +will provide visual feedback when the user presses a key. +Note that this does have a security impact as an onlooker may be able to +determine the length of the password being entered. +This flag is +.Em off +by default. +.It requiretty +If set, +.Nm sudo +will only run when the user is logged in to a real tty. +When this flag is set, +.Nm sudo +can only be run from a login session and not via other means such as +.Xr cron @mansectsu@ +or cgi-bin scripts. +This flag is +.Em off +by default. +.It root_sudo +If set, root is allowed to run +.Nm sudo +too. +Disabling this prevents users from +.Dq chaining +.Nm sudo +commands to get a root shell by doing something like +.Dq Li sudo sudo /bin/sh . +Note, however, that turning off +.Em root_sudo +will also prevent root from running +.Nm sudoedit . +Disabling +.Em root_sudo +provides no real additional security; it exists purely for historical reasons. +This flag is +.Em @root_sudo@ +by default. +.It rootpw +If set, +.Nm sudo +will prompt for the root password instead of the password of the invoking user. +This flag is +.Em off +by default. +.It runaspw +If set, +.Nm sudo +will prompt for the password of the user defined by the +.Em runas_default +option (defaults to +.Li @runas_default@ ) +instead of the password of the invoking user. +This flag is +.Em off +by default. +.It set_home +If enabled and +.Nm sudo +is invoked with the +.Fl s +option the +.Ev HOME +environment variable will be set to the home directory of the target +user (which is root unless the +.Fl u +option is used). +This effectively makes the +.Fl s +option imply +.Fl H . +Note that +.Ev HOME +is already set when the the +.Em env_reset +option is enabled, so +.Em set_home +is only effective for configurations where either +.Em env_reset +is disabled +or +.Ev HOME +is present in the +.Em env_keep +list. +This flag is +.Em off +by default. +.It set_logname +Normally, +.Nm sudo +will set the +.Ev LOGNAME , +.Ev USER +and +.Ev USERNAME +environment variables to the name of the target user (usually root unless the +.Fl u +option is given). +However, since some programs (including the RCS revision control system) use +.Ev LOGNAME +to determine the real identity of the user, it may be desirable to +change this behavior. +This can be done by negating the set_logname option. +Note that if the +.Em env_reset +option has not been disabled, entries in the +.Em env_keep +list will override the value of +.Em set_logname . +This flag is +.Em on +by default. +.It setenv +Allow the user to disable the +.Em env_reset +option from the command line via the +.Fl E +option. +Additionally, environment variables set via the command line are +not subject to the restrictions imposed by +.Em env_check , +.Em env_delete , +or +.Em env_keep . +As such, only trusted users should be allowed to set variables in this manner. +This flag is +.Em off +by default. +.It shell_noargs +If set and +.Nm sudo +is invoked with no arguments it acts as if the +.Fl s +option had been given. +That is, it runs a shell as root (the shell is determined by the +.Ev SHELL +environment variable if it is set, falling back on the shell listed +in the invoking user's /etc/passwd entry if not). +This flag is +.Em off +by default. +.It stay_setuid +Normally, when +.Nm sudo +executes a command the real and effective UIDs are set to the target +user (root by default). +This option changes that behavior such that the real UID is left +as the invoking user's UID. +In other words, this makes +.Nm sudo +act as a setuid wrapper. +This can be useful on systems that disable some potentially +dangerous functionality when a program is run setuid. +This option is only effective on systems that support either the +.Xr setreuid 2 +or +.Xr setresuid 2 +system call. +This flag is +.Em off +by default. +.It targetpw +If set, +.Nm sudo +will prompt for the password of the user specified +by the +.Fl u +option (defaults to +.Li root ) +instead of the password of the invoking user. +In addition, the time stamp file name will include the target user's name. +Note that this flag precludes the use of a uid not listed in the passwd +database as an argument to the +.Fl u +option. +This flag is +.Em off +by default. +.It tty_tickets +If set, users must authenticate on a per-tty basis. +With this flag enabled, +.Nm sudo +will use a file named for the tty the user is +logged in on in the user's time stamp directory. +If disabled, the time stamp of the directory is used instead. +This flag is +.Em @tty_tickets@ +by default. +.It umask_override +If set, +.Nm sudo +will set the umask as specified by +.Em sudoers +without modification. +This makes it possible to specify a more permissive umask in +.Em sudoers +than the user's own umask and matches historical behavior. +If +.Em umask_override +is not set, +.Nm sudo +will set the umask to be the union of the user's umask and what is specified in +.Em sudoers . +This flag is +.Em @umask_override@ +by default. +.It use_loginclass +If set, +.Nm sudo +will apply the defaults specified for the target user's login class +if one exists. +Only available if +.Nm sudo +is configured with the +.Li --with-logincap +option. +This flag is +.Em off +by default. +.It use_pty +If set, +.Nm sudo +will run the command in a pseudo-pty even if no I/O logging is being gone. +A malicious program run under +.Nm sudo +could conceivably fork a background process that retains to the user's +terminal device after the main program has finished executing. +Use of this option will make that impossible. +This flag is +.Em off +by default. +.It visiblepw +By default, +.Nm sudo +will refuse to run if the user must enter a password but it is not +possible to disable echo on the terminal. +If the +.Em visiblepw +flag is set, +.Nm sudo +will prompt for a password even when it would be visible on the screen. +This makes it possible to run things like +.Dq Li ssh somehost sudo ls +since by default, +.Xr ssh 1 +does +not allocate a tty when running a command. +This flag is +.Em off +by default. +.El +.Pp +.Sy Integers : +.Bl -tag -width 16n +.It closefrom +Before it executes a command, +.Nm sudo +will close all open file descriptors other than standard input, +standard output and standard error (ie: file descriptors 0-2). +The +.Em closefrom +option can be used to specify a different file descriptor at which +to start closing. +The default is +.Li 3 . +.It passwd_tries +The number of tries a user gets to enter his/her password before +.Nm sudo +logs the failure and exits. +The default is +.Li @passwd_tries@ . +.El +.Pp +.Sy Integers that can be used in a boolean context : +.Bl -tag -width 16n +.It loglinelen +Number of characters per line for the file log. +This value is used to decide when to wrap lines for nicer log files. +This has no effect on the syslog log file, only the file log. +The default is +.Li @loglen@ +(use 0 or negate the option to disable word wrap). +.It passwd_timeout +Number of minutes before the +.Nm sudo +password prompt times out, or +.Li 0 +for no timeout. +The timeout may include a fractional component +if minute granularity is insufficient, for example +.Li 2.5 . +The +default is +.Li @password_timeout@ . +.It timestamp_timeout +Number of minutes that can elapse before +.Nm sudo +will ask for a passwd again. +The timeout may include a fractional component if +minute granularity is insufficient, for example +.Li 2.5 . +The default is +.Li @timeout@ . +Set this to +.Li 0 +to always prompt for a password. +If set to a value less than +.Li 0 +the user's time stamp will never expire. +This can be used to allow users to create or delete their own time stamps via +.Dq Li sudo -v +and +.Dq Li sudo -k +respectively. +.It umask +Umask to use when running the command. +Negate this option or set it to 0777 to preserve the user's umask. +The actual umask that is used will be the union of the user's umask +and the value of the +.Em umask +option, which defaults to +.Li @sudo_umask@ . +This guarantees +that +.Nm sudo +never lowers the umask when running a command. +Note: on systems that use PAM, the default PAM configuration may specify +its own umask which will override the value set in +.Em sudoers . +.El +.Pp +.Sy Strings : +.Bl -tag -width 16n +.It badpass_message +Message that is displayed if a user enters an incorrect password. +The default is +.Li @badpass_message@ +unless insults are enabled. +.It editor +A colon +.Pq Ql :\& +separated list of editors allowed to be used with +.Nm visudo . +.Nm visudo +will choose the editor that matches the user's +.Ev EDITOR +environment variable if possible, or the first editor in the +list that exists and is executable. +The default is +.Pa @editor@ . +.It iolog_dir +The directory in which to store input/output logs when the +.Em log_input +or +.Em log_output +options are enabled or when the +.Li LOG_INPUT +or +.Li LOG_OUTPUT +tags are present for a command. +The default is +.Pa @iolog_dir@ . +.It mailsub +Subject of the mail sent to the +.Em mailto +user. +The escape +.Li %h +will expand to the host name of the machine. +Default is +.Dq Li @mailsub@ . +.It noexec_file +The +.Em noexec +option specifies the the fully-qualified path to a shared library +containing dummy versions of the +.Fn execv , +.Fn execve +and +.Fn fexecve +library functions that just return an error. +This is used to implement the +.Em noexec +functionality on systems that support +.Ev LD_PRELOAD +or its equivalent. +Defaults to +.Pa @noexec_file@ . +.It passprompt +The default prompt to use when asking for a password; can be overridden via the +.Fl p +option or the +.Ev SUDO_PROMPT +environment variable. +The following percent +.Pq Ql % +escape sequences are supported: +.Bl -tag -width 4n +.It Li %H +expanded to the local host name including the domain name +(only if the machine's host name is fully qualified or the +.Em fqdn +option is set) +.It Li %h +expanded to the local host name without the domain name +.It Li %p +expanded to the user whose password is being asked for (respects the +.Em rootpw , +.Em targetpw +and +.Em runaspw +flags in +.Em sudoers ) +.It Li \&%U +expanded to the login name of the user the command will +be run as (defaults to root) +.It Li %u +expanded to the invoking user's login name +.It Li %% +two consecutive +.Li % +characters are collapsed into a single +.Li % +character +.El +.Pp +The default value is +.Dq Li @passprompt@ . +.It role +The default SELinux role to use when constructing a new security +context to run the command. +The default role may be overridden on a per-command basis in +.Em sudoers +or via command line options. +This option is only available when +.Nm sudo +is built with SELinux support. +.It runas_default +The default user to run commands as if the +.Fl u +option is not specified on the command line. +This defaults to +.Li @runas_default@ . +.It syslog_badpri +Syslog priority to use when user authenticates unsuccessfully. +Defaults to +.Li @badpri@ . +.Pp +The following syslog priorities are supported: +.Sy alert , +.Sy crit , +.Sy debug , +.Sy emerg , +.Sy err , +.Sy info , +.Sy notice , +and +.Sy warning . +.It syslog_goodpri +Syslog priority to use when user authenticates successfully. +Defaults to +.Li @goodpri@ . +.Pp +See +.Sx syslog_badpri +for the list of supported syslog priorities. +.It sudoers_locale +Locale to use when parsing the sudoers file, logging commands, and +sending email. +Note that changing the locale may affect how sudoers is interpreted. +Defaults to +.Dq Li C . +.It timestampdir +The directory in which +.Nm sudo +stores its time stamp files. +The default is +.Pa @timedir@ . +.It timestampowner +The owner of the time stamp directory and the time stamps stored therein. +The default is +.Li root . +.It type +The default SELinux type to use when constructing a new security +context to run the command. +The default type may be overridden on a per-command basis in +.Em sudoers +or via command line options. +This option is only available when +.Nm sudo +is built with SELinux support. +.El +.Pp +.Sy Strings that can be used in a boolean context : +.Bl -tag -width 12n +.It askpass +The +.Em askpass +option specifies the fully qualified path to a helper program used +to read the user's password when no terminal is available. +This may be the case when +.Nm sudo +is executed from a graphical (as opposed to text-based) application. +The program specified by +.Em askpass +should display the argument passed to it as the prompt and write +the user's password to the standard output. +The value of +.Em askpass +may be overridden by the +.Ev SUDO_ASKPASS +environment variable. +.It env_file +The +.Em env_file +option specifies the fully qualified path to a file containing variables +to be set in the environment of the program being run. +Entries in this file should either be of the form +.Dq Li VARIABLE=value +or +.Dq Li export VARIABLE=value . +The value may optionally be surrounded by single or double quotes. +Variables in this file are subject to other +.Nm sudo +environment settings such as +.Em env_keep +and +.Em env_check . +.It exempt_group +Users in this group are exempt from password and PATH requirements. +The group name specified should not include a +.Li % +prefix. +This is not set by default. +.It lecture +This option controls when a short lecture will be printed along with +the password prompt. +It has the following possible values: +.Bl -tag -width 6n +.It always +Always lecture the user. +.It never +Never lecture the user. +.It once +Only lecture the user the first time they run +.Nm sudo . +.El +.Pp +If no value is specified, a value of +.Em once +is implied. +Negating the option results in a value of +.Em never +being used. +The default value is +.Em @lecture@ . +.It lecture_file +Path to a file containing an alternate +.Nm sudo +lecture that will be used in place of the standard lecture if the named +file exists. +By default, +.Nm sudo +uses a built-in lecture. +.It listpw +This option controls when a password will be required when a user runs +.Nm sudo +with the +.Fl l +option. +It has the following possible values: +.Bl -tag -width 8n +.It all +All the user's +.Em sudoers +entries for the current host must have +the +.Li NOPASSWD +flag set to avoid entering a password. +.It always +The user must always enter a password to use the +.Fl l +option. +.It any +At least one of the user's +.Em sudoers +entries for the current host +must have the +.Li NOPASSWD +flag set to avoid entering a password. +.It never +The user need never enter a password to use the +.Fl l +option. +.El +.Pp +If no value is specified, a value of +.Em any +is implied. +Negating the option results in a value of +.Em never +being used. +The default value is +.Em any . +.It logfile +Path to the +.Nm sudo +log file (not the syslog log file). +Setting a path turns on logging to a file; +negating this option turns it off. +By default, +.Nm sudo +logs via syslog. +.It mailerflags +Flags to use when invoking mailer. Defaults to +.Fl t . +.It mailerpath +Path to mail program used to send warning mail. +Defaults to the path to sendmail found at configure time. +.It mailfrom +Address to use for the +.Dq from +address when sending warning and error mail. +The address should be enclosed in double quotes +.Pq \&"" +to protect against +.Nm sudo +interpreting the +.Li @ +sign. +Defaults to the name of the user running +.Nm sudo . +.It mailto +Address to send warning and error mail to. +The address should be enclosed in double quotes +.Pq \&"" +to protect against +.Nm sudo +interpreting the +.Li @ +sign. +Defaults to +.Li @mailto@ . +.It secure_path +Path used for every command run from +.Nm sudo . +If you don't trust the +people running +.Nm sudo +to have a sane +.Ev PATH +environment variable you may want to use this. +Another use is if you want to have the +.Dq root path +be separate from the +.Dq user path . +Users in the group specified by the +.Em exempt_group +option are not affected by +.Em secure_path . +This option is @secure_path@ by default. +.It syslog +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). +Defaults to +.Li @logfac@ . +.Pp +The following syslog facilities are supported: +.Sy authpriv +(if your +OS supports it), +.Sy auth , +.Sy daemon , +.Sy user , +.Sy local0 , +.Sy local1 , +.Sy local2 , +.Sy local3 , +.Sy local4 , +.Sy local5 , +.Sy local6 , +and +.Sy local7 . +.It verifypw +This option controls when a password will be required when a user runs +.Nm sudo +with the +.Fl v +option. +It has the following possible values: +.Bl -tag -width 6n +.It all +All the user's +.Em sudoers +entries for the current host must have the +.Li NOPASSWD +flag set to avoid entering a password. +.It always +The user must always enter a password to use the +.Fl v +option. +.It any +At least one of the user's +.Em sudoers +entries for the current host must have the +.Li NOPASSWD +flag set to avoid entering a password. +.It never +The user need never enter a password to use the +.Fl v +option. +.El +.Pp +If no value is specified, a value of +.Em all +is implied. +Negating the option results in a value of +.Em never +being used. +The default value is +.Em all . +.El +.Pp +.Sy Lists that can be used in a boolean context : +.Bl -tag -width 16n +.It env_check +Environment variables to be removed from the user's environment if +the variable's value contains +.Ql % +or +.Ql / +characters. +This can be used to guard against printf-style format vulnerabilities +in poorly-written programs. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using +the +.Li = , +.Li += , +.Li -= , +and +.Li \&! +operators respectively. +Regardless of whether the +.Li env_reset +option is enabled or disabled, variables specified by +.Li env_check +will be preserved in the environment if they pass the aforementioned check. +The default list of environment variables to check is displayed when +.Nm sudo +is run by root with +the +.Fl V +option. +.It env_delete +Environment variables to be removed from the user's environment when the +.Em env_reset +option is not in effect. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using the +.Li = , +.Li += , +.Li -= , +and +.Li \&! +operators respectively. +The default list of environment variables to remove is displayed when +.Nm sudo +is run by root with the +.Fl V +option. +Note that many operating systems will remove potentially dangerous +variables from the environment of any setuid process (such as +.Nm sudo ) . +.It env_keep +Environment variables to be preserved in the user's environment when the +.Em env_reset +option is in effect. +This allows fine-grained control over the environment +.Nm sudo Ns No -spawned +processes will receive. +The argument may be a double-quoted, space-separated list or a +single value without double-quotes. +The list can be replaced, added to, deleted from, or disabled by using the +.Li = , +.Li += , +.Li -= , +and +.Li \&! +operators respectively. +The default list of variables to keep +is displayed when +.Nm sudo +is run by root with the +.Fl V +option. +.El +.Sh FILES +.Bl -tag -width 24n +.It Pa @sysconfdir@/sudoers +List of who can run what +.It Pa /etc/group +Local groups file +.It Pa /etc/netgroup +List of network groups +.It Pa @iolog_dir@ +I/O log files +.El +.Sh EXAMPLES +Below are example +.Em sudoers +entries. +Admittedly, some of these are a bit contrived. +First, we allow a few environment variables to pass and then define our +.Em aliases : +.Bd -literal +# Run X applications through sudo; HOME is used to find the +# .Xauthority file. Note that other programs use HOME to find +# configuration files and this may lead to privilege escalation! +Defaults env_keep += "DISPLAY HOME" + +# User alias specification +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl +User_Alias WEBMASTERS = will, wendy, wim + +# Runas alias specification +Runas_Alias OP = root, operator +Runas_Alias DB = oracle, sybase +Runas_Alias ADMINGRP = adm, oper + +# Host alias specification +Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e + SGI = grolsch, dandelion, black :\e + ALPHA = widget, thalamus, foobar :\e + HPPA = boa, nag, python +Host_Alias CUNETS = 128.138.0.0/255.255.0.0 +Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 +Host_Alias SERVERS = master, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +# Cmnd alias specification +Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e + /usr/sbin/restore, /usr/sbin/rrestore +Cmnd_Alias KILL = /usr/bin/kill +Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +Cmnd_Alias HALT = /usr/sbin/halt +Cmnd_Alias REBOOT = /usr/sbin/reboot +Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e + /usr/local/bin/tcsh, /usr/bin/rsh,\e + /usr/local/bin/zsh +Cmnd_Alias SU = /usr/bin/su +Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less +.Ed +.Pp +Here we override some of the compiled in default values. +We want +.Nm sudo +to log via +.Xr syslog 3 +using the +.Em auth +facility in all cases. +We don't want to subject the full time staff to the +.Nm sudo +lecture, user +.Sy millert +need not give a password, and we don't want to reset the +.Ev LOGNAME , +.Ev USER +or +.Ev USERNAME +environment variables when running commands as root. +Additionally, on the machines in the +.Em SERVERS +.Li Host_Alias , +we keep an additional local log file and make sure we log the year +in each log line since the log entries will be kept around for several years. +Lastly, we disable shell escapes for the commands in the PAGERS +.Li Cmnd_Alias +.Po +.Pa /usr/bin/more , +.Pa /usr/bin/pg +and +.Pa /usr/bin/less +.Pc . +.Bd -literal +# Override built-in defaults +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log +Defaults!PAGERS noexec +.Ed +.Pp +The +.Em User specification +is the part that actually determines who may run what. +.Bd -literal +root ALL = (ALL) ALL +%wheel ALL = (ALL) ALL +.Ed +.Pp +We let +.Sy root +and any user in group +.Sy wheel +run any command on any host as any user. +.Bd -literal +FULLTIMERS ALL = NOPASSWD: ALL +.Ed +.Pp +Full time sysadmins +.Po +.Sy millert , +.Sy mikef , +and +.Sy dowdy +.Pc +may run any command on any host without authenticating themselves. +.Bd -literal +PARTTIMERS ALL = ALL +.Ed +.Pp +Part time sysadmins +.Sy bostley , +.Sy jwfox , +and +.Sy crawl ) +may run any command on any host but they must authenticate themselves +first (since the entry lacks the +.Li NOPASSWD +tag). +.Bd -literal +jack CSNETS = ALL +.Ed +.Pp +The user +.Sy jack +may run any command on the machines in the +.Em CSNETS +alias (the networks +.Li 128.138.243.0 , +.Li 128.138.204.0 , +and +.Li 128.138.242.0 ) . +Of those networks, only +.Li 128.138.204.0 +has an explicit netmask (in CIDR notation) indicating it is a class C network. +For the other networks in +.Em CSNETS , +the local machine's netmask will be used during matching. +.Bd -literal +lisa CUNETS = ALL +.Ed +.Pp +The user +.Sy lisa +may run any command on any host in the +.Em CUNETS +alias (the class B network +.Li 128.138.0.0 ) . +.Bd -literal +operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e + sudoedit /etc/printcap, /usr/oper/bin/ +.Ed +.Pp +The +.Sy operator +user may run commands limited to simple maintenance. +Here, those are commands related to backups, killing processes, the +printing system, shutting down the system, and any commands in the +directory +.Pa /usr/oper/bin/ . +.Bd -literal +joe ALL = /usr/bin/su operator +.Ed +.Pp +The user +.Sy joe +may only +.Xr su 1 +to operator. +.Bd -literal +pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + +%opers ALL = (: ADMINGRP) /usr/sbin/ +.Ed +.Pp +Users in the +.Sy opers +group may run commands in +.Pa /usr/sbin/ +as themselves +with any group in the +.Em ADMINGRP +.Li Runas_Alias +(the +.Sy adm +and +.Sy oper +groups). +.Pp +The user +.Sy pete +is allowed to change anyone's password except for +root on the +.Em HPPA +machines. +Note that this assumes +.Xr passwd 1 +does not take multiple user names on the command line. +.Bd -literal +bob SPARC = (OP) ALL : SGI = (OP) ALL +.Ed +.Pp +The user +.Sy bob +may run anything on the +.Em SPARC +and +.Em SGI +machines as any user listed in the +.Em OP +.Li Runas_Alias +.Po +.Sy root +and +.Sy operator . +.Pc +.Bd -literal +jim +biglab = ALL +.Ed +.Pp +The user +.Sy jim +may run any command on machines in the +.Em biglab +netgroup. +.Nm sudo +knows that +.Dq biglab +is a netgroup due to the +.Ql + +prefix. +.Bd -literal ++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser +.Ed +.Pp +Users in the +.Sy secretaries +netgroup need to help manage the printers as well as add and remove users, +so they are allowed to run those commands on all machines. +.Bd -literal +fred ALL = (DB) NOPASSWD: ALL +.Ed +.Pp +The user +.Sy fred +can run commands as any user in the +.Em DB +.Li Runas_Alias +.Po +.Sy oracle +or +.Sy sybase +.Pc +without giving a password. +.Bd -literal +john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* +.Ed +.Pp +On the +.Em ALPHA +machines, user +.Sy john +may su to anyone except root but he is not allowed to specify any options +to the +.Xr su 1 +command. +.Bd -literal +jen ALL, !SERVERS = ALL +.Ed +.Pp +The user +.Sy jen +may run any command on any machine except for those in the +.Em SERVERS +.Li Host_Alias +(master, mail, www and ns). +.Bd -literal +jill SERVERS = /usr/bin/, !SU, !SHELLS +.Ed +.Pp +For any machine in the +.Em SERVERS +.Li Host_Alias , +.Sy jill +may run +any commands in the directory +.Pa /usr/bin/ +except for those commands +belonging to the +.Em SU +and +.Em SHELLS +.Li Cmnd_Aliases . +.Bd -literal +steve CSNETS = (operator) /usr/local/op_commands/ +.Ed +.Pp +The user +.Sy steve +may run any command in the directory /usr/local/op_commands/ +but only as user operator. +.Bd -literal +matt valkyrie = KILL +.Ed +.Pp +On his personal workstation, valkyrie, +.Sy matt +needs to be able to kill hung processes. +.Bd -literal +WEBMASTERS www = (www) ALL, (root) /usr/bin/su www +.Ed +.Pp +On the host www, any user in the +.Em WEBMASTERS +.Li User_Alias +(will, wendy, and wim), may run any command as user www (which owns the +web pages) or simply +.Xr su 1 +to www. +.Bd -literal +ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM +.Ed +.Pp +Any user may mount or unmount a CD-ROM on the machines in the CDROM +.Li Host_Alias +(orion, perseus, hercules) without entering a password. +This is a bit tedious for users to type, so it is a prime candidate +for encapsulating in a shell script. +.Sh SECURITY NOTES +.Ss Limitations of the So !\& Sc operator +It is generally not effective to +.Dq subtract +commands from +.Sy ALL +using the +.Ql !\& +operator. +A user can trivially circumvent this by copying the desired command +to a different name and then executing that. +For example: +.Bd -literal +bill ALL = ALL, !SU, !SHELLS +.Ed +.Pp +Doesn't really prevent +.Sy bill +from running the commands listed in +.Em SU +or +.Em SHELLS +since he can simply copy those commands to a different name, or use +a shell escape from an editor or other program. +Therefore, these kind of restrictions should be considered +advisory at best (and reinforced by policy). +.Pp +In general, if a user has sudo +.Sy ALL +there is nothing to prevent them from creating their own program that gives +them a root shell (or making their own copy of a shell) regardless of any +.Ql !\& +elements in the user specification. +.Ss Security implications of Em fast_glob +If the +.Em fast_glob +option is in use, it is not possible to reliably negate commands where the +path name includes globbing (aka wildcard) characters. +This is because the C library's +.Xr fnmatch 3 +function cannot resolve relative paths. +While this is typically only an inconvenience for rules that grant privileges, +it can result in a security issue for rules that subtract or revoke privileges. +.Pp +For example, given the following +.Em sudoers +entry: +.Bd -literal +john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root +.Ed +.Pp +User +.Sy john +can still run +.Li /usr/bin/passwd root +if +.Em fast_glob +is enabled by changing to +.Pa /usr/bin +and running +.Li ./passwd root +instead. +.Ss Preventing Shell Escapes +Once +.Nm sudo +executes a program, that program is free to do whatever +it pleases, including run other programs. +This can be a security issue since it is not uncommon for a program to +allow shell escapes, which lets a user bypass +.Nm sudo Ns No 's +access control and logging. +Common programs that permit shell escapes include shells (obviously), +editors, paginators, mail and terminal programs. +.Pp +There are two basic approaches to this problem: +.Bl -tag -width 8n +.It restrict +Avoid giving users access to commands that allow the user to run +arbitrary commands. +Many editors have a restricted mode where shell +escapes are disabled, though +.Nm sudoedit +is a better solution to +running editors via +.Nm sudo . +Due to the large number of programs that +offer shell escapes, restricting users to the set of programs that +do not is often unworkable. +.It noexec +Many systems that support shared libraries have the ability to +override default library functions by pointing an environment +variable (usually +.Ev LD_PRELOAD ) +to an alternate shared library. +On such systems, +.Nm sudo Ns No 's +.Em noexec +functionality can be used to prevent a program run by +.Nm sudo +from executing any other programs. +Note, however, that this applies only to native dynamically-linked +executables. +Statically-linked executables and foreign executables +running under binary emulation are not affected. +.Pp +The +.Em noexec +feature is known to work on SunOS, Solaris, *BSD, +Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above. +It should be supported on most operating systems that support the +.Ev LD_PRELOAD +environment variable. +Check your operating system's manual pages for the dynamic linker +(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if +.Ev LD_PRELOAD +is supported. +.Pp +On Solaris 10 and higher, +.Em noexec +uses Solaris privileges instead of the +.Ev LD_PRELOAD +environment variable. +.Pp +To enable +.Em noexec +for a command, use the +.Li NOEXEC +tag as documented +in the User Specification section above. +Here is that example again: +.Bd -literal +aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi +.Ed +.Pp +This allows user +.Sy aaron +to run +.Pa /usr/bin/more +and +.Pa /usr/bin/vi +with +.Em noexec +enabled. +This will prevent those two commands from +executing other commands (such as a shell). +If you are unsure whether or not your system is capable of supporting +.Em noexec +you can always just try it out and check whether shell escapes work when +.Em noexec +is enabled. +.El +.Pp +Note that restricting shell escapes is not a panacea. +Programs running as root are still capable of many potentially hazardous +operations (such as changing or overwriting files) that could lead +to unintended privilege escalation. +In the specific case of an editor, a safer approach is to give the +user permission to run +.Nm sudoedit . +.Sh SEE ALSO +.Xr ssh 1 , +.Xr su 1 , +.Xr fnmatch 3 , +.Xr glob 3 , +.Xr mktemp 3 , +.Xr strftime 3 , +.Xr sudoers.ldap @mansectform@ , +.Xr sudo @mansectsu@ , +.Xr visudo @mansectsu@ +.Sh CAVEATS +The +.Em sudoers +file should +.Sy always +be edited by the +.Nm visudo +command which locks the file and does grammatical checking. +It is +imperative that +.Em sudoers +be free of syntax errors since +.Nm sudo +will not run with a syntactically incorrect +.Em sudoers +file. +.Pp +When using netgroups of machines (as opposed to users), if you +store fully qualified host name in the netgroup (as is usually the +case), you either need to have the machine's host name be fully qualified +as returned by the +.Li hostname +command or use the +.Em fqdn +option in +.Em sudoers . +.Sh BUGS +If you feel you have found a bug in +.Nm sudo , +please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.Sh SUPPORT +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. +.Sh DISCLAIMER +.Nm sudo +is provided +.Dq AS IS +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +.Nm sudo +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/sudoers.pod b/sudoers.pod deleted file mode 100644 index 4e08ebf9b..000000000 --- a/sudoers.pod +++ /dev/null @@ -1,1755 +0,0 @@ -Copyright (c) 1994-1996, 1998-2005, 2007-2011 - Todd C. Miller - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -Sponsored in part by the Defense Advanced Research Projects -Agency (DARPA) and Air Force Research Laboratory, Air Force -Materiel Command, USAF, under agreement number F39502-99-1-0512. - -=pod - -=head1 NAME - -sudoers - list of which users may execute what - -=head1 DESCRIPTION - -The I file is composed of two types of entries: aliases -(basically variables) and user specifications (which specify who -may run what). - -When multiple entries match for a user, they are applied in order. -Where there are multiple matches, the last match is used (which is -not necessarily the most specific match). - -The I grammar will be described below in Extended Backus-Naur -Form (EBNF). Don't despair if you don't know what EBNF is; it is -fairly simple, and the definitions below are annotated. - -=head2 Quick guide to EBNF - -EBNF is a concise and exact way of describing the grammar of a language. -Each EBNF definition is made up of I. E.g., - - symbol ::= definition | alternate1 | alternate2 ... - -Each I references others and thus makes up a -grammar for the language. EBNF also contains the following -operators, which many readers will recognize from regular -expressions. Do not, however, confuse them with "wildcard" -characters, which have different meanings. - -=over 4 - -=item C - -Means that the preceding symbol (or group of symbols) is optional. -That is, it may appear once or not at all. - -=item C<*> - -Means that the preceding symbol (or group of symbols) may appear -zero or more times. - -=item C<+> - -Means that the preceding symbol (or group of symbols) may appear -one or more times. - -=back - -Parentheses may be used to group symbols together. For clarity, -we will use single quotes ('') to designate what is a verbatim character -string (as opposed to a symbol name). - -=head2 Aliases - -There are four kinds of aliases: C, C, -C and C. - - Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | - 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | - 'Host_Alias' Host_Alias (':' Host_Alias)* | - 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* - - User_Alias ::= NAME '=' User_List - - Runas_Alias ::= NAME '=' Runas_List - - Host_Alias ::= NAME '=' Host_List - - Cmnd_Alias ::= NAME '=' Cmnd_List - - NAME ::= [A-Z]([A-Z][0-9]_)* - -Each I definition is of the form - - Alias_Type NAME = item1, item2, ... - -where I is one of C, C, C, -or C. A C is a string of uppercase letters, numbers, -and underscore characters ('_'). A C B start with an -uppercase letter. It is possible to put several alias definitions -of the same type on a single line, joined by a colon (':'). E.g., - - Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 - -The definitions of what constitutes a valid I member follow. - - User_List ::= User | - User ',' User_List - - User ::= '!'* user name | - '!'* #uid | - '!'* %group | - '!'* %#gid | - '!'* +netgroup | - '!'* %:nonunix_group | - '!'* %:#nonunix_gid | - '!'* User_Alias - -A C is made up of one or more user names, user ids -(prefixed with '#'), system group names and ids (prefixed with '%' -and '%#' respectively), netgroups (prefixed with '+'), non-Unix -group names and IDs (prefixed with '%:' and '%:#' respectively) and -Ces. Each list item may be prefixed with zero or more -'!' operators. An odd number of '!' operators negate the value of -the item; an even number just cancel each other out. - -A C, C, C, C, C, C -or C may be enclosed in double quotes to avoid the -need for escaping special characters. Alternately, special characters -may be specified in escaped hex mode, e.g. \x20 for space. When -using double quotes, any prefix characters must be included inside -the quotes. - -The C and C syntax depends on the -underlying implementation. For instance, the QAS AD backend supports -the following formats: - -=over 4 - -=item * - -Group in the same domain: "%:Group Name" - -=item * - -Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" - -=item * - -Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" - -=back - -Note that quotes around group names are optional. Unquoted strings -must use a backslash (\) to escape spaces and special characters. -See L<"Other special characters and reserved words"> for a list of -characters that need to be escaped. - - Runas_List ::= Runas_Member | - Runas_Member ',' Runas_List - - Runas_Member ::= '!'* user name | - '!'* #uid | - '!'* %group | - '!'* %#gid | - '!'* %:nonunix_group | - '!'* %:#nonunix_gid | - '!'* +netgroup | - '!'* Runas_Alias - -A C is similar to a C except that instead -of Ces it can contain Ces. Note that -user names and groups are matched as strings. In other words, two -users (groups) with the same uid (gid) are considered to be distinct. -If you wish to match all user names with the same uid (e.g.Eroot -and toor), you can use a uid instead (#0 in the example given). - - Host_List ::= Host | - Host ',' Host_List - - Host ::= '!'* host name | - '!'* ip_addr | - '!'* network(/netmask)? | - '!'* +netgroup | - '!'* Host_Alias - -A C is made up of one or more host names, IP addresses, -network numbers, netgroups (prefixed with '+') and other aliases. -Again, the value of an item may be negated with the '!' operator. -If you do not specify a netmask along with the network number, -B will query each of the local host's network interfaces and, -if the network number corresponds to one of the hosts's network -interfaces, the corresponding netmask will be used. The netmask -may be specified either in standard IP address notation -(e.g.E255.255.255.0 or ffff:ffff:ffff:ffff::), -or CIDR notation (number of bits, e.g.E24 or 64). A host name may -include shell-style wildcards (see the L section below), -but unless the C command on your machine returns the fully -qualified host name, you'll need to use the I option for -wildcards to be useful. Note B only inspects actual network -interfaces; this means that IP address 127.0.0.1 (localhost) will -never match. Also, the host name "localhost" will only match if -that is the actual host name, which is usually only the case for -non-networked systems. - - Cmnd_List ::= Cmnd | - Cmnd ',' Cmnd_List - - commandname ::= file name | - file name args | - file name '""' - - Cmnd ::= '!'* commandname | - '!'* directory | - '!'* "sudoedit" | - '!'* Cmnd_Alias - -A C is a list of one or more commandnames, directories, and other -aliases. A commandname is a fully qualified file name which may include -shell-style wildcards (see the L section below). A simple -file name allows the user to run the command with any arguments he/she -wishes. However, you may also specify command line arguments (including -wildcards). Alternately, you can specify C<""> to indicate that the command -may only be run B command line arguments. A directory is a -fully qualified path name ending in a '/'. When you specify a directory -in a C, the user will be able to run any file within that directory -(but not in any subdirectories therein). - -If a C has associated command line arguments, then the arguments -in the C must match exactly those given by the user on the command line -(or match the wildcards if there are any). Note that the following -characters must be escaped with a '\' if they are used in command -arguments: ',', ':', '=', '\'. The special command C<"sudoedit"> -is used to permit a user to run B with the B<-e> option (or -as B). It may take command line arguments just as -a normal command does. - -=head2 Defaults - -Certain configuration options may be changed from their default -values at runtime via one or more C lines. These -may affect all users on any host, all users on a specific host, a -specific user, a specific command, or commands being run as a specific user. -Note that per-command entries may not include command line arguments. -If you need to specify arguments, define a C and reference -that instead. - - Default_Type ::= 'Defaults' | - 'Defaults' '@' Host_List | - 'Defaults' ':' User_List | - 'Defaults' '!' Cmnd_List | - 'Defaults' '>' Runas_List - - Default_Entry ::= Default_Type Parameter_List - - Parameter_List ::= Parameter | - Parameter ',' Parameter_List - - Parameter ::= Parameter '=' Value | - Parameter '+=' Value | - Parameter '-=' Value | - '!'