forked from sudo-project/sudo
-
Notifications
You must be signed in to change notification settings - Fork 1
/
sudoers.man.in
5294 lines (5268 loc) · 119 KB
/
sudoers.man.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDOERS" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoers\fR
\- default sudo security policy plugin
.SH "DESCRIPTION"
The
\fBsudoers\fR
policy plugin determines a user's
\fBsudo\fR
privileges.
It is the default
\fBsudo\fR
policy plugin.
The policy is driven by
the
\fI@sysconfdir@/sudoers\fR
file or, optionally in LDAP.
The policy format is described in detail in the
\fISUDOERS FILE FORMAT\fR
section.
For information on storing
\fBsudoers\fR
policy information
in LDAP, please see
sudoers.ldap(@mansectform@).
.SS "Configuring sudo.conf for sudoers"
\fBsudo\fR
consults the
sudo.conf(@mansectform@)
file to determine which policy and and I/O logging plugins to load.
If no
sudo.conf(@mansectform@)
file is present, or if it contains no
\fRPlugin\fR
lines,
\fBsudoers\fR
will be used for policy decisions and I/O logging.
To explicitly configure
sudo.conf(@mansectform@)
to use the
\fBsudoers\fR
plugin, the following configuration can be used.
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
.RE
.fi
.PP
Starting with
\fBsudo\fR
1.8.5, it is possible to specify optional arguments to the
\fBsudoers\fR
plugin in the
sudo.conf(@mansectform@)
file.
These arguments, if present, should be listed after the path to the plugin
(i.e.\& after
\fIsudoers.so\fR).
Multiple arguments may be specified, separated by white space.
For example:
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.RE
.fi
.PP
The following plugin arguments are supported:
.TP 10n
ldap_conf=pathname
The
\fIldap_conf\fR
argument can be used to override the default path to the
\fIldap.conf\fR
file.
.TP 10n
ldap_secret=pathname
The
\fIldap_secret\fR
argument can be used to override the default path to the
\fIldap.secret\fR
file.
.TP 10n
sudoers_file=pathname
The
\fIsudoers_file\fR
argument can be used to override the default path to the
\fIsudoers\fR
file.
.TP 10n
sudoers_uid=uid
The
\fIsudoers_uid\fR
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
.TP 10n
sudoers_gid=gid
The
\fIsudoers_gid\fR
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group ID (not a group name).
.TP 10n
sudoers_mode=mode
The
\fIsudoers_mode\fR
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.PP
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SS "User Authentication"
The
\fBsudoers\fR
security policy requires that most users authenticate
themselves before they can use
\fBsudo\fR.
A password is not required
if the invoking user is root, if the target user is the same as the
invoking user, or if the policy has disabled authentication for the
user or command.
Unlike
su(1),
when
\fBsudoers\fR
requires
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
This can be changed via
the
\fIrootpw\fR,
\fItargetpw\fR
and
\fIrunaspw\fR
flags, described later.
.PP
If a user who is not listed in the policy tries to run a command
via
\fBsudo\fR,
mail is sent to the proper authorities.
The address
used for such mail is configurable via the
\fImailto\fR
Defaults entry
(described later) and defaults to
\fR@mailto@\fR.
.PP
Note that no mail will be sent if an unauthorized user tries to run
\fBsudo\fR
with the
\fB\-l\fR
or
\fB\-v\fR
option unless there is an authentication error and
either the
\fImail_always\fR
or
\fImail_badpass\fR
flags are enabled.
This allows users to
determine for themselves whether or not they are allowed to use
\fBsudo\fR.
All attempts to run
\fBsudo\fR
(successful or not)
will be logged, regardless of whether or not mail is sent.
.PP
If
\fBsudo\fR
is run by root and the
\fRSUDO_USER\fR
environment variable
is set, the
\fBsudoers\fR
policy will use this value to determine who
the actual user is.
This can be used by a user to log commands
through sudo even when a root shell has been invoked.
It also
allows the
\fB\-e\fR
option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
\fIsudoers\fR
file lookup is still done for root, not the user specified by
\fRSUDO_USER\fR.
