| Copyright (c) 1994-1996, 1998-2005, 2007-2010 |
| Todd C. Miller <Todd.Miller@courtesan.com> |
| |
| Permission to use, copy, modify, and distribute this software for any |
| purpose with or without fee is hereby granted, provided that the above |
| copyright notice and this permission notice appear in all copies. |
| |
| THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| |
| Sponsored in part by the Defense Advanced Research Projects |
| Agency (DARPA) and Air Force Research Laboratory, Air Force |
| Materiel Command, USAF, under agreement number F39502-99-1-0512. |
| |
| =pod |
| |
| =head1 NAME |
| |
| sudoers - list of which users may execute what |
| |
| =head1 DESCRIPTION |
| |
| The I<sudoers> file is composed of two types of entries: aliases |
| (basically variables) and user specifications (which specify who |
| may run what). |
| |
| When multiple entries match for a user, they are applied in order. |
| Where there are multiple matches, the last match is used (which is |
| not necessarily the most specific match). |
| |
| The I<sudoers> grammar will be described below in Extended Backus-Naur |
| Form (EBNF). Don't despair if you don't know what EBNF is; it is |
| fairly simple, and the definitions below are annotated. |
| |
| =head2 Quick guide to EBNF |
| |
| EBNF is a concise and exact way of describing the grammar of a language. |
| Each EBNF definition is made up of I<production rules>. E.g., |
| |
| symbol ::= definition | alternate1 | alternate2 ... |
| |
| Each I<production rule> references others and thus makes up a |
| grammar for the language. EBNF also contains the following |
| operators, which many readers will recognize from regular |
| expressions. Do not, however, confuse them with "wildcard" |
| characters, which have different meanings. |
| |
| =over 4 |
| |
| =item C<?> |
| |
| Means that the preceding symbol (or group of symbols) is optional. |
| That is, it may appear once or not at all. |
| |
| =item C<*> |
| |
| Means that the preceding symbol (or group of symbols) may appear |
| zero or more times. |
| |
| =item C<+> |
| |
| Means that the preceding symbol (or group of symbols) may appear |
| one or more times. |
| |
| =back |
| |
| Parentheses may be used to group symbols together. For clarity, |
| we will use single quotes ('') to designate what is a verbatim character |
| string (as opposed to a symbol name). |
| |
| =head2 Aliases |
| |
| There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>, |
| C<Host_Alias> and C<Cmnd_Alias>. |
| |
| Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | |
| 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | |
| 'Host_Alias' Host_Alias (':' Host_Alias)* | |
| 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* |
| |
| User_Alias ::= NAME '=' User_List |
| |
| Runas_Alias ::= NAME '=' Runas_List |
| |
| Host_Alias ::= NAME '=' Host_List |
| |
| Cmnd_Alias ::= NAME '=' Cmnd_List |
| |
| NAME ::= [A-Z]([A-Z][0-9]_)* |
| |
| Each I<alias> definition is of the form |
| |
| Alias_Type NAME = item1, item2, ... |
| |
| where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>, |
| or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers, |
| and underscore characters ('_'). A C<NAME> B<must> start with an |
| uppercase letter. It is possible to put several alias definitions |
| of the same type on a single line, joined by a colon (':'). E.g., |
| |
| Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 |
| |
| The definitions of what constitutes a valid I<alias> member follow. |
| |
| User_List ::= User | |
| User ',' User_List |
| |
| User ::= '!'* user name | |
| '!'* '#'uid | |
| '!'* '%'group | |
| '!'* '+'netgroup | |
| '!'* '%:'nonunix_group | |
| '!'* User_Alias |
| |
| A C<User_List> is made up of one or more user names, uids (prefixed |
| with '#'), system groups (prefixed with '%'), netgroups (prefixed |
| with '+') and C<User_Alias>es. Each list item may be prefixed with |
| zero or more '!' operators. An odd number of '!' operators negate |
| the value of the item; an even number just cancel each other out. |
| |
| A C<user name>, C<group>, C<netgroup> or C<nonunix_group> may |
| be enclosed in double quotes to avoid the need for escaping special |
| characters. Alternately, special characters may be specified in |
| escaped hex mode, e.g. \x20 for space. |
| |
| The C<nonunix_group> syntax depends on the underlying implementation. |
| For instance, the QAS AD backend supports the following formats: |
| |
| =over 4 |
| |
| =item * |
| |
| Group in the same domain: "Group Name" |
| |
| =item * |
| |
| Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" |
| |
| =item * |
| |
| Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" |
| |
| =back |
| |
| Note that quotes around group names are optional. Unquoted strings must |
| use a backslash (\) to escape spaces and the '@' symbol. |
| |
| Runas_List ::= Runas_Member | |
| Runas_Member ',' Runas_List |
| |
| Runas_Member ::= '!'* user name | |
| '!'* '#'uid | |
| '!'* '%'group | |
| '!'* +netgroup | |
| '!'* Runas_Alias |
| |
| A C<Runas_List> is similar to a C<User_List> except that instead |
| of C<User_Alias>es it can contain C<Runas_Alias>es. Note that |
| user names and groups are matched as strings. In other words, two |
| users (groups) with the same uid (gid) are considered to be distinct. |
| If you wish to match all user names with the same uid (e.g.E<nbsp>root |
| and toor), you can use a uid instead (#0 in the example given). |
| |
| Host_List ::= Host | |
| Host ',' Host_List |
| |
| Host ::= '!'* host name | |
| '!'* ip_addr | |
| '!'* network(/netmask)? | |
| '!'* '+'netgroup | |
| '!'* Host_Alias |
| |
| A C<Host_List> is made up of one or more host names, IP addresses, |
| network numbers, netgroups (prefixed with '+') and other aliases. |
| Again, the value of an item may be negated with the '!' operator. |
| If you do not specify a netmask along with the network number, |
| B<sudo> will query each of the local host's network interfaces and, |
| if the network number corresponds to one of the hosts's network |
| interfaces, the corresponding netmask will be used. The netmask |
| may be specified either in standard IP address notation |
| (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::), |
| or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may |
| include shell-style wildcards (see the L<Wildcards> section below), |
| but unless the C<host name> command on your machine returns the fully |
| qualified host name, you'll need to use the I<fqdn> option for |
| wildcards to be useful. Note B<sudo> only inspects actual network |
| interfaces; this means that IP address 127.0.0.1 (localhost) will |
| never match. Also, the host name "localhost" will only match if |
| that is the actual host name, which is usually only the case for |
| non-networked systems. |
| |
| Cmnd_List ::= Cmnd | |
| Cmnd ',' Cmnd_List |
| |
| commandname ::= file name | |
| file name args | |
| file name '""' |
| |
| Cmnd ::= '!'* commandname | |
| '!'* directory | |
| '!'* "sudoedit" | |
| '!'* Cmnd_Alias |
| |
| A C<Cmnd_List> is a list of one or more commandnames, directories, and other |
| aliases. A commandname is a fully qualified file name which may include |
| shell-style wildcards (see the L<Wildcards> section below). A simple |
| file name allows the user to run the command with any arguments he/she |
| wishes. However, you may also specify command line arguments (including |
| wildcards). Alternately, you can specify C<""> to indicate that the command |
| may only be run B<without> command line arguments. A directory is a |
| fully qualified path name ending in a '/'. When you specify a directory |
| in a C<Cmnd_List>, the user will be able to run any file within that directory |
| (but not in any subdirectories therein). |
| |
| If a C<Cmnd> has associated command line arguments, then the arguments |
| in the C<Cmnd> must match exactly those given by the user on the command line |
| (or match the wildcards if there are any). Note that the following |
| characters must be escaped with a '\' if they are used in command |
| arguments: ',', ':', '=', '\'. The special command C<"sudoedit"> |
| is used to permit a user to run B<sudo> with the B<-e> option (or |