* Parameter - -Parameters may be B, B values, B, or B. -Flags are implicitly boolean and can be turned off via the '!' -operator. Some integer, string and list parameters may also be -used in a boolean context to disable them. Values may be enclosed -in double quotes (C<"">) when they contain multiple words. Special -characters may be escaped with a backslash (C<\>). - -Lists have two additional assignment operators, C<+=> and C<-=>. -These operators are used to add to and delete from a list respectively. -It is not an error to use the C<-=> operator to remove an element -that does not exist in a list. - -Defaults entries are parsed in the following order: generic, host -and user Defaults first, then runas Defaults and finally command -defaults. - -See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters. - -=head2 User Specification - - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* - - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List - - Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd - - Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' - - SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') - - Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | - 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') - -A B determines which commands a user may run -(and as what user) on specified hosts. By default, commands are -run as B, but this can be changed on a per-command basis. - -The basic structure of a user specification is `who where = (as_whom) -what'. Let's break that down into its constituent parts: - -=head2 Runas_Spec - -A C determines the user and/or the group that a command -may be run as. A fully-specified C consists of two -Cs (as defined above) separated by a colon (':') and -enclosed in a set of parentheses. The first C indicates -which users the command may be run as via B's B<-u> option. -The second defines a list of groups that can be specified via -B's B<-g> option. If both Cs are specified, the -command may be run with any combination of users and groups listed -in their respective Cs. If only the first is specified, -the command may be run as any user in the list but no B<-g> option -may be specified. If the first C is empty but the -second is specified, the command may be run as the invoking user -with the group set to any listed in the C. If no -C is specified the command may be run as B and -no group may be specified. - -A C sets the default for the commands that follow it. -What this means is that for the entry: - - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - -The user B may run F, F, and -F -- but only as B. E.g., - - $ sudo -u operator /bin/ls - -It is also possible to override a C later on in an -entry. If we modify the entry like so: - - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - -Then user B is now allowed to run F as B, -but F and F as B. - -We can extend this to allow B to run C with either -the user or group set to B: - - dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ - /usr/bin/lprm - -Note that while the group portion of the C permits the -user to run as command with that group, it does not force the user -to do so. If no group is specified on the command line, the command -will run with the group listed in the target user's password database -entry. The following would all be permitted by the sudoers entry above: - - $ sudo -u operator /bin/ls - $ sudo -u operator -g operator /bin/ls - $ sudo -g operator /bin/ls - -In the following example, user B may run commands that access -a modem device file with the dialer group. - - tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ - /usr/local/bin/minicom - -Note that in this example only the group will be set, the command -still runs as user B. E.g. - - $ sudo -g dialer /usr/bin/cu - -Multiple users and groups may be present in a C, in -which case the user may select any combination of users and groups -via the B<-u> and B<-g> options. In this example: - - alan ALL = (root, bin : operator, system) ALL - -user B may run any command as either user root or bin, -optionally setting the group to operator or system. - -=head2 SELinux_Spec - -On systems with SELinux support, I entries may optionally have -an SELinux role and/or type associated with a command. If a role or -type is specified with the command it will override any default values -specified in I. A role or type specified on the command line, -however, will supercede the values in I. - -=head2 Tag_Spec - -A command may have zero or more tags associated with it. There are -ten possible tag values, C, C, C, -C, C, C, C, C, -C and C. Once a tag is set on a C, -subsequent Cs in the C, inherit the tag unless -it is overridden by the opposite tag (in other words, C overrides -C and C overrides C). - -=head3 NOPASSWD and PASSWD - -By default, B requires that a user authenticate him or herself -before running a command. This behavior can be modified via the -C tag. Like a C, the C tag sets -a default for the commands that follow it in the C. -Conversely, the C tag can be used to reverse things. -For example: - - ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - -would allow the user B to run F, F, and -F as B on the machine rushmore without -authenticating himself. If we only want B to be able to -run F without a password the entry would be: - - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - -Note, however, that the C tag has no effect on users who are -in the group specified by the I option. - -By default, if the C tag is applied to any of the entries -for a user on the current host, he or she will be able to run -C without a password. Additionally, a user may only run -C without a password if the C tag is present -for all a user's entries that pertain to the current host. -This behavior may be overridden via the verifypw and listpw options. - -=head3 NOEXEC and EXEC - -If B has been compiled with I support and the underlying -operating system supports it, the C tag can be used to prevent -a dynamically-linked executable from running further commands itself. - -In the following example, user B may run F -and F but shell escapes will be disabled. - - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - -See the L section below for more details -on how C works and whether or not it will work on your system. - -=head3 SETENV and NOSETENV - -These tags override the value of the I option on a per-command -basis. Note that if C has been set for a command, the user -may disable the I option from the command line via the -B<-E> option. Additionally, environment variables set on the command -line are not subject to the restrictions imposed by I, -I, or I. As such, only trusted users should -be allowed to set variables in this manner. If the command matched -is B, the C tag is implied for that command; this -default may be overridden by use of the C tag. - -=head3 LOG_INPUT and NOLOG_INPUT - -These tags override the value of the I option on a -per-command basis. For more information, see the description of -I in the L<"SUDOERS OPTIONS"> section below. - -=head3 LOG_OUTPUT and NOLOG_OUTPUT - -These tags override the value of the I option on a -per-command basis. For more information, see the description of -I in the L<"SUDOERS OPTIONS"> section below. - -=head2 Wildcards - -B allows shell-style I (aka meta or glob characters) -to be used in host names, path names and command line arguments in -the I file. Wildcard matching is done via the B -L and L routines. Note that these are I -regular expressions. - -=over 8 - -=item C<*> - -Matches any set of zero or more characters. - -=item C - -Matches any single character. - -=item C<[...]> - -Matches any character in the specified range. - -=item C<[!...]> - -Matches any character B in the specified range. - -=item C<\x> - -For any character "x", evaluates to "x". This is used to -escape special characters such as: "*", "?", "[", and "]". - -=back - -POSIX character classes may also be used if your system's L -and L functions support them. However, because the -C<':'> character has special meaning in I, it must be -escaped. For example: - - /bin/ls [[\:alpha\:]]* - -Would match any file name beginning with a letter. - -Note that a forward slash ('/') will B be matched by -wildcards used in the path name. When matching the command -line arguments, however, a slash B get matched by -wildcards. This is to make a path like: - - /usr/bin/* - -match F but not F. - -=head2 Exceptions to wildcard rules - -The following exceptions apply to the above rules: - -=over 8 - -=item C<""> - -If the empty string C<""> is the only command line argument in the -I entry it means that command is not allowed to be run -with B arguments. - -=back - -=head2 Including other files from within sudoers - -It is possible to include other I files from within the -I file currently being parsed using the C<#include> and -C<#includedir> directives. - -This can be used, for example, to keep a site-wide I file -in addition to a local, per-machine file. For the sake of this -example the site-wide I will be F and the -per-machine one will be F. To include -F from within F we would use the -following line in F: - -=over 4 - -C<#include /etc/sudoers.local> - -=back - -When B reaches this line it will suspend processing of the -current file (F) and switch to F. -Upon reaching the end of F, the rest of -F will be processed. Files that are included may -themselves include other files. A hard limit of 128 nested include -files is enforced to prevent include file loops. - -If the path to the include file is not fully-qualified (does not -begin with a C), it must be located in the same directory as the -sudoers file it was included from. For example, if F -contains the line: - -=over 4 - -C<#include sudoers.local> - -=back - -the file that will be included is F. - -The file name may also include the C<%h> escape, signifying the short form -of the host name. In other words, if the machine's host name is "xerxes", then - -C<#include /etc/sudoers.%h> - -will cause B to include the file F. - -The C<#includedir> directive can be used to create a F -directory that the system package manager can drop I rules -into as part of package installation. For example, given: - -C<#includedir /etc/sudoers.d> - -B will read each file in F, skipping file -names that end in C<~> or contain a C<.> character to avoid causing -problems with package manager or editor temporary/backup files. -Files are parsed in sorted lexical order. That is, -F will be parsed before -F. Be aware that because the sorting is -lexical, not numeric, F would be loaded -B F. Using a consistent number -of leading zeroes in the file names can be used to avoid such -problems. - -Note that unlike files included via C<#include>, B will not -edit the files in a C<#includedir> directory unless one of them -contains a syntax error. It is still possible to run B -with the B<-f> flag to edit the files directly. - -=head2 Other special characters and reserved words - -The pound sign ('#') is used to indicate a comment (unless it is -part of a #include directive or unless it occurs in the context of -a user name and is followed by one or more digits, in which case -it is treated as a uid). Both the comment character and any text -after it, up to the end of the line, are ignored. - -The reserved word B is a built-in I that always causes -a match to succeed. It can be used wherever one might otherwise -use a C, C, C, or C. -You should not try to define your own I called B as the -built-in alias will be used in preference to your own. Please note -that using B can be dangerous since in a command context, it -allows the user to run B command on the system. - -An exclamation point ('!') can be used as a logical I operator -both in an I and in front of a C. This allows one to -exclude certain values. Note, however, that using a C in -conjunction with the built-in C alias to allow a user to -run "all but a few" commands rarely works as intended (see SECURITY -NOTES below). - -Long lines can be continued with a backslash ('\') as the last -character on the line. - -Whitespace between elements in a list as well as special syntactic -characters in a I ('=', ':', '(', ')') is optional. - -The following characters must be escaped with a backslash ('\') when -used as part of a word (e.g.Ea user name or host name): -'!', '=', ':', ',', '(', ')', '\'. - -=head1 SUDOERS OPTIONS - -B's behavior can be modified by C lines, as -explained earlier. A list of all supported Defaults parameters, -grouped by type, are listed below. - -B: - -=over 16 - -=item always_set_home - -If enabled, B will set the C environment variable to the -home directory of the target user (which is root unless the B<-u> -option is used). This effectively means that the B<-H> option is -always implied. Note that C is already set when the the -I option is enabled, so I is only -effective for configurations where either I is disabled -or C is present in the I list. -This flag is I by default. - -=item authenticate - -If set, users must authenticate themselves via a password (or other -means of authentication) before they may run commands. This default -may be overridden via the C and C tags. -This flag is I by default. - -=item closefrom_override - -If set, the user may use B's B<-C> option which -overrides the default starting point at which B begins -closing open file descriptors. This flag is I by default. - -=item compress_io - -If set, and B is configured to log a command's input or output, -the I/O logs will be compressed using B. This flag is I -by default when B is compiled with B support. - -=item env_editor - -If set, B will use the value of the EDITOR or VISUAL -environment variables before falling back on the default editor list. -Note that this may create a security hole as it allows the user to -run any arbitrary command as root without logging. A safer alternative -is to place a colon-separated list of editors in the C -variable. B will then only use the EDITOR or VISUAL if -they match a value specified in C. This flag is I<@env_editor@> by -default. - -=item env_reset - -If set, B will run the command in a minimal environment -containing the C, C, C, C, C, -C, C, C and C variables. Any -variables in the caller's environment that match the C -and C lists are then added, followed by any variables -present in the file specified by the I option (if any). -The default contents of the C and C lists are -displayed when B is run by root with the B<-V> option. If -the I option is set, its value will be used for the -C environment variable. This flag is I<@env_reset@> by -default. - -=item fast_glob - -Normally, B uses the L function to do shell-style -globbing when matching path names. However, since it accesses the -file system, L can take a long time to complete for some -patterns, especially when the pattern references a network file -system that is mounted on demand (automounted). The I -option causes B to use the L function, which does -not access the file system to do its matching. The disadvantage -of I is that it is unable to match relative path names -such as F<./ls> or F<../bin/ls>. This has security implications -when path names that include globbing characters are used with the -negation operator, C<'!'>, as such rules can be trivially bypassed. -As such, this option should not be used when I contains rules -that contain negated path names which include globbing characters. -This flag is I by default. - -=item fqdn - -Set this flag if you want to put fully qualified host names in the -I file. -In other words, instead of myhost you would use myhost.mydomain.edu. -You may still use the short form if you wish (and even mix the two). -Beware that turning on I requires B to make DNS lookups -which may make B unusable if DNS stops working (for example -if the machine is not plugged into the network). Also note that -you must use the host's official name as DNS knows it. That is, -you may not use a host alias (C entry) due to performance -issues and the fact that there is no way to get all aliases from -DNS. If your machine's host name (as returned by the C -command) is already fully qualified you shouldn't need to set -I. This flag is I<@fqdn@> by default. - -=item ignore_dot - -If set, B will ignore "." or "" (current dir) in the C -environment variable; the C itself is not modified. This -flag is I<@ignore_dot@> by default. - -=item ignore_local_sudoers - -If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped. -This is intended for Enterprises that wish to prevent the usage of local -sudoers files so that only LDAP is used. This thwarts the efforts of -rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>. -When this option is present, F<@sysconfdir@/sudoers> does not even need to -exist. Since this option tells B how to behave when no specific LDAP -entries have been matched, this sudoOption is only meaningful for the -C section. This flag is I by default. - -=item insults - -If set, B will insult users when they enter an incorrect -password. This flag is I<@insults@> by default. - -=item log_host - -If set, the host name will be logged in the (non-syslog) B log file. -This flag is I by default. - -=item log_input - -If set, B will run the command in a I and log all -user input. -If the standard input is not connected to the user's tty, due to -I/O redirection or because the command is part of a pipeline, that -input is also captured and stored in a separate log file. - -Input is logged to the directory specified by the I -option (F<@iolog_dir@> by default) using a unique session ID that -is included in the normal B log line, prefixed with "C". - -Note that user input may contain sensitive information such as -passwords (even if they are not echoed to the screen), which will -be stored in the log file unencrypted. In most cases, logging the -command output via I is all that is required. - -=item log_output - -If set, B will run the command in a I and log all -output that is sent to the screen, similar to the script(1) command. -If the standard output or standard error is not connected to the -user's tty, due to I/O redirection or because the command is part -of a pipeline, that output is also captured and stored in separate -log files. - -Output is logged to the directory specified by the I -option (F<@iolog_dir@> by default) using a unique session ID that -is included in the normal B log line, prefixed with "C". - -Output logs may be viewed with the L utility, which -can also be used to list or search the available logs. - -=item log_year - -If set, the four-digit year will be logged in the (non-syslog) B log file. -This flag is I by default. - -=item long_otp_prompt - -When validating with a One Time Password (OTP) scheme such as -B or B, a two-line prompt is used to make it easier -to cut and paste the challenge to a local window. It's not as -pretty as the default but some people find it more convenient. This -flag is I<@long_otp_prompt@> by default. - -=item mail_always - -Send mail to the I user every time a users runs B. -This flag is I by default. - -=item mail_badpass - -Send mail to the I user if the user running B does not -enter the correct password. This flag is I by default. - -=item mail_no_host - -If set, mail will be sent to the I user if the invoking -user exists in the I file, but is not allowed to run -commands on the current host. This flag is I<@mail_no_host@> by default. - -=item mail_no_perms - -If set, mail will be sent to the I user if the invoking -user is allowed to use B but the command they are trying is not -listed in their I file entry or is explicitly denied. -This flag is I<@mail_no_perms@> by default. - -=item mail_no_user - -If set, mail will be sent to the I user if the invoking -user is not in the I file. This flag is I<@mail_no_user@> -by default. - -=item noexec - -If set, all commands run via B will behave as if the C -tag has been set, unless overridden by a C tag. See the -description of I below as well as the L section at the end of this manual. This flag is I by default. - -=item path_info - -Normally, B will tell the user when a command could not be -found in their C environment variable. Some sites may wish -to disable this as it could be used to gather information on the -location of executables that the normal user does not have access -to. The disadvantage is that if the executable is simply not in -the user's C, B will tell the user that they are not -allowed to run it, which can be confusing. This flag is I<@path_info@> -by default. - -=item passprompt_override - -The password prompt specified by I will normally only -be used if the password prompt provided by systems such as PAM matches -the string "Password:". If I is set, I -will always be used. This flag is I by default. - -=item preserve_groups - -By default, B will initialize the group vector to the list of -groups the target user is in. When I is set, the -user's existing group vector is left unaltered. The real and -effective group IDs, however, are still set to match the target -user. This flag is I by default. - -=item pwfeedback - -By default, B reads the password like most other Unix programs, -by turning off echo until the user hits the return (or enter) key. -Some users become confused by this as it appears to them that B -has hung at this point. When I is set, B will -provide visual feedback when the user presses a key. Note that -this does have a security impact as an onlooker may be able to -determine the length of the password being entered. -This flag is I by default. - -=item requiretty - -If set, B will only run when the user is logged in to a real -tty. When this flag is set, B can only be run from a login -session and not via other means such as L or cgi-bin scripts. -This flag is I by default. - -=item root_sudo - -If set, root is allowed to run B too. Disabling this prevents users -from "chaining" B commands to get a root shell by doing something -like C<"sudo sudo /bin/sh">. Note, however, that turning off I -will also prevent root from running B. -Disabling I provides no real additional security; it -exists purely for historical reasons. -This flag is I<@root_sudo@> by default. - -=item rootpw - -If set, B will prompt for the root password instead of the password -of the invoking user. This flag is I by default. - -=item runaspw - -If set, B will prompt for the password of the user defined by the -I option (defaults to C<@runas_default@>) instead of the -password of the invoking user. This flag is I by default. - -=item set_home - -If enabled and B is invoked with the B<-s> option the C -environment variable will be set to the home directory of the target -user (which is root unless the B<-u> option is used). This effectively -makes the B<-s> option imply B<-H>. Note that C is already -set when the the I option is enabled, so I is -only effective for configurations where either I is disabled -or C is present in the I list. -This flag is I by default. - -=item set_logname - -Normally, B will set the C, C and C -environment variables to the name of the target user (usually root -unless the B<-u> option is given). However, since some programs -(including the RCS revision control system) use C to -determine the real identity of the user, it may be desirable to -change this behavior. This can be done by negating the set_logname -option. Note that if the I option has not been disabled, -entries in the I list will override the value of -I. This flag is I by default. - -=item setenv - -Allow the user to disable the I option from the command -line. Additionally, environment variables set via the command line -are not subject to the restrictions imposed by I, -I, or I. As such, only trusted users should -be allowed to set variables in this manner. This flag is I -by default. - -=item shell_noargs - -If set and B is invoked with no arguments it acts as if the -B<-s> option had been given. That is, it runs a shell as root (the -shell is determined by the C environment variable if it is -set, falling back on the shell listed in the invoking user's -/etc/passwd entry if not). This flag is I by default. - -=item stay_setuid - -Normally, when B executes a command the real and effective -UIDs are set to the target user (root by default). This option -changes that