.PP
\fBsudoers\fR
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the
terminal session ID, and a time stamp
(using a monotonic clock if one is available).
The user may then use
\fBsudo\fR
without a password for a short period of time
(\fR@timeout@\fR
minutes unless overridden by the
\fItimeout\fR
option)
\&.
By default,
\fBsudoers\fR
uses a separate record for each tty, which means that
a user's login sessions are authenticated separately.
The
\fItty_tickets\fR
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
.SS "Logging"
\fBsudoers\fR
can log both successful and unsuccessful attempts (as well
as errors) to
syslog(3),
a log file, or both.
By default,
\fBsudoers\fR
will log via
syslog(3)
but this is changeable via the
\fIsyslog\fR
and
\fIlogfile\fR
Defaults settings.
See
\fILOG FORMAT\fR
for a description of the log file format.
.PP
\fBsudoers\fR
is also capable of running a command in a pseudo-tty and logging all
input and/or output.
The standard input, standard output and standard error can be logged
even when not associated with a terminal.
I/O logging is not on by default but can be enabled using
the
\fIlog_input\fR
and
\fIlog_output\fR
options as well as the
\fRLOG_INPUT\fR
and
\fRLOG_OUTPUT\fR
command tags.
See
\fII/O LOG FILES\fR
for details on how I/O log files are stored.
.SS "Command environment"
Since environment variables can influence program behavior,
\fBsudoers\fR
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
There are two
distinct ways
\fBsudoers\fR
can deal with environment variables.
.PP
By default, the
\fIenv_reset\fR
option is enabled.
This causes commands
to be executed with a new, minimal environment.
On AIX (and Linux
systems without PAM), the environment is initialized with the
contents of the
\fI/etc/environment\fR
file.
On BSD systems, if the
\fIuse_loginclass\fR
option is enabled, the environment is initialized
based on the
\fIpath\fR
and
\fIsetenv\fR
settings in
\fI/etc/login.conf\fR.
The new environment contains the
\fRTERM\fR,
\fRPATH\fR,
\fRHOME\fR,
\fRMAIL\fR,
\fRSHELL\fR,
\fRLOGNAME\fR,
\fRUSER\fR,
\fRUSERNAME\fR
and
\fRSUDO_*\fR
variables
in addition to variables from the invoking process permitted by the
\fIenv_check\fR
and
\fIenv_keep\fR
options.
This is effectively a whitelist
for environment variables.
Environment variables with a value beginning with
\fR()\fR
are removed unless both the name and value parts are matched by
\fIenv_keep\fR
or
\fIenv_check\fR,
as they will be interpreted as functions by older versions of the
\fBbash\fR
shell.
Prior to version 1.8.11, such variables were always removed.
.PP
If, however, the
\fIenv_reset\fR
option is disabled, any variables not
explicitly denied by the
\fIenv_check\fR
and
\fIenv_delete\fR
options are
inherited from the invoking process.
In this case,
\fIenv_check\fR
and
\fIenv_delete\fR
behave like a blacklist.
Environment variables with a value beginning with
\fR()\fR
are always removed, even if they do not match one of the blacklists.
Since it is not possible
to blacklist all potentially dangerous environment variables, use
of the default
\fIenv_reset\fR
behavior is encouraged.
.PP
By default, environment variables are matched by name.
However, if the pattern includes an equal sign
(\(oq=\&\(cq),
both the variables name and value must match.
For example, an old-style (pre-shellshock)
\fBbash\fR
shell function could be matched as follows:
.nf
.sp
.RS 4n
env_keep += "my_func=()*"
.RE
.fi
.PP
Without the
\(Lq\fR=()*\fR\(Rq
suffix, this would not match, as old-style
\fBbash\fR
shell functions are not preserved by default.
.PP
The complete list of environment variables that
\fBsudo\fR
allows or denies is contained in the output of
\(Lq\fRsudo -V\fR\(Rq
when run as root.
Please note that this list varies based on the operating system
\fBsudo\fR
is running on.
.PP
On systems that support PAM where the
\fBpam_env\fR
module is enabled for
\fBsudo\fR,
variables in the PAM environment may be merged in to the environment.
