summaryrefslogtreecommitdiffstats
path: root/doc/sudoers.cat
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/sudoers.cat2931
1 files changed, 2931 insertions, 0 deletions
diff --git a/doc/sudoers.cat b/doc/sudoers.cat
new file mode 100644
index 0000000..9cc6a95
--- /dev/null
+++ b/doc/sudoers.cat
@@ -0,0 +1,2931 @@
+SUDOERS(4) File Formats Manual SUDOERS(4)
+
+NNAAMMEE
+ ssuuddooeerrss - default sudo security policy plugin
+
+DDEESSCCRRIIPPTTIIOONN
+ The ssuuddooeerrss policy plugin determines a user's ssuuddoo privileges. It is the
+ default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s
+ file or, optionally in LDAP. The policy format is described in detail in
+ the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing ssuuddooeerrss
+ policy information in LDAP, please see sudoers.ldap(4).
+
+ CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss
+ ssuuddoo consults the sudo.conf(4) file to determine which policy and I/O
+ logging plugins to load. If no sudo.conf(4) file is present, or if it
+ contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and
+ I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss
+ plugin, the following configuration can be used.
+
+ Plugin sudoers_policy sudoers.so
+ Plugin sudoers_io sudoers.so
+
+ Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to
+ the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if
+ present, should be listed after the path to the plugin (i.e., after
+ _s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white
+ space. For example:
+
+ Plugin sudoers_policy sudoers.so sudoers_mode=0400
+
+ The following plugin arguments are supported:
+
+ ldap_conf=pathname
+ The _l_d_a_p___c_o_n_f argument can be used to override the default path
+ to the _l_d_a_p_._c_o_n_f file.
+
+ ldap_secret=pathname
+ The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default
+ path to the _l_d_a_p_._s_e_c_r_e_t file.
+
+ sudoers_file=pathname
+ The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default
+ path to the _s_u_d_o_e_r_s file.
+
+ sudoers_uid=uid
+ The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default
+ owner of the sudoers file. It should be specified as a numeric
+ user ID.
+
+ sudoers_gid=gid
+ The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default
+ group of the sudoers file. It must be specified as a numeric
+ group ID (not a group name).
+
+ sudoers_mode=mode
+ The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default
+ file mode for the sudoers file. It should be specified as an
+ octal value.
+
+ For more information on configuring sudo.conf(4), please refer to its
+ manual.
+
+ UUsseerr AAuutthheennttiiccaattiioonn
+ The ssuuddooeerrss security policy requires that most users authenticate
+ themselves before they can use ssuuddoo. A password is not required if the
+ invoking user is root, if the target user is the same as the invoking
+ user, or if the policy has disabled authentication for the user or
+ command. Unlike su(1), when ssuuddooeerrss requires authentication, it
+ validates the invoking user's credentials, not the target user's (or
+ root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
+ _r_u_n_a_s_p_w flags, described later.
+
+ If a user who is not listed in the policy tries to run a command via
+ ssuuddoo, mail is sent to the proper authorities. The address used for such
+ mail is configurable via the _m_a_i_l_t_o Defaults entry (described later) and
+ defaults to root.
+
+ Note that no mail will be sent if an unauthorized user tries to run ssuuddoo
+ with the --ll or --vv option unless there is an authentication error and
+ either the _m_a_i_l___a_l_w_a_y_s or _m_a_i_l___b_a_d_p_a_s_s flags are enabled. This allows
+ users to determine for themselves whether or not they are allowed to use
+ ssuuddoo. All attempts to run ssuuddoo (successful or not) will be logged,
+ regardless of whether or not mail is sent.
+
+ If ssuuddoo is run by root and the SUDO_USER environment variable is set, the
+ ssuuddooeerrss policy will use this value to determine who the actual user is.
+ This can be used by a user to log commands through sudo even when a root
+ shell has been invoked. It also allows the --ee option to remain useful
+ even when invoked via a sudo-run script or program. Note, however, that
+ the _s_u_d_o_e_r_s file lookup is still done for root, not the user specified by
+ SUDO_USER.
+
+ ssuuddooeerrss uses per-user time stamp files for credential caching. Once a
+ user has been authenticated, a record is written containing the user ID
+ that was used to authenticate, the terminal session ID, the start time of
+ the session leader (or parent process) and a time stamp (using a
+ monotonic clock if one is available). The user may then use ssuuddoo without
+ a password for a short period of time (5 minutes unless overridden by the
+ _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate record
+ for each terminal, which means that a user's login sessions are
+ authenticated separately. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to
+ select the type of time stamp record ssuuddooeerrss will use.
+
+ LLooggggiinngg
+ ssuuddooeerrss can log both successful and unsuccessful attempts (as well as
+ errors) to syslog(3), a log file, or both. By default, ssuuddooeerrss will log
+ via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults
+ settings. See _L_O_G _F_O_R_M_A_T for a description of the log file format.
+
+ ssuuddooeerrss is also capable of running a command in a pseudo-tty and logging
+ all input and/or output. The standard input, standard output and
+ standard error can be logged even when not associated with a terminal.
+ I/O logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t
+ and _l_o_g___o_u_t_p_u_t options as well as the LOG_INPUT and LOG_OUTPUT command
+ tags. See _I_/_O _L_O_G _F_I_L_E_S for details on how I/O log files are stored.
+
+ CCoommmmaanndd eennvviirroonnmmeenntt
+ Since environment variables can influence program behavior, ssuuddooeerrss
+ provides a means to restrict which variables from the user's environment
+ are inherited by the command to be run. There are two distinct ways
+ ssuuddooeerrss can deal with environment variables.
+
+ By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be
+ executed with a new, minimal environment. On AIX (and Linux systems
+ without PAM), the environment is initialized with the contents of the
+ _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is
+ enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v
+ settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM,
+ PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables in addition
+ to variables from the invoking process permitted by the _e_n_v___c_h_e_c_k and
+ _e_n_v___k_e_e_p options. This is effectively a whitelist for environment
+ variables. The environment variables LOGNAME and USER are treated
+ specially. If one of them is preserved (or removed) from user's
+ environment, the other will be as well. If LOGNAME and USER are to be
+ preserved but only one of them is present in the user's environment, the
+ other will be set to the same value. This avoids an inconsistent
+ environment where one of the variables describing the user name is set to
+ the invoking user and one is set to the target user. () are removed
+ unless both the name and value parts are matched by _e_n_v___k_e_e_p or
+ _e_n_v___c_h_e_c_k, as they may be interpreted as functions by the bbaasshh shell.
+ Prior to version 1.8.11, such variables were always removed.
+
+ If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not
+ explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited
+ from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave
+ like a blacklist. Prior to version 1.8.21, environment variables with a
+ value beginning with () were always removed. Beginning with version
+ 1.8.21, a pattern in _e_n_v___d_e_l_e_t_e is used to match bbaasshh shell functions
+ instead. Since it is not possible to blacklist all potentially dangerous
+ environment variables, use of the default _e_n_v___r_e_s_e_t behavior is
+ encouraged.
+
+ Environment variables specified by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p may
+ include one or more `*' characters which will match zero or more
+ characters. No other wildcard characters are supported.
+
+ By default, environment variables are matched by name. However, if the
+ pattern includes an equal sign (`='), both the variables name and value
+ must match. For example, a bbaasshh shell function could be matched as
+ follows:
+
+ env_keep += "BASH_FUNC_my_func%%=()*"
+
+ Without the "=()*" suffix, this would not match, as bbaasshh shell functions
+ are not preserved by default.
+
+ The complete list of environment variables that ssuuddoo allows or denies is
+ contained in the output of "sudo -V" when run as root. Please note that
+ this list varies based on the operating system ssuuddoo is running on.
+
+ On systems that support PAM where the ppaamm__eennvv module is enabled for ssuuddoo,
+ variables in the PAM environment may be merged in to the environment. If
+ a variable in the PAM environment is already present in the user's
+ environment, the value will only be overridden if the variable was not
+ preserved by ssuuddooeerrss. When _e_n_v___r_e_s_e_t is enabled, variables preserved
+ from the invoking user's environment by the _e_n_v___k_e_e_p list take precedence
+ over those in the PAM environment. When _e_n_v___r_e_s_e_t is disabled, variables
+ present the invoking user's environment take precedence over those in the
+ PAM environment unless they match a pattern in the _e_n_v___d_e_l_e_t_e list.
+
+ Note that the dynamic linker on most operating systems will remove
+ variables that can control dynamic linking from the environment of setuid
+ executables, including ssuuddoo. Depending on the operating system this may
+ include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
+ These type of variables are removed from the environment before ssuuddoo even
+ begins execution and, as such, it is not possible for ssuuddoo to preserve
+ them.
+
+ As a special case, if ssuuddoo's --ii option (initial login) is specified,
+ ssuuddooeerrss will initialize the environment regardless of the value of
+ _e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
+ MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
+ (and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are
+ also included. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s flag is enabled,
+ the _p_a_t_h and _s_e_t_e_n_v variables in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All
+ other environment variables are removed unless permitted by _e_n_v___k_e_e_p or
+ _e_n_v___c_h_e_c_k, described above.
+
+ Finally, the _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e and _e_n_v___f_i_l_e files are applied, if
+ present. The variables in _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e are applied first and are
+ subject to the same restrictions as the invoking user's environment, as
+ detailed above. The variables in _e_n_v___f_i_l_e are applied last and are not
+ subject to these restrictions. In both cases, variables present in the
+ files will only be set to their specified values if they would not
+ conflict with an existing environment variable.
+
+SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
+ The _s_u_d_o_e_r_s file is composed of two types of entries: aliases (basically
+ variables) and user specifications (which specify who may run what).
+
+ When multiple entries match for a user, they are applied in order. Where
+ there are multiple matches, the last match is used (which is not
+ necessarily the most specific match).
+
+ The _s_u_d_o_e_r_s file grammar will be described below in Extended Backus-Naur
+ Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
+ simple, and the definitions below are annotated.
+
+ QQuuiicckk gguuiiddee ttoo EEBBNNFF
+ EBNF is a concise and exact way of describing the grammar of a language.
+ Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g.,
+
+ symbol ::= definition | alternate1 | alternate2 ...
+
+ Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for
+ the language. EBNF also contains the following operators, which many
+ readers will recognize from regular expressions. Do not, however,
+ confuse them with "wildcard" characters, which have different meanings.
+
+ ? Means that the preceding symbol (or group of symbols) is optional.
+ That is, it may appear once or not at all.
+
+ * Means that the preceding symbol (or group of symbols) may appear
+ zero or more times.
+
+ + Means that the preceding symbol (or group of symbols) may appear
+ one or more times.
+
+ Parentheses may be used to group symbols together. For clarity, we will
+ use single quotes ('') to designate what is a verbatim character string
+ (as opposed to a symbol name).
+
+ AAlliiaasseess
+ There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
+ Cmnd_Alias.
+
+ Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
+ 'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
+ 'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
+ 'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*
+
+ User_Alias ::= NAME
+
+ User_Alias_Spec ::= User_Alias '=' User_List
+
+ Runas_Alias ::= NAME
+
+ Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
+
+ Host_Alias ::= NAME
+
+ Host_Alias_Spec ::= Host_Alias '=' Host_List
+
+ Cmnd_Alias ::= NAME
+
+ Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
+
+ NAME ::= [A-Z]([A-Z][0-9]_)*
+
+ Each _a_l_i_a_s definition is of the form
+
+ Alias_Type NAME = item1, item2, ...
+
+ where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or
+ Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
+ underscore characters (`_'). A NAME mmuusstt start with an uppercase letter.
+ It is possible to put several alias definitions of the same type on a
+ single line, joined by a colon (`:'). E.g.,
+
+ Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+
+ It is a syntax error to redefine an existing _a_l_i_a_s. It is possible to
+ use the same name for _a_l_i_a_s_e_s of different types, but this is not
+ recommended.
+
+ The definitions of what constitutes a valid _a_l_i_a_s member follow.
+
+ User_List ::= User |
+ User ',' User_List
+
+ User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+
+ A User_List is made up of one or more user names, user IDs (prefixed with
+ `#'), system group names and IDs (prefixed with `%' and `%#'
+ respectively), netgroups (prefixed with `+'), non-Unix group names and
+ IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
+ list item may be prefixed with zero or more `!' operators. An odd number
+ of `!' operators negate the value of the item; an even number just cancel
+ each other out. User netgroups are matched using the user and domain
+ members only; the host member is not used when matching.
+
+ A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
+ be enclosed in double quotes to avoid the need for escaping special
+ characters. Alternately, special characters may be specified in escaped
+ hex mode, e.g., \x20 for space. When using double quotes, any prefix
+ characters must be included inside the quotes.
+
+ The actual nonunix_group and nonunix_gid syntax depends on the underlying
+ group provider plugin. For instance, the QAS AD plugin supports the
+ following formats:
+
+ ++oo Group in the same domain: "%:Group Name"
+
+ ++oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
+
+ ++oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+
+ See _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S for more information.
+
+ Note that quotes around group names are optional. Unquoted strings must
+ use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r
+ _s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need
+ to be escaped.
+
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+ Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+
+ A Runas_List is similar to a User_List except that instead of
+ User_Aliases it can contain Runas_Aliases. Note that user names and
+ groups are matched as strings. In other words, two users (groups) with
+ the same uid (gid) are considered to be distinct. If you wish to match
+ all user names with the same uid (e.g., root and toor), you can use a uid
+ instead (#0 in the example given).