behavior such that the real UID is left as the invoking -user's UID. In other words, this makes B act as a setuid -wrapper. This can be useful on systems that disable some potentially -dangerous functionality when a program is run setuid. This option -is only effective on systems with either the setreuid() or setresuid() -function. This flag is I by default. - -=item targetpw - -If set, B will prompt for the password of the user specified -by the B<-u> option (defaults to C) instead of the password -of the invoking user. In addition, the timestamp file name will -include the target user's name. Note that this flag precludes the -use of a uid not listed in the passwd database as an argument to -the B<-u> option. This flag is I by default. - -=item tty_tickets - -If set, users must authenticate on a per-tty basis. With this flag -enabled, B will use a file named for the tty the user is -logged in on in the user's time stamp directory. If disabled, the -time stamp of the directory is used instead. This flag is -I<@tty_tickets@> by default. - -=item umask_override - -If set, B will set the umask as specified by I without -modification. This makes it possible to specify a more permissive -umask in I than the user's own umask and matches historical -behavior. If I is not set, B will set the -umask to be the union of the user's umask and what is specified in -I. This flag is I<@umask_override@> by default. - -=item use_loginclass - -If set, B will apply the defaults specified for the target user's -login class if one exists. Only available if B is configured with -the --with-logincap option. This flag is I by default. - -=item use_pty - -If set, B will run the command in a pseudo-pty even if no I/O -logging is being gone. A malicious program run under B could -conceivably fork a background process that retains to the user's -terminal device after the main program has finished executing. Use -of this option will make that impossible. - -=item visiblepw - -By default, B will refuse to run if the user must enter a -password but it is not possible to disable echo on the terminal. -If the I flag is set, B will prompt for a password -even when it would be visible on the screen. This makes it possible -to run things like C<"ssh somehost sudo ls"> since by default, L does -not allocate a tty when running a command. This flag is I by default. - -=back - -B: - -=over 16 - -=item closefrom - -Before it executes a command, B will close all open file -descriptors other than standard input, standard output and standard -error (ie: file descriptors 0-2). The I option can be used -to specify a different file descriptor at which to start closing. -The default is C<3>. - -=item passwd_tries - -The number of tries a user gets to enter his/her password before -B logs the failure and exits. The default is C<@passwd_tries@>. - -=back - -B: - -=over 16 - -=item loglinelen - -Number of characters per line for the file log. This value is used -to decide when to wrap lines for nicer log files. This has no -effect on the syslog log file, only the file log. The default is -C<@loglen@> (use 0 or negate the option to disable word wrap). - -=item passwd_timeout - -Number of minutes before the B password prompt times out, or -C<0> for no timeout. The timeout may include a fractional component -if minute granularity is insufficient, for example C<2.5>. The -default is C<@password_timeout@>. - -=item timestamp_timeout - -Number of minutes that can elapse before B will ask for a -passwd again. The timeout may include a fractional component if -minute granularity is insufficient, for example C<2.5>. The default -is C<@timeout@>. Set this to C<0> to always prompt for a password. -If set to a value less than C<0> the user's timestamp will never -expire. This can be used to allow users to create or delete their -own timestamps via C and C respectively. - -=item umask - -Umask to use when running the command. Negate this option or set -it to 0777 to preserve the user's umask. The actual umask that is -used will be the union of the user's umask and the value of the -I option, which defaults to C<@sudo_umask@>. This guarantees -that B never lowers the umask when running a command. Note -on systems that use PAM, the default PAM configuration may specify -its own umask which will override the value set in I. - -=back - -B: - -=over 16 - -=item badpass_message - -Message that is displayed if a user enters an incorrect password. -The default is C<@badpass_message@> unless insults are enabled. - -=item editor - -A colon (':') separated list of editors allowed to be used with -B. B will choose the editor that matches the user's -EDITOR environment variable if possible, or the first editor in the -list that exists and is executable. The default is C<"@editor@">. - -=item iolog_dir - -The directory in which to store input/output logs when the I -or I options are enabled or when the C or -C tags are present for a command. -The default is C<"@iolog_dir@">. - -=item mailsub - -Subject of the mail sent to the I user. The escape C<%h> -will expand to the host name of the machine. -Default is "C<@mailsub@>". - -=item noexec_file - -Path to a shared library containing dummy versions of the execv(), -execve() and fexecve() library functions that just return an error. -This is used to implement the I functionality on systems that -support C or its equivalent. Defaults to F<@noexec_file@>. - -=item passprompt - -The default prompt to use when asking for a password; can be overridden -via the B<-p> option or the C environment variable. -The following percent (`C<%>') escapes are supported: - -=over 4 - -=item C<%H> - -expanded to the local host name including the domain name -(on if the machine's host name is fully qualified or the I -option is set) - -=item C<%h> - -expanded to the local host name without the domain name - -=item C<%p> - -expanded to the user whose password is being asked for (respects the -I, I and I flags in I) - -=item C<%U> - -expanded to the login name of the user the command will -be run as (defaults to root) - -=item C<%u> - -expanded to the invoking user's login name - -=item C<%%> - -two consecutive C<%> characters are collapsed into a single C<%> character - -=back - -The default value is "C<@passprompt@>". - -=item role - -The default SELinux role to use when constructing a new security -context to run the command. The default role may be overridden on -a per-command basis in I or via command line options. -This option is only available whe B is built with SELinux support. - -=item runas_default - -The default user to run commands as if the B<-u> option is not specified -on the command line. This defaults to C<@runas_default@>. - -=item syslog_badpri - -Syslog priority to use when user authenticates unsuccessfully. -Defaults to C<@badpri@>. - -The following syslog priorities are supported: B, B, -B, B, B, B, B, and B. - -=item syslog_goodpri - -Syslog priority to use when user authenticates successfully. -Defaults to C<@goodpri@>. - -See L for the list of supported syslog priorities. - -=item sudoers_locale - -Locale to use when parsing the sudoers file, logging commands, and -sending email. Note that changing the locale may affect how sudoers -is interpreted. Defaults to C<"C">. - -=item timestampdir - -The directory in which B stores its timestamp files. -The default is F<@timedir@>. - -=item timestampowner - -The owner of the timestamp directory and the timestamps stored therein. -The default is C. - -=item type - -The default SELinux type to use when constructing a new security -context to run the command. The default type may be overridden on -a per-command basis in I or via command line options. -This option is only available whe B is built with SELinux support. - -=back - -B: - -=over 12 - -=item askpass - -The I option specifies the fully qualified path to a helper -program used to read the user's password when no terminal is -available. This may be the case when B is executed from a -graphical (as opposed to text-based) application. The program -specified by I should display the argument passed to it -as the prompt and write the user's password to the standard output. -The value of I may be overridden by the C -environment variable. - -=item env_file - -The I option specifies the fully qualified path to a -file containing variables to be set in the environment of the program -being run. Entries in this file should either be of the form -C or C. The value may -optionally be surrounded by single or double quotes. Variables in -this file are subject to other B environment settings such -as I and I. - -=item exempt_group - -Users in this group are exempt from password and PATH requirements. -The group name specified should not include a C<%> prefix. -This is not set by default. - -=item lecture - -This option controls when a short lecture will be printed along with -the password prompt. It has the following possible values: - -=over 8 - -=item always - -Always lecture the user. - -=item never - -Never lecture the user. - -=item once - -Only lecture the user the first time they run B. - -=back - -If no value is specified, a value of I is implied. -Negating the option results in a value of I being used. -The default value is I<@lecture@>. - -=item lecture_file - -Path to a file containing an alternate B lecture that will -be used in place of the standard lecture if the named file exists. -By default, B uses a built-in lecture. - -=item listpw - -This option controls when a password will be required when a -user runs B with the B<-l> option. It has the following possible values: - -=over 8 - -=item all - -All the user's I entries for the current host must have -the C flag set to avoid entering a password. - -=item always - -The user must always enter a password to use the B<-l> option. - -=item any - -At least one of the user's I entries for the current host -must have the C flag set to avoid entering a password. - -=item never - -The user need never enter a password to use the B<-l> option. - -=back - -If no value is specified, a value of I is implied. -Negating the option results in a value of I being used. -The default value is I. - -=item logfile - -Path to the B log file (not the syslog log file). Setting a path -turns on logging to a file; negating this option turns it off. -By default, B logs via syslog. - -=item mailerflags - -Flags to use when invoking mailer. Defaults to B<-t>. - -=item mailerpath - -Path to mail program used to send warning mail. -Defaults to the path to sendmail found at configure time. - -=item mailfrom - -Address to use for the "from" address when sending warning and error -mail. The address should be enclosed in double quotes (C<"">) to -protect against B interpreting the C<@> sign. Defaults to -the name of the user running B. - -=item mailto - -Address to send warning and error mail to. The address should -be enclosed in double quotes (C<"">) to protect against B -interpreting the C<@> sign. Defaults to C<@mailto@>. - -=item secure_path - -Path used for every command run from B. If you don't trust the -people running B to have a sane C environment variable you may -want to use this. Another use is if you want to have the "root path" -be separate from the "user path." Users in the group specified by the -I option are not affected by I. -This option is @secure_path@ by default. - -=item syslog - -Syslog facility if syslog is being used for logging (negate to -disable syslog logging). Defaults to C<@logfac@>. - -The following syslog facilities are supported: B (if your -OS supports it), B, B, B, B, B, -B, B, B, B, B, and B. - -=item verifypw - -This option controls when a password will be required when a user runs -B with the B<-v> option. It has the following possible values: - -=over 8 - -=item all - -All the user's I entries for the current host must have -the C flag set to avoid entering a password. - -=item always - -The user must always enter a password to use the B<-v> option. - -=item any - -At least one of the user's I entries for the current host -must have the C flag set to avoid entering a password. - -=item never - -The user need never enter a password to use the B<-v> option. - -=back - -If no value is specified, a value of I is implied. -Negating the option results in a value of I being used. -The default value is I. - -=back - -B: - -=over 16 - -=item env_check - -Environment variables to be removed from the user's environment if -the variable's value contains C<%> or C characters. This can -be used to guard against printf-style format vulnerabilities in -poorly-written programs. The argument may be a double-quoted, -space-separated list or a single value without double-quotes. The -list can be replaced, added to, deleted from, or disabled by using -the C<=>, C<+=>, C<-=>, and C operators respectively. Regardless -of whether the C option is enabled or disabled, variables -specified by C will be preserved in the environment if -they pass the aforementioned check. The default list of environment -variables to check is displayed when B is run by root with -the B<-V> option. - -=item env_delete - -Environment variables to be removed from the user's environment -when the I option is not in effect. The argument may -be a double-quoted, space-separated list or a single value without -double-quotes. The list can be replaced, added to, deleted from, -or disabled by using the C<=>, C<+=>, C<-=>, and C operators -respectively. The default list of environment variables to remove -is displayed when B is run by root with the B<-V> option. -Note that many operating systems will remove potentially dangerous -variables from the environment of any setuid process (such as -B). - -=item env_keep - -Environment variables to be preserved in the user's environment -when the I option is in effect. This allows fine-grained -control over the environment B-spawned processes will receive. -The argument may be a double-quoted, space-separated list or a -single value without double-quotes. The list can be replaced, added -to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and -C operators respectively. The default list of variables to keep -is displayed when B is run by root with the B<-V> option. - -=back - -=head1 FILES - -=over 24 - -=item F<@sysconfdir@/sudoers> - -List of who can run what - -=item F - -Local groups file - -=item F - -List of network groups - -=item F<@iolog_dir@> - -I/O log files - -=back - -=head1 EXAMPLES - -Below are example I entries. Admittedly, some of -these are a bit contrived. First, we allow a few environment -variables to pass and then define our I: - - # Run X applications through sudo; HOME is used to find the - # .Xauthority file. Note that other programs use HOME to find - # configuration files and this may lead to privilege escalation! - Defaults env_keep += "DISPLAY HOME" - - # User alias specification - User_Alias FULLTIMERS = millert, mikef, dowdy - User_Alias PARTTIMERS = bostley, jwfox, crawl - User_Alias WEBMASTERS = will, wendy, wim - - # Runas alias specification - Runas_Alias OP = root, operator - Runas_Alias DB = oracle, sybase - Runas_Alias ADMINGRP = adm, oper - - # Host alias specification - Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns - Host_Alias CDROM = orion, perseus, hercules - - # Cmnd alias specification - Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ - /usr/sbin/restore, /usr/sbin/rrestore - Cmnd_Alias KILL = /usr/bin/kill - Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm - Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown - Cmnd_Alias HALT = /usr/sbin/halt - Cmnd_Alias REBOOT = /usr/sbin/reboot - Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ - /usr/local/bin/tcsh, /usr/bin/rsh,\ - /usr/local/bin/zsh - Cmnd_Alias SU = /usr/bin/su - Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - -Here we override some of the compiled in default values. We want -B to log via L using the I facility in all -cases. We don't want to subject the full time staff to the B -lecture, user B need not give a password, and we don't -want to reset the C, C or C environment -variables when running commands as root. Additionally, on the -machines in the I C, we keep an additional -local log file and make sure we log the year in each log line since -the log entries will be kept around for several years. Lastly, we -disable shell escapes for the commands in the PAGERS C -(F, F and F). - - # Override built-in defaults - Defaults syslog=auth - Defaults>root !set_logname - Defaults:FULLTIMERS !lecture - Defaults:millert !authenticate - Defaults@SERVERS log_year, logfile=/var/log/sudo.log - Defaults!PAGERS noexec - -The I is the part that actually determines who may -run what. - - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL - -We let B and any user in group B run any command on any -host as any user. - - FULLTIMERS ALL = NOPASSWD: ALL - -Full time sysadmins (B, B, and B) may run any -command on any host without authenticating themselves. - - PARTTIMERS ALL = ALL - -Part time sysadmins (B, B, and B) may run any -command on any host but they must authenticate themselves first -(since the entry lacks the C tag). - - jack CSNETS = ALL - -The user B may run any command on the machines in the I alias -(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>). -Of those networks, only C<128.138.204.0> has an explicit netmask (in -CIDR notation) indicating it is a class C network. For the other -networks in I, the local machine's netmask will be used -during matching. - - lisa CUNETS = ALL - -The user B may run any command on any host in the I alias -(the class B network C<128.138.0.0>). - - operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ - sudoedit /etc/printcap, /usr/oper/bin/ - -The B user may run commands limited to simple maintenance. -Here, those are commands related to backups, killing processes, the -printing system, shutting down the system, and any commands in the -directory F. - - joe ALL = /usr/bin/su operator - -The user B may only L to operator. - - pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root - - %opers ALL = (: ADMINGRP) /usr/sbin/ - -Users in the B group may run commands in F as themselves -with any group in the I C (the B and B -groups). - -The user B is allowed to change anyone's password except for -root on the I machines. Note that this assumes L -does not take multiple user names on the command line. - - bob SPARC = (OP) ALL : SGI = (OP) ALL - -The user B may run anything on the I and I machines -as any user listed in the I C (B and B). - - jim +biglab = ALL - -The user B may run any command on machines in the I netgroup. -B knows that "biglab" is a netgroup due to the '+' prefix. - - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - -Users in the B netgroup need to help manage the printers -as well as add and remove users, so they are allowed to run those -commands on all machines. - - fred ALL = (DB) NOPASSWD: ALL - -The user B can run commands as any user in the I C -(B or B) without giving a password. - - john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - -On the I machines, user B may su to anyone except root -but he is not allowed to specify any options to the L command. - - jen ALL, !SERVERS = ALL - -The user B may run any command on any machine except for those -in the I C (master, mail, www and ns). - - jill SERVERS = /usr/bin/, !SU, !SHELLS - -For any machine in the I C, B may run -any commands in the directory F except for those commands -belonging to the I and I C. - - steve CSNETS = (operator) /usr/local/op_commands/ - -The user B may run any command in the directory /usr/local/op_commands/ -but only as user operator. - - matt valkyrie = KILL - -On his personal workstation, valkyrie, B needs to be able to -kill hung processes. - - WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - -On the host www, any user in the I C (will, -wendy, and wim), may run any command as user www (which owns the -web pages) or simply L to www. - - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM - -Any user may mount or unmount a CD-ROM on the machines in the CDROM -C (orion, perseus, hercules) without entering a password. -This is a bit tedious for users to type, so it is a prime candidate -for encapsulating in a shell script. - -=head1 SECURITY NOTES - -It is generally not effective to "subtract" commands from C -using the '!' operator. A user can trivially circumvent this -by copying the desired command to a different name and then -executing that. For example: - - bill ALL = ALL, !SU, !SHELLS - -Doesn't really prevent B from running the commands listed in -I or I since he can simply copy those commands to a -different name, or use a shell escape from an editor or other -program. Therefore, these kind of restrictions should be considered -advisory at best (and reinforced by policy). - -Furthermore, if the I option is in use, it is not possible -to reliably negate commands where the path name includes globbing -(aka wildcard) characters. This is because the C library's -L function cannot resolve relative paths. While this -is typically only an inconvenience for rules that grant privileges, -it can result in a security issue for rules that subtract or revoke -privileges. - -For example, given the following I entry: - - john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ - /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root - -User B can still run C if I is -enabled by changing to F and running C<./passwd root> instead. - -=head1 PREVENTING SHELL ESCAPES - -Once B executes a program, that program is free to do whatever -it pleases, including run other