path: root/sudoers.pod
blob: de8d045dd52bb4701202e34aee8941d080a9d7c1 (plain)
=cut
$Id$
=pod

=head1 NAME

sudoers - list of which users may execute what as root

=head1 DESCRIPTION

The I<sudoers> file is composed of optional host, user, runas and
command alias sections and the user specification section.
All aliases need to start with their respective keywords
(i.e. Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).
If there are multiple entries for the same user, the union of those
entries will be used.

=head2 user specification format:

  user access_group [: access_group] ...

    access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
                     [,[(runas_list)] [NOPASSWD:] [op]cmnd_type] ...
       host_type ::= a lower-case hostname, netgroup, ip address,
                     network number, network number/netmask,
                     or host alias.
      runas_list ::= comma-separated list of users, groups,
                     netgroups or Runas_Aliases the user may run
                     commands as (default is root).
       cmnd_type ::= a command OR a command alias.
              op ::= the logical "!" NOT operator.

=head2 host alias section format:

  Host_Alias HOSTALIAS = host-list

      Host_Alias ::= a keyword.
       HOSTALIAS ::= an upper-case alias name.
       host-list ::= a comma separated list of hosts, netgroups,
                     ip addresses, networks.

=head2 user alias section format:

  User_Alias USERALIAS = user-list

      User_Alias ::= a keyword.
       USERALIAS ::= an upper-case alias name.
       user-list ::= a comma separated list of users, groups, netgroups.

=head2 runas alias section format:

  Runas_Alias RUNASALIAS = runas-list

      Runas_Alias ::= a keyword.
       RUNASALIAS ::= an upper-case alias name.
       runas-list ::= a comma separated list of users, groups, netgroups.

=head2 command alias section format:

  Cmnd_Alias CMNDALIAS = cmnd-list

      Cmnd_Alias ::= a keyword.
       CMNDALIAS ::= an upper-case alias name.
       cmnd-list ::= a comma separated list of commands.

=head2 command specification:

  path arg1 arg2 .. argn = command

            path ::= a fully qualified pathname.
       arg[1..n] ::= optional command line arguments.

=head2 wildcards (aka meta characters):

B<sudo> allows shell-style I<wildcards> along with command arguments
in the I<sudoers> file.  Wildcard matching is done via the B<POSIX>
C<fnmatch(3)> routine.

=over 8

=item C<*>

Matches any set of zero or more characters.

=item C<?>

Matches any single character.

=item C<[...]>

Matches any character in the specified range.

=item C<[!...]>

Matches any character B<not> in the specified range.

=item C<\x>

For any character "x", evaluates to "x".  This is used to
escape special characters such as: "*", "?", "[", and "]".

=back

=head2 exceptions to wildcard rules:

The following exceptions apply to the above rules:

=over 8

=item C<"">

If the empty string C<""> is the only command line argument in the
I<sudoers> entry it means that command may take B<no> arguments.

=back

=head2 other special characters and reserved words:

Text after a pound sign (B<#>) is considered a comment.
Words that begin with a percent sign (B<%>) are assumed to
be UN*X groups (%staff refers to users in the group I<staff>).
Words that begin with a plus sign (B<+>) are assumed to
be netgroups (B<+cshosts> refers to the netgroup I<cshosts>).
Long lines can be newline escaped with the backslash B<\> character.
The reserved word B<NOPASSWD> indicates that a user need not
enter a password for the command listed in that entry.

The reserved alias I<ALL> can be used in any of {Host,User,Cmnd}_Alias.
B<DO NOT> define an alias of I<ALL>, it will B<NOT> be used.
Note that I<ALL> implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:

   user  host=ALL,!ALIAS1,!/etc/halt...

Note that the "!" notation only works in a user's command list.  You
may not use it to subtract elements in a User_Alias, Host_Alias,
Cmnd_Alias or user list.

Commands may have optional command line arguments.  If they do,
then the arguments in the I<sudoers> file must exactly match those
on the command line.  It is also possible to have a command's
arguments span multiple lines as long as the line continuance
character "\" is used.  The following characters must be escaped
with a "\" if used in command arguments: ",", ":", "=", "\".
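As an added illustration (not code from B<sudo> itself), the Python below evaluates a user's command list the way the rules above describe: fnmatch-style wildcards on arguments, the C<""> no-arguments exception, the C<\,> escape, "!" subtraction and a trailing "/" directory entry. The last-match-wins order, the directory semantics and the C<CMND_ALIASES> table (a constructed subset of the EXAMPLES section) are assumptions of this example.

```python
import fnmatch

CMND_ALIASES = {  # constructed subset of the Cmnd_Aliases in the EXAMPLES section
    "SHELLS": ["/bin/sh", "/bin/csh", "/bin/tcsh", "/bin/ksh"],
    "SU": ["/bin/su"],
}

def split_cmnd_list(spec):
    """Split a comma-separated cmnd-list, honouring the "\\," escape."""
    items, cur, i = [], "", 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec):   # "\," "\:" "\=" "\\" -> literal char
            cur += spec[i + 1]
            i += 1
        elif ch == ",":
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    items.append(cur.strip())
    return [x for x in items if x]

def cmnd_matches(entry, path, args):
    """Match one cmnd entry (path plus optional arguments) against an invocation."""
    parts = entry.split(None, 1)
    epath, eargs = parts[0], parts[1] if len(parts) > 1 else None
    if epath.endswith("/"):                   # assumed: any file directly in that directory
        return path.startswith(epath) and "/" not in path[len(epath):]
    if epath != path:
        return False
    if eargs is None:                         # no arguments listed: any are accepted
        return True
    if eargs == '""':                         # the "" exception: no arguments allowed
        return args == ""
    return fnmatch.fnmatchcase(args, eargs)   # shell-style wildcards, as fnmatch(3) does

def allowed(cmnd_list, path, args=""):
    """Walk the command list left to right; the last matching item decides (assumed)."""
    verdict = False
    for item in split_cmnd_list(cmnd_list):
        negate = item.startswith("!")
        name = item[1:] if negate else item
        entries = ["ALL"] if name == "ALL" else CMND_ALIASES.get(name, [name])
        for entry in entries:
            if entry == "ALL" or cmnd_matches(entry, path, args):
                verdict = not negate
    return verdict
```

With the C<jimbo> entry from the examples, C<allowed("/bin/su ?*,!/bin/su root", "/bin/su", "root")> is false while the same call with C<"operator"> is true.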

=head1 EXAMPLES

    # Host alias specification
    Host_Alias  HUB=houdini:\
                REMOTE=merlin,kodiakthorn,spirit
    Host_Alias  SERVERS=houdini,merlin,kodiakthorn,spirit
    Host_Alias  CUNETS=128.138.0.0/255.255.0.0
    Host_Alias  CSNETS=128.138.243.0,128.138.204.0,\
                       128.138.205.192

    # User alias specification
    User_Alias  FULLTIME=millert,dowdy,mikef
    User_Alias  PARTTIME=juola,mccreary,tor

    # Runas alias specification
    Runas_Alias OP=root,operator

    # Command alias specification
    Cmnd_Alias  LPCS=/usr/etc/lpc,/usr/ucb/lprm
    Cmnd_Alias  SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
    Cmnd_Alias  SU=/bin/su
    Cmnd_Alias  MISC=/bin/rm,/bin/cat:\
                SHUTDOWN=/etc/halt,/etc/shutdown

    # User specification
    FULLTIME    ALL=(ALL) NOPASSWD: ALL
    %wheel      ALL=ALL
    PARTTIME    ALL=ALL,!SHELLS,!SU
    +interns    +openlabs=ALL,!SHELLS,!SU
    britt       REMOTE=SHUTDOWN:ALL=LPCS
    jimbo       CUNETS=/bin/su ?*,!/bin/su root
    nieusma     SERVERS=SHUTDOWN,/etc/reboot:\
                HUB=ALL,!SHELLS
    jill        houdini=/etc/shutdown -[hr] now,MISC
    markm       HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
    davehieb    merlin=(OP) ALL:SERVERS=/etc/halt:\
                kodiakthorn=NOPASSWD: ALL
    steve       CSNETS=(operator) /usr/op_commands/

=head2 Host Alias specifications:

There are four I<host aliases>.  The first actually contains
two I<aliases>.  It sets C<HUB> to be C<houdini> and C<REMOTE>
to the three machines C<merlin>, C<kodiakthorn> and C<spirit>.
Similarly, C<SERVERS> is set to the machines C<houdini>, C<merlin>,
C<kodiakthorn> and C<spirit>.  The C<CSNETS> alias will match
any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192
nets.  The C<CUNETS> alias will match any host on the 128.138.0.0
(class B) network.  Note that these are B<network> addresses, not ip
addresses.  Unless an explicit netmask is given, the local I<netmask>
is used to determine whether or not the current host belongs to a network.

=head2 User Alias specifications:

The two I<user aliases> simply group the C<FULLTIME> and
C<PARTTIME> folks into two separate aliases.

=head2 Command alias specifications:

Command aliases are lists of commands with or without associated
command line arguments.  The entries above should be self-explanatory.

=head2 User specifications:

=over 16

=item FULLTIME

Full-time sysadmins in the C<FULLTIME> alias may run any
command on any host as any user without a password.

=item %wheel

Any user in the UN*X group C<wheel> may run any
command on any host.

=item PARTTIME

Part-time sysadmins in the C<PARTTIME> alias may run any
command except those in the C<SHELLS> and C<SU> aliases
on any host.

=item +interns

Any user in the netgroup C<interns> may run any
command except those in the C<SHELLS> and C<SU> aliases
on any host that is in the C<openlabs> netgroup.

=item britt

The user C<britt> may run commands in the C<SHUTDOWN> alias
on the C<REMOTE> machines and commands in the C<LPCS> alias
on any machine.

=item jimbo

The user C<jimbo> may C<su> to any user save root on the
machines on C<CUNETS> (which is explicitly listed as a class
B network).

=item nieusma

The user C<nieusma> may run commands in the C<SHUTDOWN> alias
as well as F</etc/reboot> on the C<SERVERS> machines and
any command except those in the C<SHELLS> alias on the C<HUB>
machines.

=item jill

The user C<jill> may run C</etc/shutdown -h now> or
C</etc/shutdown -r now> as well as the commands in the
C<MISC> alias on houdini.

=item markm

The user C<markm> may run any command on the C<HUB> machines
except F</etc/shutdown>, F</etc/halt>, and commands listed
in the C<MISC> alias.

=item davehieb

The user C<davehieb> may run any command on C<merlin> as any
user in the Runas_Alias OP (ie: root or operator).  He may
also run F</etc/halt> on the C<SERVERS> and any command
on C<kodiakthorn> (no password required on C<kodiakthorn>).

=item steve

The user C<steve> may run any command in the F</usr/op_commands/>
directory as user C<operator> on the machines on C<CSNETS>.

=back

=head1 CAVEATS

The I<sudoers> file should B<always> be edited by the B<visudo>
command which locks the file and does grammatical checking. It is
imperative that the I<sudoers> be free of syntax errors since sudo
will not run with a syntactically incorrect I<sudoers> file.

=head1 FILES

 /etc/sudoers		file of authorized users.
 /etc/netgroup		list of network groups.

=head1 SEE ALSO

sudo(8), visudo(8), su(1), fnmatch(3).