+
+ Host_List ::= Host |
+ Host ',' Host_List
+
+ Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+
+ A Host_List is made up of one or more host names, IP addresses, network
+ numbers, netgroups (prefixed with `+') and other aliases. Again, the
+ value of an item may be negated with the `!' operator. Host netgroups
+ are matched using the host (both qualified and unqualified) and domain
+ members only; the user member is not used when matching. If you specify
+ a network number without a netmask, ssuuddoo will query each of the local
+ host's network interfaces and, if the network number corresponds to one
+ of the hosts's network interfaces, will use the netmask of that
+ interface. The netmask may be specified either in standard IP address
+ notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
+ (number of bits, e.g., 24 or 64). A host name may include shell-style
+ wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name
+ command on your machine returns the fully qualified host name, you'll
+ need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo
+ only inspects actual network interfaces; this means that IP address
+ 127.0.0.1 (localhost) will never match. Also, the host name "localhost"
+ will only match if that is the actual host name, which is usually only
+ the case for non-networked systems.
+
+ digest ::= [A-Fa-f0-9]+ |
+ [[A-Za-z0-9+/=]+
+
+ Digest_Spec ::= "sha224" ':' digest |
+ "sha256" ':' digest |
+ "sha384" ':' digest |
+ "sha512" ':' digest
+
+ Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+ command name ::= file name |
+ file name args |
+ file name '""'
+
+ Cmnd ::= Digest_Spec? '!'* command name |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+
+ A Cmnd_List is a list of one or more command names, directories, and
+ other aliases. A command name is a fully qualified file name which may
+ include shell-style wildcards (see the _W_i_l_d_c_a_r_d_s section below). A
+ simple file name allows the user to run the command with any arguments
+ he/she wishes. However, you may also specify command line arguments
+ (including wildcards). Alternately, you can specify "" to indicate that
+ the command may only be run wwiitthhoouutt command line arguments. A directory
+ is a fully qualified path name ending in a `/'. When you specify a
+ directory in a Cmnd_List, the user will be able to run any file within
+ that directory (but not in any sub-directories therein).
+
+ If a Cmnd has associated command line arguments, then the arguments in
+ the Cmnd must match exactly those given by the user on the command line
+ (or match the wildcards if there are any). Note that the following
+ characters must be escaped with a `\' if they are used in command
+ arguments: `,', `:', `=', `\'. The built-in command "sudoedit" is used
+ to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may
+ take command line arguments just as a normal command does. Note that
+ "sudoedit" is a command built into ssuuddoo itself and must be specified in
+ the _s_u_d_o_e_r_s file without a leading path.
+
+ If a command name is prefixed with a Digest_Spec, the command will only
+ match successfully if it can be verified using the specified SHA-2
+ digest. The following digest formats are supported: sha224, sha256,
+ sha384 and sha512. The string may be specified in either hex or base64
+ format (base64 is more compact). There are several utilities capable of
+ generating SHA-2 digests in hex format such as openssl, shasum,
+ sha224sum, sha256sum, sha384sum, sha512sum.
+
+ For example, using openssl:
+
+ $ openssl dgst -sha224 /bin/ls
+ SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+
+ It is also possible to use openssl to generate base64 output:
+
+ $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+
+ Warning, if the user has write access to the command itself (directly or
+ via a ssuuddoo command), it may be possible for the user to replace the
+ command after the digest check has been performed but before the command
+ is executed. A similar race condition exists on systems that lack the
+ fexecve(2) system call when the directory in which the command is located
+ is writable by the user. See the description of the _f_d_e_x_e_c setting for
+ more information on how ssuuddoo executes commands that have an associated
+ digest.
+
+ Command digests are only supported by version 1.8.7 or higher.
+
+ DDeeffaauullttss
+ Certain configuration options may be changed from their default values at
+ run-time via one or more Default_Entry lines. These may affect all users
+ on any host, all users on a specific host, a specific user, a specific
+ command, or commands being run as a specific user. Note that per-command
+ entries may not include command line arguments. If you need to specify
+ arguments, define a Cmnd_Alias and reference that instead.
+
+ Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
+
+ Default_Entry ::= Default_Type Parameter_List
+
+ Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+ Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
+
+ Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are
+ implicitly boolean and can be turned off via the `!' operator. Some
+ integer, string and list parameters may also be used in a boolean context
+ to disable them. Values may be enclosed in double quotes ("") when they
+ contain multiple words. Special characters may be escaped with a
+ backslash (`\').
+
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It is
+ not an error to use the -= operator to remove an element that does not
+ exist in a list.
+
+ Defaults entries are parsed in the following order: generic, host, user
+ and runas Defaults first, then command defaults. If there are multiple
+ Defaults settings of the same type, the last matching setting is used.
+ The following Defaults settings are parsed before all others since they
+ may affect subsequent entries: _f_q_d_n, _g_r_o_u_p___p_l_u_g_i_n, _r_u_n_a_s___d_e_f_a_u_l_t,
+ _s_u_d_o_e_r_s___l_o_c_a_l_e.
+
+ See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters.
+
+ UUsseerr ssppeecciiffiiccaattiioonn
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
+
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+ Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
+
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
+ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
+
+ Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
+
+ Timeout_Spec ::= 'TIMEOUT=timeout'
+
+ Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
+ 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
+ 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
+ 'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
+
+ A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as rroooott, but
+ this can be changed on a per-command basis.
+
+ The basic structure of a user specification is "who where = (as_whom)
+ what". Let's break that down into its constituent parts:
+
+ RRuunnaass__SSppeecc
+ A Runas_Spec determines the user and/or the group that a command may be
+ run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
+ defined above) separated by a colon (`:') and enclosed in a set of
+ parentheses. The first Runas_List indicates which users the command may
+ be run as via ssuuddoo's --uu option. The second defines a list of groups that
+ can be specified via ssuuddoo's --gg option in addition to any of the target
+ user's groups. If both Runas_Lists are specified, the command may be run
+ with any combination of users and groups listed in their respective
+ Runas_Lists. If only the first is specified, the command may be run as
+ any user in the list but no --gg option may be specified. If the first
+ Runas_List is empty but the second is specified, the command may be run
+ as the invoking user with the group set to any listed in the Runas_List.
+ If both Runas_Lists are empty, the command may only be run as the
+ invoking user. If no Runas_Spec is specified the command may be run as
+ rroooott and no group may be specified.
+
+ A Runas_Spec sets the default for the commands that follow it. What this
+ means is that for the entry:
+
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+
+ The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m on the host
+ boulder--but only as ooppeerraattoorr. E.g.,
+
+ $ sudo -u operator /bin/ls
+
+ It is also possible to override a Runas_Spec later on in an entry. If we
+ modify the entry like so:
+
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+
+ Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l
+ and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
+
+ We can extend this to allow ddggbb to run /bin/ls with either the user or
+ group set to ooppeerraattoorr:
+
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
+ /usr/bin/lprm
+
+ Note that while the group portion of the Runas_Spec permits the user to
+ run as command with that group, it does not force the user to do so. If
+ no group is specified on the command line, the command will run with the
+ group listed in the target user's password database entry. The following
+ would all be permitted by the sudoers entry above:
+
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
+
+ In the following example, user ttccmm may run commands that access a modem
+ device file with the dialer group.
+
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
+ /usr/local/bin/minicom
+
+ Note that in this example only the group will be set, the command still
+ runs as user ttccmm. E.g.
+
+ $ sudo -g dialer /usr/bin/cu
+
+ Multiple users and groups may be present in a Runas_Spec, in which case
+ the user may select any combination of users and groups via the --uu and --gg
+ options. In this example:
+
+ alan ALL = (root, bin : operator, system) ALL
+
+ user aallaann may run any command as either user root or bin, optionally
+ setting the group to operator or system.
+
+ OOppttiioonn__SSppeecc
+ A Cmnd may have zero or more options associated with it. Options may
+ consist of SELinux roles and/or types, Solaris privileges sets, start
+ and/or end dates and command timeouts. Once an option is set for a Cmnd,
+ subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is
+ overridden by another option.
+
+ SSEELLiinnuuxx__SSppeecc
+ On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have
+ an SELinux role and/or type associated with a command. If a role or type
+ is specified with the command it will override any default values
+ specified in _s_u_d_o_e_r_s. A role or type specified on the command line,
+ however, will supersede the values in _s_u_d_o_e_r_s.
+
+ SSoollaarriiss__PPrriivv__SSppeecc
+ On Solaris systems, _s_u_d_o_e_r_s file entries may optionally specify Solaris
+ privilege set and/or limit privilege set associated with a command. If
+ privileges or limit privileges are specified with the command it will
+ override any default values specified in _s_u_d_o_e_r_s.
+
+ A privilege set is a comma-separated list of privilege names. The
+ ppriv(1) command can be used to list all privileges known to the system.
+ For example:
+
+ $ ppriv -l
+
+ In addition, there are several "special" privilege strings:
+
+ none the empty set
+
+ all the set of all privileges
+
+ zone the set of all privileges available in the current zone
+
+ basic the default set of privileges normal users are granted at login
+ time
+
+ Privileges can be excluded from a set by prefixing the privilege name
+ with either an `!' or `-' character.
+
+ DDaattee__SSppeecc
+ ssuuddooeerrss rules can be specified with a start and end date via the
+ NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
+ _G_e_n_e_r_a_l_i_z_e_d _T_i_m_e as defined by RFC 4517. The format is effectively
+ yyyymmddHHMMSSZ where the minutes and seconds are optional. The `Z'
+ suffix indicates that the time stamp is in Coordinated Universal Time
+ (UTC). It is also possible to specify a timezone offset from UTC in
+ hours and minutes instead of a `Z'. For example, `-0500' would
+ correspond to Eastern Standard time in the US. As an extension, if no
+ `Z' or timezone offset is specified, local time will be used.
+
+ The following are all valid time stamps:
+
+ 20170214083000Z
+ 2017021408Z
+ 20160315220000-0500
+ 20151201235900
+
+ TTiimmeeoouutt__SSppeecc
+ A command may have a timeout associated with it. If the timeout expires
+ before the command has exited, the command will be terminated. The
+ timeout may be specified in combinations of days, hours, minutes and
+ seconds with a single-letter case-insensitive suffix that indicates the
+ unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes and
+ 10 seconds would be written as 7d8h30m10s. If a number is specified
+ without a unit, seconds are assumed. Any of the days, minutes, hours or
+ seconds may be omitted. The order must be from largest to smallest unit
+ and a unit may not be specified more than once.
+
+ The following are all _v_a_l_i_d timeout values: 7d8h30m10s, 14d, 8h30m, 600s,
+ 3600. The following are _i_n_v_a_l_i_d timeout values: 12m2w1d, 30s10m4h,
+ 1d2d3h.
+
+ This option is only supported by version 1.8.20 or higher.
+
+ TTaagg__SSppeecc
+ A command may have zero or more tags associated with it. The following
+ tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
+ NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD,
+ SETENV, and NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in
+ the Cmnd_Spec_List, inherit the tag unless it is overridden by the
+ opposite tag (in other words, PASSWD overrides NOPASSWD and NOEXEC
+ overrides EXEC).
+
+ _E_X_E_C and _N_O_E_X_E_C
+
+ If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
+
+ In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
+ _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how
+ NOEXEC works and whether or not it will work on your system.
+
+ _F_O_L_L_O_W and _N_O_F_O_L_L_O_W Starting with version 1.8.15, ssuuddooeeddiitt will not open
+ a file that is a symbolic link unless the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is
+ enabled. The _F_O_L_L_O_W and _N_O_F_O_L_L_O_W tags override the value of
+ _s_u_d_o_e_d_i_t___f_o_l_l_o_w and can be used to permit (or deny) the editing of
+ symbolic links on a per-command basis. These tags are only effective
+ for the _s_u_d_o_e_d_i_t command and are ignored for all other commands.
+
+ _L_O_G___I_N_P_U_T and _N_O_L_O_G___I_N_P_U_T
+
+ These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command
+ basis. For more information, see the description of _l_o_g___i_n_p_u_t in the
+ _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
+
+ _L_O_G___O_U_T_P_U_T and _N_O_L_O_G___O_U_T_P_U_T
+
+ These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command
+ basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the
+ _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
+
+ _M_A_I_L and _N_O_M_A_I_L
+
+ These tags provide fine-grained control over whether mail will be sent
+ when a user runs a command by overriding the value of the
+ _m_a_i_l___a_l_l___c_m_n_d_s option on a per-command basis. They have no effect when
+ ssuuddoo is run with the --ll or --vv options. A _N_O_M_A_I_L tag will also override
+ the _m_a_i_l___a_l_w_a_y_s and _m_a_i_l___n_o___p_e_r_m_s options. For more information, see
+ the descriptions of _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s, and _m_a_i_l___n_o___p_e_r_m_s in
+ the _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below.
+
+ _P_A_S_S_W_D and _N_O_P_A_S_S_W_D
+
+ By default, ssuuddoo requires that a user authenticate him or herself
+ before running a command. This behavior can be modified via the
+ NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
+ the commands that follow it in the Cmnd_Spec_List. Conversely, the
+ PASSWD tag can be used to reverse things. For example:
+
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+
+ would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m
+ as rroooott on the machine rushmore without authenticating himself. If we
+ only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry
+ would be:
+
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+
+ Note, however, that the PASSWD tag has no effect on users who are in
+ the group specified by the _e_x_e_m_p_t___g_r_o_u_p option.
+
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run "sudo -l"
+ without a password. Additionally, a user may only run "sudo -v"
+ without a password if the NOPASSWD tag is present for all a user's
+ entries that pertain to the current host. This behavior may be
+ overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options.