programs. This can be a security -issue since it is not uncommon for a program to allow shell escapes, -which lets a user bypass B's access control and logging. -Common programs that permit shell escapes include shells (obviously), -editors, paginators, mail and terminal programs. - -There are two basic approaches to this problem: - -=over 10 - -=item restrict - -Avoid giving users access to commands that allow the user to run -arbitrary commands. Many editors have a restricted mode where shell -escapes are disabled, though B is a better solution to -running editors via B. Due to the large number of programs that -offer shell escapes, restricting users to the set of programs that -do not is often unworkable. - -=item noexec - -Many systems that support shared libraries have the ability to -override default library functions by pointing an environment -variable (usually C) to an alternate shared library. -On such systems, B's I functionality can be used to -prevent a program run by B from executing any other programs. -Note, however, that this applies only to native dynamically-linked -executables. Statically-linked executables and foreign executables -running under binary emulation are not affected. - -To tell whether or not B supports I, you can run -the following as root: - - sudo -V | grep "dummy exec" - -If the resulting output contains a line that begins with: - - File containing dummy exec functions: - -then B may be able to replace the exec family of functions -in the standard library with its own that simply return an error. -Unfortunately, there is no foolproof way to know whether or not -I will work at compile-time. I should work on -SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX -11.x. It is known B to work on AIX and UnixWare. I -is expected to work on most operating systems that support the -C environment variable. Check your operating system's -manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, -dld.sl, rld, or loader) to see if C is supported. - -To enable I for a command, use the C tag as documented -in the User Specification section above. Here is that example again: - - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - -This allows user B to run F and F -with I enabled. This will prevent those two commands from -executing other commands (such as a shell). If you are unsure -whether or not your system is capable of supporting I you -can always just try it out and see if it works. - -=back - -Note that restricting shell escapes is not a panacea. Programs -running as root are still capable of many potentially hazardous -operations (such as changing or overwriting files) that could lead -to unintended privilege escalation. In the specific case of an -editor, a safer approach is to give the user permission to run -B. - -=head1 SEE ALSO - -L, L, L, L, L, L - -=head1 CAVEATS - -The I file should B be edited by the B -command which locks the file and does grammatical checking. It is -imperative that I be free of syntax errors since B -will not run with a syntactically incorrect I file. - -When using netgroups of machines (as opposed to users), if you -store fully qualified host name in the netgroup (as is usually the -case), you either need to have the machine's host name be fully qualified -as returned by the C command or use the I option in -I. - -=head1 BUGS - -If you feel you have found a bug in B, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ - -=head1 SUPPORT - -Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or -search the archives. - -=head1 DISCLAIMER - -B is provided ``AS IS'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the LICENSE -file distributed with B or http://www.sudo.ws/sudo/license.html -for complete details. diff --git a/sudoreplay.cat b/sudoreplay.cat index 6d63485a9..997493b47 100644 --- a/sudoreplay.cat +++ b/sudoreplay.cat @@ -1,55 +1,54 @@ -SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) - - +SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m) NNAAMMEE - sudoreplay - replay sudo session logs + ssuuddoorreeppllaayy - replay sudo session logs SSYYNNOOPPSSIISS - ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t] - [--ss _s_p_e_e_d___f_a_c_t_o_r] ID + ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t] + [--ss _s_p_e_e_d___f_a_c_t_o_r] ID - ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] -l [search expression] + ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] --ll [search expression] DDEESSCCRRIIPPTTIIOONN - ssuuddoorreeppllaayy plays back or lists the session logs created by ssuuddoo. When - replaying, ssuuddoorreeppllaayy can play the session back in real-time, or the - playback speed may be adjusted (faster or slower) based on the command - line options. The _I_D should be a six character sequence of digits and - upper case letters, e.g. 0100A5, which is logged by ssuuddoo when a - command is run with session logging enabled. + ssuuddoorreeppllaayy plays back or lists the output logs created by ssuuddoo. When + replaying, ssuuddoorreeppllaayy can play the session back in real-time, or the + playback speed may be adjusted (faster or slower) based on the command + line options. + + The _I_D should be a six character sequence of digits and upper case + letters, e.g. 0100A5. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t + enabled in the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or to + the ssuuddoo log file. The _I_D may also be determined using ssuuddoorreeppllaayy's list + mode. - In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based - on a number of criteria such as the user, tty or command run. + In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based on + a number of criteria such as the user, tty or command run. - In replay mode, if the standard output has not been redirected, - ssuuddoorreeppllaayy will act on the following keys: + In replay mode, if the standard output has not been redirected, + ssuuddoorreeppllaayy will act on the following keys: - ' ' (space) - Pause output; press any key to resume. + ` ' (space) Pause output; press any key to resume. - '<' Reduce the playback speed by one half. + `<' Reduce the playback speed by one half. - '>' Double the playback speed. + `>' Double the playback speed. -OOPPTTIIOONNSS - ssuuddoorreeppllaayy accepts the following command line options: + The options are as follows: - -d _d_i_r_e_c_t_o_r_y - Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the + --dd _d_i_r_e_c_t_o_r_y Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the default, _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. - -f _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's - standard output, standard error and tty output. The _-_f + --ff _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's + standard output, standard error and tty output. The --ff option can be used to select which of these to output. The _f_i_l_t_e_r argument is a comma-separated list, consisting of one or more of following: _s_t_d_o_u_t, _s_t_d_e_r_r, and _t_t_y_o_u_t. - -h The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short + --hh The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short help message to the standard output and exit. - -l [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n] - Enable "list mode". In this mode, ssuuddoorreeppllaayy will list + --ll [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n] + Enable ``list mode''. In this mode, ssuuddoorreeppllaayy will list available sessions in a format similar to the ssuuddoo log file format, sorted by file name (or sequence number). If a _s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is specified, it will be used to restrict @@ -70,7 +69,7 @@ OOPPTTIIOONNSS fromdate _d_a_t_e Evaluates to true if the command was run on or - after _d_a_t_e. See "Date and time format" for a + after _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a description of supported date and time formats. group _r_u_n_a_s___g_r_o_u_p @@ -86,13 +85,13 @@ OOPPTTIIOONNSS todate _d_a_t_e Evaluates to true if the command was run on or - prior to _d_a_t_e. See "Date and time format" for a + prior to _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a description of supported date and time formats. tty _t_t_y _n_a_m_e Evaluates to true if the command was run on the specified terminal device. The _t_t_y _n_a_m_e should be - specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1 + specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1 instead of _/_d_e_v_/_t_t_y_0_1. user _u_s_e_r _n_a_m_e @@ -104,21 +103,21 @@ OOPPTTIIOONNSS character). Predicates may be combined using _a_n_d, _o_r and _! operators as - well as '(' and ')' for grouping (note that parentheses - must generally be escaped from the shell). The _a_n_d - operator is optional, adjacent predicates have an implied - _a_n_d unless separated by an _o_r. + well as `(' and `)' grouping (note that parentheses must + generally be escaped from the shell). The _a_n_d operator is + optional, adjacent predicates have an implied _a_n_d unless + separated by an _o_r. - -m _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key + --mm _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key presses or output data. By default, ssuuddoorreeppllaayy will accurately reproduce the delays between key presses or program output. However, this can be tedious when the - session includes long pauses. When the _-_m option is + session includes long pauses. When the --mm option is specified, ssuuddoorreeppllaayy will limit these pauses to at most _m_a_x___w_a_i_t seconds. The value may be specified as a floating point number, e.g. _2_._5. - -s _s_p_e_e_d___f_a_c_t_o_r + --ss _s_p_e_e_d___f_a_c_t_o_r This option causes ssuuddoorreeppllaayy to adjust the number of seconds it will wait between key presses or program output. This can be used to slow down or speed up the display. For @@ -126,135 +125,132 @@ OOPPTTIIOONNSS fast whereas a _s_p_e_e_d___f_a_c_t_o_r of _._5 would make the output twice as slow. - -V The --VV (version) option causes ssuuddoorreeppllaayy to print its + --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoorreeppllaayy to print its version number and exit. DDaattee aanndd ttiimmee ffoorrmmaatt - The time and date may be specified multiple ways, common formats - include: + The time and date may be specified multiple ways, common formats include: - HH:MM:SS am MM/DD/CCYY timezone - 24 hour time may be used in place of am/pm. + HH:MM:SS am MM/DD/CCYY timezone + 24 hour time may be used in place of am/pm. - HH:MM:SS am Month, Day Year timezone - 24 hour time may be used in place of am/pm, and month and day - names may be abbreviated. Note that month and day of the week - names must be specified in English. + HH:MM:SS am Month, Day Year timezone + 24 hour time may be used in place of am/pm, and month and day + names may be abbreviated. Note that month and day of the week + names must be specified in English. - CCYY-MM-DD HH:MM:SS - ISO time format + CCYY-MM-DD HH:MM:SS + ISO time format - DD Month CCYY HH:MM:SS - The month name may be abbreviated. + DD Month CCYY HH:MM:SS + The month name may be abbreviated. - Either time or date may be omitted, the am/pm and timezone are - optional. If no date is specified, the current day is assumed; if no - time is specified, the first second of the specified date is used. The - less significant parts of both time and date may also be omitted, in - which case zero is assumed. + Either time or date may be omitted, the am/pm and timezone are optional. + If no date is specified, the current day is assumed; if no time is + specified, the first second of the specified date is used. The less + significant parts of both time and date may also be omitted, in which + case zero is assumed. - The following are all valid time and date specifications: + The following are all valid time and date specifications: - now The current time and date. + now The current time and date. - tomorrow - Exactly one day from now. + tomorrow + Exactly one day from now. - yesterday - 24 hours ago. + yesterday + 24 hours ago. - 2 hours ago - 2 hours ago. + 2 hours ago + 2 hours ago. - next Friday - The first second of the next Friday. + next Friday + The first second of the next Friday. - this week - The current time but the first day of the coming week. + this week + The current time but the first day of the coming week. - a fortnight ago - The current time but 14 days ago. + a fortnight ago + The current time but 14 days ago. - 10:01 am 9/17/2009 - 10:01 am, September 17, 2009. + 10:01 am 9/17/2009 + 10:01 am, September 17, 2009. - 10:01 am - 10:01 am on the current day. + 10:01 am + 10:01 am on the current day. - 10 10:00 am on the current day. + 10 10:00 am on the current day. - 9/17/2009 - 00:00 am, September 17, 2009. + 9/17/2009 + 00:00 am, September 17, 2009. - 10:01 am Sep 17, 2009 - 10:01 am, September 17, 2009. + 10:01 am Sep 17, 2009 + 10:01 am, September 17, 2009. FFIILLEESS - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o The default I/O log directory. + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o The default I/O log directory. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_l_o_g + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_l_o_g Example session log info. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_i_n + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_i_n Example session standard input log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_o_u_t + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_o_u_t Example session standard output log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_e_r_r + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_s_t_d_e_r_r Example session standard error log. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_i_n + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_i_n Example session tty input file. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_o_u_t + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_t_y_o_u_t Example session tty output file. - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_i_m_i_n_g + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o_/_0_0_/_0_0_/_0_1_/_t_i_m_i_n_g Example session timing file. - Note that the _s_t_d_i_n, _s_t_d_o_u_t and _s_t_d_e_r_r files will be empty unless ssuuddoo - was used as part of a pipeline for a particular command. + Note that the _s_t_d_i_n, _s_t_d_o_u_t and _s_t_d_e_r_r files will be empty unless ssuuddoo + was used as part of a pipeline for a particular command. EEXXAAMMPPLLEESS - List sessions run by user _m_i_l_l_e_r_t: + List sessions run by user _m_i_l_l_e_r_t: - # sudoreplay -l user millert + # sudoreplay -l user millert - List sessions run by user _b_o_b with a command containing the string vi: + List sessions run by user _b_o_b with a command containing the string vi: - # sudoreplay -l user bob command vi + # sudoreplay -l user bob command vi - List sessions run by user _j_e_f_f that match a regular expression: + List sessions run by user _j_e_f_f that match a regular expression: - # sudoreplay -l user jeff command '/bin/[a-z]*sh' + # sudoreplay -l user jeff command '/bin/[a-z]*sh' - List sessions run by jeff or bob on the console: + List sessions run by jeff or bob on the console: - # sudoreplay -l ( user jeff or user bob ) tty console + # sudoreplay -l ( user jeff or user bob ) tty console SSEEEE AALLSSOO - _s_u_d_o(1m), _s_c_r_i_p_t(1) + sudo(1m), script(1) AAUUTTHHOORRSS - Todd C. Miller + Todd C. Miller BBUUGGSS - If you feel you have found a bug in ssuuddoorreeppllaayy, please submit a bug - report at http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in ssuuddoorreeppllaayy, please submit a bug + report at http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. - - + ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. -1.7.10 July 18, 2012 SUDOREPLAY(1m) +Sudo 1.7.10 July 12, 2012 Sudo 1.7.10 diff --git a/sudoreplay.man.in b/sudoreplay.man.in index a8c6f04ad..62fb61f03 100644 --- a/sudoreplay.man.in +++ b/sudoreplay.man.in @@ -1,9 +1,12 @@ -.\" Copyright (c) 2009-2010 Todd C. Miller -.\" +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in +.\" +.\" Copyright (c) 2009-2012 Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -12,405 +15,395 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== .\" -.IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l +.TH "SUDOREPLAY" "@mansectsu@" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh +.if n .ad l .SH "NAME" -sudoreplay \- replay sudo session logs +\fBsudoreplay\fR +\- replay sudo session logs .SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] [\fB\-f\fR\ \fIfilter\fR] [\fB\-m\fR\ \fImax_wait\fR] [\fB\-s\fR\ \fIspeed_factor\fR] \s-1ID\s0 -.PP -\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] \-l [search\ expression] +.HP 11n +\fBsudoreplay\fR +[\fB\-h\fR] +[\fB\-d\fR\ \fIdirectory\fR] +[\fB\-f\fR\ \fIfilter\fR] +[\fB\-m\fR\ \fImax_wait\fR] +[\fB\-s\fR\ \fIspeed_factor\fR] +ID +.HP 11n +\fBsudoreplay\fR +[\fB\-h\fR] +[\fB\-d\fR\ \fIdirectory\fR] +\fB\-l\fR +[search expression] .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBsudoreplay\fR plays back or lists the session logs created by -\&\fBsudo\fR. When replaying, \fBsudoreplay\fR can play the session back -in real-time, or the playback speed may be adjusted (faster or -slower) based on the command line options. The \fI\s-1ID\s0\fR should be -a six character sequence of digits and upper case letters, e.g. -0100A5, which is logged by \fBsudo\fR when a command is run with -session logging enabled. +\fBsudoreplay\fR +plays back or lists the output logs created by +\fBsudo\fR. +When replaying, +\fBsudoreplay\fR +can play the session back in real-time, or the playback speed may be +adjusted (faster or slower) based on the command line options. +.PP +The +\fIID\fR +should be a six character sequence of digits and +upper case letters, e.g.\& +\fR0100A5\fR. +When a command is run via +\fBsudo\fR +with +\fIlog_output\fR +enabled in the +\fIsudoers\fR +file, a +\fRTSID=ID\fR +string is logged via syslog or to the +\fBsudo\fR +log file. +The +\fIID\fR +may also be determined using +\fBsudoreplay\fR's +list mode. .PP -In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session -based on a number of criteria such as the user, tty or command run. +In list mode, +\fBsudoreplay\fR +can be used to find the ID of a session based on a number of criteria +such as the user, tty or command run. .PP In replay mode, if the standard output has not been redirected, -\&\fBsudoreplay\fR will act on the following keys: -.IP "' ' (space)" 8 -.IX Item "' ' (space)" +\fBsudoreplay\fR +will act on the following keys: +.TP 14n +`\fR\ \fR' (space) Pause output; press any key to resume. -.IP "'<'" 8 +.TP 14n +`<' Reduce the playback speed by one half. -.IP "'>'" 8 +.TP 14n +`>' Double the playback speed. -.SH "OPTIONS" -.IX Header "OPTIONS" -\&\fBsudoreplay\fR accepts the following command line options: -.IP "\-d \fIdirectory\fR" 12 -.IX Item "-d directory" -Use \fIdirectory\fR to for the session logs instead of the default, -\&\fI@iolog_dir@\fR. -.IP "\-f \fIfilter\fR" 12 -.IX Item "-f filter" -By default, \fBsudoreplay\fR will play back the command's standard -output, standard error and tty output. The \fI\-f\fR option can be -used to select which of these to output. The \fIfilter\fR argument -is a comma-separated list, consisting of one or more of following: -\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR. -.IP "\-h" 12 -.IX Item "-h" -The \fB\-h\fR (\fIhelp\fR) option causes \fBsudoreplay\fR to print a short -help message to the standard output and exit. -.IP "\-l [\fIsearch expression\fR]" 12 -.IX Item "-l [search expression]" -Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available -sessions in a format similar to the \fBsudo\fR log file format, sorted -by file name (or sequence number). If a \fIsearch expression\fR is -specified, it will be used to restrict the IDs that are displayed. +.PP +The options are as follows: +.TP 14n +\fB\-d\fR \fIdirectory\fR +.br +Use +\fIdirectory\fR +to for the session logs instead of the default, +\fI@iolog_dir@\fR. +.TP 14n +\fB\-f\fR \fIfilter\fR +By default, +\fBsudoreplay\fR +will play back the command's standard output, standard error and tty output. +The +\fB\-f\fR +option can be used to select which of these to output. +The +\fIfilter\fR +argument is a comma-separated list, consisting of one or more of following: +\fIstdout\fR, +\fIstderr\fR, +and +\fIttyout\fR. +.TP 14n +\fB\-h\fR +The +\fB\-h\fR (\fIhelp\fR) +option causes +\fBsudoreplay\fR +to print a short help message to the standard output and exit. +.TP 14n +\fB\-l\fR [\fIsearch expression\fR] +Enable +``list mode''. +In this mode, +\fBsudoreplay\fR +will list available sessions in a format similar to the +\fBsudo\fR +log file format, sorted by file name (or sequence number). +If a +\fIsearch expression\fR +is specified, it will be used to restrict the IDs that are displayed. An expression is composed of the following predicates: -.RS 12 -.IP "command \fIpattern\fR" 8 -.IX Item "command pattern" -Evaluates to true if the command run matches \fIpattern\fR. -On systems with \s-1POSIX\s0 regular expression support, the pattern may -be an extended regular expression. On systems without \s-1POSIX\s0 regular -expression support, a simple substring match is performed instead. -.IP "cwd \fIdirectory\fR" 8 -.IX Item "cwd directory" +.RS +.TP 8n +command \fIpattern\fR +Evaluates to true if the command run matches +\fIpattern\fR. +On systems with POSIX regular expression support, the pattern may +be an extended regular expression. +On systems without POSIX regular expression support, a simple substring +match is performed instead. +.TP 8n +cwd \fIdirectory\fR Evaluates to true if the command was run with the specified current working directory. -.IP "fromdate \fIdate\fR" 8 -.IX Item "fromdate date" -Evaluates to true if the command was run on or after \fIdate\fR. -See \*(L"Date and time format\*(R" for a description of supported -date and time formats. -.IP "group \fIrunas_group\fR" 8 -.IX Item "group runas_group" +.TP 8n +fromdate \fIdate\fR +Evaluates to true if the command was run on or after +\fIdate\fR. +See +\fIDate and time format\fR +for a description of supported date and time formats. +.TP 8n +group \fIrunas_group\fR Evaluates to true if the command was run with the specified -\&\fIrunas_group\fR. Note that unless a \fIrunas_group\fR was explicitly -specified when \fBsudo\fR was run this field will be empty in the log. -.IP "runas \fIrunas_user\fR" 8 -.IX Item "runas runas_user" -Evaluates to true if the command was run as the specified \fIrunas_user\fR. -Note that \fBsudo\fR runs commands as user \fIroot\fR by default. -.IP "todate \fIdate\fR" 8 -.IX Item "todate date" -Evaluates to true if the command was run on or prior to \fIdate\fR. -See \*(L"Date and time format\*(R" for a description of supported -date and time formats. -.IP "tty \fItty name\fR" 8 -.IX Item "tty tty name" -Evaluates to true if the command was run on the specified terminal -device. The \fItty name\fR should be specified without the \fI/dev/\fR prefix, -e.g. \fItty01\fR instead of \fI/dev/tty01\fR. -.IP "user \fIuser name\fR" 8 -.IX Item "user user name" -Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR. -.RE -.RS 12 -.Sp +\fIrunas_group\fR. +Note that unless a +\fIrunas_group\fR +was explicitly specified when +\fBsudo\fR +was run this field will be empty in the log. +.TP 8n +runas \fIrunas_user\fR +Evaluates to true if the command was run as the specified +\fIrunas_user\fR. +Note that +\fBsudo\fR +runs commands as user +\fIroot\fR +by default. +.TP 8n +todate \fIdate\fR +Evaluates to true if the command was run on or prior to +\fIdate\fR. +See +\fIDate and time format\fR +for a description of supported date and time formats. +.TP 8n +tty \fItty name\fR +Evaluates to true if the command was run on the specified terminal device. +The +\fItty name\fR +should be specified without the +\fI/dev/\fR +prefix, e.g.