sudo/sample.sudoers

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias	FULLTIMERS=millert,mikef,dowdy
User_Alias	PARTTIMERS=bostley,jwfox,mccreary

##
# Runas alias specification
##
Runas_Alias	OP=root,operator

##
# Cmnd alias specification
##
Cmnd_Alias      DUMPS=/usr.sbin/dump,/usr.sbin/rdump,/usr.sbin/restore,\
		      /usr.sbin/rrestore,/usr/bin/mt
Cmnd_Alias	KILL=/usr/bin/kill
Cmnd_Alias	PRINTING=/usr.sbin/lpc,/usr.bin/lprm
Cmnd_Alias	SHUTDOWN=/usr.sbin/shutdown
Cmnd_Alias	HALT=/usr.sbin/halt,/usr.sbin/fasthalt
Cmnd_Alias	REBOOT=/usr.sbin/reboot,/usr.sbin/fastboot
Cmnd_Alias	SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/ksh,\
                       /usr/local/bin/tcsh,/usr.bin/rsh,\
                       /usr/local/bin/zsh
Cmnd_Alias	SU=/usr/bin/su
Cmnd_Alias	VIPW=/usr.sbin/vipw,/usr/sbin/vipw,/usr/bin/passwd

##
# Host alias specification
##
Host_Alias	SUN4=bruno,eclipse,moet,anchor
Host_Alias	SUN3=brazil,columbine
Host_Alias	DECSTATION=wilkinson,soma,dendrite,thang
Host_Alias 	DECALPHA=widget,thalamus,foobar
Host_Alias	HPSNAKE=boa,nag,python
Host_Alias	CUNETS=128.138.0.0/255.255.0.0
Host_Alias	CSNETS=128.138.243.0,128.138.204.0,128.138.242.0
Host_Alias	SEVERS=master,mail,www,ns

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root		ALL=(ALL) ALL
%wheel		ALL=(ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS	ALL=NOPASSWD:ALL
# part time sysadmins may run anything except root shells or su
PARTTIMERS	ALL=ALL,!SU,!SHELLS

# rodney may run anything except root shells or su on machines in CSNETS
rodney		CSNETS=ALL,!SU,!SHELLS

# smartguy may run any command on any host in CUNETS (call B address)
smartguy	CUNETS=ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator	ALL=DUMPS,KILL,PRINTING,SHUTDOWN,HALT,REBOOT,/usr/oper/bin/

# joe may su only to operator
joe		ALL=SU operator

# pete may change passwords for anyone but root
pete		ALL=/usr/bin/passwd [A-z]*,!/usr/bin/passwd root

# bob may run anything except root shells or su on the sun3 and sun4 machines
# as any user in the Runas_Alias "OP" (contains root and operator)
bob		SUN4=(OP) ALL, !SU, !SHELLS:\
		SUN3=(OP) ALL, !SU, !SHELLS

# jim may run anything on machines in the biglab netgroup
jim		+biglab=ALL

# users in the secretaries netgroup need to help manage the printers
+secretaries	ALL=PRINTING

# fred can run commands as oracle by specifying -u oracle on command line
# without a password but cannot run su or any shells
fred		ALL=(oracle) NOPASSWD:ALL, !SU, !SHELLS

# john may su to anyone but root and flags are not allowed
john		ALL=SU [!-]*, !SU *root*

# killroy can run all but shells and su on all machines but those
# in the "SERVERS" Host_Alias
killroy		ALL,!SERVERS=ALL, !SU, !SHELLS
added real stuff in there 1993-11-28 00:25:23 +00:00			`#`
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`# Sample /etc/sudoers file.`
Initial revision 1993-11-27 23:59:52 +00:00			`#`
			`# This file MUST be edited with the 'visudo' command as root.`
			`#`
			`# See the man page for the details on how to write a sudoers file.`
			`#`

added User_Alias stuff 1995-04-10 23:51:35 +00:00			`##`
			`# User alias specification`
			`##`
			`User_Alias FULLTIMERS=millert,mikef,dowdy`
			`User_Alias PARTTIMERS=bostley,jwfox,mccreary`

added Runas_Alias example and fixed syntax errors 1996-11-14 03:50:55 +00:00			`##`
			`# Runas alias specification`
			`##`
			`Runas_Alias OP=root,operator`

