path: root/sudoers.pod
author    Todd C. Miller <Todd.Miller@courtesan.com> 1996-01-21 04:47:08 +0000
committer Todd C. Miller <Todd.Miller@courtesan.com> 1996-01-21 04:47:08 +0000
commit    1420abc3d1972e7f38aa15c337fd0949a9e208e7 (patch)
tree      f1d3d7c3afd6c65df86ef930d016750a7aaae4d5 /sudoers.pod
parent    ffb43ec0f407f1d2be138c54c6fec050c7499dd2 (diff)
Initial revision
Diffstat (limited to 'sudoers.pod')
-rw-r--r--  sudoers.pod  151
1 file changed, 151 insertions, 0 deletions
diff --git a/sudoers.pod b/sudoers.pod
new file mode 100644
index 000000000..4b718c888
--- /dev/null
+++ b/sudoers.pod
@@ -0,0 +1,151 @@
+=cut
+$Id$
+=pod
+
+=head1 NAME
+
+sudoers - list of which users may execute what as root
+
+=head1 DESCRIPTION
+
+The I<sudoers> file is composed of an optional host alias section,
+an optional command alias section and the user specification section.
+All command or host aliases need to start with their respective keywords
+(ie: Host_Alias, User_Alias, or Cmnd_Alias).
+If there are multiple occurrences of a user, the union of the entries
+will be used.
+
+=head2 user specification format:
+
+ user access_group [: access_group] ...
+
+ access_group ::= host_type = [op]cmnd_type [,[op]cmnd_type] ...
+ host_type ::= a lower\-case hostname, netgroup, ip address,
+ network number, or host alias.
+ cmnd_type ::= an command OR a command alias.
+ op ::= the logical '!' NOT operator.
+
+=head2 host alias section format:
+
+ Host_Alias HOSTALIAS = host\-list
+
+ Host_Alias ::= a keyword.
+ HOSTALIAS ::= an upper\-case alias name.
+ host\-list ::= a comma separated list of hosts, netgroups,
+ ip addresses, networks.
+
+=head2 user alias section format:
+
+ User_Alias USERALIAS = user\-list
+
+ User_Alias ::= a keyword.
+ USERALIAS ::= an upper\-case alias name.
+ user\-list ::= a comma separated list of users, groups and netgroups.
+
+=head2 command alias section format:
+
+ Cmnd_Alias CMNDALIAS = cmnd\-list
+
+ Cmnd_Alias ::= a keyword.
+ CMNDALIAS ::= an upper\-case alias name.
+ cmnd\-list ::= a comma separated list commands.
+
+=head2 command specification:
+
+ path arg1 arg2 .. argn = command
+
+ path ::= a fully qualified pathname.
+ arg[1..n] ::= optional command line arguments.
+
+ Text after a pound sign ('#') is considered a comment.
+ Words that begin with a percent sign ('%') are assumed to
+ be UN*X groups (%staff refers to users in the group "staff").
+ Words that begin with a plus sign ('+') are assumed to
+ be netgroups (+cshosts refers to the netgroup "cshosts").
+ Long lines can be newline escaped with the backslash '\\' character.
+ The reserved alias 'ALL' can be used for both {Host,User,Cmnd}_Alias.
+
+ DO NOT define an alias of 'ALL', it will NOT be used.
+ Note that 'ALL' implies the entire universe of hosts/users/commands.
+ You can subtract elements from the universe by using the syntax:
+ user host=ALL,!ALIAS1,!/etc/halt...
+ Note that the '!' notation only works in a user's command list. You
+ may not use it to subtract elements in a User_Alias, Host_Alias, or
+ Cmnd_Alias.
+
+ Commands may have optional command line arguments. If they do,
+ then the arguments in the sudoers file must exactly match those
+ on the command line. It is also possible to have a command's
+ arguments span multiple lines as long as the line continuance
+ character '\\' is used. The following characters must be escaped
+ with a '\\' if used in command arguments: ',', ':', '=', '\\'.
+
+=head1 EXAMPLES
+
+ # Host alias specification
+ Host_Alias HUB=houdini:\\
+ REMOTE=merlin,kodiakthorn,spirit
+ Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
+ Host_Alias CSNETS=128.138.243.0,128.138.204.0,\\
+ 128.138.205.192
+
+ # User alias specification
+ User_Alias FULLTIME=millert,dowdy,mikef
+ User_Alias PARTTIME=juola,mccreary,tor
+
+ # Command alias specification
+ Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
+ Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
+ Cmnd_Alias SU=/bin/su
+ Cmnd_Alias MISC=/bin/rm,/bin/cat:\\
+ SHUTDOWN=/etc/halt,/etc/shutdown
+
+ # User specification
+ FULLTIME ALL=ALL
+ %wheel ALL=ALL
+ PARTTIME ALL=ALL,!SHELLS,!SU
+ +interns +openlabs=ALL,!SHELLS,!SU
+ britt REMOTE=SHUTDOWN:ALL=LPCS
+ nieusma SERVERS=SHUTDOWN,/etc/reboot:\\
+ HUB=ALL,!SHELLS
+ jill houdini=/etc/shutdown -r now,MISC
+ markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
+ davehieb merlin=ALL:SERVERS=/etc/halt:\\
+ kodiakthorn=ALL
+ steve CSNETS=/usr/op_commands/,/bin/su operator
+
+The above I<sudoers> file specification is composed of 4 host alias
+specifications, 2 user alias specifications, 4 command alias
+specifications and 8 user specifications. Full time staff (those
+in the FULLTIME alias) and anyone in group "wheel" are allowed to
+execute any command on any host. Part time staff (those in the PARTTIME
+alias) are allowed to execute any command except for the group of SHELL
+and SU commands on any machine. Britt is permitted to execute /etc/halt,
+/etc/shutdown, /usr/etc/lpc and /usr/ucb/lprm on the REMOTE machines (merlin,
+kodiakthorn, and spirit). Nieusma is allowed to run /etc/halt, /etc/shutdown,
+and /etc/halt on all machines and all commands except for the group of SHELL
+commands on the HUB machines. Jill is permitted to execute /etc/shutdown with
+the "\-r now" flags, /bin/rm, and /bin/cat on houdini. Davehieb can execute
+any command on machines merlin and kodiakthorn and can halt the SERVERS. Any
+user in the netgroup "interns" may run any command on the machines in the
+netgroup "openlabs" except for those commands in the groups SHELL and SU.
+Steve can run any command located in the directory /usr/op_commands on all
+machines on the subnets listed in CSNETS (note that the 128.138.192 net has
+a netmask of 255.255.255.192 which is why its network number is
+128.138.192.192). He may also su to operator but to no one else.
+
+B<sudo> will do a logical and of a machine's ip address(es) with
+its netmask to decide whether that machine is on a given network).
+The I<sudoers> file should B<always> be edited by the B<visudo>
+command which locks the file and does grammatical checking. It is
+imperative that the I<sudoers> be free of syntax errors since sudo
+will not run with a syntactically incorrect sudoers file.
+
+=head1 FILES
+
+F</etc/sudoers> file of authorized users.
+F</etc/netgroup> list of network groups
+
+=head1 SEE ALSO
+
+sudo(8), visudo(8), su(1).
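Review bot: the EXAMPLES prose does not match the sample file it describes, which matters in a document whose whole purpose is to teach administrators what a policy grants. The paragraph says "4 command alias specifications and 8 user specifications", but the sample defines five command aliases (LPCS, SHELLS, SU, MISC, SHUTDOWN) and ten user specifications, and markm's entry is never explained. The sentence "Nieusma is allowed to run /etc/halt, /etc/shutdown, and /etc/halt on all machines" should read /etc/halt, /etc/shutdown and /etc/reboot on the SERVERS machines, since the entry is `nieusma SERVERS=SHUTDOWN,/etc/reboot:\\`; as written it overstates the grant. The aside on netmasks refers to "the 128.138.192 net" and a network number of "128.138.192.192", while CSNETS actually lists `128.138.205.192`; pick one. The alias is named SHELLS, not SHELL, in two places. Separately, the "command specification" section states that when arguments are given in sudoers they must match exactly, but it does not say what a bare pathname such as `Cmnd_Alias SU=/bin/su` permits; please state explicitly whether a command listed without arguments may be run with any arguments, because that is the case an administrator most needs to reason about when deciding whether `!SU` really excludes what they think it excludes. Minor: "an command OR a command alias" and "a comma separated list commands" have typos, "grammatical checking" should be "syntax checking", and the sentence ending "on a given network)." has an unbalanced parenthesis.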