sudoers
—
sudo
privileges. It is the default
sudo
policy plugin. The policy is driven by
the /etc/sudoers file or, optionally in
LDAP. The policy format is described in detail in the
SUDOERS FILE FORMAT
section. For information on storing sudoers
policy information in LDAP, please see
sudoers.ldap(5).
sudo
consults the
sudo.conf(5) file to determine which policy and
and I/O logging plugins to load. If no
sudo.conf(5) file is present, or if it contains
no Plugin
lines,
sudoers
will be used for policy decisions
and I/O logging. To explicitly configure
sudo.conf(5) to use the
sudoers
plugin, the following configuration
can be used.
Plugin sudoers_policy sudoers.so Plugin sudoers_io sudoers.so
sudo
1.8.5, it is possible to
specify optional arguments to the sudoers
plugin in the sudo.conf(5) file. These arguments,
if present, should be listed after the path to the plugin (i.e. after
sudoers.so). Multiple arguments may be
specified, separated by white space. For example:
Plugin sudoers_policy sudoers.so sudoers_mode=0400
sudo
. A password is not required if the
invoking user is root, if the target user is the same as the invoking user, or
if the policy has disabled authentication for the user or command. Unlike
su(1), when sudoers
requires authentication, it validates the invoking user's credentials, not the
target user's (or root's) credentials. This can be changed via the
rootpw, targetpw and
runaspw flags, described later.
If a user who is not listed in the policy tries to run a command via
sudo
, mail is sent to the proper
authorities. The address used for such mail is configurable via the
mailto Defaults entry (described later) and
defaults to root
.
Note that mail will not be sent if an unauthorized user tries to run
sudo
with the
-l
or -v
option. This allows users to determine for themselves whether or not they are
allowed to use sudo
.
If sudo
is run by root and the
SUDO_USER
environment variable is set, the
sudoers policy will use this value to determine
who the actual user is. This can be used by a user to log commands through
sudo even when a root shell has been invoked. It also allows the
-e
option to remain useful even when
invoked via a sudo-run script or program. Note, however, that the
sudoers lookup is still done for root, not the
user specified by SUDO_USER
.
sudoers uses per-user time stamp files for
credential caching. Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the terminal session ID, and
a time stamp (using a monotonic clock if one is available). The user may then
use sudo
without a password for a short
period of time (5
minutes unless overridden by the
timeout option). By default,
sudoers uses a separate record for each tty,
which means that a user's login sessions are authenticated separately. The
tty_tickets option can be disabled to force the
use of a single time stamp for all of a user's sessions.
sudoers can log both successful and unsuccessful
attempts (as well as errors) to syslog(3), a log
file, or both. By default, sudoers will log via
syslog(3) but this is changeable via the
syslog and logfile
Defaults settings.
sudoers also supports logging a command's input and
output streams. I/O logging is not on by default but can be enabled using the
log_input and
log_output Defaults flags as well as the
LOG_INPUT
and LOG_OUTPUT
command tags.
TERM
,
PATH
,
HOME
,
MAIL
,
SHELL
,
LOGNAME
,
USER
,
USERNAME
and
SUDO_*
variables in addition to variables
from the invoking process permitted by the
env_check and
env_keep options. This is effectively a whitelist
for environment variables.
If, however, the env_reset option is disabled, any
variables not explicitly denied by the env_check
and env_delete options are inherited from the
invoking process. In this case, env_check and
env_delete behave like a blacklist. Since it is
not possible to blacklist all potentially dangerous environment variables, use
of the default env_reset behavior is encouraged.
In all cases, environment variables with a value beginning with
()
are removed as they could be interpreted as
bash functions. The list of environment variables
that sudo
allows or denies is contained in
the output of “sudo -V
” when run as
root.
Note that the dynamic linker on most operating systems will remove variables
that can control dynamic linking from the environment of setuid executables,
including sudo
. Depending on the operating
system this may include _RLD*
,
DYLD_*
,
LD_*
,
LDR_*
,
LIBPATH
,
SHLIB_PATH
, and others. These type of
variables are removed from the environment before
sudo
even begins execution and, as such, it
is not possible for sudo
to preserve them.
As a special case, if sudo
's
-i
option (initial login) is specified,
sudoers will initialize the environment
regardless of the value of env_reset. The
DISPLAY
,
PATH
and
TERM
variables remain unchanged;
HOME
,
MAIL
,
SHELL
,
USER
, and
LOGNAME
are set based on the target user.
On AIX (and Linux systems without PAM), the contents of
/etc/environment are also included. On BSD
systems, if the use_loginclass option is enabled,
the path and setenv
variables in /etc/login.conf are also
applied. All other environment variables are removed.
Finally, if the env_file option is defined, any
variables present in that file will be set to their specified values as long
as they would not conflict with an existing environment variable.
symbol ::= definition
|
alternate1
| alternate2 ...
Each production rule references others and thus
makes up a grammar for the language. EBNF also contains the following
operators, which many readers will recognize from regular expressions. Do not,
however, confuse them with “wildcard” characters, which have
different meanings.
?
*
+
User_Alias
,
Runas_Alias
, Host_Alias
and
Cmnd_Alias
.
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | 'Host_Alias' Host_Alias (':' Host_Alias)* | 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* User_Alias ::= NAME '=' User_List Runas_Alias ::= NAME '=' Runas_List Host_Alias ::= NAME '=' Host_List Cmnd_Alias ::= NAME '=' Cmnd_List NAME ::= [A-Z]([A-Z][0-9]_)*
Alias_Type NAME = item1, item2, ...
User_Alias
, Runas_Alias
,
Host_Alias
, or Cmnd_Alias
. A
NAME
is a string of uppercase letters, numbers, and
underscore characters (‘_
’). A
NAME
must start with an
uppercase letter. It is possible to put several alias definitions of the same
type on a single line, joined by a colon
(‘:
’). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
User_List ::= User | User ',' User_List User ::= '!'* user name | '!'* #uid | '!'* %group | '!'* %#gid | '!'* +netgroup | '!'* %:nonunix_group | '!'* %:#nonunix_gid | '!'* User_Alias
User_List
is made up of one or more user names, user
IDs (prefixed with ‘#
’), system group
names and IDs (prefixed with ‘%
’ and
‘%#
’ respectively), netgroups (prefixed
with ‘+
’), non-Unix group names and IDs
(prefixed with ‘%:
’ and
‘%:#
’ respectively) and
User_Alias
es. Each list item may be prefixed with zero
or more ‘!
