"noexec" flag

Todd C. Miller Todd.Miller at courtesan.com
Thu May 27 15:48:36 EDT 2004

In message <F6E6EB8E-B00C-11D8-AA31-000A9579FDFC at mac.com>
	so spake Jacob Pszonowsky (jdp16):

> What is it I need to do to enable "noexec" in the beta version?

This is documented in the sudoers man page, though it could probably
do with more examples.

There are two ways:

 1) The "noexec" Defaults option can turn off exec on a more or less
    global basis.  It works just like the other Defaults things in sudoers.

	Defaults noexec
	Defaults@Hostname noexec
	Defaults:Username noexec
	Defaults>RunasUser noexec

    Note that many programs require that they be able to execute other
    programs in order to function.

 2) There is a per-entry NOEXEC flag that is syntactically similar
    to the NOPASSWD modifier.


    bob	server = NOEXEC: /usr/bin/more, /usr/bin/vi

    would allow bob to run more and vi on the machine "server" with
    noexec enabled.

 - todd
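
The two approaches from the message above, combined in one sudoers fragment. This is an added example, not part of the original post; the names alice, bob, server, PAGERS and PKGTOOLS are hypothetical, and it assumes the EXEC tag (the counterpart of NOEXEC described in the sudoers man page).

```sudoers
# Constructed example: alice, bob, server, PAGERS and PKGTOOLS are hypothetical names.

Cmnd_Alias PAGERS   = /usr/bin/more, /usr/bin/less, /usr/bin/vi
Cmnd_Alias PKGTOOLS = /usr/bin/make

# Way 1: Defaults option. Everything alice runs through sudo gets noexec...
Defaults:alice noexec

# ...except commands placed after EXEC:, which must be able to execute
# other programs in order to function.
alice   server = /usr/bin/id, EXEC: PKGTOOLS

# Way 2: per-entry tag. No noexec Defaults line applies to bob, so only the
# commands listed after NOEXEC: are restricted; /usr/bin/id is unaffected.
bob     server = /usr/bin/id, NOEXEC: PAGERS
```

Check the file with `visudo -c -f <file>` before installing it; `sudo -l` run as the affected user lists the tags that apply to each command.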
