author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 02:23:56 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 02:23:56 +0000 |
commit | 9620f76a210d9d8c1aaff25e99d6dc513f87e6e9 (patch) | |
tree | ceecc90fb95780872c35da764c5163f38e4727c4 /doc/sudoers.cat | |
parent | Initial commit. (diff) | |
Adding upstream version 1.8.27. (upstream/1.8.27, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | doc/sudoers.cat | 2931 |
1 files changed, 2931 insertions, 0 deletions
diff --git a/doc/sudoers.cat b/doc/sudoers.cat new file mode 100644 index 0000000..9cc6a95 --- /dev/null +++ b/doc/sudoers.cat 
@@ -0,0 +1,2931 @@ +SUDOERS(4) File Formats Manual SUDOERS(4) + +NNAAMMEE + ssuuddooeerrss - default sudo security policy plugin + +DDEESSCCRRIIPPTTIIOONN + The ssuuddooeerrss policy plugin determines a user's ssuuddoo privileges. It is the + default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s + file or, optionally in LDAP. The policy format is described in detail in + the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing ssuuddooeerrss + policy information in LDAP, please see sudoers.ldap(4). + + CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss + ssuuddoo consults the sudo.conf(4) file to determine which policy and I/O + logging plugins to load. If no sudo.conf(4) file is present, or if it + contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and + I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss + plugin, the following configuration can be used. + + Plugin sudoers_policy sudoers.so + Plugin sudoers_io sudoers.so + + Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to + the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if + present, should be listed after the path to the plugin (i.e., after + _s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white + space. For example: + + Plugin sudoers_policy sudoers.so sudoers_mode=0400 + + The following plugin arguments are supported: + + ldap_conf=pathname + The _l_d_a_p___c_o_n_f argument can be used to override the default path + to the _l_d_a_p_._c_o_n_f file. + + ldap_secret=pathname + The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default + path to the _l_d_a_p_._s_e_c_r_e_t file. + + sudoers_file=pathname + The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default + path to the _s_u_d_o_e_r_s file. 
+ + sudoers_uid=uid + The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default + owner of the sudoers file. It should be specified as a numeric + user ID. + + sudoers_gid=gid + The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default + group of the sudoers file. It must be specified as a numeric + group ID (not a group name). + + sudoers_mode=mode + The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default + file mode for the sudoers file. It should be specified as an + octal value. + + For more information on configuring sudo.conf(4), please refer to its + manual. + + UUsseerr AAuutthheennttiiccaattiioonn + The ssuuddooeerrss security policy requires that most users authenticate + themselves before they can use ssuuddoo. A password is not required if the + invoking user is root, if the target user is the same as the invoking + user, or if the policy has disabled authentication for the user or + command. Unlike su(1), when ssuuddooeerrss requires authentication, it + validates the invoking user's credentials, not the target user's (or + root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and + _r_u_n_a_s_p_w flags, described later. + + If a user who is not listed in the policy tries to run a command via + ssuuddoo, mail is sent to the proper authorities. The address used for such + mail is configurable via the _m_a_i_l_t_o Defaults entry (described later) and + defaults to root. + + Note that no mail will be sent if an unauthorized user tries to run ssuuddoo + with the --ll or --vv option unless there is an authentication error and + either the _m_a_i_l___a_l_w_a_y_s or _m_a_i_l___b_a_d_p_a_s_s flags are enabled. This allows + users to determine for themselves whether or not they are allowed to use + ssuuddoo. All attempts to run ssuuddoo (successful or not) will be logged, + regardless of whether or not mail is sent. 
+ + If ssuuddoo is run by root and the SUDO_USER environment variable is set, the + ssuuddooeerrss policy will use this value to determine who the actual user is. + This can be used by a user to log commands through sudo even when a root + shell has been invoked. It also allows the --ee option to remain useful + even when invoked via a sudo-run script or program. Note, however, that + the _s_u_d_o_e_r_s file lookup is still done for root, not the user specified by + SUDO_USER. + + ssuuddooeerrss uses per-user time stamp files for credential caching. Once a + user has been authenticated, a record is written containing the user ID + that was used to authenticate, the terminal session ID, the start time of + the session leader (or parent process) and a time stamp (using a + monotonic clock if one is available). The user may then use ssuuddoo without + a password for a short period of time (5 minutes unless overridden by the + _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate record + for each terminal, which means that a user's login sessions are + authenticated separately. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to + select the type of time stamp record ssuuddooeerrss will use. + + LLooggggiinngg + ssuuddooeerrss can log both successful and unsuccessful attempts (as well as + errors) to syslog(3), a log file, or both. By default, ssuuddooeerrss will log + via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults + settings. See _L_O_G _F_O_R_M_A_T for a description of the log file format. + + ssuuddooeerrss is also capable of running a command in a pseudo-tty and logging + all input and/or output. The standard input, standard output and + standard error can be logged even when not associated with a terminal. + I/O logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t + and _l_o_g___o_u_t_p_u_t options as well as the LOG_INPUT and LOG_OUTPUT command + tags. 
See _I_/_O _L_O_G _F_I_L_E_S for details on how I/O log files are stored. + + CCoommmmaanndd eennvviirroonnmmeenntt + Since environment variables can influence program behavior, ssuuddooeerrss + provides a means to restrict which variables from the user's environment + are inherited by the command to be run. There are two distinct ways + ssuuddooeerrss can deal with environment variables. + + By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be + executed with a new, minimal environment. On AIX (and Linux systems + without PAM), the environment is initialized with the contents of the + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is + enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v + settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM, + PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables in addition + to variables from the invoking process permitted by the _e_n_v___c_h_e_c_k and + _e_n_v___k_e_e_p options. This is effectively a whitelist for environment + variables. The environment variables LOGNAME and USER are treated + specially. If one of them is preserved (or removed) from user's + environment, the other will be as well. If LOGNAME and USER are to be + preserved but only one of them is present in the user's environment, the + other will be set to the same value. This avoids an inconsistent + environment where one of the variables describing the user name is set to + the invoking user and one is set to the target user. () are removed + unless both the name and value parts are matched by _e_n_v___k_e_e_p or + _e_n_v___c_h_e_c_k, as they may be interpreted as functions by the bbaasshh shell. + Prior to version 1.8.11, such variables were always removed. 
+ + If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not + explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited + from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave + like a blacklist. Prior to version 1.8.21, environment variables with a + value beginning with () were always removed. Beginning with version + 1.8.21, a pattern in _e_n_v___d_e_l_e_t_e is used to match bbaasshh shell functions + instead. Since it is not possible to blacklist all potentially dangerous + environment variables, use of the default _e_n_v___r_e_s_e_t behavior is + encouraged. + + Environment variables specified by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p may + include one or more `*' characters which will match zero or more + characters. No other wildcard characters are supported. + + By default, environment variables are matched by name. However, if the + pattern includes an equal sign (`='), both the variables name and value + must match. For example, a bbaasshh shell function could be matched as + follows: + + env_keep += "BASH_FUNC_my_func%%=()*" + + Without the "=()*" suffix, this would not match, as bbaasshh shell functions + are not preserved by default. + + The complete list of environment variables that ssuuddoo allows or denies is + contained in the output of "sudo -V" when run as root. Please note that + this list varies based on the operating system ssuuddoo is running on. + + On systems that support PAM where the ppaamm__eennvv module is enabled for ssuuddoo, + variables in the PAM environment may be merged in to the environment. If + a variable in the PAM environment is already present in the user's + environment, the value will only be overridden if the variable was not + preserved by ssuuddooeerrss. 
When _e_n_v___r_e_s_e_t is enabled, variables preserved + from the invoking user's environment by the _e_n_v___k_e_e_p list take precedence + over those in the PAM environment. When _e_n_v___r_e_s_e_t is disabled, variables + present the invoking user's environment take precedence over those in the + PAM environment unless they match a pattern in the _e_n_v___d_e_l_e_t_e list. + + Note that the dynamic linker on most operating systems will remove + variables that can control dynamic linking from the environment of setuid + executables, including ssuuddoo. Depending on the operating system this may + include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. + These type of variables are removed from the environment before ssuuddoo even + begins execution and, as such, it is not possible for ssuuddoo to preserve + them. + + As a special case, if ssuuddoo's --ii option (initial login) is specified, + ssuuddooeerrss will initialize the environment regardless of the value of + _e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME, + MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX + (and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are + also included. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s flag is enabled, + the _p_a_t_h and _s_e_t_e_n_v variables in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All + other environment variables are removed unless permitted by _e_n_v___k_e_e_p or + _e_n_v___c_h_e_c_k, described above. + + Finally, the _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e and _e_n_v___f_i_l_e files are applied, if + present. The variables in _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e are applied first and are + subject to the same restrictions as the invoking user's environment, as + detailed above. The variables in _e_n_v___f_i_l_e are applied last and are not + subject to these restrictions. 
In both cases, variables present in the + files will only be set to their specified values if they would not + conflict with an existing environment variable. + +SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT + The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basically + variables) and user specifications (which specify who may run what). + + When multiple entries match for a user, they are applied in order. Where + there are multiple matches, the last match is used (which is not + necessarily the most specific match). + + The _s_u_d_o_e_r_s file grammar will be described below in Extended Backus-Naur + Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly + simple, and the definitions below are annotated. + + QQuuiicckk gguuiiddee ttoo EEBBNNFF + EBNF is a concise and exact way of describing the grammar of a language. + Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., + + symbol ::= definition | alternate1 | alternate2 ... + + Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for + the language. EBNF also contains the following operators, which many + readers will recognize from regular expressions. Do not, however, + confuse them with "wildcard" characters, which have different meanings. + + ? Means that the preceding symbol (or group of symbols) is optional. + That is, it may appear once or not at all. + + * Means that the preceding symbol (or group of symbols) may appear + zero or more times. + + + Means that the preceding symbol (or group of symbols) may appear + one or more times. + + Parentheses may be used to group symbols together. For clarity, we will + use single quotes ('') to designate what is a verbatim character string + (as opposed to a symbol name). + + AAlliiaasseess + There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and + Cmnd_Alias. 
+ + Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* | + 'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* | + 'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* | + 'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)* + + User_Alias ::= NAME + + User_Alias_Spec ::= User_Alias '=' User_List + + Runas_Alias ::= NAME + + Runas_Alias_Spec ::= Runas_Alias '=' Runas_List + + Host_Alias ::= NAME + + Host_Alias_Spec ::= Host_Alias '=' Host_List + + Cmnd_Alias ::= NAME + + Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List + + NAME ::= [A-Z]([A-Z][0-9]_)* + + Each _a_l_i_a_s definition is of the form + + Alias_Type NAME = item1, item2, ... + + where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or + Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and + underscore characters (`_'). A NAME mmuusstt start with an uppercase letter. + It is possible to put several alias definitions of the same type on a + single line, joined by a colon (`:'). E.g., + + Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 + + It is a syntax error to redefine an existing _a_l_i_a_s. It is possible to + use the same name for _a_l_i_a_s_e_s of different types, but this is not + recommended. + + The definitions of what constitutes a valid _a_l_i_a_s member follow. + + User_List ::= User | + User ',' User_List + + User ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* +netgroup | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* User_Alias + + A User_List is made up of one or more user names, user IDs (prefixed with + `#'), system group names and IDs (prefixed with `%' and `%#' + respectively), netgroups (prefixed with `+'), non-Unix group names and + IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each + list item may be prefixed with zero or more `!' operators. An odd number + of `!' operators negate the value of the item; an even number just cancel + each other out. 
User netgroups are matched using the user and domain + members only; the host member is not used when matching. + + A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may + be enclosed in double quotes to avoid the need for escaping special + characters. Alternately, special characters may be specified in escaped + hex mode, e.g., \x20 for space. When using double quotes, any prefix + characters must be included inside the quotes. + + The actual nonunix_group and nonunix_gid syntax depends on the underlying + group provider plugin. For instance, the QAS AD plugin supports the + following formats: + + ++oo Group in the same domain: "%:Group Name" + + ++oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" + + ++oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" + + See _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S for more information. + + Note that quotes around group names are optional. Unquoted strings must + use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r + _s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need + to be escaped. + + Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List + + Runas_Member ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* +netgroup | + '!'* Runas_Alias + + A Runas_List is similar to a User_List except that instead of + User_Aliases it can contain Runas_Aliases. Note that user names and + groups are matched as strings. In other words, two users (groups) with + the same uid (gid) are considered to be distinct. If you wish to match + all user names with the same uid (e.g., root and toor), you can use a uid + instead (#0 in the example given). + + Host_List ::= Host | + Host ',' Host_List + + Host ::= '!'* host name | + '!'* ip_addr | + '!'* network(/netmask)? 
| + '!'* +netgroup | + '!'* Host_Alias + + A Host_List is made up of one or more host names, IP addresses, network + numbers, netgroups (prefixed with `+') and other aliases. Again, the + value of an item may be negated with the `!' operator. Host netgroups + are matched using the host (both qualified and unqualified) and domain + members only; the user member is not used when matching. If you specify + a network number without a netmask, ssuuddoo will query each of the local + host's network interfaces and, if the network number corresponds to one + of the hosts's network interfaces, will use the netmask of that + interface. The netmask may be specified either in standard IP address + notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation + (number of bits, e.g., 24 or 64). A host name may include shell-style + wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name + command on your machine returns the fully qualified host name, you'll + need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo + only inspects actual network interfaces; this means that IP address + 127.0.0.1 (localhost) will never match. Also, the host name "localhost" + will only match if that is the actual host name, which is usually only + the case for non-networked systems. + + digest ::= [A-Fa-f0-9]+ | + [[A-Za-z0-9+/=]+ + + Digest_Spec ::= "sha224" ':' digest | + "sha256" ':' digest | + "sha384" ':' digest | + "sha512" ':' digest + + Cmnd_List ::= Cmnd | + Cmnd ',' Cmnd_List + + command name ::= file name | + file name args | + file name '""' + + Cmnd ::= Digest_Spec? '!'* command name | + '!'* directory | + '!'* "sudoedit" | + '!'* Cmnd_Alias + + A Cmnd_List is a list of one or more command names, directories, and + other aliases. A command name is a fully qualified file name which may + include shell-style wildcards (see the _W_i_l_d_c_a_r_d_s section below). 
A + simple file name allows the user to run the command with any arguments + he/she wishes. However, you may also specify command line arguments + (including wildcards). Alternately, you can specify "" to indicate that + the command may only be run wwiitthhoouutt command line arguments. A directory + is a fully qualified path name ending in a `/'. When you specify a + directory in a Cmnd_List, the user will be able to run any file within + that directory (but not in any sub-directories therein). + + If a Cmnd has associated command line arguments, then the arguments in + the Cmnd must match exactly those given by the user on the command line + (or match the wildcards if there are any). Note that the following + characters must be escaped with a `\' if they are used in command + arguments: `,', `:', `=', `\'. The built-in command "sudoedit" is used + to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may + take command line arguments just as a normal command does. Note that + "sudoedit" is a command built into ssuuddoo itself and must be specified in + the _s_u_d_o_e_r_s file without a leading path. + + If a command name is prefixed with a Digest_Spec, the command will only + match successfully if it can be verified using the specified SHA-2 + digest. The following digest formats are supported: sha224, sha256, + sha384 and sha512. The string may be specified in either hex or base64 + format (base64 is more compact). There are several utilities capable of + generating SHA-2 digests in hex format such as openssl, shasum, + sha224sum, sha256sum, sha384sum, sha512sum. 
+ + For example, using openssl: + + $ openssl dgst -sha224 /bin/ls + SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 + + It is also possible to use openssl to generate base64 output: + + $ openssl dgst -binary -sha224 /bin/ls | openssl base64 + EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== + + Warning, if the user has write access to the command itself (directly or + via a ssuuddoo command), it may be possible for the user to replace the + command after the digest check has been performed but before the command + is executed. A similar race condition exists on systems that lack the + fexecve(2) system call when the directory in which the command is located + is writable by the user. See the description of the _f_d_e_x_e_c setting for + more information on how ssuuddoo executes commands that have an associated + digest. + + Command digests are only supported by version 1.8.7 or higher. + + DDeeffaauullttss + Certain configuration options may be changed from their default values at + run-time via one or more Default_Entry lines. These may affect all users + on any host, all users on a specific host, a specific user, a specific + command, or commands being run as a specific user. Note that per-command + entries may not include command line arguments. If you need to specify + arguments, define a Cmnd_Alias and reference that instead. + + Default_Type ::= 'Defaults' | + 'Defaults' '@' Host_List | + 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | + 'Defaults' '>' Runas_List + + Default_Entry ::= Default_Type Parameter_List + + Parameter_List ::= Parameter | + Parameter ',' Parameter_List + + Parameter ::= Parameter '=' Value | + Parameter '+=' Value | + Parameter '-=' Value | + '!'* Parameter + + Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are + implicitly boolean and can be turned off via the `!' operator. 
Some + integer, string and list parameters may also be used in a boolean context + to disable them. Values may be enclosed in double quotes ("") when they + contain multiple words. Special characters may be escaped with a + backslash (`\'). + + Lists have two additional assignment operators, += and -=. These + operators are used to add to and delete from a list respectively. It is + not an error to use the -= operator to remove an element that does not + exist in a list. + + Defaults entries are parsed in the following order: generic, host, user + and runas Defaults first, then command defaults. If there are multiple + Defaults settings of the same type, the last matching setting is used. + The following Defaults settings are parsed before all others since they + may affect subsequent entries: _f_q_d_n, _g_r_o_u_p___p_l_u_g_i_n, _r_u_n_a_s___d_e_f_a_u_l_t, + _s_u_d_o_e_r_s___l_o_c_a_l_e. + + See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters. + + UUsseerr ssppeecciiffiiccaattiioonn + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* + + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + + Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd + + Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + + Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) + + SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + + Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') + + Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp') + + Timeout_Spec ::= 'TIMEOUT=timeout' + + Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' | + 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | + 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' | + 'NOPASSWD:' | 'SETENV:' | 'NOSETENV:') + + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as + what user) on specified hosts. 
By default, commands are run as rroooott, but + this can be changed on a per-command basis. + + The basic structure of a user specification is "who where = (as_whom) + what". Let's break that down into its constituent parts: + + RRuunnaass__SSppeecc + A Runas_Spec determines the user and/or the group that a command may be + run as. A fully-specified Runas_Spec consists of two Runas_Lists (as + defined above) separated by a colon (`:') and enclosed in a set of + parentheses. The first Runas_List indicates which users the command may + be run as via ssuuddoo's --uu option. The second defines a list of groups that + can be specified via ssuuddoo's --gg option in addition to any of the target + user's groups. If both Runas_Lists are specified, the command may be run + with any combination of users and groups listed in their respective + Runas_Lists. If only the first is specified, the command may be run as + any user in the list but no --gg option may be specified. If the first + Runas_List is empty but the second is specified, the command may be run + as the invoking user with the group set to any listed in the Runas_List. + If both Runas_Lists are empty, the command may only be run as the + invoking user. If no Runas_Spec is specified the command may be run as + rroooott and no group may be specified. + + A Runas_Spec sets the default for the commands that follow it. What this + means is that for the entry: + + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm + + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m on the host + boulder--but only as ooppeerraattoorr. E.g., + + $ sudo -u operator /bin/ls + + It is also possible to override a Runas_Spec later on in an entry. If we + modify the entry like so: + + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l + and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. 
+ + We can extend this to allow ddggbb to run /bin/ls with either the user or + group set to ooppeerraattoorr: + + dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ + /usr/bin/lprm + + Note that while the group portion of the Runas_Spec permits the user to + run as command with that group, it does not force the user to do so. If + no group is specified on the command line, the command will run with the + group listed in the target user's password database entry. The following + would all be permitted by the sudoers entry above: + + $ sudo -u operator /bin/ls + $ sudo -u operator -g operator /bin/ls + $ sudo -g operator /bin/ls + + In the following example, user ttccmm may run commands that access a modem + device file with the dialer group. + + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ + /usr/local/bin/minicom + + Note that in this example only the group will be set, the command still + runs as user ttccmm. E.g. + + $ sudo -g dialer /usr/bin/cu + + Multiple users and groups may be present in a Runas_Spec, in which case + the user may select any combination of users and groups via the --uu and --gg + options. In this example: + + alan ALL = (root, bin : operator, system) ALL + + user aallaann may run any command as either user root or bin, optionally + setting the group to operator or system. + + OOppttiioonn__SSppeecc + A Cmnd may have zero or more options associated with it. Options may + consist of SELinux roles and/or types, Solaris privileges sets, start + and/or end dates and command timeouts. Once an option is set for a Cmnd, + subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is + overridden by another option. + + SSEELLiinnuuxx__SSppeecc + On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have + an SELinux role and/or type associated with a command. If a role or type + is specified with the command it will override any default values + specified in _s_u_d_o_e_r_s. 
A role or type specified on the command line, + however, will supersede the values in _s_u_d_o_e_r_s. + + SSoollaarriiss__PPrriivv__SSppeecc + On Solaris systems, _s_u_d_o_e_r_s file entries may optionally specify Solaris + privilege set and/or limit privilege set associated with a command. If + privileges or limit privileges are specified with the command it will + override any default values specified in _s_u_d_o_e_r_s. + + A privilege set is a comma-separated list of privilege names. The + ppriv(1) command can be used to list all privileges known to the system. + For example: + + $ ppriv -l + + In addition, there are several "special" privilege strings: + + none the empty set + + all the set of all privileges + + zone the set of all privileges available in the current zone + + basic the default set of privileges normal users are granted at login + time + + Privileges can be excluded from a set by prefixing the privilege name + with either an `!' or `-' character. + + DDaattee__SSppeecc + ssuuddooeerrss rules can be specified with a start and end date via the + NOTBEFORE and NOTAFTER settings. The time stamp must be specified in + _G_e_n_e_r_a_l_i_z_e_d _T_i_m_e as defined by RFC 4517. The format is effectively + yyyymmddHHMMSSZ where the minutes and seconds are optional. The `Z' + suffix indicates that the time stamp is in Coordinated Universal Time + (UTC). It is also possible to specify a timezone offset from UTC in + hours and minutes instead of a `Z'. For example, `-0500' would + correspond to Eastern Standard time in the US. As an extension, if no + `Z' or timezone offset is specified, local time will be used. + + The following are all valid time stamps: + + 20170214083000Z + 2017021408Z + 20160315220000-0500 + 20151201235900 + + TTiimmeeoouutt__SSppeecc + A command may have a timeout associated with it. If the timeout expires + before the command has exited, the command will be terminated. 
The + timeout may be specified in combinations of days, hours, minutes and + seconds with a single-letter case-insensitive suffix that indicates the + unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes and + 10 seconds would be written as 7d8h30m10s. If a number is specified + without a unit, seconds are assumed. Any of the days, minutes, hours or + seconds may be omitted. The order must be from largest to smallest unit + and a unit may not be specified more than once. + + The following are all _v_a_l_i_d timeout values: 7d8h30m10s, 14d, 8h30m, 600s, + 3600. The following are _i_n_v_a_l_i_d timeout values: 12m2w1d, 30s10m4h, + 1d2d3h. + + This option is only supported by version 1.8.20 or higher. + + TTaagg__SSppeecc + A command may have zero or more tags associated with it. The following + tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT, + NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD, + SETENV, and NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in + the Cmnd_Spec_List, inherit the tag unless it is overridden by the + opposite tag (in other words, PASSWD overrides NOPASSWD and NOEXEC + overrides EXEC). + + _E_X_E_C and _N_O_E_X_E_C + + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. + + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how + NOEXEC works and whether or not it will work on your system. + + _F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not open + a file that is a symbolic link unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is + enabled. 
The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of + _s_u_d_o_e_d_i_t___f_o_l_l_o_w and can be used to permit (or deny) the editing of + symbolic links on a per-command basis. These tags are only effective + for the _s_u_d_o_e_d_i_t command and are ignored for all other commands. + + _L_O_G___I_N_P_U_T and _N_O_L_O_G___I_N_P_U_T + + These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___i_n_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. + + _L_O_G___O_U_T_P_U_T and _N_O_L_O_G___O_U_T_P_U_T + + These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. + + _M_A_I_L and _N_O_M_A_I_L + + These tags provide fine-grained control over whether mail will be sent + when a user runs a command by overriding the value of the + _m_a_i_l___a_l_l___c_m_n_d_s option on a per-command basis. They have no effect when + ssuuddoo is run with the --ll or --vv options. A _N_O_M_A_I_L tag will also override + the _m_a_i_l___a_l_w_a_y_s and _m_a_i_l___n_o___p_e_r_m_s options. For more information, see + the descriptions of _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s, and _m_a_i_l___n_o___p_e_r_m_s in + the _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. + + _P_A_S_S_W_D and _N_O_P_A_S_S_W_D + + By default, ssuuddoo requires that a user authenticate him or herself + before running a command. This behavior can be modified via the + NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for + the commands that follow it in the Cmnd_Spec_List. Conversely, the + PASSWD tag can be used to reverse things. 
For example: + + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m + as rroooott on the machine rushmore without authenticating himself. If we + only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry + would be: + + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm + + Note, however, that the PASSWD tag has no effect on users who are in + the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + + By default, if the NOPASSWD tag is applied to any of the entries for a + user on the current host, he or she will be able to run "sudo -l" + without a password. Additionally, a user may only run "sudo -v" + without a password if the NOPASSWD tag is present for all a user's + entries that pertain to the current host. This behavior may be + overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. + + _S_E_T_E_N_V and _N_O_S_E_T_E_N_V + + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, the user may + disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. + Additionally, environment variables set on the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or + _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set + variables in this manner. If the command matched is AALLLL, the SETENV + tag is implied for that command; this default may be overridden by use + of the NOSETENV tag. + + WWiillddccaarrddss + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be + used in host names, path names and command line arguments in the _s_u_d_o_e_r_s + file. Wildcard matching is done via the glob(3) and fnmatch(3) functions + as specified by IEEE Std 1003.1 ("POSIX.1"). 
+ + * Matches any set of zero or more characters (including white + space). + + ? Matches any single character (including white space). + + [...] Matches any character in the specified range. + + [!...] Matches any character _n_o_t in the specified range. + + \x For any character `x', evaluates to `x'. This is used to + escape special characters such as: `*', `?', `[', and `]'. + + NNoottee tthhaatt tthheessee aarree nnoott rreegguullaarr eexxpprreessssiioonnss.. Unlike a regular expression + there is no way to match one or more characters within a range. + + Character classes may be used if your system's glob(3) and fnmatch(3) + functions support them. However, because the `:' character has special + meaning in _s_u_d_o_e_r_s, it must be escaped. For example: + + /bin/ls [[\:alpha\:]]* + + Would match any file name beginning with a letter. + + Note that a forward slash (`/') will _n_o_t be matched by wildcards used in + the file name portion of the command. This is to make a path like: + + /usr/bin/* + + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + + When matching the command line arguments, however, a slash _d_o_e_s get + matched by wildcards since command line arguments may contain arbitrary + strings and not just path names. + + WWiillddccaarrddss iinn ccoommmmaanndd lliinnee aarrgguummeennttss sshhoouulldd bbee uusseedd wwiitthh ccaarree.. + Command line arguments are matched as a single, concatenated string. + This mean a wildcard character such as `?' or `*' will match across word + boundaries, which may be unexpected. For example, while a sudoers entry + like: + + %operator ALL = /bin/cat /var/log/messages* + + will allow command like: + + $ sudo cat /var/log/messages.1 + + It will also allow: + + $ sudo cat /var/log/messages /etc/shadow + + which is probably not what was intended. In most cases it is better to + do command line processing outside of the _s_u_d_o_e_r_s file in a scripting + language. 
+ + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess + The following exceptions apply to the above rules: + + "" If the empty string "" is the only command line argument in the + _s_u_d_o_e_r_s file entry it means that command is not allowed to be + run with _a_n_y arguments. + + sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should + always be path names, so a forward slash (`/') will not be + matched by a wildcard. + + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss + It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s + file currently being parsed using the #include and #includedir + directives. + + This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in + addition to a local, per-machine file. For the sake of this example the + site-wide _s_u_d_o_e_r_s file will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will + be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within + _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: + + #include /etc/sudoers.local + + When ssuuddoo reaches this line it will suspend processing of the current + file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching the + end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed. + Files that are included may themselves include other files. A hard limit + of 128 nested include files is enforced to prevent include file loops. + + If the path to the include file is not fully-qualified (does not begin + with a `/'), it must be located in the same directory as the sudoers file + it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: + + #include sudoers.local + + the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. 
+ + The file name may also include the %h escape, signifying the short form + of the host name. In other words, if the machine's host name is + "xerxes", then + + #include /etc/sudoers.%h + + will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. + + The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory + that the system package manager can drop _s_u_d_o_e_r_s file rules into as part + of package installation. For example, given: + + #includedir /etc/sudoers.d + + ssuuddoo will suspend processing of the current file and read each file in + _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end in `~' or contain a `.' + character to avoid causing problems with package manager or editor + temporary/backup files. Files are parsed in sorted lexical order. That + is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical, + not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded _a_f_t_e_r + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in + the file names can be used to avoid such problems. After parsing the + files in the directory, control returns to the file that contained the + #includedir directive. + + Note that unlike files included via #include, vviissuuddoo will not edit the + files in a #includedir directory unless one of them contains a syntax + error. It is still possible to run vviissuuddoo with the --ff flag to edit the + files directly, but this will not catch the redefinition of an _a_l_i_a_s that + is also present in a different file. 
+ + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss + The pound sign (`#') is used to indicate a comment (unless it is part of + a #include directive or unless it occurs in the context of a user name + and is followed by one or more digits, in which case it is treated as a + uid). Both the comment character and any text after it, up to the end of + the line, are ignored. + + The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to + succeed. It can be used wherever one might otherwise use a Cmnd_Alias, + User_Alias, Runas_Alias, or Host_Alias. You should not try to define + your own _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be dangerous + since in a command context, it allows the user to run _a_n_y command on the + system. + + An exclamation point (`!') can be used as a logical _n_o_t operator in a + list or _a_l_i_a_s as well as in front of a Cmnd. This allows one to exclude + certain values. For the `!' operator to be effective, there must be + something for it to exclude. For example, to match all users except for + root one would use: + + ALL,!root + + If the AALLLL, is omitted, as in: + + !root + + it would explicitly deny root but not match any other users. This is + different from a true "negation" operator. + + Note, however, that using a `!' in conjunction with the built-in AALLLL + alias to allow a user to run "all but a few" commands rarely works as + intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). + + Long lines can be continued with a backslash (`\') as the last character + on the line. + + White space between elements in a list as well as special syntactic + characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional. + + The following characters must be escaped with a backslash (`\') when used + as part of a word (e.g., a user name or host name): `!', `=', `:', `,', + `(', `)', `\'. 
+ +SSUUDDOOEERRSS OOPPTTIIOONNSS + ssuuddoo's behavior can be modified by Default_Entry lines, as explained + earlier. A list of all supported Defaults parameters, grouped by type, + are listed below. + + BBoooolleeaann FFllaaggss: + + always_query_group_plugin + If a _g_r_o_u_p___p_l_u_g_i_n is configured, use it to resolve + groups of the form %group as long as there is not also + a system group of the same name. Normally, only groups + of the form %:group are passed to the _g_r_o_u_p___p_l_u_g_i_n. + This flag is _o_f_f by default. + + always_set_home If enabled, ssuuddoo will set the HOME environment variable + to the home directory of the target user (which is root + unless the --uu option is used). This effectively means + that the --HH option is always implied. Note that by + default, HOME will be set to the home directory of the + target user when the _e_n_v___r_e_s_e_t option is enabled, so + _a_l_w_a_y_s___s_e_t___h_o_m_e only has an effect for configurations + where either _e_n_v___r_e_s_e_t is disabled or HOME is present + in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default. + + authenticate If set, users must authenticate themselves via a + password (or other means of authentication) before they + may run commands. This default may be overridden via + the PASSWD and NOPASSWD tags. This flag is _o_n by + default. + + case_insensitive_group + If enabled, group names in _s_u_d_o_e_r_s will be matched in a + case insensitive manner. This may be necessary when + users are stored in LDAP or AD. This flag is _o_n by + default. + + case_insensitive_user + If enabled, user names in _s_u_d_o_e_r_s will be matched in a + case insensitive manner. This may be necessary when + groups are stored in LDAP or AD. This flag is _o_n by + default. + + closefrom_override + If set, the user may use ssuuddoo's --CC option which + overrides the default starting point at which ssuuddoo + begins closing open file descriptors. This flag is _o_f_f + by default. 
+ + compress_io If set, and ssuuddoo is configured to log a command's input + or output, the I/O logs will be compressed using zzlliibb. + This flag is _o_n by default when ssuuddoo is compiled with + zzlliibb support. + + exec_background By default, ssuuddoo runs a command as the foreground + process as long as ssuuddoo itself is running in the + foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled + and the command is being run in a pty (due to I/O + logging or the _u_s_e___p_t_y flag), the command will be run + as a background process. Attempts to read from the + controlling terminal (or to change terminal settings) + will result in the command being suspended with the + SIGTTIN signal (or SIGTTOU in the case of terminal + settings). If this happens when ssuuddoo is a foreground + process, the command will be granted the controlling + terminal and resumed in the foreground with no user + intervention required. The advantage of initially + running the command in the background is that ssuuddoo need + not read from the terminal unless the command + explicitly requests it. Otherwise, any terminal input + must be passed to the command, whether it has required + it or not (the kernel buffers terminals so it is not + possible to tell whether the command really wants the + input). This is different from historic _s_u_d_o behavior + or when the command is not being run in a pty. + + For this to work seamlessly, the operating system must + support the automatic restarting of system calls. + Unfortunately, not all operating systems do this by + default, and even those that do may have bugs. For + example, macOS fails to restart the ttccggeettaattttrr() and + ttccsseettaattttrr() system calls (this is a bug in macOS). 
+ Furthermore, because this behavior depends on the + command stopping with the SIGTTIN or SIGTTOU signals, + programs that catch these signals and suspend + themselves with a different signal (usually SIGTOP) + will not be automatically foregrounded. Some versions + of the linux su(1) command behave this way. This flag + is _o_f_f by default. + + This setting is only supported by version 1.8.7 or + higher. It has no effect unless I/O logging is enabled + or the _u_s_e___p_t_y flag is enabled. + + env_editor If set, vviissuuddoo will use the value of the SUDO_EDITOR, + VISUAL or EDITOR environment variables before falling + back on the default editor list. Note that this may + create a security hole as it allows the user to run any + arbitrary command as root without logging. A safer + alternative is to place a colon-separated list of + editors in the _e_d_i_t_o_r variable. vviissuuddoo will then only + use SUDO_EDITOR, VISUAL or EDITOR if they match a value + specified in _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is enabled, + the SUDO_EDITOR, VISUAL and/or EDITOR environment + variables must be present in the _e_n_v___k_e_e_p list for the + _e_n_v___e_d_i_t_o_r flag to function when vviissuuddoo is invoked via + ssuuddoo. This flag is _o_f_f by default. + + env_reset If set, ssuuddoo will run the command in a minimal + environment containing the TERM, PATH, HOME, MAIL, + SHELL, LOGNAME, USER and SUDO_* variables. Any + variables in the caller's environment or in the file + specified by the _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e option that match + the env_keep and env_check lists are then added, + followed by any variables present in the file specified + by the _e_n_v___f_i_l_e option (if any). The contents of the + env_keep and env_check lists, as modified by global + Defaults parameters in _s_u_d_o_e_r_s, are displayed when ssuuddoo + is run by root with the --VV option. 
If the _s_e_c_u_r_e___p_a_t_h + option is set, its value will be used for the PATH + environment variable. This flag is _o_n by default. + + fast_glob Normally, ssuuddoo uses the glob(3) function to do shell- + style globbing when matching path names. However, + since it accesses the file system, glob(3) can take a + long time to complete for some patterns, especially + when the pattern references a network file system that + is mounted on demand (auto mounted). The _f_a_s_t___g_l_o_b + option causes ssuuddoo to use the fnmatch(3) function, + which does not access the file system to do its + matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is + unable to match relative path names such as _._/_l_s or + _._._/_b_i_n_/_l_s. This has security implications when path + names that include globbing characters are used with + the negation operator, `!', as such rules can be + trivially bypassed. As such, this option should not be + used when the _s_u_d_o_e_r_s file contains rules that contain + negated path names which include globbing characters. + This flag is _o_f_f by default. + + fqdn Set this flag if you want to put fully qualified host + names in the _s_u_d_o_e_r_s file when the local host name (as + returned by the hostname command) does not contain the + domain name. In other words, instead of myhost you + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). This + option is only effective when the "canonical" host + name, as returned by the ggeettaaddddrriinnffoo() or + ggeetthhoossttbbyynnaammee() function, is a fully-qualified domain + name. This is usually the case when the system is + configured to use DNS for host name resolution. + + If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file + in preference to DNS, the "canonical" host name may not + be fully-qualified. 
The order that sources are queried + for host name resolution is usually specified in the + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, _/_e_t_c_/_h_o_s_t_._c_o_n_f, + or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f file. In the + _/_e_t_c_/_h_o_s_t_s file, the first host name of the entry is + considered to be the "canonical" name; subsequent names + are aliases that are not used by ssuuddooeerrss. For example, + the following hosts file line for the machine "xyzzy" + has the fully-qualified domain name as the "canonical" + host name, and the short version as an alias. + + 192.168.1.1 xyzzy.sudo.ws xyzzy + + If the machine's hosts file entry is not formatted + properly, the _f_q_d_n option will not be effective if it + is queried before DNS. + + Beware that when using DNS for host name resolution, + turning on _f_q_d_n requires ssuuddooeerrss to make DNS lookups + which renders ssuuddoo unusable if DNS stops working (for + example if the machine is disconnected from the + network). Also note that just like with the hosts + file, you must use the "canonical" name as DNS knows + it. That is, you may not use a host alias (CNAME + entry) due to performance issues and the fact that + there is no way to get all aliases from DNS. + + This flag is _o_f_f by default. + + ignore_audit_errors + Allow commands to be run even if ssuuddooeerrss cannot write + to the audit log. If enabled, an audit log write + failure is not treated as a fatal error. If disabled, + a command may only be run after the audit event is + successfully written. This flag is only effective on + systems for which ssuuddooeerrss supports audit logging, + including FreeBSD, Linux, macOS and Solaris. This flag + is _o_n by default. + + ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting + current directory) in the PATH environment variable; + the PATH itself is not modified. This flag is _o_f_f by + default. 
+ + ignore_iolog_errors + Allow commands to be run even if ssuuddooeerrss cannot write + to the I/O log. If enabled, an I/O log write failure + is not treated as a fatal error. If disabled, the + command will be terminated if the I/O log cannot be + written to. This flag is _o_f_f by default. + + ignore_logfile_errors + Allow commands to be run even if ssuuddooeerrss cannot write + to the log file. If enabled, a log file write failure + is not treated as a fatal error. If disabled, a + command may only be run after the log file entry is + successfully written. This flag only has an effect + when ssuuddooeerrss is configured to use file-based logging + via the _l_o_g_f_i_l_e option. This flag is _o_n by default. + + ignore_local_sudoers + If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be + skipped. This is intended for Enterprises that wish to + prevent the usage of local sudoers files so that only + LDAP is used. This thwarts the efforts of rogue + operators who would attempt to add roles to + _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, + _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this + option tells ssuuddoo how to behave when no specific LDAP + entries have been matched, this sudoOption is only + meaningful for the cn=defaults section. This flag is + _o_f_f by default. + + ignore_unknown_defaults + If set, ssuuddoo will not produce a warning if it + encounters an unknown Defaults entry in the _s_u_d_o_e_r_s + file or an unknown sudoOption in LDAP. This flag is + _o_f_f by default. + + insults If set, ssuuddoo will insult users when they enter an + incorrect password. This flag is _o_f_f by default. + + log_host If set, the host name will be logged in the (non- + syslog) ssuuddoo log file. This flag is _o_f_f by default. + + log_input If set, ssuuddoo will run the command in a pseudo-tty and + log all user input. 
If the standard input is not + connected to the user's tty, due to I/O redirection or + because the command is part of a pipeline, that input + is also captured and stored in a separate log file. + Anything sent to the standard input will be consumed, + regardless of whether or not the command run via ssuuddoo + is actually reading the standard input. This may have + unexpected results when using ssuuddoo in a shell script + that expects to process the standard input. For more + information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S + section. This flag is _o_f_f by default. + + log_output If set, ssuuddoo will run the command in a pseudo-tty and + log all output that is sent to the screen, similar to + the script(1) command. For more information about I/O + logging, see the _I_/_O _L_O_G _F_I_L_E_S section. This flag is + _o_f_f by default. + + log_year If set, the four-digit year will be logged in the (non- + syslog) ssuuddoo log file. This flag is _o_f_f by default. + + long_otp_prompt When validating with a One Time Password (OTP) scheme + such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to + make it easier to cut and paste the challenge to a + local window. It's not as pretty as the default but + some people find it more convenient. This flag is _o_f_f + by default. + + mail_all_cmnds Send mail to the _m_a_i_l_t_o user every time a user attempts + to run a command via ssuuddoo (this includes ssuuddooeeddiitt). No + mail will be sent if the user runs ssuuddoo with the --ll or + --vv option unless there is an authentication error and + the _m_a_i_l___b_a_d_p_a_s_s flag is also set. This flag is _o_f_f by + default. + + mail_always Send mail to the _m_a_i_l_t_o user every time a user runs + ssuuddoo. This flag is _o_f_f by default. + + mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo + does not enter the correct password. 
If the command + the user is attempting to run is not permitted by + ssuuddooeerrss and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s, + _m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are + set, this flag will have no effect. This flag is _o_f_f + by default. + + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user exists in the _s_u_d_o_e_r_s file, but is not + allowed to run commands on the current host. This flag + is _o_f_f by default. + + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is allowed to use ssuuddoo but the command + they are trying is not listed in their _s_u_d_o_e_r_s file + entry or is explicitly denied. This flag is _o_f_f by + default. + + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is not in the _s_u_d_o_e_r_s file. This flag is + _o_n by default. + + match_group_by_gid + By default, ssuuddooeerrss will look up each group the user is + a member of by group ID to determine the group name + (this is only done once). The resulting list of the + user's group names is used when matching groups listed + in the _s_u_d_o_e_r_s file. This works well on systems where + the number of groups listed in the _s_u_d_o_e_r_s file is + larger than the number of groups a typical user belongs + to. On systems where group lookups are slow, where + users may belong to a large number of groups, and where + the number of groups listed in the _s_u_d_o_e_r_s file is + relatively small, it may be prohibitively expensive and + running commands via ssuuddoo may take longer than normal. + On such systems it may be faster to use the + _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's + group IDs to group names. 
In this case, ssuuddooeerrss must + look up any group name listed in the _s_u_d_o_e_r_s file and + use the group ID instead of the group name when + determining whether the user is a member of the group. + + Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group + database lookups performed by ssuuddooeerrss will be keyed by + group name as opposed to group ID. On systems where + there are multiple sources for the group database, it + is possible to have conflicting group names or group + IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group + database. On such systems, enabling or disabling + _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group + database queries are performed by name (enabled) or ID + (disabled), which may aid in working around group entry + conflicts. + + The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s + data is stored in LDAP. This flag is _o_f_f by default. + + This setting is only supported by version 1.8.18 or + higher. + + netgroup_tuple If set, netgroup lookups will be performed using the + full netgroup tuple: host name, user name and domain + (if one is set). Historically, ssuuddoo only matched the + user name and domain for netgroups used in a User_List + and only matched the host name and domain for netgroups + used in a Host_List. This flag is _o_f_f by default. + + noexec If set, all commands run via ssuuddoo will behave as if the + NOEXEC tag has been set, unless overridden by an EXEC + tag. See the description of _E_X_E_C _a_n_d _N_O_E_X_E_C above as + well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end + of this manual. This flag is _o_f_f by default. + + pam_session On systems that use PAM for authentication, ssuuddoo will + create a new PAM session for the command to be run in. 
+ Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM + implementations or on operating systems where opening a + PAM session changes the utmp or wtmp files. If PAM + session support is disabled, resource limits may not be + updated for the command being run. If _p_a_m___s_e_s_s_i_o_n, + _p_a_m___s_e_t_c_r_e_d, and _u_s_e___p_t_y are disabled and I/O logging + has not been configured, ssuuddoo will execute the command + directly instead of running it as a child process. + This flag is _o_n by default. + + This setting is only supported by version 1.8.7 or + higher. + + pam_setcred On systems that use PAM for authentication, ssuuddoo will + attempt to establish credentials for the target user by + default, if supported by the underlying authentication + system. One example of a credential is a Kerberos + ticket. If _p_a_m___s_e_s_s_i_o_n, _p_a_m___s_e_t_c_r_e_d, and _u_s_e___p_t_y are + disabled and I/O logging has not been configured, ssuuddoo + will execute the command directly instead of running it + as a child process. This flag is _o_n by default. + + This setting is only supported by version 1.8.8 or + higher. + + passprompt_override + If set, the prompt specified by _p_a_s_s_p_r_o_m_p_t or the + SUDO_PROMPT environment variable will always be used + and will replace the prompt provided by a PAM module or + other authentication method. This flag is _o_f_f by + default. + + path_info Normally, ssuuddoo will tell the user when a command could + not be found in their PATH environment variable. Some + sites may wish to disable this as it could be used to + gather information on the location of executables that + the normal user does not have access to. The + disadvantage is that if the executable is simply not in + the user's PATH, ssuuddoo will tell the user that they are + not allowed to run it, which can be confusing. This + flag is _o_n by default. 
+ + preserve_groups By default, ssuuddoo will initialize the group vector to + the list of groups the target user is in. When + _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group + vector is left unaltered. The real and effective group + IDs, however, are still set to match the target user. + This flag is _o_f_f by default. + + pwfeedback By default, ssuuddoo reads the password like most other + Unix programs, by turning off echo until the user hits + the return (or enter) key. Some users become confused + by this as it appears to them that ssuuddoo has hung at + this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide + visual feedback when the user presses a key. Note that + this does have a security impact as an onlooker may be + able to determine the length of the password being + entered. This flag is _o_f_f by default. + + requiretty If set, ssuuddoo will only run when the user is logged in + to a real tty. When this flag is set, ssuuddoo can only be + run from a login session and not via other means such + as cron(1m) or cgi-bin scripts. This flag is _o_f_f by + default. + + root_sudo If set, root is allowed to run ssuuddoo too. Disabling + this prevents users from "chaining" ssuuddoo commands to + get a root shell by doing something like "sudo sudo + /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o + will also prevent root from running ssuuddooeeddiitt. + Disabling _r_o_o_t___s_u_d_o provides no real additional + security; it exists purely for historical reasons. + This flag is _o_n by default. + + rootpw If set, ssuuddoo will prompt for the root password instead + of the password of the invoking user when running a + command or editing a file. This flag is _o_f_f by + default. + + runaspw If set, ssuuddoo will prompt for the password of the user + defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) + instead of the password of the invoking user when + running a command or editing a file. 
This flag is _o_f_f + by default. + + set_home If enabled and ssuuddoo is invoked with the --ss option the + HOME environment variable will be set to the home + directory of the target user (which is root unless the + --uu option is used). This effectively makes the --ss + option imply --HH. Note that HOME is already set when + the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is only + effective for configurations where either _e_n_v___r_e_s_e_t is + disabled or HOME is present in the _e_n_v___k_e_e_p list. This + flag is _o_f_f by default. + + set_logname Normally, ssuuddoo will set the LOGNAME and USER + environment variables to the name of the target user + (usually root unless the --uu option is given). However, + since some programs (including the RCS revision control + system) use LOGNAME to determine the real identity of + the user, it may be desirable to change this behavior. + This can be done by negating the set_logname option. + Note that _s_e_t___l_o_g_n_a_m_e will have no effect if the + _e_n_v___r_e_s_e_t option has not been disabled and the _e_n_v___k_e_e_p + list contains LOGNAME or USER. This flag is _o_n by + default. + + set_utmp When enabled, ssuuddoo will create an entry in the utmp (or + utmpx) file when a pseudo-tty is allocated. A pseudo- + tty is allocated by ssuuddoo when the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t + or _u_s_e___p_t_y flags are enabled. By default, the new + entry will be a copy of the user's existing utmp entry + (if any), with the tty, time, type and pid fields + updated. This flag is _o_n by default. + + setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the + command line via the --EE option. Additionally, + environment variables set via the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, + _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users + should be allowed to set variables in this manner. + This flag is _o_f_f by default. 
+ + shell_noargs If set and ssuuddoo is invoked with no arguments it acts as + if the --ss option had been given. That is, it runs a + shell as root (the shell is determined by the SHELL + environment variable if it is set, falling back on the + shell listed in the invoking user's /etc/passwd entry + if not). This flag is _o_f_f by default. + + stay_setuid Normally, when ssuuddoo executes a command the real and + effective UIDs are set to the target user (root by + default). This option changes that behavior such that + the real UID is left as the invoking user's UID. In + other words, this makes ssuuddoo act as a setuid wrapper. + This can be useful on systems that disable some + potentially dangerous functionality when a program is + run setuid. This option is only effective on systems + that support either the setreuid(2) or setresuid(2) + system call. This flag is _o_f_f by default. + + sudoedit_checkdir + If set, ssuuddooeeddiitt will check all directory components of + the path to be edited for writability by the invoking + user. Symbolic links will not be followed in writable + directories and ssuuddooeeddiitt will refuse to edit a file + located in a writable directory. These restrictions + are not enforced when ssuuddooeeddiitt is run by root. On some + systems, if all directory components of the path to be + edited are not readable by the target user, ssuuddooeeddiitt + will be unable to edit the file. This flag is _o_n by + default. + + This setting was first introduced in version 1.8.15 but + initially suffered from a race condition. The check + for symbolic links in writable intermediate directories + was added in version 1.8.16. + + sudoedit_follow By default, ssuuddooeeddiitt will not follow symbolic links + when opening files. The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be + enabled to allow ssuuddooeeddiitt to open symbolic links. It + may be overridden on a per-command basis by the _F_O_L_L_O_W + and _N_O_F_O_L_L_O_W tags. 
This flag is _o_f_f by default. + + This setting is only supported by version 1.8.15 or + higher. + + syslog_pid When logging via syslog(3), include the process ID in + the log entry. This flag is _o_f_f by default. + + This setting is only supported by version 1.8.21 or + higher. + + targetpw If set, ssuuddoo will prompt for the password of the user + specified by the --uu option (defaults to root) instead + of the password of the invoking user when running a + command or editing a file. Note that this flag + precludes the use of a uid not listed in the passwd + database as an argument to the --uu option. This flag is + _o_f_f by default. + + tty_tickets If set, users must authenticate on a per-tty basis. + With this flag enabled, ssuuddoo will use a separate record + in the time stamp file for each terminal. If disabled, + a single record is used for all login sessions. + + This option has been superseded by the _t_i_m_e_s_t_a_m_p___t_y_p_e + option. + + umask_override If set, ssuuddoo will set the umask as specified in the + _s_u_d_o_e_r_s file without modification. This makes it + possible to specify a umask in the _s_u_d_o_e_r_s file that is + more permissive than the user's own umask and matches + historical behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, + ssuuddoo will set the umask to be the union of the user's + umask and what is specified in _s_u_d_o_e_r_s. This flag is + _o_f_f by default. + + use_loginclass If set, ssuuddoo will apply the defaults specified for the + target user's login class if one exists. Only + available if ssuuddoo is configured with the + --with-logincap option. This flag is _o_f_f by default. + + use_netgroups If set, netgroups (prefixed with `+'), may be used in + place of a user or host. For LDAP-based sudoers, + netgroup support requires an expensive sub-string match + on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is + present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. 
If netgroups are + not needed, this option can be disabled to reduce the + load on the LDAP server. This flag is _o_n by default. + + use_pty If set, and ssuuddoo is running in a terminal, the command + will be run in a pseudo-pty (even if no I/O logging is + being done). If the ssuuddoo process is not attached to a + terminal, _u_s_e___p_t_y has no effect. + + A malicious program run under ssuuddoo may be capable of + injecting commands into the user's terminal or running + a background process that retains access to the user's + terminal device even after the main program has + finished executing. By running the command in a + separate pseudo-pty, this attack is no longer possible. + This flag is _o_f_f by default. + + user_command_timeouts + If set, the user may specify a timeout on the command + line. If the timeout expires before the command has + exited, the command will be terminated. If a timeout + is specified both in the _s_u_d_o_e_r_s file and on the + command line, the smaller of the two timeouts will be + used. See the Timeout_Spec section for a description + of the timeout syntax. This flag is _o_f_f by default. + + This setting is only supported by version 1.8.20 or + higher. + + utmp_runas If set, ssuuddoo will store the name of the runas user when + updating the utmp (or utmpx) file. By default, ssuuddoo + stores the name of the invoking user. This flag is _o_f_f + by default. + + visiblepw By default, ssuuddoo will refuse to run if the user must + enter a password but it is not possible to disable echo + on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo + will prompt for a password even when it would be + visible on the screen. This makes it possible to run + things like "ssh somehost sudo ls" since by default, + ssh(1) does not allocate a tty when running a command. + This flag is _o_f_f by default. 
+ + IInntteeggeerrss: + + closefrom Before it executes a command, ssuuddoo will close all open + file descriptors other than standard input, standard + output and standard error (ie: file descriptors 0-2). + The _c_l_o_s_e_f_r_o_m option can be used to specify a different + file descriptor at which to start closing. The default + is 3. + + command_timeout The maximum amount of time a command is allowed to run + before it is terminated. See the Timeout_Spec section + for a description of the timeout syntax. + + This setting is only supported by version 1.8.20 or + higher. + + maxseq The maximum sequence number that will be substituted + for the "%{seq}" escape in the I/O log file (see the + _i_o_l_o_g___d_i_r description below for more information). + While the value substituted for "%{seq}" is in base 36, + _m_a_x_s_e_q itself should be expressed in decimal. Values + larger than 2176782336 (which corresponds to the base + 36 sequence number "ZZZZZZ") will be silently truncated + to 2176782336. The default value is 2176782336. + + Once the local sequence number reaches the value of + _m_a_x_s_e_q, it will "roll over" to zero, after which + ssuuddooeerrss will truncate and re-use any existing I/O log + path names. + + This setting is only supported by version 1.8.7 or + higher. + + passwd_tries The number of tries a user gets to enter his/her + password before ssuuddoo logs the failure and exits. The + default is 3. + + syslog_maxlen On many systems, syslog(3) has a relatively small log + buffer. IETF RFC 5424 states that syslog servers must + support messages of at least 480 bytes and should + support messages up to 2048 bytes. By default, ssuuddooeerrss + creates log messages up to 980 bytes which corresponds + to the historic BSD syslog implementation which used a + 1024 byte buffer to store the message, date, hostname + and program name. 
To prevent syslog messages from + being truncated, ssuuddooeerrss will split up log messages + that are larger than _s_y_s_l_o_g___m_a_x_l_e_n bytes. When a + message is split, additional parts will include the + string "(command continued)" after the user name and + before the continued command line arguments. + + This setting is only supported by version 1.8.19 or + higher. + + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + loglinelen Number of characters per line for the file log. This + value is used to decide when to wrap lines for nicer + log files. This has no effect on the syslog log file, + only the file log. The default is 80 (use 0 or negate + the option to disable word wrap). + + passwd_timeout Number of minutes before the ssuuddoo password prompt times + out, or 0 for no timeout. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. + + timestamp_timeout + Number of minutes that can elapse before ssuuddoo will ask + for a passwd again. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. Set + this to 0 to always prompt for a password. If set to a + value less than 0 the user's time stamp will not expire + until the system is rebooted. This can be used to + allow users to create or delete their own time stamps + via "sudo -v" and "sudo -k" respectively. + + umask Umask to use when running the command. Negate this + option or set it to 0777 to preserve the user's umask. + The actual umask that is used will be the union of the + user's umask and the value of the _u_m_a_s_k option, which + defaults to 0022. This guarantees that ssuuddoo never + lowers the umask when running a command. Note: on + systems that use PAM, the default PAM configuration may + specify its own umask which will override the value set + in _s_u_d_o_e_r_s. 
+ + SSttrriinnggss: + + authfail_message Message that is displayed after a user fails to + authenticate. The message may include the `%d' escape + which will expand to the number of failed password + attempts. If set, it overrides the default message, %d + incorrect password attempt(s). + + badpass_message Message that is displayed if a user enters an incorrect + password. The default is Sorry, try again. unless + insults are enabled. + + editor A colon (`:') separated list of editors path names used + by ssuuddooeeddiitt and vviissuuddoo. For ssuuddooeeddiitt, this list is + used to find an editor when none of the SUDO_EDITOR, + VISUAL or EDITOR environment variables are set to an + editor that exists and is executable. For vviissuuddoo, it + is used as a white list of allowed editors; vviissuuddoo will + choose the editor that matches the user's SUDO_EDITOR, + VISUAL or EDITOR environment variable if possible, or + the first editor in the list that exists and is + executable if not. Unless invoked as ssuuddooeeddiitt, ssuuddoo + does not preserve the SUDO_EDITOR, VISUAL and EDITOR + environment variables by default, even when the + _e_n_v___r_e_s_e_t option is enabled. The default is _v_i. + + iolog_dir The top-level directory to use when constructing the + path name for the input/output log directory. Only + used if the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled + or when the LOG_INPUT or LOG_OUTPUT tags are present + for a command. The session sequence number, if any, is + stored in the directory. The default is + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. 
+ + The following percent (`%') escape sequences are + supported: + + %{seq} + expanded to a monotonically increasing base-36 + sequence number, such as 0100A5, where every two + digits are used to form a new directory, e.g., + _0_1_/_0_0_/_A_5 + + %{user} + expanded to the invoking user's login name + + %{group} + expanded to the name of the invoking user's real + group ID + + %{runas_user} + expanded to the login name of the user the + command will be run as (e.g., root) + + %{runas_group} + expanded to the group name of the user the + command will be run as (e.g., wheel) + + %{hostname} + expanded to the local host name without the + domain name + + %{command} + expanded to the base name of the command being + run + + In addition, any escape sequences supported by the + system's strftime(3) function will be expanded. + + To include a literal `%' character, the string `%%' + should be used. + + iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store + input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t + options are enabled or when the LOG_INPUT or LOG_OUTPUT + tags are present for a command. Note that _i_o_l_o_g___f_i_l_e + may contain directory components. The default is + "%{seq}". + + See the _i_o_l_o_g___d_i_r option above for a list of supported + percent (`%') escape sequences. + + In addition to the escape sequences, path names that + end in six or more Xs will have the Xs replaced with a + unique combination of digits and letters, similar to + the mktemp(3) function. + + If the path created by concatenating _i_o_l_o_g___d_i_r and + _i_o_l_o_g___f_i_l_e already exists, the existing I/O log file + will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e + ends in six or more Xs. + + iolog_flush If set, ssuuddoo will flush I/O log data to disk after each + write instead of buffering it. 
This makes it possible + to view the logs in real-time as the program is + executing but may significantly reduce the + effectiveness of I/O log compression. This flag is _o_f_f + by default. + + This setting is only supported by version 1.8.20 or + higher. + + iolog_group The group name to look up when setting the group ID on + new I/O log files and directories. If _i_o_l_o_g___g_r_o_u_p is + not set, the primary group ID of the user specified by + _i_o_l_o_g___u_s_e_r is used. If neither _i_o_l_o_g___g_r_o_u_p nor + _i_o_l_o_g___u_s_e_r are set, I/O log files and directories are + created with group ID 0. + + This setting is only supported by version 1.8.19 or + higher. + + iolog_mode The file mode to use when creating I/O log files. Mode + bits for read and write permissions for owner, group or + other are honored, everything else is ignored. The + file permissions will always include the owner read and + write bits, even if they are not present in the + specified mode. When creating I/O log directories, + search (execute) bits are added to match the read and + write bits specified by _i_o_l_o_g___m_o_d_e. Defaults to 0600 + (read and write by user only). + + This setting is only supported by version 1.8.19 or + higher. + + iolog_user The user name to look up when setting the user and + group IDs on new I/O log files and directories. If + _i_o_l_o_g___g_r_o_u_p is set, it will be used instead of the + user's primary group ID. By default, I/O log files and + directories are created with user and group ID 0. + + This setting can be useful when the I/O logs are stored + on a Network File System (NFS) share. Having a + dedicated user own the I/O log files means that ssuuddooeerrss + does not write to the log files as user ID 0, which is + usually not permitted by NFS. + + This setting is only supported by version 1.8.19 or + higher. + + lecture_status_dir + The directory in which ssuuddoo stores per-user lecture + status files. 
Once a user has received the lecture, a + zero-length file is created in this directory so that + ssuuddoo will not lecture the user again. This directory + should _n_o_t be cleared when the system reboots. The + default is _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d. + + limitprivs The default Solaris limit privileges to use when + constructing a new privilege set for a command. This + bounds all privileges of the executing process. The + default limit privileges may be overridden on a per- + command basis in _s_u_d_o_e_r_s. This option is only + available if ssuuddooeerrss is built on Solaris 10 or higher. + + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The + escape %h will expand to the host name of the machine. + Default is "*** SECURITY information for %h ***". + + noexec_file As of ssuuddoo version 1.8.1 this option is no longer + supported. The path to the noexec file should now be + set in the sudo.conf(4) file. + + pam_login_service + On systems that use PAM for authentication, this is the + service name used when the --ii option is specified. The + default value is "sudo". See the description of + _p_a_m___s_e_r_v_i_c_e for more information. + + This setting is only supported by version 1.8.8 or + higher. + + pam_service On systems that use PAM for authentication, the service + name specifies the PAM policy to apply. This usually + corresponds to an entry in the _p_a_m_._c_o_n_f file or a file + in the _/_e_t_c_/_p_a_m_._d directory. The default value is + "sudo". + + This setting is only supported by version 1.8.8 or + higher. + + passprompt The default prompt to use when asking for a password; + can be overridden via the --pp option or the SUDO_PROMPT + environment variable. 
The following percent (`%') + escape sequences are supported: + + %H expanded to the local host name including the + domain name (only if the machine's host name is + fully qualified or the _f_q_d_n option is set) + + %h expanded to the local host name without the + domain name + + %p expanded to the user whose password is being + asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and + _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s) + + %U expanded to the login name of the user the + command will be run as (defaults to root) + + %u expanded to the invoking user's login name + + %% two consecutive % characters are collapsed into a + single % character + + On systems that use PAM for authentication, _p_a_s_s_p_r_o_m_p_t + will only be used if the prompt provided by the PAM + module matches the string "Password: " or "username's + Password: ". This ensures that the _p_a_s_s_p_r_o_m_p_t setting + does not interfere with challenge-response style + authentication. The _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag can be + used to change this behavior. + + The default value is "Password: ". + + privs The default Solaris privileges to use when constructing + a new privilege set for a command. This is passed to + the executing process via the inherited privilege set, + but is bounded by the limit privileges. If the _p_r_i_v_s + option is specified but the _l_i_m_i_t_p_r_i_v_s option is not, + the limit privileges of the executing process is set to + _p_r_i_v_s. The default privileges may be overridden on a + per-command basis in _s_u_d_o_e_r_s. This option is only + available if ssuuddooeerrss is built on Solaris 10 or higher. + + role The default SELinux role to use when constructing a new + security context to run the command. The default role + may be overridden on a per-command basis in the _s_u_d_o_e_r_s + file or via command line options. This option is only + available when ssuuddoo is built with SELinux support. 
+ + runas_default The default user to run commands as if the --uu option is + not specified on the command line. This defaults to + root. + + sudoers_locale Locale to use when parsing the sudoers file, logging + commands, and sending email. Note that changing the + locale may affect how sudoers is interpreted. Defaults + to "C". + + timestamp_type ssuuddooeerrss uses per-user time stamp files for credential + caching. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to + specify the type of time stamp record used. It has the + following possible values: + + global A single time stamp record is used for all of a + user's login sessions, regardless of the + terminal or parent process ID. An additional + record is used to serialize password prompts + when ssuuddoo is used multiple times in a pipeline, + but this does not affect authentication. + + ppid A single time stamp record is used for all + processes with the same parent process ID + (usually the shell). Commands run from the + same shell (or other common parent process) + will not require a password for + _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t minutes (5 by default). + Commands run via ssuuddoo with a different parent + process ID, for example from a shell script, + will be authenticated separately. + + tty One time stamp record is used for each + terminal, which means that a user's login + sessions are authenticated separately. If no + terminal is present, the behavior is the same + as _p_p_i_d. Commands run from the same terminal + will not require a password for + _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t minutes (5 by default). + + kernel The time stamp is stored in the kernel as an + attribute of the terminal device. If no + terminal is present, the behavior is the same + as _p_p_i_d. Negative _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t values are + not supported and positive values are limited + to a maximum of 60 minutes. This is currently + only supported on OpenBSD. + + The default value is _t_t_y. 
+ + This setting is only supported by version 1.8.21 or + higher. + + timestampdir The directory in which ssuuddoo stores its time stamp + files. This directory should be cleared when the + system reboots. The default is _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s. + + timestampowner The owner of the lecture status directory, time stamp + directory and all files stored therein. The default is + root. + + type The default SELinux type to use when constructing a new + security context to run the command. The default type + may be overridden on a per-command basis in the _s_u_d_o_e_r_s + file or via command line options. This option is only + available when ssuuddoo is built with SELinux support. + + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a + file containing variables to be set in the environment of + the program being run. Entries in this file should either + be of the form "VARIABLE=value" or "export VARIABLE=value". + The value may optionally be surrounded by single or double + quotes. Variables in this file are only added if the + variable does not already exist in the environment. This + file is considered to be part of the security policy, its + contents are not subject to other ssuuddoo environment + restrictions such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. + + exempt_group Users in this group are exempt from password and PATH + requirements. The group name specified should not include + a % prefix. This is not set by default. + + fdexec Determines whether ssuuddoo will execute a command by its path + or by an open file descriptor. It has the following + possible values: + + always Always execute by file descriptor. + + never Never execute by file descriptor. + + digest_only + Only execute by file descriptor if the command has + an associated digest in the _s_u_d_o_e_r_s file. + + The default value is _d_i_g_e_s_t___o_n_l_y. 
This avoids a time of + check versus time of use race condition when the command is + located in a directory writable by the invoking user. + + Note that _f_d_e_x_e_c will change the first element of the + argument vector for scripts ($0 in the shell) due to the + way the kernel runs script interpreters. Instead of being + a normal path, it will refer to a file descriptor. For + example, _/_d_e_v_/_f_d_/_4 on Solaris and _/_p_r_o_c_/_s_e_l_f_/_f_d_/_4 on Linux. + A workaround is to use the SUDO_COMMAND environment + variable instead. + + The _f_d_e_x_e_c setting is only used when the command is matched + by path name. It has no effect if the command is matched + by the built-in AALLLL alias. + + This setting is only supported by version 1.8.20 or higher. + If the operating system does not support the fexecve(2) + system call, this setting has no effect. + + group_plugin A string containing a ssuuddooeerrss group plugin with optional + arguments. The string should consist of the plugin path, + either fully-qualified or relative to the + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any + configuration arguments the plugin requires. These + arguments (if any) will be passed to the plugin's + initialization function. If arguments are present, the + string must be enclosed in double quotes (""). + + For more information see _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S. + + lecture This option controls when a short lecture will be printed + along with the password prompt. It has the following + possible values: + + always Always lecture the user. + + never Never lecture the user. + + once Only lecture the user the first time they run ssuuddoo. + + If no value is specified, a value of _o_n_c_e is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _o_n_c_e. 
+ + lecture_file Path to a file containing an alternate ssuuddoo lecture that + will be used in place of the standard lecture if the named + file exists. By default, ssuuddoo uses a built-in lecture. + + listpw This option controls when a password will be required when + a user runs ssuuddoo with the --ll option. It has the following + possible values: + + all All the user's _s_u_d_o_e_r_s file entries for the + current host must have the NOPASSWD flag set to + avoid entering a password. + + always The user must always enter a password to use the + --ll option. + + any At least one of the user's _s_u_d_o_e_r_s file entries + for the current host must have the NOPASSWD flag + set to avoid entering a password. + + never The user need never enter a password to use the + --ll option. + + If no value is specified, a value of _a_n_y is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _a_n_y. + + logfile Path to the ssuuddoo log file (not the syslog log file). + Setting a path turns on logging to a file; negating this + option turns it off. By default, ssuuddoo logs via syslog. + + mailerflags Flags to use when invoking mailer. Defaults to --tt. + + mailerpath Path to mail program used to send warning mail. Defaults + to the path to sendmail found at configure time. + + mailfrom Address to use for the "from" address when sending warning + and error mail. The address should be enclosed in double + quotes ("") to protect against ssuuddoo interpreting the @ + sign. Defaults to the name of the user running ssuuddoo. + + mailto Address to send warning and error mail to. The address + should be enclosed in double quotes ("") to protect against + ssuuddoo interpreting the @ sign. Defaults to root. + + restricted_env_file + The _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e option specifies the fully + qualified path to a file containing variables to be set in + the environment of the program being run. 
Entries in this + file should either be of the form "VARIABLE=value" or + "export VARIABLE=value". The value may optionally be + surrounded by single or double quotes. Variables in this + file are only added if the variable does not already exist + in the environment. Unlike _e_n_v___f_i_l_e, the file's contents + are not trusted and are processed in a manner similar to + that of the invoking user's environment. If _e_n_v___r_e_s_e_t is + enabled, variables in the file will only be added if they + are matched by either the _e_n_v___c_h_e_c_k or _e_n_v___k_e_e_p list. If + _e_n_v___r_e_s_e_t is disabled, variables in the file are added as + long as they are not matched by the _e_n_v___d_e_l_e_t_e list. In + either case, the contents of _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e are + processed before the contents of _e_n_v___f_i_l_e. + + secure_path Path used for every command run from ssuuddoo. If you don't + trust the people running ssuuddoo to have a sane PATH + environment variable you may want to use this. Another use + is if you want to have the "root path" be separate from the + "user path". Users in the group specified by the + _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This + option is not set by default. + + syslog Syslog facility if syslog is being used for logging (negate + to disable syslog logging). Defaults to auth. + + The following syslog facilities are supported: aauutthhpprriivv (if + your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, + llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77. + + syslog_badpri + Syslog priority to use when the user is not allowed to run + a command or when authentication is unsuccessful. Defaults + to alert. + + The following syslog priorities are supported: aalleerrtt, ccrriitt, + ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, wwaarrnniinngg, and nnoonnee. 
+ Negating the option or setting it to a value of nnoonnee will + disable logging of unsuccessful commands. + + syslog_goodpri + Syslog priority to use when the user is allowed to run a + command and authentication is successful. Defaults to + notice. + + See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog + priorities. Negating the option or setting it to a value + of nnoonnee will disable logging of successful commands. + + verifypw This option controls when a password will be required when + a user runs ssuuddoo with the --vv option. It has the following + possible values: + + all All the user's _s_u_d_o_e_r_s file entries for the current + host must have the NOPASSWD flag set to avoid + entering a password. + + always The user must always enter a password to use the --vv + option. + + any At least one of the user's _s_u_d_o_e_r_s file entries for + the current host must have the NOPASSWD flag set to + avoid entering a password. + + never The user need never enter a password to use the --vv + option. + + If no value is specified, a value of _a_l_l is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _a_l_l. + + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + env_check Environment variables to be removed from the user's + environment unless they are considered "safe". For all + variables except TZ, "safe" means that the variable's + value does not contain any `%' or `/' characters. This + can be used to guard against printf-style format + vulnerabilities in poorly-written programs. The TZ + variable is considered unsafe if any of the following + are true: + + ++oo It consists of a fully-qualified path name, + optionally prefixed with a colon (`:'), that does + not match the location of the _z_o_n_e_i_n_f_o directory. + + ++oo It contains a _._. path element. + + ++oo It contains white space or non-printable characters. + + ++oo It is longer than the value of PATH_MAX. 
+ + The argument may be a double-quoted, space-separated + list or a single value without double-quotes. The list + can be replaced, added to, deleted from, or disabled by + using the =, +=, -=, and ! operators respectively. + Regardless of whether the env_reset option is enabled + or disabled, variables specified by env_check will be + preserved in the environment if they pass the + aforementioned check. The global list of environment + variables to check is displayed when ssuuddoo is run by + root with the --VV option. + + env_delete Environment variables to be removed from the user's + environment when the _e_n_v___r_e_s_e_t option is not in effect. + The argument may be a double-quoted, space-separated + list or a single value without double-quotes. The list + can be replaced, added to, deleted from, or disabled by + using the =, +=, -=, and ! operators respectively. The + global list of environment variables to remove is + displayed when ssuuddoo is run by root with the --VV option. + Note that many operating systems will remove + potentially dangerous variables from the environment of + any setuid process (such as ssuuddoo). + + env_keep Environment variables to be preserved in the user's + environment when the _e_n_v___r_e_s_e_t option is in effect. + This allows fine-grained control over the environment + ssuuddoo-spawned processes will receive. The argument may + be a double-quoted, space-separated list or a single + value without double-quotes. The list can be replaced, + added to, deleted from, or disabled by using the =, +=, + -=, and ! operators respectively. The global list of + variables to keep is displayed when ssuuddoo is run by root + with the --VV option. + +GGRROOUUPP PPRROOVVIIDDEERR PPLLUUGGIINNSS + The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix + group lookups which can query a group source other than the standard Unix + group database. 
This can be used to implement support for the + nonunix_group syntax described earlier. + + Group provider plugins are specified via the _g_r_o_u_p___p_l_u_g_i_n Defaults + setting. The argument to _g_r_o_u_p___p_l_u_g_i_n should consist of the plugin path, + either fully-qualified or relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o + directory, followed by any configuration options the plugin requires. + These options (if specified) will be passed to the plugin's + initialization function. If options are present, the string must be + enclosed in double quotes (""). + + The following group provider plugins are installed by default: + + group_file + The _g_r_o_u_p___f_i_l_e plugin supports an alternate group file that + uses the same syntax as the _/_e_t_c_/_g_r_o_u_p file. The path to the + group file should be specified as an option to the plugin. For + example, if the group file to be used is _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p: + + Defaults group_plugin="group_file.so /etc/sudo-group" + + system_group + The _s_y_s_t_e_m___g_r_o_u_p plugin supports group lookups via the standard + C library functions ggeettggrrnnaamm() and ggeettggrriidd(). This plugin can + be used in instances where the user belongs to groups not + present in the user's supplemental group vector. This plugin + takes no options: + + Defaults group_plugin=system_group.so + + The group provider plugin API is described in detail in sudo_plugin(4). + +LLOOGG FFOORRMMAATT + ssuuddooeerrss can log events using either syslog(3) or a simple log file. The + log format is almost identical in both cases. + + AAcccceepptteedd ccoommmmaanndd lloogg eennttrriieess + Commands that sudo runs are logged using the following format (split into + multiple lines for readability): + + date hostname progname: username : TTY=ttyname ; PWD=cwd ; \ + USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \ + ENV=env_vars COMMAND=command + + Where the fields are as follows: + + date The date the command was run. 
Typically, this is in the + format "MMM, DD, HH:MM:SS". If logging via syslog(3), the + actual date format is controlled by the syslog daemon. If + logging to a file and the _l_o_g___y_e_a_r option is enabled, the + date will also include the year. + + hostname The name of the host ssuuddoo was run on. This field is only + present when logging via syslog(3). + + progname The name of the program, usually _s_u_d_o or _s_u_d_o_e_d_i_t. This + field is only present when logging via syslog(3). + + username The login name of the user who ran ssuuddoo. + + ttyname The short name of the terminal (e.g., "console", "tty01", + or "pts/0") ssuuddoo was run on, or "unknown" if there was no + terminal present. + + cwd The current working directory that ssuuddoo was run in. + + runasuser The user the command was run as. + + runasgroup The group the command was run as if one was specified on + the command line. + + logid An I/O log identifier that can be used to replay the + command's output. This is only present when the _l_o_g___i_n_p_u_t + or _l_o_g___o_u_t_p_u_t option is enabled. + + env_vars A list of environment variables specified on the command + line, if specified. + + command The actual command that was executed. + + Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which + defaults to the "C" locale. + + DDeenniieedd ccoommmmaanndd lloogg eennttrriieess + If the user is not allowed to run the command, the reason for the denial + will follow the user name. Possible reasons include: + + user NOT in sudoers + The user is not listed in the _s_u_d_o_e_r_s file. + + user NOT authorized on host + The user is listed in the _s_u_d_o_e_r_s file but is not allowed to run + commands on the host. + + command not allowed + The user is listed in the _s_u_d_o_e_r_s file for the host but they are not + allowed to run the specified command. + + 3 incorrect password attempts + The user failed to enter their password after 3 tries. 
The actual + number of tries will vary based on the number of failed attempts and + the value of the _p_a_s_s_w_d___t_r_i_e_s option. + + a password is required + ssuuddoo's --nn option was specified but a password was required. + + sorry, you are not allowed to set the following environment variables + The user specified environment variables on the command line that were + not allowed by _s_u_d_o_e_r_s. + + EErrrroorr lloogg eennttrriieess + If an error occurs, ssuuddooeerrss will log a message and, in most cases, send a + message to the administrator via email. Possible errors include: + + parse error in /etc/sudoers near line N + ssuuddooeerrss encountered an error when parsing the specified file. In some + cases, the actual error may be one line above or below the line number + listed, depending on the type of error. + + problem with defaults entries + The _s_u_d_o_e_r_s file contains one or more unknown Defaults settings. This + does not prevent ssuuddoo from running, but the _s_u_d_o_e_r_s file should be + checked using vviissuuddoo. + + timestamp owner (username): No such user + The time stamp directory owner, as specified by the _t_i_m_e_s_t_a_m_p_o_w_n_e_r + setting, could not be found in the password database. + + unable to open/read /etc/sudoers + The _s_u_d_o_e_r_s file could not be opened for reading. This can happen + when the _s_u_d_o_e_r_s file is located on a remote file system that maps + user ID 0 to a different value. Normally, ssuuddooeerrss tries to open the + _s_u_d_o_e_r_s file using group permissions to avoid this problem. Consider + either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument + like "sudoers_uid=N" (where `N' is the user ID that owns the _s_u_d_o_e_r_s + file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file. + + unable to stat /etc/sudoers + The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. 
+ + /etc/sudoers is not a regular file + The _/_e_t_c_/_s_u_d_o_e_r_s file exists but is not a regular file or symbolic + link. + + /etc/sudoers is owned by uid N, should be 0 + The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the + _s_u_d_o_e_r_s file owner, please add "sudoers_uid=N" (where `N' is the user + ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the + sudo.conf(4) file. + + /etc/sudoers is world writable + The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. + The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is + 0440 (readable by owner and group, writable by none). The default + mode may be changed via the "sudoers_mode" option to the ssuuddooeerrss + Plugin line in the sudo.conf(4) file. + + /etc/sudoers is owned by gid N, should be 1 + The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change + the _s_u_d_o_e_r_s file group ownership, please add "sudoers_gid=N" (where + `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin + line in the sudo.conf(4) file. + + unable to open /var/run/sudo/ts/username + ssuuddooeerrss was unable to read or create the user's time stamp file. This + can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and + the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The + default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711. + + unable to write to /var/run/sudo/ts/username + ssuuddooeerrss was unable to write to the user's time stamp file. + + /var/run/sudo/ts is owned by uid X, should be Y + The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r. + This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed. + ssuuddooeerrss will ignore the time stamp directory until the owner is + corrected. 
+ + /var/run/sudo/ts is group writable + The time stamp directory is group-writable; it should be writable only + by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is + 0700. ssuuddooeerrss will ignore the time stamp directory until the mode is + corrected. + + NNootteess oonn llooggggiinngg vviiaa ssyysslloogg + By default, ssuuddooeerrss logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and + _p_r_o_g_n_a_m_e fields are added by the system's ssyysslloogg() function, not ssuuddooeerrss + itself. As such, they may vary in format on different systems. + + The maximum size of syslog messages varies from system to system. The + _s_y_s_l_o_g___m_a_x_l_e_n setting can be used to change the maximum syslog message + size from the default value of 980 bytes. For more information, see the + description of _s_y_s_l_o_g___m_a_x_l_e_n. + + NNootteess oonn llooggggiinngg ttoo aa ffiillee + If the _l_o_g_f_i_l_e option is set, ssuuddooeerrss will log to a local file, such as + _/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, ssuuddooeerrss uses a format similar to + syslog(3), with a few important differences: + + 1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present. + + 2. If the _l_o_g___y_e_a_r option is enabled, the date will also include the + year. + + 3. Lines that are longer than _l_o_g_l_i_n_e_l_e_n characters (80 by default) are + word-wrapped and continued on the next line with a four character + indent. This makes entries easier to read for a human being, but + makes it more difficult to use grep(1) on the log files. If the + _l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap + will be disabled. + +II//OO LLOOGG FFIILLEESS + When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty + and log all user input and/or output, depending on which options are + enabled. 
I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r + option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is + included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e + option may be used to control the format of the session ID. + + Each I/O log is stored in a separate directory that contains the + following files: + + _l_o_g a text file containing the time the command was run, the name + of the user who ran ssuuddoo, the name of the target user, the name + of the target group (optional), the terminal that ssuuddoo was run + from, the number of rows and columns of the terminal, the + working directory the command was run from and the path name of + the command itself (with arguments if present) + + _t_i_m_i_n_g a log of the amount of time between, and the number of bytes + in, each I/O log entry (used for session playback) + + _t_t_y_i_n input from the user's tty (what the user types) + + _s_t_d_i_n input from a pipe or file + + _t_t_y_o_u_t output from the pseudo-tty (what the command writes to the + screen) + + _s_t_d_o_u_t standard output to a pipe or redirected to a file + + _s_t_d_e_r_r standard error to a pipe or redirected to a file + + All files other than _l_o_g are compressed in gzip format unless the + _c_o_m_p_r_e_s_s___i_o flag has been disabled. Due to buffering, it is not normally + possible to display the I/O logs in real-time as the program is executing + The I/O log data will not be complete until the program run by ssuuddoo has + exited or has been terminated by a signal. The _i_o_l_o_g___f_l_u_s_h flag can be + used to disable buffering, in which case I/O log data is written to disk + as soon as it is available. The output portion of an I/O log file can be + viewed with the sudoreplay(1m) utility, which can also be used to list or + search the available logs. 
+ + Note that user input may contain sensitive information such as passwords + (even if they are not echoed to the screen), which will be stored in the + log file unencrypted. In most cases, logging the command output via + _l_o_g___o_u_t_p_u_t or LOG_OUTPUT is all that is required. + + Since each session's I/O logs are stored in a separate directory, + traditional log rotation utilities cannot be used to limit the number of + I/O logs. The simplest way to limit the number of I/O is by setting the + _m_a_x_s_e_q option to the maximum number of logs you wish to store. Once the + I/O log sequence number reaches _m_a_x_s_e_q, it will be reset to zero and + ssuuddooeerrss will truncate and re-use any existing I/O logs. + +FFIILLEESS + _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration + + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + + _/_e_t_c_/_g_r_o_u_p Local groups file + + _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files + + _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the + ssuuddooeerrss security policy + + _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for + the ssuuddooeerrss security policy + + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and + Linux systems + +EEXXAAMMPPLLEESS + Below are example _s_u_d_o_e_r_s file entries. Admittedly, some of these are a + bit contrived. First, we allow a few environment variables to pass and + then define our _a_l_i_a_s_e_s: + + # Run X applications through sudo; HOME is used to find the + # .Xauthority file. Note that other programs use HOME to find + # configuration files and this may lead to privilege escalation! 
+ Defaults env_keep += "DISPLAY HOME" + + # User alias specification + User_Alias FULLTIMERS = millert, mikef, dowdy + User_Alias PARTTIMERS = bostley, jwfox, crawl + User_Alias WEBMASTERS = will, wendy, wim + + # Runas alias specification + Runas_Alias OP = root, operator + Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper + + # Host alias specification + Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns + Host_Alias CDROM = orion, perseus, hercules + + # Cmnd alias specification + Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ + /usr/sbin/restore, /usr/sbin/rrestore,\ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups + Cmnd_Alias KILL = /usr/bin/kill + Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm + Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown + Cmnd_Alias HALT = /usr/sbin/halt + Cmnd_Alias REBOOT = /usr/sbin/reboot + Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ + /usr/local/bin/tcsh, /usr/bin/rsh,\ + /usr/local/bin/zsh + Cmnd_Alias SU = /usr/bin/su + Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + + Here we override some of the compiled in default values. We want ssuuddoo to + log via syslog(3) using the _a_u_t_h facility in all cases. We don't want to + subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not + give a password, and we don't want to reset the LOGNAME or USER + environment variables when running commands as root. Additionally, on + the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log + file and make sure we log the year in each log line since the log entries + will be kept around for several years. 
Lastly, we disable shell escapes + for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and + _/_u_s_r_/_b_i_n_/_l_e_s_s). Note that this will not effectively constrain users with + ssuuddoo AALLLL privileges. + + # Override built-in defaults + Defaults syslog=auth + Defaults>root !set_logname + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + Defaults!PAGERS noexec + + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run + what. + + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL + + We let rroooott and any user in group wwhheeeell run any command on any host as + any user. + + FULLTIMERS ALL = NOPASSWD: ALL + + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on + any host without authenticating themselves. + + PARTTIMERS ALL = ALL + + Part time sysadmins bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any + host but they must authenticate themselves first (since the entry lacks + the NOPASSWD tag). + + jack CSNETS = ALL + + The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias + (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those + networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) + indicating it is a class C network. For the other networks in _C_S_N_E_T_S, + the local machine's netmask will be used during matching. + + lisa CUNETS = ALL + + The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the + class B network 128.138.0.0). + + operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ + + The ooppeerraattoorr user may run commands limited to simple maintenance. 
Here, + those are commands related to backups, killing processes, the printing + system, shutting down the system, and any commands in the directory + _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a + sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s. This is because the + directory containing the script is writable by the operator user. If the + script is modified (resulting in a digest mismatch) it will no longer be + possible to run it via ssuuddoo. + + joe ALL = /usr/bin/su operator + + The user jjooee may only su(1) to operator. + + pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root* + + %opers ALL = (: ADMINGRP) /usr/sbin/ + + Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves + with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). + + The user ppeettee is allowed to change anyone's password except for root on + the _H_P_P_A machines. Because command line arguments are matched as a + single, concatenated string, the `*' wildcard will match _m_u_l_t_i_p_l_e words. + This example assumes that passwd(1) does not take multiple user names on + the command line. Note that on GNU systems, options to passwd(1) may be + specified after the user argument. As a result, this rule will also + allow: + + passwd username --expire + + which may not be desirable. + + bob SPARC = (OP) ALL : SGI = (OP) ALL + + The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user + listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr.) + + jim +biglab = ALL + + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that "biglab" is a netgroup due to the `+' prefix. 
+ + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands + on all machines. + + fred ALL = (DB) NOPASSWD: ALL + + The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee + or ssyybbaassee) without giving a password. + + john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is + not allowed to specify any options to the su(1) command. + + jen ALL, !SERVERS = ALL + + The user jjeenn may run any command on any machine except for those in the + _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). + + jill SERVERS = /usr/bin/, !SU, !SHELLS + + For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in + the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and + _S_H_E_L_L_S Cmnd_Aliases. While not specifically mentioned in the rule, the + commands in the _P_A_G_E_R_S Cmnd_Alias all reside in _/_u_s_r_/_b_i_n and have the + _n_o_e_x_e_c option set. + + steve CSNETS = (operator) /usr/local/op_commands/ + + The user sstteevvee may run any command in the directory + /usr/local/op_commands/ but only as user operator. + + matt valkyrie = KILL + + On his personal workstation, valkyrie, mmaatttt needs to be able to kill hung + processes. + + WEBMASTERS www = (www) ALL, (root) /usr/bin/su www + + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, and + wim), may run any command as user www (which owns the web pages) or + simply su(1) to www. + + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + + Any user may mount or unmount a CD-ROM on the machines in the CDROM + Host_Alias (orion, perseus, hercules) without entering a password. 
This + is a bit tedious for users to type, so it is a prime candidate for + encapsulating in a shell script. + +SSEECCUURRIITTYY NNOOTTEESS + LLiimmiittaattiioonnss ooff tthhee ``!!'' ooppeerraattoorr + It is generally not effective to "subtract" commands from AALLLL using the + `!' operator. A user can trivially circumvent this by copying the + desired command to a different name and then executing that. For + example: + + bill ALL = ALL, !SU, !SHELLS + + Doesn't really prevent bbiillll from running the commands listed in _S_U or + _S_H_E_L_L_S since he can simply copy those commands to a different name, or + use a shell escape from an editor or other program. Therefore, these + kind of restrictions should be considered advisory at best (and + reinforced by policy). + + In general, if a user has sudo AALLLL there is nothing to prevent them from + creating their own program that gives them a root shell (or making their + own copy of a shell) regardless of any `!' elements in the user + specification. + + SSeeccuurriittyy iimmpplliiccaattiioonnss ooff _f_a_s_t___g_l_o_b + If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate + commands where the path name includes globbing (aka wildcard) characters. + This is because the C library's fnmatch(3) function cannot resolve + relative paths. While this is typically only an inconvenience for rules + that grant privileges, it can result in a security issue for rules that + subtract or revoke privileges. + + For example, given the following _s_u_d_o_e_r_s file entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + + User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by + changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. 
+ + PPrreevveennttiinngg sshheellll eessccaappeess + Once ssuuddoo executes a program, that program is free to do whatever it + pleases, including run other programs. This can be a security issue + since it is not uncommon for a program to allow shell escapes, which lets + a user bypass ssuuddoo's access control and logging. Common programs that + permit shell escapes include shells (obviously), editors, paginators, + mail and terminal programs. + + There are two basic approaches to this problem: + + restrict Avoid giving users access to commands that allow the user to + run arbitrary commands. Many editors have a restricted mode + where shell escapes are disabled, though ssuuddooeeddiitt is a better + solution to running editors via ssuuddoo. Due to the large number + of programs that offer shell escapes, restricting users to the + set of programs that do not is often unworkable. + + noexec Many systems that support shared libraries have the ability to + override default library functions by pointing an environment + variable (usually LD_PRELOAD) to an alternate shared library. + On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to + prevent a program run by ssuuddoo from executing any other + programs. Note, however, that this applies only to native + dynamically-linked executables. Statically-linked executables + and foreign executables running under binary emulation are not + affected. + + The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD, + Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and + above. It should be supported on most operating systems that + support the LD_PRELOAD environment variable. Check your + operating system's manual pages for the dynamic linker (usually + ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if + LD_PRELOAD is supported. + + On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges + instead of the LD_PRELOAD environment variable. 
+ + To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as + documented in the User Specification section above. Here is + that example again: + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i + with _n_o_e_x_e_c enabled. This will prevent those two commands from + executing other commands (such as a shell). If you are unsure + whether or not your system is capable of supporting _n_o_e_x_e_c you + can always just try it out and check whether shell escapes work + when _n_o_e_x_e_c is enabled. + + Note that restricting shell escapes is not a panacea. Programs running + as root are still capable of many potentially hazardous operations (such + as changing or overwriting files) that could lead to unintended privilege + escalation. In the specific case of an editor, a safer approach is to + give the user permission to run ssuuddooeeddiitt (see below). + + SSeeccuurree eeddiittiinngg + The ssuuddooeerrss plugin includes ssuuddooeeddiitt support which allows users to + securely edit files with the editor of their choice. As ssuuddooeeddiitt is a + built-in command, it must be specified in the _s_u_d_o_e_r_s file without a + leading path. However, it may take command line arguments just as a + normal command does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments + are expected to be path names, so a forward slash (`/') will not be + matched by a wildcard. + + Unlike other ssuuddoo commands, the editor is run with the permissions of the + invoking user and with the environment unmodified. More information may + be found in the description of the --ee option in sudo(1m). + + For example, to allow user operator to edit the "message of the day" + file: + + operator sudoedit /etc/motd + + The operator user then runs ssuuddooeeddiitt as follows: + + $ sudoedit /etc/motd + + The editor will run as the operator user, not root, on a temporary copy + of _/_e_t_c_/_m_o_t_d. 
After the file has been edited, _/_e_t_c_/_m_o_t_d will be updated + with the contents of the temporary copy. + + Users should _n_e_v_e_r be granted ssuuddooeeddiitt permission to edit a file that + resides in a directory the user has write access to, either directly or + via a wildcard. If the user has write access to the directory it is + possible to replace the legitimate file with a link to another file, + allowing the editing of arbitrary files. To prevent this, starting with + version 1.8.16, symbolic links will not be followed in writable + directories and ssuuddooeeddiitt will refuse to edit a file located in a writable + directory unless the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option has been disabled or the + invoking user is root. Additionally, in version 1.8.15 and higher, + ssuuddooeeddiitt will refuse to open a symbolic link unless either the + _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is enabled or the _s_u_d_o_e_d_i_t command is prefixed + with the FOLLOW tag in the _s_u_d_o_e_r_s file. + + TTiimmee ssttaammpp ffiillee cchheecckkss + ssuuddooeerrss will check the ownership of its time stamp directory + (_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it + is not owned by root or if it is writable by a user other than root. + Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer + recommended as it may be possible for a user to create the time stamp + themselves on systems that allow unprivileged users to change the + ownership of files they create. + + While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all + systems contain a _/_r_u_n or _/_v_a_r_/_r_u_n directory. To avoid potential + problems, ssuuddooeerrss will ignore time stamp files that date from before the + machine booted on systems where the boot time is available. + + Some systems with graphical desktop environments allow unprivileged users + to change the system clock. 
Since ssuuddooeerrss relies on the system clock for + time stamp validation, it may be possible on such systems for a user to + run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To + combat this, ssuuddooeerrss uses a monotonic clock (which never moves backwards) + for its time stamps if the system supports it. + + ssuuddooeerrss will not honor time stamps set far in the future. Time stamps + with a date greater than current_time + 2 * TIMEOUT will be ignored and + ssuuddooeerrss will log and complain. + + If the _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "tty", the time stamp record + includes the device number of the terminal the user authenticated with. + This provides per-terminal granularity but time stamp records may still + outlive the user's session. + + Unless the _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "global", the time stamp + record also includes the session ID of the process that last + authenticated. This prevents processes in different terminal sessions + from using the same time stamp record. On systems where a process's + start time can be queried, the start time of the session leader is + recorded in the time stamp record. If no terminal is present or the + _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "ppid", the start time of the parent + process is used instead. In most cases this will prevent a time stamp + record from being re-used without the user entering a password when + logging out and back in again. + +DDEEBBUUGGGGIINNGG + Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible + debugging framework that can help track down what the plugin is doing + internally if there is a problem. This can be configured in the + sudo.conf(4) file. + + The ssuuddooeerrss plugin uses the same debug flag format as the ssuuddoo front-end: + _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. 
+ + The priorities used by ssuuddooeerrss, in order of decreasing severity, are: + _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, + when specified, also includes all priorities higher than it. For + example, a priority of _n_o_t_i_c_e would include debug messages logged at + _n_o_t_i_c_e and higher. + + The following subsystems are used by the ssuuddooeerrss plugin: + + _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing + + _a_l_l matches every subsystem + + _a_u_d_i_t BSM and Linux audit code + + _a_u_t_h user authentication + + _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s file _D_e_f_a_u_l_t_s settings + + _e_n_v environment handling + + _l_d_a_p LDAP-based sudoers + + _l_o_g_g_i_n_g logging support + + _m_a_t_c_h matching of users, groups, hosts and netgroups in the _s_u_d_o_e_r_s + file + + _n_e_t_i_f network interface handling + + _n_s_s network service switch handling in ssuuddooeerrss + + _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing + + _p_e_r_m_s permission setting + + _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. + + _p_t_y pseudo-tty related code + + _r_b_t_r_e_e redblack tree internals + + _s_s_s_d SSSD-based sudoers + + _u_t_i_l utility functions + For example: + + Debug sudo /var/log/sudo_debug match@info,nss@info + + For more information, see the sudo.conf(4) manual. + +SSEEEE AALLSSOO + ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4), + sudo_plugin(4), sudoers.ldap(4), sudoers_timestamp(4), sudo(1m), visudo(1m) + +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: + + Todd C. Miller + + See the CONTRIBUTORS file in the ssuuddoo distribution + (https://www.sudo.ws/contributors.html) for an exhaustive list of people + who have contributed to ssuuddoo. 
+ +CCAAVVEEAATTSS + The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which + locks the file and does grammatical checking. It is imperative that the + _s_u_d_o_e_r_s file be free of syntax errors since ssuuddoo will not run with a + syntactically incorrect _s_u_d_o_e_r_s file. + + When using netgroups of machines (as opposed to users), if you store + fully qualified host name in the netgroup (as is usually the case), you + either need to have the machine's host name be fully qualified as + returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + https://bugzilla.sudo.ws/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided "AS IS" and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or https://www.sudo.ws/license.html for + complete details. + +Sudo 1.8.26 December 20, 2018 Sudo 1.8.26 |
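Review bot: the footer on the last added line of doc/sudoers.cat is stamped "Sudo 1.8.26 December 20, 2018", but the commit message says this import is upstream version 1.8.27, so the preformatted page does not identify itself as the release being added. Please confirm that the 1.8.27 upstream tarball really ships the cat page with this stamp and record that in the import notes, or have the packaging regenerate the page from its manual source at build time so the footer matches the package version. This matters here because the text makes version-gated security statements (sudoedit refusing to open symbolic links in 1.8.15 and higher, the writable-directory check starting with 1.8.16), and an administrator reading the installed page uses the footer to tell which release's behaviour it describes.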