’ operators. An odd number of
‘!
’ operators negate the value of the
item; an even number just cancel each other out.
A user name
, uid
,
group
, gid
,
netgroup
, nonunix_group
or
nonunix_gid
may be enclosed in double quotes to avoid
the need for escaping special characters. Alternately, special characters may
be specified in escaped hex mode, e.g. \x20 for space. When using double
quotes, any prefix characters must be included inside the quotes.
The actual nonunix_group
and
nonunix_gid
syntax depends on the underlying group
provider plugin. For instance, the QAS AD plugin supports the following
formats:
\
’) to escape spaces and
special characters. See
Other
special characters and reserved words for a list of characters that need
to be escaped.
Runas_List ::= Runas_Member | Runas_Member ',' Runas_List Runas_Member ::= '!'* user name | '!'* #uid | '!'* %group | '!'* %#gid | '!'* %:nonunix_group | '!'* %:#nonunix_gid | '!'* +netgroup | '!'* Runas_Alias
Runas_List
is similar to a
User_List
except that instead of
User_Alias
es it can contain
Runas_Alias
es. Note that user names and groups are
matched as strings. In other words, two users (groups) with the same uid (gid)
are considered to be distinct. If you wish to match all user names with the
same uid (e.g. root and toor), you can use a uid instead (#0 in the example
given).
Host_List ::= Host | Host ',' Host_List Host ::= '!'* host name | '!'* ip_addr | '!'* network(/netmask)? | '!'* +netgroup | '!'* Host_Alias
Host_List
is made up of one or more host names, IP
addresses, network numbers, netgroups (prefixed with
‘+
’) and other aliases. Again, the value
of an item may be negated with the ‘!
’
operator. If you do not specify a netmask along with the network number,
sudo
will query each of the local host's
network interfaces and, if the network number corresponds to one of the
hosts's network interfaces, the corresponding netmask will be used. The
netmask may be specified either in standard IP address notation (e.g.
255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation (number of bits,
e.g. 24 or 64). A host name may include shell-style wildcards (see the
Wildcards section below), but
unless the host name
command on your machine returns
the fully qualified host name, you'll need to use the
fqdn option for wildcards to be useful. Note that
sudo
only inspects actual network
interfaces; this means that IP address 127.0.0.1 (localhost) will never match.
Also, the host name “localhost” will only match if that is the
actual host name, which is usually only the case for non-networked systems.
digest ::= [A-Fa-f0-9]+ | [[A-Za-z0-9+/=]+ Digest_Spec ::= "sha224" ':' digest | "sha256" ':' digest | "sha384" ':' digest | "sha512" ':' digest Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List command name ::= file name | file name args | file name '""' Cmnd ::= Digest_Spec? '!'* command name | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias
Cmnd_List
is a list of one or more command names,
directories, and other aliases. A command name is a fully qualified file name
which may include shell-style wildcards (see the
Wildcards section below). A
simple file name allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify ""
to indicate that the command may only be run
without command line arguments. A directory is a
fully qualified path name ending in a
‘/
’. When you specify a directory in a
Cmnd_List
, the user will be able to run any file
within that directory (but not in any sub-directories therein).
If a Cmnd
has associated command line arguments, then
the arguments in the Cmnd
must match exactly those
given by the user on the command line (or match the wildcards if there are
any). Note that the following characters must be escaped with a
‘\
’ if they are used in command
arguments: ‘,
’,
‘:
’,
‘=
’,
‘\
’. The built-in command
“sudoedit
” is used to permit a user to
run sudo
with the
-e
option (or as
sudoedit
). It may take command line
arguments just as a normal command does. Note that
“sudoedit
” is a command built into
sudo
itself and must be specified in
sudoers without a leading path.
If a command name
is prefixed with a
Digest_Spec
, the command will only match successfully
if it can be verified using the specified SHA-2 digest. This may be useful in
situations where the user invoking sudo
has
write access to the command or its parent directory. The following digest
formats are supported: sha224, sha256, sha384 and sha512. The string may be
specified in either hex or base64 format (base64 is more compact). There are
several utilities capable of generating SHA-2 digests in hex format such as
openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
For example, using openssl:
$ openssl dgst -sha224 /bin/ls SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
$ openssl dgst -binary -sha224 /bin/ls | openssl base64 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
Default_Entry
lines. These
may affect all users on any host, all users on a specific host, a specific
user, a specific command, or commands being run as a specific user. Note that
per-command entries may not include command line arguments. If you need to
specify arguments, define a Cmnd_Alias
and reference
that instead.
Default_Type ::= 'Defaults' | 'Defaults' '@' Host_List | 'Defaults' ':' User_List | 'Defaults' '!' Cmnd_List | 'Defaults' '>' Runas_List Default_Entry ::= Default_Type Parameter_List Parameter_List ::= Parameter | Parameter ',' Parameter_List Parameter ::= Parameter '=' Value | Parameter '+=' Value | Parameter '-=' Value | '!'* Parameter
!
’ operator. Some integer, string and
list parameters may also be used in a boolean context to disable them. Values
may be enclosed in double quotes ("") when they contain multiple
words. Special characters may be escaped with a backslash
(‘\
’).
Lists have two additional assignment operators, +=
and
-=
. These operators are used to add to and delete from
a list respectively. It is not an error to use the -=
operator to remove an element that does not exist in a list.
Defaults entries are parsed in the following order: generic, host and user
Defaults first, then runas Defaults and finally command defaults.
See SUDOERS OPTIONS for a
list of supported Defaults parameters.
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ (':' Host_List '=' Cmnd_Spec_List)* Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
Runas_Spec
determines the user and/or the group that a
command may be run as. A fully-specified Runas_Spec
consists of two Runas_List
s (as defined above)
separated by a colon (‘:
’) and enclosed
in a set of parentheses. The first Runas_List
indicates which users the command may be run as via
sudo
's
-u
option. The second defines a list of
groups that can be specified via sudo
's
-g
option. If both
Runas_List
s are specified, the command may be run with
any combination of users and groups listed in their respective
Runas_List
s. If only the first is specified, the
command may be run as any user in the list but no
-g
option may be specified. If the first
Runas_List
is empty but the second is specified, the
command may be run as the invoking user with the group set to any listed in
the Runas_List
. If both
Runas_List
s are empty, the command may only be run as
the invoking user. If no Runas_Spec
is specified the
command may be run as root and no group may be
specified.
