diff options
Diffstat (limited to 'docs/sudoers.man.in')
-rw-r--r-- | docs/sudoers.man.in | 1508 |
1 files changed, 962 insertions, 546 deletions
diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in index 5f73f7ca2..dec073b31 100644 --- a/docs/sudoers.man.in +++ b/docs/sudoers.man.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDOERS" "@mansectform@" "May 31, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "@mansectform@" "October 20, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -60,7 +60,7 @@ file to determine which plugins to load. If no sudo.conf(@mansectform@) file is present, or if it contains no -\fRPlugin\fR +\fIPlugin\fR lines, \fBsudoers\fR will be used for auditing, policy decisions and I/O logging. @@ -179,16 +179,19 @@ security policy requires that most users authenticate themselves before they can use \fBsudo\fR. A password is not required -if the invoking user is root, if the target user is the same as the -invoking user, or if the policy has disabled authentication for the -user or command. +if the invoking user is +\fBroot\fR, +if the target user is the same as the invoking user, or if the +policy has disabled authentication for the user or command. Unlike su(1), when \fBsudoers\fR requires authentication, it validates the invoking user's credentials, not -the target user's (or root's) credentials. +the target user's (or +\fB@runas_default@\fR's) +credentials. This can be changed via the \fIrootpw\fR, @@ -206,7 +209,7 @@ used for such mail is configurable via the \fImailto\fR Defaults entry (described later) and defaults to -\fR@mailto@\fR. +\fI@mailto@\fR. .PP No mail will be sent if an unauthorized user tries to run \fBsudo\fR @@ -230,7 +233,9 @@ are logged, regardless of whether or not mail is sent. .PP If \fBsudo\fR -is run by root and the +is run by +\fBroot\fR +and the \fRSUDO_USER\fR environment variable is set, the @@ -238,7 +243,9 @@ is set, the policy will use this value to determine who the actual user is. This can be used by a user to log commands -through sudo even when a root shell has been invoked. +through sudo even when a +\fBroot\fR +shell has been invoked. It also allows the \fB\-e\fR @@ -246,7 +253,9 @@ option to remain useful even when invoked via a sudo-run script or program. Note, however, that the \fIsudoers\fR -file lookup is still done for root, not the user specified by +file lookup is still done for +\fBroot\fR, +not the user specified by \fRSUDO_USER\fR. .PP \fBsudoers\fR @@ -258,12 +267,10 @@ terminal session ID, the start time of the session leader (using a monotonic clock if one is available). The user may then use \fBsudo\fR -without a password for a short period of time -(\fR@timeout@\fR -minutes unless overridden by the +without a password for a short period of time (@timeout@ minutes +unless overridden by the \fItimestamp_timeout\fR -option) -\&. +option). By default, \fBsudoers\fR uses a separate record for each terminal, which means that @@ -294,27 +301,17 @@ and \fIlogfile\fR settings. See -\fILOG FORMAT\fR +\fIEVENT LOGGING\fR for a description of the log file format. .PP \fBsudoers\fR -is also capable of running a command in a pseudo-terminal and logging all +is also capable of running a command in a pseudo-terminal and logging input and/or output. The standard input, standard output, and standard error can be logged even when not associated with a terminal. -I/O logging is not on by default but can be enabled using -the -\fIlog_input\fR -and -\fIlog_output\fR -options as well as the -\fRLOG_INPUT\fR -and -\fRLOG_OUTPUT\fR -command tags. -See -\fII/O LOG FILES\fR -for details on how I/O log files are stored. +For more information about I/O logging, see the +\fII/O LOGGING\fR +section. .PP Starting with version 1.9, the \fIlog_servers\fR @@ -400,7 +397,7 @@ This avoids an inconsistent environment where one of the variables describing the user name is set to the invoking user and one is set to the target user. Environment variables with a value beginning with -\fR()\fR +\(oq()\(cq are removed unless both the name and value parts are matched by \fIenv_keep\fR or @@ -420,7 +417,7 @@ and options are allowed and their values are inherited from the invoking process. Prior to version 1.8.21, environment variables with a value beginning with -\fR()\fR +\(oq()\(cq were always removed. Beginning with version 1.8.21, a pattern in \fIenv_delete\fR @@ -458,7 +455,7 @@ env_keep += "BASH_FUNC_my_func%%=()*" .fi .PP Without the -\(lq\fR=()*\fR\(rq +\(oq=()*\(cq suffix, this would not match, as \fBbash\fR shell functions are not preserved by default. @@ -468,7 +465,9 @@ as modified by global Defaults parameters in \fIsudoers\fR, is displayed when \fBsudo\fR -is run by root with the +is run by +\fBroot\fR +with the \fB\-V\fR option. The list of environment variables to remove @@ -613,7 +612,7 @@ By default, uses the operating system's native method of setting resource limits for the target user. On Linux systems, resource limits are usually set by the -\fRpam_limits.so\fR +\fIpam_limits.so\fR PAM module. On some BSD systems, the \fI/etc/login.conf\fR @@ -691,9 +690,13 @@ are only supported by version 1.8.7 or higher. EBNF is a concise and exact way of describing the grammar of a language. Each EBNF definition is made up of \fIproduction rules\fR. -E.g., -.PP -\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR +For example: +.nf +.sp +.RS 4n +symbol ::= definition | alternate1 | alternate2 ... +.RE +.fi .PP Each \fIproduction rule\fR @@ -706,15 +709,15 @@ Do not, however, confuse them with \(lqwildcard\(rq characters, which have different meanings. .TP 6n -\fR\&?\fR +\&? Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. .TP 6n -\fR*\fR +* Means that the preceding symbol (or group of symbols) may appear zero or more times. .TP 6n -\fR+\fR ++ Means that the preceding symbol (or group of symbols) may appear one or more times. .PP @@ -725,17 +728,17 @@ we will use single quotes to designate what is a verbatim character string (as opposed to a symbol name). .SS "Aliases" There are four kinds of aliases: -\fRUser_Alias\fR, -\fRRunas_Alias\fR, -\fRHost_Alias\fR +\fIUser_Alias\fR, +\fIRunas_Alias\fR, +\fIHost_Alias\fR and -\fRCmnd_Alias\fR. +\fICmnd_Alias\fR. Beginning with \fBsudo\fR 1.9.0, -\fRCmd_Alias\fR +\fICmd_Alias\fR may be used in place of -\fRCmnd_Alias\fR +\fICmnd_Alias\fR if desired. .nf .sp @@ -779,11 +782,11 @@ Alias_Type NAME = item1, item2, ... where \fIAlias_Type\fR is one of -\fRUser_Alias\fR, -\fRRunas_Alias\fR, -\fRHost_Alias\fR, +\fIUser_Alias\fR, +\fIRunas_Alias\fR, +\fIHost_Alias\fR, or -\fRCmnd_Alias\fR. +\fICmnd_Alias\fR. A \fRNAME\fR is a string of uppercase letters, numbers, @@ -797,7 +800,7 @@ uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon (\(oq:\&\(cq). -E.g., +For example: .nf .sp .RS 0n @@ -832,7 +835,7 @@ User ::= '!'* user name | .fi .PP A -\fRUser_List\fR +\fIUser_List\fR is made up of one or more user names, user-IDs (prefixed with \(oq#\(cq), @@ -847,7 +850,7 @@ non-Unix group names and IDs (prefixed with and \(oq%:#\(cq respectively), and -\fRUser_Alias\fRes. +\fIUser_Alias\fRes. Each list item may be prefixed with zero or more \(oq\&!\(cq operators. @@ -859,14 +862,14 @@ User netgroups are matched using the user and domain members only; the host member is not used when matching. .PP A -\fRuser name\fR, -\fRuser-ID\fR, -\fRgroup\fR, -\fRgroup-ID\fR, -\fRnetgroup\fR, -\fRnonunix_group\fR +\fIuser name\fR, +\fIuser-ID\fR, +\fIgroup\fR, +\fIgroup-ID\fR, +\fInetgroup\fR, +\fInonunix_group\fR or -\fRnonunix_gid\fR +\fInonunix_gid\fR may be enclosed in double quotes to avoid the need for escaping special characters. Alternately, special characters @@ -876,9 +879,9 @@ using double quotes, any prefix characters must be included inside the quotes. .PP The actual -\fRnonunix_group\fR +\fInonunix_group\fR and -\fRnonunix_gid\fR +\fInonunix_gid\fR syntax depends on the underlying group provider plugin. For instance, the QAS AD plugin supports the following formats: @@ -923,21 +926,24 @@ Runas_Member ::= '!'* user name | .fi .PP A -\fRRunas_List\fR +\fIRunas_List\fR is similar to a -\fRUser_List\fR +\fIUser_List\fR except that instead of -\fRUser_Alias\fRes +\fIUser_Alias\fRes it can contain -\fRRunas_Alias\fRes. +\fIRunas_Alias\fRes. User names and groups are matched as strings. In other words, two users (groups) with the same user (group) ID are considered to be distinct. -If you wish to match all user names with the same user-ID (e.g., root and -toor), you can use a user-ID instead of a name (#0 in the example given). +If you wish to match all user names with the same user-ID (e.g., +\fBroot\fR +and +\fBtoor\fR), +you can use a user-ID instead of a name (#0 in the example given). The user-ID or group-ID specified in a -\fRRunas_Member\fR +\fIRunas_Member\fR need not be listed in the password or group database. .nf .sp @@ -955,7 +961,7 @@ Host ::= '!'* host name | .fi .PP A -\fRHost_List\fR +\fIHost_List\fR is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with \(oq+\(cq), @@ -977,7 +983,7 @@ A host name may include shell-style wildcards (see the \fIWildcards\fR section below), but unless the -\fRhost name\fR +\fIhostname\fR command on your machine returns the fully qualified host name, you'll need to use the \fIfqdn\fR @@ -1027,7 +1033,7 @@ Cmnd ::= Digest_List? '!'