1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
|
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
NNAAMMEE
sudoers - list of which users may execute what
DDEESSCCRRIIPPTTIIOONN
The _s_u_d_o_e_r_s file is composed of two types of entries:
aliases (basically variables) and user specifications
(which specify who may run what).
When multiple entries match for a user, they are applied
in order. Where there are multiple matches, the last
match is used (which is not necessarily the most specific
match).
The _s_u_d_o_e_r_s grammar will be described below in Extended
Backus-Naur Form (EBNF). Don't despair if you don't know
what EBNF is; it is fairly simple, and the definitions
below are annotated.
QQuuiicckk gguuiiddee ttoo EEBBNNFF
EBNF is a concise and exact way of describing the grammar
of a language. Each EBNF definition is made up of
_p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a
grammar for the language. EBNF also contains the
following operators, which many readers will recognize
from regular expressions. Do not, however, confuse them
with "wildcard" characters, which have different meanings.
? Means that the preceding symbol (or group of symbols)
is optional. That is, it may appear once or not at
all.
* Means that the preceding symbol (or group of symbols)
may appear zero or more times.
+ Means that the preceding symbol (or group of symbols)
may appear one or more times.
Parentheses may be used to group symbols together. For
clarity, we will use single quotes ('') to designate what
is a verbatim character string (as opposed to a symbol
name).
AAlliiaasseess
There are four kinds of aliases: User_Alias, Runas_Alias,
Host_Alias and Cmnd_Alias.
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
'Host_Alias' Host_Alias (':' Host_Alias)* |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
1.6.9p23 June 1, 2010 1
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
Each _a_l_i_a_s definition is of the form
Alias_Type NAME = item1, item2, ...
where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias,
Host_Alias, or Cmnd_Alias. A NAME is a string of
uppercase letters, numbers, and underscore characters
('_'). A NAME mmuusstt start with an uppercase letter. It is
possible to put several alias definitions of the same type
on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
The definitions of what constitutes a valid _a_l_i_a_s member
follow.
User_List ::= User |
User ',' User_List
User ::= '!'* username |
'!'* '%'group |
'!'* '+'netgroup |
'!'* User_Alias
A User_List is made up of one or more usernames, system
groups (prefixed with '%'), netgroups (prefixed with '+')
and other aliases. Each list item may be prefixed with
one or more '!' operators. An odd number of '!' operators
negate the value of the item; an even number just cancel
each other out.
Runas_List ::= Runas_User |
Runas_User ',' Runas_List
Runas_User ::= '!'* username |
'!'* '#'uid |
'!'* '%'group |
'!'* +netgroup |
'!'* Runas_Alias
A Runas_List is similar to a User_List except that it can
also contain uids (prefixed with '#') and instead of
User_Aliases it can contain Runas_Aliases. Note that
1.6.9p23 June 1, 2010 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
usernames and groups are matched as strings. In other
words, two users (groups) with the same uid (gid) are
considered to be distinct. If you wish to match all
usernames with the same uid (e.g. root and toor), you can
use a uid instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
Host ::= '!'* hostname |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* '+'netgroup |
'!'* Host_Alias
A Host_List is made up of one or more hostnames, IP
addresses, network numbers, netgroups (prefixed with '+')
and other aliases. Again, the value of an item may be
negated with the '!' operator. If you do not specify a
netmask along with the network number, ssuuddoo will query
each of the local host's network interfaces and, if the
network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used. The
netmask may be specified either in standard IP address
notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
CIDR notation (number of bits, e.g. 24 or 64). A hostname
may include shell-style wildcards (see the Wildcards
section below), but unless the hostname command on your
machine returns the fully qualified hostname, you'll need
to use the _f_q_d_n option for wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
commandname ::= filename |
filename args |
filename '""'
Cmnd ::= '!'* commandname |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
A Cmnd_List is a list of one or more commandnames,
directories, and other aliases. A commandname is a fully
qualified filename which may include shell-style wildcards
(see the Wildcards section below). A simple filename
allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
wwiitthhoouutt command line arguments. A directory is a fully
qualified pathname ending in a '/'. When you specify a
directory in a Cmnd_List, the user will be able to run any
1.6.9p23 June 1, 2010 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
file within that directory (but not in any subdirectories
therein).