+
+ _S_E_T_E_N_V and _N_O_S_E_T_E_N_V
+
+ These tags override the value of the _s_e_t_e_n_v option on a per-command
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or
+ _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set
+ variables in this manner. If the command matched is AALLLL, the SETENV
+ tag is implied for that command; this default may be overridden by use
+ of the NOSETENV tag.
+
+ WWiillddccaarrddss
+ ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be
+ used in host names, path names and command line arguments in the _s_u_d_o_e_r_s
+ file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
+ as specified by IEEE Std 1003.1 ("POSIX.1").
+
+ * Matches any set of zero or more characters (including white
+ space).
+
+ ? Matches any single character (including white space).
+
+ [...] Matches any character in the specified range.
+
+ [!...] Matches any character _n_o_t in the specified range.
+
+ \x For any character `x', evaluates to `x'. This is used to
+ escape special characters such as: `*', `?', `[', and `]'.
+
+ NNoottee tthhaatt tthheessee aarree nnoott rreegguullaarr eexxpprreessssiioonnss.. Unlike a regular expression
+ there is no way to match one or more characters within a range.
+
+ Character classes may be used if your system's glob(3) and fnmatch(3)
+ functions support them. However, because the `:' character has special
+ meaning in _s_u_d_o_e_r_s, it must be escaped. For example:
+
+ /bin/ls [[\:alpha\:]]*
+
+ Would match any file name beginning with a letter.
+
+ Note that a forward slash (`/') will _n_o_t be matched by wildcards used in
+ the file name portion of the command. This is to make a path like:
+
+ /usr/bin/*
+
+ match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
+
+ When matching the command line arguments, however, a slash _d_o_e_s get
+ matched by wildcards since command line arguments may contain arbitrary
+ strings and not just path names.
+
+ WWiillddccaarrddss iinn ccoommmmaanndd lliinnee aarrgguummeennttss sshhoouulldd bbee uusseedd wwiitthh ccaarree..
+ Command line arguments are matched as a single, concatenated string.
+ This mean a wildcard character such as `?' or `*' will match across word
+ boundaries, which may be unexpected. For example, while a sudoers entry
+ like:
+
+ %operator ALL = /bin/cat /var/log/messages*
+
+ will allow command like:
+
+ $ sudo cat /var/log/messages.1
+
+ It will also allow:
+
+ $ sudo cat /var/log/messages /etc/shadow
+
+ which is probably not what was intended. In most cases it is better to
+ do command line processing outside of the _s_u_d_o_e_r_s file in a scripting
+ language.
+
+ EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
+ The following exceptions apply to the above rules:
+
+ "" If the empty string "" is the only command line argument in the
+ _s_u_d_o_e_r_s file entry it means that command is not allowed to be
+ run with _a_n_y arguments.
+
+ sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should
+ always be path names, so a forward slash (`/') will not be
+ matched by a wildcard.
+
+ IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
+ It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s
+ file currently being parsed using the #include and #includedir
+ directives.
+
+ This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in
+ addition to a local, per-machine file. For the sake of this example the
+ site-wide _s_u_d_o_e_r_s file will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will
+ be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
+ _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
+
+ #include /etc/sudoers.local
+
+ When ssuuddoo reaches this line it will suspend processing of the current
+ file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching the
+ end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be processed.
+ Files that are included may themselves include other files. A hard limit
+ of 128 nested include files is enforced to prevent include file loops.
+
+ If the path to the include file is not fully-qualified (does not begin
+ with a `/'), it must be located in the same directory as the sudoers file
+ it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line:
+
+ #include sudoers.local
+
+ the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l.
+
+ The file name may also include the %h escape, signifying the short form
+ of the host name. In other words, if the machine's host name is
+ "xerxes", then
+
+ #include /etc/sudoers.%h
+
+ will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s.
+
+ The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory
+ that the system package manager can drop _s_u_d_o_e_r_s file rules into as part
+ of package installation. For example, given:
+
+ #includedir /etc/sudoers.d
+
+ ssuuddoo will suspend processing of the current file and read each file in
+ _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end in `~' or contain a `.'
+ character to avoid causing problems with package manager or editor
+ temporary/backup files. Files are parsed in sorted lexical order. That
+ is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before
+ _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is lexical,
+ not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded _a_f_t_e_r
+ _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in
+ the file names can be used to avoid such problems. After parsing the
+ files in the directory, control returns to the file that contained the
+ #includedir directive.
+
+ Note that unlike files included via #include, vviissuuddoo will not edit the
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run vviissuuddoo with the --ff flag to edit the
+ files directly, but this will not catch the redefinition of an _a_l_i_a_s that
+ is also present in a different file.
+
+ OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
+ The pound sign (`#') is used to indicate a comment (unless it is part of
+ a #include directive or unless it occurs in the context of a user name
+ and is followed by one or more digits, in which case it is treated as a
+ uid). Both the comment character and any text after it, up to the end of
+ the line, are ignored.
+
+ The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to
+ succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
+ User_Alias, Runas_Alias, or Host_Alias. You should not try to define
+ your own _a_l_i_a_s called AALLLL as the built-in alias will be used in
+ preference to your own. Please note that using AALLLL can be dangerous
+ since in a command context, it allows the user to run _a_n_y command on the
+ system.
+
+ An exclamation point (`!') can be used as a logical _n_o_t operator in a
+ list or _a_l_i_a_s as well as in front of a Cmnd. This allows one to exclude
+ certain values. For the `!' operator to be effective, there must be
+ something for it to exclude. For example, to match all users except for
+ root one would use:
+
+ ALL,!root
+
+ If the AALLLL, is omitted, as in:
+
+ !root
+
+ it would explicitly deny root but not match any other users. This is
+ different from a true "negation" operator.
+
+ Note, however, that using a `!' in conjunction with the built-in AALLLL
+ alias to allow a user to run "all but a few" commands rarely works as
+ intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below).
+
+ Long lines can be continued with a backslash (`\') as the last character
+ on the line.
+
+ White space between elements in a list as well as special syntactic
+ characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional.
+
+ The following characters must be escaped with a backslash (`\') when used
+ as part of a word (e.g., a user name or host name): `!', `=', `:', `,',
+ `(', `)', `\'.
+
+SSUUDDOOEERRSS OOPPTTIIOONNSS
+ ssuuddoo's behavior can be modified by Default_Entry lines, as explained
+ earlier. A list of all supported Defaults parameters, grouped by type,
+ are listed below.
+
+ BBoooolleeaann FFllaaggss:
+
+ always_query_group_plugin
+ If a _g_r_o_u_p___p_l_u_g_i_n is configured, use it to resolve
+ groups of the form %group as long as there is not also
+ a system group of the same name. Normally, only groups
+ of the form %:group are passed to the _g_r_o_u_p___p_l_u_g_i_n.
+ This flag is _o_f_f by default.
+
+ always_set_home If enabled, ssuuddoo will set the HOME environment variable
+ to the home directory of the target user (which is root
+ unless the --uu option is used). This effectively means
+ that the --HH option is always implied. Note that by
+ default, HOME will be set to the home directory of the
+ target user when the _e_n_v___r_e_s_e_t option is enabled, so
+ _a_l_w_a_y_s___s_e_t___h_o_m_e only has an effect for configurations
+ where either _e_n_v___r_e_s_e_t is disabled or HOME is present
+ in the _e_n_v___k_e_e_p list. This flag is _o_f_f by default.
+
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _o_n by
+ default.
+
+ case_insensitive_group
+ If enabled, group names in _s_u_d_o_e_r_s will be matched in a
+ case insensitive manner. This may be necessary when
+ users are stored in LDAP or AD. This flag is _o_n by
+ default.
+
+ case_insensitive_user
+ If enabled, user names in _s_u_d_o_e_r_s will be matched in a
+ case insensitive manner. This may be necessary when
+ groups are stored in LDAP or AD. This flag is _o_n by
+ default.
+
+ closefrom_override
+ If set, the user may use ssuuddoo's --CC option which
+ overrides the default starting point at which ssuuddoo
+ begins closing open file descriptors. This flag is _o_f_f
+ by default.
+
+ compress_io If set, and ssuuddoo is configured to log a command's input
+ or output, the I/O logs will be compressed using zzlliibb.
+ This flag is _o_n by default when ssuuddoo is compiled with
+ zzlliibb support.
+
+ exec_background By default, ssuuddoo runs a command as the foreground
+ process as long as ssuuddoo itself is running in the
+ foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled
+ and the command is being run in a pty (due to I/O
+ logging or the _u_s_e___p_t_y flag), the command will be run
+ as a background process. Attempts to read from the
+ controlling terminal (or to change terminal settings)
+ will result in the command being suspended with the
+ SIGTTIN signal (or SIGTTOU in the case of terminal
+ settings). If this happens when ssuuddoo is a foreground
+ process, the command will be granted the controlling
+ terminal and resumed in the foreground with no user
+ intervention required. The advantage of initially
+ running the command in the background is that ssuuddoo need
+ not read from the terminal unless the command
+ explicitly requests it. Otherwise, any terminal input
+ must be passed to the command, whether it has required
+ it or not (the kernel buffers terminals so it is not
+ possible to tell whether the command really wants the
+ input). This is different from historic _s_u_d_o behavior
+ or when the command is not being run in a pty.
+
+ For this to work seamlessly, the operating system must
+ support the automatic restarting of system calls.
+ Unfortunately, not all operating systems do this by
+ default, and even those that do may have bugs. For
+ example, macOS fails to restart the ttccggeettaattttrr() and
+ ttccsseettaattttrr() system calls (this is a bug in macOS).
+ Furthermore, because this behavior depends on the
+ command stopping with the SIGTTIN or SIGTTOU signals,
+ programs that catch these signals and suspend
+ themselves with a different signal (usually SIGTOP)
+ will not be automatically foregrounded. Some versions
+ of the linux su(1) command behave this way. This flag
+ is _o_f_f by default.
+
+ This setting is only supported by version 1.8.7 or
+ higher. It has no effect unless I/O logging is enabled
+ or the _u_s_e___p_t_y flag is enabled.
+
+ env_editor If set, vviissuuddoo will use the value of the SUDO_EDITOR,
+ VISUAL or EDITOR environment variables before falling
+ back on the default editor list. Note that this may
+ create a security hole as it allows the user to run any
+ arbitrary command as root without logging. A safer
+ alternative is to place a colon-separated list of
+ editors in the _e_d_i_t_o_r variable. vviissuuddoo will then only
+ use SUDO_EDITOR, VISUAL or EDITOR if they match a value
+ specified in _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is enabled,
+ the SUDO_EDITOR, VISUAL and/or EDITOR environment
+ variables must be present in the _e_n_v___k_e_e_p list for the
+ _e_n_v___e_d_i_t_o_r flag to function when vviissuuddoo is invoked via
+ ssuuddoo. This flag is _o_f_f by default.
+
+ env_reset If set, ssuuddoo will run the command in a minimal
+ environment containing the TERM, PATH, HOME, MAIL,
+ SHELL, LOGNAME, USER and SUDO_* variables. Any
+ variables in the caller's environment or in the file
+ specified by the _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e option that match
+ the env_keep and env_check lists are then added,
+ followed by any variables present in the file specified
+ by the _e_n_v___f_i_l_e option (if any). The contents of the
+ env_keep and env_check lists, as modified by global
+ Defaults parameters in _s_u_d_o_e_r_s, are displayed when ssuuddoo
+ is run by root with the --VV option. If the _s_e_c_u_r_e___p_a_t_h
+ option is set, its value will be used for the PATH
+ environment variable. This flag is _o_n by default.
+
+ fast_glob Normally, ssuuddoo uses the glob(3) function to do shell-
+ style globbing when matching path names. However,
+ since it accesses the file system, glob(3) can take a
+ long time to complete for some patterns, especially
+ when the pattern references a network file system that
+ is mounted on demand (auto mounted). The _f_a_s_t___g_l_o_b
+ option causes ssuuddoo to use the fnmatch(3) function,
+ which does not access the file system to do its
+ matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is
+ unable to match relative path names such as _._/_l_s or
+ _._._/_b_i_n_/_l_s. This has security implications when path
+ names that include globbing characters are used with
+ the negation operator, `!', as such rules can be
+ trivially bypassed. As such, this option should not be
+ used when the _s_u_d_o_e_r_s file contains rules that contain
+ negated path names which include globbing characters.
+ This flag is _o_f_f by default.
+
+ fqdn Set this flag if you want to put fully qualified host
+ names in the _s_u_d_o_e_r_s file when the local host name (as
+ returned by the hostname command) does not contain the
+ domain name. In other words, instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). This
+ option is only effective when the "canonical" host
+ name, as returned by the ggeettaaddddrriinnffoo() or
+ ggeetthhoossttbbyynnaammee() function, is a fully-qualified domain
+ name. This is usually the case when the system is
+ configured to use DNS for host name resolution.
+
+ If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file
+ in preference to DNS, the "canonical" host name may not
+ be fully-qualified. The order that sources are queried
+ for host name resolution is usually specified in the
+ _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, _/_e_t_c_/_h_o_s_t_._c_o_n_f,
+ or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f file. In the
+ _/_e_t_c_/_h_o_s_t_s file, the first host name of the entry is
+ considered to be the "canonical" name; subsequent names
+ are aliases that are not used by ssuuddooeerrss. For example,
+ the following hosts file line for the machine "xyzzy"
+ has the fully-qualified domain name as the "canonical"
+ host name, and the short version as an alias.
+
+ 192.168.1.1 xyzzy.sudo.ws xyzzy
+
+ If the machine's hosts file entry is not formatted
+ properly, the _f_q_d_n option will not be effective if it
+ is queried before DNS.