\& +\fItty01\fR +instead of +\fI/dev/tty01\fR. +.TP 8n +user \fIuser name\fR +Evaluates to true if the ID matches a command run by +\fIuser name\fR. +.PP Predicates may be abbreviated to the shortest unique string (currently all predicates may be shortened to a single character). -.Sp -Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators -as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses -must generally be escaped from the shell). The \fIand\fR operator is -optional, adjacent predicates have an implied \fIand\fR unless separated -by an \fIor\fR. +.sp +Predicates may be combined using +\fIand\fR, +\fIor\fR +and +\fI\&!\fR +operators as well as +`\&(' +and +`\&)' +grouping (note that parentheses must generally be escaped from the shell). +The +\fIand\fR +operator is optional, adjacent predicates have an implied +\fIand\fR +unless separated by an +\fIor\fR. +.PP .RE -.IP "\-m \fImax_wait\fR" 12 -.IX Item "-m max_wait" -Specify an upper bound on how long to wait between key presses or -output data. By default, \fBsudoreplay\fR will accurately reproduce -the delays between key presses or program output. However, this -can be tedious when the session includes long pauses. When the -\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses -to at most \fImax_wait\fR seconds. The value may be specified as a -floating point number, e.g. \fI2.5\fR. -.IP "\-s \fIspeed_factor\fR" 12 -.IX Item "-s speed_factor" -This option causes \fBsudoreplay\fR to adjust the number of seconds -it will wait between key presses or program output. This can be -used to slow down or speed up the display. For example, a -\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas -a \fIspeed_factor\fR of \fI.5\fR would make the output twice as slow. -.IP "\-V" 12 -.IX Item "-V" -The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number +.PD 0 +.TP 14n +\fB\-m\fR \fImax_wait\fR +Specify an upper bound on how long to wait between key presses or output data. +By default, +\fBsudoreplay\fR +will accurately reproduce the delays between key presses or program output. +However, this can be tedious when the session includes long pauses. +When the +\fB\-m\fR +option is specified, +\fBsudoreplay\fR +will limit these pauses to at most +\fImax_wait\fR +seconds. +The value may be specified as a floating point number, e.g.\& +\fI2.5\fR. +.PD +.TP 14n +\fB\-s\fR \fIspeed_factor\fR +This option causes +\fBsudoreplay\fR +to adjust the number of seconds it will wait between key presses or +program output. +This can be used to slow down or speed up the display. +For example, a +\fIspeed_factor\fR +of +\fI2\fR +would make the output twice as fast whereas a +\fIspeed_factor\fR +of +\fI.5\fR +would make the output twice as slow. +.TP 14n +\fB\-V\fR +The +\fB\-V\fR (\fIversion\fR) +option causes +\fBsudoreplay\fR +to print its version number and exit. .SS "Date and time format" -.IX Subsection "Date and time format" The time and date may be specified multiple ways, common formats include: -.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8 -.IX Item "HH:MM:SS am MM/DD/CCYY timezone" +.TP 8n +HH:MM:SS am MM/DD/CCYY timezone 24 hour time may be used in place of am/pm. -.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8 -.IX Item "HH:MM:SS am Month, Day Year timezone" +.TP 8n +HH:MM:SS am Month, Day Year timezone 24 hour time may be used in place of am/pm, and month and day names -may be abbreviated. Note that month and day of the week names must -be specified in English. -.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8 -.IX Item "CCYY-MM-DD HH:MM:SS" -\&\s-1ISO\s0 time format -.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8 -.IX Item "DD Month CCYY HH:MM:SS" +may be abbreviated. +Note that month and day of the week names must be specified in English. +.TP 8n +CCYY-MM-DD HH:MM:SS +ISO time format +.TP 8n +DD Month CCYY HH:MM:SS The month name may be abbreviated. .PP -Either time or date may be omitted, the am/pm and timezone are -optional. If no date is specified, the current day is assumed; if -no time is specified, the first second of the specified date is -used. The less significant parts of both time and date may also -be omitted, in which case zero is assumed. +Either time or date may be omitted, the am/pm and timezone are optional. +If no date is specified, the current day is assumed; if no time is +specified, the first second of the specified date is used. +The less significant parts of both time and date may also be omitted, +in which case zero is assumed. .PP The following are all valid time and date specifications: -.IP "now" 8 -.IX Item "now" +.TP 8n +now The current time and date. -.IP "tomorrow" 8 -.IX Item "tomorrow" +.TP 8n +tomorrow Exactly one day from now. -.IP "yesterday" 8 -.IX Item "yesterday" +.TP 8n +yesterday 24 hours ago. -.IP "2 hours ago" 8 -.IX Item "2 hours ago" +.TP 8n +2 hours ago 2 hours ago. -.IP "next Friday" 8 -.IX Item "next Friday" +.TP 8n +next Friday The first second of the next Friday. -.IP "this week" 8 -.IX Item "this week" +.TP 8n +this week The current time but the first day of the coming week. -.IP "a fortnight ago" 8 -.IX Item "a fortnight ago" +.TP 8n +a fortnight ago The current time but 14 days ago. -.IP "10:01 am 9/17/2009" 8 -.IX Item "10:01 am 9/17/2009" +.TP 8n +10:01 am 9/17/2009 10:01 am, September 17, 2009. -.IP "10:01 am" 8 -.IX Item "10:01 am" +.TP 8n +10:01 am 10:01 am on the current day. -.IP "10" 8 -.IX Item "10" +.TP 8n +10 10:00 am on the current day. -.IP "9/17/2009" 8 -.IX Item "9/17/2009" +.TP 8n +9/17/2009 00:00 am, September 17, 2009. -.IP "10:01 am Sep 17, 2009" 8 -.IX Item "10:01 am Sep 17, 2009" +.TP 8n +10:01 am Sep 17, 2009 10:01 am, September 17, 2009. .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@iolog_dir@\fR" 24 -.el .IP "\fI@iolog_dir@\fR" 24 -.IX Item "@iolog_dir@" +.TP 26n +\fI@iolog_dir@\fR The default I/O log directory. -.ie n .IP "\fI@iolog_dir@/00/00/01/log\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/log\fR" 24 -.IX Item "@iolog_dir@/00/00/01/log" +.TP 26n +\fI@iolog_dir@/00/00/01/log\fR Example session log info. -.ie n .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24 -.IX Item "@iolog_dir@/00/00/01/stdin" +.TP 26n +\fI@iolog_dir@/00/00/01/stdin\fR Example session standard input log. -.ie n .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24 -.IX Item "@iolog_dir@/00/00/01/stdout" +.TP 26n +\fI@iolog_dir@/00/00/01/stdout\fR Example session standard output log. -.ie n .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24 -.IX Item "@iolog_dir@/00/00/01/stderr" +.TP 26n +\fI@iolog_dir@/00/00/01/stderr\fR Example session standard error log. -.ie n .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24 -.IX Item "@iolog_dir@/00/00/01/ttyin" +.TP 26n +\fI@iolog_dir@/00/00/01/ttyin\fR Example session tty input file. -.ie n .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24 -.IX Item "@iolog_dir@/00/00/01/ttyout" +.TP 26n +\fI@iolog_dir@/00/00/01/ttyout\fR Example session tty output file. -.ie n .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24 -.el .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24 -.IX Item "@iolog_dir@/00/00/01/timing" +.TP 26n +\fI@iolog_dir@/00/00/01/timing\fR Example session timing file. .PP -Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty -unless \fBsudo\fR was used as part of a pipeline for a particular -command. +Note that the +\fIstdin\fR, +\fIstdout\fR +and +\fIstderr\fR +files will be empty unless +\fBsudo\fR +was used as part of a pipeline for a particular command. .SH "EXAMPLES" -.IX Header "EXAMPLES" -List sessions run by user \fImillert\fR: -.PP -.Vb 1 -\& # sudoreplay \-l user millert -.Ve -.PP -List sessions run by user \fIbob\fR with a command containing the string vi: -.PP -.Vb 1 -\& # sudoreplay \-l user bob command vi -.Ve +List sessions run by user +\fImillert\fR: +.nf +.sp +.RS 6n +# sudoreplay -l user millert +.RE +.fi .PP -List sessions run by user \fIjeff\fR that match a regular expression: +List sessions run by user +\fIbob\fR +with a command containing the string vi: +.nf +.sp +.RS 6n +# sudoreplay -l user bob command vi +.RE +.fi .PP -.Vb 1 -\& # sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq -.Ve +List sessions run by user +\fIjeff\fR +that match a regular expression: +.nf +.sp +.RS 6n +# sudoreplay -l user jeff command '/bin/[a-z]*sh' +.RE +.fi .PP List sessions run by jeff or bob on the console: -.PP -.Vb 1 -\& # sudoreplay \-l ( user jeff or user bob ) tty console -.Ve +.nf +.sp +.RS 6n +# sudoreplay -l ( user jeff or user bob ) tty console +.RE +.fi .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1) +sudo(@mansectsu@), +script(1) .SH "AUTHORS" -.IX Header "AUTHORS" Todd C. Miller .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBsudoreplay\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBsudoreplay\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/sudoreplay.mdoc.in b/sudoreplay.mdoc.in new file mode 100644 index 000000000..ca3ea3684 --- /dev/null +++ b/sudoreplay.mdoc.in @@ -0,0 +1,368 @@ +.\" +.\" Copyright (c) 2009-2012 Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd July 12, 2012 +.Dt SUDOREPLAY @mansectsu@ +.Os Sudo @PACKAGE_VERSION@ +.Sh NAME +.Nm sudoreplay +.Nd replay sudo session logs +.Sh SYNOPSIS +.Nm sudoreplay +.Op Fl h +.Bk -words +.Op Fl d Ar directory +.Ek +.Bk -words +.Op Fl f Ar filter +.Ek +.Bk -words +.Op Fl m Ar max_wait +.Ek +.Bk -words +.Op Fl s Ar speed_factor +.Ek +ID +.Pp +.Nm sudoreplay +.Op Fl h +.Bk -words +.Op Fl d Ar directory +.Ek +.Fl l +.Op search expression +.Sh DESCRIPTION +.Nm sudoreplay +plays back or lists the output logs created by +.Nm sudo . +When replaying, +.Nm sudoreplay +can play the session back in real-time, or the playback speed may be +adjusted (faster or slower) based on the command line options. +.Pp +The +.Em ID +should be a six character sequence of digits and +upper case letters, e.g.\& +.Li 0100A5 . +When a command is run via +.Nm sudo +with +.Em log_output +enabled in the +.Em sudoers +file, a +.Li TSID=ID +string is logged via syslog or to the +.Nm sudo +log file. +The +.Em ID +may also be determined using +.Nm sudoreplay Ns No 's +list mode. +.Pp +In list mode, +.Nm sudoreplay +can be used to find the ID of a session based on a number of criteria +such as the user, tty or command run. +.Pp +In replay mode, if the standard output has not been redirected, +.Nm sudoreplay +will act on the following keys: +.Bl -tag -width 12n +.It So Li \ Sc No (space) +Pause output; press any key to resume. +.It Ql < +Reduce the playback speed by one half. +.It Ql > +Double the playback speed. +.El +.Pp +The options are as follows: +.Bl -tag -width 12n +.It Fl d Ar directory +Use +.Ar directory +to for the session logs instead of the default, +.Pa @iolog_dir@ . +.It Fl f Ar filter +By default, +.Nm sudoreplay +will play back the command's standard output, standard error and tty output. +The +.Fl f +option can be used to select which of these to output. +The +.Ar filter +argument is a comma-separated list, consisting of one or more of following: +.Em stdout , +.Em stderr , +and +.Em ttyout . +.It Fl h +The +.Fl h No ( Em help Ns No ) +option causes +.Nm sudoreplay +to print a short help message to the standard output and exit. +.It Fl l Op Ar search expression +Enable +.Dq list mode . +In this mode, +.Nm sudoreplay +will list available sessions in a format similar to the +.Nm sudo +log file format, sorted by file name (or sequence number). +If a +.Ar search expression +is specified, it will be used to restrict the IDs that are displayed. +An expression is composed of the following predicates: +.Bl -tag -width 6n +.It command Ar pattern +Evaluates to true if the command run matches +.Ar pattern . +On systems with POSIX regular expression support, the pattern may +be an extended regular expression. +On systems without POSIX regular expression support, a simple substring +match is performed instead. +.It cwd Ar directory +Evaluates to true if the command was run with the specified current +working directory. +.It fromdate Ar date +Evaluates to true if the command was run on or after +.Ar date . +See +.Sx Date and time format +for a description of supported date and time formats. +.It group Ar runas_group +Evaluates to true if the command was run with the specified +.Ar runas_group . +Note that unless a +.Ar runas_group +was explicitly specified when +.Nm sudo +was run this field will be empty in the log. +.It runas Ar runas_user +Evaluates to true if the command was run as the specified +.Ar runas_user . +Note that +.Nm sudo +runs commands as user +.Em root +by default. +.It todate Ar date +Evaluates to true if the command was run on or prior to +.Ar date . +See +.Sx Date and time format +for a description of supported date and time formats. +.It tty Ar tty name +Evaluates to true if the command was run on the specified terminal device. +The +.Ar tty name +should be specified without the +.Pa /dev/ +prefix, e.g.\& +.Pa tty01 +instead of +.Pa /dev/tty01 . +.It user Ar user name +Evaluates to true if the ID matches a command run by +.Ar user name . +.El +.Pp +Predicates may be abbreviated to the shortest unique string (currently +all predicates may be shortened to a single character). +.Pp +Predicates may be combined using +.Em and , +.Em or +and +.Em \&! +operators as well as +.Ql \&( +and +.Ql \&) +grouping (note that parentheses must generally be escaped from the shell). +The +.Em and +operator is optional, adjacent predicates have an implied +.Em and +unless separated by an +.Em or . +.It Fl m Ar max_wait +Specify an upper bound on how long to wait between key presses or output data. +By default, +.Nm sudoreplay +will accurately reproduce the delays between key presses or program output. +However, this can be tedious when the session includes long pauses. +When the +.Fl m +option is specified, +.Nm sudoreplay +will limit these pauses to at most +.Em max_wait +seconds. +The value may be specified as a floating point number, e.g.\& +.Em 2.5 . +.It Fl s Ar speed_factor +This option causes +.Nm sudoreplay +to adjust the number of seconds it will wait between key presses or +program output. +This can be used to slow down or speed up the display. +For example, a +.Ar speed_factor +of +.Em 2 +would make the output twice as fast whereas a +.Ar speed_factor +of +.Em .5 +would make the output twice as slow. +.It Fl V +The +.Fl V No ( Em version Ns No ) +option causes +.Nm sudoreplay +to print its version number +and exit. +.El +.Ss Date and time format +The time and date may be specified multiple ways, common formats include: +.Bl -tag -width 6n +.It HH:MM:SS am MM/DD/CCYY timezone +24 hour time may be used in place of am/pm. +.It HH:MM:SS am Month, Day Year timezone +24 hour time may be used in place of am/pm, and month and day names +may be abbreviated. +Note that month and day of the week names must be specified in English. +.It CCYY-MM-DD HH:MM:SS +ISO time format +.It DD Month CCYY HH:MM:SS +The month name may be abbreviated. +.El +.Pp +Either time or date may be omitted, the am/pm and timezone are optional. +If no date is specified, the current day is assumed; if no time is +specified, the first second of the specified date is used. +The less significant parts of both time and date may also be omitted, +in which case zero is assumed. +.Pp +The following are all valid time and date specifications: +.Bl -tag -width 6n +.It now +The current time and date. +.It tomorrow +Exactly one day from now. +.It yesterday +24 hours ago. +.It 2 hours ago +2 hours ago. +.It next Friday +The first second of the next Friday. +.It this week +The current time but the first day of the coming week. +.It a fortnight ago +The current time but 14 days ago. +.It 10:01 am 9/17/2009 +10:01 am, September 17, 2009. +.It 10:01 am +10:01 am on the current day. +.It 10 +10:00 am on the current day. +.It 9/17/2009 +00:00 am, September 17, 2009. +.It 10:01 am Sep 17, 2009 +10:01 am, September 17, 2009. +.El +.Sh FILES +.Bl -tag -width 24n +.It Pa @iolog_dir@ +The default I/O log directory. +.It Pa @iolog_dir@/00/00/01/log +Example session log info. +.It Pa @iolog_dir@/00/00/01/stdin +Example session standard input log. +.It Pa @iolog_dir@/00/00/01/stdout +Example session standard output log. +.It Pa @iolog_dir@/00/00/01/stderr +Example session standard error log. +.It Pa @iolog_dir@/00/00/01/ttyin +Example session tty input file. +.It Pa @iolog_dir@/00/00/01/ttyout +Example session tty output file. +.It Pa @iolog_dir@/00/00/01/timing +Example session timing file. +.El +.Pp +Note that the +.Em stdin , +.Em stdout +and +.Em stderr +files will be empty unless +.Nm sudo +was used as part of a pipeline for a particular command. +.Sh EXAMPLES +List sessions run by user +.Em millert : +.Bd -literal -offset indent +# sudoreplay -l user millert +.Ed +.Pp +List sessions run by user +.Em bob +with a command containing the string vi: +.Bd -literal -offset indent +# sudoreplay -l user bob command vi +.Ed +.Pp +List sessions run by user +.Em jeff +that match a regular expression: +.Bd -literal -offset indent +# sudoreplay -l user jeff command '/bin/[a-z]*sh' +.Ed +.Pp +List sessions run by jeff or bob on the console: +.Bd -literal -offset indent +# sudoreplay -l ( user jeff or user bob ) tty console +.Ed +.Sh SEE ALSO +.Xr sudo @mansectsu@ , +.Xr script 1 +.Sh AUTHORS +Todd C. Miller +.Sh BUGS +If you feel you have found a bug in +.Nm sudoreplay , +please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.Sh SUPPORT +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. +.Sh DISCLAIMER +.Nm sudoreplay +is provided +.Dq AS IS +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +.Nm sudo +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/sudoreplay.pod b/sudoreplay.pod deleted file mode 100644 index 6418e35f4..000000000 --- a/sudoreplay.pod +++ /dev/null @@ -1,346 +0,0 @@ -Copyright (c) 2009-2010 Todd C. Miller - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -=pod - -=head1 NAME - -sudoreplay - replay sudo session logs - -=head1 SYNOPSIS - -B [B<-h>] S<[B<-d> I]> S<[B<-f> I]> S<[B<-m> I]> S<[B<-s> I]> ID - -B [B<-h>] S<[B<-d> I]> -l S<[search expression]> - -=head1 DESCRIPTION - -B plays back or lists the session logs created by -B. When replaying, B can play the session back -in real-time, or the playback speed may be adjusted (faster or -slower) based on the command line options. The I should be -a six character sequence of digits and upper case letters, e.g. -0100A5, which is logged by B when a command is run with -session logging enabled. - -In list mode, B can be used to find the ID of a session -based on a number of criteria such as the user, tty or command run. - -In replay mode, if the standard output has not been redirected, -B will act on the following keys: - -=over 8 - -=item ' ' (space) - -Pause output; press any key to resume. - -=item '<' - -Reduce the playback speed by one half. - -=item '>' - -Double the playback speed. - -=back - -=head1 OPTIONS - -B accepts the following command line options: - -=over 12 - -=item -d I - -Use I to for the session logs instead of the default, -F<@iolog_dir@>. - -=item -f I - -By default, B will play back