If a Cmnd has associated command line arguments, then the
arguments in the Cmnd must match exactly those given by
the user on the command line (or match the wildcards if
there are any). Note that the following characters must
be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\'. The special command
"sudoedit" is used to permit a user to run ssuuddoo with the
--ee option (or as ssuuddooeeddiitt). It may take command line
arguments just as a normal command does.
DDeeffaauullttss
Certain configuration options may be changed from their
default values at runtime via one or more Default_Entry
lines. These may affect all users on any host, all users
on a specific host, a specific user, or commands being run
as a specific user.
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
'!'* Parameter
Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or
lliissttss. Flags are implicitly boolean and can be turned off
via the '!' operator. Some integer, string and list
parameters may also be used in a boolean context to
disable them. Values may be enclosed in double quotes (")
when they contain multiple words. Special characters may
be escaped with a backslash (\).
Lists have two additional assignment operators, += and -=.
These operators are used to add to and delete from a list
respectively. It is not an error to use the -= operator
to remove an element that does not exist in a list.
See "SUDOERS OPTIONS" for a list of supported Defaults
parameters.
UUsseerr SSppeecciiffiiccaattiioonn
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
1.6.9p23 June 1, 2010 4
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:')
A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may
run (and as what user) on specified hosts. By default,
commands are run as rroooott, but this can be changed on a
per-command basis.
Let's break that down into its constituent parts:
RRuunnaass__SSppeecc
A Runas_Spec is simply a Runas_List (as defined above)
enclosed in a set of parentheses. If you do not specify a
Runas_Spec in the user specification, a default Runas_Spec
of rroooott will be used. A Runas_Spec sets the default for
commands that follow it. What this means is that for the
entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m
-- but only as ooppeerraattoorr. E.g.,
$ sudo -u operator /bin/ls.
It is also possible to override a Runas_Spec later on in
an entry. If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
TTaagg__SSppeecc
A command may have zero or more tags associated with it.
There are six possible tag values, NOPASSWD, PASSWD,
NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a
Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
tag unless it is overridden by the opposite tag (i.e.:
PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
_N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D
By default, ssuuddoo requires that a user authenticate him or
herself before running a command. This behavior can be
modified via the NOPASSWD tag. Like a Runas_Spec, the
1.6.9p23 June 1, 2010 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
NOPASSWD tag sets a default for the commands that follow
it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
be used to reverse things. For example:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and
_/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott on the machine rushmore without
authenticating himself. If we only want rraayy to be able to
run _/_b_i_n_/_k_i_l_l without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users
who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option.
By default, if the NOPASSWD tag is applied to any of the
entries for a user on the current host, he or she will be
able to run sudo -l without a password. Additionally, a
user may only run sudo -v without a password if the
NOPASSWD tag is present for all a user's entries that
pertain to the current host. This behavior may be
overridden via the verifypw and listpw options.
_N_O_E_X_E_C _a_n_d _E_X_E_C
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the
underlying operating system supports it, the NOEXEC tag
can be used to prevent a dynamically-linked executable
from running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e
and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will
work on your system.
_S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
These tags override the value of the _s_e_t_e_n_v option on a
per-command basis. Note that if SETENV has been set for a
command, any environment variables set on the command line
way are not subject to the restrictions imposed by
_e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted
users should be allowed to set variables in this manner.
If the command matched is AALLLL, the SETENV tag is implied
for that command; this default may be overridden by use of
the UNSETENV tag.
WWiillddccaarrddss
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob
1.6.9p23 June 1, 2010 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
characters) to be used in hostnames, pathnames and command
line arguments in the _s_u_d_o_e_r_s file. Wildcard matching is
done via the PPOOSSIIXX _g_l_o_b(3) and _f_n_m_a_t_c_h(3) routines. Note
that these are _n_o_t regular expressions.
* Matches any set of zero or more characters.
? Matches any single character.
[...] Matches any character in the specified range.
[!...] Matches any character nnoott in the specified range.
\x For any character "x", evaluates to "x". This is
used to escape special characters such as: "*",
"?", "[", and "}".
Note that a forward slash ('/') will nnoott be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash ddooeess get matched by
wildcards. This is to make a path like:
/usr/bin/*
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line
argument in the _s_u_d_o_e_r_s entry it means that
command is not allowed to be run with aannyy
arguments.
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
The pound sign ('#') is used to indicate a comment (unless
it is part of a #include directive or unless it occurs in
the context of a user name and is followed by one or more
digits, in which case it is treated as a uid). Both the
comment character and any text after it, up to the end of
the line, are ignored.