* command | .fi .PP A -\fRCmnd_List\fR +\fICmnd_List\fR is a list of one or more commands, directories, or aliases. A command is a fully qualified file name, which may include shell-style wildcards (see the @@ -1044,7 +1050,7 @@ A directory is a fully qualified path name ending in a \(oq/\(cq. When you specify a directory in a -\fRCmnd_List\fR, +\fICmnd_List\fR, the user will be able to run any file within that directory (but not in any sub-directories therein). If no command line arguments are specified, the user may run the @@ -1055,19 +1061,19 @@ expression that starts with and ends with \(oq$\(cq. If the command line arguments consist of -\fR\&""\fR, +\(oq\&""\(cq, the command may only be run with \fIno\fR arguments. .PP If a -\fRCmnd\fR +\fICmnd\fR has associated command line arguments, the arguments in the -\fRCmnd\fR +\fICmnd\fR must match those given by the user on the command line. If the arguments in a -\fRCmnd\fR +\fICmnd\fR begin with the \(oq^\(cq character, they will be interpreted as a regular expression @@ -1082,7 +1088,7 @@ if they are used in command arguments: \(oq=\&\(cq, \(oq\e\(cq. To prevent arguments in a -\fRCmnd\fR +\fICmnd\fR that begin with a \(oq^\(cq character from being interpreted as a regular expression, the @@ -1091,7 +1097,7 @@ must be escaped with a \(oq\e\(cq. .PP The built-in command -\(lq\fRsudoedit\fR\(rq +\(lqsudoedit\(rq is used to permit a user to run \fBsudo\fR with the @@ -1100,7 +1106,7 @@ option (or as \fBsudoedit\fR). It may take command line arguments just as a normal command does. Unlike other commands, -\(lq\fRsudoedit\fR\(rq +\(lqsudoedit\(rq is built into \fBsudo\fR itself and must be specified in the @@ -1111,27 +1117,27 @@ a leading path. If a leading path is present, for example \fI/usr/bin/sudoedit\fR, the path name will be silently converted to -\(lq\fRsudoedit\fR\(rq. +\(lqsudoedit\(rq. A fully-qualified path for \fBsudoedit\fR is treated as an error by \fBvisudo\fR. .PP A -\fRcommand\fR +\fIcommand\fR may be preceded by a -\fRDigest_List\fR, +\fIDigest_List\fR, a comma-separated list of one or more -\fRDigest_Spec\fR +\fIDigest_Spec\fR entries. If a -\fRDigest_List\fR +\fIDigest_List\fR is present, the command will only match successfully if it can be verified using one of the SHA-2 digests in the list. Starting with version 1.9.0, the \fBALL\fR reserved word can be used in conjunction with a -\fRDigest_List\fR. +\fIDigest_List\fR. The following digest formats are supported: sha224, sha256, sha384, and sha512. The string may be specified in either hex or base64 format (base64 is more compact). @@ -1161,7 +1167,7 @@ Warning, if the user has write access to the command itself (directly or via a command), it may be possible for the user to replace the command after the digest check has been performed but before the command is executed. A similar race condition exists on systems that lack the -\fBfexecve\fR() +fexecve(2) system call when the directory in which the command is located is writable by the user. See the description of the @@ -1174,13 +1180,13 @@ Command digests are only supported by version 1.8.7 or higher. .SS "Defaults" Certain configuration options may be changed from their default values at run-time via one or more -\fRDefault_Entry\fR +\fIDefault_Entry\fR lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Per-command entries may not include command line arguments. If you need to specify arguments, define a -\fRCmnd_Alias\fR +\fICmnd_Alias\fR and reference that instead. .nf @@ -1241,16 +1247,16 @@ regexec(3) function. .PP Lists have two additional assignment operators, -\fR+=\fR +\(oq+=\(cq and -\fR-=\fR. +\(oq-=\(cq. These operators are used to add to and delete from a list respectively. It is not an error to use the -\fR-=\fR +\(oq-=\(cq operator to remove an element that does not exist in a list. .PP -Defaults entries are parsed in the following order: generic, host, +Defaults entries are parsed in the following order: global, host, user, and runas Defaults first, then command defaults. If there are multiple Defaults settings of the same type, the last matching setting is used. @@ -1316,28 +1322,30 @@ A \fBuser specification\fR determines which commands a user may run (and as what user) on specified hosts. -By default, commands are -run as -\fBroot\fR, -but this can be changed on a per-command basis. +By default, commands are run as +\fB@runas_default@\fR +(unless +\fIrunas_default\fR +has been set to a different value) +but this can also be changed on a per-command basis. .PP The basic structure of a user specification is \(lqwho where = (as_whom) what\(rq. Let's break that down into its constituent parts: .SS "Runas_Spec" A -\fRRunas_Spec\fR +\fIRunas_Spec\fR determines the user and/or the group that a command may be run as. A fully-specified -\fRRunas_Spec\fR +\fIRunas_Spec\fR consists of two -\fRRunas_List\fRs +\fIRunas_List\fRs (as defined above) separated by a colon (\(oq:\&\(cq) and enclosed in a set of parentheses. The first -\fRRunas_List\fR +\fIRunas_List\fR indicates which users the command may be run as via the \fB\-u\fR option. @@ -1345,32 +1353,35 @@ The second defines a list of groups that may be specified via the \fB\-g\fR option (in addition to any of the target user's groups). If both -\fRRunas_List\fRs +\fIRunas_List\fRs are specified, the command may be run with any combination of users and groups listed in their respective -\fRRunas_List\fRs. +\fIRunas_List\fRs. If only the first is specified, the command may be run as any user in the list and, optionally, with any group the target user belongs to. If the first -\fRRunas_List\fR +\fIRunas_List\fR is empty but the second is specified, the command may be run as the invoking user with the group set to any listed in the -\fRRunas_List\fR. +\fIRunas_List\fR. If both -\fRRunas_List\fRs +\fIRunas_List\fRs are empty, the command may only be run as the invoking user and the group, if specified, must be one that the invoking user is a member of. If no -\fRRunas_Spec\fR -is specified, the command may only be run as -\fBroot\fR -and the group, if specified, must be one that -\fBroot\fR -is a member of. +\fIRunas_Spec\fR +is specified, the command may only be run as the +\fIrunas_default\fR +user +(\fB@runas_default@\fR +by default) and the group, +if specified, must be one that the +\fIrunas_default\fR +user is a member of. .PP A -\fRRunas_Spec\fR +\fIRunas_Spec\fR sets the default for the commands that follow it. What this means is that for the entry: .nf @@ -1391,7 +1402,7 @@ on the host boulder\(embut only as \fBoperator\fR. -E.g., +For example: .nf .sp .RS 0n @@ -1400,7 +1411,7 @@ $ sudo -u operator /bin/ls .fi .PP It is also possible to override a -\fRRunas_Spec\fR +\fIRunas_Spec\fR later on in an entry. If we modify the entry like so: .nf @@ -1426,7 +1437,7 @@ as We can extend this to allow \fBdgb\fR to run -\fR/bin/ls\fR +\fI/bin/ls\fR with either the user or group set to \fBoperator\fR: @@ -1439,7 +1450,7 @@ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e .fi .PP While the group portion of the -\fRRunas_Spec\fR +\fIRunas_Spec\fR permits the user to run as command with that group, it does not force the user to do so. @@ -1470,7 +1481,7 @@ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e .PP In this example only the group will be set, the command still runs as user \fBtcm\fR. -E.g.\& +For example: .nf .sp .RS 0n @@ -1479,7 +1490,7 @@ $ sudo -g dialer /usr/bin/cu .fi .PP Multiple users and groups may be present in a -\fRRunas_Spec\fR, +\fIRunas_Spec\fR, in which case the user may select any combination of users and groups via the \fB\-u\fR and @@ -1495,11 +1506,14 @@ alan ALL = (root, bin : operator, system) ALL .PP user \fBalan\fR -may run any command as either user root or bin, +may run any command as either user +\fBroot\fR +or +\fBbin\fR, optionally setting the group to operator or system. .SS "Option_Spec" A -\fRCmnd\fR +\fICmnd\fR may have zero or more options associated with it. Options may consist of .if \n(SL \{\ @@ -1511,11 +1525,11 @@ Solaris privileges sets, .\} start and/or end dates and command timeouts. Once an option is set for a -\fRCmnd\fR, +\fICmnd\fR, subsequent -\fRCmnd\fRs +\fICmnd\fRs in the -\fRCmnd_Spec_List\fR, +\fICmnd_Spec_List\fR, inherit that option unless it is overridden by another option. Option names are reserved words in \fIsudoers\fR. @@ -1562,10 +1576,13 @@ alice ALL = (root) APPARMOR_PROFILE=my-profile ALL .PP the user \fBalice\fR -may run any command as root under confinement by the profile +may run any command as +\fBroot\fR +under confinement by the profile \(oqmy-profile\(cq. You can also stack profiles, or allow a user to run commands unconfined by -any profile. E.g., +any profile. +For example: .nf .sp .RS 0n @@ -1580,7 +1597,9 @@ entries allow user \fBbob\fR to run \fI/usr/bin/vi\fR -as root under the stacked profiles +as +\fBroot\fR +under the stacked profiles \(oqfoo\(cq and \(oqbar\(cq, @@ -1642,10 +1661,10 @@ and \fRNOTAFTER\fR settings. The time stamp must be specified in -\fIGeneralized Time\fR +\(lqGeneralized Time\(rq as defined by RFC 4517. The format is effectively -\fRyyyymmddHHMMSSZ\fR +\(oqyyyymmddHHMMSSZ\(cq where the minutes and seconds are optional. The \(oqZ\(cq @@ -1679,7 +1698,7 @@ minutes, and seconds with a single-letter case-insensitive suffix that indicates the unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes, and 10 seconds would be written as -\fR7d8h30m10s\fR. +\(oq7d8h30m10s\(cq. If a number is specified without a unit, seconds are assumed. Any of the days, minutes, hours, or seconds may be omitted. The order must be from largest to smallest unit and a unit @@ -1688,17 +1707,17 @@ may not be specified more than once. The following are all \fIvalid\fR timeout values: -\fR7d8h30m10s\fR, -\fR14d\fR, -\fR8h30m\fR, -\fR600s\fR, -\fR3600\fR. +\(oq7d8h30m10s\(cq, +\(oq14d\(cq, +\(oq8h30m\(cq, +\(oq600s\(cq, +\(oq3600\(cq. The following are \fIinvalid\fR timeout values: -\fR12m2w1d\fR, -\fR30s10m4h\fR, -\fR1d2d3h\fR. +\(oq12m2w1d\(cq, +\(oq30s10m4h\(cq, +\(oq1d2d3h\(cq. .PP This setting is only supported by version 1.8.20 or higher. .SS "Chdir_Spec" @@ -1726,7 +1745,7 @@ directory, unless the \fB\-i\fR option is given. Path names of the form -\fR~user/path/name\fR +\fI~user/path/name\fR are interpreted as being relative to the named user's home directory. If the user name is omitted, the path will be relative to the runas user's home directory. @@ -1759,7 +1778,7 @@ similar to the chroot(@mansectsu@) utility. Path names of the form -\fR~user/path/name\fR +\fI~user/path/name\fR are interpreted as being relative to the named user's home directory. If the user name is omitted, the path will be relative to the runas user's home directory. @@ -1786,11 +1805,11 @@ The following tag values are supported: and \fRNOSETENV\fR. Once a tag is set on a -\fRCmnd\fR, +\fICmnd\fR, subsequent -\fRCmnd\fRs +\fICmnd\fRs in the -\fRCmnd_Spec_List\fR, +\fICmnd_Spec_List\fR, inherit the tag unless it is overridden by the opposite tag (in other words, \fRPASSWD\fR overrides @@ -1800,7 +1819,7 @@ and overrides \fREXEC\fR). .TP 2n -\fIEXEC\fR and \fINOEXEC\fR +\fREXEC\fR and \fRNOEXEC\fR .sp If \fBsudo\fR @@ -1833,16 +1852,17 @@ section below for more details on how works and whether or not it will work on your system. .RE .TP 2n -\fIFOLLOW\fR and \fINOFOLLOW\fR +\fRFOLLOW\fR and \fRNOFOLLOW\fR +.sp Starting with version 1.8.15, \fBsudoedit\fR will not open a file that is a symbolic link unless the \fIsudoedit_follow\fR flag is enabled. The -\fIFOLLOW\fR +\fRFOLLOW\fR and -\fINOFOLLOW\fR +\fRNOFOLLOW\fR tags override the value of \fIsudoedit_follow\fR and can be used to permit (or deny) the editing of symbolic links @@ -1851,29 +1871,23 @@ These tags are only effective for the \fIsudoedit\fR command and are ignored for all other commands. .TP 2n -\fILOG_INPUT\fR and \fINOLOG_INPUT\fR +\fRLOG_INPUT\fR and \fRNOLOG_INPUT\fR .sp These tags override the value of the \fIlog_input\fR flag on a per-command basis. -For more information, see the description of -\fIlog_input\fR -in the -\fISUDOERS OPTIONS\fR -section below. +For more information, see +\fII/O LOGGING\fR. .TP 2n -\fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR +\fRLOG_OUTPUT\fR and \fRNOLOG_OUTPUT\fR .sp These tags override the value of the \fIlog_output\fR flag on a per-command basis. -For more information, see the description of -\fIlog_output\fR -in the -\fISUDOERS OPTIONS\fR -section below. +For more information, see +\fII/O LOGGING\fR. .TP 2n -\fIMAIL\fR and \fINOMAIL\fR +\fRMAIL\fR and \fRNOMAIL\fR .sp These tags provide fine-grained control over whether mail will be sent when a user runs a command by @@ -1888,7 +1902,7 @@ or \fB\-v\fR options. A -\fINOMAIL\fR +\fRNOMAIL\fR tag will also override the \fImail_always\fR and @@ -1903,7 +1917,7 @@ in the \fISUDOERS OPTIONS\fR section below. .TP 2n -\fIPASSWD\fR and \fINOPASSWD\fR +\fRPASSWD\fR and \fRNOPASSWD\fR .sp By default, \fBsudo\fR @@ -1913,12 +1927,12 @@ This behavior can be modified via the \fRNOPASSWD\fR tag. Like a -\fRRunas_Spec\fR, +\fIRunas_Spec\fR, the \fRNOPASSWD\fR tag sets a default for the commands that follow it in the -\fRCmnd_Spec_List\fR. +\fICmnd_Spec_List\fR. Conversely, the \fRPASSWD\fR tag can be used to reverse things. @@ -1939,7 +1953,7 @@ to run and \fI/usr/bin/lprm\fR as -\fBroot\fR +\fB@runas_default@\fR on the machine \(lqrushmore\(rq without authenticating himself. @@ -1966,10 +1980,10 @@ By default, if the \fRNOPASSWD\fR tag is applied to any of a user's entries for the current host, the user will be able to run -\(lq\fRsudo -l\fR\(rq +\(oqsudo -l\(cq without a password. Additionally, a user may only run -\(lq\fRsudo -v\fR\(rq +\(oqsudo -v\(cq without a password if all of the user's entries for the current host have the \fRNOPASSWD\fR @@ -1981,7 +1995,7 @@ and options. .RE .TP 2n -\fISETENV\fR and \fINOSETENV\fR +\fRSETENV\fR and \fRNOSETENV\fR .sp These tags override the value of the \fIsetenv\fR @@ -2008,7 +2022,7 @@ tag is implied for that command; this default may be overridden by use of the \fRNOSETENV\fR tag. .TP 2n -\fIINTERCEPT\fR and \fINOINTERCEPT\fR +\fRINTERCEPT\fR and \fRNOINTERCEPT\fR .sp If \fBsudo\fR @@ -2023,6 +2037,11 @@ and logged just like they would be if run through directly. This is useful in conjunction with commands that allow shell escapes such as editors, shells, and paginators. +There is additional overhead due to the policy check that may add +latency when running commands such as shell scripts that execute a +large number of sub-commands. +For interactive commands, such as a shell or editor, +the overhead is not usually noticeable. .sp In the following example, user \fBchuck\fR @@ -2058,21 +2077,21 @@ fnmatch(3) functions as specified by IEEE Std 1003.1 (\(lqPOSIX.1\(rq). .TP 10n -\fR*\fR +* Matches any set of zero or more characters (including white space). .TP 10n -\fR\&?\fR +\&? Matches any single character (including white space). .TP 10n -\fR[...]\fR +[...] Matches any character in the specified range. .TP 10n -\fR[!...]\fR +[!...] Matches any character \fInot\fR in the specified range. .TP 10n -\fR\ex\fR +\ex For any character \(oqx\(cq, evaluates to @@ -2144,9 +2163,9 @@ below. .SS "Exceptions to wildcard rules" The following exceptions apply to the above rules: .TP 10n -\fR\&""\fR +\&"" If the empty string -\fR\&""\fR +\(oq\&""\(cq is the only command line argument in the \fIsudoers\fR file entry it means that command is not allowed to be run with @@ -2207,7 +2226,11 @@ In the following example, user \fBjohn\fR can run the passwd(1) -command as root on any host but is not allowed to change root's password. +command as +\fB@runas_default@\fR +on any host but is not allowed to change +\fBroot\fR's +password. This kind of rule is impossible to express safely using wildcards. .nf .sp @@ -2244,7 +2267,8 @@ to run the \fI/usr/sbin/usermod\fR, and \fI/usr/sbin/userdel\fR -commands as root. +commands as +\fB@runas_default@\fR. .nf .sp .RS 4n @@ -2274,14 +2298,14 @@ It is possible to include other files from within the \fIsudoers\fR file currently being parsed using the -\fR@include\fR +\fI@include\fR and -\fR@includedir\fR +\fI@includedir\fR directives. For compatibility with sudo versions prior to 1.9.1, -\fR#include\fR +\fI#include\fR and -\fR#includedir\fR +\fI#includedir\fR are also accepted. .PP An include file can be used, for example, to keep a site-wide @@ -2342,7 +2366,7 @@ contains the line: .nf .sp .RS 4n -\fR@include sudoers.local\fR +@include sudoers.local .RE .fi .PP @@ -2350,7 +2374,7 @@ the file that will be included is \fI/etc/sudoers.local\fR. .PP The file name may also include the -\fR%h\fR +\(oq%h\(cq escape, signifying the short form of the host name. In other words, if the machine's host name is \(lqxerxes\(rq, @@ -2368,7 +2392,7 @@ to include the file \fI/etc/sudoers.xerxes\fR. .PP The -\fR@includedir\fR +\fI@includedir\fR directive can be used to create a \fIsudoers.d\fR directory that the system package manager can drop @@ -2391,6 +2415,7 @@ or contain a \(oq.\&\(cq character to avoid causing problems with package manager or editor temporary/backup files. +.PP Files are parsed in sorted lexical order. That is, \fI/etc/sudoers.d/01_first\fR @@ -2405,14 +2430,14 @@ Using a consistent number of leading zeroes in the file names can be used to avoid such problems. After parsing the files in the directory, control returns to the file that contained the -\fR@includedir\fR +\fI@includedir\fR directive. .PP Unlike files included via -\fR@include\fR, +\fI@include\fR, \fBvisudo\fR will not edit the files in a -\fR@includedir\fR +\fI@includedir\fR directory unless one of them contains a syntax error. It is still possible to run \fBvisudo\fR @@ -2438,11 +2463,11 @@ is a built-in \fIalias\fR that always causes a match to succeed. It can be used wherever one might otherwise use a -\fRCmnd_Alias\fR, -\fRUser_Alias\fR, -\fRRunas_Alias\fR, +\fICmnd_Alias\fR, +\fIUser_Alias\fR, +\fIRunas_Alias\fR, or -\fRHost_Alias\fR. +\fIHost_Alias\fR. Attempting to define an \fIalias\fR named @@ -2455,7 +2480,7 @@ can be dangerous since in a command context, it allows the user to run command on the system. .PP The following option names permitted in an -\fROption_Spec\fR +\fIOption_Spec\fR are also considered reserved words: \fRCHROOT\fR, .if \n(PS \{\ @@ -2486,16 +2511,18 @@ can be used as a logical operator in a list or \fIalias\fR as well as in front of a -\fRCmnd\fR. +\fICmnd\fR. This allows one to exclude certain values. For the \(oq\&!\(cq operator to be effective, there must be something for it to exclude. -For example, to match all users except for root one would use: +For example, to match all users except for +\fBroot\fR +one would use: .nf .sp .RS 4n -ALL,!root +ALL, !root .RE .fi .PP @@ -2509,7 +2536,9 @@ is omitted, as in: .RE .fi .PP -it would explicitly deny root but not match any other users. +it would explicitly deny +\fBroot\fR +but not match any other users. This is different from a true \(lqnegation\(rq operator. @@ -2550,7 +2579,7 @@ when used as part of a word (e.g., a user name or host name): .SH "SUDOERS OPTIONS" \fBsudo\fR's behavior can be modified by -\fRDefault_Entry\fR +\fIDefault_Entry\fR lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, are listed below. .PP @@ -2559,9 +2588,12 @@ A list of all supported Defaults parameters, grouped by type, are listed below. always_query_group_plugin If a \fIgroup_plugin\fR -is configured, use it to resolve groups of the form %group as long -as there is not also a system group of the same name. -Normally, only groups of the form %:group are passed to the +is configured, use it to resolve groups of the form +\(oq%group\(cq +as long as there is not also a system group of the same name. +Normally, only groups of the form +\(oq%:group\(cq +are passed to the \fIgroup_plugin\fR. This flag is \fIoff\fR @@ -2573,7 +2605,9 @@ If enabled, will set the \fRHOME\fR environment variable to the home directory of the target user -(which is the root user unless the +(which is the +\fIrunas_default\fR +user unless the \fB\-u\fR option is used). This flag is largely obsolete and has no effect unless the @@ -2678,10 +2712,10 @@ automatic restarting of system calls. Unfortunately, not all operating systems do this by default, and even those that do may have bugs. For example, macOS fails to restart the -\fBtcgetattr\fR() +tcgetattr(3) and -\fBtcsetattr\fR() -system calls (this is a bug in macOS). +tcsetattr(3) +functions (this is a bug in macOS). Furthermore, because this behavior depends on the command stopping with the \fRSIGTTIN\fR or @@ -2712,9 +2746,13 @@ or \fREDITOR\fR environment variables before falling back on the default editor list. \fBvisudo\fR -is typically run as root so this flag may allow a user with +is typically run as +\fBroot\fR +so this flag may allow a user with \fBvisudo\fR -privileges to run arbitrary commands as root without logging. +privileges to run arbitrary commands as +\fBroot\fR +without logging. An alternative is to place a colon-separated list of \(lqsafe\(rq editors int the @@ -2765,22 +2803,24 @@ Any variables in the caller's environment or in the file specified by the \fIrestricted_env_file\fR setting that match the -\fRenv_keep\fR +\fIenv_keep\fR and -\fRenv_check\fR +\fIenv_check\fR lists are then added, followed by any variables present in the file specified by the \fIenv_file\fR setting (if any). The contents of the -\fRenv_keep\fR +\fIenv_keep\fR and -\fRenv_check\fR +\fIenv_check\fR lists, as modified by global Defaults parameters in \fIsudoers\fR, are displayed when \fBsudo\fR -is run by root with the +is run by +\fBroot\fR +with the \fB\-V\fR option. If