A Runas_Spec
sets the default for the commands that
follow it. What this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
$ sudo -u operator /bin/ls
Runas_Spec
later on in
an entry. If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
/bin/ls
with either the user or group set to
operator:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ /usr/bin/lprm
Runas_Spec
permits the user to run as command with that group, it does not force the user
to do so. If no group is specified on the command line, the command will run
with the group listed in the target user's password database entry. The
following would all be permitted by the sudoers entry above:
$ sudo -u operator /bin/ls $ sudo -u operator -g operator /bin/ls $ sudo -g operator /bin/ls
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ /usr/local/bin/minicom
$ sudo -g dialer /usr/bin/cu
Runas_Spec
, in which case the user may select any
combination of users and groups via the -u
and -g
options. In this example:
alan ALL = (root, bin : operator, system) ALL
$ ppriv -l
!
’ or
‘-
’ character.
NOPASSWD
, PASSWD
,
NOEXEC
, EXEC
,
SETENV
, NOSETENV
,
LOG_INPUT
, NOLOG_INPUT
,
LOG_OUTPUT
and NOLOG_OUTPUT
.
Once a tag is set on a Cmnd
, subsequent
Cmnd
s in the Cmnd_Spec_List
,
inherit the tag unless it is overridden by the opposite tag (in other words,
PASSWD
overrides NOPASSWD
and
NOEXEC
overrides EXEC
).
sudo
requires that a user
authenticate him or herself before running a command. This behavior can be
modified via the NOPASSWD
tag. Like a
Runas_Spec
, the NOPASSWD
tag sets a default for the commands that follow it in the
Cmnd_Spec_List
. Conversely, the
PASSWD
tag can be used to reverse things. For
example:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
PASSWD
tag has no effect on
users who are in the group specified by the
exempt_group option.
By default, if the NOPASSWD
tag is applied to any of
the entries for a user on the current host, he or she will be able to run
“sudo -l
” without a password.
Additionally, a user may only run “sudo
-v
” without a password if the
NOPASSWD
tag is present for all a user's entries
that pertain to the current host. This behavior may be overridden via the
verifypw and
listpw options.sudo
has been compiled with
noexec support and the underlying operating
system supports it, the NOEXEC
tag can be used to
prevent a dynamically-linked executable from running further commands
itself.
In the following example, user aaron may run
/usr/bin/more and
/usr/bin/vi but shell escapes will be
disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
NOEXEC
works and whether or not it will work on
your system.SETENV
has been set for a command, the user may disable the
env_reset option from the command line via
the -E
option. Additionally,
environment variables set on the command line are not subject to the
restrictions imposed by env_check,
env_delete, or
env_keep. As such, only trusted users should
be allowed to set variables in this manner. If the command matched is
ALL, the SETENV
tag
is implied for that command; this default may be overridden by use of the
NOSETENV
tag.sudo
allows shell-style
wildcards (aka meta or glob characters) to be
used in host names, path names and command line arguments in the
sudoers file. Wildcard matching is done via the
glob(3) and
fnmatch(3) functions as specified by
IEEE Std 1003.1 (“POSIX.1”).
Note that these are not regular expressions.
*
?
[...]
[!...]
\x
*
’,
‘?
’,
‘[
’, and
‘]
’.:
’ character has special
meaning in sudoers, it must be escaped. For
example:
/bin/ls [[:alpha:]]*
/
’) will
not be matched by wildcards used in the path
name. This is to make a path like:
/usr/bin/*
?
’ or
‘*
’ can match multiple words. For
example, while a sudoers entry like:
%operator ALL = /bin/cat /var/log/messages*
$ sudo cat /var/log/messages.1
$ sudo cat /var/log/messages /etc/shadow
""
""
is the only
command line argument in the sudoers entry it
means that command is not allowed to be run with
any arguments./
’) will not be matched by a
wildcard.#include
and
#includedir
directives.
This can be used, for example, to keep a site-wide
sudoers file in addition to a local, per-machine
file. For the sake of this example the site-wide
sudoers will be
/etc/sudoers and the per-machine one will
be /etc/sudoers.local. To include
/etc/sudoers.local from within
/etc/sudoers we would use the following
line in /etc/sudoers:
#include /etc/sudoers.local
sudo
reaches this line it will suspend
processing of the current file
(/etc/sudoers) and switch to
/etc/sudoers.local. Upon reaching the end
of /etc/sudoers.local, the rest of
/etc/sudoers will be processed. Files that
are included may themselves include other files. A hard limit of 128 nested
include files is enforced to prevent include file loops.
If the path to the include file is not fully-qualified (does not begin with a
‘/
’, it must be located in the same
directory as the sudoers file it was included from. For example, if
/etc/sudoers contains the line:
#include sudoers.local
%h
escape, signifying
the short form of the host name. In other words, if the machine's host name is
“xerxes”, then
#include /etc/sudoers.%h
sudo
to include the file
/etc/sudoers.xerxes.
The #includedir
directive can be used to create a
sudo.d directory that the system package
manager can drop sudoers rules into as part of
package installation. For example, given:
#includedir /etc/sudoers.d
sudo
will read each file in
/etc/sudoers.d, skipping file names that
end in ‘~
’ or contain a
‘.
’ character to avoid causing problems
with package manager or editor temporary/backup files. Files are parsed in
sorted lexical order. That is,
/etc/sudoers.d/01_first will be parsed
before /etc/sudoers.d/10_second. Be aware
that because the sorting is lexical, not numeric,
/etc/sudoers.d/1_whoops would be loaded
after
/etc/sudoers.d/10_second. Using a
consistent number of leading zeroes in the file names can be used to avoid
such problems.
Note that unlike files included via #include
,
visudo
will not edit the files in a
#includedir
directory unless one of them contains a
syntax error. It is still possible to run
visudo
with the
-f
flag to edit the files directly.
#
’) is used to indicate a
comment (unless it is part of a #include directive or unless it occurs in the
context of a user name and is followed by one or more digits, in which case it
is treated as a uid). Both the comment character and any text after it, up to
the end of the line, are ignored.
The reserved word ALL is a built-in
alias that always causes a match to succeed. It
can be used wherever one might otherwise use a
Cmnd_Alias
, User_Alias
,
Runas_Alias
, or Host_Alias
.