+
+ Beware that when using DNS for host name resolution,
+ turning on _f_q_d_n requires ssuuddooeerrss to make DNS lookups
+ which renders ssuuddoo unusable if DNS stops working (for
+ example if the machine is disconnected from the
+ network). Also note that just like with the hosts
+ file, you must use the "canonical" name as DNS knows
+ it. That is, you may not use a host alias (CNAME
+ entry) due to performance issues and the fact that
+ there is no way to get all aliases from DNS.
+
+ This flag is _o_f_f by default.
+
+ ignore_audit_errors
+ Allow commands to be run even if ssuuddooeerrss cannot write
+ to the audit log. If enabled, an audit log write
+ failure is not treated as a fatal error. If disabled,
+ a command may only be run after the audit event is
+ successfully written. This flag is only effective on
+ systems for which ssuuddooeerrss supports audit logging,
+ including FreeBSD, Linux, macOS and Solaris. This flag
+ is _o_n by default.
+
+ ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting
+ current directory) in the PATH environment variable;
+ the PATH itself is not modified. This flag is _o_f_f by
+ default.
+
+ ignore_iolog_errors
+ Allow commands to be run even if ssuuddooeerrss cannot write
+ to the I/O log. If enabled, an I/O log write failure
+ is not treated as a fatal error. If disabled, the
+ command will be terminated if the I/O log cannot be
+ written to. This flag is _o_f_f by default.
+
+ ignore_logfile_errors
+ Allow commands to be run even if ssuuddooeerrss cannot write
+ to the log file. If enabled, a log file write failure
+ is not treated as a fatal error. If disabled, a
+ command may only be run after the log file entry is
+ successfully written. This flag only has an effect
+ when ssuuddooeerrss is configured to use file-based logging
+ via the _l_o_g_f_i_l_e option. This flag is _o_n by default.
+
+ ignore_local_sudoers
+ If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be
+ skipped. This is intended for Enterprises that wish to
+ prevent the usage of local sudoers files so that only
+ LDAP is used. This thwarts the efforts of rogue
+ operators who would attempt to add roles to
+ _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present,
+ _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this
+ option tells ssuuddoo how to behave when no specific LDAP
+ entries have been matched, this sudoOption is only
+ meaningful for the cn=defaults section. This flag is
+ _o_f_f by default.
+
+ ignore_unknown_defaults
+ If set, ssuuddoo will not produce a warning if it
+ encounters an unknown Defaults entry in the _s_u_d_o_e_r_s
+ file or an unknown sudoOption in LDAP. This flag is
+ _o_f_f by default.
+
+ insults If set, ssuuddoo will insult users when they enter an
+ incorrect password. This flag is _o_f_f by default.
+
+ log_host If set, the host name will be logged in the (non-
+ syslog) ssuuddoo log file. This flag is _o_f_f by default.
+
+ log_input If set, ssuuddoo will run the command in a pseudo-tty and
+ log all user input. If the standard input is not
+ connected to the user's tty, due to I/O redirection or
+ because the command is part of a pipeline, that input
+ is also captured and stored in a separate log file.
+ Anything sent to the standard input will be consumed,
+ regardless of whether or not the command run via ssuuddoo
+ is actually reading the standard input. This may have
+ unexpected results when using ssuuddoo in a shell script
+ that expects to process the standard input. For more
+ information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S
+ section. This flag is _o_f_f by default.
+
+ log_output If set, ssuuddoo will run the command in a pseudo-tty and
+ log all output that is sent to the screen, similar to
+ the script(1) command. For more information about I/O
+ logging, see the _I_/_O _L_O_G _F_I_L_E_S section. This flag is
+ _o_f_f by default.
+
+ log_year If set, the four-digit year will be logged in the (non-
+ syslog) ssuuddoo log file. This flag is _o_f_f by default.
+
+ long_otp_prompt When validating with a One Time Password (OTP) scheme
+ such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to
+ make it easier to cut and paste the challenge to a
+ local window. It's not as pretty as the default but
+ some people find it more convenient. This flag is _o_f_f
+ by default.
+
+ mail_all_cmnds Send mail to the _m_a_i_l_t_o user every time a user attempts
+ to run a command via ssuuddoo (this includes ssuuddooeeddiitt). No
+ mail will be sent if the user runs ssuuddoo with the --ll or
+ --vv option unless there is an authentication error and
+ the _m_a_i_l___b_a_d_p_a_s_s flag is also set. This flag is _o_f_f by
+ default.
+
+ mail_always Send mail to the _m_a_i_l_t_o user every time a user runs
+ ssuuddoo. This flag is _o_f_f by default.
+
+ mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
+ does not enter the correct password. If the command
+ the user is attempting to run is not permitted by
+ ssuuddooeerrss and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s,
+ _m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are
+ set, this flag will have no effect. This flag is _o_f_f
+ by default.
+
+ mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the
+ invoking user exists in the _s_u_d_o_e_r_s file, but is not
+ allowed to run commands on the current host. This flag
+ is _o_f_f by default.
+
+ mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
+ invoking user is allowed to use ssuuddoo but the command
+ they are trying is not listed in their _s_u_d_o_e_r_s file
+ entry or is explicitly denied. This flag is _o_f_f by
+ default.
+
+ mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the
+ invoking user is not in the _s_u_d_o_e_r_s file. This flag is
+ _o_n by default.
+
+ match_group_by_gid
+ By default, ssuuddooeerrss will look up each group the user is
+ a member of by group ID to determine the group name
+ (this is only done once). The resulting list of the
+ user's group names is used when matching groups listed
+ in the _s_u_d_o_e_r_s file. This works well on systems where
+ the number of groups listed in the _s_u_d_o_e_r_s file is
+ larger than the number of groups a typical user belongs
+ to. On systems where group lookups are slow, where
+ users may belong to a large number of groups, and where
+ the number of groups listed in the _s_u_d_o_e_r_s file is
+ relatively small, it may be prohibitively expensive and
+ running commands via ssuuddoo may take longer than normal.
+ On such systems it may be faster to use the
+ _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's
+ group IDs to group names. In this case, ssuuddooeerrss must
+ look up any group name listed in the _s_u_d_o_e_r_s file and
+ use the group ID instead of the group name when
+ determining whether the user is a member of the group.
+
+ Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group
+ database lookups performed by ssuuddooeerrss will be keyed by
+ group name as opposed to group ID. On systems where
+ there are multiple sources for the group database, it
+ is possible to have conflicting group names or group
+ IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group
+ database. On such systems, enabling or disabling
+ _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group
+ database queries are performed by name (enabled) or ID
+ (disabled), which may aid in working around group entry
+ conflicts.
+
+ The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s
+ data is stored in LDAP. This flag is _o_f_f by default.
+
+ This setting is only supported by version 1.8.18 or
+ higher.
+
+ netgroup_tuple If set, netgroup lookups will be performed using the
+ full netgroup tuple: host name, user name and domain
+ (if one is set). Historically, ssuuddoo only matched the
+ user name and domain for netgroups used in a User_List
+ and only matched the host name and domain for netgroups
+ used in a Host_List. This flag is _o_f_f by default.
+
+ noexec If set, all commands run via ssuuddoo will behave as if the
+ NOEXEC tag has been set, unless overridden by an EXEC
+ tag. See the description of _E_X_E_C _a_n_d _N_O_E_X_E_C above as
+ well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end
+ of this manual. This flag is _o_f_f by default.
+
+ pam_session On systems that use PAM for authentication, ssuuddoo will
+ create a new PAM session for the command to be run in.
+ Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM
+ implementations or on operating systems where opening a
+ PAM session changes the utmp or wtmp files. If PAM
+ session support is disabled, resource limits may not be
+ updated for the command being run. If _p_a_m___s_e_s_s_i_o_n,
+ _p_a_m___s_e_t_c_r_e_d, and _u_s_e___p_t_y are disabled and I/O logging
+ has not been configured, ssuuddoo will execute the command
+ directly instead of running it as a child process.
+ This flag is _o_n by default.
+
+ This setting is only supported by version 1.8.7 or
+ higher.
+
+ pam_setcred On systems that use PAM for authentication, ssuuddoo will
+ attempt to establish credentials for the target user by
+ default, if supported by the underlying authentication
+ system. One example of a credential is a Kerberos
+ ticket. If _p_a_m___s_e_s_s_i_o_n, _p_a_m___s_e_t_c_r_e_d, and _u_s_e___p_t_y are
+ disabled and I/O logging has not been configured, ssuuddoo
+ will execute the command directly instead of running it
+ as a child process. This flag is _o_n by default.
+
+ This setting is only supported by version 1.8.8 or
+ higher.
+
+ passprompt_override
+ If set, the prompt specified by _p_a_s_s_p_r_o_m_p_t or the
+ SUDO_PROMPT environment variable will always be used
+ and will replace the prompt provided by a PAM module or
+ other authentication method. This flag is _o_f_f by
+ default.
+
+ path_info Normally, ssuuddoo will tell the user when a command could
+ not be found in their PATH environment variable. Some
+ sites may wish to disable this as it could be used to
+ gather information on the location of executables that
+ the normal user does not have access to. The
+ disadvantage is that if the executable is simply not in
+ the user's PATH, ssuuddoo will tell the user that they are
+ not allowed to run it, which can be confusing. This
+ flag is _o_n by default.
+
+ preserve_groups By default, ssuuddoo will initialize the group vector to
+ the list of groups the target user is in. When
+ _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group
+ vector is left unaltered. The real and effective group
+ IDs, however, are still set to match the target user.
+ This flag is _o_f_f by default.
+
+ pwfeedback By default, ssuuddoo reads the password like most other
+ Unix programs, by turning off echo until the user hits
+ the return (or enter) key. Some users become confused
+ by this as it appears to them that ssuuddoo has hung at
+ this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide
+ visual feedback when the user presses a key. Note that
+ this does have a security impact as an onlooker may be
+ able to determine the length of the password being
+ entered. This flag is _o_f_f by default.
+
+ requiretty If set, ssuuddoo will only run when the user is logged in
+ to a real tty. When this flag is set, ssuuddoo can only be
+ run from a login session and not via other means such
+ as cron(1m) or cgi-bin scripts. This flag is _o_f_f by
+ default.
+
+ root_sudo If set, root is allowed to run ssuuddoo too. Disabling
+ this prevents users from "chaining" ssuuddoo commands to
+ get a root shell by doing something like "sudo sudo
+ /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
+ will also prevent root from running ssuuddooeeddiitt.
+ Disabling _r_o_o_t___s_u_d_o provides no real additional
+ security; it exists purely for historical reasons.
+ This flag is _o_n by default.
+
+ rootpw If set, ssuuddoo will prompt for the root password instead
+ of the password of the invoking user when running a
+ command or editing a file. This flag is _o_f_f by
+ default.
+
+ runaspw If set, ssuuddoo will prompt for the password of the user
+ defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root)
+ instead of the password of the invoking user when
+ running a command or editing a file. This flag is _o_f_f
+ by default.
+
+ set_home If enabled and ssuuddoo is invoked with the --ss option the
+ HOME environment variable will be set to the home
+ directory of the target user (which is root unless the
+ --uu option is used). This effectively makes the --ss
+ option imply --HH. Note that HOME is already set when
+ the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is only
+ effective for configurations where either _e_n_v___r_e_s_e_t is
+ disabled or HOME is present in the _e_n_v___k_e_e_p list. This
+ flag is _o_f_f by default.
+
+ set_logname Normally, ssuuddoo will set the LOGNAME and USER
+ environment variables to the name of the target user
+ (usually root unless the --uu option is given). However,
+ since some programs (including the RCS revision control
+ system) use LOGNAME to determine the real identity of
+ the user, it may be desirable to change this behavior.
+ This can be done by negating the set_logname option.
+ Note that _s_e_t___l_o_g_n_a_m_e will have no effect if the
+ _e_n_v___r_e_s_e_t option has not been disabled and the _e_n_v___k_e_e_p
+ list contains LOGNAME or USER. This flag is _o_n by
+ default.
+
+ set_utmp When enabled, ssuuddoo will create an entry in the utmp (or
+ utmpx) file when a pseudo-tty is allocated. A pseudo-
+ tty is allocated by ssuuddoo when the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t
+ or _u_s_e___p_t_y flags are enabled. By default, the new
+ entry will be a copy of the user's existing utmp entry
+ (if any), with the tty, time, type and pid fields
+ updated. This flag is _o_n by default.
+
+ setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the
+ command line via the --EE option. Additionally,
+ environment variables set via the command line are not
+ subject to the restrictions imposed by _e_n_v___c_h_e_c_k,
+ _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users
+ should be allowed to set variables in this manner.
+ This flag is _o_f_f by default.
+
+ shell_noargs If set and ssuuddoo is invoked with no arguments it acts as
+ if the --ss option had been given. That is, it runs a
+ shell as root (the shell is determined by the SHELL
+ environment variable if it is set, falling back on the
+ shell listed in the invoking user's /etc/passwd entry
+ if not). This flag is _o_f_f by default.
+
+ stay_setuid Normally, when ssuuddoo executes a command the real and
+ effective UIDs are set to the target user (root by
+ default). This option changes that behavior such that
+ the real UID is left as the invoking user's UID. In
+ other words, this makes ssuuddoo act as a setuid wrapper.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
+ that support either the setreuid(2) or setresuid(2)
+ system call. This flag is _o_f_f by default.