| as B<sudoedit>). It may take command line arguments just as |
| a normal command does. |
| |
| =head2 Defaults |
| |
| Certain configuration options may be changed from their default |
| values at runtime via one or more C<Default_Entry> lines. These |
| may affect all users on any host, all users on a specific host, a |
| specific user, a specific command, or commands being run as a specific user. |
| Note that per-command entries may not include command line arguments. |
| If you need to specify arguments, define a C<Cmnd_Alias> and reference |
| that instead. |
| |
| Default_Type ::= 'Defaults' | |
| 'Defaults' '@' Host_List | |
| 'Defaults' ':' User_List | |
| 'Defaults' '!' Cmnd_List | |
| 'Defaults' '>' Runas_List |
| |
| Default_Entry ::= Default_Type Parameter_List |
| |
| Parameter_List ::= Parameter | |
| Parameter ',' Parameter_List |
| |
| Parameter ::= Parameter '=' Value | |
| Parameter '+=' Value | |
| Parameter '-=' Value | |
| '!'* Parameter |
| |
| Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>. |
| Flags are implicitly boolean and can be turned off via the '!' |
| operator. Some integer, string and list parameters may also be |
| used in a boolean context to disable them. Values may be enclosed |
| in double quotes (C<">) when they contain multiple words. Special |
| characters may be escaped with a backslash (C<\>). |
| |
| Lists have two additional assignment operators, C<+=> and C<-=>. |
| These operators are used to add to and delete from a list respectively. |
| It is not an error to use the C<-=> operator to remove an element |
| that does not exist in a list. |
| |
| Defaults entries are parsed in the following order: generic, host |
| and user Defaults first, then runas Defaults and finally command |
| defaults. |
| |
| See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters. |
| |
| =head2 User Specification |
| |
| User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ |
| (':' Host_List '=' Cmnd_Spec_List)* |
| |
| Cmnd_Spec_List ::= Cmnd_Spec | |
| Cmnd_Spec ',' Cmnd_Spec_List |
| |
| Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd |
| |
| Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' |
| |
| SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') |
| |
| Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | |
| 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | |
| 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') |
| |
| A B<user specification> determines which commands a user may run |
| (and as what user) on specified hosts. By default, commands are |
| run as B<root>, but this can be changed on a per-command basis. |
| |
| The basic structure of a user specification is `who = where (as_whom) |
| what'. Let's break that down into its constituent parts: |
| |
| =head2 Runas_Spec |
| |
| A C<Runas_Spec> determines the user and/or the group that a command |
| may be run as. A fully-specified C<Runas_Spec> consists of two |
| C<Runas_List>s (as defined above) separated by a colon (':') and |
| enclosed in a set of parentheses. The first C<Runas_List> indicates |
| which users the command may be run as via B<sudo>'s B<-u> option. |
| The second defines a list of groups that can be specified via |
| B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the |
| command may be run with any combination of users and groups listed |
| in their respective C<Runas_List>s. If only the first is specified, |
| the command may be run as any user in the list but no B<-g> option |
| may be specified. If the first C<Runas_List> is empty but the |
| second is specified, the command may be run as the invoking user |
| with the group set to any listed in the C<Runas_List>. If no |
| C<Runas_Spec> is specified the command may be run as B<root> and |
| no group may be specified. |
| |
| A C<Runas_Spec> sets the default for the commands that follow it. |
| What this means is that for the entry: |
| |
| dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm |
| |
| The user B<dgb> may run F</bin/ls>, F</bin/kill>, and |
| F</usr/bin/lprm> -- but only as B<operator>. E.g., |
| |
| $ sudo -u operator /bin/ls. |
| |
| It is also possible to override a C<Runas_Spec> later on in an |
| entry. If we modify the entry like so: |
| |
| dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm |
| |
| Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>, |
| but F</bin/kill> and F</usr/bin/lprm> as B<root>. |
| |
| We can extend this to allow B<dgb> to run C</bin/ls> with either |
| the user or group set to B<operator>: |
| |
| dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ |
| /usr/bin/lprm |
| |
| In the following example, user B<tcm> may run commands that access |
| a modem device file with the dialer group. Note that in this example |
| only the group will be set, the command still runs as user B<tcm>. |
| |
| tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ |
| /usr/local/bin/minicom |
| |
| =head2 SELinux_Spec |
| |
| On systems with SELinux support, I<sudoers> entries may optionally have |
| an SELinux role and/or type associated with a command. If a role or |
| type is specified with the command it will override any default values |
| specified in I<sudoers>. A role or type specified on the command line, |
| however, will supercede the values in I<sudoers>. |
| |
| =head2 Tag_Spec |
| |
| A command may have zero or more tags associated with it. There are |
| eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, |
| C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>, |
| C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>, |
| subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless |
| it is overridden by the opposite tag (i.e.: C<PASSWD> overrides |
| C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>). |
| |
| =head3 NOPASSWD and PASSWD |
| |
| By default, B<sudo> requires that a user authenticate him or herself |
| before running a command. This behavior can be modified via the |
| C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets |
| a default for the commands that follow it in the C<Cmnd_Spec_List>. |
| Conversely, the C<PASSWD> tag can be used to reverse things. |
| For example: |
| |
| ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm |
| |
| would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and |
| F</usr/bin/lprm> as B<root> on the machine rushmore without |
| authenticating himself. If we only want B<ray> to be able to |
| run F</bin/kill> without a password the entry would be: |
| |
| ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm |
| |
| Note, however, that the C<PASSWD> tag has no effect on users who are |
| in the group specified by the I<exempt_group> option. |
| |
| By default, if the C<NOPASSWD> tag is applied to any of the entries |
| for a user on the current host, he or she will be able to run |
| C<sudo -l> without a password. Additionally, a user may only run |
| C<sudo -v> without a password if the C<NOPASSWD> tag is present |
| for all a user's entries that pertain to the current host. |
| This behavior may be overridden via the verifypw and listpw options. |
| |
| =head3 NOEXEC and EXEC |
| |
| If B<sudo> has been compiled with I<noexec> support and the underlying |
| operating system supports it, the C<NOEXEC> tag can be used to prevent |
| a dynamically-linked executable from running further commands itself. |
| |
| In the following example, user B<aaron> may run F</usr/bin/more> |
| and F</usr/bin/vi> but shell escapes will be disabled. |
| |
| aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
| |
| See the L<PREVENTING SHELL ESCAPES> section below for more details |
| on how C<NOEXEC> works and whether or not it will work on your system. |
| |
| =head3 SETENV and NOSETENV |
| |
| These tags override the value of the I<setenv> option on a per-command |
| basis. Note that if C<SETENV> has been set for a command, any |
| environment variables set on the command line way are not subject |
| to the restrictions imposed by I<env_check>, I<env_delete>, or |
| I<env_keep>. As such, only trusted users should be allowed to set |
| variables in this manner. If the command matched is B<ALL>, the |
| C<SETENV> tag is implied for that command; this default may |