The reserved word AALLLL is a built-in _a_l_i_a_s that always
causes a match to succeed. It can be used wherever one
might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
or Host_Alias. You should not try to define your own
_a_l_i_a_s called AALLLL as the built-in alias will be used in
preference to your own. Please note that using AALLLL can be
dangerous since in a command context, it allows the user
to run aannyy command on the system.
An exclamation point ('!') can be used as a logical _n_o_t
operator both in an _a_l_i_a_s and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
1.6.9p23 June 1, 2010 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
using a ! in conjunction with the built-in ALL alias to
allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
Long lines can be continued with a backslash ('\') as the
last character on the line.
Whitespace between elements in a list as well as special
syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':',
'(', ')') is optional.
The following characters must be escaped with a backslash
('\') when used as part of a word (e.g. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
SSUUDDOOEERRSS OOPPTTIIOONNSS
ssuuddoo's behavior can be modified by Default_Entry lines, as
explained earlier. A list of all supported Defaults
parameters, grouped by type, are listed below.
FFllaaggss:
always_set_home If set, ssuuddoo will set the HOME environment
variable to the home directory of the
target user (which is root unless the --uu
option is used). This effectively means
that the --HH option is always implied.
This flag is _o_f_f by default.
authenticate If set, users must authenticate themselves
via a password (or other means of
authentication) before they may run
commands. This default may be overridden
via the PASSWD and NOPASSWD tags. This
flag is _o_n by default.
env_editor If set, vviissuuddoo will use the value of the
EDITOR or VISUAL environment variables
before falling back on the default editor
list. Note that this may create a
security hole as it allows the user to run
any arbitrary command as root without
logging. A safer alternative is to place
a colon-separated list of editors in the
editor variable. vviissuuddoo will then only
use the EDITOR or VISUAL if they match a
value specified in editor. This flag is
_o_f_f by default.
env_reset If set, ssuuddoo will reset the environment to
only contain the LOGNAME, SHELL, USER,
USERNAME and the SUDO_* variables. Any
variables in the caller's environment that
match the env_keep and env_check lists are
1.6.9p23 June 1, 2010 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
then added. The default contents of the
env_keep and env_check lists are displayed
when ssuuddoo is run by root with the _-_V
option. If ssuuddoo was compiled with the
SECURE_PATH option, its value will be used
for the PATH environment variable. This
flag is _o_n by default.
fqdn Set this flag if you want to put fully
qualified hostnames in the _s_u_d_o_e_r_s file.
I.e., instead of myhost you would use
myhost.mydomain.edu. You may still use
the short form if you wish (and even mix
the two). Beware that turning on _f_q_d_n
requires ssuuddoo to make DNS lookups which
may make ssuuddoo unusable if DNS stops
working (for example if the machine is not
plugged into the network). Also note that
you must use the host's official name as
DNS knows it. That is, you may not use a
host alias (CNAME entry) due to
performance issues and the fact that there
is no way to get all aliases from DNS. If
your machine's hostname (as returned by
the hostname command) is already fully
qualified you shouldn't need to set _f_q_d_n.
This flag is _o_f_f by default.
ignore_dot If set, ssuuddoo will ignore '.' or ''
(current dir) in the PATH environment
variable; the PATH itself is not modified.
This flag is _o_f_f by default. Currently,
while it is possible to set _i_g_n_o_r_e___d_o_t in
_s_u_d_o_e_r_s, its value is not used. This
option should be considered read-only (it
will be fixed in a future version of
ssuuddoo).
ignore_local_sudoers
If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s
will be skipped. This is intended for
Enterprises that wish to prevent the usage
of local sudoers files so that only LDAP
is used. This thwarts the efforts of
rogue operators who would attempt to add
roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option
is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even
need to exist. Since this option tells
ssuuddoo how to behave when no specific LDAP
entries have been matched, this sudoOption
is only meaningful for the cn=defaults
section. This flag is _o_f_f by default.
insults If set, ssuuddoo will insult users when they
1.6.9p23 June 1, 2010 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
enter an incorrect password. This flag is
_o_f_f by default.
log_host If set, the hostname will be logged in the
(non-syslog) ssuuddoo log file. This flag is
_o_f_f by default.
log_year If set, the four-digit year will be logged
in the (non-syslog) ssuuddoo log file. This
flag is _o_f_f by default.
long_otp_prompt When validating with a One Time Password
(OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two-
line prompt is used to make it easier to
cut and paste the challenge to a local
window. It's not as pretty as the default
but some people find it more convenient.
