mirror of https://github.com/sudo-project/sudo.git, synced 2025-08-30 22:05:46 +00:00
regen
sudo.man.in
@@ -150,7 +150,7 @@
|
||||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "SUDO @mansectsu@"
|
||||
.TH SUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS"
|
||||
.TH SUDO @mansectsu@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS"
|
||||
.SH "NAME"
|
||||
sudo, sudoedit \- execute a command as another user
|
||||
.SH "SYNOPSIS"
|
||||
@@ -163,7 +163,7 @@ sudo, sudoedit \- execute a command as another user
|
||||
[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
|
||||
[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
|
||||
.PP
|
||||
\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR]
|
||||
\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
|
||||
[\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
|
||||
file [...]
|
||||
.SH "DESCRIPTION"
|
||||
@@ -410,10 +410,12 @@ line arguments. It is most useful in conjunction with the \fB\-s\fR flag.
|
||||
.PP
|
||||
Environment variables to be set for the command may also be passed
|
||||
on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
|
||||
\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. This is only permitted
|
||||
when the \fIsetenv\fR option is set in \fIsudoers\fR or the command to
|
||||
be run has the \f(CW\*(C`SETENV\*(C'\fR tag set. See sudoers(@mansectform@)
|
||||
for more information.
|
||||
\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
|
||||
command line are subject to the same restrictions as normal environment
|
||||
variables with one important exception. If the \fIsetenv\fR option
|
||||
is set in \fIsudoers\fR or the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
|
||||
set the user may set variables that would overwise be forbidden.
|
||||
See sudoers(@mansectform@) for more information.
|
||||
.SH "RETURN VALUES"
|
||||
.IX Header "RETURN VALUES"
|
||||
Upon successful execution of a program, the return value from \fBsudo\fR
|
||||
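Review bot: typo in the new text, "variables that would overwise be forbidden" should read "otherwise be forbidden". The reworded sentence is an improvement over the old "This is only permitted when..." wording, since it now says that VAR=value arguments are accepted even without setenv/SETENV and are filtered like any inherited variable; consider also stating what happens to a forbidden variable in that case (silently dropped or rejected with an error), because neither the old nor the new text says.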
@@ -432,25 +434,35 @@ of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is curren
|
||||
unreachable.
|
||||
.SH "SECURITY NOTES"
|
||||
.IX Header "SECURITY NOTES"
|
||||
\&\fBsudo\fR tries to be safe when executing external commands. Variables
|
||||
that control how dynamic loading and binding is done can be used
|
||||
to subvert the program that \fBsudo\fR runs. To combat this the
|
||||
\&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0
|
||||
only) environment variables are removed from the environment passed
|
||||
on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR,
|
||||
\&\f(CW\*(C`CDPATH\*(C'\fR, \f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR,
|
||||
\&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR,
|
||||
\&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and
|
||||
\&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the
|
||||
\&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored.
|
||||
Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the
|
||||
\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. Environment variables
|
||||
with a value beginning with \f(CW\*(C`()\*(C'\fR are also removed as they could
|
||||
be interpreted as \fBbash\fR functions. If \fBsudo\fR has been
|
||||
compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and
|
||||
\&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment
|
||||
variables that \fBsudo\fR clears is contained in the output of
|
||||
\&\f(CW\*(C`sudo \-V\*(C'\fR when run as root.
|
||||
\&\fBsudo\fR tries to be safe when executing external commands.
|
||||
.PP
|
||||
There are two distinct ways to deal with environment variables.
|
||||
By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled.
|
||||
This causes commands to be executed with a minimal environment
|
||||
containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR
|
||||
and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process
|
||||
permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options.
|
||||
There is effectively a whitelist for environment variables.
|
||||
.PP
|
||||
If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
|
||||
variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
|
||||
options are inherited from the invoking process. In this case,
|
||||
\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it
|
||||
is not possible to blacklist all potentially dangerous environment
|
||||
variables, use of the default \fIenv_reset\fR behavior is encouraged.
|
||||
.PP
|
||||
In all cases, environment variables with a value beginning with
|
||||
\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
|
||||
The list of environment variables that \fBsudo\fR allows or denies is
|
||||
contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
|
||||
.PP
|
||||
Note that the dynamic linker on most operating systems will remove
|
||||
variables that can control dynamic linking from the environment of
|
||||
setuid executables, including \fBsudo\fR. Depending on the operating
|
||||
system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
|
||||
\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
|
||||
removed from the environment before \fBsudo\fR even begins execution
|
||||
and, as such, it is not possible for \fBsudo\fR to preserve them.
|
||||
.PP
|
||||
To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
|
||||
current directory) last when searching for a command in the user's
|
||||
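Review bot: the rewrite drops the explicit list of variables sudo strips on its own (IFS, CDPATH, ENV, BASH_ENV, the KRB* and resolver variables, NLSPATH, PATH_LOCALE, TERMINFO, TERMINFO_DIRS, TERMPATH, a pathname-valued TERMCAP, LC_*/LANGUAGE containing / or %, and the SecurID *_ACE variables) and replaces it with a pointer to "sudo -V" run as root. That is adequate for the env_reset default, but the new paragraph for the env_reset-disabled case, where env_check and env_delete "behave like a blacklist", now gives the reader no way to see from the manual what that default blacklist covers; keep a one-line cross-reference there to the env_check and env_delete defaults in sudoers(@mansectform@). Also, "sudo tries to be safe when executing external commands." is now a one-sentence paragraph on its own before the .PP; fold it into the paragraph that follows.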
@@ -458,11 +470,6 @@ current directory) last when searching for a command in the user's
|
||||
actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
|
||||
unchanged to the program that \fBsudo\fR executes.
|
||||
.PP
|
||||
For security reasons, if your \s-1OS\s0 supports shared libraries and does
|
||||
not disable user-defined library search paths for setuid programs
|
||||
(most do), you should either use a linker option that disables this
|
||||
behavior or link \fBsudo\fR statically.
|
||||
.PP
|
||||
\&\fBsudo\fR will check the ownership of its timestamp directory
|
||||
(\fI@timedir@\fR by default) and ignore the directory's contents if
|
||||
it is not owned by root or if it is writable by a user other than
|
||||
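Review bot: deleting the "use a linker option that disables this behavior or link sudo statically" paragraph leaves no guidance for the case the previous hunk itself admits exists: it says the dynamic linker on "most" operating systems strips _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH and SHLIB_PATH from setuid programs, and the old statement that sudo removes LD_*, _RLD_*, SHLIB_PATH and LIBPATH itself is gone too. If sudo still clears those names from the environment it passes on (the old text said it did), say so in SECURITY NOTES; if it no longer does, the advice being removed here is the only mitigation the page offered for systems whose linker does not strip them, and it should stay.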
@@ -556,7 +563,7 @@ sudoers(@mansectform@).
|
||||
.IX Header "FILES"
|
||||
.Vb 2
|
||||
\& @sysconfdir@/sudoers List of who can run what
|
||||
\& @timedir@ Directory containing timestamps
|
||||
\& @timedir@ Directory containing timestamps
|
||||
.Ve
|
||||
.SH "EXAMPLES"
|
||||
.IX Header "EXAMPLES"
|
||||
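Review bot: the old and new "@timedir@ Directory containing timestamps" lines are identical as rendered here, so this hunk is presumably a whitespace or alignment change only; confirm the rendered column lines up with the "@sysconfdir@/sudoers List of who can run what" entry above it, since that is the only thing a reader would notice.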
sudoers.man.in
@@ -149,7 +149,7 @@
|
||||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "SUDOERS @mansectform@"
|
||||
.TH SUDOERS @mansectform@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS"
|
||||
.TH SUDOERS @mansectform@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS"
|
||||
.SH "NAME"
|
||||
sudoers \- list of which users may execute what
|
||||
.SH "DESCRIPTION"
|
||||
@@ -397,6 +397,260 @@ These operators are used to add to and delete from a list respectively.
|
||||
It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
|
||||
that does not exist in a list.
|
||||
.PP
|
||||
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
|
||||
.Sh "User Specification"
|
||||
.IX Subsection "User Specification"
|
||||
.Vb 2
|
||||
\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
|
||||
\& (':' Host_List '=' Cmnd_Spec_List)*
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& Cmnd_Spec_List ::= Cmnd_Spec |
|
||||
\& Cmnd_Spec ',' Cmnd_Spec_List
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& Runas_Spec ::= '(' Runas_List ')'
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
|
||||
\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
|
||||
.Ve
|
||||
.PP
|
||||
A \fBuser specification\fR determines which commands a user may run
|
||||
(and as what user) on specified hosts. By default, commands are
|
||||
run as \fBroot\fR, but this can be changed on a per-command basis.
|
||||
.PP
|
||||
Let's break that down into its constituent parts:
|
||||
.Sh "Runas_Spec"
|
||||
.IX Subsection "Runas_Spec"
|
||||
A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
|
||||
enclosed in a set of parentheses. If you do not specify a
|
||||
\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
|
||||
of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
|
||||
commands that follow it. What this means is that for the entry:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
|
||||
.Ve
|
||||
.PP
|
||||
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
|
||||
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
|
||||
.PP
|
||||
.Vb 1
|
||||
\& $ sudo -u operator /bin/ls.
|
||||
.Ve
|
||||
.PP
|
||||
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
|
||||
entry. If we modify the entry like so:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
|
||||
.Ve
|
||||
.PP
|
||||
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
|
||||
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
|
||||
.Sh "Tag_Spec"
|
||||
.IX Subsection "Tag_Spec"
|
||||
A command may have zero or more tags associated with it. There are
|
||||
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
|
||||
\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
|
||||
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
|
||||
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
|
||||
opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
|
||||
overrides \f(CW\*(C`EXEC\*(C'\fR).
|
||||
.PP
|
||||
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
|
||||
.IX Subsection "NOPASSWD and PASSWD"
|
||||
.PP
|
||||
By default, \fBsudo\fR requires that a user authenticate him or herself
|
||||
before running a command. This behavior can be modified via the
|
||||
\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
|
||||
a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
|
||||
Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
|
||||
For example:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
|
||||
.Ve
|
||||
.PP
|
||||
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
|
||||
\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
|
||||
authenticating himself. If we only want \fBray\fR to be able to
|
||||
run \fI/bin/kill\fR without a password the entry would be:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
|
||||
.Ve
|
||||
.PP
|
||||
Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
|
||||
in the group specified by the \fIexempt_group\fR option.
|
||||
.PP
|
||||
By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
|
||||
for a user on the current host, he or she will be able to run
|
||||
\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
|
||||
\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
|
||||
for all a user's entries that pertain to the current host.
|
||||
This behavior may be overridden via the verifypw and listpw options.
|
||||
.PP
|
||||
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
|
||||
.IX Subsection "NOEXEC and EXEC"
|
||||
.PP
|
||||
If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
|
||||
operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
|
||||
a dynamically-linked executable from running further commands itself.
|
||||
.PP
|
||||
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
|
||||
and \fI/usr/bin/vi\fR but shell escapes will be disabled.
|
||||
.PP
|
||||
.Vb 1
|
||||
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
|
||||
.Ve
|
||||
.PP
|
||||
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
|
||||
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
|
||||
.PP
|
||||
\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
|
||||
.IX Subsection "SETENV and NOSETENV"
|
||||
.PP
|
||||
These tags override the value of the \fIsetenv\fR option on a per-command
|
||||
basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
|
||||
environment variables set on the command line way are not subject
|
||||
to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
|
||||
\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
|
||||
variables in this manner.
|
||||
.PP
|
||||
\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
|
||||
.IX Subsection "MONITOR and NOMONITOR"
|
||||
.PP
|
||||
If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
|
||||
the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command
|
||||
to be checked against \fIsudoers\fR and logged just like they would
|
||||
be if run through \fBsudo\fR directly. This is useful in conjunction
|
||||
with commands that allow shell escapes such as editors, shells and
|
||||
paginators.
|
||||
.PP
|
||||
In the following example, user \fBchuck\fR may run any command on the
|
||||
machine research in monitor mode.
|
||||
.PP
|
||||
.Vb 1
|
||||
\& chuck research = MONITOR: ALL
|
||||
.Ve
|
||||
.PP
|
||||
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
|
||||
on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system.
|
||||
.Sh "Wildcards"
|
||||
.IX Subsection "Wildcards"
|
||||
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
|
||||
to be used in pathnames as well as command line arguments in the
|
||||
\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
|
||||
\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
|
||||
.ie n .IP "\*(C`*\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`*\*(C'\fR" 8
|
||||
.IX Item "*"
|
||||
Matches any set of zero or more characters.
|
||||
.ie n .IP "\*(C`?\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`?\*(C'\fR" 8
|
||||
.IX Item "?"
|
||||
Matches any single character.
|
||||
.ie n .IP "\*(C`[...]\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
|
||||
.IX Item "[...]"
|
||||
Matches any character in the specified range.
|
||||
.ie n .IP "\*(C`[!...]\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
|
||||
.IX Item "[!...]"
|
||||
Matches any character \fBnot\fR in the specified range.
|
||||
.ie n .IP "\*(C`\ex\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
|
||||
.IX Item "x"
|
||||
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
|
||||
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
|
||||
.PP
|
||||
Note that a forward slash ('/') will \fBnot\fR be matched by
|
||||
wildcards used in the pathname. When matching the command
|
||||
line arguments, however, a slash \fBdoes\fR get matched by
|
||||
wildcards. This is to make a path like:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& /usr/bin/*
|
||||
.Ve
|
||||
.PP
|
||||
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
|
||||
.Sh "Exceptions to wildcard rules"
|
||||
.IX Subsection "Exceptions to wildcard rules"
|
||||
The following exceptions apply to the above rules:
|
||||
.ie n .IP """""" 8
|
||||
.el .IP "\f(CW``''\fR" 8
|
||||
.IX Item """"""
|
||||
If the empty string \f(CW""\fR is the only command line argument in the
|
||||
\&\fIsudoers\fR entry it means that command is not allowed to be run
|
||||
with \fBany\fR arguments.
|
||||
.Sh "Including other files from within sudoers"
|
||||
.IX Subsection "Including other files from within sudoers"
|
||||
It is possible to include other \fIsudoers\fR files from within the
|
||||
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
|
||||
directive, similar to the one used by the C preprocessor. This is
|
||||
useful, for example, for keeping a site-wide \fIsudoers\fR file in
|
||||
addition to a per-machine local one. For the sake of this example
|
||||
the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
|
||||
one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
|
||||
from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& #include /etc/sudoers.local
|
||||
.Ve
|
||||
.PP
|
||||
When \fBsudo\fR reaches this line it will suspend processing of the
|
||||
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
|
||||
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
|
||||
\&\fI/etc/sudoers\fR will be processed. Files that are included may
|
||||
themselves include other files. A hard limit of 128 nested include
|
||||
files is enforced to prevent include file loops.
|
||||
.Sh "Other special characters and reserved words"
|
||||
.IX Subsection "Other special characters and reserved words"
|
||||
The pound sign ('#') is used to indicate a comment (unless it is
|
||||
part of a #include directive or unless it occurs in the context of
|
||||
a user name and is followed by one or more digits, in which case
|
||||
it is treated as a uid). Both the comment character and any text
|
||||
after it, up to the end of the line, are ignored.
|
||||
.PP
|
||||
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
|
||||
a match to succeed. It can be used wherever one might otherwise
|
||||
use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
|
||||
You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
|
||||
built-in alias will be used in preference to your own. Please note
|
||||
that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
|
||||
allows the user to run \fBany\fR command on the system.
|
||||
.PP
|
||||
An exclamation point ('!') can be used as a logical \fInot\fR operator
|
||||
both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
|
||||
exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
|
||||
conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
|
||||
run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
|
||||
\&\s-1NOTES\s0 below).
|
||||
.PP
|
||||
Long lines can be continued with a backslash ('\e') as the last
|
||||
character on the line.
|
||||
.PP
|
||||
Whitespace between elements in a list as well as special syntactic
|
||||
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
|
||||
.PP
|
||||
The following characters must be escaped with a backslash ('\e') when
|
||||
used as part of a word (e.g.\ a username or hostname):
|
||||
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
|
||||
.SH "SUDOERS OPTIONS"
|
||||
.IX Header "SUDOERS OPTIONS"
|
||||
Sudo's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
|
||||
explained earlier. A list of all supported Defaults parameters,
|
||||
grouped by type, are listed below.
|
||||
.PP
|
||||
\&\fBFlags\fR:
|
||||
.IP "long_otp_prompt" 12
|
||||
.IX Item "long_otp_prompt"
|
||||
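Review bot: stray word in the SETENV and NOSETENV paragraph: "any environment variables set on the command line way are not subject to" should read "set on the command line are not subject to" (the same "way" is in the old copy being removed further down, so this move is the chance to fix it). Two more nits ride along unchanged with the moved text: the NOPASSWD example says ray may run the commands "as root on the machine rushmore as root", and the Runas_Spec example "$ sudo -u operator /bin/ls." carries a trailing period inside the .Vb block that a reader may take as part of the command.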
@@ -655,11 +909,11 @@ to specify a different file descriptor at which to start closing.
|
||||
The default is 3.
|
||||
.IP "setenv" 12
|
||||
.IX Item "setenv"
|
||||
Allow the user to set additional environment variables from the
|
||||
command line. Note that variables set this way are not subject to
|
||||
the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
|
||||
\&\fIenv_reset\fR. As such, only trusted users should be allowed to set
|
||||
variables in this manner.
|
||||
Allow the user to disable the \fIenv_reset\fR option from the command
|
||||
line. Additionally, environment variables set via the command line
|
||||
are not subject to the restrictions imposed by \fIenv_check\fR,
|
||||
\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
|
||||
be allowed to set variables in this manner.
|
||||
.PP
|
||||
\&\fBStrings\fR:
|
||||
.IP "mailsub" 12
|
||||
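Review bot: the new setenv description says the option lets the user "disable the env_reset option from the command line", but nothing visible in this commit says how: the sudo(8) hunk describes setenv only as permitting VAR=value arguments that would otherwise be forbidden. Name the command-line mechanism here (or in sudo(8)), or drop that first sentence and keep only the second; as written a reader cannot tell whether the whole inherited environment or only the variables given on the command line bypass env_check, env_delete and env_keep. Replacing env_reset with env_keep in the list of bypassed restrictions matches the moved SETENV tag text in the earlier hunk.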
@@ -896,252 +1150,6 @@ for the syslog facility (the value of the \fBsyslog\fR Parameter):
|
||||
\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
|
||||
supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
|
||||
\&\fBnotice\fR, and \fBwarning\fR.
|
||||
.Sh "User Specification"
|
||||
.IX Subsection "User Specification"
|
||||
.Vb 2
|
||||
\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
|
||||
\& (':' Host_List '=' Cmnd_Spec_List)*
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& Cmnd_Spec_List ::= Cmnd_Spec |
|
||||
\& Cmnd_Spec ',' Cmnd_Spec_List
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& Runas_Spec ::= '(' Runas_List ')'
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
|
||||
\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
|
||||
.Ve
|
||||
.PP
|
||||
A \fBuser specification\fR determines which commands a user may run
|
||||
(and as what user) on specified hosts. By default, commands are
|
||||
run as \fBroot\fR, but this can be changed on a per-command basis.
|
||||
.PP
|
||||
Let's break that down into its constituent parts:
|
||||
.Sh "Runas_Spec"
|
||||
.IX Subsection "Runas_Spec"
|
||||
A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
|
||||
enclosed in a set of parentheses. If you do not specify a
|
||||
\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
|
||||
of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
|
||||
commands that follow it. What this means is that for the entry:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
|
||||
.Ve
|
||||
.PP
|
||||
The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
|
||||
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
|
||||
.PP
|
||||
.Vb 1
|
||||
\& $ sudo -u operator /bin/ls.
|
||||
.Ve
|
||||
.PP
|
||||
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
|
||||
entry. If we modify the entry like so:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
|
||||
.Ve
|
||||
.PP
|
||||
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
|
||||
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
|
||||
.Sh "Tag_Spec"
|
||||
.IX Subsection "Tag_Spec"
|
||||
A command may have zero or more tags associated with it. There are
|
||||
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
|
||||
\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
|
||||
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
|
||||
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
|
||||
opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
|
||||
overrides \f(CW\*(C`EXEC\*(C'\fR).
|
||||
.PP
|
||||
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
|
||||
.IX Subsection "NOPASSWD and PASSWD"
|
||||
.PP
|
||||
By default, \fBsudo\fR requires that a user authenticate him or herself
|
||||
before running a command. This behavior can be modified via the
|
||||
\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
|
||||
a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
|
||||
Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
|
||||
For example:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
|
||||
.Ve
|
||||
.PP
|
||||
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
|
||||
\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
|
||||
authenticating himself. If we only want \fBray\fR to be able to
|
||||
run \fI/bin/kill\fR without a password the entry would be:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
|
||||
.Ve
|
||||
.PP
|
||||
Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
|
||||
in the group specified by the \fIexempt_group\fR option.
|
||||
.PP
|
||||
By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
|
||||
for a user on the current host, he or she will be able to run
|
||||
\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
|
||||
\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
|
||||
for all a user's entries that pertain to the current host.
|
||||
This behavior may be overridden via the verifypw and listpw options.
|
||||
.PP
|
||||
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
|
||||
.IX Subsection "NOEXEC and EXEC"
|
||||
.PP
|
||||
If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
|
||||
operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
|
||||
a dynamically-linked executable from running further commands itself.
|
||||
.PP
|
||||
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
|
||||
and \fI/usr/bin/vi\fR but shell escapes will be disabled.
|
||||
.PP
|
||||
.Vb 1
|
||||
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
|
||||
.Ve
|
||||
.PP
|
||||
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
|
||||
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
|
||||
.PP
|
||||
\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
|
||||
.IX Subsection "SETENV and NOSETENV"
|
||||
.PP
|
||||
These tags override the value of the \fIsetenv\fR option on a per-command
|
||||
basis. Note that environment variables set on the command line way
|
||||
are not subject to the restrictions imposed by \fIenv_check\fR,
|
||||
\&\fIenv_delete\fR, or \fIenv_reset\fR. As such, only trusted users should
|
||||
be allowed to set variables in this manner.
|
||||
.PP
|
||||
\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
|
||||
.IX Subsection "MONITOR and NOMONITOR"
|
||||
.PP
|
||||
If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
|
||||
the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command
|
||||
to be checked against \fIsudoers\fR and logged just like they would
|
||||
be if run through \fBsudo\fR directly. This is useful in conjunction
|
||||
with commands that allow shell escapes such as editors, shells and
|
||||
paginators.
|
||||
.PP
|
||||
In the following example, user \fBchuck\fR may run any command on the
|
||||
machine research in monitor mode.
|
||||
.PP
|
||||
.Vb 1
|
||||
\& chuck research = MONITOR: ALL
|
||||
.Ve
|
||||
.PP
|
||||
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
|
||||
on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system.
|
||||
.Sh "Wildcards"
|
||||
.IX Subsection "Wildcards"
|
||||
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
|
||||
to be used in pathnames as well as command line arguments in the
|
||||
\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
|
||||
\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
|
||||
.ie n .IP "\*(C`*\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`*\*(C'\fR" 8
|
||||
.IX Item "*"
|
||||
Matches any set of zero or more characters.
|
||||
.ie n .IP "\*(C`?\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`?\*(C'\fR" 8
|
||||
.IX Item "?"
|
||||
Matches any single character.
|
||||
.ie n .IP "\*(C`[...]\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
|
||||
.IX Item "[...]"
|
||||
Matches any character in the specified range.
|
||||
.ie n .IP "\*(C`[!...]\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
|
||||
.IX Item "[!...]"
|
||||
Matches any character \fBnot\fR in the specified range.
|
||||
.ie n .IP "\*(C`\ex\*(C'" 8
|
||||
.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
|
||||
.IX Item "x"
|
||||
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
|
||||
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
|
||||
.PP
|
||||
Note that a forward slash ('/') will \fBnot\fR be matched by
|
||||
wildcards used in the pathname. When matching the command
|
||||
line arguments, however, a slash \fBdoes\fR get matched by
|
||||
wildcards. This is to make a path like:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& /usr/bin/*
|
||||
.Ve
|
||||
.PP
|
||||
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
|
||||
.Sh "Exceptions to wildcard rules"
|
||||
.IX Subsection "Exceptions to wildcard rules"
|
||||
The following exceptions apply to the above rules:
|
||||
.ie n .IP """""" 8
|
||||
.el .IP "\f(CW``''\fR" 8
|
||||
.IX Item """"""
|
||||
If the empty string \f(CW""\fR is the only command line argument in the
|
||||
\&\fIsudoers\fR entry it means that command is not allowed to be run
|
||||
with \fBany\fR arguments.
|
||||
.Sh "Including other files from within sudoers"
|
||||
.IX Subsection "Including other files from within sudoers"
|
||||
It is possible to include other \fIsudoers\fR files from within the
|
||||
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
|
||||
directive, similar to the one used by the C preprocessor. This is
|
||||
useful, for example, for keeping a site-wide \fIsudoers\fR file in
|
||||
addition to a per-machine local one. For the sake of this example
|
||||
the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
|
||||
one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
|
||||
from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& #include /etc/sudoers.local
|
||||
.Ve
|
||||
.PP
|
||||
When \fBsudo\fR reaches this line it will suspend processing of the
|
||||
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
|
||||
Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
|
||||
\&\fI/etc/sudoers\fR will be processed. Files that are included may
|
||||
themselves include other files. A hard limit of 128 nested include
|
||||
files is enforced to prevent include file loops.
|
||||
.Sh "Other special characters and reserved words"
|
||||
.IX Subsection "Other special characters and reserved words"
|
||||
The pound sign ('#') is used to indicate a comment (unless it is
|
||||
part of a #include directive or unless it occurs in the context of
|
||||
a user name and is followed by one or more digits, in which case
|
||||
it is treated as a uid). Both the comment character and any text
|
||||
after it, up to the end of the line, are ignored.
|
||||
.PP
|
||||
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
|
||||
a match to succeed. It can be used wherever one might otherwise
|
||||
use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
|
||||
You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
|
||||
built-in alias will be used in preference to your own. Please note
|
||||
that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
|
||||
allows the user to run \fBany\fR command on the system.
|
||||
.PP
|
||||
An exclamation point ('!') can be used as a logical \fInot\fR operator
|
||||
both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
|
||||
exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
|
||||
conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
|
||||
run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
|
||||
\&\s-1NOTES\s0 below).
|
||||
.PP
|
||||
Long lines can be continued with a backslash ('\e') as the last
|
||||
character on the line.
|
||||
.PP
|
||||
Whitespace between elements in a list as well as special syntactic
|
||||
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
|
||||
.PP
|
||||
The following characters must be escaped with a backslash ('\e') when
|
||||
used as part of a word (e.g.\ a username or hostname):
|
||||
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
|
||||
.SH "FILES"
|
||||
.IX Header "FILES"
|
||||
.Vb 3
|
||||
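Review bot: this hunk deletes the User Specification, Runas_Spec, Tag_Spec, Wildcards, include and reserved-word subsections that the @@ -397 hunk re-inserts before SUDOERS OPTIONS; the only substantive difference between the two copies is the SETENV and NOSETENV paragraph (env_reset replaced by env_keep in the list of bypassed options, and the "if SETENV has been set for a command" qualifier added). Since the commit message is "regen" and these are generated man pages, verify that both the move and the env_keep wording come from the .pod source rather than a hand edit to the .man.in, otherwise the next regeneration reverts them.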