the command's standard -output, standard error and tty output. The I<-f> option can be -used to select which of these to output. The I argument -is a comma-separated list, consisting of one or more of following: -I, I, and I. - -=item -h - -The B<-h> (I) option causes B to print a short -help message to the standard output and exit. - -=item -l [I] - -Enable "list mode". In this mode, B will list available -sessions in a format similar to the B log file format, sorted -by file name (or sequence number). If a I is -specified, it will be used to restrict the IDs that are displayed. -An expression is composed of the following predicates: - -=over 8 - -=item command I - -Evaluates to true if the command run matches I. -On systems with POSIX regular expression support, the pattern may -be an extended regular expression. On systems without POSIX regular -expression support, a simple substring match is performed instead. - -=item cwd I - -Evaluates to true if the command was run with the specified current -working directory. - -=item fromdate I - -Evaluates to true if the command was run on or after I. -See L<"Date and time format"> for a description of supported -date and time formats. - -=item group I - -Evaluates to true if the command was run with the specified -I. Note that unless a I was explicitly -specified when B was run this field will be empty in the log. - -=item runas I - -Evaluates to true if the command was run as the specified I. -Note that B runs commands as user I by default. - -=item todate I - -Evaluates to true if the command was run on or prior to I. -See L<"Date and time format"> for a description of supported -date and time formats. - -=item tty I - -Evaluates to true if the command was run on the specified terminal -device. The I should be specified without the F prefix, -e.g. F instead of F. - -=item user I - -Evaluates to true if the ID matches a command run by I. - -=back - -Predicates may be abbreviated to the shortest unique string (currently -all predicates may be shortened to a single character). - -Predicates may be combined using I, I and I operators -as well as C<'('> and C<')'> for grouping (note that parentheses -must generally be escaped from the shell). The I operator is -optional, adjacent predicates have an implied I unless separated -by an I. - -=item -m I - -Specify an upper bound on how long to wait between key presses or -output data. By default, B will accurately reproduce -the delays between key presses or program output. However, this -can be tedious when the session includes long pauses. When the -I<-m> option is specified, B will limit these pauses -to at most I seconds. The value may be specified as a -floating point number, e.g. I<2.5>. - -=item -s I - -This option causes B to adjust the number of seconds -it will wait between key presses or program output. This can be -used to slow down or speed up the display. For example, a -I of I<2> would make the output twice as fast whereas -a I of I<.5> would make the output twice as slow. - -=item -V - -The B<-V> (version) option causes B to print its version number -and exit. - -=back - -=head2 Date and time format - -The time and date may be specified multiple ways, common formats include: - -=over 8 - -=item HH:MM:SS am MM/DD/CCYY timezone - -24 hour time may be used in place of am/pm. - -=item HH:MM:SS am Month, Day Year timezone - -24 hour time may be used in place of am/pm, and month and day names -may be abbreviated. Note that month and day of the week names must -be specified in English. - -=item CCYY-MM-DD HH:MM:SS - -ISO time format - -=item DD Month CCYY HH:MM:SS - -The month name may be abbreviated. - -=back - -Either time or date may be omitted, the am/pm and timezone are -optional. If no date is specified, the current day is assumed; if -no time is specified, the first second of the specified date is -used. The less significant parts of both time and date may also -be omitted, in which case zero is assumed. - -The following are all valid time and date specifications: - -=over 8 - -=item now - -The current time and date. - -=item tomorrow - -Exactly one day from now. - -=item yesterday - -24 hours ago. - -=item 2 hours ago - -2 hours ago. - -=item next Friday - -The first second of the next Friday. - -=item this week - -The current time but the first day of the coming week. - -=item a fortnight ago - -The current time but 14 days ago. - -=item 10:01 am 9/17/2009 - -10:01 am, September 17, 2009. - -=item 10:01 am - -10:01 am on the current day. - -=item 10 - -10:00 am on the current day. - -=item 9/17/2009 - -00:00 am, September 17, 2009. - -=item 10:01 am Sep 17, 2009 - -10:01 am, September 17, 2009. - -=back - -=head1 FILES - -=over 24 - -=item F<@iolog_dir@> - -The default I/O log directory. - -=item F<@iolog_dir@/00/00/01/log> - -Example session log info. - -=item F<@iolog_dir@/00/00/01/stdin> - -Example session standard input log. - -=item F<@iolog_dir@/00/00/01/stdout> - -Example session standard output log. - -=item F<@iolog_dir@/00/00/01/stderr> - -Example session standard error log. - -=item F<@iolog_dir@/00/00/01/ttyin> - -Example session tty input file. - -=item F<@iolog_dir@/00/00/01/ttyout> - -Example session tty output file. - -=item F<@iolog_dir@/00/00/01/timing> - -Example session timing file. - -=back - -Note that the I, I and I files will be empty -unless B was used as part of a pipeline for a particular -command. - -=head1 EXAMPLES - -List sessions run by user I: - - # sudoreplay -l user millert - -List sessions run by user I with a command containing the string vi: - - # sudoreplay -l user bob command vi - -List sessions run by user I that match a regular expression: - - # sudoreplay -l user jeff command '/bin/[a-z]*sh' - -List sessions run by jeff or bob on the console: - - # sudoreplay -l ( user jeff or user bob ) tty console - -=head1 SEE ALSO - -L, L - -=head1 AUTHORS - -Todd C. Miller - -=head1 BUGS - -If you feel you have found a bug in B, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ - -=head1 SUPPORT - -Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or -search the archives. - -=head1 DISCLAIMER - -B is provided ``AS IS'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the LICENSE -file distributed with B or http://www.sudo.ws/sudo/license.html -for complete details. diff --git a/visudo.cat b/visudo.cat index 8b9a356c6..7c7885e76 100644 --- a/visudo.cat +++ b/visudo.cat @@ -1,146 +1,147 @@ -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) - - +VISUDO(1m) System Manager's Manual VISUDO(1m) NNAAMMEE - visudo - edit the sudoers file + vviissuuddoo - edit the sudoers file SSYYNNOOPPSSIISS - vviissuuddoo [--cchhqqssVV] [--ff _s_u_d_o_e_r_s] + vviissuuddoo [--cchhqqssVV] [--ff _s_u_d_o_e_r_s] DDEESSCCRRIIPPTTIIOONN - vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m). - vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, - provides basic sanity checks, and checks for parse errors. If the - _s_u_d_o_e_r_s file is currently being edited you will receive a message to - try again later. - - There is a hard-coded list of one or more editors that vviissuuddoo will use - set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s - Default variable. This list defaults to "vi". Normally, vviissuuddoo does - not honor the VISUAL or EDITOR environment variables unless they - contain an editor in the aforementioned editors list. However, if - vviissuuddoo is configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option or the - _e_n_v___e_d_i_t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the - editor defines by VISUAL or EDITOR. Note that this can be a security - hole since it allows the user to execute any program they wish simply - by setting VISUAL or EDITOR. - - vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the - changes if there is a syntax error. Upon finding an error, vviissuuddoo will - print a message stating the line number(s) where the error occurred and - the user will receive the "What now?" prompt. At this point the user - may enter "e" to re-edit the _s_u_d_o_e_r_s file, "x" to exit without saving - the changes, or "Q" to quit and save changes. The "Q" option should be - used with extreme care because if vviissuuddoo believes there to be a parse - error, so will ssuuddoo and no one will be able to ssuuddoo again until the - error is fixed. If "e" is typed to edit the _s_u_d_o_e_r_s file after a - parse error has been detected, the cursor will be placed on the line - where the error occurred (if the editor supports this feature). - -OOPPTTIIOONNSS - vviissuuddoo accepts the following command line options: - - -c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s file will be - checked for syntax and a message will be printed to the - standard output detailing the status of _s_u_d_o_e_r_s. If the - syntax check completes successfully, vviissuuddoo will exit with - a value of 0. If a syntax error is encountered, vviissuuddoo - will exit with a value of 1. - - -f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this - option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your - choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock - file used is the specified _s_u_d_o_e_r_s file with ".tmp" - appended to it. In cchheecckk--oonnllyy mode only, the argument to - --ff may be "-", indicating that _s_u_d_o_e_r_s will be read from - the standard input. - - -h The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help - message to the standard output and exit. - - -q Enable qquuiieett mode. In this mode details about syntax - errors are not printed. This option is only useful when - combined with the --cc option. - - -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is - used before it is defined, vviissuuddoo will consider this a - parse error. Note that it is not possible to differentiate - between an alias and a host name or user name that consists - solely of uppercase letters, digits, and the underscore - ('_') character. - - -V The --VV (version) option causes vviissuuddoo to print its version - number and exit. + vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to vipw(1m). + vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, + provides basic sanity checks, and checks for parse errors. If the + _s_u_d_o_e_r_s file is currently being edited you will receive a message to try + again later. + + There is a hard-coded list of one or more editors that vviissuuddoo will use + set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s Default + variable. This list defaults to vi. Normally, vviissuuddoo does not honor the + VISUAL or EDITOR environment variables unless they contain an editor in + the aforementioned editors list. However, if vviissuuddoo is configured with + the --with-env-editor option or the _e_n_v___e_d_i_t_o_r Default variable is set in + _s_u_d_o_e_r_s, vviissuuddoo will use any the editor defines by VISUAL or EDITOR. + Note that this can be a security hole since it allows the user to execute + any program they wish simply by setting VISUAL or EDITOR. + + vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the + changes if there is a syntax error. Upon finding an error, vviissuuddoo will + print a message stating the line number(s) where the error occurred and + the user will receive the ``What now?'' prompt. At this point the user + may enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the + changes, or `Q' to quit and save changes. The `Q' option should be used + with extreme care because if vviissuuddoo believes there to be a parse error, + so will ssuuddoo and no one will be able to ssuuddoo again until the error is + fixed. If `e' is typed to edit the _s_u_d_o_e_r_s file after a parse error has + been detected, the cursor will be placed on the line where the error + occurred (if the editor supports this feature). + + The options are as follows: + + --cc Enable _c_h_e_c_k_-_o_n_l_y mode. The existing _s_u_d_o_e_r_s file will be + checked for syntax errors, owner and mode. A message will be + printed to the standard output describing the status of + _s_u_d_o_e_r_s unless the --qq option was specified. If the check + completes successfully, vviissuuddoo will exit with a value of 0. + If an error is encountered, vviissuuddoo will exit with a value of + 1. + + --ff _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this + option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your + choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file + used is the specified _s_u_d_o_e_r_s file with ``.tmp'' appended to + it. In _c_h_e_c_k_-_o_n_l_y mode only, the argument to --ff may be `-', + indicating that _s_u_d_o_e_r_s will be read from the standard input. + + --hh The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help + message to the standard output and exit. + + --qq Enable _q_u_i_e_t mode. In this mode details about syntax errors + are not printed. This option is only useful when combined + with the --cc option. + + --ss Enable _s_t_r_i_c_t checking of the _s_u_d_o_e_r_s file. If an alias is + used before it is defined, vviissuuddoo will consider this a parse + error. Note that it is not possible to differentiate between + an alias and a host name or user name that consists solely of + uppercase letters, digits, and the underscore (`_') + character. + + --VV The --VV (_v_e_r_s_i_o_n) option causes vviissuuddoo to print its version + number and exit. EENNVVIIRROONNMMEENNTT - The following environment variables may be consulted depending on the - value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s variables: + The following environment variables may be consulted depending on the + value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s settings: - VISUAL Invoked by visudo as the editor to use + VISUAL Invoked by vviissuuddoo as the editor to use - EDITOR Used by visudo if VISUAL is not set + EDITOR Used by vviissuuddoo if VISUAL is not set FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo + _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo DDIIAAGGNNOOSSTTIICCSS - sudoers file busy, try again later. + sudoers file busy, try again later. Someone else is currently editing the _s_u_d_o_e_r_s file. - /etc/sudoers.tmp: Permission denied + /etc/sudoers.tmp: Permission denied You didn't run vviissuuddoo as root. - Can't find you in the passwd database + Can't find you in the passwd database Your user ID does not appear in the system passwd file. - Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined + Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of uppercase letters, digits, and the - underscore ('_') character. In the latter case, you can ignore the + underscore (`_') character. In the latter case, you can ignore the warnings (ssuuddoo will not complain). In --ss (strict) mode these are errors, not warnings. - Warning: unused {User,Runas,Host,Cmnd}_Alias + Warning: unused {User,Runas,Host,Cmnd}_Alias The specified {User,Runas,Host,Cmnd}_Alias was defined but never used. You may wish to comment out or remove the unused alias. In --ss (strict) mode this is an error, not a warning. + Warning: cycle in {User,Runas,Host,Cmnd}_Alias + The specified {User,Runas,Host,Cmnd}_Alias includes a reference to + itself, either directly or through an alias it includes. This is + only a warning by default as ssuuddoo will ignore cycles when parsing + the _s_u_d_o_e_r_s file. + SSEEEE AALLSSOO - _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) + vi(1), sudoers(4), sudo(1m), vipw(1m) AAUUTTHHOORRSS - Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo - was written by: + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: - Todd C. Miller + Todd C. Miller - See the HISTORY file in the sudo distribution or visit - http://www.sudo.ws/sudo/history.html for more details. + See the CONTRIBUTORS file in the ssuuddoo distribution + (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of + people who have contributed to ssuuddoo. CCAAVVEEAATTSS - There is no easy way to prevent a user from gaining a root shell if the - editor used by vviissuuddoo allows shell escapes. + There is no easy way to prevent a user from gaining a root shell if the + editor used by vviissuuddoo allows shell escapes. BBUUGGSS - If you feel you have found a bug in vviissuuddoo, please submit a bug report - at http://www.sudo.ws/sudo/bugs/ + If you feel you have found a bug in vviissuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ SSUUPPPPOORRTT - Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the + archives. DDIISSCCLLAAIIMMEERR - vviissuuddoo is provided ``AS IS'' and any express or implied warranties, - including, but not limited to, the implied warranties of - merchantability and fitness for a particular purpose are disclaimed. - See the LICENSE file distributed with ssuuddoo or - http://www.sudo.ws/sudo/license.html for complete details. - - + vviissuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for + complete details. -1.7.10 July 18, 2012 VISUDO(1m) +Sudo 1.7.10 July 12, 2012 Sudo 1.7.10 diff --git a/visudo.man.in b/visudo.man.in index a27dc08e0..61f08ce7e 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -1,10 +1,13 @@ -.\" Copyright (c) 1996,1998-2005, 2007-2010 -.\" Todd C. Miller -.\" +.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER! +.\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in +.\" +.\" Copyright (c) 1996,1998-2005, 2007-2012 +.\" Todd C. Miller +.\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. -.\" +.\" .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR @@ -13,295 +16,312 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" Sponsored in part by the Defense Advanced Research Projects .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. -.\" -.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` -. ds C' -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' .\" -.\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX -.. -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l +.TH "VISUDO" "@mansectsu@" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh +.if n .ad l .SH "NAME" -visudo \- edit the sudoers file +\fBvisudo\fR +\- edit the sudoers file .SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBvisudo\fR [\fB\-chqsV\fR] [\fB\-f\fR \fIsudoers\fR] +.HP 7n +\fBvisudo\fR +[\fB\-chqsV\fR] +[\fB\-f\fR\ \fIsudoers\fR] .SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to -\&\fIvipw\fR\|(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple -simultaneous edits, provides basic sanity checks, and checks -for parse errors. If the \fIsudoers\fR file is currently being -edited you will receive a message to try again later. +\fBvisudo\fR +edits the +\fIsudoers\fR +file in a safe fashion, analogous to +vipw(@mansectsu@). +\fBvisudo\fR +locks the +\fIsudoers\fR +file against multiple simultaneous edits, provides basic sanity checks, +and checks for parse errors. +If the +\fIsudoers\fR +file is currently being edited you will receive a message to try again later. .PP -There is a hard-coded list of one or more editors that \fBvisudo\fR will -use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR -\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to \f(CW"@editor@"\fR. Normally, -\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment -variables unless they contain an editor in the aforementioned editors -list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR -option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR, -\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. +There is a hard-coded list of one or more editors that +\fBvisudo\fR +will use set at compile-time that may be overridden via the +\fIeditor\fR +\fIsudoers\fR +\fRDefault\fR +variable. +This list defaults to +\fR@editor@\fR. +Normally, +\fBvisudo\fR +does not honor the +\fRVISUAL\fR +or +\fREDITOR\fR +environment variables unless they contain an editor in the aforementioned +editors list. +However, if +\fBvisudo\fR +is configured with the +\fR--with-env-editor\fR +option or the +\fIenv_editor\fR +\fRDefault\fR +variable is set in +\fIsudoers\fR, +\fBvisudo\fR +will use any the editor defines by +\fRVISUAL\fR +or +\fREDITOR\fR. Note that this can be a security hole since it allows the user to -execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. +execute any program they wish simply by setting +\fRVISUAL\fR +or +\fREDITOR\fR. .PP -\&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will -not save the changes if there is a syntax error. Upon finding -an error, \fBvisudo\fR will print a message stating the line number(s) +\fBvisudo\fR +parses the +\fIsudoers\fR +file after the edit and will +not save the changes if there is a syntax error. +Upon finding an error, +\fBvisudo\fR +will print a message stating the line number(s) where the error occurred and the user will receive the -\&\*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R" -to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without -saving the changes, or \*(L"Q\*(R" to quit and save changes. The -\&\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR -believes there to be a parse error, so will \fBsudo\fR and no one -will be able to \fBsudo\fR again until the error is fixed. -If \*(L"e\*(R" is typed to edit the \fIsudoers\fR file after a parse error -has been detected, the cursor will be placed on the line where the -error occurred (if the editor supports this feature). -.SH "OPTIONS" -.IX Header "OPTIONS" -\&\fBvisudo\fR accepts the following command line options: -.IP "\-c" 12 -.IX Item "-c" -Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be -checked for syntax and a message will be printed to the -standard output detailing the status of \fIsudoers\fR. -If the syntax check completes successfully, \fBvisudo\fR will -exit with a value of 0. If a syntax error is encountered, -\&\fBvisudo\fR will exit with a value of 1. -.IP "\-f \fIsudoers\fR" 12 -.IX Item "-f sudoers" -Specify and alternate \fIsudoers\fR file location. With this option -\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice, -instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used -is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it. -In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R", -indicating that \fIsudoers\fR will be read from the standard input. -.IP "\-h" 12 -.IX Item "-h" -The \fB\-h\fR (\fIhelp\fR) option causes \fBvisudo\fR to print a short help message +``What now?'' +prompt. +At this point the user may enter +`e' +to re-edit the +\fIsudoers\fR +file, +`x' +to exit without saving the changes, or +`Q' +to quit and save changes. +The +`Q' +option should be used with extreme care because if +\fBvisudo\fR +believes there to be a parse error, so will +\fBsudo\fR +and no one +will be able to +\fBsudo\fR +again until the error is fixed. +If +`e' +is typed to edit the +\fIsudoers\fR +file after a parse error has been detected, the cursor will be placed on +the line where the error occurred (if the editor supports this feature). +.PP +The options are as follows: +.TP 12n +\fB\-c\fR +Enable +\fIcheck-only\fR +mode. +The existing +\fIsudoers\fR +file will be +checked for syntax errors, owner and mode. +A message will be printed to the standard output describing the status of +\fIsudoers\fR +unless the +\fB\-q\fR +option was specified. +If the check completes successfully, +\fBvisudo\fR +will exit with a value of 0. +If an error is encountered, +\fBvisudo\fR +will exit with a value of 1. +.TP 12n +\fB\-f\fR \fIsudoers\fR +.br +Specify and alternate +\fIsudoers\fR +file location. +With this option +\fBvisudo\fR +will edit (or check) the +\fIsudoers\fR +file of your choice, +instead of the default, +\fI@sysconfdir@/sudoers\fR. +The lock file used is the specified +\fIsudoers\fR +file with +``\.tmp'' +appended to it. +In +\fIcheck-only\fR +mode only, the argument to +\fB\-f\fR +may be +`-', +indicating that +\fIsudoers\fR +will be read from the standard input. +.TP 12n +\fB\-h\fR +The +\fB\-h\fR (\fIhelp\fR) +option causes +\fBvisudo\fR +to print a short help message to the standard output and exit. -.IP "\-q" 12 -.IX Item "-q" -Enable \fBquiet\fR mode. In this mode details about syntax errors -are not printed. This option is only useful when combined with -the \fB\-c\fR option. -.IP "\-s" 12 -.IX Item "-s" -Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is -used before it is defined, \fBvisudo\fR will consider this a parse -error. Note that it is not possible to differentiate between an +.TP 12n +\fB\-q\fR +Enable +\fIquiet\fR +mode. +In this mode details about syntax errors are not printed. +This option is only useful when combined with +the +\fB\-c\fR +option. +.TP 12n +\fB\-s\fR +Enable +\fIstrict\fR +checking of the +\fIsudoers\fR +file. +If an alias is used before it is defined, +\fBvisudo\fR +will consider this a parse error. +Note that it is not possible to differentiate between an alias and a host name or user name that consists solely of uppercase -letters, digits, and the underscore ('_') character. -.IP "\-V" 12 -.IX Item "-V" -The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number +letters, digits, and the underscore +(`_') +character. +.TP 12n +\fB\-V\fR +The +\fB\-V\fR (\fIversion\fR) +option causes +\fBvisudo\fR +to print its version number and exit. .SH "ENVIRONMENT" -.IX Header "ENVIRONMENT" The following environment variables may be consulted depending on -the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables: -.ie n .IP "\*(C`VISUAL\*(C'" 16 -.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 -.IX Item "VISUAL" -Invoked by visudo as the editor to use -.ie n .IP "\*(C`EDITOR\*(C'" 16 -.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16 -.IX Item "EDITOR" -Used by visudo if \s-1VISUAL\s0 is not set +the value of the +\fIeditor\fR +and +\fIenv_editor\fR +\fIsudoers\fR +settings: +.TP 17n +\fRVISUAL\fR +Invoked by +\fBvisudo\fR +as the editor to use +.TP 17n +\fREDITOR\fR +Used by +\fBvisudo\fR +if +\fRVISUAL\fR +is not set .SH "FILES" -.IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 -.el .IP "\fI@sysconfdir@/sudoers\fR" 24 -.IX Item "@sysconfdir@/sudoers" +.TP 26n +\fI@sysconfdir@/sudoers\fR List of who can run what -.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24 -.el .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24 -.IX Item "@sysconfdir@/sudoers.tmp" +.TP 26n +\fI@sysconfdir@/sudoers.tmp\fR Lock file for visudo .SH "DIAGNOSTICS" -.IX Header "DIAGNOSTICS" -.IP "sudoers file busy, try again later." 4 -.IX Item "sudoers file busy, try again later." -Someone else is currently editing the \fIsudoers\fR file. -.ie n .IP "@sysconfdir@/sudoers.tmp: Permission denied" 4 -.el .IP "\f(CW@sysconfdir\fR@/sudoers.tmp: Permission denied" 4 -.IX Item "@sysconfdir@/sudoers.tmp: Permission denied" -You didn't run \fBvisudo\fR as root. -.IP "Can't find you in the passwd database" 4 -.IX Item "Can't find you in the passwd database" -Your user \s-1ID\s0 does not appear in the system passwd file. -.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4 -.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" +.TP 6n +\fRsudoers file busy, try again later.\fR +Someone else is currently editing the +\fIsudoers\fR +file. +.TP 6n +\fR@sysconfdir@/sudoers.tmp: Permission denied\fR +You didn't run +\fBvisudo\fR +as root. +.TP 6n +\fRCan't find you in the passwd database\fR +Your user ID does not appear in the system passwd file. +.TP 6n +\fRWarning: {User,Runas,Host,Cmnd}_Alias referenced but not defined\fR Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of -uppercase letters, digits, and the underscore ('_') character. In -the latter case, you can ignore the warnings (\fBsudo\fR will not -complain). In \fB\-s\fR (strict) mode these are errors, not warnings. -.IP "Warning: unused {User,Runas,Host,Cmnd}_Alias" 4 -.IX Item "Warning: unused {User,Runas,Host,Cmnd}_Alias" +uppercase letters, digits, and the underscore +(`_') +character. +In the latter case, you can ignore the warnings +(\fBsudo\fR +will not complain) +\&. +In +\fB\-s\fR +(strict) mode these are errors, not warnings. +.TP 6n +\fRWarning: unused {User,Runas,Host,Cmnd}_Alias\fR The specified {User,Runas,Host,Cmnd}_Alias was defined but never -used. You may wish to comment out or remove the unused alias. In -\&\fB\-s\fR (strict) mode this is an error, not a warning. +used. +You may wish to comment out or remove the unused alias. +In +\fB\-s\fR +(strict) mode this is an error, not a warning. +.TP 6n +\fRWarning: cycle in {User,Runas,Host,Cmnd}_Alias\fR +The specified {User,Runas,Host,Cmnd}_Alias includes a reference to +itself, either directly or through an alias it includes. +This is only a warning by default as +\fBsudo\fR +will ignore cycles when parsing +the +\fIsudoers\fR +file. .SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8) +vi(1), +sudoers(@mansectform@), +sudo(@mansectsu@), +vipw(@mansectsu@) .SH "AUTHORS" -.IX Header "AUTHORS" -Many people have worked on \fIsudo\fR over the years; this version of -\&\fBvisudo\fR was written by: -.PP -.Vb 1 -\& Todd C. Miller -.Ve +Many people have worked on +\fBsudo\fR +over the years; this version consists of code written primarily by: +.sp +.RS 6n +Todd C. Miller +.RE .PP -See the \s-1HISTORY\s0 file in the sudo distribution or visit -http://www.sudo.ws/sudo/history.html for more details. +See the CONTRIBUTORS file in the +\fBsudo\fR +distribution (http://www.sudo.ws/sudo/contributors.html) for an +exhaustive list of people who have contributed to +\fBsudo\fR. .SH "CAVEATS" -.IX Header "CAVEATS" -There is no easy way to prevent a user from gaining a root shell if -the editor used by \fBvisudo\fR allows shell escapes. +There is no easy way to prevent a user from gaining a root shell if +the editor used by +\fBvisudo\fR +allows shell escapes. .SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in \fBvisudo\fR, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ +If you feel you have found a bug in +\fBvisudo\fR, +please submit a bug report at http://www.sudo.ws/sudo/bugs/ .SH "SUPPORT" -.IX Header "SUPPORT" Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the archives. .SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 -file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html -for complete details. +\fBvisudo\fR +is provided +``AS IS'' +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +\fBsudo\fR +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/visudo.mdoc.in b/visudo.mdoc.in new file mode 100644 index 000000000..187c9f3e4 --- /dev/null +++ b/visudo.mdoc.in @@ -0,0 +1,317 @@ +.\" +.\" Copyright (c) 1996,1998-2005, 2007-2012 +.\" Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" Sponsored in part by the Defense Advanced Research Projects +.\" Agency (DARPA) and Air Force Research Laboratory, Air Force +.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. +.\" +.Dd July 12, 2012 +.Dt VISUDO @mansectsu@ +.Os Sudo @PACKAGE_VERSION@ +.Sh NAME +.Nm visudo +.Nd edit the sudoers file +.Sh SYNOPSIS +.Nm visudo +.Op Fl chqsV +.Bk -words +.Op Fl f Ar sudoers +.Ek +.Sh DESCRIPTION +.Nm visudo +edits the +.Em sudoers +file in a safe fashion, analogous to +.Xr vipw @mansectsu@ . +.Nm visudo +locks the +.Em sudoers +file against multiple simultaneous edits, provides basic sanity checks, +and checks for parse errors. +If the +.Em sudoers +file is currently being edited you will receive a message to try again later. +.Pp +There is a hard-coded list of one or more editors that +.Nm visudo +will use set at compile-time that may be overridden via the +.Em editor +.Em sudoers +.Li Default +variable. +This list defaults to +.Li "@editor@" . +Normally, +.Nm visudo +does not honor the +.Ev VISUAL +or +.Ev EDITOR +environment variables unless they contain an editor in the aforementioned +editors list. +However, if +.Nm visudo +is configured with the +.Li --with-env-editor +option or the +.Em env_editor +.Li Default +variable is set in +.Em sudoers , +.Nm visudo +will use any the editor defines by +.Ev VISUAL +or +.Ev EDITOR . +Note that this can be a security hole since it allows the user to +execute any program they wish simply by setting +.Ev VISUAL +or +.Ev EDITOR . +.Pp +.Nm visudo +parses the +.Em sudoers +file after the edit and will +not save the changes if there is a syntax error. +Upon finding an error, +.Nm visudo +will print a message stating the line number(s) +where the error occurred and the user will receive the +.Dq What now? +prompt. +At this point the user may enter +.Ql e +to re-edit the +.Em sudoers +file, +.Ql x +to exit without saving the changes, or +.Ql Q +to quit and save changes. +The +.Ql Q +option should be used with extreme care because if +.Nm visudo +believes there to be a parse error, so will +.Nm sudo +and no one +will be able to +.Nm sudo +again until the error is fixed. +If +.Ql e +is typed to edit the +.Em sudoers +file after a parse error has been detected, the cursor will be placed on +the line where the error occurred (if the editor supports this feature). +.Pp +The options are as follows: +.Bl -tag -width Fl +.It Fl c +Enable +.Em check-only +mode. +The existing +.Em sudoers +file will be +checked for syntax errors, owner and mode. +A message will be printed to the standard output describing the status of +.Em sudoers +unless the +.Fl q +option was specified. +If the check completes successfully, +.Nm visudo +will exit with a value of 0. +If an error is encountered, +.Nm visudo +will exit with a value of 1. +.It Fl f Ar sudoers +Specify and alternate +.Em sudoers +file location. +With this option +.Nm visudo +will edit (or check) the +.Em sudoers +file of your choice, +instead of the default, +.Pa @sysconfdir@/sudoers . +The lock file used is the specified +.Em sudoers +file with +.Dq \.tmp +appended to it. +In +.Em check-only +mode only, the argument to +.Fl f +may be +.Ql - , +indicating that +.Em sudoers +will be read from the standard input. +.It Fl h +The +.Fl h No ( Em help Ns No ) +option causes +.Nm visudo +to print a short help message +to the standard output and exit. +.It Fl q +Enable +.Em quiet +mode. +In this mode details about syntax errors are not printed. +This option is only useful when combined with +the +.Fl c +option. +.It Fl s +Enable +.Em strict +checking of the +.Em sudoers +file. +If an alias is used before it is defined, +.Nm visudo +will consider this a parse error. +Note that it is not possible to differentiate between an +alias and a host name or user name that consists solely of uppercase +letters, digits, and the underscore +.Pq Ql _ +character. +.It Fl V +The +.Fl V ( Em version Ns No ) +option causes +.Nm visudo +to print its version number +and exit. +.El +.Sh ENVIRONMENT +The following environment variables may be consulted depending on +the value of the +.Em editor +and +.Em env_editor +.Em sudoers +settings: +.Bl -tag -width 15n +.It Ev VISUAL +Invoked by +.Nm visudo +as the editor to use +.It Ev EDITOR +Used by +.Nm visudo +if +.Ev VISUAL +is not set +.El +.Sh FILES +.Bl -tag -width 24n +.It Pa @sysconfdir@/sudoers +List of who can run what +.It Pa @sysconfdir@/sudoers.tmp +Lock file for visudo +.El +.Sh DIAGNOSTICS +.Bl -tag -width 4n +.It Li sudoers file busy, try again later. +Someone else is currently editing the +.Em sudoers +file. +.It Li @sysconfdir@/sudoers.tmp: Permission denied +You didn't run +.Nm visudo +as root. +.It Li Can't find you in the passwd database +Your user ID does not appear in the system passwd file. +.It Li Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined +Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias +or you have a user or host name listed that consists solely of +uppercase letters, digits, and the underscore +.Pq Ql _ +character. +In the latter case, you can ignore the warnings +.Po +.Nm sudo +will not complain +.Pc . +In +.Fl s +(strict) mode these are errors, not warnings. +.It Li Warning: unused {User,Runas,Host,Cmnd}_Alias +The specified {User,Runas,Host,Cmnd}_Alias was defined but never +used. +You may wish to comment out or remove the unused alias. +In +.Fl s +(strict) mode this is an error, not a warning. +.It Li Warning: cycle in {User,Runas,Host,Cmnd}_Alias +The specified {User,Runas,Host,Cmnd}_Alias includes a reference to +itself, either directly or through an alias it includes. +This is only a warning by default as +.Nm sudo +will ignore cycles when parsing +the +.Em sudoers +file. +.El +.Sh SEE ALSO +.Xr vi 1 , +.Xr sudoers @mansectform@ , +.Xr sudo @mansectsu@ , +.Xr vipw @mansectsu@ +.Sh AUTHORS +Many people have worked on +.Nm sudo +over the years; this version consists of code written primarily by: +.Bd -ragged -offset indent +Todd C. Miller +.Ed +.Pp +See the CONTRIBUTORS file in the +.Nm sudo +distribution (http://www.sudo.ws/sudo/contributors.html) for an +exhaustive list of people who have contributed to +.Nm sudo . +.Sh CAVEATS +There is no easy way to prevent a user from gaining a root shell if +the editor used by +.Nm visudo +allows shell escapes. +.Sh BUGS +If you feel you have found a bug in +.Nm visudo , +please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.Sh SUPPORT +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or +search the archives. +.Sh DISCLAIMER +.Nm visudo +is provided +.Dq AS IS +and any express or implied warranties, including, but not limited +to, the implied warranties of merchantability and fitness for a +particular purpose are disclaimed. +See the LICENSE file distributed with +.Nm sudo +or http://www.sudo.ws/sudo/license.html for complete details. diff --git a/visudo.pod b/visudo.pod deleted file mode 100644 index 23224ee0e..000000000 --- a/visudo.pod +++ /dev/null @@ -1,213 +0,0 @@ -Copyright (c) 1996,1998-2005, 2007-2010 - Todd C. Miller - -Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -Sponsored in part by the Defense Advanced Research Projects -Agency (DARPA) and Air Force Research Laboratory, Air Force -Materiel Command, USAF, under agreement number F39502-99-1-0512. - -=pod - -=head1 NAME - -visudo - edit the sudoers file - -=head1 SYNOPSIS - -B [B<-chqsV>] [B<-f> I] - -=head1 DESCRIPTION - -B edits the I file in a safe fashion, analogous to -L. B locks the I file against multiple -simultaneous edits, provides basic sanity checks, and checks -for parse errors. If the I file is currently being -edited you will receive a message to try again later. - -There is a hard-coded list of one or more editors that B will -use set at compile-time that may be overridden via the I I -C variable. This list defaults to C<"@editor@">. Normally, -B does not honor the C or C environment -variables unless they contain an editor in the aforementioned editors -list. However, if B is configured with the I<--with-env-editor> -option or the I C variable is set in I, -B will use any the editor defines by C or C. -Note that this can be a security hole since it allows the user to -execute any program they wish simply by setting C or C. - -B parses the I file after the edit and will -not save the changes if there is a syntax error. Upon finding -an error, B will print a message stating the line number(s) -where the error occurred and the user will receive the -"What now?" prompt. At this point the user may enter "e" -to re-edit the I file, "x" to exit without -saving the changes, or "Q" to quit and save changes. The -"Q" option should be used with extreme care because if B -believes there to be a parse error, so will B and no one -will be able to B again until the error is fixed. -If "e" is typed to edit the I file after a parse error -has been detected, the cursor will be placed on the line where the -error occurred (if the editor supports this feature). - -=head1 OPTIONS - -B accepts the following command line options: - -=over 12 - -=item -c - -Enable B mode. The existing I file will be -checked for syntax and a message will be printed to the -standard output detailing the status of I. -If the syntax check completes successfully, B will -exit with a value of 0. If a syntax error is encountered, -B will exit with a value of 1. - -=item -f I - -Specify and alternate I file location. With this option -B will edit (or check) the I file of your choice, -instead of the default, F<@sysconfdir@/sudoers>. The lock file used -is the specified I file with ".tmp" appended to it. -In B mode only, the argument to B<-f> may be "-", -indicating that I will be read from the standard input. - -=item -h - -The B<-h> (I) option causes B to print a short help message -to the standard output and exit. - -=item -q - -Enable B mode. In this mode details about syntax errors -are not printed. This option is only useful when combined with -the B<-c> option. - -=item -s - -Enable B checking of the I file. If an alias is -used before it is defined, B will consider this a parse -error. Note that it is not possible to differentiate between an -alias and a host name or user name that consists solely of uppercase -letters, digits, and the underscore ('_') character. - -=item -V - -The B<-V> (version) option causes B to print its version number -and exit. - -=back - -=head1 ENVIRONMENT - -The following environment variables may be consulted depending on -the value of the I and I I variables: - -=over 16 - -=item C - -Invoked by visudo as the editor to use - -=item C - -Used by visudo if VISUAL is not set - -=back - -=head1 FILES - -=over 24 - -=item F<@sysconfdir@/sudoers> - -List of who can run what - -=item F<@sysconfdir@/sudoers.tmp> - -Lock file for visudo - -=back - -=head1 DIAGNOSTICS - -=over 4 - -=item sudoers file busy, try again later. - -Someone else is currently editing the I file. - -=item @sysconfdir@/sudoers.tmp: Permission denied - -You didn't run B as root. - -=item Can't find you in the passwd database - -Your user ID does not appear in the system passwd file. - -=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined - -Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias -or you have a user or host name listed that consists solely of -uppercase letters, digits, and the underscore ('_') character. In -the latter case, you can ignore the warnings (B will not -complain). In B<-s> (strict) mode these are errors, not warnings. - -=item Warning: unused {User,Runas,Host,Cmnd}_Alias - -The specified {User,Runas,Host,Cmnd}_Alias was defined but never -used. You may wish to comment out or remove the unused alias. In -B<-s> (strict) mode this is an error, not a warning. - -=back - -=head1 SEE ALSO - -L, L, L, L - -=head1 AUTHORS - -Many people have worked on I over the years; this version of -B was written by: - - Todd C. Miller - -See the HISTORY file in the sudo distribution or visit -http://www.sudo.ws/sudo/history.html for more details. - -=head1 CAVEATS - -There is no easy way to prevent a user from gaining a root shell if -the editor used by B allows shell escapes. - -=head1 BUGS - -If you feel you have found a bug in B, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ - -=head1 SUPPORT - -Limited free support is available via the sudo-users mailing list, -see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or -search the archives. - -=head1 DISCLAIMER - -B is provided ``AS IS'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. See the LICENSE -file distributed with B or http://www.sudo.ws/sudo/license.html -for complete details. -- 2.40.0