+
+ sudoedit_checkdir
+ If set, ssuuddooeeddiitt will check all directory components of
+ the path to be edited for writability by the invoking
+ user. Symbolic links will not be followed in writable
+ directories and ssuuddooeeddiitt will refuse to edit a file
+ located in a writable directory. These restrictions
+ are not enforced when ssuuddooeeddiitt is run by root. On some
+ systems, if all directory components of the path to be
+ edited are not readable by the target user, ssuuddooeeddiitt
+ will be unable to edit the file. This flag is _o_n by
+ default.
+
+ This setting was first introduced in version 1.8.15 but
+ initially suffered from a race condition. The check
+ for symbolic links in writable intermediate directories
+ was added in version 1.8.16.
+
+ sudoedit_follow By default, ssuuddooeeddiitt will not follow symbolic links
+ when opening files. The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be
+ enabled to allow ssuuddooeeddiitt to open symbolic links. It
+ may be overridden on a per-command basis by the _F_O_L_L_O_W
+ and _N_O_F_O_L_L_O_W tags. This flag is _o_f_f by default.
+
+ This setting is only supported by version 1.8.15 or
+ higher.
+
+ syslog_pid When logging via syslog(3), include the process ID in
+ the log entry. This flag is _o_f_f by default.
+
+ This setting is only supported by version 1.8.21 or
+ higher.
+
+ targetpw If set, ssuuddoo will prompt for the password of the user
+ specified by the --uu option (defaults to root) instead
+ of the password of the invoking user when running a
+ command or editing a file. Note that this flag
+ precludes the use of a uid not listed in the passwd
+ database as an argument to the --uu option. This flag is
+ _o_f_f by default.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ With this flag enabled, ssuuddoo will use a separate record
+ in the time stamp file for each terminal. If disabled,
+ a single record is used for all login sessions.
+
+ This option has been superseded by the _t_i_m_e_s_t_a_m_p___t_y_p_e
+ option.
+
+ umask_override If set, ssuuddoo will set the umask as specified in the
+ _s_u_d_o_e_r_s file without modification. This makes it
+ possible to specify a umask in the _s_u_d_o_e_r_s file that is
+ more permissive than the user's own umask and matches
+ historical behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set,
+ ssuuddoo will set the umask to be the union of the user's
+ umask and what is specified in _s_u_d_o_e_r_s. This flag is
+ _o_f_f by default.
+
+ use_loginclass If set, ssuuddoo will apply the defaults specified for the
+ target user's login class if one exists. Only
+ available if ssuuddoo is configured with the
+ --with-logincap option. This flag is _o_f_f by default.
+
+ use_netgroups If set, netgroups (prefixed with `+'), may be used in
+ place of a user or host. For LDAP-based sudoers,
+ netgroup support requires an expensive sub-string match
+ on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is
+ present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. If netgroups are
+ not needed, this option can be disabled to reduce the
+ load on the LDAP server. This flag is _o_n by default.
+
+ use_pty If set, and ssuuddoo is running in a terminal, the command
+ will be run in a pseudo-pty (even if no I/O logging is
+ being done). If the ssuuddoo process is not attached to a
+ terminal, _u_s_e___p_t_y has no effect.
+
+ A malicious program run under ssuuddoo may be capable of
+ injecting commands into the user's terminal or running
+ a background process that retains access to the user's
+ terminal device even after the main program has
+ finished executing. By running the command in a
+ separate pseudo-pty, this attack is no longer possible.
+ This flag is _o_f_f by default.
+
+ user_command_timeouts
+ If set, the user may specify a timeout on the command
+ line. If the timeout expires before the command has
+ exited, the command will be terminated. If a timeout
+ is specified both in the _s_u_d_o_e_r_s file and on the
+ command line, the smaller of the two timeouts will be
+ used. See the Timeout_Spec section for a description
+ of the timeout syntax. This flag is _o_f_f by default.
+
+ This setting is only supported by version 1.8.20 or
+ higher.
+
+ utmp_runas If set, ssuuddoo will store the name of the runas user when
+ updating the utmp (or utmpx) file. By default, ssuuddoo
+ stores the name of the invoking user. This flag is _o_f_f
+ by default.
+
+ visiblepw By default, ssuuddoo will refuse to run if the user must
+ enter a password but it is not possible to disable echo
+ on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
+ will prompt for a password even when it would be
+ visible on the screen. This makes it possible to run
+ things like "ssh somehost sudo ls" since by default,
+ ssh(1) does not allocate a tty when running a command.
+ This flag is _o_f_f by default.
+
+ IInntteeggeerrss:
+
+ closefrom Before it executes a command, ssuuddoo will close all open
+ file descriptors other than standard input, standard
+ output and standard error (ie: file descriptors 0-2).
+ The _c_l_o_s_e_f_r_o_m option can be used to specify a different
+ file descriptor at which to start closing. The default
+ is 3.
+
+ command_timeout The maximum amount of time a command is allowed to run
+ before it is terminated. See the Timeout_Spec section
+ for a description of the timeout syntax.
+
+ This setting is only supported by version 1.8.20 or
+ higher.
+
+ maxseq The maximum sequence number that will be substituted
+ for the "%{seq}" escape in the I/O log file (see the
+ _i_o_l_o_g___d_i_r description below for more information).
+ While the value substituted for "%{seq}" is in base 36,
+ _m_a_x_s_e_q itself should be expressed in decimal. Values
+ larger than 2176782336 (which corresponds to the base
+ 36 sequence number "ZZZZZZ") will be silently truncated
+ to 2176782336. The default value is 2176782336.
+
+ Once the local sequence number reaches the value of
+ _m_a_x_s_e_q, it will "roll over" to zero, after which
+ ssuuddooeerrss will truncate and re-use any existing I/O log
+ path names.
+
+ This setting is only supported by version 1.8.7 or
+ higher.
+
+ passwd_tries The number of tries a user gets to enter his/her
+ password before ssuuddoo logs the failure and exits. The
+ default is 3.
+
+ syslog_maxlen On many systems, syslog(3) has a relatively small log
+ buffer. IETF RFC 5424 states that syslog servers must
+ support messages of at least 480 bytes and should
+ support messages up to 2048 bytes. By default, ssuuddooeerrss
+ creates log messages up to 980 bytes which corresponds
+ to the historic BSD syslog implementation which used a
+ 1024 byte buffer to store the message, date, hostname
+ and program name. To prevent syslog messages from
+ being truncated, ssuuddooeerrss will split up log messages
+ that are larger than _s_y_s_l_o_g___m_a_x_l_e_n bytes. When a
+ message is split, additional parts will include the
+ string "(command continued)" after the user name and
+ before the continued command line arguments.
+
+ This setting is only supported by version 1.8.19 or
+ higher.
+
+ IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
+
+ loglinelen Number of characters per line for the file log. This
+ value is used to decide when to wrap lines for nicer
+ log files. This has no effect on the syslog log file,
+ only the file log. The default is 80 (use 0 or negate
+ the option to disable word wrap).
+
+ passwd_timeout Number of minutes before the ssuuddoo password prompt times
+ out, or 0 for no timeout. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5.
+
+ timestamp_timeout
+ Number of minutes that can elapse before ssuuddoo will ask
+ for a passwd again. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5. Set
+ this to 0 to always prompt for a password. If set to a
+ value less than 0 the user's time stamp will not expire
+ until the system is rebooted. This can be used to
+ allow users to create or delete their own time stamps
+ via "sudo -v" and "sudo -k" respectively.
+
+ umask Umask to use when running the command. Negate this
+ option or set it to 0777 to preserve the user's umask.
+ The actual umask that is used will be the union of the
+ user's umask and the value of the _u_m_a_s_k option, which
+ defaults to 0022. This guarantees that ssuuddoo never
+ lowers the umask when running a command. Note: on
+ systems that use PAM, the default PAM configuration may
+ specify its own umask which will override the value set
+ in _s_u_d_o_e_r_s.
+
+ SSttrriinnggss:
+
+ authfail_message Message that is displayed after a user fails to
+ authenticate. The message may include the `%d' escape
+ which will expand to the number of failed password
+ attempts. If set, it overrides the default message, %d
+ incorrect password attempt(s).
+
+ badpass_message Message that is displayed if a user enters an incorrect
+ password. The default is Sorry, try again. unless
+ insults are enabled.
+
+ editor A colon (`:') separated list of editors path names used
+ by ssuuddooeeddiitt and vviissuuddoo. For ssuuddooeeddiitt, this list is
+ used to find an editor when none of the SUDO_EDITOR,
+ VISUAL or EDITOR environment variables are set to an
+ editor that exists and is executable. For vviissuuddoo, it
+ is used as a white list of allowed editors; vviissuuddoo will
+ choose the editor that matches the user's SUDO_EDITOR,
+ VISUAL or EDITOR environment variable if possible, or
+ the first editor in the list that exists and is
+ executable if not. Unless invoked as ssuuddooeeddiitt, ssuuddoo
+ does not preserve the SUDO_EDITOR, VISUAL and EDITOR
+ environment variables by default, even when the
+ _e_n_v___r_e_s_e_t option is enabled. The default is _v_i.
+
+ iolog_dir The top-level directory to use when constructing the
+ path name for the input/output log directory. Only
+ used if the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled
+ or when the LOG_INPUT or LOG_OUTPUT tags are present
+ for a command. The session sequence number, if any, is
+ stored in the directory. The default is
+ _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o.
+
+ The following percent (`%') escape sequences are
+ supported:
+
+ %{seq}
+ expanded to a monotonically increasing base-36
+ sequence number, such as 0100A5, where every two
+ digits are used to form a new directory, e.g.,
+ _0_1_/_0_0_/_A_5
+
+ %{user}
+ expanded to the invoking user's login name
+
+ %{group}
+ expanded to the name of the invoking user's real
+ group ID
+
+ %{runas_user}
+ expanded to the login name of the user the
+ command will be run as (e.g., root)
+
+ %{runas_group}
+ expanded to the group name of the user the
+ command will be run as (e.g., wheel)
+
+ %{hostname}
+ expanded to the local host name without the
+ domain name
+
+ %{command}
+ expanded to the base name of the command being
+ run
+
+ In addition, any escape sequences supported by the
+ system's strftime(3) function will be expanded.
+
+ To include a literal `%' character, the string `%%'
+ should be used.
+
+ iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store
+ input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t
+ options are enabled or when the LOG_INPUT or LOG_OUTPUT
+ tags are present for a command. Note that _i_o_l_o_g___f_i_l_e
+ may contain directory components. The default is
+ "%{seq}".
+
+ See the _i_o_l_o_g___d_i_r option above for a list of supported
+ percent (`%') escape sequences.
+
+ In addition to the escape sequences, path names that
+ end in six or more Xs will have the Xs replaced with a
+ unique combination of digits and letters, similar to
+ the mktemp(3) function.
+
+ If the path created by concatenating _i_o_l_o_g___d_i_r and
+ _i_o_l_o_g___f_i_l_e already exists, the existing I/O log file
+ will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e
+ ends in six or more Xs.
+
+ iolog_flush If set, ssuuddoo will flush I/O log data to disk after each
+ write instead of buffering it. This makes it possible
+ to view the logs in real-time as the program is
+ executing but may significantly reduce the
+ effectiveness of I/O log compression. This flag is _o_f_f
+ by default.
+
+ This setting is only supported by version 1.8.20 or
+ higher.
+
+ iolog_group The group name to look up when setting the group ID on
+ new I/O log files and directories. If _i_o_l_o_g___g_r_o_u_p is
+ not set, the primary group ID of the user specified by
+ _i_o_l_o_g___u_s_e_r is used. If neither _i_o_l_o_g___g_r_o_u_p nor
+ _i_o_l_o_g___u_s_e_r are set, I/O log files and directories are
+ created with group ID 0.
+
+ This setting is only supported by version 1.8.19 or
+ higher.
+
+ iolog_mode The file mode to use when creating I/O log files. Mode
+ bits for read and write permissions for owner, group or
+ other are honored, everything else is ignored. The
+ file permissions will always include the owner read and
+ write bits, even if they are not present in the
+ specified mode. When creating I/O log directories,
+ search (execute) bits are added to match the read and
+ write bits specified by _i_o_l_o_g___m_o_d_e. Defaults to 0600
+ (read and write by user only).
+
+ This setting is only supported by version 1.8.19 or
+ higher.
+
+ iolog_user The user name to look up when setting the user and
+ group IDs on new I/O log files and directories. If
+ _i_o_l_o_g___g_r_o_u_p is set, it will be used instead of the
+ user's primary group ID. By default, I/O log files and
+ directories are created with user and group ID 0.
+
+ This setting can be useful when the I/O logs are stored
+ on a Network File System (NFS) share. Having a
+ dedicated user own the I/O log files means that ssuuddooeerrss
+ does not write to the log files as user ID 0, which is
+ usually not permitted by NFS.
+
+ This setting is only supported by version 1.8.19 or
+ higher.
+
+ lecture_status_dir
+ The directory in which ssuuddoo stores per-user lecture
+ status files. Once a user has received the lecture, a
+ zero-length file is created in this directory so that
+ ssuuddoo will not lecture the user again. This directory
+ should _n_o_t be cleared when the system reboots. The
+ default is _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d.
+
+ limitprivs The default Solaris limit privileges to use when
+ constructing a new privilege set for a command. This
+ bounds all privileges of the executing process. The
+ default limit privileges may be overridden on a per-
+ command basis in _s_u_d_o_e_r_s. This option is only
+ available if ssuuddooeerrss is built on Solaris 10 or higher.
+
+ mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The
+ escape %h will expand to the host name of the machine.
+ Default is "*** SECURITY information for %h ***".