| be overridden by use of the C<NOSETENV> tag. |
| |
| =head3 LOG_INPUT and NOLOG_INPUT |
| |
| These tags override the value of the I<log_input> option on a |
| per-command basis. For more information, see the description of |
| I<log_input> in the L<"SUDOERS OPTIONS"> section below. |
| |
| =head3 LOG_OUTPUT and NOLOG_OUTPUT |
| |
| These tags override the value of the I<log_output> option on a |
| per-command basis. For more information, see the description of |
| I<log_output> in the L<"SUDOERS OPTIONS"> section below. |
| |
| =head2 Wildcards |
| |
| B<sudo> allows shell-style I<wildcards> (aka meta or glob characters) |
| to be used in host names, path names and command line arguments in |
| the I<sudoers> file. Wildcard matching is done via the B<POSIX> |
| L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not> |
| regular expressions. |
| |
| =over 8 |
| |
| =item C<*> |
| |
| Matches any set of zero or more characters. |
| |
| =item C<?> |
| |
| Matches any single character. |
| |
| =item C<[...]> |
| |
| Matches any character in the specified range. |
| |
| =item C<[!...]> |
| |
| Matches any character B<not> in the specified range. |
| |
| =item C<\x> |
| |
| For any character "x", evaluates to "x". This is used to |
| escape special characters such as: "*", "?", "[", and "}". |
| |
| =back |
| |
| POSIX character classes may also be used if your system's L<glob(3)> |
| and L<fnmatch(3)> functions support them. However, because the |
| C<':'> character has special meaning in I<sudoers>, it must be |
| escaped. For example: |
| |
| /bin/ls [[\:alpha\:]]* |
| |
| Would match any file name beginning with a letter. |
| |
| Note that a forward slash ('/') will B<not> be matched by |
| wildcards used in the path name. When matching the command |
| line arguments, however, a slash B<does> get matched by |
| wildcards. This is to make a path like: |
| |
| /usr/bin/* |
| |
| match F</usr/bin/who> but not F</usr/bin/X11/xterm>. |
| |
| =head2 Exceptions to wildcard rules |
| |
| The following exceptions apply to the above rules: |
| |
| =over 8 |
| |
| =item C<""> |
| |
| If the empty string C<""> is the only command line argument in the |
| I<sudoers> entry it means that command is not allowed to be run |
| with B<any> arguments. |
| |
| =back |
| |
| =head2 Including other files from within sudoers |
| |
| It is possible to include other I<sudoers> files from within the |
| I<sudoers> file currently being parsed using the C<#include> and |
| C<#includedir> directives. |
| |
| This can be used, for example, to keep a site-wide I<sudoers> file |
| in addition to a local, per-machine file. For the sake of this |
| example the site-wide I<sudoers> will be F</etc/sudoers> and the |
| per-machine one will be F</etc/sudoers.local>. To include |
| F</etc/sudoers.local> from within F</etc/sudoers> we would use the |
| following line in F</etc/sudoers>: |
| |
| =over 4 |
| |
| C<#include /etc/sudoers.local> |
| |
| =back |
| |
| When B<sudo> reaches this line it will suspend processing of the |
| current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>. |
| Upon reaching the end of F</etc/sudoers.local>, the rest of |
| F</etc/sudoers> will be processed. Files that are included may |
| themselves include other files. A hard limit of 128 nested include |
| files is enforced to prevent include file loops. |
| |
| The file name may include the C<%h> escape, signifying the short form |
| of the host name. I.e., if the machine's host name is "xerxes", then |
| |
| C<#include /etc/sudoers.%h> |
| |
| will cause B<sudo> to include the file F</etc/sudoers.xerxes>. |
| |
| The C<#includedir> directive can be used to create a F<sudo.d> |
| directory that the system package manager can drop I<sudoers> rules |
| into as part of package installation. For example, given: |
| |
| C<#includedir /etc/sudoers.d> |
| |
| B<sudo> will read each file in F</etc/sudoers.d>, skipping file |
| names that end in C<~> or contain a C<.> character to avoid causing |
| problems with package manager or editor temporary/backup files. |
| Files are parsed in sorted lexical order. That is, |
| F</etc/sudoers.d/01_first> will be parsed before |
| F</etc/sudoers.d/10_second>. Be aware that because the sorting is |
| lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded |
| B<after> F</etc/sudoers.d/10_second>. Using a consistent number |
| of leading zeroes in the file names can be used to avoid such |
| problems. |
| |
| Note that unlike files included via C<#include>, B<visudo> will not |
| edit the files in a C<#includedir> directory unless one of them |
| contains a syntax error. It is still possible to run B<visudo> |
| with the C<-f> flag to edit the files directly. |
| |
| =head2 Other special characters and reserved words |
| |
| The pound sign ('#') is used to indicate a comment (unless it is |
| part of a #include directive or unless it occurs in the context of |
| a user name and is followed by one or more digits, in which case |
| it is treated as a uid). Both the comment character and any text |
| after it, up to the end of the line, are ignored. |
| |
| The reserved word B<ALL> is a built-in I<alias> that always causes |
| a match to succeed. It can be used wherever one might otherwise |
| use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>. |
| You should not try to define your own I<alias> called B<ALL> as the |
| built-in alias will be used in preference to your own. Please note |
| that using B<ALL> can be dangerous since in a command context, it |
| allows the user to run B<any> command on the system. |
| |
| An exclamation point ('!') can be used as a logical I<not> operator |
| both in an I<alias> and in front of a C<Cmnd>. This allows one to |
| exclude certain values. Note, however, that using a C<!> in |
| conjunction with the built-in C<ALL> alias to allow a user to |
| run "all but a few" commands rarely works as intended (see SECURITY |
| NOTES below). |
| |
| Long lines can be continued with a backslash ('\') as the last |
| character on the line. |
| |
| Whitespace between elements in a list as well as special syntactic |
| characters in a I<User Specification> ('=', ':', '(', ')') is optional. |
| |
| The following characters must be escaped with a backslash ('\') when |
| used as part of a word (e.g.E<nbsp>a user name or host name): |
| '@', '!', '=', ':', ',', '(', ')', '\'. |
| |
| =head1 SUDOERS OPTIONS |
| |
| B<sudo>'s behavior can be modified by C<Default_Entry> lines, as |
| explained earlier. A list of all supported Defaults parameters, |
| grouped by type, are listed below. |
| |
| B<Boolean Flags>: |
| |
| =over 16 |
| |
| =item always_set_home |
| |
| If enabled, B<sudo> will set the C<HOME> environment variable to the |
| home directory of the target user (which is root unless the B<-u> |
| option is used). This effectively means that the B<-H> option is |
| always implied. Note that C<HOME> is already set when the the |
| I<env_reset> option is enabled, so I<always_set_home> is only |
| effective for configurations where I<env_reset> is disabled. |
| This flag is I<off> by default. |
| |
| =item authenticate |
| |
| If set, users must authenticate themselves via a password (or other |
| means of authentication) before they may run commands. This default |
| may be overridden via the C<PASSWD> and C<NOPASSWD> tags. |
| This flag is I<on> by default. |
| |
| =item closefrom_override |
| |
| If set, the user may use B<sudo>'s B<-C> option which |
| overrides the default starting point at which B<sudo> begins |
| closing open file descriptors. This flag is I<off> by default. |
| |
| =item compress_io |
| |
| If set, and B<sudo> is configured to log a command's input or output, |
| the I/O logs will be compressed using B<zlib>. This flag is I<on> |
| by default when B<sudo> is compiled with B<zlib> support. |
| |
| =item env_editor |
| |
| If set, B<visudo> will use the value of the EDITOR or VISUAL |
| environment variables before falling back on the default editor list. |
| Note that this may create a security hole as it allows the user to |
| run any arbitrary command as root without logging. A safer alternative |
| is to place a colon-separated list of editors in the C<editor> |
| variable. B<visudo> will then only use the EDITOR or VISUAL if |