This flag is _o_f_f by default.
mail_always Send mail to the _m_a_i_l_t_o user every time a
users runs ssuuddoo. This flag is _o_f_f by
default.
mail_badpass Send mail to the _m_a_i_l_t_o user if the user
running ssuuddoo does not enter the correct
password. This flag is _o_f_f by default.
mail_no_host If set, mail will be sent to the _m_a_i_l_t_o
user if the invoking user exists in the
_s_u_d_o_e_r_s file, but is not allowed to run
commands on the current host. This flag
is _o_f_f by default.
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o
user if the invoking user is allowed to
use ssuuddoo but the command they are trying
is not listed in their _s_u_d_o_e_r_s file entry
or is explicitly denied. This flag is _o_f_f
by default.
mail_no_user If set, mail will be sent to the _m_a_i_l_t_o
user if the invoking user is not in the
_s_u_d_o_e_r_s file. This flag is _o_n by default.
noexec If set, all commands run via ssuuddoo will
behave as if the NOEXEC tag has been set,
unless overridden by a EXEC tag. See the
description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as
well as the "PREVENTING SHELL ESCAPES"
section at the end of this manual. This
flag is _o_f_f by default.
path_info Normally, ssuuddoo will tell the user when a
command could not be found in their PATH
1.6.9p23 June 1, 2010 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
environment variable. Some sites may wish
to disable this as it could be used to
gather information on the location of
executables that the normal user does not
have access to. The disadvantage is that
if the executable is simply not in the
user's PATH, ssuuddoo will tell the user that
they are not allowed to run it, which can
be confusing. This flag is _o_n by default.
passprompt_override
The password prompt specified by
_p_a_s_s_p_r_o_m_p_t will normally only be used if
the password prompt provided by systems
such as PAM matches the string
"Password:". If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is
set, _p_a_s_s_p_r_o_m_p_t will always be used. This
flag is _o_f_f by default.
preserve_groups By default ssuuddoo will initialize the group
vector to the list of groups the target
user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set,
the user's existing group vector is left
unaltered. The real and effective group
IDs, however, are still set to match the
target user. This flag is _o_f_f by default.
requiretty If set, ssuuddoo will only run when the user
is logged in to a real tty. This will
disallow things like "rsh somehost sudo
ls" since _r_s_h(1) does not allocate a tty.
Because it is not possible to turn off
echo when there is no tty present, some
sites may wish to set this flag to prevent
a user from entering a visible password.
This flag is _o_f_f by default.
root_sudo If set, root is allowed to run ssuuddoo too.
Disabling this prevents users from
"chaining" ssuuddoo commands to get a root
shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off
_r_o_o_t___s_u_d_o will also prevent root and from
running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o
provides no real additional security; it
exists purely for historical reasons.
This flag is _o_n by default.
rootpw If set, ssuuddoo will prompt for the root
password instead of the password of the
invoking user. This flag is _o_f_f by
default.
runaspw If set, ssuuddoo will prompt for the password
1.6.9p23 June 1, 2010 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t
option (defaults to root) instead of the
password of the invoking user. This flag
is _o_f_f by default.
set_home If set and ssuuddoo is invoked with the --ss
option the HOME environment variable will
be set to the home directory of the target
user (which is root unless the --uu option
is used). This effectively makes the --ss
option imply --HH. This flag is _o_f_f by
default.
set_logname Normally, ssuuddoo will set the LOGNAME, USER
and USERNAME environment variables to the
name of the target user (usually root
unless the --uu option is given). However,
since some programs (including the RCS
revision control system) use LOGNAME to
determine the real identity of the user,
it may be desirable to change this
behavior. This can be done by negating
the set_logname option. Note that if the
_e_n_v___r_e_s_e_t option has not been disabled,
entries in the _e_n_v___k_e_e_p list will override
the value of _s_e_t___l_o_g_n_a_m_e. This flag is
_o_f_f by default.
setenv Allow the user to disable the _e_n_v___r_e_s_e_t
option from the command line.