+
+ noexec_file As of ssuuddoo version 1.8.1 this option is no longer
+ supported. The path to the noexec file should now be
+ set in the sudo.conf(4) file.
+
+ pam_login_service
+ On systems that use PAM for authentication, this is the
+ service name used when the --ii option is specified. The
+ default value is "sudo". See the description of
+ _p_a_m___s_e_r_v_i_c_e for more information.
+
+ This setting is only supported by version 1.8.8 or
+ higher.
+
+ pam_service On systems that use PAM for authentication, the service
+ name specifies the PAM policy to apply. This usually
+ corresponds to an entry in the _p_a_m_._c_o_n_f file or a file
+ in the _/_e_t_c_/_p_a_m_._d directory. The default value is
+ "sudo".
+
+ This setting is only supported by version 1.8.8 or
+ higher.
+
+ passprompt The default prompt to use when asking for a password;
+ can be overridden via the --pp option or the SUDO_PROMPT
+ environment variable. The following percent (`%')
+ escape sequences are supported:
+
+ %H expanded to the local host name including the
+ domain name (only if the machine's host name is
+ fully qualified or the _f_q_d_n option is set)
+
+ %h expanded to the local host name without the
+ domain name
+
+ %p expanded to the user whose password is being
+ asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
+ _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s)
+
+ %U expanded to the login name of the user the
+ command will be run as (defaults to root)
+
+ %u expanded to the invoking user's login name
+
+ %% two consecutive % characters are collapsed into a
+ single % character
+
+ On systems that use PAM for authentication, _p_a_s_s_p_r_o_m_p_t
+ will only be used if the prompt provided by the PAM
+ module matches the string "Password: " or "username's
+ Password: ". This ensures that the _p_a_s_s_p_r_o_m_p_t setting
+ does not interfere with challenge-response style
+ authentication. The _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag can be
+ used to change this behavior.
+
+ The default value is "Password: ".
+
+ privs The default Solaris privileges to use when constructing
+ a new privilege set for a command. This is passed to
+ the executing process via the inherited privilege set,
+ but is bounded by the limit privileges. If the _p_r_i_v_s
+ option is specified but the _l_i_m_i_t_p_r_i_v_s option is not,
+ the limit privileges of the executing process is set to
+ _p_r_i_v_s. The default privileges may be overridden on a
+ per-command basis in _s_u_d_o_e_r_s. This option is only
+ available if ssuuddooeerrss is built on Solaris 10 or higher.
+
+ role The default SELinux role to use when constructing a new
+ security context to run the command. The default role
+ may be overridden on a per-command basis in the _s_u_d_o_e_r_s
+ file or via command line options. This option is only
+ available when ssuuddoo is built with SELinux support.
+
+ runas_default The default user to run commands as if the --uu option is
+ not specified on the command line. This defaults to
+ root.
+
+ sudoers_locale Locale to use when parsing the sudoers file, logging
+ commands, and sending email. Note that changing the
+ locale may affect how sudoers is interpreted. Defaults
+ to "C".
+
+ timestamp_type ssuuddooeerrss uses per-user time stamp files for credential
+ caching. The _t_i_m_e_s_t_a_m_p___t_y_p_e option can be used to
+ specify the type of time stamp record used. It has the
+ following possible values:
+
+ global A single time stamp record is used for all of a
+ user's login sessions, regardless of the
+ terminal or parent process ID. An additional
+ record is used to serialize password prompts
+ when ssuuddoo is used multiple times in a pipeline,
+ but this does not affect authentication.
+
+ ppid A single time stamp record is used for all
+ processes with the same parent process ID
+ (usually the shell). Commands run from the
+ same shell (or other common parent process)
+ will not require a password for
+ _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t minutes (5 by default).
+ Commands run via ssuuddoo with a different parent
+ process ID, for example from a shell script,
+ will be authenticated separately.
+
+ tty One time stamp record is used for each
+ terminal, which means that a user's login
+ sessions are authenticated separately. If no
+ terminal is present, the behavior is the same
+ as _p_p_i_d. Commands run from the same terminal
+ will not require a password for
+ _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t minutes (5 by default).
+
+ kernel The time stamp is stored in the kernel as an
+ attribute of the terminal device. If no
+ terminal is present, the behavior is the same
+ as _p_p_i_d. Negative _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t values are
+ not supported and positive values are limited
+ to a maximum of 60 minutes. This is currently
+ only supported on OpenBSD.
+
+ The default value is _t_t_y.
+
+ This setting is only supported by version 1.8.21 or
+ higher.
+
+ timestampdir The directory in which ssuuddoo stores its time stamp
+ files. This directory should be cleared when the
+ system reboots. The default is _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s.
+
+ timestampowner The owner of the lecture status directory, time stamp
+ directory and all files stored therein. The default is
+ root.
+
+ type The default SELinux type to use when constructing a new
+ security context to run the command. The default type
+ may be overridden on a per-command basis in the _s_u_d_o_e_r_s
+ file or via command line options. This option is only
+ available when ssuuddoo is built with SELinux support.
+
+ SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
+
+ env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a
+ file containing variables to be set in the environment of
+ the program being run. Entries in this file should either
+ be of the form "VARIABLE=value" or "export VARIABLE=value".
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are only added if the
+ variable does not already exist in the environment. This
+ file is considered to be part of the security policy, its
+ contents are not subject to other ssuuddoo environment
+ restrictions such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k.
+
+ exempt_group Users in this group are exempt from password and PATH
+ requirements. The group name specified should not include
+ a % prefix. This is not set by default.
+
+ fdexec Determines whether ssuuddoo will execute a command by its path
+ or by an open file descriptor. It has the following
+ possible values:
+
+ always Always execute by file descriptor.
+
+ never Never execute by file descriptor.
+
+ digest_only
+ Only execute by file descriptor if the command has
+ an associated digest in the _s_u_d_o_e_r_s file.
+
+ The default value is _d_i_g_e_s_t___o_n_l_y. This avoids a time of
+ check versus time of use race condition when the command is
+ located in a directory writable by the invoking user.
+
+ Note that _f_d_e_x_e_c will change the first element of the
+ argument vector for scripts ($0 in the shell) due to the
+ way the kernel runs script interpreters. Instead of being
+ a normal path, it will refer to a file descriptor. For
+ example, _/_d_e_v_/_f_d_/_4 on Solaris and _/_p_r_o_c_/_s_e_l_f_/_f_d_/_4 on Linux.
+ A workaround is to use the SUDO_COMMAND environment
+ variable instead.
+
+ The _f_d_e_x_e_c setting is only used when the command is matched
+ by path name. It has no effect if the command is matched
+ by the built-in AALLLL alias.
+
+ This setting is only supported by version 1.8.20 or higher.
+ If the operating system does not support the fexecve(2)
+ system call, this setting has no effect.
+
+ group_plugin A string containing a ssuuddooeerrss group plugin with optional
+ arguments. The string should consist of the plugin path,
+ either fully-qualified or relative to the
+ _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any
+ configuration arguments the plugin requires. These
+ arguments (if any) will be passed to the plugin's
+ initialization function. If arguments are present, the
+ string must be enclosed in double quotes ("").
+
+ For more information see _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S.
+
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following
+ possible values:
+
+ always Always lecture the user.
+
+ never Never lecture the user.
+
+ once Only lecture the user the first time they run ssuuddoo.
+
+ If no value is specified, a value of _o_n_c_e is implied.
+ Negating the option results in a value of _n_e_v_e_r being used.
+ The default value is _o_n_c_e.
+
+ lecture_file Path to a file containing an alternate ssuuddoo lecture that
+ will be used in place of the standard lecture if the named
+ file exists. By default, ssuuddoo uses a built-in lecture.
+
+ listpw This option controls when a password will be required when
+ a user runs ssuuddoo with the --ll option. It has the following
+ possible values:
+
+ all All the user's _s_u_d_o_e_r_s file entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
+
+ always The user must always enter a password to use the
+ --ll option.
+
+ any At least one of the user's _s_u_d_o_e_r_s file entries
+ for the current host must have the NOPASSWD flag
+ set to avoid entering a password.
+
+ never The user need never enter a password to use the
+ --ll option.
+
+ If no value is specified, a value of _a_n_y is implied.
+ Negating the option results in a value of _n_e_v_e_r being used.
+ The default value is _a_n_y.
+
+ logfile Path to the ssuuddoo log file (not the syslog log file).
+ Setting a path turns on logging to a file; negating this
+ option turns it off. By default, ssuuddoo logs via syslog.
+
+ mailerflags Flags to use when invoking mailer. Defaults to --tt.
+
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
+
+ mailfrom Address to use for the "from" address when sending warning
+ and error mail. The address should be enclosed in double
+ quotes ("") to protect against ssuuddoo interpreting the @
+ sign. Defaults to the name of the user running ssuuddoo.
+
+ mailto Address to send warning and error mail to. The address
+ should be enclosed in double quotes ("") to protect against
+ ssuuddoo interpreting the @ sign. Defaults to root.
+
+ restricted_env_file
+ The _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e option specifies the fully
+ qualified path to a file containing variables to be set in
+ the environment of the program being run. Entries in this
+ file should either be of the form "VARIABLE=value" or
+ "export VARIABLE=value". The value may optionally be
+ surrounded by single or double quotes. Variables in this
+ file are only added if the variable does not already exist
+ in the environment. Unlike _e_n_v___f_i_l_e, the file's contents
+ are not trusted and are processed in a manner similar to
+ that of the invoking user's environment. If _e_n_v___r_e_s_e_t is
+ enabled, variables in the file will only be added if they
+ are matched by either the _e_n_v___c_h_e_c_k or _e_n_v___k_e_e_p list. If
+ _e_n_v___r_e_s_e_t is disabled, variables in the file are added as
+ long as they are not matched by the _e_n_v___d_e_l_e_t_e list. In
+ either case, the contents of _r_e_s_t_r_i_c_t_e_d___e_n_v___f_i_l_e are
+ processed before the contents of _e_n_v___f_i_l_e.
+
+ secure_path Path used for every command run from ssuuddoo. If you don't
+ trust the people running ssuuddoo to have a sane PATH
+ environment variable you may want to use this. Another use
+ is if you want to have the "root path" be separate from the
+ "user path". Users in the group specified by the
+ _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
+ option is not set by default.
+
+ syslog Syslog facility if syslog is being used for logging (negate
+ to disable syslog logging). Defaults to auth.
+
+ The following syslog facilities are supported: aauutthhpprriivv (if
+ your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11,
+ llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77.
+
+ syslog_badpri
+ Syslog priority to use when the user is not allowed to run
+ a command or when authentication is unsuccessful. Defaults
+ to alert.
+
+ The following syslog priorities are supported: aalleerrtt, ccrriitt,
+ ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, wwaarrnniinngg, and nnoonnee.
+ Negating the option or setting it to a value of nnoonnee will
+ disable logging of unsuccessful commands.
+
+ syslog_goodpri
+ Syslog priority to use when the user is allowed to run a
+ command and authentication is successful. Defaults to
+ notice.
+
+ See _s_y_s_l_o_g___b_a_d_p_r_i for the list of supported syslog
+ priorities. Negating the option or setting it to a value
+ of nnoonnee will disable logging of successful commands.
+
+ verifypw This option controls when a password will be required when
+ a user runs ssuuddoo with the --vv option. It has the following
+ possible values:
+
+ all All the user's _s_u_d_o_e_r_s file entries for the current
+ host must have the NOPASSWD flag set to avoid
+ entering a password.
+
+ always The user must always enter a password to use the --vv
+ option.
+
+ any At least one of the user's _s_u_d_o_e_r_s file entries for
+ the current host must have the NOPASSWD flag set to
+ avoid entering a password.
+
+ never The user need never enter a password to use the --vv
+ option.
+
+ If no value is specified, a value of _a_l_l is implied.
+ Negating the option results in a value of _n_e_v_e_r being used.
+ The default value is _a_l_l.
+
+ LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
+
+ env_check Environment variables to be removed from the user's
+ environment unless they are considered "safe". For all
+ variables except TZ, "safe" means that the variable's
+ value does not contain any `%' or `/' characters. This
+ can be used to guard against printf-style format
+ vulnerabilities in poorly-written programs. The TZ
+ variable is considered unsafe if any of the following
+ are true:
+
+ ++oo It consists of a fully-qualified path name,
+ optionally prefixed with a colon (`:'), that does
+ not match the location of the _z_o_n_e_i_n_f_o directory.
+
+ ++oo It contains a _._. path element.
+
+ ++oo It contains white space or non-printable characters.
+
+ ++oo It is longer than the value of PATH_MAX.
+
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively.
+ Regardless of whether the env_reset option is enabled
+ or disabled, variables specified by env_check will be
+ preserved in the environment if they pass the
+ aforementioned check. The global list of environment
+ variables to check is displayed when ssuuddoo is run by
+ root with the --VV option.
+
+ env_delete Environment variables to be removed from the user's
+ environment when the _e_n_v___r_e_s_e_t option is not in effect.
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively. The
+ global list of environment variables to remove is
+ displayed when ssuuddoo is run by root with the --VV option.
+ Note that many operating systems will remove
+ potentially dangerous variables from the environment of
+ any setuid process (such as ssuuddoo).
+
+ env_keep Environment variables to be preserved in the user's
+ environment when the _e_n_v___r_e_s_e_t option is in effect.
+ This allows fine-grained control over the environment
+ ssuuddoo-spawned processes will receive. The argument may
+ be a double-quoted, space-separated list or a single
+ value without double-quotes. The list can be replaced,
+ added to, deleted from, or disabled by using the =, +=,
+ -=, and ! operators respectively. The global list of
+ variables to keep is displayed when ssuuddoo is run by root
+ with the --VV option.