| they match a value specified in C<editor>. This flag is I<@env_editor@> by |
| default. |
| |
| =item env_reset |
| |
| If set, B<sudo> will reset the environment to only contain the |
| LOGNAME, MAIL, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any |
| variables in the caller's environment that match the C<env_keep> |
| and C<env_check> lists are then added. The default contents of the |
| C<env_keep> and C<env_check> lists are displayed when B<sudo> is |
| run by root with the I<-V> option. If the I<secure_path> option |
| is set, its value will be used for the C<PATH> environment variable. |
| This flag is I<on> by default. |
| |
| =item fast_glob |
| |
| Normally, B<sudo> uses the L<glob(3)> function to do shell-style |
| globbing when matching path names. However, since it accesses the |
| file system, L<glob(3)> can take a long time to complete for some |
| patterns, especially when the pattern references a network file |
| system that is mounted on demand (automounted). The I<fast_glob> |
| option causes B<sudo> to use the L<fnmatch(3)> function, which does |
| not access the file system to do its matching. The disadvantage |
| of I<fast_glob> is that it is unable to match relative path names |
| such as F<./ls> or F<../bin/ls>. This has security implications |
| when path names that include globbing characters are used with the |
| negation operator, C<'!'>, as such rules can be trivially bypassed. |
| As such, this option should not be used when I<sudoers> contains rules |
| that contain negated path names which include globbing characters. |
| This flag is I<off> by default. |
| |
| =item fqdn |
| |
| Set this flag if you want to put fully qualified host names in the |
| I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu. |
| You may still use the short form if you wish (and even mix the two). |
| Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups |
| which may make B<sudo> unusable if DNS stops working (for example |
| if the machine is not plugged into the network). Also note that |
| you must use the host's official name as DNS knows it. That is, |
| you may not use a host alias (C<CNAME> entry) due to performance |
| issues and the fact that there is no way to get all aliases from |
| DNS. If your machine's host name (as returned by the C<hostname> |
| command) is already fully qualified you shouldn't need to set |
| I<fqdn>. This flag is I<@fqdn@> by default. |
| |
| =item ignore_dot |
| |
| If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH> |
| environment variable; the C<PATH> itself is not modified. This |
| flag is I<@ignore_dot@> by default. |
| |
| =item ignore_local_sudoers |
| |
| If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped. |
| This is intended for Enterprises that wish to prevent the usage of local |
| sudoers files so that only LDAP is used. This thwarts the efforts of |
| rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>. |
| When this option is present, F<@sysconfdir@/sudoers> does not even need to |
| exist. Since this option tells B<sudo> how to behave when no specific LDAP |
| entries have been matched, this sudoOption is only meaningful for the |
| C<cn=defaults> section. This flag is I<off> by default. |
| |
| =item insults |
| |
| If set, B<sudo> will insult users when they enter an incorrect |
| password. This flag is I<@insults@> by default. |
| |
| =item log_host |
| |
| If set, the host name will be logged in the (non-syslog) B<sudo> log file. |
| This flag is I<off> by default. |
| |
| =item log_year |
| |
| If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file. |
| This flag is I<off> by default. |
| |
| =item long_otp_prompt |
| |
| When validating with a One Time Password (OPT) scheme such as |
| B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier |
| to cut and paste the challenge to a local window. It's not as |
| pretty as the default but some people find it more convenient. This |
| flag is I<@long_otp_prompt@> by default. |
| |
| =item mail_always |
| |
| Send mail to the I<mailto> user every time a users runs B<sudo>. |
| This flag is I<off> by default. |
| |
| =item mail_badpass |
| |
| Send mail to the I<mailto> user if the user running B<sudo> does not |
| enter the correct password. This flag is I<off> by default. |
| |
| =item mail_no_host |
| |
| If set, mail will be sent to the I<mailto> user if the invoking |
| user exists in the I<sudoers> file, but is not allowed to run |
| commands on the current host. This flag is I<@mail_no_host@> by default. |
| |
| =item mail_no_perms |
| |
| If set, mail will be sent to the I<mailto> user if the invoking |
| user is allowed to use B<sudo> but the command they are trying is not |
| listed in their I<sudoers> file entry or is explicitly denied. |
| This flag is I<@mail_no_perms@> by default. |
| |
| =item mail_no_user |
| |
| If set, mail will be sent to the I<mailto> user if the invoking |
| user is not in the I<sudoers> file. This flag is I<@mail_no_user@> |
| by default. |
| |
| =item noexec |
| |
| If set, all commands run via B<sudo> will behave as if the C<NOEXEC> |
| tag has been set, unless overridden by a C<EXEC> tag. See the |
| description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL |
| ESCAPES> section at the end of this manual. This flag is I<off> by default. |
| |
| =item path_info |
| |
| Normally, B<sudo> will tell the user when a command could not be |
| found in their C<PATH> environment variable. Some sites may wish |
| to disable this as it could be used to gather information on the |
| location of executables that the normal user does not have access |
| to. The disadvantage is that if the executable is simply not in |
| the user's C<PATH>, B<sudo> will tell the user that they are not |
| allowed to run it, which can be confusing. This flag is I<@path_info@> |
| by default. |
| |
| =item passprompt_override |
| |
| The password prompt specified by I<passprompt> will normally only |
| be used if the password prompt provided by systems such as PAM matches |
| the string "Password:". If I<passprompt_override> is set, I<passprompt> |
| will always be used. This flag is I<off> by default. |
| |
| =item preserve_groups |
| |
| By default, B<sudo> will initialize the group vector to the list of |
| groups the target user is in. When I<preserve_groups> is set, the |
| user's existing group vector is left unaltered. The real and |
| effective group IDs, however, are still set to match the target |
| user. This flag is I<off> by default. |
| |
| =item pwfeedback |
| |
| By default, B<sudo> reads the password like most other Unix programs, |
| by turning off echo until the user hits the return (or enter) key. |
| Some users become confused by this as it appears to them that B<sudo> |
| has hung at this point. When I<pwfeedback> is set, B<sudo> will |
| provide visual feedback when the user presses a key. Note that |
| this does have a security impact as an onlooker may be able to |
| determine the length of the password being entered. |
| This flag is I<off> by default. |
| |
| =item requiretty |
| |
| If set, B<sudo> will only run when the user is logged in to a real |
| tty. When this flag is set, B<sudo> can only be run from a login |
| session and not via other means such as L<cron(8)> or cgi-bin scripts. |
| This flag is I<off> by default. |
| |
| =item root_sudo |
| |
| If set, root is allowed to run B<sudo> too. Disabling this prevents users |
| from "chaining" B<sudo> commands to get a root shell by doing something |
| like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo> |
| will also prevent root from running B<sudoedit>. |
| Disabling I<root_sudo> provides no real additional security; it |
| exists purely for historical reasons. |
| This flag is I<@root_sudo@> by default. |
| |
| =item rootpw |
| |
| If set, B<sudo> will prompt for the root password instead of the password |
| of the invoking user. This flag is I<off> by default. |
| |
| =item runaspw |
| |
| If set, B<sudo> will prompt for the password of the user defined by the |
| I<runas_default> option (defaults to C<@runas_default@>) instead of the |
| password of the invoking user. This flag is I<off> by default. |
| |
| =item set_home |
| |