If a variable in the PAM environment is already present in the
user's environment, the value will only be overridden if the variable
was not preserved by
\fBsudoers\fR.
When
\fIenv_reset\fR
is enabled, variables preserved from the invoking user's environment
by the
\fIenv_keep\fR
list take precedence over those in the PAM environment.
When
\fIenv_reset\fR
is disabled, variables present the invoking user's environment
take precedence over those in the PAM environment unless they
match a pattern in the
\fIenv_delete\fR
list.
.PP
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including
\fBsudo\fR.
Depending on the operating
system this may include
\fR_RLD*\fR,
\fRDYLD_*\fR,
\fRLD_*\fR,
\fRLDR_*\fR,
\fRLIBPATH\fR,
\fRSHLIB_PATH\fR,
and others.
These type of variables are
removed from the environment before
\fBsudo\fR
even begins execution
and, as such, it is not possible for
\fBsudo\fR
to preserve them.
.PP
As a special case, if
\fBsudo\fR's
\fB\-i\fR
option (initial login) is
specified,
\fBsudoers\fR
will initialize the environment regardless
of the value of
\fIenv_reset\fR.
The
\fRDISPLAY\fR,
\fRPATH\fR
and
\fRTERM\fR
variables remain unchanged;
\fRHOME\fR,
\fRMAIL\fR,
\fRSHELL\fR,
\fRUSER\fR,
and
\fRLOGNAME\fR
are set based on the target user.
On AIX (and Linux
systems without PAM), the contents of
\fI/etc/environment\fR
are also
included.
On BSD systems, if the
\fIuse_loginclass\fR
flag is
enabled, the
\fIpath\fR
and
\fIsetenv\fR
variables in
\fI/etc/login.conf\fR
are also applied.
All other environment variables are removed.
.PP
Finally, if the
\fIenv_file\fR
option is defined, any variables present
in that file will be set to their specified values as long as they
would not conflict with an existing environment variable.
.SH "SUDOERS FILE FORMAT"
The
\fIsudoers\fR
file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
may run what).
.PP
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
.PP
The
\fIsudoers\fR
file grammar will be described below in Extended Backus-Naur
Form (EBNF).
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
.SS "Quick guide to EBNF"
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of
\fIproduction rules\fR.
E.g.,
.PP
\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
.PP
Each
\fIproduction rule\fR
references others and thus makes up a
grammar for the language.
EBNF also contains the following
operators, which many readers will recognize from regular
expressions.
Do not, however, confuse them with
\(Lqwildcard\(Rq
characters, which have different meanings.
.TP 6n
\fR\&?\fR
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
.TP 6n
\fR*\fR
Means that the preceding symbol (or group of symbols) may appear
zero or more times.
.TP 6n
\fR+\fR
Means that the preceding symbol (or group of symbols) may appear
one or more times.
.PP
Parentheses may be used to group symbols together.
For clarity,
we will use single quotes
('')
to designate what is a verbatim character string (as opposed to a symbol name).
.SS "Aliases"
There are four kinds of aliases:
\fRUser_Alias\fR,
\fRRunas_Alias\fR,
\fRHost_Alias\fR
and
\fRCmnd_Alias\fR.
.nf
.sp
.RS 0n
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
'Host_Alias' Host_Alias (':' Host_Alias)* |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
.RE
.fi
.PP
Each
\fIalias\fR
definition is of the form
.nf
.sp
.RS 0n
Alias_Type NAME = item1, item2, ...
.RE
.fi
.PP
where
\fIAlias_Type\fR
is one of
\fRUser_Alias\fR,
\fRRunas_Alias\fR,
\fRHost_Alias\fR,
or
\fRCmnd_Alias\fR.
A
\fRNAME\fR
is a string of uppercase letters, numbers,
and underscore characters
(\(oq_\(cq).
A
\fRNAME\fR
\fBmust\fR
start with an
uppercase letter.
It is possible to put several alias definitions
of the same type on a single line, joined by a colon
(\(oq:\&\(cq).