You should not try to define your own alias
called ALL as the built-in alias will be used in
preference to your own. Please note that using
ALL can be dangerous since in a command context,
it allows the user to run any command on the
system.
An exclamation point (‘!
’) can be used as
a logical not operator in a list or
alias as well as in front of a
Cmnd
. This allows one to exclude certain values. For
the ‘!
’ operator to be effective, there
must be something for it to exclude. For example, to match all users except
for root one would use:
ALL,!root
!root
!
’ in
conjunction with the built-in ALL alias to allow
a user to run “all but a few” commands rarely works as intended
(see SECURITY NOTES
below).
Long lines can be continued with a backslash
(‘\
’) as the last character on the line.
White space between elements in a list as well as special syntactic characters
in a User Specification
(‘=
’,
‘:
’,
‘(
’,
‘)
’) is optional.
The following characters must be escaped with a backslash
(‘\
’) when used as part of a word (e.g.
a user name or host name): ‘!
’,
‘=
’,
‘:
’,
‘,
’,
‘(
’,
‘)
’,
‘\
’.
sudo
's behavior can be modified by
Default_Entry
lines, as explained earlier. A list of
all supported Defaults parameters, grouped by type, are listed below.
Boolean Flags:
sudo
will set the
HOME
environment variable to the home
directory of the target user (which is root unless the
-u
option is used). This effectively
means that the -H
option is always
implied. Note that HOME
is already set
when the env_reset option is enabled, so
always_set_home is only effective for
configurations where either env_reset is
disabled or HOME
is present in the
env_keep list. This flag is
off by default.PASSWD
and
NOPASSWD
tags. This flag is
on by default.sudo
's
-C
option which overrides the default
starting point at which sudo
begins
closing open file descriptors. This flag is
off by default.sudo
is configured to log a
command's input or output, the I/O logs will be compressed using
zlib. This flag is
on by default when
sudo
is compiled with
zlib support.+
’), may be used in place of a user
or host. For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server. If netgroups are not needed, this option
can be disabled to reduce the load on the LDAP server. This flag is
on by default.sudo
runs a command as the
foreground process as long as sudo
itself is running in the foreground. When the
exec_background flag is enabled and the
command is being run in a pty (due to I/O logging or the
use_pty flag), the command will be run as a
background process. Attempts to read from the controlling terminal (or to
change terminal settings) will result in the command being suspended with
the SIGTTIN
signal (or
SIGTTOU
in the case of terminal
settings). If this happens when sudo
is
a foreground process, the command will be granted the controlling terminal
and resumed in the foreground with no user intervention required. The
advantage of initially running the command in the background is that
sudo
need not read from the terminal
unless the command explicitly requests it. Otherwise, any terminal input
must be passed to the command, whether it has required it or not (the
kernel buffers terminals so it is not possible to tell whether the command
really wants the input). This is different from historic
sudo behavior or when the command is not
being run in a pty.
For this to work seamlessly, the operating system must support the automatic
restarting of system calls. Unfortunately, not all operating systems do
this by default, and even those that do may have bugs. For example, Mac OS
X fails to restart the tcgetattr
() and
tcsetattr
() system calls (this is a bug
in Mac OS X). Furthermore, because this behavior depends on the command
stopping with the SIGTTIN
or
SIGTTOU
signals, programs that catch
these signals and suspend themselves with a different signal (usually
SIGTOP
) will not be automatically
foregrounded. Some versions of the linux
su(1) command behave this way.
This setting is only supported by version 1.8.7 or higher. It has no effect
unless I/O logging is enabled or the use_pty
flag is enabled.visudo
will use the value of
the EDITOR
or
VISUAL
environment variables before
falling back on the default editor list. Note that this may create a
security hole as it allows the user to run any arbitrary command as root
without logging. A safer alternative is to place a colon-separated list of
editors in the editor
variable.
visudo
will then only use the
EDITOR
or
VISUAL
if they match a value specified
in editor
. This flag is
off by default.sudo
will run the command in a
minimal environment containing the
TERM
,
PATH
,
HOME
,
MAIL
,
SHELL
,
LOGNAME
,
USER
,
USERNAME
and
SUDO_*
variables. Any variables in the
caller's environment that match the env_keep
and
env_check
lists are then added, followed by any
variables present in the file specified by the
env_file option (if any). The default
contents of the env_keep
and
env_check
lists are displayed when
sudo
is run by root with the
-V
option. If the
secure_path option is set, its value will be
used for the PATH
environment variable.
This flag is on by default.sudo
uses the
glob(3) function to do shell-style globbing
when matching path names. However, since it accesses the file system,
glob(3) can take a long time to complete for
some patterns, especially when the pattern references a network file
system that is mounted on demand (auto mounted). The
fast_glob option causes
sudo
to use the
fnmatch(3) function, which does not access
the file system to do its matching. The disadvantage of
fast_glob is that it is unable to match
relative path names such as ./ls or
../bin/ls. This has security
implications when path names that include globbing characters are used
with the negation operator, ‘!
’, as
such rules can be trivially bypassed. As such, this option should not be
used when sudoers contains rules that contain
negated path names which include globbing characters. This flag is
off by default.hostname
command) does not contain
the domain name. In other words, instead of myhost you would use
myhost.mydomain.edu. You may still use the short form if you wish (and
even mix the two). This option is only effective when the
“canonical” host name, as returned by the
getaddrinfo
() or
gethostbyname
() function, is a
fully-qualified domain name. This is usually the case when the system is
configured to use DNS for host name resolution.
If the system is configured to use the
/etc/hosts file in preference to DNS,
the “canonical” host name may not be fully-qualified. The
order that sources are queried for host name resolution is usually
specified in the /etc/nsswitch.conf,
/etc/netsvc.conf,
/etc/host.conf, or, in some cases,
/etc/resolv.conf file. In the
/etc/hosts file, the first host name of
the entry is considered to be the “canonical” name;
subsequent names are aliases that are not used by
sudoers
. For example, the following
hosts file line for the machine “xyzzy” has the
fully-qualified domain name as the “canonical” host name,
and the short version as an alias.
192.168.1.1 xyzzy.sudo.ws
xyzzy
sudoers
to make DNS lookups which
renders sudo
unusable if DNS stops
working (for example if the machine is disconnected from the network).