| If enabled and B<sudo> is invoked with the B<-s> option the C<HOME> |
| environment variable will be set to the home directory of the target |
| user (which is root unless the B<-u> option is used). This effectively |
| makes the B<-s> option imply B<-H>. Note that C<HOME> is already |
| set when the the I<env_reset> option is enabled, so I<set_home> is |
| only effective for configurations where I<env_reset> is disabled. |
| This flag is I<off> by default. |
| |
| =item set_logname |
| |
| Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME> |
| environment variables to the name of the target user (usually root |
| unless the B<-u> option is given). However, since some programs |
| (including the RCS revision control system) use C<LOGNAME> to |
| determine the real identity of the user, it may be desirable to |
| change this behavior. This can be done by negating the set_logname |
| option. Note that if the I<env_reset> option has not been disabled, |
| entries in the I<env_keep> list will override the value of |
| I<set_logname>. This flag is I<on> by default. |
| |
| =item setenv |
| |
| Allow the user to disable the I<env_reset> option from the command |
| line. Additionally, environment variables set via the command line |
| are not subject to the restrictions imposed by I<env_check>, |
| I<env_delete>, or I<env_keep>. As such, only trusted users should |
| be allowed to set variables in this manner. This flag is I<off> |
| by default. |
| |
| =item shell_noargs |
| |
| If set and B<sudo> is invoked with no arguments it acts as if the |
| B<-s> option had been given. That is, it runs a shell as root (the |
| shell is determined by the C<SHELL> environment variable if it is |
| set, falling back on the shell listed in the invoking user's |
| /etc/passwd entry if not). This flag is I<off> by default. |
| |
| =item stay_setuid |
| |
| Normally, when B<sudo> executes a command the real and effective |
| UIDs are set to the target user (root by default). This option |
| changes that behavior such that the real UID is left as the invoking |
| user's UID. In other words, this makes B<sudo> act as a setuid |
| wrapper. This can be useful on systems that disable some potentially |
| dangerous functionality when a program is run setuid. This option |
| is only effective on systems with either the setreuid() or setresuid() |
| function. This flag is I<off> by default. |
| |
| =item targetpw |
| |
| If set, B<sudo> will prompt for the password of the user specified |
| by the B<-u> option (defaults to C<root>) instead of the password |
| of the invoking user. In addition, the timestamp file name will |
| include the target user's name. Note that this flag precludes the |
| use of a uid not listed in the passwd database as an argument to |
| the B<-u> option. This flag is I<off> by default. |
| |
| =item log_input |
| |
| If set, B<sudo> will run the command in a I<pseudo tty> and log all |
| user input. |
| If the standard input is not connected to the user's tty, due to |
| I/O redirection or because the command is part of a pipeline, that |
| input is also captured and stored in a separate log file. |
| |
| Input is logged to the F</var/log/sudo-io> directory using a unique |
| session ID that is included in the normal B<sudo> log line, prefixed |
| with I<TSID=>. |
| |
| =item log_output |
| |
| If set, B<sudo> will run the command in a I<pseudo tty> and log all |
| output that is sent to the screen, similar to the script(1) command. |
| If the standard output or standard error is not connected to the |
| user's tty, due to I/O redirection or because the command is part |
| of a pipeline, that output is also captured and stored in separate |
| log files. |
| |
| Output is logged to the |
| F</var/log/sudo-io> directory using a unique session ID that is |
| included in the normal B<sudo> log line, prefixed with I<TSID=>. |
| |
| Output logs may be viewed with the L<sudoreplay(8)> utility, which |
| can also be used to list or search the available logs. |
| |
| =item tty_tickets |
| |
| If set, users must authenticate on a per-tty basis. With this flag |
| enabled, B<sudo> will use a file named for the tty the user is |
| logged in on in the user's time stamp directory. If disabled, the |
| time stamp of the directory is used instead. This flag is |
| I<@tty_tickets@> by default. |
| |
| =item umask_override |
| |
| If set, B<sudo> will set the umask as specified by I<sudoers> without |
| modification. This makes it possible to specify a more permissive |
| umask in I<sudoers> than the user's own umask and matches historical |
| behavior. If I<umask_override> is not set, B<sudo> will set the |
| umask to be the union of the user's umask and what is specified in |
| I<sudoers>. This flag is I<off> by default. |
| |
| =item use_loginclass |
| |
| If set, B<sudo> will apply the defaults specified for the target user's |
| login class if one exists. Only available if B<sudo> is configured with |
| the --with-logincap option. This flag is I<off> by default. |
| |
| =item use_pty |
| |
| If set, B<sudo> will run the command in a pseudo-pty even if no I/O |
| logging is being gone. A malicious program run under B<sudo> could |
| conceivably fork a background process that retains to the user's |
| terminal device after the main program has finished executing. Use |
| of this option will make that impossible. |
| |
| =item visiblepw |
| |
| By default, B<sudo> will refuse to run if the user must enter a |
| password but it is not possible to disable echo on the terminal. |
| If the I<visiblepw> flag is set, B<sudo> will prompt for a password |
| even when it would be visible on the screen. This makes it possible |
| to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does |
| not allocate a tty. This flag is I<off> by default. |
| |
| =back |
| |
| B<Integers>: |
| |
| =over 16 |
| |
| =item closefrom |
| |
| Before it executes a command, B<sudo> will close all open file |
| descriptors other than standard input, standard output and standard |
| error (ie: file descriptors 0-2). The I<closefrom> option can be used |
| to specify a different file descriptor at which to start closing. |
| The default is C<3>. |
| |
| =item passwd_tries |
| |
| The number of tries a user gets to enter his/her password before |
| B<sudo> logs the failure and exits. The default is C<@passwd_tries@>. |
| |
| =back |
| |
| B<Integers that can be used in a boolean context>: |
| |
| =over 16 |
| |
| =item loglinelen |
| |
| Number of characters per line for the file log. This value is used |
| to decide when to wrap lines for nicer log files. This has no |
| effect on the syslog log file, only the file log. The default is |
| C<@loglen@> (use 0 or negate the option to disable word wrap). |
| |
| =item passwd_timeout |
| |
| Number of minutes before the B<sudo> password prompt times out, or |
| C<0> for no timeout. The timeout may include a fractional component |
| if minute granularity is insufficient, for example C<2.5>. The |
| default is C<@password_timeout@>. |
| |
| =item timestamp_timeout |
| |
| Number of minutes that can elapse before B<sudo> will ask for a |
| passwd again. The timeout may include a fractional component if |
| minute granularity is insufficient, for example C<2.5>. The default |
| is C<@timeout@>. Set this to C<0> to always prompt for a password. |
| If set to a value less than C<0> the user's timestamp will never |
| expire. This can be used to allow users to create or delete their |
| own timestamps via C<sudo -v> and C<sudo -k> respectively. |
| |
| =item umask |
| |
| Umask to use when running the command. Negate this option or set |
| it to 0777 to preserve the user's umask. The actual umask that is |
| used will be the union of the user's umask and C<@sudo_umask@>. |
| This guarantees that B<sudo> never lowers the umask when running a |
| command. Note on systems that use PAM, the default PAM configuration |
| may specify its own umask which will override the value set in |
| I<sudoers>. |
| |
| =back |
| |
| B<Strings>: |
| |
| =over 16 |
| |
| =item badpass_message |
| |
| Message that is displayed if a user enters an incorrect password. |
| The default is C<@badpass_message@> unless insults are enabled. |
| |