E.g.,
.nf
.sp
.RS 0n
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
.RE
.fi
.PP
It is a syntax error to redefine an existing
\fIalias\fR.
It is possible to use the same name for
\fIaliases\fR
of different types, but this is not recommended.
.PP
The definitions of what constitutes a valid
\fIalias\fR
member follow.
.nf
.sp
.RS 0n
User_List ::= User |
User ',' User_List
User ::= '!'* user name |
'!'* #uid |
'!'* %group |
'!'* %#gid |
'!'* +netgroup |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
'!'* User_Alias
.RE
.fi
.PP
A
\fRUser_List\fR
is made up of one or more user names, user IDs
(prefixed with
\(oq#\(cq),
system group names and IDs (prefixed with
\(oq%\(cq
and
\(oq%#\(cq
respectively), netgroups (prefixed with
\(oq+\(cq),
non-Unix group names and IDs (prefixed with
\(oq%:\(cq
and
\(oq%:#\(cq
respectively) and
\fRUser_Alias\fRes.
Each list item may be prefixed with zero or more
\(oq\&!\(cq
operators.
An odd number of
\(oq\&!\(cq
operators negate the value of
the item; an even number just cancel each other out.
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
.PP
A
\fRuser name\fR,
\fRuid\fR,
\fRgroup\fR,
\fRgid\fR,
\fRnetgroup\fR,
\fRnonunix_group\fR
or
\fRnonunix_gid\fR
may be enclosed in double quotes to avoid the
need for escaping special characters.
Alternately, special characters
may be specified in escaped hex mode, e.g.\& \ex20 for space.
When
using double quotes, any prefix characters must be included inside
the quotes.
.PP
The actual
\fRnonunix_group\fR
and
\fRnonunix_gid\fR
syntax depends on
the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
.TP 6n
\fB\(bu\fR
Group in the same domain: "%:Group Name"
.TP 6n
\fB\(bu\fR
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
.TP 6n
\fB\(bu\fR
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
.PP
See
\fIGROUP PROVIDER PLUGINS\fR
for more information.
.PP
Note that quotes around group names are optional.
Unquoted strings must use a backslash
(\(oq\e\(cq)
to escape spaces and special characters.
See
\fIOther special characters and reserved words\fR
for a list of
characters that need to be escaped.
.nf
.sp
.RS 0n
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
'!'* #uid |
'!'* %group |
'!'* %#gid |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
'!'* +netgroup |
'!'* Runas_Alias
.RE
.fi
.PP
A
\fRRunas_List\fR
is similar to a
\fRUser_List\fR
except that instead
of
\fRUser_Alias\fRes
it can contain
\fRRunas_Alias\fRes.
Note that
user names and groups are matched as strings.
In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\&
root and toor), you can use a uid instead (#0 in the example given).
.nf
.sp
.RS 0n
Host_List ::= Host |
Host ',' Host_List
Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* +netgroup |
'!'* Host_Alias
.RE
.fi
.PP
A
\fRHost_List\fR
is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with
\(oq+\(cq)
and other aliases.
Again, the value of an item may be negated with the
\(oq\&!\(cq
operator.
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If you specify a network number without a netmask,
\fBsudo\fR
will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
interfaces, will use the netmask of that interface.
The netmask may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
\fIWildcards\fR
section below),
but unless the
\fRhost name\fR
command on your machine returns the fully
qualified host name, you'll need to use the
\fIfqdn\fR
option for wildcards to be useful.
Note that
\fBsudo\fR
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
Also, the host name
\(Lqlocalhost\(Rq
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
.nf
.sp
.RS 0n
digest ::= [A-Fa-f0-9]+ |
[[A-Za-z0-9\+/=]+
Digest_Spec ::= "sha224" ':' digest |
"sha256" ':' digest |
"sha384" ':' digest |
"sha512" ':' digest
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
command name ::= file name |
file name args |
file name '""'
Cmnd ::= Digest_Spec? '!'* command name |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
.RE
.fi
.PP
A
\fRCmnd_List\fR
is a list of one or more command names, directories, and other aliases.