Also note that just like with the hosts file, you must use the
“canonical” name as DNS knows it. That is, you may not use a
host alias (CNAME
entry) due to performance issues
and the fact that there is no way to get all aliases from DNS.
This flag is off by default.sudo
will ignore "."
or "" (both denoting current directory) in the
PATH
environment variable; the
PATH
itself is not modified. This flag
is off by default.sudo
how to behave when no specific
LDAP entries have been matched, this sudoOption is only meaningful for the
cn=defaults
section. This flag is
off by default.sudo
will insult users when
they enter an incorrect password. This flag is
off by default.sudo
log file. This flag is
off by default.sudo
will run the command in a
pseudo tty and log all user input. If the
standard input is not connected to the user's tty, due to I/O redirection
or because the command is part of a pipeline, that input is also captured
and stored in a separate log file.
Input is logged to the directory specified by the
iolog_dir option
(/var/log/sudo-io by default) using a
unique session ID that is included in the normal
sudo
log line, prefixed with
“TSID=
”. The
iolog_file option may be used to control the
format of the session ID.
Note that user input may contain sensitive information such as passwords
(even if they are not echoed to the screen), which will be stored in the
log file unencrypted. In most cases, logging the command output via
log_output is all that is required.sudo
will run the command in a
pseudo tty and log all output that is sent to
the screen, similar to the script(1) command.
If the standard output or standard error is not connected to the user's
tty, due to I/O redirection or because the command is part of a pipeline,
that output is also captured and stored in separate log files.
Output is logged to the directory specified by the
iolog_dir option
(/var/log/sudo-io by default) using a
unique session ID that is included in the normal
sudo
log line, prefixed with
“TSID=
”. The
iolog_file option may be used to control the
format of the session ID.
Output logs may be viewed with the
sudoreplay(8) utility, which can also be used
to list or search the available logs.sudo
log file. This flag is
off by default.sudo
. This flag is
off by default.sudo
does not enter the correct
password. If the command the user is attempting to run is not permitted by
sudoers and one of the
mail_always,
mail_no_host,
mail_no_perms or
mail_no_user flags are set, this flag will
have no effect. This flag is off by
default.sudo
but the command they are trying is
not listed in their sudoers file entry or is
explicitly denied. This flag is off by
default.sudo
will
behave as if the NOEXEC
tag has been set, unless
overridden by a EXEC
tag. See the description of
NOEXEC and EXEC below as well as the
Preventing shell
escapes section at the end of this manual. This flag is
off by default.sudo
will create a new PAM session for
the command to be run in. Disabling
pam_session may be needed on older PAM
implementations or on operating systems where opening a PAM session
changes the utmp or wtmp files. If PAM session support is disabled,
resource limits may not be updated for the command being run. If
pam_session,
pam_setcred, and
use_pty are disabled and I/O logging has not
been configured, sudo
will execute the
command directly instead of running it as a child process. This flag is
on by default.
This setting is only supported by version 1.8.7 or higher.sudo
will attempt to establish
credentials for the target user by default, if supported by the underlying
authentication system. One example of a credential is a Kerberos ticket.
If pam_session,
pam_setcred, and
use_pty are disabled and I/O logging has not
been configured, sudo
will execute the
command directly instead of running it as a child process. This flag is
on by default.
This setting is only supported by version 1.8.8 or higher.sudo
will tell the user when
a command could not be found in their
PATH
environment variable. Some sites
may wish to disable this as it could be used to gather information on the
location of executables that the normal user does not have access to. The
disadvantage is that if the executable is simply not in the user's
PATH
,
sudo
will tell the user that they are
not allowed to run it, which can be confusing. This flag is
on by default.sudo
will initialize the
group vector to the list of groups the target user is in. When
preserve_groups is set, the user's existing
group vector is left unaltered. The real and effective group IDs, however,
are still set to match the target user. This flag is
off by default.sudo
reads the password
like most other Unix programs, by turning off echo until the user hits the
return (or enter) key. Some users become confused by this as it appears to
them that sudo
has hung at this point.
When pwfeedback is set,
sudo
will provide visual feedback when
the user presses a key. Note that this does have a security impact as an
onlooker may be able to determine the length of the password being
entered. This flag is off by default.sudo
will only run when the
user is logged in to a real tty. When this flag is set,
sudo
can only be run from a login
session and not via other means such as
cron(8) or cgi-bin scripts. This flag is
off by default.sudo
too. Disabling this prevents users from “chaining”
sudo
commands to get a root shell by
doing something like “sudo sudo
/bin/sh
”. Note, however, that turning off
root_sudo will also prevent root from running
sudoedit
. Disabling
root_sudo provides no real additional
security; it exists purely for historical reasons. This flag is
on by default.sudo
will prompt for the root
password instead of the password of the invoking user when running a
command or editing a file. This flag is off
by default.sudo
will prompt for the
password of the user defined by the
runas_default option (defaults to
root
) instead of the password of the invoking user
when running a command or editing a file. This flag is
off by default.sudo
is invoked with the
-s
option the
HOME
environment variable will be set
to the home directory of the target user (which is root unless the
-u
option is used). This effectively
makes the -s
option imply
-H
. Note that
HOME
is already set when the
env_reset option is enabled, so
set_home is only effective for configurations
where either env_reset is disabled or
HOME
is present in the
env_keep list. This flag is
off by default.sudo
will set the
LOGNAME
,
USER
and
USERNAME
environment variables to the
name of the target user (usually root unless the
-u
option is given). However, since
some programs (including the RCS revision control system) use
LOGNAME
to determine the real identity
of the user, it may be desirable to change this behavior. This can be done
by negating the set_logname option. Note that if the
env_reset option has not been disabled,
entries in the env_keep list will override
the value of set_logname. This flag is
on by default.sudo
will create an entry
in the utmp (or utmpx) file when a pseudo-tty is allocated. A pseudo-tty
is allocated by sudo
when the
log_input,
log_output or
use_pty flags are enabled. By default, the
new entry will be a copy of the user's existing utmp entry (if any), with
the tty, time, type and pid fields updated. This flag is
on by default.-E
option. Additionally, environment variables set via the command line are
not subject to the restrictions imposed by
env_check,
env_delete, or
env_keep. As such, only trusted users should
be allowed to set variables in this manner. This flag is
off by default.sudo
is invoked with no
arguments it acts as if the -s
option
had been given. That is, it runs a shell as root (the shell is determined
by the SHELL
environment variable if it
is set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is off
by default.sudo
executes a command
the real and effective UIDs are set to the target user (root by default).