Additionally, environment variables set
via the command line are not subject to
the restrictions imposed by _e_n_v___c_h_e_c_k,
_e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only
trusted users should be allowed to set
variables in this manner. This flag is
_o_f_f by default.
shell_noargs If set and ssuuddoo is invoked with no
arguments it acts as if the --ss option had
been given. That is, it runs a shell as
root (the shell is determined by the SHELL
environment variable if it is set, falling
back on the shell listed in the invoking
user's /etc/passwd entry if not). This
flag is _o_f_f by default.
fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function
to do shell-style globbing when matching
pathnames. However, since it accesses the
file system, _g_l_o_b(3) can take a long time
to complete for some patterns, especially
when the pattern references a network file
system that is mounted on demand
1.6.9p23 June 1, 2010 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
(automounted). The _f_a_s_t___g_l_o_b option
causes ssuuddoo to use the _f_n_m_a_t_c_h(3)
function, which does not access the file
system to do its matching. The
disadvantage of _f_a_s_t___g_l_o_b is that it is
unable to match relative pathnames such as
_._/_l_s or _._._/_b_i_n_/_l_s. This has security
implications when path names that include
globbing characters are used with the
negation operator, '!', as such rules can
be trivially bypassed. As such, this
option should not be used when _s_u_d_o_e_r_s
contains rules that contain negated path
names which include globbing characters.
This flag is _o_f_f by default.
stay_setuid Normally, when ssuuddoo executes a command the
real and effective UIDs are set to the
target user (root by default). This
option changes that behavior such that the
real UID is left as the invoking user's
UID. In other words, this makes ssuuddoo act
as a setuid wrapper. This can be useful
on systems that disable some potentially
dangerous functionality when a program is
run setuid. This option is only effective
on systems with either the _s_e_t_r_e_u_i_d_(_) or
_s_e_t_r_e_s_u_i_d_(_) function. This flag is _o_f_f by
default.
targetpw If set, ssuuddoo will prompt for the password
of the user specified by the --uu option
(defaults to root) instead of the password
of the invoking user. Note that this
precludes the use of a uid not listed in
the passwd database as an argument to the
--uu option. This flag is _o_f_f by default.
tty_tickets If set, users must authenticate on a per-
tty basis. Normally, ssuuddoo uses a
directory in the ticket dir with the same
name as the user running it. With this
flag enabled, ssuuddoo will use a file named
for the tty the user is logged in on in
that directory. This flag is _o_f_f by
default.
umask_override If set, ssuuddoo will set the umask as
specified by _s_u_d_o_e_r_s without modification.
This makes it possible to specify a more
permissive umask in _s_u_d_o_e_r_s than the
user's own umask and matches historical
behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set,
ssuuddoo will set the umask to be the union of
1.6.9p23 June 1, 2010 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the user's umask and what is specified in
_s_u_d_o_e_r_s. This flag is _o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults
specified for the target user's login
class if one exists. Only available if
ssuuddoo is configured with the
--with-logincap option. This flag is _o_f_f
by default.
IInntteeggeerrss:
passwd_tries The number of tries a user gets to enter
his/her password before ssuuddoo logs the
failure and exits. The default is 3.
IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
loglinelen Number of characters per line for the file
log. This value is used to decide when to
wrap lines for nicer log files. This has
no effect on the syslog log file, only the
file log. The default is 80 (use 0 or
negate the option to disable word wrap).
passwd_timeout Number of minutes before the ssuuddoo password
prompt times out. The default is 5; set
this to 0 for no password timeout.
timestamp_timeout
Number of minutes that can elapse before
ssuuddoo will ask for a passwd again. The
default is 5. Set this to 0 to always
prompt for a password. If set to a value
less than 0 the user's timestamp will
never expire. This can be used to allow
users to create or delete their own
timestamps via sudo -v and sudo -k
respectively.
umask Umask to use when running the command.
Negate this option or set it to 0777 to
preserve the user's umask. The actual
umask that is used will be the union of
the user's umask and 0022. This
guarantees that ssuuddoo never lowers the
umask when running a command. Note on
systems that use PAM, the default PAM
configuration may specify its own umask
which will override the value set in
_s_u_d_o_e_r_s.