A command name is a fully qualified file name which may include
shell-style wildcards (see the
\fIWildcards\fR
section below).
A simple file name allows the user to run the command with any
arguments he/she wishes.
However, you may also specify command line arguments (including
wildcards).
Alternately, you can specify
\fR\&""\fR
to indicate that the command
may only be run
\fBwithout\fR
command line arguments.
A directory is a
fully qualified path name ending in a
\(oq/\(cq.
When you specify a directory in a
\fRCmnd_List\fR,
the user will be able to run any file within that directory
(but not in any sub-directories therein).
.PP
If a
\fRCmnd\fR
has associated command line arguments, then the arguments
in the
\fRCmnd\fR
must match exactly those given by the user on the command line
(or match the wildcards if there are any).
Note that the following characters must be escaped with a
\(oq\e\(cq
if they are used in command arguments:
\(oq,\&\(cq,
\(oq:\&\(cq,
\(oq=\&\(cq,
\(oq\e\(cq.
The built-in command
\(Lq\fRsudoedit\fR\(Rq
is used to permit a user to run
\fBsudo\fR
with the
\fB\-e\fR
option (or as
\fBsudoedit\fR).
It may take command line arguments just as a normal command does.
Note that
\(Lq\fRsudoedit\fR\(Rq
is a command built into
\fBsudo\fR
itself and must be specified in the
\fIsudoers\fR
file without a leading path.
.PP
If a
\fRcommand name\fR
is prefixed with a
\fRDigest_Spec\fR,
the command will only match successfully if it can be verified
using the specified SHA-2 digest.
The following digest formats are supported: sha224, sha256, sha384 and sha512.
The string may be specified in either hex or base64 format
(base64 is more compact).
There are several utilities capable of generating SHA-2 digests in hex
format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
.PP
For example, using openssl:
.nf
.sp
.RS 0n
$ openssl dgst -sha224 /bin/ls
SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
.RE
.fi
.PP
It is also possible to use openssl to generate base64 output:
.nf
.sp
.RS 0n
$ openssl dgst -binary -sha224 /bin/ls | openssl base64
EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
.RE
.fi
.PP
Warning, if the user has write access to the command itself (directly or via a
\fBsudo\fR
command), it may be possible for the user to replace the command after the
digest check has been performed but before the command is executed.
A similar race condition exists on systems that lack the
fexecve(2)
system call when the directory in which the command is located
is writable by the user.
.PP
Command digests are only supported by version 1.8.7 or higher.
.SS "Defaults"
Certain configuration options may be changed from their default
values at run-time via one or more
\fRDefault_Entry\fR
lines.
These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a
\fRCmnd_Alias\fR
and reference
that instead.
.nf
.sp
.RS 0n
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
'!'* Parameter
.RE
.fi
.PP
Parameters may be
\fBflags\fR,
\fBinteger\fR
values,
\fBstrings\fR,
or
\fBlists\fR.
Flags are implicitly boolean and can be turned off via the
\(oq\&!\(cq
operator.
Some integer, string and list parameters may also be
used in a boolean context to disable them.
Values may be enclosed
in double quotes
(\&"")
when they contain multiple words.
Special characters may be escaped with a backslash
(\(oq\e\(cq).
.PP
Lists have two additional assignment operators,
\fR+=\fR
and
\fR-=\fR.
These operators are used to add to and delete from a list respectively.
It is not an error to use the
\fR-=\fR
operator to remove an element
that does not exist in a list.
.PP
Defaults entries are parsed in the following order: generic, host,
user and runas Defaults first, then command defaults.
If there are multiple Defaults settings of the same type, the last
matching setting is used.
The following Defaults settings are parsed before all others since
they may affect subsequent entries:
\fIfqdn\fR,
\fIgroup_plugin\fR,
\fIrunas_default\fR,
\fIsudoers_locale\fR.
.PP
See
\fISUDOERS OPTIONS\fR
for a list of supported Defaults parameters.
.SS "User specification"
.nf
.RS 0n
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
.RE
.fi
.PP
A
\fBuser specification\fR
determines which commands a user may run
(and as what user) on specified hosts.
By default, commands are
run as