author | Todd C. Miller <Todd.Miller@courtesan.com> | 1996-01-21 04:47:08 +0000 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@courtesan.com> | 1996-01-21 04:47:08 +0000 |
commit | 1420abc3d1972e7f38aa15c337fd0949a9e208e7 (patch) | |
tree | f1d3d7c3afd6c65df86ef930d016750a7aaae4d5 /sudoers.pod | |
parent | ffb43ec0f407f1d2be138c54c6fec050c7499dd2 (diff) | |
download | sudo-1420abc3d1972e7f38aa15c337fd0949a9e208e7.tar.gz | |
Initial revision
Diffstat (limited to 'sudoers.pod')
-rw-r--r-- | sudoers.pod | 151 |
1 files changed, 151 insertions, 0 deletions
diff --git a/sudoers.pod b/sudoers.pod new file mode 100644 index 000000000..4b718c888 --- /dev/null +++ b/sudoers.pod 
@@ -0,0 +1,151 @@ +=cut +$Id$ +=pod + +=head1 NAME + +sudoers - list of which users may execute what as root + +=head1 DESCRIPTION + +The I<sudoers> file is composed of an optional host alias section, +an optional command alias section and the user specification section. +All command or host aliases need to start with their respective keywords +(ie: Host_Alias, User_Alias, or Cmnd_Alias). +If there are multiple occurrences of a user, the union of the entries +will be used. + +=head2 user specification format: + + user access_group [: access_group] ... + + access_group ::= host_type = [op]cmnd_type [,[op]cmnd_type] ... + host_type ::= a lower\-case hostname, netgroup, ip address, + network number, or host alias. + cmnd_type ::= an command OR a command alias. + op ::= the logical '!' NOT operator. + +=head2 host alias section format: + + Host_Alias HOSTALIAS = host\-list + + Host_Alias ::= a keyword. + HOSTALIAS ::= an upper\-case alias name. + host\-list ::= a comma separated list of hosts, netgroups, + ip addresses, networks. + +=head2 user alias section format: + + User_Alias USERALIAS = user\-list + + User_Alias ::= a keyword. + USERALIAS ::= an upper\-case alias name. + user\-list ::= a comma separated list of users, groups and netgroups. + +=head2 command alias section format: + + Cmnd_Alias CMNDALIAS = cmnd\-list + + Cmnd_Alias ::= a keyword. + CMNDALIAS ::= an upper\-case alias name. + cmnd\-list ::= a comma separated list commands. + +=head2 command specification: + + path arg1 arg2 .. argn = command + + path ::= a fully qualified pathname. + arg[1..n] ::= optional command line arguments. + + Text after a pound sign ('#') is considered a comment. + Words that begin with a percent sign ('%') are assumed to + be UN*X groups (%staff refers to users in the group "staff"). + Words that begin with a plus sign ('+') are assumed to + be netgroups (+cshosts refers to the netgroup "cshosts"). + Long lines can be newline escaped with the backslash '\\' character. 
+ The reserved alias 'ALL' can be used for both {Host,User,Cmnd}_Alias. + + DO NOT define an alias of 'ALL', it will NOT be used. + Note that 'ALL' implies the entire universe of hosts/users/commands. + You can subtract elements from the universe by using the syntax: + user host=ALL,!ALIAS1,!/etc/halt... + Note that the '!' notation only works in a user's command list. You + may not use it to subtract elements in a User_Alias, Host_Alias, or + Cmnd_Alias. + + Commands may have optional command line arguments. If they do, + then the arguments in the sudoers file must exactly match those + on the command line. It is also possible to have a command's + arguments span multiple lines as long as the line continuance + character '\\' is used. The following characters must be escaped + with a '\\' if used in command arguments: ',', ':', '=', '\\'. + +=head1 EXAMPLES + + # Host alias specification + Host_Alias HUB=houdini:\\ + REMOTE=merlin,kodiakthorn,spirit + Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit + Host_Alias CSNETS=128.138.243.0,128.138.204.0,\\ + 128.138.205.192 + + # User alias specification + User_Alias FULLTIME=millert,dowdy,mikef + User_Alias PARTTIME=juola,mccreary,tor + + # Command alias specification + Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm + Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh + Cmnd_Alias SU=/bin/su + Cmnd_Alias MISC=/bin/rm,/bin/cat:\\ + SHUTDOWN=/etc/halt,/etc/shutdown + + # User specification + FULLTIME ALL=ALL + %wheel ALL=ALL + PARTTIME ALL=ALL,!SHELLS,!SU + +interns +openlabs=ALL,!SHELLS,!SU + britt REMOTE=SHUTDOWN:ALL=LPCS + nieusma SERVERS=SHUTDOWN,/etc/reboot:\\ + HUB=ALL,!SHELLS + jill houdini=/etc/shutdown -r now,MISC + markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt + davehieb merlin=ALL:SERVERS=/etc/halt:\\ + kodiakthorn=ALL + steve CSNETS=/usr/op_commands/,/bin/su operator + +The above I<sudoers> file specification is composed of 4 host alias +specifications, 2 user alias specifications, 4 command alias 
+specifications and 8 user specifications. Full time staff (those +in the FULLTIME alias) and anyone in group "wheel" are allowed to +execute any command on any host. Part time staff (those in the PARTTIME +alias) are allowed to execute any command except for the group of SHELL +and SU commands on any machine. Britt is permitted to execute /etc/halt, +/etc/shutdown, /usr/etc/lpc and /usr/ucb/lprm on the REMOTE machines (merlin, +kodiakthorn, and spirit). Nieusma is allowed to run /etc/halt, /etc/shutdown, +and /etc/halt on all machines and all commands except for the group of SHELL +commands on the HUB machines. Jill is permitted to execute /etc/shutdown with +the "\-r now" flags, /bin/rm, and /bin/cat on houdini. Davehieb can execute +any command on machines merlin and kodiakthorn and can halt the SERVERS. Any +user in the netgroup "interns" may run any command on the machines in the +netgroup "openlabs" except for those commands in the groups SHELL and SU. +Steve can run any command located in the directory /usr/op_commands on all +machines on the subnets listed in CSNETS (note that the 128.138.192 net has +a netmask of 255.255.255.192 which is why its network number is +128.138.192.192). He may also su to operator but to no one else. + +B<sudo> will do a logical and of a machine's ip address(es) with +its netmask to decide whether that machine is on a given network). +The I<sudoers> file should B<always> be edited by the B<visudo> +command which locks the file and does grammatical checking. It is +imperative that the I<sudoers> be free of syntax errors since sudo +will not run with a syntactically incorrect sudoers file. + +=head1 FILES + +F</etc/sudoers> file of authorized users. +F</etc/netgroup> list of network groups + +=head1 SEE ALSO + +sudo(8), visudo(8), su(1). |
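Review bot: the EXAMPLES prose in this hunk does not describe the example file that precedes it, and since this is the file people will copy into /etc/sudoers the text should state exactly what each entry grants. The file defines five Cmnd_Alias entries (LPCS, SHELLS, SU, MISC, SHUTDOWN) and ten user specifications (FULLTIME, %wheel, PARTTIME, +interns, britt, nieusma, jill, markm, davehieb, steve), but the paragraph says "4 command alias specifications and 8 user specifications". The nieusma sentence reads "/etc/halt, /etc/shutdown, and /etc/halt on all machines", whereas the entry `nieusma SERVERS=SHUTDOWN,/etc/reboot:\ HUB=ALL,!SHELLS` grants /etc/halt, /etc/shutdown and /etc/reboot on the SERVERS hosts only. The britt sentence puts /usr/etc/lpc and /usr/ucb/lprm on the REMOTE machines, but `britt REMOTE=SHUTDOWN:ALL=LPCS` allows LPCS on every host. The CSNETS note speaks of "the 128.138.192 net" and "128.138.192.192" while the alias lists 128.138.205.192, so one of the two should be corrected. The SHELLS alias is referred to as "SHELL" twice, and markm's entry is never described. Smaller wording fixes in the same hunk: "an command OR a command alias" should read "a command or a command alias", "a comma separated list commands" is missing "of", and the final DESCRIPTION paragraph has a stray ")" after "on a given network".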