SSttrriinnggss:
1.6.9p23 June 1, 2010 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
badpass_message Message that is displayed if a user enters
an incorrect password. The default is
Sorry, try again. unless insults are
enabled.
editor A colon (':') separated list of editors
allowed to be used with vviissuuddoo. vviissuuddoo
will choose the editor that matches the
user's EDITOR environment variable if
possible, or the first editor in the list
that exists and is executable. The
default is the path to vi on your system.
mailsub Subject of the mail sent to the _m_a_i_l_t_o
user. The escape %h will expand to the
hostname of the machine. Default is ***
SECURITY information for %h ***.
noexec_file Path to a shared library containing dummy
versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and
_f_e_x_e_c_v_e_(_) library functions that just
return an error. This is used to
implement the _n_o_e_x_e_c functionality on
systems that support LD_PRELOAD or its
equivalent. Defaults to
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
passprompt The default prompt to use when asking for
a password; can be overridden via the --pp
option or the SUDO_PROMPT environment
variable. The following percent (`%')
escapes are supported:
%H expanded to the local hostname
including the domain name (on if the
machine's hostname is fully qualified
or the _f_q_d_n option is set)
%h expanded to the local hostname without
the domain name
%p expanded to the user whose password is
being asked for (respects the _r_o_o_t_p_w,
_t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s)
%U expanded to the login name of the user
the command will be run as (defaults
to root)
%u expanded to the invoking user's login
name
%% two consecutive % characters are
collapsed into a single % character
1.6.9p23 June 1, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The default value is Password:.
runas_default The default user to run commands as if the
--uu option is not specified on the command
line. This defaults to root. Note that
if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user
authenticates unsuccessfully. Defaults to
alert.
syslog_goodpri Syslog priority to use when user
authenticates successfully. Defaults to
notice.
timestampdir The directory in which ssuuddoo stores its
timestamp files. The default is
_/_v_a_r_/_r_u_n_/_s_u_d_o.
timestampowner The owner of the timestamp directory and
the timestamps stored therein. The
default is root.
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
exempt_group
Users in this group are exempt from password
and PATH requirements. This is not set by
default.
lecture This option controls when a short lecture will
be printed along with the password prompt. It
has the following possible values:
always Always lecture the user.
never Never lecture the user.
once Only lecture the user the first time
they run ssuuddoo.
If no value is specified, a value of _o_n_c_e is
implied. Negating the option results in a
value of _n_e_v_e_r being used. The default value
is _o_n_c_e.
lecture_file
Path to a file containing an alternate ssuuddoo
lecture that will be used in place of the
standard lecture if the named file exists. By
default, ssuuddoo uses a built-in lecture.
listpw This option controls when a password will be
1.6.9p23 June 1, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
required when a user runs ssuuddoo with the --ll
option. It has the following possible values:
all All the user's _s_u_d_o_e_r_s entries for the
current host must have the NOPASSWD
flag set to avoid entering a password.
always The user must always enter a password
to use the --ll option.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid
entering a password.
never The user need never enter a password
to use the --ll option.
If no value is specified, a value of _a_n_y is
implied. Negating the option results in a
value of _n_e_v_e_r being used. The default value
is _a_n_y.
logfile Path to the ssuuddoo log file (not the syslog log
file). Setting a path turns on logging to a
file; negating this option turns it off. By
default, ssuuddoo logs via syslog.
mailerflags Flags to use when invoking mailer. Defaults to
--tt.
mailerpath Path to mail program used to send warning
mail. Defaults to the path to sendmail found
at configure time.
mailto Address to send warning and error mail to.
The address should be enclosed in double
quotes (") to protect against ssuuddoo
interpreting the @ sign. Defaults to root.
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
Defaults to local2.
verifypw This option controls when a password will be
required when a user runs ssuuddoo with the --vv
option. It has the following possible values:
all All the user's _s_u_d_o_e_r_s entries for the
current host must have the NOPASSWD
flag set to avoid entering a password.
always The user must always enter a password
to use the --vv option.
1.6.9p23 June 1, 2010 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid
entering a password.
never The user need never enter a password
to use the --vv option.
If no value is specified, a value of _a_l_l is
implied. Negating the option results in a
value of _n_e_v_e_r being used. The default value
is _a_l_l.
LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
env_check Environment variables to be removed from
the user's environment if the variable's
value contains % or / characters. This
can be used to guard against printf-style
format vulnerabilities in poorly-written
programs. The argument may be a double-
quoted, space-separated list or a single
value without double-quotes. The list can
be replaced, added to, deleted from, or
disabled by using the =, +=, -=, and !
operators respectively. Regardless of
whether the env_reset option is enabled or
disabled, variables specified by env_check
will be preserved in the environment if
they pass the aforementioned check. The
default list of environment variables to
check is displayed when ssuuddoo is run by
root with the _-_V option.
env_delete Environment variables to be removed from
the user's environment. The argument may
be a double-quoted, space-separated list
or a single value without double-quotes.