This option changes that behavior such that the real UID is left as the
invoking user's UID. In other words, this makes
sudo
act as a setuid wrapper. This can
be useful on systems that disable some potentially dangerous functionality
when a program is run setuid. This option is only effective on systems
that support either the setreuid(2) or
setresuid(2) system call. This flag is
off by default.sudo
will prompt for the
password of the user specified by the
-u
option (defaults to
root
) instead of the password of the invoking user
when running a command or editing a file. Note that this flag precludes
the use of a uid not listed in the passwd database as an argument to the
-u
option. This flag is
off by default.sudo
will use a separate
record in the time stamp file for each tty. If disabled, a single record
is used for all login sessions. This flag is
on by default.sudo
will set the umask as
specified by sudoers without modification.
This makes it possible to specify a more permissive umask in
sudoers than the user's own umask and matches
historical behavior. If umask_override is not
set, sudo
will set the umask to be the
union of the user's umask and what is specified in
sudoers. This flag is
off by default.sudo
will apply the defaults
specified for the target user's login class if one exists. Only available
if sudo
is configured with the
--with-logincap
option. This flag is
off by default.sudo
will run the command in a
pseudo-pty even if no I/O logging is being gone. A malicious program run
under sudo
could conceivably fork a
background process that retains to the user's terminal device after the
main program has finished executing. Use of this option will make that
impossible. This flag is off by default.sudo
will store the name of the
runas user when updating the utmp (or utmpx) file. By default,
sudo
stores the name of the invoking
user. This flag is off by default.sudo
will refuse to run if
the user must enter a password but it is not possible to disable echo on
the terminal. If the visiblepw flag is set,
sudo
will prompt for a password even
when it would be visible on the screen. This makes it possible to run
things like “ssh somehost sudo ls
”
since by default, ssh(1) does not allocate a
tty when running a command. This flag is off
by default.sudo
will
close all open file descriptors other than standard input, standard output
and standard error (ie: file descriptors 0-2). The
closefrom option can be used to specify a
different file descriptor at which to start closing. The default is
3
.sudo
logs the failure and exits. The
default is 3
.80
(use 0 or negate the option to disable word
wrap).sudo
password prompt times out, or 0
for no timeout.
The timeout may include a fractional component if minute granularity is
insufficient, for example 2.5
. The default is
5
.sudo
will ask for a passwd again. The
timeout may include a fractional component if minute granularity is
insufficient, for example 2.5
. The default is
5
. Set this to 0
to always
prompt for a password. If set to a value less than
0
the user's time stamp will never expire. This
can be used to allow users to create or delete their own time stamps via
“sudo -v
” and
“sudo -k
” respectively.0022
. This guarantees that
sudo
never lowers the umask when
running a command. Note: on systems that use PAM, the default PAM
configuration may specify its own umask which will override the value set
in sudoers.Sorry, try again.
unless insults are
enabled.:
’) separated list of
editors allowed to be used with visudo
.
visudo
will choose the editor that
matches the user's EDITOR
environment
variable if possible, or the first editor in the list that exists and is
executable. The default is vi.LOG_INPUT
or LOG_OUTPUT
tags are present for a command. The session sequence number, if any, is
stored in the directory. The default is
/var/log/sudo-io.
The following percent (‘%
’) escape
sequences are supported:
%{seq}
%{user}
%{group}
%{runas_user}
%{runas_group}
%{hostname}
%{command}
%
’ character,
the string ‘%%
’ should be used.LOG_INPUT
or LOG_OUTPUT
tags are present for a command. Note that
iolog_file may contain directory components.
The default is “%{seq}
”.
See the iolog_dir option above for a list of
supported percent (‘%
’) escape
sequences.
In addition to the escape sequences, path names that end in six or more
X
s will have the X
s
replaced with a unique combination of digits and letters, similar to the
mktemp(3) function.
If the path created by concatenating iolog_dir
and iolog_file already exists, the existing
I/O log file will be truncated and overwritten unless
iolog_file ends in six or more
X
s.sudo
stores
per-user lecture status files. Once a user has received the lecture, a
zero-length file is created in this directory so that
sudo
will not lecture the user again.
This directory should not be cleared when the
system reboots. The default is
/var/adm/sudo/lectured.sudoers
is built on
Solaris 10 or higher.%h
will expand to the host name of the
machine. Default is “*** SECURITY information for
%h ***
”.%{seq}
” escape in the I/O log file
(see the iolog_dir description above for more
information). While the value substituted for
“%{seq}
” is in base 36,
maxseq itself should be expressed in decimal.
Values larger than 2176782336 (which corresponds to the base 36 sequence
number “ZZZZZZ”) will be silently truncated to 2176782336.
The default value is 2176782336.
Once the local sequence number reaches the value of
maxseq, it will “roll over” to
zero, after which sudoers
will truncate
and re-use any existing I/O log path names.
This setting is only supported by version 1.8.7 or higher.sudo
version 1.8.1 this option is
no longer supported. The path to the noexec file should now be set in the
sudo.conf(5) file.-i
option is specified. The
default value is “sudo
”. See the
description of pam_service for more
information.
This setting is only supported by version 1.8.8 or higher.sudo
”.
This setting is only supported by version 1.8.8 or higher.-p
option or the
SUDO_PROMPT
environment variable. The
following percent (‘%
’) escape
sequences are supported:
%H
%h
%p
%U
%u
%%
%
characters are collapsed
into a single %
characterPassword:
”.sudoers
is built on Solaris 10 or
higher.sudo
is built with SELinux support.-u
option is not specified on the
command line. This defaults to root
.alert
.
The following syslog priorities are supported:
alert, crit,
debug, emerg,
err, info,
notice, and
warning.notice
.