+
+GGRROOUUPP PPRROOVVIIDDEERR PPLLUUGGIINNSS
+ The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix
+ group lookups which can query a group source other than the standard Unix
+ group database. This can be used to implement support for the
+ nonunix_group syntax described earlier.
+
+ Group provider plugins are specified via the _g_r_o_u_p___p_l_u_g_i_n Defaults
+ setting. The argument to _g_r_o_u_p___p_l_u_g_i_n should consist of the plugin path,
+ either fully-qualified or relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o
+ directory, followed by any configuration options the plugin requires.
+ These options (if specified) will be passed to the plugin's
+ initialization function. If options are present, the string must be
+ enclosed in double quotes ("").
+
+ The following group provider plugins are installed by default:
+
+ group_file
+ The _g_r_o_u_p___f_i_l_e plugin supports an alternate group file that
+ uses the same syntax as the _/_e_t_c_/_g_r_o_u_p file. The path to the
+ group file should be specified as an option to the plugin. For
+ example, if the group file to be used is _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p:
+
+ Defaults group_plugin="group_file.so /etc/sudo-group"
+
+ system_group
+ The _s_y_s_t_e_m___g_r_o_u_p plugin supports group lookups via the standard
+ C library functions ggeettggrrnnaamm() and ggeettggrriidd(). This plugin can
+ be used in instances where the user belongs to groups not
+ present in the user's supplemental group vector. This plugin
+ takes no options:
+
+ Defaults group_plugin=system_group.so
+
+ The group provider plugin API is described in detail in sudo_plugin(4).
+
+LLOOGG FFOORRMMAATT
+ ssuuddooeerrss can log events using either syslog(3) or a simple log file. The
+ log format is almost identical in both cases.
+
+ AAcccceepptteedd ccoommmmaanndd lloogg eennttrriieess
+ Commands that sudo runs are logged using the following format (split into
+ multiple lines for readability):
+
+ date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
+ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
+ ENV=env_vars COMMAND=command
+
+ Where the fields are as follows:
+
+ date The date the command was run. Typically, this is in the
+ format "MMM, DD, HH:MM:SS". If logging via syslog(3), the
+ actual date format is controlled by the syslog daemon. If
+ logging to a file and the _l_o_g___y_e_a_r option is enabled, the
+ date will also include the year.
+
+ hostname The name of the host ssuuddoo was run on. This field is only
+ present when logging via syslog(3).
+
+ progname The name of the program, usually _s_u_d_o or _s_u_d_o_e_d_i_t. This
+ field is only present when logging via syslog(3).
+
+ username The login name of the user who ran ssuuddoo.
+
+ ttyname The short name of the terminal (e.g., "console", "tty01",
+ or "pts/0") ssuuddoo was run on, or "unknown" if there was no
+ terminal present.
+
+ cwd The current working directory that ssuuddoo was run in.
+
+ runasuser The user the command was run as.
+
+ runasgroup The group the command was run as if one was specified on
+ the command line.
+
+ logid An I/O log identifier that can be used to replay the
+ command's output. This is only present when the _l_o_g___i_n_p_u_t
+ or _l_o_g___o_u_t_p_u_t option is enabled.
+
+ env_vars A list of environment variables specified on the command
+ line, if specified.
+
+ command The actual command that was executed.
+
+ Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which
+ defaults to the "C" locale.
+
+ DDeenniieedd ccoommmmaanndd lloogg eennttrriieess
+ If the user is not allowed to run the command, the reason for the denial
+ will follow the user name. Possible reasons include:
+
+ user NOT in sudoers
+ The user is not listed in the _s_u_d_o_e_r_s file.
+
+ user NOT authorized on host
+ The user is listed in the _s_u_d_o_e_r_s file but is not allowed to run
+ commands on the host.
+
+ command not allowed
+ The user is listed in the _s_u_d_o_e_r_s file for the host but they are not
+ allowed to run the specified command.
+
+ 3 incorrect password attempts
+ The user failed to enter their password after 3 tries. The actual
+ number of tries will vary based on the number of failed attempts and
+ the value of the _p_a_s_s_w_d___t_r_i_e_s option.
+
+ a password is required
+ ssuuddoo's --nn option was specified but a password was required.
+
+ sorry, you are not allowed to set the following environment variables
+ The user specified environment variables on the command line that were
+ not allowed by _s_u_d_o_e_r_s.
+
+ EErrrroorr lloogg eennttrriieess
+ If an error occurs, ssuuddooeerrss will log a message and, in most cases, send a
+ message to the administrator via email. Possible errors include:
+
+ parse error in /etc/sudoers near line N
+ ssuuddooeerrss encountered an error when parsing the specified file. In some
+ cases, the actual error may be one line above or below the line number
+ listed, depending on the type of error.
+
+ problem with defaults entries
+ The _s_u_d_o_e_r_s file contains one or more unknown Defaults settings. This
+ does not prevent ssuuddoo from running, but the _s_u_d_o_e_r_s file should be
+ checked using vviissuuddoo.
+
+ timestamp owner (username): No such user
+ The time stamp directory owner, as specified by the _t_i_m_e_s_t_a_m_p_o_w_n_e_r
+ setting, could not be found in the password database.
+
+ unable to open/read /etc/sudoers
+ The _s_u_d_o_e_r_s file could not be opened for reading. This can happen
+ when the _s_u_d_o_e_r_s file is located on a remote file system that maps
+ user ID 0 to a different value. Normally, ssuuddooeerrss tries to open the
+ _s_u_d_o_e_r_s file using group permissions to avoid this problem. Consider
+ either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument
+ like "sudoers_uid=N" (where `N' is the user ID that owns the _s_u_d_o_e_r_s
+ file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file.
+
+ unable to stat /etc/sudoers
+ The _/_e_t_c_/_s_u_d_o_e_r_s file is missing.
+
+ /etc/sudoers is not a regular file
+ The _/_e_t_c_/_s_u_d_o_e_r_s file exists but is not a regular file or symbolic
+ link.
+
+ /etc/sudoers is owned by uid N, should be 0
+ The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the
+ _s_u_d_o_e_r_s file owner, please add "sudoers_uid=N" (where `N' is the user
+ ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the
+ sudo.conf(4) file.
+
+ /etc/sudoers is world writable
+ The permissions on the _s_u_d_o_e_r_s file allow all users to write to it.
+ The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is
+ 0440 (readable by owner and group, writable by none). The default
+ mode may be changed via the "sudoers_mode" option to the ssuuddooeerrss
+ Plugin line in the sudo.conf(4) file.
+
+ /etc/sudoers is owned by gid N, should be 1
+ The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change
+ the _s_u_d_o_e_r_s file group ownership, please add "sudoers_gid=N" (where
+ `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin
+ line in the sudo.conf(4) file.
+
+ unable to open /var/run/sudo/ts/username
+ ssuuddooeerrss was unable to read or create the user's time stamp file. This
+ can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and
+ the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The
+ default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711.
+
+ unable to write to /var/run/sudo/ts/username
+ ssuuddooeerrss was unable to write to the user's time stamp file.
+
+ /var/run/sudo/ts is owned by uid X, should be Y
+ The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r.
+ This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed.
+ ssuuddooeerrss will ignore the time stamp directory until the owner is
+ corrected.
+
+ /var/run/sudo/ts is group writable
+ The time stamp directory is group-writable; it should be writable only
+ by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is
+ 0700. ssuuddooeerrss will ignore the time stamp directory until the mode is
+ corrected.
+
+ NNootteess oonn llooggggiinngg vviiaa ssyysslloogg
+ By default, ssuuddooeerrss logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and
+ _p_r_o_g_n_a_m_e fields are added by the system's ssyysslloogg() function, not ssuuddooeerrss
+ itself. As such, they may vary in format on different systems.
+
+ The maximum size of syslog messages varies from system to system. The
+ _s_y_s_l_o_g___m_a_x_l_e_n setting can be used to change the maximum syslog message
+ size from the default value of 980 bytes. For more information, see the
+ description of _s_y_s_l_o_g___m_a_x_l_e_n.
+
+ NNootteess oonn llooggggiinngg ttoo aa ffiillee
+ If the _l_o_g_f_i_l_e option is set, ssuuddooeerrss will log to a local file, such as
+ _/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, ssuuddooeerrss uses a format similar to
+ syslog(3), with a few important differences:
+
+ 1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present.
+
+ 2. If the _l_o_g___y_e_a_r option is enabled, the date will also include the
+ year.
+
+ 3. Lines that are longer than _l_o_g_l_i_n_e_l_e_n characters (80 by default) are
+ word-wrapped and continued on the next line with a four character
+ indent. This makes entries easier to read for a human being, but
+ makes it more difficult to use grep(1) on the log files. If the
+ _l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap
+ will be disabled.
+
+II//OO LLOOGG FFIILLEESS
+ When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty
+ and log all user input and/or output, depending on which options are
+ enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r
+ option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is
+ included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e
+ option may be used to control the format of the session ID.
+
+ Each I/O log is stored in a separate directory that contains the
+ following files:
+
+ _l_o_g a text file containing the time the command was run, the name
+ of the user who ran ssuuddoo, the name of the target user, the name
+ of the target group (optional), the terminal that ssuuddoo was run
+ from, the number of rows and columns of the terminal, the
+ working directory the command was run from and the path name of
+ the command itself (with arguments if present)
+
+ _t_i_m_i_n_g a log of the amount of time between, and the number of bytes
+ in, each I/O log entry (used for session playback)
+
+ _t_t_y_i_n input from the user's tty (what the user types)
+
+ _s_t_d_i_n input from a pipe or file
+
+ _t_t_y_o_u_t output from the pseudo-tty (what the command writes to the
+ screen)
+
+ _s_t_d_o_u_t standard output to a pipe or redirected to a file
+
+ _s_t_d_e_r_r standard error to a pipe or redirected to a file
+
+ All files other than _l_o_g are compressed in gzip format unless the
+ _c_o_m_p_r_e_s_s___i_o flag has been disabled. Due to buffering, it is not normally
+ possible to display the I/O logs in real-time as the program is executing
+ The I/O log data will not be complete until the program run by ssuuddoo has
+ exited or has been terminated by a signal. The _i_o_l_o_g___f_l_u_s_h flag can be
+ used to disable buffering, in which case I/O log data is written to disk
+ as soon as it is available. The output portion of an I/O log file can be
+ viewed with the sudoreplay(1m) utility, which can also be used to list or
+ search the available logs.
+
+ Note that user input may contain sensitive information such as passwords
+ (even if they are not echoed to the screen), which will be stored in the
+ log file unencrypted. In most cases, logging the command output via
+ _l_o_g___o_u_t_p_u_t or LOG_OUTPUT is all that is required.
+
+ Since each session's I/O logs are stored in a separate directory,
+ traditional log rotation utilities cannot be used to limit the number of
+ I/O logs. The simplest way to limit the number of I/O is by setting the
+ _m_a_x_s_e_q option to the maximum number of logs you wish to store. Once the
+ I/O log sequence number reaches _m_a_x_s_e_q, it will be reset to zero and
+ ssuuddooeerrss will truncate and re-use any existing I/O logs.
+
+FFIILLEESS
+ _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration
+
+ _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
+
+ _/_e_t_c_/_g_r_o_u_p Local groups file
+
+ _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups
+
+ _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
+
+ _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the
+ ssuuddooeerrss security policy
+
+ _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for
+ the ssuuddooeerrss security policy
+
+ _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and
+ Linux systems
+
+EEXXAAMMPPLLEESS
+ Below are example _s_u_d_o_e_r_s file entries. Admittedly, some of these are a
+ bit contrived. First, we allow a few environment variables to pass and
+ then define our _a_l_i_a_s_e_s:
+
+ # Run X applications through sudo; HOME is used to find the
+ # .Xauthority file. Note that other programs use HOME to find
+ # configuration files and this may lead to privilege escalation!
+ Defaults env_keep += "DISPLAY HOME"
+
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
+
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore,\
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+ /home/operator/bin/start_backups
+ Cmnd_Alias KILL = /usr/bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
+ /usr/local/bin/tcsh, /usr/bin/rsh,\
+ /usr/local/bin/zsh
+ Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+
+ Here we override some of the compiled in default values. We want ssuuddoo to
+ log via syslog(3) using the _a_u_t_h facility in all cases. We don't want to
+ subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not
+ give a password, and we don't want to reset the LOGNAME or USER
+ environment variables when running commands as root. Additionally, on
+ the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log
+ file and make sure we log the year in each log line since the log entries
+ will be kept around for several years. Lastly, we disable shell escapes
+ for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and
+ _/_u_s_r_/_b_i_n_/_l_e_s_s). Note that this will not effectively constrain users with
+ ssuuddoo AALLLL privileges.
+
+ # Override built-in defaults
+ Defaults syslog=auth
+ Defaults>root !set_logname
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
+
+ The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run
+ what.
+
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
+
+ We let rroooott and any user in group wwhheeeell run any command on any host as
+ any user.
+
+ FULLTIMERS ALL = NOPASSWD: ALL
+
+ Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on
+ any host without authenticating themselves.
+
+ PARTTIMERS ALL = ALL
+
+ Part time sysadmins bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any
+ host but they must authenticate themselves first (since the entry lacks
+ the NOPASSWD tag).
+
+ jack CSNETS = ALL
+
+ The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
+ networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
+ indicating it is a class C network. For the other networks in _C_S_N_E_T_S,
+ the local machine's netmask will be used during matching.