| =item editor |
| |
| A colon (':') separated list of editors allowed to be used with |
| B<visudo>. B<visudo> will choose the editor that matches the user's |
| EDITOR environment variable if possible, or the first editor in the |
| list that exists and is executable. The default is C<"@editor@">. |
| |
| =item mailsub |
| |
| Subject of the mail sent to the I<mailto> user. The escape C<%h> |
| will expand to the host name of the machine. |
| Default is C<@mailsub@>. |
| |
| =item noexec_file |
| |
| Path to a shared library containing dummy versions of the execv(), |
| execve() and fexecve() library functions that just return an error. |
| This is used to implement the I<noexec> functionality on systems that |
| support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>. |
| |
| =item passprompt |
| |
| The default prompt to use when asking for a password; can be overridden |
| via the B<-p> option or the C<SUDO_PROMPT> environment variable. |
| The following percent (`C<%>') escapes are supported: |
| |
| =over 4 |
| |
| =item C<%H> |
| |
| expanded to the local host name including the domain name |
| (on if the machine's host name is fully qualified or the I<fqdn> |
| option is set) |
| |
| =item C<%h> |
| |
| expanded to the local host name without the domain name |
| |
| =item C<%p> |
| |
| expanded to the user whose password is being asked for (respects the |
| I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>) |
| |
| =item C<%U> |
| |
| expanded to the login name of the user the command will |
| be run as (defaults to root) |
| |
| =item C<%u> |
| |
| expanded to the invoking user's login name |
| |
| =item C<%%> |
| |
| two consecutive C<%> characters are collapsed into a single C<%> character |
| |
| =back |
| |
| The default value is C<@passprompt@>. |
| |
| =item role |
| |
| The default SELinux role to use when constructing a new security |
| context to run the command. The default role may be overridden on |
| a per-command basis in I<sudoers> or via command line options. |
| This option is only available whe B<sudo> is built with SELinux support. |
| |
| =item runas_default |
| |
| The default user to run commands as if the B<-u> option is not specified |
| on the command line. This defaults to C<@runas_default@>. |
| Note that if I<runas_default> is set it B<must> occur before |
| any C<Runas_Alias> specifications. |
| |
| =item syslog_badpri |
| |
| Syslog priority to use when user authenticates unsuccessfully. |
| Defaults to C<@badpri@>. |
| |
| =item syslog_goodpri |
| |
| Syslog priority to use when user authenticates successfully. |
| Defaults to C<@goodpri@>. |
| |
| =item sudoers_locale |
| |
| Locale to use when parsing the sudoers file. Note that changing |
| the locale may affect how sudoers is interpreted. |
| Defaults to C<"C">. |
| |
| =item timestampdir |
| |
| The directory in which B<sudo> stores its timestamp files. |
| The default is F<@timedir@>. |
| |
| =item timestampowner |
| |
| The owner of the timestamp directory and the timestamps stored therein. |
| The default is C<root>. |
| |
| =item type |
| |
| The default SELinux type to use when constructing a new security |
| context to run the command. The default type may be overridden on |
| a per-command basis in I<sudoers> or via command line options. |
| This option is only available whe B<sudo> is built with SELinux support. |
| |
| =back |
| |
| B<Strings that can be used in a boolean context>: |
| |
| =over 12 |
| |
| =item askpass |
| |
| The I<askpass> option specifies the fully qualified path to a helper |
| program used to read the user's password when no terminal is |
| available. This may be the case when B<sudo> is executed from a |
| graphical (as opposed to text-based) application. The program |
| specified by I<askpass> should display the argument passed to it |
| as the prompt and write the user's password to the standard output. |
| The value of I<askpass> may be overridden by the C<SUDO_ASKPASS> |
| environment variable. |
| |
| =item env_file |
| |
| The I<env_file> options specifies the fully qualified path to a |
| file containing variables to be set in the environment of the program |
| being run. Entries in this file should either be of the form |
| C<VARIABLE=value> or C<export VARIABLE=value>. The value may |
| optionally be surrounded by single or double quotes. Variables in |
| this file are subject to other B<sudo> environment settings such |
| as I<env_keep> and I<env_check>. |
| |
| =item exempt_group |
| |
| Users in this group are exempt from password and PATH requirements. |
| This is not set by default. |
| |
| =item lecture |
| |
| This option controls when a short lecture will be printed along with |
| the password prompt. It has the following possible values: |
| |
| =over 8 |
| |
| =item always |
| |
| Always lecture the user. |
| |
| =item never |
| |
| Never lecture the user. |
| |
| =item once |
| |
| Only lecture the user the first time they run B<sudo>. |
| |
| =back |
| |
| If no value is specified, a value of I<once> is implied. |
| Negating the option results in a value of I<never> being used. |
| The default value is I<@lecture@>. |
| |
| =item lecture_file |
| |
| Path to a file containing an alternate B<sudo> lecture that will |
| be used in place of the standard lecture if the named file exists. |
| By default, B<sudo> uses a built-in lecture. |
| |
| =item listpw |
| |
| This option controls when a password will be required when a |
| user runs B<sudo> with the B<-l> option. It has the following possible values: |
| |
| =over 8 |
| |
| =item all |
| |
| All the user's I<sudoers> entries for the current host must have |
| the C<NOPASSWD> flag set to avoid entering a password. |
| |
| =item always |
| |
| The user must always enter a password to use the B<-l> option. |
| |
| =item any |
| |
| At least one of the user's I<sudoers> entries for the current host |
| must have the C<NOPASSWD> flag set to avoid entering a password. |
| |
| =item never |
| |
| The user need never enter a password to use the B<-l> option. |
| |
| =back |
| |
| If no value is specified, a value of I<any> is implied. |
| Negating the option results in a value of I<never> being used. |
| The default value is I<any>. |
| |
| =item logfile |
| |
| Path to the B<sudo> log file (not the syslog log file). Setting a path |
| turns on logging to a file; negating this option turns it off. |
| By default, B<sudo> logs via syslog. |
| |
| =item mailerflags |
| |
| Flags to use when invoking mailer. Defaults to B<-t>. |
| |
| =item mailerpath |
| |
| Path to mail program used to send warning mail. |
| Defaults to the path to sendmail found at configure time. |
| |
| =item mailfrom |
| |
| Address to use for the "from" address when sending warning and error |
| mail. The address should be enclosed in double quotes (C<">) to |
| protect against B<sudo> interpreting the C<@> sign. Defaults to |
| the name of the user running B<sudo>. |
| |
| =item mailto |
| |
| Address to send warning and error mail to. The address should |
| be enclosed in double quotes (C<">) to protect against B<sudo> |
| interpreting the C<@> sign. Defaults to C<@mailto@>. |
| |
| =item secure_path |
| |
| Path used for every command run from B<sudo>. If you don't trust the |
| people running B<sudo> to have a sane C<PATH> environment variable you may |
| want to use this. Another use is if you want to have the "root path" |
| be separate from the "user path." Users in the group specified by the |
| I<exempt_group> option are not affected by I<secure_path>. |
| This option is @secure_path@ by default. |
| |
| =item syslog |
| |
| Syslog facility if syslog is being used for logging (negate to |
| disable syslog logging). Defaults to C<@logfac@>. |
| |
| =item verifypw |
| |
| This option controls when a password will be required when a user runs |
| B<sudo> with the B<-v> option. It has the following possible values: |
| |
| =over 8 |
| |
| =item all |
| |
| All the user's I<sudoers> entries for the current host must have |
| the C<NOPASSWD> flag set to avoid entering a password. |
| |
| =item always |
| |
| The user must always enter a password to use the B<-v> option. |
| |
| =item any |
| |
| At least one of the user's I<sudoers> entries for the current host |
