author | Todd C. Miller <Todd.Miller@courtesan.com> | 1999-10-11 15:55:11 +0000 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@courtesan.com> | 1999-10-11 15:55:11 +0000 |
commit | e50580310583fea29b49c0e883bbbe77beb59639 (patch) | |
tree | f6d10d40fe7b998c73a794af0141b99f18c0b415 /sudoers.pod | |
parent | 7081a00a4b725eb80fb861c5f9a4133d9118fbe1 (diff) | |
download | sudo-e50580310583fea29b49c0e883bbbe77beb59639.tar.gz |
Document "Defaults" lines in /etc/sudoers. Still needs some fleshing
out but this is a start.
Diffstat (limited to 'sudoers.pod')
-rw-r--r-- | sudoers.pod | 228 |
1 files changed, 224 insertions, 4 deletions
diff --git a/sudoers.pod b/sudoers.pod index 654d89b0c..ab3be70ae 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -89,10 +89,10 @@ string (as opposed to a symbol name). There are four kinds of aliases: the C<User_Alias>, C<Runas_Alias>, C<Host_Alias> and C<Cmnd_Alias>. - Alias ::= User_Alias = User_Alias (':' User_Alias)* | - Runas_Alias (':' Runas_Alias)* | - Host_Alias (':' Host_Alias)* | - Cmnd_Alias (':' Cmnd_Alias)* + Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* | + 'Runas_Alias' (':' Runas_Alias)* | + 'Host_Alias' (':' Host_Alias)* | + 'Cmnd_Alias' (':' Cmnd_Alias)* User_Alias ::= NAME '=' User_List 
@@ -192,6 +192,212 @@ in the C<Cmnd> must match exactly those given by the user on the command line characters must be escaped with a '\' if they are used in command arguments: ',', ':', '=', '\\'. +=head2 Defaults + +Certain configuration options may be changed from their default +values at runtime via one or more C<Default_Entry> lines. These +may affect all users on any host, all users on a specific host, +or just a specific user. When multiple entries match, they are +applied in order. Where there are conflicting values, the last +value on a matching line takes effect. + + Default_Type ::= 'Defaults' || + 'Defaults' ':' User || + 'Defaults' '@' Host + + Default_Entry ::= Default_Type Parameter_List + + Parameter ::= Parameter '=' Value || + '!'* Parameter || + +Parameters may be flags, integer values, or strings. Flags are +implicitly boolean and can be turned off via the '!' operator. +Some integer and string parameters may also be used in a boolean +context to disable them. Values may be enclosed in double quotes +(C<">) when they contain multiple words. Special characters may +be escaped with a backslash (C<\>). + +B<Flags>: + +=over 12 + +=item long_otp_prompt + +Put OTP prompt on its own line + +=item ignore_dot + +Ignore '.' 
in $PATH + +=item mail_always + +Always send mail when sudo is run + +=item mail_no_user + +Send mail if the user is not in sudoers + +=item mail_no_host + +Send mail if the user is not in sudoers for this host + +=item mail_no_perms + +Send mail if the user is not allowed to run a command + +=item tty_tickets + +Use a separate timestamp for each user/tty combo + +=item lecture + +Lecture user the first time they run sudo + +=item authenticate + +Require users to authenticate by default + +=item root_sudo + +Root may run sudo + +=item log_host + +Log the hostname in the (non-syslog) log file + +=item log_year + +Log the year in the (non-syslog) log file + +=item shell_noargs + +If sudo is invoked with no arguments, start a shell + +=item set_home + +Set $HOME to the target user when starting a shell with C<-s> + +=item path_info + +Allow some information gathering to give useful error messages + +=item fqdn + +Require fully-qualified hostnames in the sudoers file + +=item insults + +Insult the user when they enter an incorrect password + +=item requiretty + +Only allow the user to run sudo if they have a tty + +=back + +B<Integers>: + +=over 12 + +=item passwd_tries + +Number of tries to enter a password + +=back + +B<Integers that can be used in a boolean context>: + +=over 12 + +=item loglinelen + +Length at which to wrap log file lines (use 0 or negate for no wrap) + +=item timestamp_timeout + +Authentication timestamp timeout + +=item passwd_timeout + +Password prompt timeout + +=item umask + +Umask to use or 0777 to use user's + +=back + +B<Strings>: + +=over 12 + +=item mailsub + +Subject line for mail messages + +=item badpass_message + +Incorrect password message + +=item timestampdir + +Path to authentication timestamp dir + +=item passprompt + +Default password prompt + +=item runas_default + +Default user to run commands as + +=item syslog_goodpri + +Syslog priority to use when user authenticates successfully + +=item syslog_badpri + +Syslog priority to 
use when user authenticates unsuccessfully + +=back 12 + +B<Strings that can be used in a boolean context>: + +=over 12 + +=item syslog + +Syslog facility if syslog is being used for logging (negate to disable syslog) + +=item mailerpath + +Path to mail program + +=item mailerflags + +Flags for mail program + +=item mailto + +Address to send mail to + +=item exempt_group + +Users in this group are exempt from password and PATH requirements + +=item secure_path + +Value to override user's $PATH with + +=back 12 + +When logging via syslog(3), sudo accepts the following values for the syslog +facility (the value of the I<syslog> Parameter): I<authpriv> (if your OS +supports it), I<auth>, I<daemon>, I<user>, I<local0>, I<local1>, I<local2>, +I<local3>, I<local4>, I<local5>, I<local6>, and I<local7>. The following +syslog priorities are supported: I<alert>, I<crit>, I<debug>, I<emerg>, +I<err>, I<info>, I<notice>, and I<warning>. + =head2 User Specification Runas_Spec ::= '(' Runas_List ')' @@ -369,6 +575,20 @@ these are a bit contrived. First, we define our I<aliases>: /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su +Here we override some of the compiled in default values. We want +sudo to log via syslog(3) using the I<auth> facility in all cases. +We don't want to subject the full time staff to the B<sudo> lecture, +and user B<millert> need not give a password. In addition, on the +machines in the I<SERVERS> C<Host_Alias>, we keep an additional +local log file and make sure we log the year in each log line since +the log entries will be kept around for several years. + + # Override builtin defaults + Defaults syslog=auth + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + The I<User specification> is the part that actually determines who may run what. |
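Review bot: in the first hunk (@@ -89,10 +89,10 @@) the `=` after `'User_Alias'` is left as a bare `=` while the four keyword literals are now quoted and every other production in the file writes the literal as `'='` (for example `User_Alias ::= NAME '=' User_List`); quote it the same way so the terminal symbols in the `Alias` rule are consistent: `Alias ::= 'User_Alias' '=' User_Alias (':' User_Alias)* |`. The remaining three alternatives also omit the `'='` entirely, which predates this change but is worth fixing while the rule is being touched.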
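Review bot: in the Defaults hunk (@@ -192,6 +192,212 @@) the grammar references `Parameter_List` in `Default_Entry ::= Default_Type Parameter_List` but never defines it, the `Parameter` production ends in a dangling `||` with no alternative after it, and both new productions use `||` as the alternation operator where the rest of the file's grammar uses a single `|`. Since the example later in the patch separates parameters with commas (`log_year, logfile=...`), something like `Parameter_List ::= Parameter | Parameter ',' Parameter_List` would close the gap. Two smaller points in the same hunk: `=back 12` is not valid POD (`=back` takes no argument; the indent belongs to `=over`) and appears twice, and "the last value on a matching line takes effect" reads ambiguously; if the intent is that the last matching `Defaults` entry wins, say that directly. Finally, `Default_Type` allows only `':' User`, yet the example applies `Defaults:FULLTIMERS` to a `User_Alias`, so the rule should probably read `User_List` or the text should say that aliases are accepted.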
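Review bot: in the example hunk (@@ -369,6 +575,20 @@) the line `Defaults@SERVERS log_year, logfile=/var/log/sudo.log` uses a `logfile` parameter that the new Defaults section does not document anywhere in its Flags, Integers or Strings lists; either add a `logfile` item under B<Strings> (path to the non-syslog log file) or drop it from the example so the example only uses documented keywords. The surrounding prose should also spell out that `Defaults:millert !authenticate` removes the password requirement entirely for that user, since that is the security-relevant effect a reader copying the example needs to understand.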