+
+ lisa CUNETS = ALL
+
+ The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the
+ class B network 128.138.0.0).
+
+ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+ sudoedit /etc/printcap, /usr/oper/bin/
+
+ The ooppeerraattoorr user may run commands limited to simple maintenance. Here,
+ those are commands related to backups, killing processes, the printing
+ system, shutting down the system, and any commands in the directory
+ _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a
+ sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s. This is because the
+ directory containing the script is writable by the operator user. If the
+ script is modified (resulting in a digest mismatch) it will no longer be
+ possible to run it via ssuuddoo.
+
+ joe ALL = /usr/bin/su operator
+
+ The user jjooee may only su(1) to operator.
+
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
+
+ %opers ALL = (: ADMINGRP) /usr/sbin/
+
+ Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves
+ with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups).
+
+ The user ppeettee is allowed to change anyone's password except for root on
+ the _H_P_P_A machines. Because command line arguments are matched as a
+ single, concatenated string, the `*' wildcard will match _m_u_l_t_i_p_l_e words.
+ This example assumes that passwd(1) does not take multiple user names on
+ the command line. Note that on GNU systems, options to passwd(1) may be
+ specified after the user argument. As a result, this rule will also
+ allow:
+
+ passwd username --expire
+
+ which may not be desirable.
+
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
+
+ The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user
+ listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr.)
+
+ jim +biglab = ALL
+
+ The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup.
+ ssuuddoo knows that "biglab" is a netgroup due to the `+' prefix.
+
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+
+ Users in the sseeccrreettaarriieess netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
+ on all machines.
+
+ fred ALL = (DB) NOPASSWD: ALL
+
+ The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee
+ or ssyybbaassee) without giving a password.
+
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
+ On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is
+ not allowed to specify any options to the su(1) command.
+
+ jen ALL, !SERVERS = ALL
+
+ The user jjeenn may run any command on any machine except for those in the
+ _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns).
+
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
+
+ For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in
+ the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and
+ _S_H_E_L_L_S Cmnd_Aliases. While not specifically mentioned in the rule, the
+ commands in the _P_A_G_E_R_S Cmnd_Alias all reside in _/_u_s_r_/_b_i_n and have the
+ _n_o_e_x_e_c option set.
+
+ steve CSNETS = (operator) /usr/local/op_commands/
+
+ The user sstteevvee may run any command in the directory
+ /usr/local/op_commands/ but only as user operator.
+
+ matt valkyrie = KILL
+
+ On his personal workstation, valkyrie, mmaatttt needs to be able to kill hung
+ processes.
+
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+
+ On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, and
+ wim), may run any command as user www (which owns the web pages) or
+ simply su(1) to www.
+
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+ Any user may mount or unmount a CD-ROM on the machines in the CDROM
+ Host_Alias (orion, perseus, hercules) without entering a password. This
+ is a bit tedious for users to type, so it is a prime candidate for
+ encapsulating in a shell script.
+
+SSEECCUURRIITTYY NNOOTTEESS
+ LLiimmiittaattiioonnss ooff tthhee ``!!'' ooppeerraattoorr
+ It is generally not effective to "subtract" commands from AALLLL using the
+ `!' operator. A user can trivially circumvent this by copying the
+ desired command to a different name and then executing that. For
+ example:
+
+ bill ALL = ALL, !SU, !SHELLS
+
+ Doesn't really prevent bbiillll from running the commands listed in _S_U or
+ _S_H_E_L_L_S since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
+ kind of restrictions should be considered advisory at best (and
+ reinforced by policy).
+
+ In general, if a user has sudo AALLLL there is nothing to prevent them from
+ creating their own program that gives them a root shell (or making their
+ own copy of a shell) regardless of any `!' elements in the user
+ specification.
+
+ SSeeccuurriittyy iimmpplliiccaattiioonnss ooff _f_a_s_t___g_l_o_b
+ If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate
+ commands where the path name includes globbing (aka wildcard) characters.
+ This is because the C library's fnmatch(3) function cannot resolve
+ relative paths. While this is typically only an inconvenience for rules
+ that grant privileges, it can result in a security issue for rules that
+ subtract or revoke privileges.
+
+ For example, given the following _s_u_d_o_e_r_s file entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by
+ changing to _/_u_s_r_/_b_i_n and running ./passwd root instead.
+
+ PPrreevveennttiinngg sshheellll eessccaappeess
+ Once ssuuddoo executes a program, that program is free to do whatever it
+ pleases, including run other programs. This can be a security issue
+ since it is not uncommon for a program to allow shell escapes, which lets
+ a user bypass ssuuddoo's access control and logging. Common programs that
+ permit shell escapes include shells (obviously), editors, paginators,
+ mail and terminal programs.
+
+ There are two basic approaches to this problem:
+
+ restrict Avoid giving users access to commands that allow the user to
+ run arbitrary commands. Many editors have a restricted mode
+ where shell escapes are disabled, though ssuuddooeeddiitt is a better
+ solution to running editors via ssuuddoo. Due to the large number
+ of programs that offer shell escapes, restricting users to the
+ set of programs that do not is often unworkable.
+
+ noexec Many systems that support shared libraries have the ability to
+ override default library functions by pointing an environment
+ variable (usually LD_PRELOAD) to an alternate shared library.
+ On such systems, ssuuddoo's _n_o_e_x_e_c functionality can be used to
+ prevent a program run by ssuuddoo from executing any other
+ programs. Note, however, that this applies only to native
+ dynamically-linked executables. Statically-linked executables
+ and foreign executables running under binary emulation are not
+ affected.
+
+ The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD,
+ Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and
+ above. It should be supported on most operating systems that
+ support the LD_PRELOAD environment variable. Check your
+ operating system's manual pages for the dynamic linker (usually
+ ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
+ LD_PRELOAD is supported.
+
+ On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges
+ instead of the LD_PRELOAD environment variable.
+
+ To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as
+ documented in the User Specification section above. Here is
+ that example again:
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i
+ with _n_o_e_x_e_c enabled. This will prevent those two commands from
+ executing other commands (such as a shell). If you are unsure
+ whether or not your system is capable of supporting _n_o_e_x_e_c you
+ can always just try it out and check whether shell escapes work
+ when _n_o_e_x_e_c is enabled.
+
+ Note that restricting shell escapes is not a panacea. Programs running
+ as root are still capable of many potentially hazardous operations (such
+ as changing or overwriting files) that could lead to unintended privilege
+ escalation. In the specific case of an editor, a safer approach is to
+ give the user permission to run ssuuddooeeddiitt (see below).
+
+ SSeeccuurree eeddiittiinngg
+ The ssuuddooeerrss plugin includes ssuuddooeeddiitt support which allows users to
+ securely edit files with the editor of their choice. As ssuuddooeeddiitt is a
+ built-in command, it must be specified in the _s_u_d_o_e_r_s file without a
+ leading path. However, it may take command line arguments just as a
+ normal command does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments
+ are expected to be path names, so a forward slash (`/') will not be
+ matched by a wildcard.
+
+ Unlike other ssuuddoo commands, the editor is run with the permissions of the
+ invoking user and with the environment unmodified. More information may
+ be found in the description of the --ee option in sudo(1m).
+
+ For example, to allow user operator to edit the "message of the day"
+ file:
+
+ operator sudoedit /etc/motd
+
+ The operator user then runs ssuuddooeeddiitt as follows:
+
+ $ sudoedit /etc/motd
+
+ The editor will run as the operator user, not root, on a temporary copy
+ of _/_e_t_c_/_m_o_t_d. After the file has been edited, _/_e_t_c_/_m_o_t_d will be updated
+ with the contents of the temporary copy.
+
+ Users should _n_e_v_e_r be granted ssuuddooeeddiitt permission to edit a file that
+ resides in a directory the user has write access to, either directly or
+ via a wildcard. If the user has write access to the directory it is
+ possible to replace the legitimate file with a link to another file,
+ allowing the editing of arbitrary files. To prevent this, starting with
+ version 1.8.16, symbolic links will not be followed in writable
+ directories and ssuuddooeeddiitt will refuse to edit a file located in a writable
+ directory unless the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option has been disabled or the
+ invoking user is root. Additionally, in version 1.8.15 and higher,
+ ssuuddooeeddiitt will refuse to open a symbolic link unless either the
+ _s_u_d_o_e_d_i_t___f_o_l_l_o_w option is enabled or the _s_u_d_o_e_d_i_t command is prefixed
+ with the FOLLOW tag in the _s_u_d_o_e_r_s file.
+
+ TTiimmee ssttaammpp ffiillee cchheecckkss
+ ssuuddooeerrss will check the ownership of its time stamp directory
+ (_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it
+ is not owned by root or if it is writable by a user other than root.
+ Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer
+ recommended as it may be possible for a user to create the time stamp
+ themselves on systems that allow unprivileged users to change the
+ ownership of files they create.
+
+ While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all
+ systems contain a _/_r_u_n or _/_v_a_r_/_r_u_n directory. To avoid potential
+ problems, ssuuddooeerrss will ignore time stamp files that date from before the
+ machine booted on systems where the boot time is available.
+
+ Some systems with graphical desktop environments allow unprivileged users
+ to change the system clock. Since ssuuddooeerrss relies on the system clock for
+ time stamp validation, it may be possible on such systems for a user to
+ run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To
+ combat this, ssuuddooeerrss uses a monotonic clock (which never moves backwards)
+ for its time stamps if the system supports it.
+
+ ssuuddooeerrss will not honor time stamps set far in the future. Time stamps
+ with a date greater than current_time + 2 * TIMEOUT will be ignored and
+ ssuuddooeerrss will log and complain.
+
+ If the _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "tty", the time stamp record
+ includes the device number of the terminal the user authenticated with.
+ This provides per-terminal granularity but time stamp records may still
+ outlive the user's session.
+
+ Unless the _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "global", the time stamp
+ record also includes the session ID of the process that last
+ authenticated. This prevents processes in different terminal sessions
+ from using the same time stamp record. On systems where a process's
+ start time can be queried, the start time of the session leader is
+ recorded in the time stamp record. If no terminal is present or the
+ _t_i_m_e_s_t_a_m_p___t_y_p_e option is set to "ppid", the start time of the parent
+ process is used instead. In most cases this will prevent a time stamp
+ record from being re-used without the user entering a password when
+ logging out and back in again.
+
+DDEEBBUUGGGGIINNGG
+ Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible
+ debugging framework that can help track down what the plugin is doing
+ internally if there is a problem. This can be configured in the
+ sudo.conf(4) file.
+
+ The ssuuddooeerrss plugin uses the same debug flag format as the ssuuddoo front-end:
+ _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
+
+ The priorities used by ssuuddooeerrss, in order of decreasing severity, are:
+ _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority,
+ when specified, also includes all priorities higher than it. For
+ example, a priority of _n_o_t_i_c_e would include debug messages logged at
+ _n_o_t_i_c_e and higher.
+
+ The following subsystems are used by the ssuuddooeerrss plugin:
+
+ _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+
+ _a_l_l matches every subsystem
+
+ _a_u_d_i_t BSM and Linux audit code
+
+ _a_u_t_h user authentication
+
+ _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s file _D_e_f_a_u_l_t_s settings
+
+ _e_n_v environment handling
+
+ _l_d_a_p LDAP-based sudoers
+
+ _l_o_g_g_i_n_g logging support
+
+ _m_a_t_c_h matching of users, groups, hosts and netgroups in the _s_u_d_o_e_r_s
+ file
+
+ _n_e_t_i_f network interface handling
+
+ _n_s_s network service switch handling in ssuuddooeerrss
+
+ _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
+
+ _p_e_r_m_s permission setting
+
+ _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin.
+
+ _p_t_y pseudo-tty related code
+
+ _r_b_t_r_e_e redblack tree internals
+
+ _s_s_s_d SSSD-based sudoers
+
+ _u_t_i_l utility functions
+ For example:
+
+ Debug sudo /var/log/sudo_debug match@info,nss@info
+
+ For more information, see the sudo.conf(4) manual.
+
+SSEEEE AALLSSOO
+ ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
+ sudo_plugin(4), sudoers.ldap(4), sudoers_timestamp(4), sudo(1m), visudo(1m)
+
+AAUUTTHHOORRSS
+ Many people have worked on ssuuddoo over the years; this version consists of
+ code written primarily by:
+
+ Todd C. Miller
+
+ See the CONTRIBUTORS file in the ssuuddoo distribution
+ (https://www.sudo.ws/contributors.html) for an exhaustive list of people
+ who have contributed to ssuuddoo.
+
+CCAAVVEEAATTSS
+ The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which
+ locks the file and does grammatical checking. It is imperative that the
+ _s_u_d_o_e_r_s file be free of syntax errors since ssuuddoo will not run with a
+ syntactically incorrect _s_u_d_o_e_r_s file.
+
+ When using netgroups of machines (as opposed to users), if you store
+ fully qualified host name in the netgroup (as is usually the case), you
+ either need to have the machine's host name be fully qualified as
+ returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
+
+BBUUGGSS
+ If you feel you have found a bug in ssuuddoo, please submit a bug report at
+ https://bugzilla.sudo.ws/
+
+SSUUPPPPOORRTT
+ Limited free support is available via the sudo-users mailing list, see
+ https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+
+DDIISSCCLLAAIIMMEERR
+ ssuuddoo is provided "AS IS" and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with ssuuddoo or https://www.sudo.ws/license.html for
+ complete details.
+
+Sudo 1.8.26 December 20, 2018 Sudo 1.8.26
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-07 00:19:01 +0000