| must have the C<NOPASSWD> flag set to avoid entering a password. |
| |
| =item never |
| |
| The user need never enter a password to use the B<-v> option. |
| |
| =back |
| |
| If no value is specified, a value of I<all> is implied. |
| Negating the option results in a value of I<never> being used. |
| The default value is I<all>. |
| |
| =back |
| |
| B<Lists that can be used in a boolean context>: |
| |
| =over 16 |
| |
| =item env_check |
| |
| Environment variables to be removed from the user's environment if |
| the variable's value contains C<%> or C</> characters. This can |
| be used to guard against printf-style format vulnerabilities in |
| poorly-written programs. The argument may be a double-quoted, |
| space-separated list or a single value without double-quotes. The |
| list can be replaced, added to, deleted from, or disabled by using |
| the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless |
| of whether the C<env_reset> option is enabled or disabled, variables |
| specified by C<env_check> will be preserved in the environment if |
| they pass the aforementioned check. The default list of environment |
| variables to check is displayed when B<sudo> is run by root with |
| the I<-V> option. |
| |
| =item env_delete |
| |
| Environment variables to be removed from the user's environment |
| when the I<env_reset> option is not in effect. The argument may |
| be a double-quoted, space-separated list or a single value without |
| double-quotes. The list can be replaced, added to, deleted from, |
| or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators |
| respectively. The default list of environment variables to remove |
| is displayed when B<sudo> is run by root with the I<-V> option. |
| Note that many operating systems will remove potentially dangerous |
| variables from the environment of any setuid process (such as |
| B<sudo>). |
| |
| =item env_keep |
| |
| Environment variables to be preserved in the user's environment |
| when the I<env_reset> option is in effect. This allows fine-grained |
| control over the environment B<sudo>-spawned processes will receive. |
| The argument may be a double-quoted, space-separated list or a |
| single value without double-quotes. The list can be replaced, added |
| to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and |
| C<!> operators respectively. The default list of variables to keep |
| is displayed when B<sudo> is run by root with the I<-V> option. |
| |
| =back |
| |
| When logging via L<syslog(3)>, B<sudo> accepts the following values |
| for the syslog facility (the value of the B<syslog> Parameter): |
| B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>, |
| B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>, |
| B<local6>, and B<local7>. The following syslog priorities are |
| supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>, |
| B<notice>, and B<warning>. |
| |
| =head1 FILES |
| |
| =over 24 |
| |
| =item F<@sysconfdir@/sudoers> |
| |
| List of who can run what |
| |
| =item F</etc/group> |
| |
| Local groups file |
| |
| =item F</etc/netgroup> |
| |
| List of network groups |
| |
| =item F</var/log/sudo-io> |
| |
| I/O log files |
| |
| =back |
| |
| =head1 EXAMPLES |
| |
| Below are example I<sudoers> entries. Admittedly, some of |
| these are a bit contrived. First, we allow a few environment |
| variables to pass and then define our I<aliases>: |
| |
| # Run X applications through sudo; HOME is used to find the |
| # .Xauthority file. Note that other programs use HOME to find |
| # configuration files and this may lead to privilege escalation! |
| Defaults env_keep += "DISPLAY HOME" |
| |
| # User alias specification |
| User_Alias FULLTIMERS = millert, mikef, dowdy |
| User_Alias PARTTIMERS = bostley, jwfox, crawl |
| User_Alias WEBMASTERS = will, wendy, wim |
| |
| # Runas alias specification |
| Runas_Alias OP = root, operator |
| Runas_Alias DB = oracle, sybase |
| Runas_Alias ADMINGRP = adm, oper |
| |
| # Host alias specification |
| Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ |
| SGI = grolsch, dandelion, black :\ |
| ALPHA = widget, thalamus, foobar :\ |
| HPPA = boa, nag, python |
| Host_Alias CUNETS = 128.138.0.0/255.255.0.0 |
| Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 |
| Host_Alias SERVERS = master, mail, www, ns |
| Host_Alias CDROM = orion, perseus, hercules |
| |
| # Cmnd alias specification |
| Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ |
| /usr/sbin/restore, /usr/sbin/rrestore |
| Cmnd_Alias KILL = /usr/bin/kill |
| Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm |
| Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown |
| Cmnd_Alias HALT = /usr/sbin/halt |
| Cmnd_Alias REBOOT = /usr/sbin/reboot |
| Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ |
| /usr/local/bin/tcsh, /usr/bin/rsh, \ |
| /usr/local/bin/zsh |
| Cmnd_Alias SU = /usr/bin/su |
| Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less |
| |
| Here we override some of the compiled in default values. We want |
| B<sudo> to log via L<syslog(3)> using the I<auth> facility in all |
| cases. We don't want to subject the full time staff to the B<sudo> |
| lecture, user B<millert> need not give a password, and we don't |
| want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment |
| variables when running commands as root. Additionally, on the |
| machines in the I<SERVERS> C<Host_Alias>, we keep an additional |
| local log file and make sure we log the year in each log line since |
| the log entries will be kept around for several years. Lastly, we |
| disable shell escapes for the commands in the PAGERS C<Cmnd_Alias> |
| (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>). |
| |
| # Override built-in defaults |
| Defaults syslog=auth |
| Defaults>root !set_logname |
| Defaults:FULLTIMERS !lecture |
| Defaults:millert !authenticate |
| Defaults@SERVERS log_year, logfile=/var/log/sudo.log |
| Defaults!PAGERS noexec |
| |
| The I<User specification> is the part that actually determines who may |
| run what. |
| |
| root ALL = (ALL) ALL |
| %wheel ALL = (ALL) ALL |
| |
| We let B<root> and any user in group B<wheel> run any command on any |
| host as any user. |
| |
| FULLTIMERS ALL = NOPASSWD: ALL |
| |
| Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any |
| command on any host without authenticating themselves. |
| |
| PARTTIMERS ALL = ALL |
| |
| Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any |
| command on any host but they must authenticate themselves first |
| (since the entry lacks the C<NOPASSWD> tag). |
| |
| jack CSNETS = ALL |
| |
| The user B<jack> may run any command on the machines in the I<CSNETS> alias |
| (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>). |
| Of those networks, only C<128.138.204.0> has an explicit netmask (in |
| CIDR notation) indicating it is a class C network. For the other |
| networks in I<CSNETS>, the local machine's netmask will be used |
| during matching. |
| |
| lisa CUNETS = ALL |
| |
| The user B<lisa> may run any command on any host in the I<CUNETS> alias |
| (the class B network C<128.138.0.0>). |
| |
| operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ |
| sudoedit /etc/printcap, /usr/oper/bin/ |
| |
| The B<operator> user may run commands limited to simple maintenance. |
| Here, those are commands related to backups, killing processes, the |
| printing system, shutting down the system, and any commands in the |
| directory F</usr/oper/bin/>. |
| |
| joe ALL = /usr/bin/su operator |
| |
| The user B<joe> may only L<su(1)> to operator. |
| |
| pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root |
| |
| %opers ALL = (: ADMINGRP) /usr/sbin/ |
| |
| Users in the B<opers> group may run commands in F</usr/sbin/> as themselves |
| with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper> |
| groups). |
| |
| The user B<pete> is allowed to change anyone's password except for |
| root on the I<HPPA> machines. Note that this assumes L<passwd(1)> |
| does not take multiple user names on the command line. |
| |
| bob SPARC = (OP) ALL : SGI = (OP) ALL |
| |
| The user B<bob> may run anything on the I<SPARC> and I<SGI> machines |
| as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>). |