The list can be replaced, added to,
deleted from, or disabled by using the =,
+=, -=, and ! operators respectively. The
default list of environment variables to
remove is displayed when ssuuddoo is run by
root with the _-_V option. Note that many
operating systems will remove potentially
dangerous variables from the environment
of any setuid process (such as ssuuddoo).
env_keep Environment variables to be preserved in
the user's environment when the _e_n_v___r_e_s_e_t
option is in effect. This allows fine-
grained control over the environment
ssuuddoo-spawned processes will receive. The
argument may be a double-quoted, space-
1.6.9p23 June 1, 2010 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
separated list or a single value without
double-quotes. The list can be replaced,
added to, deleted from, or disabled by
using the =, +=, -=, and ! operators
respectively. The default list of
variables to keep is displayed when ssuuddoo
is run by root with the _-_V option.
When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following
values for the syslog facility (the value of the ssyysslloogg
Parameter): aauutthhpprriivv (if your OS supports it), aauutthh,
ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44,
llooccaall55, llooccaall66, and llooccaall77. The following syslog
priorities are supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr,
iinnffoo, nnoottiiccee, and wwaarrnniinngg.
FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
_/_e_t_c_/_g_r_o_u_p Local groups file
_/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups
EEXXAAMMPPLLEESS
Since the _s_u_d_o_e_r_s file is parsed in a single pass, order
is important. In general, you should structure _s_u_d_o_e_r_s
such that the Host_Alias, User_Alias, and Cmnd_Alias
specifications come first, followed by any Default_Entry
lines, and finally the Runas_Alias and user
specifications. The basic rule of thumb is you cannot
reference an Alias that has not already been defined.
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of
these are a bit contrived. First, we define our _a_l_i_a_s_e_s:
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
1.6.9p23 June 1, 2010 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Here we override some of the compiled in default values.
We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility
in all cases. We don't want to subject the full time
staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a
password, and we don't want to reset the LOGNAME, USER or
USERNAME environment variables when running commands as
root. Additionally, on the machines in the _S_E_R_V_E_R_S
Host_Alias, we keep an additional local log file and make
sure we log the year in each log line since the log
entries will be kept around for several years. Lastly, we
disable shell escapes for the commands in the PAGERS
Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s).
# Override built-in defaults
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually
determines who may run what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
We let rroooott and any user in group wwhheeeell run any command on
any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run
any command on any host without authenticating themselves.
PARTTIMERS ALL = ALL
Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run
any command on any host but they must authenticate
themselves first (since the entry lacks the NOPASSWD tag).
1.6.9p23 June 1, 2010 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the
_C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0,
and 128.138.242.0). Of those networks, only 128.138.204.0
has an explicit netmask (in CIDR notation) indicating it
is a class C network. For the other networks in _C_S_N_E_T_S,
the local machine's netmask will be used during matching.
lisa CUNETS = ALL
The user lliissaa may run any command on any host in the
_C_U_N_E_T_S alias (the class B network 128.138.0.0).
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
The ooppeerraattoorr user may run commands limited to simple
maintenance. Here, those are commands related to backups,
killing processes, the printing system, shutting down the
system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/.
joe ALL = /usr/bin/su operator
The user jjooee may only _s_u(1) to operator.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user ppeettee is allowed to change anyone's password
except for root on the _H_P_P_A machines. Note that this
assumes _p_a_s_s_w_d(1) does not take multiple usernames on the
command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user bboobb may run anything on the _S_P_A_R_C and _S_G_I
machines as any user listed in the _O_P Runas_Alias (rroooott
and ooppeerraattoorr).
jim +biglab = ALL
The user jjiimm may run any command on machines in the _b_i_g_l_a_b
netgroup. ssuuddoo knows that "biglab" is a netgroup due to
the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the sseeccrreettaarriieess netgroup need to help manage the
printers as well as add and remove users, so they are
allowed to run those commands on all machines.
fred ALL = (DB) NOPASSWD: ALL
The user ffrreedd can run commands as any user in the _D_B
1.6.9p23 June 1, 2010 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except
root but he is not allowed to specify any options to the
_s_u(1) command.
jen ALL, !SERVERS = ALL
The user jjeenn may run any command on any machine except for
those in the _S_E_R_V_E_R_S Host_Alias (master, mail, www and
ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run
any commands in the directory _/_u_s_r_/_b_i_n_/ except for those
commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
The user sstteevvee may run any command in the directory
/usr/local/op_commands/ but only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie, mmaatttt needs to be
able to kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias
(will, wendy, and wim), may run any command as user www
(which owns the web pages) or simply _s_u(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in
the CDROM Host_Alias (orion, perseus, hercules) without
entering a password. This is a bit tedious for users to
type, so it is a prime candidate for encapsulating in a
shell script.