the @@ -2833,7 +2873,7 @@ Most programs that require a user's password will disable echo before reading the password to avoid displaying the plaintext password on the screen. However, if terminal input is being logged (see -\fIlog_input\fR), +\fII/O LOGGING\fR), the password will still be present in the I/O log. If the \fIlog_passwords\fR @@ -2856,8 +2896,8 @@ is set), only the first character of the password will be replaced in the I/O log. This option has no effect unless \fIlog_input\fR -and -\fIlog_input\fR +or +\fIlog_ttyin\fR are also set. This flag is \fIon\fR @@ -2869,16 +2909,16 @@ fqdn Set this flag if you want to put fully qualified host names in the \fIsudoers\fR file when the local host name (as returned by the -\fRhostname\fR +\(oqhostname\(cq command) does not contain the domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). This flag is only effective when the \(lqcanonical\(rq host name, as returned by the -\fBgetaddrinfo\fR() +getaddrinfo(3) or -\fBgethostbyname\fR() +gethostbyname(3) function, is a fully-qualified domain name. This is usually the case when the system is configured to use DNS for host name resolution. @@ -2928,11 +2968,8 @@ from the network). Just like with the hosts file, you must use the \(lqcanonical\(rq name as DNS knows it. -That is, you may not use a host alias -(\fRCNAME\fR -entry) -due to performance issues and the fact that there is no way to get all -aliases from DNS. +That is, you may not use a host alias (CNAME entry) due to performance +issues and the fact that there is no way to get all aliases from DNS. .sp This flag is \fI@fqdn@\fR @@ -2958,7 +2995,7 @@ by default. ignore_dot If set, \fBsudo\fR -will ignore "." or "" (both denoting current directory) in the +will ignore "." or "" (both denoting the current directory) in the \fRPATH\fR environment variable; the \fRPATH\fR @@ -2997,7 +3034,7 @@ ignore_local_sudoers If set via LDAP, parsing of \fI@sysconfdir@/sudoers\fR will be skipped. -This is intended for Enterprises that wish to prevent the usage of local +This is intended for sites that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR. @@ -3008,7 +3045,7 @@ Since this flag tells \fBsudo\fR how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the -\fRcn=defaults\fR +\(oqcn=defaults\(cq section. This flag is \fIoff\fR @@ -3078,19 +3115,14 @@ by default. log_input If set, \fBsudo\fR -will run the command in a pseudo-terminal and log all user input. -If the standard input is not connected to the user's tty, due to -I/O redirection or because the command is part of a pipeline, that -input is also captured and stored in a separate log file. -Anything sent to the standard input will be consumed, regardless of -whether or not the command run via +will run the command in a pseudo-terminal (if \fBsudo\fR -is actually reading the standard input. -This may have unexpected results when using -\fBsudo\fR -in a shell script that expects to process the standard input. +was run from a terminal) and log all user input. +If the standard input is not connected to the user's terminal, due +to I/O redirection or because the command is part of a pipeline, +that input is also logged. For more information about I/O logging, see the -\fII/O LOG FILES\fR +\fII/O LOGGING\fR section. This flag is \fIoff\fR @@ -3099,12 +3131,15 @@ by default. log_output If set, \fBsudo\fR -will run the command in a pseudo-terminal and log all output that is sent -to the screen, similar to the -script(1) -command. +will run the command in a pseudo-terminal (if +\fBsudo\fR +was run from a terminal) and log all output that is sent to the +user's terminal, the standard output or the standard error. +If the standard output or standard error is not connected to the +user's terminal, due to I/O redirection or because the command is +part of a pipeline, that output is also logged. For more information about I/O logging, see the -\fII/O LOG FILES\fR +\fII/O LOGGING\fR section. This flag is \fIoff\fR @@ -3140,20 +3175,59 @@ by default. .sp This setting is only supported by version 1.9.0 or higher. .TP 18n +log_stderr +If set, +\fBsudo\fR +will log the standard error if it is not connected to the user's terminal. +This can be used to log output to a pipe or redirected to a file. +This flag is +\fIoff\fR +by default but is enabled when either the +\fIlog_output\fR +flag or the +\fRLOG_OUTPUT\fR +command tag is set. +.TP 18n +log_stdin +If set, +\fBsudo\fR +will log the standard input if it is not connected to the user's terminal. +This can be used to log input from a pipe or redirected from a file. +This flag is +\fIoff\fR +by default but is enabled when either the +\fIlog_input\fR +flag or the +\fRLOG_INPUT\fR +command tag is set. +.TP 18n +log_stdout +If set, +\fBsudo\fR +will log the standard output if it is not connected to the user's terminal. +This can be used to log output to a pipe or redirected to a file. +This flag is +\fIoff\fR +by default but is enabled when either the +\fIlog_output\fR +flag or the +\fRLOG_OUTPUT\fR +command tag is set. +.TP 18n log_subcmds If set, \fBsudoers\fR will log when a command spawns a child process and executes a program using the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +execv(3), +execvp(3), +execvpe(3), or -\fBsystem\fR() +system(3) library functions. For example, if a shell is run by \fBsudo\fR, @@ -3175,6 +3249,38 @@ and is incompatible with SELinux RBAC support unless the system supports seccomp(2) filter mode. .TP 18n +log_ttyin +If set, +\fBsudo\fR +will run the command in a pseudo-terminal and log user keystrokes +sent to the user's terminal, if one is present. +This flag is +\fIoff\fR +by default but is enabled when either the +\fIlog_input\fR +flag or the +\fRLOG_INPUT\fR +command tag is set. +If no terminal is present, for example when running a remote command using +ssh(1), +this flag will have no effect. +.TP 18n +log_ttyout +If set, +\fBsudo\fR +will run the command in a pseudo-terminal and log all output displayed +on the user's terminal, if one is present. +This flag is +\fIoff\fR +by default but is enabled when either the +\fIlog_output\fR +flag or the +\fRLOG_OUTPUT\fR +command tag is set. +If no terminal is present, for example when running a remote command using +ssh(1), +this flag will have no effect. +.TP 18n log_year If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR @@ -3289,7 +3395,7 @@ This works well on systems where the number of groups listed in the \fIsudoers\fR file is larger than the number of groups a typical user belongs to. On systems where group lookups are slow, where users may belong -to a large number of groups, and where the number of groups listed +to a large number of groups, or where the number of groups listed in the \fIsudoers\fR file is relatively small, it may be prohibitively expensive and @@ -3341,7 +3447,7 @@ tag has been set, unless overridden by an \fRNOINTERCEPT\fR tag. See the description of -\fIINTERCEPT and NOINTERCEPT\fR +\fRINTERCEPT and NOINTERCEPT\fR above as well as the \fIPreventing shell escapes\fR section at the end of this manual. @@ -3368,7 +3474,7 @@ is enable. This flag has no effect unless the \fIintercept\fR flag is enabled or the -\fIINTERCEPT\fR +\fRINTERCEPT\fR tag has been set for the command. This flag is \fIon\fR @@ -3391,7 +3497,7 @@ subsequent commands will need to be authenticated. This flag has no effect unless the \fIintercept\fR flag is enabled or the -\fIINTERCEPT\fR +\fRINTERCEPT\fR tag has been set for the command. This flag is \fIoff\fR @@ -3399,15 +3505,58 @@ by default. .sp This setting is only supported by version 1.9.8 or higher. .TP 18n +intercept_verify +If set, +\fBsudo\fR +will attempt to verify that a command run in intercept mode has +the expected path name, command line arguments and environment. +.sp +The process will be stopped after +execve(2) +has completed but before the new command has had a chance to run. +To verify the command, +\fBsudo\fR +will read the command's path from +\fI/proc/PID/exe\fR, +the command line arguments and environment from the process's memory, +and compare them against the arguments that were passed to +execve(2). +In the event of a mismatch, the command will be sent a +\fRSIGKILL\fR +signal and terminated. +.sp +This can help prevent a time of check versus time of use issue with +intercept mode where the +execve(2) +arguments could be altered after the +\fBsudoers\fR +policy check. +The checks can only be performed if the +proc(@mansectform@) +file system is available. +This flag has no effect unless the +\fIintercept\fR +flag is enabled or the +\fRINTERCEPT\fR +tag has been set for the command and the +\fIintercept_type\fR +option is set to +\fItrace\fR. +This flag is +\fIon\fR +by default. +.sp +This setting is only supported by version 1.9.12 or higher. +.TP 18n netgroup_tuple If set, netgroup lookups will be performed using the full netgroup tuple: host name, user name, and domain (if one is set). Historically, \fBsudo\fR only matched the user name and domain for netgroups used in a -\fRUser_List\fR +\fIUser_List\fR and only matched the host name and domain for netgroups used in a -\fRHost_List\fR. +\fIHost_List\fR. This flag is \fIoff\fR by default. @@ -3421,7 +3570,7 @@ tag has been set, unless overridden by an \fREXEC\fR tag. See the description of -\fIEXEC and NOEXEC\fR +\fREXEC and NOEXEC\fR above as well as the \fIPreventing shell escapes\fR section at the end of this manual. @@ -3630,17 +3779,23 @@ This flag is by default. .TP 18n root_sudo -If set, root is allowed to run +If set, +\fBroot\fR +is allowed to run \fBsudo\fR too. Disabling this prevents users from \(lqchaining\(rq \fBsudo\fR -commands to get a root shell by doing something like -\(lq\fRsudo sudo /bin/sh\fR\(rq. +commands to get a +\fBroot\fR +shell by doing something like +\(oqsudo sudo /bin/sh\(cq. Note, however, that turning off \fIroot_sudo\fR -will also prevent root from running +will also prevent +\fBroot\fR +from running \fBsudoedit\fR. Disabling \fIroot_sudo\fR @@ -3652,7 +3807,9 @@ by default. rootpw If set, \fBsudo\fR -will prompt for the root password instead of the password of the invoking user +will prompt for the +\fBroot\fR +password instead of the password of the invoking user when running a command or editing a file. This flag is \fIoff\fR @@ -3662,7 +3819,7 @@ runas_allow_unknown_id