added User_Alias stuff 1995-04-10 23:51:35 +00:00			`##`
Initial revision 1993-11-27 23:59:52 +00:00			`# Cmnd alias specification`
added User_Alias stuff 1995-04-10 23:51:35 +00:00			`##`
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`Cmnd_Alias DUMPS=/usr.sbin/dump,/usr.sbin/rdump,/usr.sbin/restore,\`
			`/usr.sbin/rrestore,/usr/bin/mt`
added real stuff in there 1993-11-28 00:25:23 +00:00			`Cmnd_Alias KILL=/usr/bin/kill`
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`Cmnd_Alias PRINTING=/usr.sbin/lpc,/usr.bin/lprm`
			`Cmnd_Alias SHUTDOWN=/usr.sbin/shutdown`
			`Cmnd_Alias HALT=/usr.sbin/halt,/usr.sbin/fasthalt`
			`Cmnd_Alias REBOOT=/usr.sbin/reboot,/usr.sbin/fastboot`
added real stuff in there 1993-11-28 00:25:23 +00:00			`Cmnd_Alias SHELLS=/usr/bin/sh,/usr/bin/csh,/usr/bin/ksh,\`
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`/usr/local/bin/tcsh,/usr.bin/rsh,\`
added real stuff in there 1993-11-28 00:25:23 +00:00			`/usr/local/bin/zsh`
			`Cmnd_Alias SU=/usr/bin/su`
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`Cmnd_Alias VIPW=/usr.sbin/vipw,/usr/sbin/vipw,/usr/bin/passwd`
added real stuff in there 1993-11-28 00:25:23 +00:00
added User_Alias stuff 1995-04-10 23:51:35 +00:00			`##`
added real stuff in there 1993-11-28 00:25:23 +00:00			`# Host alias specification`
added User_Alias stuff 1995-04-10 23:51:35 +00:00			`##`
added real stuff in there 1993-11-28 00:25:23 +00:00			`Host_Alias SUN4=bruno,eclipse,moet,anchor`
			`Host_Alias SUN3=brazil,columbine`
now has a dir and subnet entry 1994-08-15 00:47:48 +00:00			`Host_Alias DECSTATION=wilkinson,soma,dendrite,thang`
			`Host_Alias DECALPHA=widget,thalamus,foobar`
added real stuff in there 1993-11-28 00:25:23 +00:00			`Host_Alias HPSNAKE=boa,nag,python`
added net_addr/mask example 1996-06-17 04:07:40 +00:00			`Host_Alias CUNETS=128.138.0.0/255.255.0.0`
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`Host_Alias CSNETS=128.138.243.0,128.138.204.0,128.138.242.0`
			`Host_Alias SEVERS=master,mail,www,ns`
Initial revision 1993-11-27 23:59:52 +00:00
added User_Alias stuff 1995-04-10 23:51:35 +00:00			`##`
Initial revision 1993-11-27 23:59:52 +00:00			`# User specification`
added User_Alias stuff 1995-04-10 23:51:35 +00:00			`##`
added comments 1996-01-14 20:39:26 +00:00
updated with examples of new stuff 1996-06-15 22:11:08 +00:00			`# root and users in group wheel can run anything on any machine as any user`
fixed 2 syntax errors 1996-07-13 22:24:38 +00:00			`root ALL=(ALL) ALL`
			`%wheel ALL=(ALL) ALL`
added real stuff in there 1993-11-28 00:25:23 +00:00
updated with examples of new stuff 1996-06-15 22:11:08 +00:00			`# full time sysadmins can run anything on any machine without a password`
			`FULLTIMERS ALL=NOPASSWD:ALL`
added comments 1996-01-14 20:39:26 +00:00			`# part time sysadmins may run anything except root shells or su`
added User_Alias stuff 1995-04-10 23:51:35 +00:00			`PARTTIMERS ALL=ALL,!SU,!SHELLS`
added comments 1996-01-14 20:39:26 +00:00
			`# rodney may run anything except root shells or su on machines in CSNETS`
now has a dir and subnet entry 1994-08-15 00:47:48 +00:00			`rodney CSNETS=ALL,!SU,!SHELLS`
added comments 1996-01-14 20:39:26 +00:00
added net_addr/mask example 1996-06-17 04:07:40 +00:00			`# smartguy may run any command on any host in CUNETS (call B address)`
			`smartguy CUNETS=ALL`

added comments 1996-01-14 20:39:26 +00:00			`# operator may run maintenance commands and anything in /usr/oper/bin/`
			`operator ALL=DUMPS,KILL,PRINTING,SHUTDOWN,HALT,REBOOT,/usr/oper/bin/`

			`# joe may su only to operator`
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`joe ALL=SU operator`
added comments 1996-01-14 20:39:26 +00:00
added wildcard example 1996-02-05 23:39:35 +00:00			`# pete may change passwords for anyone but root`
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`pete ALL=/usr/bin/passwd [A-z]*,!/usr/bin/passwd root`
added wildcard example 1996-02-05 23:39:35 +00:00
added comments 1996-01-14 20:39:26 +00:00			`# bob may run anything except root shells or su on the sun3 and sun4 machines`
New runas semantics 1999-04-06 18:06:12 +00:00			`# as any user in the Runas_Alias "OP" (contains root and operator)`
			`bob SUN4=(OP) ALL, !SU, !SHELLS:\`
			`SUN3=(OP) ALL, !SU, !SHELLS`
added comments 1996-01-14 20:39:26 +00:00
			`# jim may run anything on machines in the biglab netgroup`
updated with examples of new features 1995-09-01 04:17:42 +00:00			`jim +biglab=ALL`
added comments 1996-01-14 20:39:26 +00:00
			`# users in the secretaries netgroup need to help manage the printers`
updated with examples of new features 1995-09-01 04:17:42 +00:00			`+secretaries ALL=PRINTING`
added support for NOPASSWD and "runas" from garp@opustel.com / 1996-04-28 01:04:50 +00:00
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`# fred can run commands as oracle by specifying -u oracle on command line`
			`# without a password but cannot run su or any shells`
			`fred ALL=(oracle) NOPASSWD:ALL, !SU, !SHELLS`

			`# john may su to anyone but root and flags are not allowed`
			`john ALL=SU [!-], !SU root*`
added an example 1996-07-24 16:49:18 +00:00
use modern paths and give examples for some of the new parser features 1999-04-15 05:12:46 +00:00			`# killroy can run all but shells and su on all machines but those`
			`# in the "SERVERS" Host_Alias`
			`killroy ALL,!SERVERS=ALL, !SU, !SHELLS`