SSEECCUURRIITTYY NNOOTTEESS
It is generally not effective to "subtract" commands from
ALL using the '!' operator. A user can trivially
circumvent this by copying the desired command to a
different name and then executing that. For example:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bbiillll from running the commands
1.6.9p23 June 1, 2010 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
listed in _S_U or _S_H_E_L_L_S since he can simply copy those
commands to a different name, or use a shell escape from
an editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and
reinforced by policy).
Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not
possible to reliably negate commands where the path name
includes globbing (aka wildcard) characters. This is
because the C library's _f_n_m_a_t_c_h(3) function cannot resolve
relative paths. While this is typically only an
inconvenience for rules that grant privileges, it can
result in a security issue for rules that subtract or
revoke privileges.
For example, given the following _s_u_d_o_e_r_s entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b
is enabled by changing to _/_u_s_r_/_b_i_n and running ./passwd
root instead.
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
Once ssuuddoo executes a program, that program is free to do
whatever it pleases, including run other programs. This
can be a security issue since it is not uncommon for a
program to allow shell escapes, which lets a user bypass
ssuuddoo's access control and logging. Common programs that
permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
There are two basic approaches to this problem:
restrict Avoid giving users access to commands that allow
the user to run arbitrary commands. Many
editors have a restricted mode where shell
escapes are disabled, though ssuuddooeeddiitt is a
better solution to running editors via ssuuddoo.
Due to the large number of programs that offer
shell escapes, restricting users to the set of
programs that do not if often unworkable.
noexec Many systems that support shared libraries have
the ability to override default library
functions by pointing an environment variable
(usually LD_PRELOAD) to an alternate shared
library. On such systems, ssuuddoo's _n_o_e_x_e_c
functionality can be used to prevent a program
run by ssuuddoo from executing any other programs.
Note, however, that this applies only to native
dynamically-linked executables. Statically-
linked executables and foreign executables
1.6.9p23 June 1, 2010 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
running under binary emulation are not affected.
To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you
can run the following as root:
sudo -V | grep "dummy exec"
If the resulting output contains a line that
begins with:
File containing dummy exec functions:
then ssuuddoo may be able to replace the exec family
of functions in the standard library with its
own that simply return an error. Unfortunately,
there is no foolproof way to know whether or not
_n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known nnoott
to work on AIX and UnixWare. _n_o_e_x_e_c is expected
to work on most operating systems that support
the LD_PRELOAD environment variable. Check your
operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl,
rld, or loader) to see if LD_PRELOAD is
supported.
To enable _n_o_e_x_e_c for a command, use the NOEXEC
tag as documented in the User Specification
section above. Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will
prevent those two commands from executing other
commands (such as a shell). If you are unsure
whether or not your system is capable of
supporting _n_o_e_x_e_c you can always just try it out
and see if it works.
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many
potentially hazardous operations (such as changing or
overwriting files) that could lead to unintended privilege
escalation. In the specific case of an editor, a safer
approach is to give the user permission to run ssuuddooeeddiitt.
SSEEEE AALLSSOO
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_u_d_o(1m), _v_i_s_u_d_o(8)
CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo
command which locks the file and does grammatical
1.6.9p23 June 1, 2010 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
checking. It is imperative that _s_u_d_o_e_r_s be free of syntax
errors since ssuuddoo will not run with a syntactically
incorrect _s_u_d_o_e_r_s file.
When using netgroups of machines (as opposed to users), if
you store fully qualified hostnames in the netgroup (as is
usually the case), you either need to have the machine's
hostname be fully qualified as returned by the hostname
command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Limited free support is available via the sudo-users
mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to
subscribe or search the archives.
DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied
warranties, including, but not limited to, the implied
warranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
1.6.9p23 June 1, 2010 25
|