If enabled, allow matching of runas user and group IDs that are not present in the password or group databases. In addition to explicitly matching unknown user or group IDs in a -\fRRunas_List\fR, +\fIRunas_List\fR, this option also allows the \fBALL\fR alias to match unknown IDs. @@ -3682,7 +3839,7 @@ If enabled, will only run commands as a user whose shell appears in the \fI/etc/shells\fR file, even if the invoking user's -\fRRunas_List\fR +\fIRunas_List\fR would otherwise permit it. If no \fI/etc/shells\fR @@ -3703,7 +3860,7 @@ If set, will prompt for the password of the user defined by the \fIrunas_default\fR option (defaults to -\fR@runas_default@\fR) +\fB@runas_default@\fR) instead of the password of the invoking user when running a command or editing a file. This flag is @@ -3728,7 +3885,9 @@ is invoked with the option, the \fRHOME\fR environment variable will be set to the home directory of the target -user (which is the root user unless the +user (which is the +\fIrunas_default\fR +user unless the \fB\-u\fR option is used). This flag is largely obsolete and has no effect unless the @@ -3749,7 +3908,9 @@ will set the \fRLOGNAME\fR and \fRUSER\fR -environment variables to the name of the target user (usually root unless the +environment variables to the name of the target user (the user specified by +\fIrunas_default\fR +unless the \fB\-u\fR option is given). However, since some programs (including the RCS revision control system) use @@ -3782,6 +3943,11 @@ A pseudo-terminal is allocated by when it is running in a terminal and one or more of the \fIlog_input\fR, \fIlog_output\fR, +\fIlog_stdin\fR, +\fIlog_stdout\fR, +\fIlog_stderr\fR, +\fIlog_ttyin\fR, +\fIlog_ttyout\fR, or \fIuse_pty\fR flags is enabled. @@ -3814,7 +3980,9 @@ If set and is invoked with no arguments it acts as if the \fB\-s\fR option had been given. -That is, it runs a shell as root (the shell is determined by the +That is, it runs a shell as +\fBroot\fR +(the shell is determined by the \fRSHELL\fR environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). @@ -3826,7 +3994,9 @@ stay_setuid Normally, when \fBsudo\fR executes a command the real and effective user-IDs are set to the target -user (root by default). +user +(\fB@runas_default@\fR +by default). This option changes that behavior such that the real user-ID is left as the invoking user's user-ID. In other words, this makes @@ -3854,7 +4024,8 @@ Symbolic links will not be followed in writable directories and will refuse to edit a file located in a writable directory. These restrictions are not enforced when \fBsudoedit\fR -is run by root. +is run by +\fBroot\fR. On some systems, if all directory components of the path to be edited are not readable by the target user, \fBsudoedit\fR @@ -3878,9 +4049,9 @@ option can be enabled to allow \fBsudoedit\fR to open symbolic links. It may be overridden on a per-command basis by the -\fIFOLLOW\fR +\fRFOLLOW\fR and -\fINOFOLLOW\fR +\fRNOFOLLOW\fR tags. This flag is \fIoff\fR @@ -3904,8 +4075,8 @@ If set, will prompt for the password of the user specified by the \fB\-u\fR -option (defaults to -\fRroot\fR) +option (defaults to the value of +\fIrunas_default\fR) instead of the password of the invoking user when running a command or editing a file. This flag precludes the use of a user-ID not listed in the passwd @@ -4010,7 +4181,7 @@ If a timeout is specified both in the \fIsudoers\fR file and on the command line, the smaller of the two timeouts will be used. See the -\fRTimeout_Spec\fR +\fITimeout_Spec\fR section for a description of the timeout syntax. This flag is \fIoff\fR @@ -4040,7 +4211,7 @@ flag is set, \fBsudo\fR will prompt for a password even when it would be visible on the screen. This makes it possible to run things like -\(lq\fRssh somehost sudo ls\fR\(rq +\(oqssh somehost sudo ls\(cq since by default, ssh(1) does @@ -4060,14 +4231,13 @@ The \fIclosefrom\fR option can be used to specify a different file descriptor at which to start closing. -The default is -\fR3\fR. +The default is 3. .TP 18n command_timeout The maximum amount of time a command is allowed to run before it is terminated. See the -\fRTimeout_Spec\fR +\fITimeout_Spec\fR section for a description of the timeout syntax. .sp This setting is only supported by version 1.8.20 or higher. @@ -4076,7 +4246,7 @@ log_server_timeout The maximum amount of time to wait when connecting to a log server or waiting for a server response. See the -\fRTimeout_Spec\fR +\fITimeout_Spec\fR section for a description of the timeout syntax. The default value is 30 seconds. .sp @@ -4084,12 +4254,12 @@ This setting is only supported by version 1.9.0 or higher. .TP 18n maxseq The maximum sequence number that will be substituted for the -\(lq\fR%{seq}\fR\(rq +\(oq%{seq}\(cq escape in the I/O log file (see the \fIiolog_dir\fR description below for more information). While the value substituted for -\(lq\fR%{seq}\fR\(rq +\(oq%{seq}\(cq is in base 36, \fImaxseq\fR itself should be expressed in decimal. @@ -4113,8 +4283,7 @@ passwd_tries The number of tries a user gets to enter his/her password before \fBsudo\fR logs the failure and exits. -The default is -\fR@passwd_tries@\fR. +The default is @passwd_tries@. .TP 18n syslog_maxlen On many systems, @@ -4146,22 +4315,15 @@ loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. -The default is -\fR@loglen@\fR -(use 0 or negate the option to disable word wrap). +The default is @loglen@ (use 0 or negate the option to disable word wrap). .TP 18n passwd_timeout Number of minutes before the \fBsudo\fR -password prompt times out, or -\fR0\fR -for no timeout. +password prompt times out, or 0 for no timeout. The timeout may include a fractional component -if minute granularity is insufficient, for example -\fR2.5\fR. -The -default is -\fR@password_timeout@\fR. +if minute granularity is insufficient, for example 2.5. +The default is @password_timeout@. .TP 18n timestamp_timeout .br @@ -4169,20 +4331,15 @@ Number of minutes that can elapse before \fBsudo\fR will ask for a password again. The timeout may include a fractional component if -minute granularity is insufficient, for example -\fR2.5\fR. -The default is -\fR@timeout@\fR. -Set this to -\fR0\fR -to always prompt for a password. -If set to a value less than -\fR0\fR -the user's time stamp will not expire until the system is rebooted. +minute granularity is insufficient, for example 2.5. +The default is @timeout@. +Set this to 0 to always prompt for a password. +If set to a value less than 0 the user's time stamp will not expire +until the system is rebooted. This can be used to allow users to create or delete their own time stamps via -\(lq\fRsudo -v\fR\(rq +\(oqsudo -v\(cq and -\(lq\fRsudo -k\fR\(rq +\(oqsudo -k\(cq respectively. .TP 18n umask @@ -4195,10 +4352,8 @@ Unless the flag is set, the actual umask will be the union of the user's umask and the value of the \fIumask\fR -setting, which defaults to -\fR@sudo_umask@\fR. -This guarantees -that +setting, which defaults to @sudo_umask@. +This guarantees that \fBsudo\fR never lowers the umask when running a command. .sp @@ -4226,7 +4381,7 @@ The default can be overridden for individual \fIsudoers\fR entries by specifying the -\fIAPPARMOR_PROFILE\fR +\fRAPPARMOR_PROFILE\fR option. This option is only available when sudo is built with AppArmor support. @@ -4237,18 +4392,18 @@ The message may include the \(oq%d\(cq escape which will expand to the number of failed password attempts. If set, it overrides the default message, -\fR%d incorrect password attempt(s)\fR. +\(lq%d incorrect password attempt(s)\(rq. .TP 18n badpass_message Message that is displayed if a user enters an incorrect password. The default is -\fR@badpass_message@\fR +\(lq@badpass_message@\(rq unless insults are enabled. .TP 18n editor A colon (\(oq:\&\(cq) -separated list of editors path names used by +separated list of editor path names used by \fBsudoedit\fR and \fBvisudo\fR. @@ -4300,15 +4455,15 @@ It has the following possible values: .TP 8n dso Preload a dynamic shared object (shared library) that intercepts the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +execv(3), +execvp(3), +execvpe(3), and -\fBsystem\fR() +system(3) library functions. A value of \fIdso\fR @@ -4368,30 +4523,32 @@ escape sequences are supported: .RS 18n .PD 0 .TP 6n -\fR%{seq}\fR +%{seq} expanded to a monotonically increasing base-36 sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g., \fI01/00/A5\fR .PD .TP 6n -\fR%{user}\fR +%{user} expanded to the invoking user's login name .TP 6n -\fR%{group}\fR +%{group} expanded to the name of the invoking user's real group-ID .TP 6n -\fR%{runas_user}\fR +%{runas_user} expanded to the login name of the user the command will -be run as (e.g., root) +be run as (e.g., +\fBroot\fR) .TP 6n -\fR%{runas_group}\fR +%{runas_group} expanded to the group name of the user the command will -be run as (e.g., wheel) +be run as (e.g., +\fBwheel\fR) .TP 6n -\fR%{hostname}\fR +%{hostname} expanded to the local host name without the domain name .TP 6n -\fR%{command}\fR +%{command} expanded to the base name of the command being run .PP In addition, any escape sequences supported by the system's @@ -4420,7 +4577,7 @@ tags are present for a command. \fIiolog_file\fR may contain directory components. The default is -\(lq\fR%{seq}\fR\(rq. +\(oq%{seq}\(cq. .sp See the \fIiolog_dir\fR @@ -4430,9 +4587,9 @@ escape sequences. .sp In addition to the escape sequences, path names that end in six or more -\fRX\fRs +\fIX\fRs will have the -\fRX\fRs +\fIX\fRs replaced with a unique combination of digits and letters, similar to the mktemp(3) function. @@ -4446,7 +4603,7 @@ overwritten unless \fIiolog_file\fR ends in six or more -\fRX\fRs. +\fIX\fRs. .TP 18n iolog_flush If set, @@ -4571,7 +4728,7 @@ For \fBsudo_logsrvd\fR, client certificate validation is controlled by the \fItls_checkpeer\fR -option, which defaults to +flag, which defaults to \fIfalse\fR. .sp This setting is only supported by version 1.9.0 or higher. @@ -4581,10 +4738,10 @@ Subject of the mail sent to the \fImailto\fR user. The escape -\fR%h\fR +\(oq%h\(cq will expand to the host name of the machine. Default is -\(lq\fR@mailsub@\fR\(rq. +\(lq@mailsub@\(rq. .TP 18n noexec_file As of @@ -4600,9 +4757,9 @@ name used when the \fB\-A\fR option is specified. The default value is either -\(lq\fR@pam_service@\fR\(rq +\(oq@pam_service@\(cq or -\(lq\fR@pam_login_service@\fR\(rq, +\(oq@pam_login_service@\(cq, depending on whether or not the \fB\-i\fR option is also specified. @@ -4619,7 +4776,7 @@ name used when the \fB\-i\fR option is specified. The default value is -\(lq\fR@pam_login_service@\fR\(rq. +\(oq@pam_login_service@\(cq. See the description of \fIpam_service\fR for more information. @@ -4635,7 +4792,7 @@ file or a file in the \fI/etc/pam.d\fR directory. The default value is -\(lq\fRsudo\fR\(rq. +\(oqsudo\(cq. .sp This setting is only supported by version 1.8.8 or higher. .TP 18n @@ -4652,17 +4809,17 @@ escape sequences are supported: .RS 18n .PD 0 .TP 6n -\fR%H\fR +%H expanded to the local host name including the domain name (only if the machine's host name is fully qualified or the \fIfqdn\fR option is set) .PD .TP 6n -\fR%h\fR +%h expanded to the local host name without the domain name .TP 6n -\fR%p\fR +%p expanded to the user whose password is being asked for (respects the \fIrootpw\fR, \fItargetpw\fR @@ -4671,18 +4828,19 @@ and flags in \fIsudoers\fR) .TP 6n -\fR\&%U\fR +\&%U expanded to the login name of the user the command will -be run as (defaults to root) +be run as (defaults to +\fB@runas_default@\fR) .TP 6n -\fR%u\fR +%u expanded to the invoking user's login name .TP 6n -\fR%%\fR +%% two consecutive -\fR%\fR +\(oq%\(cq characters are collapsed into a single -\fR%\fR +\(oq%\(cq character .PP On systems that use PAM for authentication, @@ -4699,7 +4857,7 @@ The flag can be used to change this behavior. .sp The default value is -\(lq\fR@passprompt@\fR\(rq. +\(oq@passprompt@\(cq. .RE .if \n(PS \{\ .TP 18n @@ -4738,14 +4896,14 @@ The default user to run commands as if the \fB\-u\fR option is not specified on the command line. This defaults to -\fR@runas_default@\fR. +\fB@runas_default@\fR. .TP 18n sudoers_locale Locale to use when parsing the sudoers file, logging commands, and sending email. Changing the locale may affect how sudoers is interpreted. Defaults to -\(lq\fRC\fR\(rq. +\(oqC\(cq. .TP 18n timestamp_type \fBsudoers\fR @@ -4772,10 +4930,7 @@ process ID (usually the shell). Commands run from the same shell (or other common parent process) will not require a password for \fItimestamp_timeout\fR -minutes -(\fR@timeout@\fR -by default) -\&. +minutes (@timeout@ by default). Commands run via \fBsudo\fR with a different parent process ID, for example from a shell script, @@ -4788,10 +4943,7 @@ If no terminal is present, the behavior is the same as \fIppid\fR. Commands run from the same terminal will not require a password for \fItimestamp_timeout\fR -minutes -(\fR@timeout@\fR -by default) -\&. +minutes (@timeout@ by default). .TP 8n kernel The time stamp is stored in the kernel as an attribute of the terminal @@ -4823,7 +4975,7 @@ timestampowner The owner of the lecture status directory, time stamp directory and all files stored therein. The default is -\fRroot\fR. +\fBroot\fR. .if \n(SL \{\ .TP 18n type @@ -4854,7 +5006,7 @@ is configured with the \fR--enable-admin-flag\fR option. The default value is -\fR~/.sudo_as_admin_successful\fR. +\fI~/.sudo_as_admin_successful\fR. .TP 14n env_file The @@ -4862,9 +5014,9 @@ The option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form -\(lq\fRVARIABLE=value\fR\(rq +\(oqVARIABLE=value\(cq or -\(lq\fRexport VARIABLE=value\fR\(rq. +\(oqexport VARIABLE=value\(cq. The value may optionally be enclosed in single or double quotes. Variables in this file are only added if the variable does not already exist in the environment. @@ -4879,7 +5031,7 @@ and exempt_group Users in this group are exempt from password and PATH requirements. The group name specified should not include a -\fR%\fR +\(oq%\(cq prefix. This is not set by default. .TP 14n @@ -4932,7 +5084,7 @@ alias. .sp This setting is only supported by version 1.8.20 or higher. If the operating system does not support the -\fBfexecve\fR() +fexecve(2) system call, this setting has no effect. .RE .TP 14n @@ -4948,6 +5100,34 @@ These arguments (if any) will be passed to the plugin's initialization function. If arguments are present, the string must be enclosed in double quotes (\&""). .sp +On 64-bit systems, if the plugin is present but cannot be loaded, +\fBsudoers\fR +will look for a 64-bit version and, if it exists, load that as a fallback. +The exact rules for this vary by system. +On Solaris, if the plugin is stored in a directory ending in +\(lqlib\(rq, +\fBsudoers\fR +will create a fallback path by appending +\(lq/64\(rq +to the directory name; +\fI/usr/lib/sudo_plugin.so\fR +becomes +\fI/usr/lib/64/sudo_plugin.so\fR. +On Linux, a directory ending in +\(lqlib\(rq +will be transformed to +\(lqlib64\(rq +as the fallback path; +\fI/usr/lib/sudo_plugin.so\fR +becomes +\fI/usr/lib64/sudo_plugin.so\fR. +On all other systems, the fallback path is generated by adding a +\(lq64\(rq +before the file extension; +\fIsudo_plugin.so\fR +becomes +\fIsudo_plugin64.so\fR. +.sp For more information see \fIGROUP PROVIDER PLUGINS\fR. .TP 14n @@ -5055,7 +5235,7 @@ may be truncated. .TP 10n sudo Traditional sudo-style logs, see -\fILOG FORMAT\fR +\fIEVENT LOGGING\fR for a description of the log file format. .PP This setting affects logs sent via @@ -5097,7 +5277,7 @@ The address should be enclosed in double quotes to protect against \fBsudo\fR interpreting the -\fR@\fR +\(oq@\(cq sign. Defaults to the name of the user running \fBsudo\fR. @@ -5111,10 +5291,9 @@ The address should be enclosed in double quotes to protect against \fBsudo\fR interpreting the -\fR@\fR +\(oq@\(cq sign. -Defaults to -\fR@mailto@\fR. +Defaults to @mailto@. .TP 14n rlimit_as The maximum size to which the process's address space may grow (in bytes), @@ -5193,9 +5372,9 @@ The option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form -\(lq\fRVARIABLE=value\fR\(rq +\(oqVARIABLE=value\(cq or -\(lq\fRexport VARIABLE=value\fR\(rq. +\(oqexport VARIABLE=value\(cq. The value may optionally be enclosed in single or double quotes. Variables in this file are only added if the variable does not already exist in the environment. @@ -5240,7 +5419,7 @@ It is only possible to use \fIrunchroot\fR as a command-specific Defaults setting if the command exists with the same path both inside and outside the chroot jail. -This restriction does not apply to generic, host, or user-based +This restriction does not apply to global, host, or user-based Defaults settings or to a \fICmnd_Spec\fR that includes a @@ -5285,8 +5464,7 @@ This option is @secure_path@ by default. syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). -Defaults to -\fR@logfac@\fR. +Defaults to @logfac@. .sp The following syslog facilities are supported: \fBauthpriv\fR @@ -5309,8 +5487,7 @@ syslog_badpri .br Syslog priority to use when the user is not allowed to run a command or when authentication is unsuccessful. -Defaults to -\fR@badpri@\fR. +Defaults to @badpri@. .sp The following syslog priorities are supported: \fBalert\fR, @@ -5330,8 +5507,7 @@ will disable logging of unsuccessful commands. syslog_goodpri Syslog priority to use when the user is allowed to run a command and authentication is successful. -Defaults to -\fR@goodpri@\fR. +Defaults to @goodpri@. .sp See \fIsyslog_badpri\fR @@ -5435,21 +5611,22 @@ The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -\fR=\fR, -\fR+=\fR, -\fR-=\fR, +\(oq=\(cq, +\(oq+=\(cq, +\(oq-=\(cq, and -\fR\&!\fR +\(oq\&!\(cq operators respectively. Regardless of whether the -\fRenv_reset\fR +\fIenv_reset\fR option is enabled or disabled, variables specified by -\fRenv_check\fR +\fIenv_check\fR will be preserved in the environment if they pass the aforementioned check. The global list of environment variables to check is displayed when \fBsudo\fR -is run by root with -the +is run by +\fBroot\fR +with the \fB\-V\fR option. .RE @@ -5461,15 +5638,17 @@ option is not in effect. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -\fR=\fR, -\fR+=\fR, -\fR-=\fR, +\(oq=\(cq, +\(oq+=\(cq, +\(oq-=\(cq, and -\fR\&!\fR +\(oq\&!\(cq operators respectively. The global list of environment variables to remove is displayed when \fBsudo\fR -is run by root with the +is run by +\fBroot\fR +with the \fB\-V\fR option. Many operating systems will remove potentially dangerous variables @@ -5486,16 +5665,18 @@ processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -\fR=\fR, -\fR+=\fR, -\fR-=\fR, +\(oq=\(cq, +\(oq+=\(cq, +\(oq-=\(cq, and -\fR\&!\fR +\(oq\&!\(cq operators respectively. The global list of variables to keep is displayed when \fBsudo\fR -is run by root with the +is run by +\fBroot\fR +with the \fB\-V\fR option. .sp @@ -5588,7 +5769,7 @@ plugin supports its own plugin interface to allow non-Unix group lookups which can query a group source other than the standard Unix group database. This can be used to implement support for the -\fRnonunix_group\fR +\fInonunix_group\fR syntax described earlier. .PP Group provider plugins are specified via the @@ -5627,9 +5808,9 @@ system_group The \fIsystem_group\fR plugin supports group lookups via the standard C library functions -\fBgetgrnam\fR() +getgrnam(3) and -\fBgetgrid\fR(). +getgrid(3). This plugin can be used in instances where the user belongs to groups not present in the user's supplemental group vector. This plugin takes no options: @@ -5642,7 +5823,7 @@ Defaults group_plugin=system_group.so .PP The group provider plugin API is described in detail in sudo_plugin(@mansectform@). -.SH "LOG FORMAT" +.SH "EVENT LOGGING" \fBsudoers\fR can log events in either JSON or \fIsudo\fR @@ -5743,7 +5924,7 @@ The actual command that was executed. Messages are logged using the locale specified by \fIsudoers_locale\fR, which defaults to the -\(lq\fRC\fR\(rq +\(oqC\(cq locale. .SS "Denied command log entries" If the user is not allowed to run the command, the reason for the denial @@ -5833,12 +6014,12 @@ is the user-ID that owns the \fIsudoers\fR file) to the end of the \fBsudoers\fR -\fRPlugin\fR +\fIPlugin\fR line in the sudo.conf(@mansectform@) file. .TP 3n -unable to stat @sysconfdir@/sudoers +unable to open @sysconfdir@/sudoers The \fI@sysconfdir@/sudoers\fR file is missing. @@ -5862,7 +6043,7 @@ is the user-ID that owns the \fIsudoers\fR file) to the \fBsudoers\fR -\fRPlugin\fR +\fIPlugin\fR line in the sudo.conf(@mansectform@) file. @@ -5879,7 +6060,7 @@ The default mode may be changed via the \(lqsudoers_mode\(rq option to the \fBsudoers\fR -\fRPlugin\fR +\fIPlugin\fR line in the sudo.conf(@mansectform@) file. @@ -5898,7 +6079,7 @@ is the group-ID that owns the \fIsudoers\fR file) to the \fBsudoers\fR -\fRPlugin\fR +\fIPlugin\fR line in the sudo.conf(@mansectform@) file. @@ -5908,7 +6089,9 @@ unable to open @rundir@/ts/username was unable to read or create the user's time stamp file. This can happen when \fItimestampowner\fR -is set to a user other than root and the mode on +is set to a user other than +\fBroot\fR +and the mode on \fI@rundir@\fR is not searchable by group or other. The default mode for @@ -5945,7 +6128,7 @@ The and \fIprogname\fR fields are added by the system's -\fBsyslog\fR() +syslog(3) function, not \fBsudoers\fR itself. @@ -5998,11 +6181,60 @@ If the option is set to 0 (or negated with a \(oq\&!