dagwieers edited this page Jun 6, 2012 · 3 revisions

op - controlled privilege escalation


The op tool provides a flexible means for system administrators to grant access to certain root operations without having to give them full superuser privileges. Different sets of users may access different operations, and the security-related aspects of each operation can be carefully controlled.

It was originally written around 1990 by Tom Christiansen and Dave Koblas. Further updates and porting were performed by Howard Owen. The last version of this vintage is available here. The current version is maintained by Alec Thomas.

I first came into contact with op whilst working at Access Gaming Systems, where op was used extensively to control developer and administrator access to resources.


Discussion relating to the development of op can be found here. Feel free to log in and add your ideas and comments.

Extra Feature Patches

Some kind op users have contributed patches that add extra features which others might find useful. You can get them here.

Bugs/Feature Requests

Report bugs or feature requests or view active tickets.

Change Log

The op/changelog contains the history of releases and their changes.


The man page included with op is the authoritative source of information for configuration and usage of op, but some of its more interesting features are documented briefly below.

Original Features


The main attraction of op over sudo is its use of mnemonics rather than true commands. This allows an administrator to present users with more intuitive commands.

For example, instead of requiring the user to do something like this:

$ sudo /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom

op allows the following:

$ op mount cd

Fine-grained Per-Command Control

Each command in the op configuration file has a number of keywords and key/value pairs associated with it. Each of these modifies the default behaviour. The keyword environment, for example, passes the original users environment on to the final command.

A Really Short Name

op has a short name and as any Unix head should know, this can only be a Good Thing (tm).

New Features

I have added quite a few features since encountering version 1.11 of op. Some of the more basic additions are PAM support and various security fixes. Other more interesting additions follow.

Host-based Access Control

Host-based access control is particularly useful for environments where a single op.conf is used among multiple servers.

Here is an example of host based restriction. The user athomas can only execute xine on host cavern.

xine    /usr/bin/xine;

Variable Expansion

The ability to restrict access by host also required the addition of basic variable expansion to ease in the management of large access control lists.

The following example shows the expansion of a user/host list. It allows the user athomas to obtain a root shell on all servers, while the user dcooper may only obtain root on the internal servers cavern and seraph.




shell /bin/su -; users=ACL environment password

The final line would be expanded to the following, which is matched as a regular expression against user@hostname.

shell /bin/su -; users=athomas@(blink|iris|cavern|seraph),dcooper@(cavern|seraph)

Command Expiration

op has the ability to expire access to arbitrary commands at a specific time.

This example lets the users admin and operator start/stop/restart Apache, however the operator users access will expire at midnight on the 20th of January 2004.

apache  /usr/sbin/apachectl $1;

Multi-line Arguments

op arguments can now be quoted multi-line strings, which allows small scripts to be defined directly in the op.conf:

mount   /bin/sh -c '
        case $1 in
                cdrom) /bin/mount /mnt/cdrom ;;
                dvd) /bin/mount -o ro /dev/dvd /mnt/dvd ;;
                burner) /bin/mount -o ro /dev/burner /mnt/burner ;;
                *) echo "op: you do not have permission to mount \'$1\'" 1>2 ;;
        users=ROOT_USERS environment


Netgroups can be used to restrict access to mnemonics:

reboot   /sbin/reboot;

Config Directory (new in 1.26)

All configuration files in /etc/op.d with the extension .conf are read. This reduces administration overhead in enterprise environments.



Things tagged op:

Example Configuration File

# Host definitions

# User definitions

# ACL definitions

# Group definitions

# Actions requiring authentication
shell /bin/su -; users=ASN_ACL environment password
sh /bin/su -; users=ASN_ACL environment password
vi /usr/bin/vi $*; users=ASN_ACL password
reboot /sbin/reboot; users=ASN_ACL environment password

# Password-less commands
shutdown /sbin/shutdown -h $1; users=ASN_ACL environment
	$1=now|[2[0-3 0-1]?[0-9]:[0-9][0-9]]:[0-5][0-9]|\+[0-9]+
ethereal /usr/bin/ethereal $*; users=ASN_ACL environment
nomad /usr/bin/nomad $*; users=ASN_ACL environment
tcpdump /usr/sbin/tcpdump $*; users=ASN_ACL environment
nmap /usr/bin/nmap $*; users=ASN_ACL environment
updatedb /usr/bin/updatedb; users=ASN_ACL environment
makewhatis /bin/sh -c '
		/usr/sbin/makewhatis &
		echo makewhatis running in the background
	users=ASN_ACL environment
cdrom /sbin/mount /mnt/cdrom; users=ASN_ACL
eject /usr/bin/eject; users=ASN_ACL
nmap /usr/bin/nmap $*; users=ASN_ACL environment
grip /bin/sh -c '/usr/bin/nice -n 19 /usr/bin/grip &';

# Cavern local commands
gtkam	/usr/bin/gtkam; users{{{athomas environment $DISPLAY $GTKRC}}}/home/athomas/.gtkrc
drip	/usr/bin/drip; users{{{athomas environment $DISPLAY $GTKRC}}}/home/athomas/.gtkrc
evms	/bin/sh -c 'PATH{{{/sbin:/usr/sbin:$PATH /sbin/evmsgui &'; users}}}athomas environment $DISPLAY $GTKRC=/home/athomas/.gtkrc
xine	/usr/bin/xine; users=athomas environment $DISPLAY

# An example of scripts within an op command
mount	/bin/sh -c '
	case $1 in
		cdrom) /bin/mount /mnt/cdrom ;;
		dvd) /bin/mount -o ro /dev/dvd /mnt/dvd ;;
		burner) /bin/mount -o ro /dev/burner /mnt/burner ;;
		*) echo "op: you do not have permission to mount \'$1\'" ;;
	users=athomas environment

apache	/usr/sbin/apachectl $1;

umount	/bin/sh -c '
	case $1 in
		cdrom) /bin/umount /mnt/cdrom ;;
		dvd) /bin/umount /mnt/dvd ;;
		burner) /bin/umount /mnt/burner ;;
		*) echo "op: you do not have permission to unmount \'$1\'" ;;
	users=athomas environment

tail	/usr/bin/tail -f $1; users=athomas
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.