See syslog_badpri for the list of supported
syslog priorities.C
”.sudo
stores its
time stamp files. This directory should be cleared when the system
reboots. The default is
/var/run/sudo/ts.root
.sudo
is built with SELinux support.VARIABLE=value
” or
“export VARIABLE=value
”. The value
may optionally be surrounded by single or double quotes. Variables in this
file are subject to other sudo
environment settings such as env_keep and
env_check.%
prefix. This is not set by default.sudo
.sudo
lecture that will be used in place
of the standard lecture if the named file exists. By default,
sudo
uses a built-in lecture.sudo
with the
-l
option. It has the following
possible values:
NOPASSWD
flag set
to avoid entering a password.-l
option.NOPASSWD
flag set to avoid entering a
password.-l
option.sudo
log file (not the
syslog log file). Setting a path turns on logging to a file; negating this
option turns it off. By default, sudo
logs via syslog.-t
.sudo
interpreting the @
sign. Defaults to the name of
the user running sudo
.sudo
interpreting the
@
sign. Defaults to
root
.sudo
. If you don't trust the people
running sudo
to have a sane
PATH
environment variable you may want
to use this. Another use is if you want to have the “root
path” be separate from the “user path”. Users in the
group specified by the exempt_group option
are not affected by secure_path. This option
is not set by default.auth
.
The following syslog facilities are supported:
authpriv (if your OS supports it),
auth, daemon,
user, local0,
local1, local2,
local3, local4,
local5, local6,
and local7.sudo
with the
-v
option. It has the following
possible values:
NOPASSWD
flag set
to avoid entering a password.-v
option.NOPASSWD
flag set to avoid entering a
password.-v
option.%
’ or
‘/
’ characters. This can be used to
guard against printf-style format vulnerabilities in poorly-written
programs. The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added to,
deleted from, or disabled by using the =
,
+=
, -=
, and
!
operators respectively. Regardless of whether
the env_reset
option is enabled or disabled,
variables specified by env_check
will be preserved
in the environment if they pass the aforementioned check. The default list
of environment variables to check is displayed when
sudo
is run by root with the
-V
option.=
,
+=
, -=
, and
!
operators respectively. The default list of
environment variables to remove is displayed when
sudo
is run by root with the
-V
option. Note that many operating
systems will remove potentially dangerous variables from the environment
of any setuid process (such as
sudo
).sudo
-spawned processes will receive.
The argument may be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced, added to, deleted
from, or disabled by using the =
,
+=
, -=
, and
!
operators respectively. The default list of
variables to keep is displayed when
sudo
is run by root with the
-V
option.sudoers
plugin supports its own plugin
interface to allow non-Unix group lookups which can query a group source other
than the standard Unix group database. This can be used to implement support
for the nonunix_group
syntax described earlier.
Group provider plugins are specified via the
group_plugin Defaults setting. The argument to
group_plugin should consist of the plugin path,
either fully-qualified or relative to the
/usr/local/libexec/sudo directory, followed
by any configuration options the plugin requires. These options (if specified)
will be passed to the plugin's initialization function. If options are
present, the string must be enclosed in double quotes ("").
The following group provider plugins are installed by default:
Defaults group_plugin="group_file.so /etc/sudo-group"
getgrnam
() and
getgrid
(). This plugin can be used in
instances where the user belongs to groups not present in the user's
supplemental group vector. This plugin takes no options:
Defaults group_plugin=system_group.so
sudoers
can log events using either
syslog(3) or a simple log file. In each case the
log format is almost identical.
date hostname progname: username : TTY=ttyname ; PWD=cwd ; \ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \ ENV=env_vars COMMAND=command
sudo
was run on.
This field is only present when logging via
syslog(3).sudo
.sudo
was run on, or
“unknown” if there was no terminal present.sudo
was run in.C
” locale.
sudo
's
-n
option was specified but a password
was required.sudoers
will log a
message and, in most cases, send a message to the administrator via email.
Possible errors include:
sudoers
encountered an error when
parsing the specified file. In some cases, the actual error may be one
line above or below the line number listed, depending on the type of
error.sudo
from running, but the
sudoers file should be checked using
visudo
.sudoers
tries to open
sudoers using group permissions to avoid this
problem. Consider either changing the ownership of
/etc/sudoers or adding an argument like
“sudoers_uid=N” (where ‘N’ is the user ID that
owns the sudoers file) to the end of the
sudoers
Plugin
line in the sudo.conf(5) file.sudoers
Plugin
line in the sudo.conf(5) file.sudoers
Plugin
line in the sudo.conf(5) file.sudoers
Plugin
line in the sudo.conf(5) file.sudoers
will split up log messages that are
larger than 960 characters (not including the date, hostname, and the string
“sudo”). When a message is split, additional parts will include
the string “(command continued)” after the user name and before
the continued command line arguments.
!
’), word wrap will be
disabled.-i
mode on AIX
and Linux systems# Run X applications through sudo; HOME is used to find the # .Xauthority file. Note that other programs use HOME to find # configuration files and this may lead to privilege escalation! Defaults env_keep += "DISPLAY HOME" # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl User_Alias WEBMASTERS = will, wendy, wim # Runas alias specification Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase Runas_Alias ADMINGRP = adm, oper # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ ALPHA = widget, thalamus, foobar :\ HPPA = boa, nag, python Host_Alias CUNETS = 128.138.0.0/255.255.0.0 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore,\ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt Cmnd_Alias REBOOT = /usr/sbin/reboot Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ /usr/local/bin/tcsh, /usr/bin/rsh,\ /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
sudo
to log via
syslog(3) using the
auth facility in all cases. We don't want to
subject the full time staff to the sudo
lecture, user millert need not give a password,
and we don't want to reset the LOGNAME
,
USER
or
USERNAME
environment variables when running
commands as root. Additionally, on the machines in the
SERVERS Host_Alias
, we
keep an additional local log file and make sure we log the year in each log
line since the log entries will be kept around for several years. Lastly, we
disable shell escapes for the commands in the PAGERS
Cmnd_Alias
(/usr/bin/more,
/usr/bin/pg and
/usr/bin/less). Note that this will not
effectively constrain users with sudo
ALL privileges.
# Override built-in defaults Defaults syslog=auth Defaults>root !set_logname Defaults:FULLTIMERS !lecture Defaults:millert !authenticate Defaults@SERVERS log_year, logfile=/var/log/sudo.log Defaults!PAGERS noexec
root ALL = (ALL) ALL %wheel ALL = (ALL) ALL
FULLTIMERS ALL = NOPASSWD: ALL
PARTTIMERS ALL = ALL
NOPASSWD
tag).
jack CSNETS = ALL
128.138.243.0
, 128.138.204.0
,
and 128.138.242.0
). Of those networks, only
128.138.204.0
has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks in
CSNETS, the local machine's netmask will be used
during matching.
lisa CUNETS = ALL
128.138.0.0
).