| |
| jim +biglab = ALL |
| |
| The user B<jim> may run any command on machines in the I<biglab> netgroup. |
| B<sudo> knows that "biglab" is a netgroup due to the '+' prefix. |
| |
| +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser |
| |
| Users in the B<secretaries> netgroup need to help manage the printers |
| as well as add and remove users, so they are allowed to run those |
| commands on all machines. |
| |
| fred ALL = (DB) NOPASSWD: ALL |
| |
| The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias> |
| (B<oracle> or B<sybase>) without giving a password. |
| |
| john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* |
| |
| On the I<ALPHA> machines, user B<john> may su to anyone except root |
| but he is not allowed to specify any options to the L<su(1)> command. |
| |
| jen ALL, !SERVERS = ALL |
| |
| The user B<jen> may run any command on any machine except for those |
| in the I<SERVERS> C<Host_Alias> (master, mail, www and ns). |
| |
| jill SERVERS = /usr/bin/, !SU, !SHELLS |
| |
| For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run |
| any commands in the directory F</usr/bin/> except for those commands |
| belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>. |
| |
| steve CSNETS = (operator) /usr/local/op_commands/ |
| |
| The user B<steve> may run any command in the directory /usr/local/op_commands/ |
| but only as user operator. |
| |
| matt valkyrie = KILL |
| |
| On his personal workstation, valkyrie, B<matt> needs to be able to |
| kill hung processes. |
| |
| WEBMASTERS www = (www) ALL, (root) /usr/bin/su www |
| |
| On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will, |
| wendy, and wim), may run any command as user www (which owns the |
| web pages) or simply L<su(1)> to www. |
| |
| ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ |
| /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM |
| |
| Any user may mount or unmount a CD-ROM on the machines in the CDROM |
| C<Host_Alias> (orion, perseus, hercules) without entering a password. |
| This is a bit tedious for users to type, so it is a prime candidate |
| for encapsulating in a shell script. |
| |
| =head1 SECURITY NOTES |
| |
| It is generally not effective to "subtract" commands from C<ALL> |
| using the '!' operator. A user can trivially circumvent this |
| by copying the desired command to a different name and then |
| executing that. For example: |
| |
| bill ALL = ALL, !SU, !SHELLS |
| |
| Doesn't really prevent B<bill> from running the commands listed in |
| I<SU> or I<SHELLS> since he can simply copy those commands to a |
| different name, or use a shell escape from an editor or other |
| program. Therefore, these kind of restrictions should be considered |
| advisory at best (and reinforced by policy). |
| |
| Furthermore, if the I<fast_glob> option is in use, it is not possible |
| to reliably negate commands where the path name includes globbing |
| (aka wildcard) characters. This is because the C library's |
| L<fnmatch(3)> function cannot resolve relative paths. While this |
| is typically only an inconvenience for rules that grant privileges, |
| it can result in a security issue for rules that subtract or revoke |
| privileges. |
| |
| For example, given the following I<sudoers> entry: |
| |
| john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, |
| /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root |
| |
| User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is |
| enabled by changing to F</usr/bin> and running C<./passwd root> instead. |
| |
| =head1 PREVENTING SHELL ESCAPES |
| |
| Once B<sudo> executes a program, that program is free to do whatever |
| it pleases, including run other programs. This can be a security |
| issue since it is not uncommon for a program to allow shell escapes, |
| which lets a user bypass B<sudo>'s access control and logging. |
| Common programs that permit shell escapes include shells (obviously), |
| editors, paginators, mail and terminal programs. |
| |
| There are two basic approaches to this problem: |
| |
| =over 10 |
| |
| =item restrict |
| |
| Avoid giving users access to commands that allow the user to run |
| arbitrary commands. Many editors have a restricted mode where shell |
| escapes are disabled, though B<sudoedit> is a better solution to |
| running editors via B<sudo>. Due to the large number of programs that |
| offer shell escapes, restricting users to the set of programs that |
| do not if often unworkable. |
| |
| =item noexec |
| |
| Many systems that support shared libraries have the ability to |
| override default library functions by pointing an environment |
| variable (usually C<LD_PRELOAD>) to an alternate shared library. |
| On such systems, B<sudo>'s I<noexec> functionality can be used to |
| prevent a program run by B<sudo> from executing any other programs. |
| Note, however, that this applies only to native dynamically-linked |
| executables. Statically-linked executables and foreign executables |
| running under binary emulation are not affected. |
| |
| To tell whether or not B<sudo> supports I<noexec>, you can run |
| the following as root: |
| |
| sudo -V | grep "dummy exec" |
| |
| If the resulting output contains a line that begins with: |
| |
| File containing dummy exec functions: |
| |
| then B<sudo> may be able to replace the exec family of functions |
| in the standard library with its own that simply return an error. |
| Unfortunately, there is no foolproof way to know whether or not |
| I<noexec> will work at compile-time. I<noexec> should work on |
| SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX |
| 11.x. It is known B<not> to work on AIX and UnixWare. I<noexec> |
| is expected to work on most operating systems that support the |
| C<LD_PRELOAD> environment variable. Check your operating system's |
| manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, |
| dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported. |
| |
| To enable I<noexec> for a command, use the C<NOEXEC> tag as documented |
| in the User Specification section above. Here is that example again: |
| |
| aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
| |
| This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi> |
| with I<noexec> enabled. This will prevent those two commands from |
| executing other commands (such as a shell). If you are unsure |
| whether or not your system is capable of supporting I<noexec> you |
| can always just try it out and see if it works. |
| |
| =back |
| |
| Note that restricting shell escapes is not a panacea. Programs |
| running as root are still capable of many potentially hazardous |
| operations (such as changing or overwriting files) that could lead |
| to unintended privilege escalation. In the specific case of an |
| editor, a safer approach is to give the user permission to run |
| B<sudoedit>. |
| |
| =head1 SEE ALSO |
| |
| L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)> |
| |
| =head1 CAVEATS |
| |
| The I<sudoers> file should B<always> be edited by the B<visudo> |
| command which locks the file and does grammatical checking. It is |
| imperative that I<sudoers> be free of syntax errors since B<sudo> |
| will not run with a syntactically incorrect I<sudoers> file. |
| |
| When using netgroups of machines (as opposed to users), if you |
| store fully qualified host name in the netgroup (as is usually the |
| case), you either need to have the machine's host name be fully qualified |
| as returned by the C<hostname> command or use the I<fqdn> option in |
| I<sudoers>. |
| |
| =head1 BUGS |
| |
| If you feel you have found a bug in B<sudo>, please submit a bug report |
| at http://www.sudo.ws/sudo/bugs/ |
| |
| =head1 SUPPORT |
| |
| Limited free support is available via the sudo-users mailing list, |
| see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or |
| search the archives. |
| |
| =head1 DISCLAIMER |
| |
| B<sudo> is provided ``AS IS'' and any express or implied warranties, |
| including, but not limited to, the implied warranties of merchantability |
| and fitness for a particular purpose are disclaimed. See the LICENSE |
| file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html |
| for complete details. |