\(cq), word wrap will be disabled. -.SH "I/O LOG FILES" +.SH "I/O LOGGING" When I/O logging is enabled, \fBsudo\fR -will run the command in a pseudo-terminal and log all user input and/or output, -depending on which options are enabled. +will runs the command in a pseudo-terminal, logging user input +and/or output, depending on which +\fBsudoers\fR +flags are enabled. +There are five distinct types of I/O that can be logged, each with +a corresponding +\fBsudoers\fR +flag. +.TS +l l l. +.PP +\fBType\fR \fBFlag\fR \fBDescription\fR +.PP +terminal input log_ttyin keystrokes entered by the user +.PP +terminal output log_ttyout command output displayed to the screen +.PP +standard input log_stdin input from a pipe or a file +.PP +standard output log_stdout output to a pipe or a file +.PP +standard error log_stderr output to a pipe or a file +.TE +.PP +In addition to flags described the above, the +\fIlog_input\fR +flag and +\fRLOG_INPUT\fR +command tag set both +\fIlog_ttyin\fR +and +\fIlog_stdin\fR. +The +\fIlog_output\fR +flag and +\fRLOG_OUTPUT\fR +command tag set +\fIlog_ttyout\fR, +\fIlog_stdout\fR, +and +\fIlog_stderr\fR. +.PP +To capture terminal input and output, +\fBsudo\fR +run the command in a pseudo-terminal, logging the input and +output before passing it on to the user. +To capture the standard input, standard output or standard error, +\fBsudo\fR +uses a pipe to interpose itself between the input or output stream, +logging the I/O before passing it to the other end of the pipe. +.PP I/O can be logged either to the local machine or to a remote log server. For local logs, I/O is logged to the directory specified by the \fIiolog_dir\fR @@ -6012,7 +6244,7 @@ by default) using a unique session ID that is included in the \fBsudo\fR log line, prefixed with -\(lq\fRTSID=\fR\(rq. +\(oqTSID=\(cq. The \fIiolog_file\fR option may be used to control the format of the session ID. @@ -6022,7 +6254,121 @@ setting is used to specify one or more log servers running \fBsudo_logsrvd\fR or another server that implements the protocol described by sudo_logsrv.proto(@mansectform@). +.SS "I/O logging pitfals" +When logging standard input, anything sent to the standard input +will be consumed, regardless of whether or not the command run via +\fBsudo\fR +is actively reading the standard input. +This may have unexpected results when using +\fBsudo\fR +in a shell script that expects to process the standard input. +For example, given the following shell script: +.nf +.sp +.RS 4n +#!/bin/sh +sudo echo testing +echo done +.RE +.fi +.PP +It will behave as expected when the script is passed to the shell as a +an argument: +.nf +.sp +.RS 4n +$ sh test.sh +testing +done +.RE +.fi +.PP +However, if the script is passed to the shell on the standard input, the +\(oqsudo echo testing\(cq +command will consume the rest of the script. +This means that the +\(oqecho done\(cq +statement is never executed. +.nf +.sp +.RS 4n +$ sh -s < test.sh +testing +.RE +.fi +.PP +There are several ways to work around this problem: +.TP 5n +1.\& +Redirect the standard input from +\fI/dev/null\fR +when running a command via +\fBsudo\fR +that does not need to read the standard input. +.nf +.sp +.RS 9n +sudo echo testing < /dev/null +.RE +.fi +.TP 5n +2.\& +Pass the script to the shell by path name instead of via the standard input. +.nf +.sp +.RS 9n +sh test.sh +.RE +.fi +.TP 5n +3.\& +Disable logging the standard input for commands that do not need +to read the standard input. +.nf +.sp +.RS 9n +Defaults!/bin/echo !log_stdin +.RE +.fi +.PP +Depending on the command, it may not be desirable to log the +standard input or standard output. +For example, I/O logging of commands that send or receive large +amount of data via the standard output or standard input such as +rsync(1) +and +tar(1) +could fill up the log file system with superfluous data. +It is possible to disable logging of the standard input and standard +output for such commands as follows: +.nf +.sp +.RS 4n +Cmnd_Alias COPY_CMDS = /usr/bin/tar, /usr/bin/cpio, /usr/bin/rsync + +# Log input and output but omit stdin and stdout when copying files. +Defaults log_input, log_output +Defaults!COPY_CMDS !log_stdin, !log_stdout +.RE +.fi .PP +However, be aware that using the +\fIlog_input\fR +flag or the +\fRLOG_INPUT\fR +command tag will also enable +\fIlog_stdin\fR. +Likewise, the +\fIlog_ouput\fR +flag or the +\fRLOG_OUTPUT\fR +command tag will enable +\fIlog_stdout\fR +and +\fIlog_stderr.\fR +Careful ordering of rules may be necessary to achieve the results +that you expect. +.SS "I/O log format" For both local and remote I/O logs, each log is stored in a separate directory that contains the following files: .TP 10n @@ -6079,12 +6425,12 @@ if no terminal was present. .TP 10n runargv A JSON array representing the command's argument vector as passed to the -\fBexecve\fR() +execve(2) system call. .TP 10n runenv A JSON array representing the command's environment as passed to the -\fBexecve\fR() +execve(2) system call. .TP 10n rungid @@ -6168,6 +6514,13 @@ command suspend or resume, signal received .TP 10n \fIttyin\fR Raw input from the user's terminal, exactly as it was received. +This file is only present if the +\fIlog_input\fR +or +\fIlog_ttyin\fR +flags are set and +\fBsudo\fR +was run from a terminal. No post-processing is performed. For manual viewing, you may wish to convert carriage return characters in the log to line feeds. @@ -6177,19 +6530,42 @@ For example: \fIstdin\fR The standard input when no terminal is present, or input redirected from a pipe or file. +This file is only present if the +\fIlog_input\fR +or +\fIlog_stdin\fR +flags are set and the standard input is not connected to a terminal. .TP 10n \fIttyout\fR Output from the pseudo-terminal (what the command writes to the screen). Terminal-specific post-processing is performed before the data is logged. This means that, for example, line feeds are usually converted to line feed/carriage return pairs and tabs may be expanded to spaces. +This file is only present if the +\fIlog_output\fR +or +\fIlog_ttyout\fR +flags are set and +\fBsudo\fR +was run from a terminal. .TP 10n \fIstdout\fR The standard output when no terminal is present, or output redirected to a pipe or file. +This file is only present if the +\fIlog_output\fR +or +\fIlog_stdout\fR +flags are set and the standard output is not connected to a terminal. .TP 10n \fIstderr\fR -The standard error redirected to a pipe or file. +The standard error when no terminal is present, or output redirected to +a pipe or file. +This file is only present if the +\fIlog_output\fR +or +\fIlog_stderr\fR +flags are set and the standard error is not connected to a terminal. .PP All files other than \fIlog\fR @@ -6217,6 +6593,9 @@ In most cases, logging the command output via or \fRLOG_OUTPUT\fR is all that is required. +When logging input, consider disabling the +\fIlog_passwords\fR +flag. .PP Since each session's I/O logs are stored in a separate directory, traditional log rotation utilities cannot be used to limit the @@ -6336,14 +6715,15 @@ need not provide a password and we don't want to reset the \fRLOGNAME\fR or \fRUSER\fR -environment variables when running commands as root. +environment variables when running commands as +\fBroot\fR. Additionally, on the machines in the -\fISERVERS\fR -\fRHost_Alias\fR, +\fRSERVERS\fR +\fIHost_Alias\fR, we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years. Lastly, we disable shell escapes for the commands in the PAGERS -\fRCmnd_Alias\fR +\fICmnd_Alias\fR (\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and @@ -6421,17 +6801,12 @@ jack CSNETS = ALL The user \fBjack\fR may run any command on the machines in the -\fICSNETS\fR -alias (the networks -\fR128.138.243.0\fR, -\fR128.138.204.0\fR, -and -\fR128.138.242.0\fR). -Of those networks, only -\fR128.138.204.0\fR -has an explicit netmask (in CIDR notation) indicating it is a class C network. +\fRCSNETS\fR +alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). +Of those networks, only 128.138.204.0 has an explicit netmask (in +CIDR notation) indicating it is a class C network. For the other networks in -\fICSNETS\fR, +\fRCSNETS\fR, the local machine's netmask will be used during matching. .nf .sp @@ -6443,9 +6818,8 @@ lisa CUNETS = ALL The user \fBlisa\fR may run any command on any host in the -\fICUNETS\fR -alias (the class B network -\fR128.138.0.0\fR). +\fRCUNETS\fR +alias (the class B network 128.138.0.0). .nf .sp .RS 0n @@ -6497,8 +6871,8 @@ group may run commands in \fI/usr/sbin/\fR as themselves with any group in the -\fIADMINGRP\fR -\fRRunas_Alias\fR +\fRADMINGRP\fR +\fIRunas_Alias\fR (the \fBadm\fR and @@ -6508,8 +6882,9 @@ groups). The user \fBpete\fR is allowed to change anyone's password except for -root on the -\fIHPPA\fR +\fBroot\fR +on the +\fRHPPA\fR machines. Because command line arguments are matched as a single, concatenated string, the @@ -6544,12 +6919,12 @@ bob SPARC = (OP) ALL : SGI = (OP) ALL The user \fBbob\fR may run anything on the -\fISPARC\fR +\fRSPARC\fR and -\fISGI\fR +\fRSGI\fR machines as any user listed in the -\fIOP\fR -\fRRunas_Alias\fR +\fROP\fR +\fIRunas_Alias\fR (\fBroot\fR and \fBoperator\fR.) @@ -6592,8 +6967,8 @@ fred ALL = (DB) NOPASSWD: ALL The user \fBfred\fR can run commands as any user in the -\fIDB\fR -\fRRunas_Alias\fR +\fRDB\fR +\fIRunas_Alias\fR (\fBoracle\fR or \fBsybase\fR) @@ -6606,11 +6981,12 @@ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* .fi .PP On the -\fIALPHA\fR +\fRALPHA\fR machines, user \fBjohn\fR -may su to anyone except root but he is not allowed to specify any options -to the +may su to anyone except +\fBroot\fR +but he is not allowed to specify any options to the su(1) command. .nf @@ -6623,8 +6999,8 @@ jen ALL, !SERVERS = ALL The user \fBjen\fR may run any command on any machine except for those in the -\fISERVERS\fR -\fRHost_Alias\fR +\fRSERVERS\fR +\fIHost_Alias\fR (primary, mail, www, and ns). .nf .sp @@ -6634,21 +7010,21 @@ jill SERVERS = /usr/bin/, !SU, !SHELLS .fi .PP For any machine in the -\fISERVERS\fR -\fRHost_Alias\fR, +\fRSERVERS\fR +\fIHost_Alias\fR, \fBjill\fR may run any commands in the directory \fI/usr/bin/\fR except for those commands belonging to the -\fISU\fR +\fRSU\fR and -\fISHELLS\fR -\fRCmnd_Aliases\fR. +\fRSHELLS\fR +\fICmnd_Aliases\fR. While not specifically mentioned in the rule, the commands in the -\fIPAGERS\fR -\fRCmnd_Alias\fR +\fRPAGERS\fR +\fICmnd_Alias\fR all reside in \fI/usr/bin\fR and have the @@ -6683,8 +7059,8 @@ WEBADMIN www = (www) ALL, (root) /usr/bin/su www .fi .PP On the host www, any user in the -\fIWEBADMIN\fR -\fRUser_Alias\fR +\fRWEBADMIN\fR +\fIUser_Alias\fR (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply su(1) @@ -6698,7 +7074,7 @@ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e .fi .PP Any user may mount or unmount a CD-ROM on the machines in the CDROM -\fRHost_Alias\fR +\fIHost_Alias\fR (orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. @@ -6724,9 +7100,9 @@ bill ALL = ALL, !SU, !SHELLS Doesn't really prevent \fBbill\fR from running the commands listed in -\fISU\fR +\fRSU\fR or -\fISHELLS\fR +\fRSHELLS\fR since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered @@ -6735,7 +7111,9 @@ advisory at best (and reinforced by policy). In general, if a user has sudo \fBALL\fR there is nothing to prevent them from creating their own program that gives -them a root shell (or making their own copy of a shell) regardless of any +them a +\fBroot\fR +shell (or making their own copy of a shell) regardless of any \(oq!\&\(cq elements in the user specification. .SS "Security implications of \fIfast_glob\fR" @@ -6763,13 +7141,13 @@ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e User \fBjohn\fR can still run -\fR/usr/bin/passwd root\fR +\(oq/usr/bin/passwd root\(cq if \fIfast_glob\fR is enabled by changing to \fI/usr/bin\fR and running -\fR./passwd root\fR +\(oq./passwd root\(cq instead. .PP Another potential issue is that when @@ -6878,12 +7256,7 @@ do not is often unworkable. .TP 10n intercept .br -Many systems that support shared libraries have the ability to -override default library functions by pointing an environment -variable (usually -\fRLD_PRELOAD\fR) -to an alternate shared library. -On such systems, +On most systems, \fBsudo\fR's \fIintercept\fR functionality can be used to transparently intercept an attempt to @@ -6891,74 +7264,88 @@ run a new command, allow or deny it based on \fIsudoers\fR rules, and log the result. For example, this can be used to restrict the commands run from -within a privileged shell. +within a privileged shell or editor. +.sp +There are two underlying mechanisms that may be used to implement +\fIintercept\fR +mode: +\fIdso\fR +and +\fItrace\fR. +The +\fIintercept_type\fR +setting can be used to select between them. +.sp +The first mechanism, +\fIdso\fR, +overrides the standard C library functions that are used to execute a +command. +It does this by setting an environment variable (usually +\fRLD_PRELOAD\fR) +to the path of a dynamic shared object, or shared library, +containing custom versions of the +execve(2), +execl(3), +execle(3), +execlp(3), +execv(3), +execvp(3), +execvpe(3), +and +system(3) +library functions that connect back to +\fBsudo\fR +for a policy decision. Note, however, that this applies only to dynamically-linked executables. It is not possible to intercept commands for statically-linked executables -or executables that run under binary emulation. -This implementation of the +or executables that run under binary emulation this way. +Because most dynamic loaders ignore +\fRLD_PRELOAD\fR +(or the equivalent) when running set-user-ID and set-group-ID programs, +\fBsudoers\fR +will not permit such programs to be run in \fIintercept\fR -functionality is incompatible with +mode by default. +The +\fIdso\fR +mechanism is incompatible with \fBsudo\fR's SELinux RBAC support (but see below). SELinux disables \fRLD_PRELOAD\fR -by default and interferes with file descriptor inheritance. +by default and interferes with file descriptor inheritance, which +\fBsudo\fR +relies on. .sp -Linux systems that support +The second mechanism, +\fItrace\fR, +is available on Linux systems that support seccomp(2) -filtering can use a different method involving +filtering. +It uses ptrace(2) -instead of pre-loading a shared library. -This method supports both static and dynamic executables as well as +and +seccomp(2) +to intercept the +execve(2) +system call instead of pre-loading a dynamic shared object. +Both static and dynamic executables are supported and it is compatible with \fBsudo\fR's SELinux RBAC mode. -Because it operates at the system call level, not the library function level, -it is possible to intercept all calls to -execve(2). Functions utilizing the execveat(2) system call, such as fexecve(3), are not currently intercepted. .sp -The shared library-based -\fIintercept\fR -functionality only works for programs that use the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), -or -\fBsystem\fR() -library functions to run the new command. -This may be expanded in a future release of -\fBsudo\fR. -Because most dynamic loaders ignore -\fRLD_PRELOAD\fR -(or the equivalent) when running set-user-ID and set-group-ID programs, -\fBsudoers\fR -will not permit such programs to be run in -\fIintercept\fR -mode. -The Linux -seccomp(2)\-based -implementation does not share these restrictions. -.sp The \fIintercept\fR feature is known to work on Solaris, *BSD, Linux, macOS, HP-UX 11.x and AIX 5.3 and above. It should be supported on most operating systems that support the \fRLD_PRELOAD\fR -environment variable. -Check your operating system's manual pages for the dynamic linker -(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if -\fRLD_PRELOAD\fR -is supported. +environment variable or an equivalent. It is not possible to intercept shell built-in commands or restrict the ability to read or write sensitive files from within a shell. .sp @@ -6987,6 +7374,28 @@ you can always just try it out and check whether or not external commands run via a shell are logged when \fIintercept\fR is enabled. +.sp +There is an inherent race condition between when a command is checked against +\fBsudoers\fR +rules and when it is actually executed. +If a user is allowed to run arbitrary commands, they may be able +to change the +execve(2) +arguments in the program after the +\fBsudoers\fR +policy check has completed but before the new command is executed. +Starting with version 1.9.12, the +\fItrace\fR +method will verify that the command and its arguments have not +changed after +execve(2) +has completed but before execution of the new program has had a chance to run. +This is not the case with the +\fIdso\fR +method. +See the description of the +\fIintercept_verify\fR +setting for more information. .RE .TP 10n log @@ -7027,26 +7436,26 @@ The \fInoexec\fR functionality is capable of blocking execution of commands run via the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexect\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecveat\fR(), -\fBexecvP\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), -\fBfexecve\fR(), -\fBpopen\fR(), -\fBposix_spawn\fR(), -\fBposix_spawnp\fR(), -\fBsystem\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +exect(3), +execv(3), +execveat(3), +execvP(3), +execvp(3), +execvpe(3), +fexecve(3), +popen(3), +posix_spawn(3), +posix_spawnp(3), +system(3), and -\fBwordexp\fR() +wordexp(3) functions. On Linux, a -\fBseccomp\fR() +seccomp(2) filter is used to implement \fInoexec\fR. On Solaris 10 and higher, @@ -7088,9 +7497,11 @@ is enabled. .RE .PP Restricting shell escapes is not a panacea. -Programs running as root are still capable of many potentially hazardous -operations (such as changing or overwriting files) that could lead -to unintended privilege escalation. +Programs running as +\fBroot\fR +are still capable of many potentially hazardous operations (such +as changing or overwriting files) that could lead to unintended +privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run \fBsudoedit\fR @@ -7143,7 +7554,9 @@ $ sudoedit /etc/motd .RE .fi .PP -The editor will run as the operator user, not root, on a temporary copy of +The editor will run as the operator user, not +\fB@runas_default@\fR, +on a temporary copy of \fI/etc/motd\fR. After the file has been edited, \fI/etc/motd\fR @@ -7164,7 +7577,8 @@ not be followed in writable directories and will refuse to edit a file located in a writable directory unless the \fIsudoedit_checkdir\fR -option has been disabled or the invoking user is root. +option has been disabled or the invoking user is +\fBroot\fR. Additionally, in version 1.8.15 and higher, \fBsudoedit\fR will refuse to open a symbolic link unless either the @@ -7181,8 +7595,10 @@ file. will check the ownership of its time stamp directory (\fI@rundir@/ts\fR by default) -and ignore the directory's contents if it is not owned by root or -if it is writable by a user other than root. +and ignore the directory's contents if it is not owned by +\fBroot\fR +or if it is writable by a user other than +\fBroot\fR. Older versions of \fBsudo\fR stored time stamp files in @@ -7289,11 +7705,11 @@ The following subsystems are used by the plugin: .TP 10n \fIalias\fR -\fRUser_Alias\fR, -\fRRunas_Alias\fR, -\fRHost_Alias\fR +\fIUser_Alias\fR, +\fIRunas_Alias\fR, +\fIHost_Alias\fR and -\fRCmnd_Alias\fR +\fICmnd_Alias\fR processing .TP 10n \fIall\fR @@ -7423,7 +7839,7 @@ When using netgroups of machines (as opposed to users), if you store fully qualified host name in the netgroup (as is usually the case), you either need to have the machine's host name be fully qualified as returned by the -\fRhostname\fR +\fIhostname\fR command or use the \fIfqdn\fR option in |