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ sudoedit /etc/printcap, /usr/oper/bin/
DUMPS
Cmnd_Alias includes a sha224
digest, /home/operator/bin/start_backups.
This is because the directory containing the script is writable by the
operator user. If the script is modified (resulting in a digest mismatch) it
will no longer be possible to run it via
sudo
.
joe ALL = /usr/bin/su operator
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root %opers ALL = (: ADMINGRP) /usr/sbin/
Runas_Alias
(the adm and oper
groups).
The user pete is allowed to change anyone's
password except for root on the HPPA machines.
Note that this assumes passwd(1) does not take
multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
Runas_Alias
(root and
operator.)
jim +biglab = ALL
sudo
knows that “biglab” is a
netgroup due to the ‘+
’ prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
fred ALL = (DB) NOPASSWD: ALL
Runas_Alias
(oracle or sybase)
without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
jen ALL, !SERVERS = ALL
Host_Alias
(master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
Host_Alias
, jill may run
any commands in the directory /usr/bin/
except for those commands belonging to the SU and
SHELLS Cmnd_Aliases
.
While not specifically mentioned in the rule, the commands in the
PAGERS Cmnd_Alias
all
reside in /usr/bin and have the
noexec option set.
steve CSNETS = (operator) /usr/local/op_commands/
matt valkyrie = KILL
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
User_Alias
(will, wendy, and wim), may run any command
as user www (which owns the web pages) or simply
su(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuidnodev /dev/cd0a /CDROM
Host_Alias
(orion, perseus, hercules) without entering
a password. This is a bit tedious for users to type, so it is a prime
candidate for encapsulating in a shell script.
!
’ operator. A user can trivially
circumvent this by copying the desired command to a different name and then
executing that. For example:
bill ALL = ALL, !SU, !SHELLS
!
’ elements in the user specification.
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
/usr/bin/passwd root
if
fast_glob is enabled by changing to
/usr/bin and running
./passwd root
instead.
sudo
executes a program, that program is
free to do whatever it pleases, including run other programs. This can be a
security issue since it is not uncommon for a program to allow shell escapes,
which lets a user bypass sudo
's access
control and logging. Common programs that permit shell escapes include shells
(obviously), editors, paginators, mail and terminal programs.
There are two basic approaches to this problem:
sudoedit
is a better
solution to running editors via sudo
.
Due to the large number of programs that offer shell escapes, restricting
users to the set of programs that do not is often unworkable.LD_PRELOAD
) to an alternate shared
library. On such systems, sudo
's
noexec functionality can be used to prevent a
program run by sudo
from executing any
other programs. Note, however, that this applies only to native
dynamically-linked executables. Statically-linked executables and foreign
executables running under binary emulation are not affected.
The noexec feature is known to work on SunOS,
Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3
and above. It should be supported on most operating systems that support
the LD_PRELOAD
environment variable.
Check your operating system's manual pages for the dynamic linker (usually
ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
LD_PRELOAD
is supported.
On Solaris 10 and higher, noexec uses Solaris
privileges instead of the LD_PRELOAD
environment variable.
To enable noexec for a command, use the
NOEXEC
tag as documented in the User Specification
section above. Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
sudoedit
(see below).
sudoedit
support which allows users to
securely edit files with the editor of their choice. As
sudoedit
is a built-in command, it must be
specified in sudoers without a leading path.
However, it may take command line arguments just as a normal command does. For
example, to allow user operator to edit the “message of the day”
file:
operator sudoedit /etc/motd
sudoedit
as
follows:
$ sudoedit /etc/motd
sudo
stored time stamp files in
/tmp; this is no longer recommended as it
may be possible for a user to create the time stamp themselves on systems that
allow unprivileged users to change the ownership of files they create.
While the time stamp directory should be cleared at
reboot time, not all systems contain a
/var/run directory. To avoid potential
problems, sudoers will ignore time stamp files
that date from before the machine booted on systems where the boot time is
available.
Some systems with graphical desktop environments allow unprivileged users to
change the system clock. Since sudoers relies on
the system clock for time stamp validation, it may be possible on such systems
for a user to run sudo
for longer than
timestamp_timeout by setting the clock back. To
combat this, sudoers uses a monotonic clock
(which never moves backwards) for its time stamps if the system supports it.
sudoers will not honor time stamps set far in the
future. Time stamps with a date greater than current_time + 2 *
TIMEOUT
will be ignored and
sudoers will log and complain.
Since time stamp files live in the file system, they can outlive a user's login
session. As a result, a user may be able to login, run a command with
sudo
after authenticating, logout, login
again, and run sudo
without authenticating
so long as the record's time stamp is within 5
minutes
(or whatever value the timeout is set to in
sudoers). When the
tty_tickets option is enabled, the time stamp
record includes the device number of the terminal the user authenticated with.
This provides per-tty granularity but time stamp records still may outlive the
user's session. The time stamp record also includes the session ID of the
process that last authenticated. This prevents processes in different terminal
sessions from using the same time stamp record. It also helps reduce the
chance that a user will be able to run sudo
without entering a password when logging out and back in again on the same
terminal.
sudoers
plugin support a flexible debugging framework that can help track down what
the plugin is doing internally if there is a problem. This can be configured
in the sudo.conf(5) file.
The sudoers
plugin uses the same debug flag
format as the sudo
front-end:
subsystem@priority.
The priorities used by sudoers
, in order of
decreasing severity, are: crit,
err, warn,
notice, diag,
info, trace and
debug. Each priority, when specified, also
includes all priorities higher than it. For example, a priority of
notice would include debug messages logged at
notice and higher.
The following subsystems are used by the
sudoers
plugin:
User_Alias
,
Runas_Alias
, Host_Alias
and Cmnd_Alias
processingDebug sudo /var/log/sudo_debug match@info,nss@info
visudo
command which locks the file and
does grammatical checking. It is imperative that
sudoers be free of syntax errors since
sudo
will not run with a syntactically
incorrect sudoers file.
When using netgroups of machines (as opposed to users), if you store fully
qualified host name in the netgroup (as is usually the case), you either need
to have the machine's host name be fully qualified as returned by the
hostname
command or use the
fqdn option in
sudoers.
sudo
,
please submit a bug report at https://www.sudo.ws/sudo/bugs/
sudo
is provided “AS IS” and
any express or implied warranties, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose are
disclaimed. See the LICENSE file distributed with
sudo
or
https://www.sudo.ws/sudo/license.html for complete details.