SUDOERS(4)                 MAINTENANCE COMMANDS                 SUDOERS(4)
1.7.4                                                    July 21, 2010

NAME
       sudoers - list of which users may execute what

DESCRIPTION
       The sudoers file is composed of two types of entries: aliases
       (basically variables) and user specifications (which specify who may
       run what).

       When multiple entries match for a user, they are applied in order.
       Where there are multiple matches, the last match is used (which is not
       necessarily the most specific match).

       The sudoers grammar will be described below in Extended Backus-Naur
       Form (EBNF).  Don't despair if you don't know what EBNF is; it is
       fairly simple, and the definitions below are annotated.

   Quick guide to EBNF
       EBNF is a concise and exact way of describing the grammar of a
       language.  Each EBNF definition is made up of production rules.  E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

       Each production rule references others and thus makes up a grammar for
       the language.  EBNF also contains the following operators, which many
       readers will recognize from regular expressions.  Do not, however,
       confuse them with "wildcard" characters, which have different meanings.

       ?   Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

       *   Means that the preceding symbol (or group of symbols) may appear
           zero or more times.

       +   Means that the preceding symbol (or group of symbols) may appear
           one or more times.

       Parentheses may be used to group symbols together.  For clarity, we
       will use single quotes ('') to designate what is a verbatim character
       string (as opposed to a symbol name).

   Aliases
       There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
       and Cmnd_Alias.

           Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                     'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                     'Host_Alias'  Host_Alias (':' Host_Alias)* |
                     'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

           User_Alias ::= NAME '=' User_List

           Runas_Alias ::= NAME '=' Runas_List

           Host_Alias ::= NAME '=' Host_List

           Cmnd_Alias ::= NAME '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

       Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_').  A NAME must start with an uppercase
       letter.  It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':').  E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

       The definitions of what constitutes a valid alias member follow.

           User_List ::= User |
                         User ',' User_List

           User ::= '!'* user name |
                    '!'* '#'uid |
                    '!'* '%'group |
                    '!'* '+'netgroup |
                    '!'* '%:'nonunix_group |
                    '!'* User_Alias

       A User_List is made up of one or more user names, uids (prefixed with
       '#'), system groups (prefixed with '%'), netgroups (prefixed with '+'),
       non-Unix groups (prefixed with '%:') and User_Aliases.  Each list item
       may be prefixed with zero or more '!' operators.  An odd number of '!'
       operators negates the value of the item; an even number just cancels
       out.

       A user name, group, netgroup or nonunix_group may be enclosed in double
       quotes to avoid the need for escaping special characters.
       Alternatively, special characters may be specified in escaped hex mode,
       e.g. \x20 for space.

       The nonunix_group syntax depends on the underlying implementation.  For
       instance, the QAS AD backend supports the following formats:

       o   Group in the same domain: "Group Name"

       o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

       o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

       Note that quotes around group names are optional.  Unquoted strings
       must use a backslash (\) to escape spaces and the '@' symbol.
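
       The User_List rules above (the '!' parity rule, the '#', '%', '+' and
       '%:' prefixes, double-quoted members and \xNN hex escapes) applied by a
       small Python parser.  This is an added example, not code from the sudo
       project; the sample lists are constructed, and treating any token that
       matches the NAME rule as a User_Alias reference is a simplification
       assumed here.

```python
import re

# Constructed sample User_Lists (not taken from the man page).
SAMPLE_USER_LISTS = [
    'alice, #0, %wheel, +admins, %:"Domain Admins@EXAMPLE.COM"',
    '!!bob, !#1000, !!!%staff, "jane\\x20doe", OPERATORS',
]

_HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')
_ALIAS_NAME = re.compile(r'[A-Z][A-Z0-9_]*')   # NAME: uppercase start, then A-Z, 0-9, _


def unquote_member(text):
    """Strip optional surrounding double quotes and decode \\xNN hex escapes."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def split_list(text):
    """Split a comma-separated list, ignoring commas inside double quotes
    and commas preceded by a backslash."""
    items, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == '\\' and i + 1 < len(text):   # keep escape pairs intact
            cur.append(text[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ',' and not in_quote:
            items.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append(''.join(cur))
    return [item.strip() for item in items if item.strip()]


def parse_user_member(item):
    """Return (negated, kind, value) for one User_List item.

    An odd number of leading '!' negates the item; an even number cancels out."""
    bangs = len(item) - len(item.lstrip('!'))
    negated = bangs % 2 == 1
    body = item[bangs:]
    if body.startswith('%:'):
        return negated, 'nonunix_group', unquote_member(body[2:])
    if body.startswith('#'):
        return negated, 'uid', int(body[1:])
    if body.startswith('%'):
        return negated, 'group', unquote_member(body[1:])
    if body.startswith('+'):
        return negated, 'netgroup', unquote_member(body[1:])
    if _ALIAS_NAME.fullmatch(body):
        # Simplification assumed here: a NAME-shaped token is an alias reference.
        return negated, 'User_Alias', body
    return negated, 'user', unquote_member(body)


def parse_user_list(text):
    """Parse a whole User_List into (negated, kind, value) tuples."""
    return [parse_user_member(item) for item in split_list(text)]
```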

           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* user name |
                            '!'* '#'uid |
                            '!'* '%'group |
                            '!'* '+'netgroup |
                            '!'* Runas_Alias

       A Runas_List is similar to a User_List except that instead of
       User_Aliases it can contain Runas_Aliases.  Note that user names and
       groups are matched as strings.  In other words, two users (groups) with
       the same uid (gid) are considered to be distinct.  If you wish to match
       all user names with the same uid (e.g. root and toor), you can use a
       uid instead (#0 in the example given).

           Host_List ::= Host |
                         Host ',' Host_List

           Host ::= '!'* host name |
                    '!'* ip_addr |
                    '!'* network(/netmask)? |
                    '!'* '+'netgroup |
                    '!'* Host_Alias

       A Host_List is made up of one or more host names, IP addresses, network
       numbers, netgroups (prefixed with '+') and other aliases.  Again, the
       value of an item may be negated with the '!' operator.  If you do not
       specify a netmask along with the network number, sudo will query each
       of the local host's network interfaces and, if the network number
       corresponds to one of the host's network interfaces, the corresponding
       netmask will be used.  The netmask may be specified either in standard
       IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
       CIDR notation (number of bits, e.g. 24 or 64).  A host name may include
       shell-style wildcards (see the Wildcards section below), but unless the
       hostname command on your machine returns the fully qualified host
       name, you'll need to use the fqdn option for wildcards to be useful.
       Note that sudo only inspects actual network interfaces; this means that
       the IP address 127.0.0.1 (localhost) will never match.  Also, the host
       name "localhost" will only match if that is the actual host name, which
       is usually only the case for non-networked systems.

           Cmnd_List ::= Cmnd |
                         Cmnd ',' Cmnd_List

           commandname ::= file name |
                           file name args |
                           file name '""'

           Cmnd ::= '!'* commandname |
                    '!'* directory |
                    '!'* "sudoedit" |
                    '!'* Cmnd_Alias

       A Cmnd_List is a list of one or more commandnames, directories, and
       other aliases.  A commandname is a fully qualified file name which may
       include shell-style wildcards (see the Wildcards section below).  A
       simple file name allows the user to run the command with any arguments
       he/she wishes.  However, you may also specify command line arguments
       (including wildcards).  Alternatively, you can specify "" to indicate
       that the command may only be run without command line arguments.  A
       directory is a fully qualified path name ending in a '/'.  When you
       specify a directory in a Cmnd_List, the user will be able to run any
       file within that directory (but not in any subdirectories therein).

       If a Cmnd has associated command line arguments, then the arguments in
       the Cmnd must match exactly those given by the user on the command line
       (or match the wildcards if there are any).  Note that the following
       characters must be escaped with a '\' if they are used in command
       arguments: ',', ':', '=', '\'.  The special command "sudoedit" is used
       to permit a user to run sudo with the -e option (or as sudoedit).  It
       may take command line arguments just as a normal command does.

   Defaults
       Certain configuration options may be changed from their default values
       at runtime via one or more Default_Entry lines.  These may affect all
       users on any host, all users on a specific host, a specific user, a
       specific command, or commands being run as a specific user.  Note that
       per-command entries may not include command line arguments.  If you
       need to specify arguments, define a Cmnd_Alias and reference that
       instead.

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |
                         '!'* Parameter

       Parameters may be flags, integer values, strings, or lists.  Flags are
       implicitly boolean and can be turned off via the '!' operator.  Some
       integer, string and list parameters may also be used in a boolean
       context to disable them.  Values may be enclosed in double quotes (")
       when they contain multiple words.  Special characters may be escaped
       with a backslash (\).

       Lists have two additional assignment operators, += and -=.  These
       operators are used to add to and delete from a list respectively.  It
       is not an error to use the -= operator to remove an element that does
       not exist in a list.

       Defaults entries are parsed in the following order: generic, host and
       user Defaults first, then runas Defaults and finally command defaults.

       See "SUDOERS OPTIONS" for a list of supported Defaults parameters.

   User Specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

           Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                         'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                         'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

       A user specification determines which commands a user may run (and as
       what user) on specified hosts.  By default, commands are run as root,
       but this can be changed on a per-command basis.

       The basic structure of a user specification is `who = where (as_whom)
       what'.  Let's break that down into its constituent parts:

   Runas_Spec
       A Runas_Spec determines the user and/or the group that a command may be
       run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
       defined above) separated by a colon (':') and enclosed in a set of
       parentheses.  The first Runas_List indicates which users the command
       may be run as via sudo's -u option.  The second defines a list of
       groups that can be specified via sudo's -g option.  If both Runas_Lists
       are specified, the command may be run with any combination of users and
       groups listed in their respective Runas_Lists.  If only the first is
       specified, the command may be run as any user in the list but no -g
       option may be specified.  If the first Runas_List is empty but the
       second is specified, the command may be run as the invoking user with
       the group set to any listed in the Runas_List.  If no Runas_Spec is
       specified the command may be run as root and no group may be specified.

       A Runas_Spec sets the default for the commands that follow it.  What
       this means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

       The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
       as operator.  E.g.,

           $ sudo -u operator /bin/ls

       It is also possible to override a Runas_Spec later on in an entry.  If
       we modify the entry like so:

           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

       Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
       and /usr/bin/lprm as root.

       We can extend this to allow dgb to run /bin/ls with either the user or
       group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
               /usr/bin/lprm

       In the following example, user tcm may run commands that access a modem
       device file with the dialer group.  Note that in this example only the
       group will be set; the command still runs as user tcm.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
               /usr/local/bin/minicom

   SELinux_Spec
       On systems with SELinux support, sudoers entries may optionally have an
       SELinux role and/or type associated with a command.  If a role or type
       is specified with the command it will override any default values
       specified in sudoers.  A role or type specified on the command line,
       however, will supersede the values in sudoers.

   Tag_Spec
       A command may have zero or more tags associated with it.  The possible
       tag values are NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
       LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a tag is set
       on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag
       unless it is overridden by the opposite tag (i.e.: PASSWD overrides
       NOPASSWD and NOEXEC overrides EXEC).

       NOPASSWD and PASSWD

       By default, sudo requires that a user authenticate him or herself
       before running a command.  This behavior can be modified via the
       NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
       the commands that follow it in the Cmnd_Spec_List.  Conversely, the
       PASSWD tag can be used to reverse things.  For example:

           ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
       as root on the machine rushmore without authenticating himself.  If we
       only want ray to be able to run /bin/kill without a password the entry
       would be:

           ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

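       The Runas_Spec and Tag_Spec inheritance rules described in the two
       sections above, together with the Description's "last match wins"
       rule, worked through in Python.  This is an added example, not code
       from the sudo project: it parses the entries quoted in these sections
       into the effective runas lists and tag set of each command.  It assumes
       no SELinux_Spec and no aliases inside the lists.

```python
import re

# Copies of the entries quoted in this section (constructed test data).
SAMPLE_SPECS = [
    "dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
    "dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
    "tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, /usr/local/bin/minicom",
    "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
]

# Each tag and the opposite tag that overrides it.
OPPOSITE = {
    'NOPASSWD': 'PASSWD', 'PASSWD': 'NOPASSWD',
    'NOEXEC': 'EXEC', 'EXEC': 'NOEXEC',
    'SETENV': 'NOSETENV', 'NOSETENV': 'SETENV',
    'LOG_INPUT': 'NOLOG_INPUT', 'NOLOG_INPUT': 'LOG_INPUT',
    'LOG_OUTPUT': 'NOLOG_OUTPUT', 'NOLOG_OUTPUT': 'LOG_OUTPUT',
}

_RUNAS = re.compile(r'\(([^)]*)\)\s*')
_TAG = re.compile(r'([A-Z_]+):\s*')


def split_cmnd_specs(text):
    """Split a Cmnd_Spec_List on commas, but not on commas inside a Runas_Spec."""
    specs, cur, depth = [], [], 0
    for c in text:
        depth += (c == '(') - (c == ')')
        if c == ',' and depth == 0:
            specs.append(''.join(cur))
            cur = []
        else:
            cur.append(c)
    specs.append(''.join(cur))
    return [s.strip() for s in specs if s.strip()]


def parse_runas(inner):
    """'users : groups' -> (users, groups).  An empty user list with a group
    list means the invoking user with only the group changed."""
    users, _, groups = inner.partition(':')
    as_list = lambda s: [x.strip() for x in s.split(',') if x.strip()]
    return as_list(users), as_list(groups)


def parse_user_spec(line):
    """Return one dict per Cmnd with the effective runas lists and tags.

    A Runas_Spec or tag sets the default for every Cmnd that follows it in
    the same Cmnd_Spec_List until another Runas_Spec or the opposite tag."""
    lhs, _, rhs = line.partition('=')
    user, host = lhs.split()
    runas_users, runas_groups = ['root'], []   # no Runas_Spec: root, no -g
    tags = set()
    result = []
    for spec in split_cmnd_specs(rhs):
        m = _RUNAS.match(spec)
        if m:
            runas_users, runas_groups = parse_runas(m.group(1))
            spec = spec[m.end():]
        while True:
            t = _TAG.match(spec)
            if not t or t.group(1) not in OPPOSITE:
                break
            tags.discard(OPPOSITE[t.group(1)])   # opposite tag is overridden
            tags.add(t.group(1))
            spec = spec[t.end():]
        result.append({'user': user, 'host': host, 'cmnd': spec,
                       'runas_users': list(runas_users),
                       'runas_groups': list(runas_groups),
                       'tags': sorted(tags)})
    return result


def last_matching(lines, user, host, cmnd):
    """The Description's rule: when several entries match, the last one wins."""
    winner = None
    for line in lines:
        for spec in parse_user_spec(line):
            if (spec['user'], spec['host'], spec['cmnd']) == (user, host, cmnd):
                winner = spec
    return winner
```
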
       Note, however, that the PASSWD tag has no effect on users who are in
       the group specified by the exempt_group option.

       By default, if the NOPASSWD tag is applied to any of the entries for a
       user on the current host, he or she will be able to run sudo -l without
       a password.  Additionally, a user may only run sudo -v without a
       password if the NOPASSWD tag is present for all of the user's entries
       that pertain to the current host.  This behavior may be overridden via
       the verifypw and listpw options.

       NOEXEC and EXEC

       If sudo has been compiled with noexec support and the underlying
       operating system supports it, the NOEXEC tag can be used to prevent a
       dynamically-linked executable from running further commands itself.

       In the following example, user aaron may run /usr/bin/more and
       /usr/bin/vi but shell escapes will be disabled.

           aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

       See the "PREVENTING SHELL ESCAPES" section below for more details on
       how NOEXEC works and whether or not it will work on your system.

       SETENV and NOSETENV

       These tags override the value of the setenv option on a per-command
       basis.  Note that if SETENV has been set for a command, any environment
       variables set on the command line are not subject to the restrictions
       imposed by env_check, env_delete, or env_keep.  As such, only trusted
       users should be allowed to set variables in this manner.  If the
       command matched is ALL, the SETENV tag is implied for that command;
       this default may be overridden by use of the NOSETENV tag.

       LOG_INPUT and NOLOG_INPUT

       These tags override the value of the log_input option on a per-command
       basis.  For more information, see the description of log_input in the
       "SUDOERS OPTIONS" section below.

       LOG_OUTPUT and NOLOG_OUTPUT

       These tags override the value of the log_output option on a per-command
       basis.  For more information, see the description of log_output in the
       "SUDOERS OPTIONS" section below.

   Wildcards
       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in host names, path names and command line arguments in the
       sudoers file.  Wildcard matching is done via the POSIX glob(3) and
       fnmatch(3) routines.  Note that these are not regular expressions.

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x".  This is used to
               escape special characters such as: "*", "?", "[", and "}".

       POSIX character classes may also be used if your system's glob(3) and
       fnmatch(3) functions support them.  However, because the ':' character
       has special meaning in sudoers, it must be escaped.  For example:

           /bin/ls [[\:alpha\:]]*

       would match any file name beginning with a letter.

       Note that a forward slash ('/') will not be matched by wildcards used
       in the path name.  When matching the command line arguments, however, a
       slash does get matched by wildcards.  This is to make a path like:

           /usr/bin/*

       match /usr/bin/who but not /usr/bin/X11/xterm.

   Exceptions to wildcard rules
       The following exceptions apply to the above rules:

       ""      If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.
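
       The wildcard rules above (no '/' match in path names, '/' matched in
       arguments, the escaped POSIX class, and the "" exception) implemented
       as a Python matcher.  This is an added example, not the sudo project's
       code: real sudo defers to the system's glob(3)/fnmatch(3), so the small
       table of POSIX classes and the argument-joining convention are
       assumptions made here.

```python
import re

# POSIX classes this example understands (an assumption; the real matcher
# defers to the system's glob(3)/fnmatch(3)).
POSIX_CLASSES = {'alpha': 'a-zA-Z', 'digit': '0-9', 'alnum': 'a-zA-Z0-9',
                 'upper': 'A-Z', 'lower': 'a-z'}
# Accepts both [:alpha:] and the sudoers-escaped form [\:alpha\:].
_POSIX_CLASS = re.compile(r'\[\\?:([a-z]+)\\?:\]')


def _bracket(pattern, i, pathname):
    """Translate the bracket expression starting at pattern[i] == '['.
    Returns (regex fragment, index just past the closing ']')."""
    j = i + 1
    negated = pattern.startswith('!', j)
    if negated:
        j += 1
    members = []
    while j < len(pattern) and pattern[j] != ']':
        m = _POSIX_CLASS.match(pattern, j)
        if m and m.group(1) in POSIX_CLASSES:
            members.append(POSIX_CLASSES[m.group(1)])
            j = m.end()
            continue
        if pattern[j] == '\\' and j + 1 < len(pattern):   # \x is a literal x
            members.append(re.escape(pattern[j + 1]))
            j += 2
            continue
        # '-' is kept raw so ranges such as a-z survive; everything else is literal
        members.append(pattern[j] if pattern[j] == '-' else re.escape(pattern[j]))
        j += 1
    if j >= len(pattern):                  # unterminated '[' is taken literally
        return re.escape('['), i + 1
    if negated and pathname:
        members.append('/')                # a negated class must not match '/'
    return '[' + ('^' if negated else '') + ''.join(members) + ']', j + 1


def glob_to_regex(pattern, pathname):
    """sudoers glob -> regex.  pathname=True mimics FNM_PATHNAME, where '*',
    '?' and bracket expressions never match '/'; for command line arguments
    (pathname=False) a '/' is matched like any other character."""
    any_char = '[^/]' if pathname else '.'
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):   # \x evaluates to x
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == '*':
            out.append(any_char + '*')
            i += 1
        elif c == '?':
            out.append(any_char)
            i += 1
        elif c == '[':
            frag, i = _bracket(pattern, i, pathname)
            out.append(frag)
        else:
            out.append(re.escape(c))
            i += 1
    return ''.join(out)


def glob_match(pattern, string, pathname):
    return re.fullmatch(glob_to_regex(pattern, pathname), string, re.DOTALL) is not None


def command_allowed(entry_path, entry_args, user_path, user_args):
    """Apply one Cmnd to a requested command.  entry_args is None for a bare
    file name (any arguments), '""' for 'no arguments allowed', otherwise a
    pattern matched against the user's arguments joined by single spaces."""
    if not glob_match(entry_path, user_path, pathname=True):
        return False
    if entry_args is None:
        return True
    if entry_args == '""':
        return not user_args
    return glob_match(entry_args, ' '.join(user_args), pathname=False)
```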

   Including other files from within sudoers
       It is possible to include other sudoers files from within the sudoers
       file currently being parsed using the #include and #includedir
       directives.

       This can be used, for example, to keep a site-wide sudoers file in
       addition to a local, per-machine file.  For the sake of this example
       the site-wide sudoers will be /etc/sudoers and the per-machine one will
       be /etc/sudoers.local.  To include /etc/sudoers.local from within
       /etc/sudoers we would use the following line in /etc/sudoers:

           #include /etc/sudoers.local

       When sudo reaches this line it will suspend processing of the current
       file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching
       the end of /etc/sudoers.local, the rest of /etc/sudoers will be
       processed.  Files that are included may themselves include other files.
       A hard limit of 128 nested include files is enforced to prevent include
       file loops.

       The file name may include the %h escape, signifying the short form of
       the host name.  I.e., if the machine's host name is "xerxes", then

           #include /etc/sudoers.%h

       will cause sudo to include the file /etc/sudoers.xerxes.

       The #includedir directive can be used to create a sudo.d directory that
       the system package manager can drop sudoers rules into as part of
       package installation.  For example, given:

           #includedir /etc/sudoers.d

       sudo will read each file in /etc/sudoers.d, skipping file names that
       end in ~ or contain a . character to avoid causing problems with
       package manager or editor temporary/backup files.  Files are parsed in
       sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed
       before /etc/sudoers.d/10_second.  Be aware that because the sorting is
       lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
       /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes
       in the file names avoids such problems.

       Note that unlike files included via #include, visudo will not edit the
       files in a #includedir directory unless one of them contains a syntax
       error.  It is still possible to run visudo with the -f flag to edit the
       files directly.
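
       The #includedir rules above (skip names ending in ~ or containing a
       '.', then parse in lexical order) in Python, with a check for the
       "1_whoops after 10_second" pitfall, which matters because the last
       matching entry wins.  This is an added example with a constructed
       directory listing, not code from the sudo project.

```python
import re

# Constructed directory listing (not from the man page).
SAMPLE_DIR_LISTING = [
    '10_second', '1_whoops', '01_first', 'README.txt',
    '20_app~', '05_ops', '.hidden', 'zz_last',
]

_NUMERIC_PREFIX = re.compile(r'\d+')


def includedir_files(names):
    """Files sudo would parse from a #includedir, in parse order: names ending
    in '~' or containing '.' are skipped, the rest are sorted lexically."""
    eligible = [n for n in names if not n.endswith('~') and '.' not in n]
    return sorted(eligible)


def numeric_prefix_misorderings(ordered):
    """Adjacent files whose numeric prefixes sort lexically but not numerically,
    i.e. the '1_whoops' after '10_second' pitfall.  Returns (earlier, later) pairs."""
    prefixed = []
    for name in ordered:
        m = _NUMERIC_PREFIX.match(name)
        if m:
            prefixed.append((int(m.group()), name))
    return [(a_name, b_name)
            for (a, a_name), (b, b_name) in zip(prefixed, prefixed[1:])
            if a > b]
```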

   Other special characters and reserved words
       The pound sign ('#') is used to indicate a comment (unless it is part
       of a #include directive or unless it occurs in the context of a user
       name and is followed by one or more digits, in which case it is treated
       as a uid).  Both the comment character and any text after it, up to the
       end of the line, are ignored.

       The reserved word ALL is a built-in alias that always causes a match to
       succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
       User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
       your own alias called ALL as the built-in alias will be used in
       preference to your own.  Please note that using ALL can be dangerous
       since in a command context, it allows the user to run any command on
       the system.

       An exclamation point ('!') can be used as a logical not operator both
       in an alias and in front of a Cmnd.  This allows one to exclude certain
       values.  Note, however, that using a ! in conjunction with the built-in
       ALL alias to allow a user to run "all but a few" commands rarely works
       as intended (see SECURITY NOTES below).

       Long lines can be continued with a backslash ('\') as the last
       character on the line.

       Whitespace between elements in a list as well as special syntactic
       characters in a User Specification ('=', ':', '(', ')') is optional.

       The following characters must be escaped with a backslash ('\') when
       used as part of a word (e.g. a user name or host name): '@', '!', '=',
       ':', ',', '(', ')', '\'.

SUDOERS OPTIONS
       sudo's behavior can be modified by Default_Entry lines, as explained
       earlier.  All supported Defaults parameters, grouped by type, are
       listed below.

       Boolean Flags:

       always_set_home   If enabled, sudo will set the HOME environment variable
                         to the home directory of the target user (which is root
                         unless the -u option is used).  This effectively means
                         that the -H option is always implied.  Note that HOME
                         is already set when the env_reset option is enabled,
                         so always_set_home is only effective for
                         configurations where env_reset is disabled.  This flag
                         is off by default.

       authenticate      If set, users must authenticate themselves via a
                         password (or other means of authentication) before they
                         may run commands.  This default may be overridden via
                         the PASSWD and NOPASSWD tags.  This flag is on by
                         default.

       closefrom_override
                         If set, the user may use sudo's -C option which
                         overrides the default starting point at which sudo
                         begins closing open file descriptors.  This flag is off
                         by default.

       compress_io       If set, and sudo is configured to log a command's input
                         or output, the I/O logs will be compressed using zlib.
                         This flag is on by default when sudo is compiled with
                         zlib support.

       env_editor        If set, visudo will use the value of the EDITOR or
                         VISUAL environment variables before falling back on the
                         default editor list.  Note that this may create a
                         security hole as it allows the user to run any
                         arbitrary command as root without logging.  A safer
                         alternative is to place a colon-separated list of
                         editors in the editor variable.  visudo will then only
                         use EDITOR or VISUAL if they match a value specified in
                         editor.  This flag is off by default.

       env_reset         If set, sudo will reset the environment to only contain
                         the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
                         variables.  Any variables in the caller's environment
                         that match the env_keep and env_check lists are then
                         added.  The default contents of the env_keep and
                         env_check lists are displayed when sudo is run by root
                         with the -V option.  If the secure_path option is set,
                         its value will be used for the PATH environment
                         variable.  This flag is on by default.

       fast_glob         Normally, sudo uses the glob(3) function to do
                         shell-style globbing when matching path names.
                         However, since it accesses the file system, glob(3)
                         can take a long time to complete for some patterns,
                         especially when the pattern references a network file
                         system that is mounted on demand (automounted).  The
                         fast_glob option causes sudo to use the fnmatch(3)
                         function, which does not access the file system to do
                         its matching.  The disadvantage of fast_glob is that
                         it is unable to match relative path names such as ./ls
                         or ../bin/ls.  This has security implications when
                         path names that include globbing characters are used
                         with the negation operator, '!', as such rules can be
                         trivially bypassed.  As such, this option should not
                         be used when sudoers contains rules that contain
                         negated path names which include globbing characters.
                         This flag is off by default.

       fqdn              Set this flag if you want to put fully qualified host
                         names in the sudoers file.  I.e., instead of myhost you
                         would use myhost.mydomain.edu.  You may still use the
                         short form if you wish (and even mix the two).  Beware
                         that turning on fqdn requires sudo to make DNS lookups
                         which may make sudo unusable if DNS stops working (for
                         example if the machine is not plugged into the
                         network).  Also note that you must use the host's
                         official name as DNS knows it.  That is, you may not
                         use a host alias (CNAME entry) due to performance
                         issues and the fact that there is no way to get all
                         aliases from DNS.  If your machine's host name (as
                         returned by the hostname command) is already fully
                         qualified you shouldn't need to set fqdn.  This flag is
                         off by default.

       ignore_dot        If set, sudo will ignore '.' or '' (current dir) in the
                         PATH environment variable; the PATH itself is not
                         modified.  This flag is off by default.

       ignore_local_sudoers
                         If set via LDAP, parsing of /etc/sudoers will be
                         skipped.  This is intended for enterprises that wish to
                         prevent the usage of local sudoers files so that only
                         LDAP is used.  This thwarts the efforts of rogue
                         operators who would attempt to add roles to
                         /etc/sudoers.  When this option is present,
                         /etc/sudoers does not even need to exist.  Since this
                         option tells sudo how to behave when no specific LDAP
                         entries have been matched, this sudoOption is only
                         meaningful for the cn=defaults section.  This flag is
                         off by default.

       insults           If set, sudo will insult users when they enter an
                         incorrect password.  This flag is off by default.

       log_host          If set, the host name will be logged in the
                         (non-syslog) sudo log file.  This flag is off by
                         default.

       log_year          If set, the four-digit year will be logged in the
                         (non-syslog) sudo log file.  This flag is off by
                         default.

       long_otp_prompt   When validating with a One Time Password (OTP) scheme
                         such as S/Key or OPIE, a two-line prompt is used to
                         make it easier to cut and paste the challenge to a
                         local window.  It's not as pretty as the default but
                         some people find it more convenient.  This flag is off
                         by default.

       mail_always       Send mail to the mailto user every time a user runs
                         sudo.  This flag is off by default.

       mail_badpass      Send mail to the mailto user if the user running sudo
                         does not enter the correct password.  This flag is off
                         by default.

       mail_no_host      If set, mail will be sent to the mailto user if the
                         invoking user exists in the sudoers file, but is not
                         allowed to run commands on the current host.  This flag
                         is off by default.

       mail_no_perms     If set, mail will be sent to the mailto user if the
                         invoking user is allowed to use sudo but the command
                         they are trying is not listed in their sudoers file
                         entry or is explicitly denied.  This flag is off by
                         default.

       mail_no_user      If set, mail will be sent to the mailto user if the
                         invoking user is not in the sudoers file.  This flag is
                         on by default.

       noexec            If set, all commands run via sudo will behave as if the
                         NOEXEC tag has been set, unless overridden by an EXEC
                         tag.  See the description of NOEXEC and EXEC above as
                         well as the "PREVENTING SHELL ESCAPES" section at the
                         end of this manual.  This flag is off by default.

       path_info         Normally, sudo will tell the user when a command could
                         not be found in their PATH environment variable.  Some
                         sites may wish to disable this as it could be used to
                         gather information on the location of executables that
                         the normal user does not have access to.  The
                         disadvantage is that if the executable is simply not in
                         the user's PATH, sudo will tell the user that they are
                         not allowed to run it, which can be confusing.  This
                         flag is on by default.

       passprompt_override
                         The password prompt specified by passprompt will
                         normally only be used if the password prompt provided
                         by systems such as PAM matches the string "Password:".
                         If passprompt_override is set, passprompt will always
                         be used.  This flag is off by default.

       preserve_groups   By default, sudo will initialize the group vector to
                         the list of groups the target user is in.  When
                         preserve_groups is set, the user's existing group
                         vector is left unaltered.  The real and effective group
                         IDs, however, are still set to match the target user.
                         This flag is off by default.

       pwfeedback        By default, sudo reads the password like most other
                         Unix programs, by turning off echo until the user hits
                         the return (or enter) key.  Some users become confused
                         by this as it appears to them that sudo has hung at
                         this point.  When pwfeedback is set, sudo will provide
                         visual feedback when the user presses a key.  Note that
                         this does have a security impact as an onlooker may be
                         able to determine the length of the password being
                         entered.  This flag is off by default.

       requiretty        If set, sudo will only run when the user is logged in
                         to a real tty.  When this flag is set, sudo can only be
                         run from a login session and not via other means such
                         as cron(1m) or cgi-bin scripts.  This flag is off by
                         default.

       root_sudo         If set, root is allowed to run sudo too.  Disabling
                         this prevents users from "chaining" sudo commands to
                         get a root shell by doing something like "sudo sudo
                         /bin/sh".  Note, however, that turning off root_sudo
                         will also prevent root from running sudoedit.
                         Disabling root_sudo provides no real additional
                         security; it exists purely for historical reasons.
                         This flag is on by default.

       rootpw            If set, sudo will prompt for the root password instead
                         of the password of the invoking user.  This flag is off
                         by default.

       runaspw           If set, sudo will prompt for the password of the user
                         defined by the runas_default option (defaults to root)
                         instead of the password of the invoking user.  This
                         flag is off by default.

       set_home          If enabled and sudo is invoked with the -s option the
                         HOME environment variable will be set to the home
                         directory of the target user (which is root unless the
| --uu option is used). This effectively makes the --ss |
| option imply --HH. Note that HOME is already set when |
| the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is |
| only effective for configurations where _e_n_v___r_e_s_e_t is |
| disabled. This flag is _o_f_f by default. |
| |
| set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME |
| environment variables to the name of the target user |
| (usually root unless the --uu option is given). However, |
| since some programs (including the RCS revision control |
| system) use LOGNAME to determine the real identity of |
| the user, it may be desirable to change this behavior. |
| This can be done by negating the set_logname option. |
| Note that if the _e_n_v___r_e_s_e_t option has not been |
| disabled, entries in the _e_n_v___k_e_e_p list will override |
| the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default. |
| |
| setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the |
| command line. Additionally, environment variables set |
| via the command line are not subject to the |
| restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or |
| _e_n_v___k_e_e_p. As such, only trusted users should be |
| allowed to set variables in this manner. This flag is |
| _o_f_f by default. |
| |
| shell_noargs If set and ssuuddoo is invoked with no arguments it acts as |
| if the --ss option had been given. That is, it runs a |
| shell as root (the shell is determined by the SHELL |
| environment variable if it is set, falling back on the |
| shell listed in the invoking user's /etc/passwd entry |
| if not). This flag is _o_f_f by default. |
| |
| stay_setuid Normally, when ssuuddoo executes a command the real and |
| effective UIDs are set to the target user (root by |
| default). This option changes that behavior such that |
| the real UID is left as the invoking user's UID. In |
| other words, this makes ssuuddoo act as a setuid wrapper. |
| This can be useful on systems that disable some |
| potentially dangerous functionality when a program is |
| run setuid. This option is only effective on systems |
| with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. |
| This flag is _o_f_f by default. |
| |
| targetpw If set, ssuuddoo will prompt for the password of the user |
| specified by the --uu option (defaults to root) instead |
| of the password of the invoking user. In addition, the |
| timestamp file name will include the target user's |
| name. Note that this flag precludes the use of a uid |
| not listed in the passwd database as an argument to the |
| --uu option. This flag is _o_f_f by default. |
| |
| log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and |
| log all user input. If the standard input is not |
| connected to the user's tty, due to I/O redirection or |
| because the command is part of a pipeline, that input |
| is also captured and stored in a separate log file. |
| |
| Input is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory using |
| a unique session ID that is included in the normal ssuuddoo |
| log line, prefixed with _T_S_I_D_=. |
| |
| log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and |
| log all output that is sent to the screen, similar to |
| the _s_c_r_i_p_t(1) command. If the standard output or |
| standard error is not connected to the user's tty, due |
| to I/O redirection or because the command is part of a |
| pipeline, that output is also captured and stored in |
| separate log files. |
| |
| Output is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory |
| using a unique session ID that is included in the |
| normal ssuuddoo log line, prefixed with _T_S_I_D_=. |
| |
| Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) |
| utility, which can also be used to list or search the |
| available logs. |
| |
| tty_tickets If set, users must authenticate on a per-tty basis. |
| With this flag enabled, ssuuddoo will use a file named for |
| the tty the user is logged in on in the user's time |
| stamp directory. If disabled, the time stamp of the |
| directory is used instead. This flag is _o_n by default. |
| |
| umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s |
| without modification. This makes it possible to |
| specify a more permissive umask in _s_u_d_o_e_r_s than the |
| user's own umask and matches historical behavior. If |
| _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to |
| be the union of the user's umask and what is specified |
| in _s_u_d_o_e_r_s. This flag is _o_f_f by default. |
| |
| use_loginclass If set, ssuuddoo will apply the defaults specified for the |
| target user's login class if one exists. Only |
| available if ssuuddoo is configured with the |
| --with-logincap option. This flag is _o_f_f by default. |
| |
| use_pty If set, ssuuddoo will run the command in a pseudo-pty even |
| if no I/O logging is being done. A malicious program |
| run under ssuuddoo could conceivably fork a background |
| process that retains access to the user's terminal |
| device after the main program has finished executing. |
| Use of this option will make that impossible. |
| |
| visiblepw By default, ssuuddoo will refuse to run if the user must |
| enter a password but it is not possible to disable echo |
| on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo |
| will prompt for a password even when it would be |
| visible on the screen. This makes it possible to run |
| things like "rsh somehost sudo ls" since _r_s_h(1) does |
| not allocate a tty. This flag is _o_f_f by default. |
| |
| IInntteeggeerrss: |
| |
| closefrom Before it executes a command, ssuuddoo will close all open |
| file descriptors other than standard input, standard |
| output and standard error (i.e., file descriptors 0-2). |
| The _c_l_o_s_e_f_r_o_m option can be used to specify a different |
| file descriptor at which to start closing. The default |
| is 3. |
| |
| passwd_tries The number of tries a user gets to enter his/her |
| password before ssuuddoo logs the failure and exits. The |
| default is 3. |
| |
| IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: |
| |
| loglinelen Number of characters per line for the file log. This |
| value is used to decide when to wrap lines for nicer |
| log files. This has no effect on the syslog log file, |
| only the file log. The default is 80 (use 0 or negate |
| the option to disable word wrap). |
| |
| passwd_timeout Number of minutes before the ssuuddoo password prompt times |
| out, or 0 for no timeout. The timeout may include a |
| fractional component if minute granularity is |
| insufficient, for example 2.5. The default is 5. |
| |
| timestamp_timeout |
| Number of minutes that can elapse before ssuuddoo will ask |
| for a password again. The timeout may include a |
| fractional component if minute granularity is |
| insufficient, for example 2.5. The default is 5. Set |
| this to 0 to always prompt for a password. If set to a |
| value less than 0 the user's timestamp will never |
| expire. This can be used to allow users to create or |
| delete their own timestamps via sudo -v and sudo -k |
| respectively. |
| |
| umask Umask to use when running the command. Negate this |
| option or set it to 0777 to preserve the user's umask. |
| Unless _u_m_a_s_k___o_v_e_r_r_i_d_e is set, the actual umask that is |
| used will be the union of the user's umask and this |
| value (0022 by default). This guarantees that ssuuddoo |
| never lowers the umask when running a command. Note |
| that on systems that use PAM, the default PAM |
| configuration may specify its own umask which will |
| override the value set in _s_u_d_o_e_r_s. |
| |
| SSttrriinnggss: |
| |
| badpass_message Message that is displayed if a user enters an incorrect |
| password. The default is Sorry, try again. unless |
| insults are enabled. |
| |
| editor A colon (':') separated list of editors allowed to be |
| used with vviissuuddoo. vviissuuddoo will choose the editor that |
| matches the user's EDITOR environment variable if |
| possible, or the first editor in the list that exists |
| and is executable. The default is "vi". |
| |
| mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape |
| %h will expand to the host name of the machine. |
| Default is *** SECURITY information for %h ***. |
| |
| noexec_file Path to a shared library containing dummy versions of |
| the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions |
| that just return an error. This is used to implement |
| the _n_o_e_x_e_c functionality on systems that support |
| LD_PRELOAD or its equivalent. Defaults to |
| _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. |
| |
| passprompt The default prompt to use when asking for a password; |
| can be overridden via the --pp option or the SUDO_PROMPT |
| environment variable. The following percent (`%') |
| escapes are supported: |
| |
| %H expanded to the local host name including the |
| domain name (only if the machine's host name is fully |
| qualified or the _f_q_d_n option is set) |
| |
| %h expanded to the local host name without the domain |
| name |
| |
| %p expanded to the user whose password is being asked |
| for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w |
| flags in _s_u_d_o_e_r_s) |
| |
| %U expanded to the login name of the user the command |
| will be run as (defaults to root) |
| |
| %u expanded to the invoking user's login name |
| |
| %% two consecutive % characters are collapsed into a |
| single % character |
| |
| The default value is Password:. |
| |
| role The default SELinux role to use when constructing a new |
| security context to run the command. The default role |
| may be overridden on a per-command basis in _s_u_d_o_e_r_s or |
| via command line options. This option is only |
| available when ssuuddoo is built with SELinux support. |
| |
| runas_default The default user to run commands as if the --uu option is |
| not specified on the command line. This defaults to |
| root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur |
| before any Runas_Alias specifications. |
| |
| syslog_badpri Syslog priority to use when user authenticates |
| unsuccessfully. Defaults to alert. |
| |
| syslog_goodpri Syslog priority to use when user authenticates |
| successfully. Defaults to notice. |
| |
| sudoers_locale Locale to use when parsing the sudoers file. Note that |
| changing the locale may affect how sudoers is |
| interpreted. Defaults to "C". |
| |
| timestampdir The directory in which ssuuddoo stores its timestamp files. |
| The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. |
| |
| timestampowner The owner of the timestamp directory and the timestamps |
| stored therein. The default is root. |
| |
| type The default SELinux type to use when constructing a new |
| security context to run the command. The default type |
| may be overridden on a per-command basis in _s_u_d_o_e_r_s or |
| via command line options. This option is only |
| available when ssuuddoo is built with SELinux support. |
| |
| SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: |
| |
| askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a |
| helper program used to read the user's password when no |
| terminal is available. This may be the case when ssuuddoo is |
| executed from a graphical (as opposed to text-based) |
| application. The program specified by _a_s_k_p_a_s_s should |
| display the argument passed to it as the prompt and write |
| the user's password to the standard output. The value of |
| _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment |
| variable. |
| |
| env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to |
| a file containing variables to be set in the environment of |
| the program being run. Entries in this file should either |
| be of the form VARIABLE=value or export VARIABLE=value. |
| The value may optionally be surrounded by single or double |
| quotes. Variables in this file are subject to other ssuuddoo |
| environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. |
| |
| exempt_group |
| Users in this group are exempt from password and PATH |
| requirements. This is not set by default. |
| |
| lecture This option controls when a short lecture will be printed |
| along with the password prompt. It has the following |
| possible values: |
| |
| always Always lecture the user. |
| |
| never Never lecture the user. |
| |
| once Only lecture the user the first time they run ssuuddoo. |
| |
| If no value is specified, a value of _o_n_c_e is implied. |
| Negating the option results in a value of _n_e_v_e_r being used. |
| The default value is _o_n_c_e. |
| |
| lecture_file |
| Path to a file containing an alternate ssuuddoo lecture that |
| will be used in place of the standard lecture if the named |
| file exists. By default, ssuuddoo uses a built-in lecture. |
| |
| listpw This option controls when a password will be required when |
| a user runs ssuuddoo with the --ll option. It has the following |
| possible values: |
| |
| all All the user's _s_u_d_o_e_r_s entries for the current host |
| must have the NOPASSWD flag set to avoid entering a |
| password. |
| |
| always The user must always enter a password to use the --ll |
| option. |
| |
| any At least one of the user's _s_u_d_o_e_r_s entries for the |
| current host must have the NOPASSWD flag set to |
| avoid entering a password. |
| |
| never The user need never enter a password to use the --ll |
| option. |
| |
| If no value is specified, a value of _a_n_y is implied. |
| Negating the option results in a value of _n_e_v_e_r being used. |
| The default value is _a_n_y. |
| |
| logfile Path to the ssuuddoo log file (not the syslog log file). |
| Setting a path turns on logging to a file; negating this |
| option turns it off. By default, ssuuddoo logs via syslog. |
| |
| mailerflags Flags to use when invoking mailer. Defaults to --tt. |
| |
| mailerpath Path to mail program used to send warning mail. Defaults |
| to the path to sendmail found at configure time. |
| |
| mailfrom Address to use for the "from" address when sending warning |
| and error mail. The address should be enclosed in double |
| quotes (") to protect against ssuuddoo interpreting the @ sign. |
| Defaults to the name of the user running ssuuddoo. |
| |
| mailto Address to send warning and error mail to. The address |
| should be enclosed in double quotes (") to protect against |
| ssuuddoo interpreting the @ sign. Defaults to root. |
| |
| secure_path Path used for every command run from ssuuddoo. If you don't |
| trust the people running ssuuddoo to have a sane PATH |
| environment variable you may want to use this. Another use |
| is if you want to have the "root path" be separate from the |
| "user path." Users in the group specified by the |
| _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This |
| option is not set by default. |
| |
| syslog Syslog facility if syslog is being used for logging (negate |
| to disable syslog logging). Defaults to auth. |
| |
| verifypw This option controls when a password will be required when |
| a user runs ssuuddoo with the --vv option. It has the following |
| possible values: |
| |
| all All the user's _s_u_d_o_e_r_s entries for the current host |
| must have the NOPASSWD flag set to avoid entering a |
| password. |
| |
| always The user must always enter a password to use the --vv |
| option. |
| |
| any At least one of the user's _s_u_d_o_e_r_s entries for the |
| current host must have the NOPASSWD flag set to |
| avoid entering a password. |
| |
| never The user need never enter a password to use the --vv |
| option. |
| |
| If no value is specified, a value of _a_l_l is implied. |
| Negating the option results in a value of _n_e_v_e_r being used. |
| The default value is _a_l_l. |
| |
| LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: |
| |
| env_check Environment variables to be removed from the user's |
| environment if the variable's value contains % or / |
| characters. This can be used to guard against printf- |
| style format vulnerabilities in poorly-written |
| programs. The argument may be a double-quoted, space- |
| separated list or a single value without double-quotes. |
| The list can be replaced, added to, deleted from, or |
| disabled by using the =, +=, -=, and ! operators |
| respectively. Regardless of whether the env_reset |
| option is enabled or disabled, variables specified by |
| env_check will be preserved in the environment if they |
| pass the aforementioned check. The default list of |
| environment variables to check is displayed when ssuuddoo |
| is run by root with the _-_V option. |
| |
| env_delete Environment variables to be removed from the user's |
| environment when the _e_n_v___r_e_s_e_t option is not in effect. |
| The argument may be a double-quoted, space-separated |
| list or a single value without double-quotes. The list |
| can be replaced, added to, deleted from, or disabled by |
| using the =, +=, -=, and ! operators respectively. The |
| default list of environment variables to remove is |
| displayed when ssuuddoo is run by root with the _-_V option. |
| Note that many operating systems will remove |
| potentially dangerous variables from the environment of |
| any setuid process (such as ssuuddoo). |
| |
| env_keep Environment variables to be preserved in the user's |
| environment when the _e_n_v___r_e_s_e_t option is in effect. |
| This allows fine-grained control over the environment |
| ssuuddoo-spawned processes will receive. The argument may |
| be a double-quoted, space-separated list or a single |
| value without double-quotes. The list can be replaced, |
| added to, deleted from, or disabled by using the =, +=, |
| -=, and ! operators respectively. The default list of |
| variables to keep is displayed when ssuuddoo is run by root |
| with the _-_V option. |
| |
| When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the |
| syslog facility (the value of the ssyysslloogg Parameter): aauutthhpprriivv (if your |
| OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, |
| llooccaall44, llooccaall55, llooccaall66, and llooccaall77. The following syslog priorities |
| are supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and |
| wwaarrnniinngg. |
| |
| FFIILLEESS |
| _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what |
| |
| _/_e_t_c_/_g_r_o_u_p Local groups file |
| |
| _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups |
| |
| _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files |
| |
| EEXXAAMMPPLLEESS |
| Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit |
| contrived. First, we allow a few environment variables to pass and |
| then define our _a_l_i_a_s_e_s: |
| |
| # Run X applications through sudo; HOME is used to find the |
| # .Xauthority file. Note that other programs use HOME to find |
| # configuration files and this may lead to privilege escalation! |
| Defaults env_keep += "DISPLAY HOME" |
| |
| # User alias specification |
| User_Alias FULLTIMERS = millert, mikef, dowdy |
| User_Alias PARTTIMERS = bostley, jwfox, crawl |
| User_Alias WEBMASTERS = will, wendy, wim |
| |
| # Runas alias specification |
| Runas_Alias OP = root, operator |
| Runas_Alias DB = oracle, sybase |
| Runas_Alias ADMINGRP = adm, oper |
| |
| # Host alias specification |
| Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ |
| SGI = grolsch, dandelion, black :\ |
| ALPHA = widget, thalamus, foobar :\ |
| HPPA = boa, nag, python |
| Host_Alias CUNETS = 128.138.0.0/255.255.0.0 |
| Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 |
| Host_Alias SERVERS = master, mail, www, ns |
| |
| Host_Alias CDROM = orion, perseus, hercules |
| |
| # Cmnd alias specification |
| Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ |
| /usr/sbin/restore, /usr/sbin/rrestore |
| Cmnd_Alias KILL = /usr/bin/kill |
| Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm |
| Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown |
| Cmnd_Alias HALT = /usr/sbin/halt |
| Cmnd_Alias REBOOT = /usr/sbin/reboot |
| Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ |
| /usr/local/bin/tcsh, /usr/bin/rsh, \ |
| /usr/local/bin/zsh |
| Cmnd_Alias SU = /usr/bin/su |
| Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less |
| |
| Here we override some of the compiled in default values. We want ssuuddoo |
| to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't |
| want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt |
| need not give a password, and we don't want to reset the LOGNAME, USER |
| or USERNAME environment variables when running commands as root. |
| Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an |
| additional local log file and make sure we log the year in each log |
| line since the log entries will be kept around for several years. |
| Lastly, we disable shell escapes for the commands in the PAGERS |
| Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). |
| |
| # Override built-in defaults |
| Defaults syslog=auth |
| Defaults>root !set_logname |
| Defaults:FULLTIMERS !lecture |
| Defaults:millert !authenticate |
| Defaults@SERVERS log_year, logfile=/var/log/sudo.log |
| Defaults!PAGERS noexec |
| |
| The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run |
| what. |
| |
| root ALL = (ALL) ALL |
| %wheel ALL = (ALL) ALL |
| |
| We let rroooott and any user in group wwhheeeell run any command on any host as |
| any user. |
| |
| FULLTIMERS ALL = NOPASSWD: ALL |
| |
| Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on |
| any host without authenticating themselves. |
| |
| PARTTIMERS ALL = ALL |
| |
| Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on |
| any host but they must authenticate themselves first (since the entry |
| lacks the NOPASSWD tag). |
| |
| jack CSNETS = ALL |
| |
| The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias |
| (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of |
| those networks, only 128.138.204.0 has an explicit netmask (in CIDR |
| notation) indicating it is a class C network. For the other networks |
| in _C_S_N_E_T_S, the local machine's netmask will be used during matching. |
| |
| lisa CUNETS = ALL |
| |
| The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the |
| class B network 128.138.0.0). |
| |
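As an added example for this page (not sudo's own code), the C function below shows how the three forms of network entry used in the CSNETS and CUNETS aliases above are matched against the local host's IPv4 address: a network with a CIDR prefix such as 128.138.204.0/24, a network with a dotted netmask such as 128.138.0.0/255.255.0.0, and a bare network such as 128.138.243.0, which falls back to the local interface's netmask as the text says. The function name host_addr_matches, the local-netmask parameter and the fail-closed handling of unparsable input are this example's own choices.

```c
/*
 * Added example, not sudo's own code: matching a Host_Alias network entry
 * (CIDR prefix, dotted netmask, or a bare network that uses the local
 * interface's netmask) against the local host's IPv4 address.
 */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Dotted quad -> host byte order.  Returns 0 on a malformed address. */
static int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* "24" -> 0xffffff00, "255.255.0.0" -> 0xffff0000; bits outside 0-32 rejected. */
static int parse_mask(const char *s, uint32_t *mask)
{
    char *end;
    long bits;
    if (strchr(s, '.') != NULL)
        return parse_ip(s, mask);
    bits = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || bits < 0 || bits > 32)
        return 0;
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return 1;
}

/*
 * 1 if host_ip lies inside the network given by spec, else 0.  local_mask
 * is the netmask of the local interface and is consulted only when spec
 * carries no "/mask" of its own.  Unparsable input fails closed (no match).
 */
int host_addr_matches(const char *spec, const char *host_ip,
                      const char *local_mask)
{
    char net[INET_ADDRSTRLEN];
    uint32_t n, m, h;
    const char *slash = strchr(spec, '/');
    size_t len = slash ? (size_t)(slash - spec) : strlen(spec);

    if (len >= sizeof net)
        return 0;
    memcpy(net, spec, len);
    net[len] = '\0';
    if (!parse_ip(net, &n) || !parse_ip(host_ip, &h))
        return 0;
    if (slash ? !parse_mask(slash + 1, &m) : !parse_ip(local_mask, &m))
        return 0;
    return (h & m) == (n & m);
}

int main(void)
{
    /* The CSNETS entries from the example above, checked against one host
       whose interface netmask is assumed to be 255.255.255.0. */
    const char *csnets[] = { "128.138.243.0", "128.138.204.0/24", "128.138.242.0" };
    for (size_t i = 0; i < sizeof csnets / sizeof csnets[0]; i++)
        printf("%-18s %s 128.138.204.17\n", csnets[i],
               host_addr_matches(csnets[i], "128.138.204.17", "255.255.255.0")
                   ? "matches" : "does not match");
    return 0;
}
```

Note that a bare entry with a local netmask of 255.255.0.0 matches the whole class B, so the width of a rule like `128.138.243.0` depends on the interface configuration of each host it is evaluated on, not on the sudoers file alone.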
| operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ |
| sudoedit /etc/printcap, /usr/oper/bin/ |
| |
| The ooppeerraattoorr user may run commands limited to simple maintenance. |
| Here, those are commands related to backups, killing processes, the |
| printing system, shutting down the system, and any commands in the |
| directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. |
| |
| joe ALL = /usr/bin/su operator |
| |
| The user jjooee may only _s_u(1) to operator. |
| |
| pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root |
| |
| The user ppeettee is allowed to change anyone's password except for root on |
| the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take |
| multiple user names on the command line. |
| |
| %opers ALL = (: ADMINGRP) /usr/sbin/ |
| |
| Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves |
| with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). |
| |
| bob SPARC = (OP) ALL : SGI = (OP) ALL |
| |
| The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user |
| listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). |
| |
| jim +biglab = ALL |
| |
| The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. |
| ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. |
| |
| +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser |
| |
| Users in the sseeccrreettaarriieess netgroup need to help manage the printers as |
| well as add and remove users, so they are allowed to run those commands |
| on all machines. |
| |
| fred ALL = (DB) NOPASSWD: ALL |
| |
| The user ffrreedd can run commands as any user in the _D_B Runas_Alias |
| (oorraaccllee or ssyybbaassee) without giving a password. |
| |
| john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* |
| |
| On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is |
| not allowed to specify any options to the _s_u(1) command. |
| |
| jen ALL, !SERVERS = ALL |
| |
| The user jjeenn may run any command on any machine except for those in the |
| _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). |
| |
| jill SERVERS = /usr/bin/, !SU, !SHELLS |
| |
| For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in |
| the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U |
| and _S_H_E_L_L_S Cmnd_Aliases. |
| |
| steve CSNETS = (operator) /usr/local/op_commands/ |
| |
| The user sstteevvee may run any command in the directory |
| /usr/local/op_commands/ but only as user operator. |
| |
| matt valkyrie = KILL |
| |
| On his personal workstation, valkyrie, mmaatttt needs to be able to kill |
| hung processes. |
| |
| WEBMASTERS www = (www) ALL, (root) /usr/bin/su www |
| |
| On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, |
| and wim), may run any command as user www (which owns the web pages) or |
| simply _s_u(1) to www. |
| |
| ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ |
| /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM |
| |
| Any user may mount or unmount a CD-ROM on the machines in the CDROM |
| Host_Alias (orion, perseus, hercules) without entering a password. |
| This is a bit tedious for users to type, so it is a prime candidate for |
| encapsulating in a shell script. |
| |
| SSEECCUURRIITTYY NNOOTTEESS |
| It is generally not effective to "subtract" commands from ALL using the |
| '!' operator. A user can trivially circumvent this by copying the |
| desired command to a different name and then executing that. For |
| example: |
| |
| bill ALL = ALL, !SU, !SHELLS |
| |
| Doesn't really prevent bbiillll from running the commands listed in _S_U or |
| _S_H_E_L_L_S since he can simply copy those commands to a different name, or |
| use a shell escape from an editor or other program. Therefore, these |
| kind of restrictions should be considered advisory at best (and |
| reinforced by policy). |
| |
| Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to |
| reliably negate commands where the path name includes globbing (aka |
| wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3) |
| function cannot resolve relative paths. While this is typically only |
| an inconvenience for rules that grant privileges, it can result in a |
| security issue for rules that subtract or revoke privileges. |
| |
| For example, given the following _s_u_d_o_e_r_s entry: |
| |
| john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, |
| /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root |
| |
| User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by |
| changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. |
| |
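To make the _f_a_s_t___g_l_o_b problem concrete, here is an added C model of the matching step; it is not sudo's own code. A rule whose command contains no glob characters is compared by file identity, which real ssuuddoo does with _s_t_a_t(2) and this model does with a constructed table of canonical paths standing in for the filesystem. A rule containing glob characters is matched with _f_n_m_a_t_c_h(3) against the string the user typed when _f_a_s_t___g_l_o_b is on, and by expanding the pattern to real files and comparing identity when it is off. The last matching rule decides, as the sudoers description says. The constructed file table, the rule structure and the john_may_run helper are assumptions of this example.

```c
/*
 * Added example, not sudo's own code: a small model of sudoers command
 * matching with and without fast_glob, showing why
 *   john ALL = /usr/bin/passwd [a-zA-Z0-9]*, ..., !/usr/bin/* root
 * still lets john run "./passwd root" from /usr/bin when fast_glob is on.
 *
 * Real sudo compares files by stat(2) identity; this model uses a
 * constructed table of canonical paths in place of the filesystem.
 */
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the filesystem: the files that exist. */
static const char *const FS[] = {
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/su",
};
#define FS_COUNT (sizeof FS / sizeof FS[0])

/* Canonical path of a typed command (absolute or ./relative), or NULL. */
static const char *resolve(const char *cwd, const char *typed)
{
    char buf[256];
    if (typed[0] == '/')
        snprintf(buf, sizeof buf, "%s", typed);
    else if (strncmp(typed, "./", 2) == 0)
        snprintf(buf, sizeof buf, "%s/%s", cwd, typed + 2);
    else
        return NULL;                    /* PATH search is not modelled */
    for (size_t i = 0; i < FS_COUNT; i++)
        if (strcmp(FS[i], buf) == 0)
            return FS[i];
    return NULL;
}

struct rule {
    const char *cmnd;   /* command path or glob pattern */
    const char *args;   /* argument pattern, matched with fnmatch(3) */
    int negated;        /* 1 for a '!' entry */
};

static int has_meta(const char *s)
{
    return strpbrk(s, "*?[") != NULL;
}

/* Does the command part of rule r match what the user typed? */
static int cmnd_matches(const struct rule *r, const char *cwd,
                        const char *typed, int fast_glob)
{
    const char *canon = resolve(cwd, typed);
    if (canon == NULL)
        return 0;
    if (!has_meta(r->cmnd))                 /* plain path: compare identity */
        return strcmp(r->cmnd, canon) == 0;
    if (fast_glob)                          /* fnmatch on the typed string */
        return fnmatch(r->cmnd, typed, FNM_PATHNAME) == 0;
    for (size_t i = 0; i < FS_COUNT; i++)   /* glob(3): expand, then identity */
        if (fnmatch(r->cmnd, FS[i], FNM_PATHNAME) == 0 && strcmp(FS[i], canon) == 0)
            return 1;
    return 0;
}

/* Walk the rules in order; the last match decides (sudoers semantics). */
int allowed(const struct rule *rules, size_t n, const char *cwd,
            const char *typed, const char *args, int fast_glob)
{
    int result = 0;
    for (size_t i = 0; i < n; i++)
        if (cmnd_matches(&rules[i], cwd, typed, fast_glob) &&
            fnmatch(rules[i].args, args, 0) == 0)
            result = !rules[i].negated;
    return result;
}

/* john's entry from the SECURITY NOTES example, as a rule list. */
static const struct rule JOHN[] = {
    { "/usr/bin/passwd", "[a-zA-Z0-9]*", 0 },
    { "/usr/bin/chsh",   "[a-zA-Z0-9]*", 0 },
    { "/usr/bin/chfn",   "[a-zA-Z0-9]*", 0 },
    { "/usr/bin/*",      "root",         1 },
};

int john_may_run(const char *cwd, const char *typed, const char *args, int fast_glob)
{
    return allowed(JOHN, sizeof JOHN / sizeof JOHN[0], cwd, typed, args, fast_glob);
}

int main(void)
{
    printf("fast_glob off, ./passwd root from /usr/bin: %s\n",
           john_may_run("/usr/bin", "./passwd", "root", 0) ? "ALLOWED" : "denied");
    printf("fast_glob on,  ./passwd root from /usr/bin: %s\n",
           john_may_run("/usr/bin", "./passwd", "root", 1) ? "ALLOWED" : "denied");
    return 0;
}
```

The positive rules still match `./passwd` because their command parts are plain paths compared by identity, while the `!/usr/bin/* root` rule only looks at the typed string under _f_a_s_t___g_l_o_b, so the denial never fires. The practical check is to list the negated entries with glob characters in a sudoers file before enabling _f_a_s_t___g_l_o_b, or to write the denial without a glob (for example `!/usr/bin/passwd root`) when the set of commands is known.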
| PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS |
| Once ssuuddoo executes a program, that program is free to do whatever it |
| pleases, including run other programs. This can be a security issue |
| since it is not uncommon for a program to allow shell escapes, which |
| lets a user bypass ssuuddoo's access control and logging. Common programs |
| that permit shell escapes include shells (obviously), editors, |
| paginators, mail and terminal programs. |
| |
| There are two basic approaches to this problem: |
| |
| restrict Avoid giving users access to commands that allow the user to |
| run arbitrary commands. Many editors have a restricted mode |
| where shell escapes are disabled, though ssuuddooeeddiitt is a better |
| solution to running editors via ssuuddoo. Due to the large |
| number of programs that offer shell escapes, restricting |
| users to the set of programs that do not is often unworkable. |
| |
| noexec Many systems that support shared libraries have the ability |
| to override default library functions by pointing an |
| environment variable (usually LD_PRELOAD) to an alternate |
| shared library. On such systems, sudo's noexec functionality |
| can be used to prevent a program run by sudo from executing |
| any other programs. Note, however, that this applies only to |
| native dynamically-linked executables. Statically-linked |
| executables and foreign executables running under binary |
| emulation are not affected. |
| |
| To tell whether or not sudo supports noexec, you can run the |
| following as root: |
| |
| sudo -V | grep "dummy exec" |
| |
| If the resulting output contains a line that begins with: |
| |
| File containing dummy exec functions: |
| |
| then sudo may be able to replace the exec family of functions |
| in the standard library with its own that simply return an |
| error. Unfortunately, there is no foolproof way to know |
| whether or not noexec will work at compile-time. noexec |
| should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, |
| MacOS X, and HP-UX 11.x. It is known not to work on AIX and |
| UnixWare. noexec is expected to work on most operating |
| systems that support the LD_PRELOAD environment variable. |
| Check your operating system's manual pages for the dynamic |
| linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) |
| to see if LD_PRELOAD is supported. |
| |
| To enable noexec for a command, use the NOEXEC tag as |
| documented in the User Specification section above. Here is |
| that example again: |
| |
| aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
| |
| This allows user aaron to run /usr/bin/more and /usr/bin/vi |
| with noexec enabled. This will prevent those two commands |
| from executing other commands (such as a shell). If you are |
| unsure whether or not your system is capable of supporting |
| noexec, you can always just try it out and see if it works. |
| |
| Note that restricting shell escapes is not a panacea. Programs running |
| as root are still capable of many potentially hazardous operations |
| (such as changing or overwriting files) that could lead to unintended |
| privilege escalation. In the specific case of an editor, a safer |
| approach is to give the user permission to run sudoedit. |
| |
| SEE ALSO |
| rsh(1), su(1), fnmatch(3), glob(3), sudo(1m), visudo(8) |
| |
| CAVEATS |
| The sudoers file should always be edited by the visudo command which |
| locks the file and does grammatical checking. It is imperative that |
| sudoers be free of syntax errors since sudo will not run with a |
| syntactically incorrect sudoers file. |
| |
| When using netgroups of machines (as opposed to users), if you store |
| fully qualified host names in the netgroup (as is usually the case), you |
| either need to have the machine's host name be fully qualified as |
| returned by the hostname command or use the fqdn option in sudoers. |
| |
| BUGS |
| If you feel you have found a bug in sudo, please submit a bug report at |
| http://www.sudo.ws/sudo/bugs/ |
| |
| SUPPORT |
| Limited free support is available via the sudo-users mailing list, see |
| http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search |
| the archives. |
| |
| DISCLAIMER |
| sudo is provided ``AS IS'' and any express or implied warranties, |
| including, but not limited to, the implied warranties of |
| merchantability and fitness for a particular purpose are disclaimed. |
| See the LICENSE file distributed with sudo or |
| http://www.sudo.ws/sudo/license.html for complete details. |
| |