MAINTENANCE COMMANDS SUDOERS(4)
NAME
sudoers - list of which users may execute what
DESCRIPTION
The sudoers file is composed of two types of entries:
aliases (basically variables) and user specifications (which
specify who may run what).
When multiple entries match for a user, they are applied in
order. Where there are multiple matches, the last match is
used (which is not necessarily the most specific match).
The sudoers grammar will be described below in Extended
Backus-Naur Form (EBNF). Don't despair if you don't know
what EBNF is; it is fairly simple, and the definitions below
are annotated.
Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of
a language. Each EBNF definition is made up of production
rules. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
Each production rule references others and thus makes up a
grammar for the language. EBNF also contains the following
operators, which many readers will recognize from regular
expressions. Do not, however, confuse them with "wildcard"
characters, which have different meanings.
? Means that the preceding symbol (or group of symbols) is
optional. That is, it may appear once or not at all.
* Means that the preceding symbol (or group of symbols)
may appear zero or more times.
+ Means that the preceding symbol (or group of symbols)
may appear one or more times.
Parentheses may be used to group symbols together. For
clarity, we will use single quotes ('') to designate what is
a verbatim character string (as opposed to a symbol name).
Aliases
There are four kinds of aliases: User_Alias, Runas_Alias,
Host_Alias and Cmnd_Alias.
1.6.9p17 Last change: Jun 21, 2008 1
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
'Host_Alias' Host_Alias (':' Host_Alias)* |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
Each alias definition is of the form
Alias_Type NAME = item1, item2, ...
where Alias_Type is one of User_Alias, Runas_Alias,
Host_Alias, or Cmnd_Alias. A NAME is a string of uppercase
letters, numbers, and underscore characters ('_'). A NAME
must start with an uppercase letter. It is possible to put
several alias definitions of the same type on a single line,
joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
The definitions of what constitutes a valid alias member
follow.
User_List ::= User |
User ',' User_List
User ::= '!'* username |
'!'* '%'group |
'!'* '+'netgroup |
'!'* User_Alias
A User_List is made up of one or more usernames, system
groups (prefixed with '%'), netgroups (prefixed with '+')
and other aliases. Each list item may be prefixed with one
or more '!' operators. An odd number of '!' operators
negate the value of the item; an even number just cancel
each other out.
Runas_List ::= Runas_User |
Runas_User ',' Runas_List
Runas_User ::= '!'* username |
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
'!'* Runas_Alias
A Runas_List is similar to a User_List except that it can
also contain uids (prefixed with '#') and instead of
User_Aliases it can contain Runas_Aliases. Note that
usernames and groups are matched as strings. In other
words, two users (groups) with the same uid (gid) are
considered to be distinct. If you wish to match all
usernames with the same uid (e.g. root and toor), you can
use a uid instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
Host ::= '!'* hostname |
'!'* ipaddr |
'!'* network(/netmask)? |
'!'* '+'netgroup |
'!'* Host_Alias
A Host_List is made up of one or more hostnames, IP
addresses, network numbers, netgroups (prefixed with '+')
and other aliases. Again, the value of an item may be
negated with the '!' operator. If you do not specify a
netmask along with the network number, sudo will query each
of the local host's network interfaces and, if the network
number corresponds to one of the host's network interfaces,
the corresponding netmask will be used. The netmask may be
specified either in standard IP address notation
(e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
notation (number of bits, e.g. 24 or 64). A hostname may
include shell-style wildcards (see the Wildcards section
below), but unless the hostname command on your machine
returns the fully qualified hostname, you'll need to use the
fqdn option for wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
commandname ::= filename |
filename args |
filename '""'
Cmnd ::= '!'* commandname |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
A Cmnd_List is a list of one or more commandnames,
directories, and other aliases. A commandname is a fully
qualified filename which may include shell-style wildcards
(see the Wildcards section below). A simple filename allows
the user to run the command with any arguments he/she
wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
without command line arguments. A directory is a fully
qualified pathname ending in a '/'. When you specify a
directory in a CmndList, the user will be able to run any
file within that directory (but not in any subdirectories
therein).
If a Cmnd has associated command line arguments, then the
arguments in the Cmnd must match exactly those given by the
user on the command line (or match the wildcards if there
are any). Note that the following characters must be
escaped with a '\' if they are used in command arguments:
',', ':', '=', '\'. The special command "sudoedit" is used
to permit a user to run sudo with the -e flag (or as
sudoedit). It may take command line arguments just as a
normal command does.
Defaults
Certain configuration options may be changed from their
default values at runtime via one or more Default_Entry
lines. These may affect all users on any host, all users on
a specific host, a specific user, or commands being run as a
specific user.
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
'!'* Parameter
Parameters may be flags, integer values, strings, or lists.
Flags are implicitly boolean and can be turned off via the
'!' operator. Some integer, string and list parameters may
also be used in a boolean context to disable them. Values
may be enclosed in double quotes (") when they contain
multiple words. Special characters may be escaped with a
backslash (\).
Lists have two additional assignment operators, += and -=.
These operators are used to add to and delete from a list
respectively. It is not an error to use the -= operator to
remove an element that does not exist in a list.
See "SUDOERS OPTIONS" for a list of supported Defaults
parameters.
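The Default_Type scopes and the list operators described above, as an added example that is not part of sudo: a small Python resolver that applies Defaults lines in file order on top of a set of compiled-in starting values, honours the @Host_List, :User_List and >Runas_List scopes, and implements =, += and -= for list parameters and ! for flags. The Defaults lines and the starting values are constructed for the example, and scope lists are matched literally (no aliases, netgroups or wildcards), which is a simplification.

```python
"""Resolve the effective Defaults for one (user, host, runas) triple: an added
example, not sudo's own code.  Entries apply in file order, so a later line
overrides an earlier one; '@', ':' and '>' scopes apply only when the probe
appears literally in the scope list (no aliases, netgroups or wildcards)."""
import re

DEFAULTS_RE = re.compile(r"^Defaults([@:>])?(\S*)\s+(.*)$")
PARAM_RE = re.compile(r'(!*)([A-Za-z_]+)\s*(\+=|-=|=)?\s*("[^"]*"|[^,\s]+)?')
LIST_PARAMS = {"env_keep", "env_check", "env_delete"}


def parse_defaults(text):
    """Return [(scope_kind, scope_items, [(negated, name, op, value), ...])]."""
    entries = []
    for raw in text.splitlines():
        m = DEFAULTS_RE.match(raw.split("#")[0].strip())
        if not m:
            continue                              # comment, blank or other line
        kind, scope, params = m.groups()
        parsed = []
        for param in re.split(r"(?<!\\),", params):
            bangs, name, op, value = PARAM_RE.match(param.strip()).groups()
            negated = len(bangs) % 2 == 1         # an even number of '!' cancels out
            parsed.append((negated, name, op, value.strip('"') if value else None))
        entries.append((kind, scope.split(",") if scope else [], parsed))
    return entries


def effective(entries, user, host, runas, base=None):
    """Apply every matching entry, in order, on top of the compiled-in values."""
    values = dict(base or {})
    for kind, scope, params in entries:
        probe = {"@": host, ":": user, ">": runas, None: None}[kind]
        if kind and probe not in scope:
            continue                              # scoped entry does not apply here
        for negated, name, op, value in params:
            if name in LIST_PARAMS:
                current = list(values.get(name, []))
                if op == "=":
                    current = value.split()       # replace the whole list
                elif op == "+=":
                    current += [v for v in value.split() if v not in current]
                elif op == "-=":                  # absent elements are silently ignored
                    current = [v for v in current if v not in value.split()]
                elif negated:
                    current = []                  # '!' disables the list
                values[name] = current
            elif op == "=":
                values[name] = value              # integer or string parameter
            else:
                values[name] = not negated        # flag, or a value used as a boolean
    return values


SAMPLE = """\
# Constructed sample; hosts and users are made up.
Defaults        env_reset, timestamp_timeout=5
Defaults        env_keep += "LANG LC_ALL"
Defaults        env_keep -= "LC_ALL DISPLAY"
Defaults:alice  !env_reset, !lecture
Defaults@www1   requiretty
Defaults>root   timestamp_timeout=0
"""
# Compiled-in starting values, also constructed for the example.
BASE = {"env_keep": ["HOME", "DISPLAY"], "env_reset": True, "lecture": "once"}
ENTRIES = parse_defaults(SAMPLE)

if __name__ == "__main__":
    for who in (("bob", "db1", "root"), ("alice", "www1", "operator")):
        print(who, effective(ENTRIES, *who, base=BASE))
```

Running it shows env_keep ending as HOME LANG for everyone (LC_ALL is added and then removed again, DISPLAY is removed, and removing an element that is absent is not an error), alice alone getting env_reset and lecture turned off, requiretty applying only on www1, and timestamp_timeout staying 5 except when the target user is root, where the later Defaults> line wins.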
User Specification
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:')
A user specification determines which commands a user may
run (and as what user) on specified hosts. By default,
commands are run as root, but this can be changed on a per-
command basis.
Let's break that down into its constituent parts:
Runas_Spec
A Runas_Spec is simply a Runas_List (as defined above)
enclosed in a set of parentheses. If you do not specify a
Runas_Spec in the user specification, a default Runas_Spec
of root will be used. A Runas_Spec sets the default for
commands that follow it. What this means is that for the
entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm
-- but only as operator. E.g.,
$ sudo -u operator /bin/ls.
It is also possible to override a RunasSpec later on in an
entry. If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user dgb is now allowed to run /bin/ls as operator, but
/bin/kill and /usr/bin/lprm as root.
Tag_Spec
A command may have zero or more tags associated with it.
There are six possible tag values, NOPASSWD, PASSWD, NOEXEC,
EXEC, SETENV and NOSETENV. Once a tag is set on a Cmnd,
subsequent Cmnds in the Cmnd_Spec_List inherit the tag
unless it is overridden by the opposite tag (i.e.: PASSWD
overrides NOPASSWD and NOEXEC overrides EXEC).
NOPASSWD and PASSWD
By default, sudo requires that a user authenticate him or
herself before running a command. This behavior can be
modified via the NOPASSWD tag. Like a Runas_Spec, the
NOPASSWD tag sets a default for the commands that follow it
in the Cmnd_Spec_List. Conversely, the PASSWD tag can be
used to reverse things. For example:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user ray to run /bin/kill, /bin/ls, and
/usr/bin/lprm as root on the machine rushmore without
authenticating himself. If we only want ray to be able to
run /bin/kill without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users
who are in the group specified by the exempt_group option.
By default, if the NOPASSWD tag is applied to any of the
entries for a user on the current host, he or she will be
able to run sudo -l without a password. Additionally, a
user may only run sudo -v without a password if the NOPASSWD
tag is present for all a user's entries that pertain to the
current host. This behavior may be overridden via the
verifypw and listpw options.
NOEXEC and EXEC
If sudo has been compiled with noexec support and the
underlying operating system supports it, the NOEXEC tag can
be used to prevent a dynamically-linked executable from
running further commands itself.
In the following example, user aaron may run /usr/bin/more
and /usr/bin/vi but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will work
on your system.
SETENV and NOSETENV
These tags override the value of the setenv option on a
per-command basis. Note that if SETENV has been set for a
command, any environment variables set on the command line
are not subject to the restrictions imposed by env_check,
env_delete, or env_keep. As such, only trusted users should
be allowed to set variables in this manner. If the command
matched is ALL, the SETENV tag is implied for that command;
this default may be overridden by use of the NOSETENV tag.
Wildcards
sudo allows shell-style wildcards (aka meta or glob
characters) to be used in pathnames as well as command line
arguments in the sudoers file. Wildcard matching is done
via the POSIX fnmatch(3) routine. Note that these are not
regular expressions.
* Matches any set of zero or more characters.
? Matches any single character.
[...] Matches any character in the specified range.
[!...] Matches any character not in the specified range.
\x For any character "x", evaluates to "x". This is
used to escape special characters such as: "*", "?",
"[", and "]".
Note that a forward slash ('/') will not be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash does get matched by
wildcards. This is to make a path like:
/usr/bin/*
match /usr/bin/who but not /usr/bin/X11/xterm.
Exceptions to wildcard rules
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line
argument in the sudoers entry it means that command
is not allowed to be run with any arguments.
Other special characters and reserved words
The pound sign ('#') is used to indicate a comment (unless
it is part of a #include directive or unless it occurs in
the context of a user name and is followed by one or more
digits, in which case it is treated as a uid). Both the
comment character and any text after it, up to the end of
the line, are ignored.
The reserved word ALL is a built-in alias that always causes
a match to succeed. It can be used wherever one might
otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, or
Host_Alias. You should not try to define your own alias
called ALL as the built-in alias will be used in preference
to your own. Please note that using ALL can be dangerous
since in a command context, it allows the user to run any
command on the system.
An exclamation point ('!') can be used as a logical not
operator both in an alias and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
using a ! in conjunction with the built-in ALL alias to
allow a user to run "all but a few" commands rarely works as
intended (see SECURITY NOTES below).
Long lines can be continued with a backslash ('\') as the
last character on the line.
Whitespace between elements in a list as well as special
syntactic characters in a User Specification ('=', ':', '(',
')') is optional.
The following characters must be escaped with a backslash
('\') when used as part of a word (e.g. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
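Everything from User Specification through the wildcard, ALL and ! rules above, as an added example in Python that is not sudo's own code: it parses a constructed sudoers fragment (aliases, a backslash-continued entry, a Runas_Spec override, NOPASSWD/PASSWD inheritance, a directory entry, the "" no-arguments marker and a negated Cmnd_Alias) and answers "may this user run this command, with these arguments, as that user, on this host?" with last-match-wins semantics. Simplifications, all assumptions of this example rather than statements about sudo: no netgroups, #uid, IP-network, Defaults or #include handling, a User_Spec carrying a single Host_List, and a made-up group table standing in for /etc/group. Users, hosts and commands are invented.

```python
"""Toy evaluator for the sudoers grammar above (added example, not sudo's code).
Assumptions: no netgroups, #uid, IP networks, Defaults, #include, or ':' Host_List
continuation of a User_Spec."""
import fnmatch, re

ALIAS_TYPES = {"User_Alias": "user", "Runas_Alias": "runas",
               "Host_Alias": "host", "Cmnd_Alias": "cmnd"}
TAG = r"(?:NO)?(?:PASSWD|EXEC|SETENV):"
SPEC_RE = re.compile(r"^\s*(?:\(([^)]*)\))?\s*((?:%s\s*)*)(.*?)\s*$" % TAG)

def _negation(item):                       # (negated, bare): an even '!' count cancels
    bangs = len(item) - len(item.lstrip("!"))
    return bangs % 2 == 1, item[bangs:]

def _split_items(text):                    # commas outside '(...)' and not escaped '\,'
    return [i.strip() for i in re.split(r"(?<!\\),(?![^(]*\))", text) if i.strip()]

def _cmnd_matches(pattern, path, args):    # pathname wildcards never match '/'
    if pattern.endswith("/"):              # directory: any file directly inside it
        return path.rsplit("/", 1)[0] + "/" == pattern
    pat_path, pat_args = (pattern.split(None, 1) + [""])[:2]
    p_segs, c_segs = pat_path.split("/"), path.split("/")
    if len(p_segs) != len(c_segs) or not all(map(fnmatch.fnmatchcase, c_segs, p_segs)):
        return False
    if pat_args == '""':                   # "" means: no arguments at all
        return not args
    return not pat_args or fnmatch.fnmatchcase(" ".join(args), pat_args.replace("\\,", ","))

class Sudoers:
    def __init__(self, text, groups=None):
        self.groups = groups or {}         # constructed stand-in for /etc/group
        self.aliases = {kind: {} for kind in ALIAS_TYPES.values()}
        self.specs = []                    # (User_List, Host_List, Cmnd_Spec_List)
        for raw in re.sub(r"\\\n\s*", " ", text).splitlines():   # join continued lines
            line = re.sub(r"#(?!\d).*", "", raw).strip()         # '#' + digits is a uid
            if not line or line.startswith("Defaults"):
                continue
            head = line.split(None, 1)[0]
            if head in ALIAS_TYPES:        # Alias_Type NAME = a, b : NAME = c
                for defn in re.split(r"(?<!\\):", line[len(head):]):
                    name, members = defn.split("=", 1)
                    self.aliases[ALIAS_TYPES[head]][name.strip()] = _split_items(members)
            else:                          # User_List Host_List = Cmnd_Spec_List
                lhs, rhs = line.split("=", 1)
                users, hosts = ([i.strip() for i in part.split(",")] for part in
                                re.split(r"(?<=[^,\s])\s+(?=[^,\s])", lhs.strip()))
                self.specs.append((users, hosts, self._cmnd_specs(rhs)))

    def _cmnd_specs(self, rhs):            # a Runas_Spec or tag stays in force until changed
        runas, tags, out = ["root"], set(), []
        for spec in _split_items(rhs):
            m = SPEC_RE.match(spec)
            if m.group(1) is not None:
                runas = _split_items(m.group(1))
            for tag in (t[:-1] for t in re.findall(TAG, m.group(2))):
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)              # the opposite tag is overridden
            out.append((runas, frozenset(tags), m.group(3)))
        return out

    def _match_list(self, kind, items, probe):   # last matching item decides
        result = None
        for negated, bare in map(_negation, items):
            hit = self._match_item(kind, bare, probe)
            result = result if hit is None else hit != negated
        return result

    def _match_item(self, kind, item, probe):    # True, or None for "no match"
        if item == "ALL":
            return True
        if item in self.aliases[kind]:
            return self._match_list(kind, self.aliases[kind][item], probe)
        hit = (_cmnd_matches(item, *probe) if kind == "cmnd" else
               probe in self.groups.get(item[1:], ()) if item.startswith("%") else
               fnmatch.fnmatchcase(probe, item))      # hostnames may carry wildcards
        return True if hit else None

    def check(self, user, host, cmnd, args=(), runas="root"):
        """(allowed, tags) from the last matching Cmnd; None if nothing matched."""
        verdict = None
        for users, hosts, cmnd_specs in self.specs:
            if self._match_list("user", users, user) and self._match_list("host", hosts, host):
                for runas_list, tags, item in cmnd_specs:
                    if self._match_list("runas", runas_list, runas):
                        negated, bare = _negation(item)
                        hit = self._match_item("cmnd", bare, (cmnd, list(args)))
                        if hit is not None:
                            verdict = (hit != negated, set(tags))
        return verdict

SAMPLE = r"""
# Constructed sample; users, hosts and commands are made up.
User_Alias  ADMINS = alice, bob
Host_Alias  WEB    = www1, www2
Cmnd_Alias  SHELLS = /bin/sh, /bin/bash, /usr/bin/*sh
ADMINS  WEB = (root) NOPASSWD: /usr/bin/systemctl restart nginx, \
              PASSWD: /bin/kill, /usr/local/bin/
carol   ALL = (operator) /bin/ls, (root) /bin/kill ""
%wheel  ALL = ALL, !SHELLS
"""
SUDOERS = Sudoers(SAMPLE, groups={"wheel": ["erin"]})
```

Evaluating SAMPLE shows the points the text makes: alice gets systemctl restart nginx without a password but kill with one, because the PASSWD tag cancels NOPASSWD for the commands after it; carol may run ls only as operator and kill only with no arguments; and the %wheel line is the "all but a few" pitfall, since erin is refused /bin/sh and /usr/bin/zsh but allowed /tmp/sh, a copied shell that no longer matches the SHELLS alias. /usr/bin/*sh also does not reach /usr/bin/X11/xsh, as a pathname wildcard never matches a slash.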
SUDOERS OPTIONS
sudo's behavior can be modified by Default_Entry lines, as
explained earlier. A list of all supported Defaults
parameters, grouped by type, is given below.
Flags:
always_set_home If set, sudo will set the HOME environment
variable to the home directory of the target
user (which is root unless the -u option is
used). This effectively means that the -H
flag is always implied. This flag is off by
default.
authenticate If set, users must authenticate themselves
via a password (or other means of
authentication) before they may run
commands. This default may be overridden
via the PASSWD and NOPASSWD tags. This flag
is on by default.
env_editor If set, visudo will use the value of the
EDITOR or VISUAL environment variables
before falling back on the default editor
list. Note that this may create a security
hole as it allows the user to run any
arbitrary command as root without logging.
A safer alternative is to place a colon-
separated list of editors in the editor
variable. visudo will then only use the
EDITOR or VISUAL if they match a value
specified in editor. This flag is off by
default.
env_reset If set, sudo will reset the environment to
only contain the LOGNAME, SHELL, USER,
USERNAME and the SUDO* variables. Any
variables in the caller's environment that
match the env_keep and env_check lists are
then added. The default contents of the
env_keep and env_check lists are displayed
when sudo is run by root with the -V option.
If sudo was compiled with the SECURE_PATH
option, its value will be used for the PATH
environment variable. This flag is on by
default.
fqdn Set this flag if you want to put fully
qualified hostnames in the sudoers file.
I.e., instead of myhost you would use
myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the
two). Beware that turning on fqdn requires
sudo to make DNS lookups which may make sudo
unusable if DNS stops working (for example
if the machine is not plugged into the
network). Also note that you must use the
host's official name as DNS knows it. That
is, you may not use a host alias (CNAME
entry) due to performance issues and the
fact that there is no way to get all aliases
from DNS. If your machine's hostname (as
returned by the hostname command) is already
fully qualified you shouldn't need to set
fqdn. This flag is off by default.
ignore_dot If set, sudo will ignore '.' or '' (current
dir) in the PATH environment variable; the
PATH itself is not modified. This flag is
off by default. Currently, while it is
possible to set ignoredot in sudoers, its
value is not used. This option should be
considered read-only (it will be fixed in a
future version of sudo).
ignore_local_sudoers
If set via LDAP, parsing of /etc/sudoers
will be skipped. This is intended for
Enterprises that wish to prevent the usage
of local sudoers files so that only LDAP is
used. This thwarts the efforts of rogue
operators who would attempt to add roles to
/etc/sudoers. When this option is present,
/etc/sudoers does not even need to exist.
Since this option tells sudo how to behave
when no specific LDAP entries have been
matched, this sudoOption is only meaningful
for the cn=defaults section. This flag is
off by default.
insults If set, sudo will insult users when they
enter an incorrect password. This flag is
off by default.
log_host If set, the hostname will be logged in the
(non-syslog) sudo log file. This flag is
off by default.
log_year If set, the four-digit year will be logged
in the (non-syslog) sudo log file. This
flag is off by default.
long_otp_prompt When validating with a One Time Password
(OTP) scheme such as S/Key or OPIE, a two-
line prompt is used to make it easier to cut
and paste the challenge to a local window.
It's not as pretty as the default but some
people find it more convenient. This flag
is off by default.
mail_always Send mail to the mailto user every time a
user runs sudo. This flag is off by
default.
mail_badpass Send mail to the mailto user if the user
running sudo does not enter the correct
password. This flag is off by default.
mail_no_host If set, mail will be sent to the mailto user
if the invoking user exists in the sudoers
file, but is not allowed to run commands on
the current host. This flag is off by
default.
mail_no_perms If set, mail will be sent to the mailto user
if the invoking user is allowed to use sudo
but the command they are trying is not
listed in their sudoers file entry or is
explicitly denied. This flag is off by
default.
mail_no_user If set, mail will be sent to the mailto user
if the invoking user is not in the sudoers
file. This flag is on by default.
noexec If set, all commands run via sudo will
behave as if the NOEXEC tag has been set,
unless overridden by an EXEC tag. See the
description of NOEXEC and EXEC above as well
as the "PREVENTING SHELL ESCAPES" section at
the end of this manual. This flag is off by
default.
path_info Normally, sudo will tell the user when a
command could not be found in their PATH
environment variable. Some sites may wish
to disable this as it could be used to
gather information on the location of
executables that the normal user does not
have access to. The disadvantage is that if
the executable is simply not in the user's
PATH, sudo will tell the user that they are
not allowed to run it, which can be
confusing. This flag is on by default.
passprompt_override
The password prompt specified by passprompt
will normally only be used if the password
prompt provided by systems such as PAM
matches the string "Password:". If
passpromptoverride is set, passprompt will
always be used. This flag is off by
default.
preserve_groups By default sudo will initialize the group
vector to the list of groups the target user
is in. When preservegroups is set, the
user's existing group vector is left
unaltered. The real and effective group
IDs, however, are still set to match the
target user. This flag is off by default.
requiretty If set, sudo will only run when the user is
logged in to a real tty. This will disallow
things like "rsh somehost sudo ls" since
rsh(1) does not allocate a tty. Because it
is not possible to turn off echo when there
is no tty present, some sites may wish to
set this flag to prevent a user from
entering a visible password. This flag is
off by default.
root_sudo If set, root is allowed to run sudo too.
Disabling this prevents users from
"chaining" sudo commands to get a root shell
by doing something like "sudo sudo /bin/sh".
Note, however, that turning off root_sudo
will also prevent root from running
sudoedit. Disabling root_sudo provides no
real additional security; it exists purely
for historical reasons. This flag is on by
default.
rootpw If set, sudo will prompt for the root
password instead of the password of the
invoking user. This flag is off by default.
runaspw If set, sudo will prompt for the password of
the user defined by the runas_default option
(defaults to root) instead of the password
of the invoking user. This flag is off by
default.
set_home If set and sudo is invoked with the -s flag
the HOME environment variable will be set to
the home directory of the target user (which
is root unless the -u option is used). This
effectively makes the -s flag imply -H.
This flag is off by default.
set_logname Normally, sudo will set the LOGNAME, USER
and USERNAME environment variables to the
name of the target user (usually root unless
the -u flag is given). However, since some
programs (including the RCS revision control
system) use LOGNAME to determine the real
identity of the user, it may be desirable to
change this behavior. This can be done by
negating the set_logname option. Note that
if the env_reset option has not been
disabled, entries in the env_keep list will
override the value of setlogname. This
flag is off by default.
setenv Allow the user to disable the env_reset
option from the command line. Additionally,
environment variables set via the command
line are not subject to the restrictions
imposed by env_check, env_delete, or
env_keep. As such, only trusted users
should be allowed to set variables in this
manner. This flag is off by default.
shell_noargs If set and sudo is invoked with no arguments
it acts as if the -s flag had been given.
That is, it runs a shell as root (the shell
is determined by the SHELL environment
variable if it is set, falling back on the
shell listed in the invoking user's
/etc/passwd entry if not). This flag is off
by default.
stay_setuid Normally, when sudo executes a command the
real and effective UIDs are set to the
target user (root by default). This option
changes that behavior such that the real UID
is left as the invoking user's UID. In
other words, this makes sudo act as a setuid
wrapper. This can be useful on systems that
disable some potentially dangerous
functionality when a program is run setuid.
This option is only effective on systems
with either the setreuid() or setresuid()
function. This flag is off by default.
targetpw If set, sudo will prompt for the password of
the user specified by the -u flag (defaults
to root) instead of the password of the
invoking user. Note that this precludes the
use of a uid not listed in the passwd
database as an argument to the -u flag.
This flag is off by default.
tty_tickets If set, users must authenticate on a per-tty
basis. Normally, sudo uses a directory in
the ticket dir with the same name as the
user running it. With this flag enabled,
sudo will use a file named for the tty the
user is logged in on in that directory.
This flag is off by default.
Integers:
passwd_tries The number of tries a user gets to enter
his/her password before sudo logs the
failure and exits. The default is 3.
Integers that can be used in a boolean context:
loglinelen Number of characters per line for the file
log. This value is used to decide when to
wrap lines for nicer log files. This has no
effect on the syslog log file, only the file
log. The default is 80 (use 0 or negate the
option to disable word wrap).
passwd_timeout Number of minutes before the sudo password
prompt times out. The default is 5; set
this to 0 for no password timeout.
timestamp_timeout
Number of minutes that can elapse before
sudo will ask for a passwd again. The
default is 5. Set this to 0 to always
prompt for a password. If set to a value
less than 0 the user's timestamp will never
expire. This can be used to allow users to
create or delete their own timestamps via
sudo -v and sudo -k respectively.
umask Umask to use when running the command.
Negate this option or set it to 0777 to
preserve the user's umask. The default is
0022.
Strings:
badpass_message Message that is displayed if a user enters
an incorrect password. The default is
Sorry, try again. unless insults are
enabled.
editor A colon (':') separated list of editors
allowed to be used with visudo. visudo will
choose the editor that matches the user's
EDITOR environment variable if possible, or
the first editor in the list that exists and
is executable. The default is the path to
vi on your system.
mailsub Subject of the mail sent to the mailto user.
The escape %h will expand to the hostname of
the machine. Default is *** SECURITY
information for %h ***.
noexec_file Path to a shared library containing dummy
versions of the execv(), execve() and
fexecve() library functions that just return
an error. This is used to implement the
noexec functionality on systems that support
LD_PRELOAD or its equivalent. Defaults to
/usr/lib/sudo_noexec.so.
passprompt The default prompt to use when asking for a
password; can be overridden via the -p
option or the SUDO_PROMPT environment
variable. The following percent (`%')
escapes are supported:
%H expanded to the local hostname including
the domain name (only if the machine's
hostname is fully qualified or the fqdn
option is set)
%h expanded to the local hostname without
the domain name
%p expanded to the user whose password is
being asked for (respects the rootpw,
targetpw and runaspw flags in sudoers)
%U expanded to the login name of the user
the command will be run as (defaults to
root)
%u expanded to the invoking user's login
name
%% two consecutive % characters are
collapsed into a single % character
The default value is Password:.
runas_default The default user to run commands as if the
-u flag is not specified on the command
line. This defaults to root. Note that if
runas_default is set it must occur before
any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user
authenticates unsuccessfully. Defaults to
alert.
syslog_goodpri Syslog priority to use when user
authenticates successfully. Defaults to
notice.
timestampdir The directory in which sudo stores its
timestamp files. The default is
/var/run/sudo.
timestampowner The owner of the timestamp directory and the
timestamps stored therein. The default is
root.
Strings that can be used in a boolean context:
exempt_group
Users in this group are exempt from password and
PATH requirements. This is not set by default.
lecture This option controls when a short lecture will
be printed along with the password prompt. It
has the following possible values:
always Always lecture the user.
never Never lecture the user.
once Only lecture the user the first time
they run sudo.
If no value is specified, a value of once is
implied. Negating the option results in a value
of never being used. The default value is once.
lecture_file
Path to a file containing an alternate sudo
lecture that will be used in place of the
standard lecture if the named file exists. By
default, sudo uses a built-in lecture.
listpw This option controls when a password will be
required when a user runs sudo with the -l flag.
It has the following possible values:
all All the user's sudoers entries for the
current host must have the NOPASSWD flag
set to avoid entering a password.
always The user must always enter a password to
use the -l flag.
any At least one of the user's sudoers
entries for the current host must have
the NOPASSWD flag set to avoid entering
a password.
never The user need never enter a password to
use the -l flag.
If no value is specified, a value of any is
implied. Negating the option results in a value
of never being used. The default value is any.
logfile Path to the sudo log file (not the syslog log
file). Setting a path turns on logging to a
file; negating this option turns it off. By
default, sudo logs via syslog.
mailerflags Flags to use when invoking mailer. Defaults to
-t.
mailerpath Path to mail program used to send warning mail.
Defaults to the path to sendmail found at
configure time.
mailto Address to send warning and error mail to. The
address should be enclosed in double quotes (")
to protect against sudo interpreting the @ sign.
Defaults to root.
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
Defaults to local2.
verifypw This option controls when a password will be
required when a user runs sudo with the -v flag.
It has the following possible values:
all All the user's sudoers entries for the
current host must have the NOPASSWD flag
set to avoid entering a password.
always The user must always enter a password to
use the -v flag.
any At least one of the user's sudoers
entries for the current host must have
the NOPASSWD flag set to avoid entering
a password.
never The user need never enter a password to
use the -v flag.
If no value is specified, a value of all is
implied. Negating the option results in a value
of never being used. The default value is all.
Lists that can be used in a boolean context:
env_check Environment variables to be removed from the
user's environment if the variable's value
contains % or / characters. This can be
used to guard against printf-style format
vulnerabilities in poorly-written programs.
The argument may be a double-quoted, space-
separated list or a single value without
double-quotes. The list can be replaced,
added to, deleted from, or disabled by using
the =, +=, -=, and ! operators respectively.
Regardless of whether the env_reset option
is enabled or disabled, variables specified
by env_check will be preserved in the
environment if they pass the aforementioned
check. The default list of environment
variables to check is displayed when sudo is
run by root with the -V option.
env_delete Environment variables to be removed from the
user's environment. The argument may be a
double-quoted, space-separated list or a
single value without double-quotes. The
list can be replaced, added to, deleted
from, or disabled by using the =, +=, -=,
and ! operators respectively. The default
list of environment variables to remove is
displayed when sudo is run by root with the
-V option. Note that many operating systems
will remove potentially dangerous variables
from the environment of any setuid process
(such as sudo).
env_keep Environment variables to be preserved in the
user's environment when the env_reset option
is in effect. This allows fine-grained
control over the environment sudo-spawned
processes will receive. The argument may be
a double-quoted, space-separated list or a
single value without double-quotes. The
list can be replaced, added to, deleted
from, or disabled by using the =, +=, -=,
and ! operators respectively. The default
list of variables to keep is displayed when
sudo is run by root with the -V option.
When logging via syslog(3), sudo accepts the following
values for the syslog facility (the value of the syslog
Parameter): authpriv (if your OS supports it), auth,
daemon, user, local0, local1, local2, local3, local4,
local5, local6, and local7. The following syslog priorities
are supported: alert, crit, debug, emerg, err, info, notice,
and warning.
FILES
/etc/sudoers List of who can run what
/etc/group Local groups file
/etc/netgroup List of network groups
EXAMPLES
Since the sudoers file is parsed in a single pass, order is
important. In general, you should structure sudoers such
that the Host_Alias, User_Alias, and Cmnd_Alias
specifications come first, followed by any Default_Entry
lines, and finally the Runas_Alias and user specifications.
The basic rule of thumb is you cannot reference an Alias
that has not already been defined.
Below are example sudoers entries. Admittedly, some of
these are a bit contrived. First, we define our aliases:
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Here we override some of the compiled-in default values. We
want sudo to log via syslog(3) using the auth facility in
all cases. We don't want to subject the full time staff to
the sudo lecture, user millert need not give a password, and
we don't want to reset the LOGNAME, USER or USERNAME
environment variables when running commands as root.
Additionally, on the machines in the SERVERS Host_Alias, we
keep an additional local log file and make sure we log the
year in each log line since the log entries will be kept
around for several years. Lastly, we disable shell escapes
for the commands in the PAGERS Cmnd_Alias (/usr/bin/more,
/usr/bin/pg and /usr/bin/less).
# Override built-in defaults
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
The User specification is the part that actually determines
who may run what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
We let root and any user in group wheel run any command on
any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (millert, mikef, and dowdy) may run any
command on any host without authenticating themselves.
PARTTIMERS ALL = ALL
Part time sysadmins (bostley, jwfox, and crawl) may run any
command on any host but they must authenticate themselves
first (since the entry lacks the NOPASSWD tag).
jack CSNETS = ALL
The user jack may run any command on the machines in the
CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and
128.138.242.0). Of those networks, only 128.138.204.0 has
an explicit netmask (in CIDR notation) indicating it is a
class C network. For the other networks in CSNETS, the
local machine's netmask will be used during matching.
lisa CUNETS = ALL
The user lisa may run any command on any host in the CUNETS
alias (the class B network 128.138.0.0).
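The following Python program is an added example, not code from the sudo distribution. It models the host-matching rule described for the jack and lisa entries: a network entry with an explicit netmask (CIDR or dotted) is matched as written, while a bare network address is matched using the local machine's netmask. The CSNETS and CUNETS members are the ones defined above; the host addresses and local netmasks are constructed for illustration. The last query shows the consequence a practitioner should check for: on a machine whose interface carries a wider netmask than the rule author assumed, a bare entry such as 128.138.243.0 matches far more hosts than intended.

```python
"""Host matching for sudoers network entries.

Added example, not sudo's own code.  Explicit netmasks are honoured as
written; bare network addresses take the local machine's netmask.
Host addresses and netmasks below are constructed for illustration.
"""

import ipaddress


def entry_network(entry, local_netmask):
    """ip_network for an address-style entry, or None for a hostname / ALL."""
    if "/" in entry:
        # Explicit netmask: "128.138.204.0/24" or "128.138.0.0/255.255.0.0".
        return ipaddress.ip_network(entry, strict=False)
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return None
    # Bare address: the local netmask decides how wide the match is.
    return ipaddress.ip_network("%s/%s" % (addr, local_netmask), strict=False)


def host_entry_matches(entry, hostname, host_ip, local_netmask):
    """One Host_Alias member against the local host's name and address."""
    net = entry_network(entry, local_netmask)
    if net is None:
        return entry == "ALL" or entry == hostname
    return ipaddress.ip_address(host_ip) in net


def host_alias_matches(members, hostname, host_ip, local_netmask):
    """A Host_Alias matches if any of its members matches."""
    return any(host_entry_matches(m, hostname, host_ip, local_netmask)
               for m in members)


# Copied from the Host_Alias definitions on this page.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]

if __name__ == "__main__":
    # Intended deployment: class C subnets, local netmask 255.255.255.0.
    print(host_alias_matches(CSNETS, "eclipse", "128.138.243.17", "255.255.255.0"))
    print(host_alias_matches(CSNETS, "ns", "128.138.1.1", "255.255.255.0"))
    print(host_alias_matches(CUNETS, "ns", "128.138.1.1", "255.255.255.0"))
    # Same rule on a host whose interface is configured with a /16 netmask:
    # the bare CSNETS entries now denote 128.138.0.0/16, so jack's rule
    # matches the whole class B network.
    print(host_alias_matches(CSNETS, "ns", "128.138.1.1", "255.255.0.0"))
```

Only 128.138.204.0/24 behaves the same way regardless of the local interface configuration; writing the netmask explicitly on every network entry removes that dependency.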
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
The operator user may run commands limited to simple
maintenance. Here, those are commands related to backups,
killing processes, the printing system, shutting down the
system, and any commands in the directory /usr/oper/bin/.
joe AL = /usr/bin/su operator
The user joe may only su(1) to operator.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyone's password except
for root on the HPA machines. Note that this assumes
passwd(1) does not take multiple usernames on the command
line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user bob may run anything on the SPARC and SGI machines
as any user listed in the OP Runas_Alias (root and
operator).
jim +biglab = ALL
The user jim may run any command on machines in the biglab
netgroup. sudo knows that "biglab" is a netgroup due to the
'+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the secretaries netgroup need to help manage the
printers as well as add and remove users, so they are
allowed to run those commands on all machines.
fred ALL = (DB) NOPASSWD: ALL
The user fred can run commands as any user in the DB
Runas_Alias (oracle or sybase) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the ALPHA machines, user john may su to anyone except
root but he is not allowed to give su(1) any flags.
jen ALL, !SERVERS = ALL
The user jen may run any command on any machine except for
those in the SERVERS Host_Alias (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the SERVERS Host_Alias, jill may run any
commands in the directory /usr/bin/ except for those
commands belonging to the SU and SHELLS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/opcommands/
The user steve may run any command in the directory
/usr/local/opcommands/ but only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie, matt needs to be able
to kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the WEBMASTERS User_Alias
(will, wendy, and wim), may run any command as user www
(which owns the web pages) or simply su(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in
the CDROM Host_Alias (orion, perseus, hercules) without
entering a password. This is a bit tedious for users to
type, so it is a prime candidate for encapsulating in a
shell script.
SECURITY NOTES
It is generally not effective to "subtract" commands from
ALL using the '!' operator. A user can trivially circumvent
this by copying the desired command to a different name and
then executing that. For example:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed
in SU or SHELLS since he can simply copy those commands to a
different name, or use a shell escape from an editor or
other program. Therefore, this kind of restriction should
be considered advisory at best (and reinforced by policy).
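The following Python program is an added example, not code from the sudo distribution. It is a simplified evaluator for user specifications that walks the entries in file order and lets the last matching command entry decide, with a '!' entry producing a denial. It uses the bill entry above together with the jill and pete entries from EXAMPLES (aliases expanded by hand) and shows three things the prose describes: a shell copied to /tmp/sh is not caught by !SHELLS, a trailing '/' matches only files directly in that directory, and pete's rule still lets "passwd alice root" through because only the argument string "root" on its own is excluded. Argument patterns are matched with fnmatch against the arguments joined by spaces; Runas lists are ignored and the queries are constructed for illustration.

```python
"""Command matching and the last-match rule for sudoers user specifications.

Added example, not sudo's own code.  Simplified: Runas lists are ignored,
aliases are pre-expanded, and argument patterns are matched with fnmatch
against the user's arguments joined by single spaces.
"""

import fnmatch
import os

ALL = "ALL"


def cmnd_matches(spec, cmnd, args):
    """spec: ALL, "/dir/", "/path" (any args), or "/path argpattern" ('""' = no args)."""
    if spec == ALL:
        return True
    path, _, argpat = spec.partition(" ")
    if path.endswith("/"):
        # Directory entry: files in that directory only, no subdirectories.
        return os.path.dirname(cmnd) + "/" == path
    if not fnmatch.fnmatchcase(cmnd, path):
        return False
    if argpat == "":
        return True                 # no arguments listed: any arguments match
    if argpat == '""':
        return args == []           # empty string: the command must take no arguments
    return fnmatch.fnmatchcase(" ".join(args), argpat)


def sudoers_lookup(rules, user, host, cmnd, args):
    """Return "allow", "deny", or None (nothing matched; sudo denies)."""
    decision = None
    for r_user, r_hosts, cmnd_specs in rules:
        if r_user not in (user, ALL):
            continue
        if r_hosts != ALL and host not in r_hosts:
            continue
        for negated, spec in cmnd_specs:
            if cmnd_matches(spec, cmnd, args):
                decision = "deny" if negated else "allow"   # last match wins
    return decision


def deny(alias):
    """Expand "!ALIAS" into one negated entry per member."""
    return [(True, c) for c in alias]


# Aliases copied from this page.
SU = ["/usr/bin/su"]
SHELLS = ["/usr/bin/sh", "/usr/bin/csh", "/usr/bin/ksh",
          "/usr/local/bin/tcsh", "/usr/bin/rsh", "/usr/local/bin/zsh"]
SERVERS = ["master", "mail", "www", "ns"]
HPPA = ["boa", "nag", "python"]

RULES = [
    # bill ALL = ALL, !SU, !SHELLS
    ("bill", ALL, [(False, ALL)] + deny(SU) + deny(SHELLS)),
    # jill SERVERS = /usr/bin/, !SU, !SHELLS
    ("jill", SERVERS, [(False, "/usr/bin/")] + deny(SU) + deny(SHELLS)),
    # pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
    ("pete", HPPA, [(False, "/usr/bin/passwd [A-z]*"),
                    (True, "/usr/bin/passwd root")]),
]

if __name__ == "__main__":
    print(sudoers_lookup(RULES, "bill", "mail", "/usr/bin/sh", []))
    print(sudoers_lookup(RULES, "bill", "mail", "/tmp/sh", []))     # copied shell
    print(sudoers_lookup(RULES, "jill", "www", "/usr/bin/vi", []))
    print(sudoers_lookup(RULES, "jill", "www", "/usr/bin/X11/xterm", []))
    print(sudoers_lookup(RULES, "pete", "boa", "/usr/bin/passwd", ["root"]))
    print(sudoers_lookup(RULES, "pete", "boa", "/usr/bin/passwd", ["alice", "root"]))
```

The evaluator makes the page's point mechanical: a '!' entry only ever removes paths that match it literally, so any path the user controls (a copy in /tmp, a symlink, a shell reached from an editor) is decided by the preceding ALL.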
PREVENTING SHELL ESCAPES
Once sudo executes a program, that program is free to do
whatever it pleases, including run other programs. This can
be a security issue since it is not uncommon for a program
to allow shell escapes, which lets a user bypass sudo's
access control and logging. Common programs that permit
shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
There are two basic approaches to this problem:
restrict Avoid giving users access to commands that allow
the user to run arbitrary commands. Many editors
have a restricted mode where shell escapes are
disabled, though sudoedit is a better solution to
running editors via sudo. Due to the large number
of programs that offer shell escapes, restricting
users to the set of programs that do not is often
unworkable.
noexec Many systems that support shared libraries have
the ability to override default library functions
by pointing an environment variable (usually
LD_PRELOAD) to an alternate shared library. On
such systems, sudo's noexec functionality can be
used to prevent a program run by sudo from
executing any other programs. Note, however, that
this applies only to native dynamically-linked
executables. Statically-linked executables and
foreign executables running under binary emulation
are not affected.
To tell whether or not sudo supports noexec, you
can run the following as root:
sudo -V | grep "dummy exec"
If the resulting output contains a line that
begins with:
File containing dummy exec functions:
then sudo may be able to replace the exec family
of functions in the standard library with its own
that simply return an error. Unfortunately, there
is no foolproof way to know whether or not noexec
will work at compile-time. noexec should work on
SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known not to work
on AIX and UnixWare. noexec is expected to work
on most operating systems that support the
LD_PRELOAD environment variable. Check your
operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl, rld,
or loader) to see if LD_PRELOAD is supported.
To enable noexec for a command, use the NOEXEC tag
as documented in the User Specification section
above. Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user aaron to run /usr/bin/more and
/usr/bin/vi with noexec enabled. This will
prevent those two commands from executing other
commands (such as a shell). If you are unsure
whether or not your system is capable of
supporting noexec you can always just try it out
and see if it works.
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many
potentially hazardous operations (such as changing or
overwriting files) that could lead to unintended privilege
escalation. In the specific case of an editor, a safer
approach is to give the user permission to run sudoedit.
SEE ALSO
rsh(1), su(1), fnmatch(3), sudo(1m), visudo(8)
CAVEATS
The sudoers file should always be edited by the visudo
command which locks the file and does grammatical checking.
It is imperative that sudoers be free of syntax errors since
sudo will not run with a syntactically incorrect sudoers
file.
When using netgroups of machines (as opposed to users), if
you store fully qualified hostnames in the netgroup (as is
usually the case), you either need to have the machine's
hostname be fully qualified as returned by the hostname
command or use the fqdn option in sudoers.
BUGS
If you feel you have found a bug in sudo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
SUPPORT
Limited free support is available via the sudo-users mailing
list, see http://www.sudo.ws/mailman/listinfo/sudo-users to
subscribe or search the archives.
DISCLAIMER
sudo is provided ``AS IS'' and any express or implied
warranties, including, but not limited to, the implied
warranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
with sudo or http://www.sudo.ws/sudo/license.html for
complete details.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            SUNWsudor, SUNWsudou
Interface Stability     Uncommitted
NOTES
sudo does not create audit(2) records; for a Role Based
administration solution that performs auditing of all
actions, please refer to rbac(5).
Source for sudo is available on http://opensolaris.org.