isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial revision

Browse Source
This commit is contained in:
Todd C. Miller
1996-01-21 04:47:08 +00:00
parent 75ef8ca4bb
commit 3c20fdea2b
1 changed files with 151 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
sudoers.pod Normal file
View File

@@ -0,0 +1,151 @@
=cut
$Id$
=pod
=head1 NAME
sudoers - list of which users may execute what as root
=head1 DESCRIPTION
The I<sudoers> file is composed of an optional host alias section,
an optional command alias section and the user specification section.
All command or host aliases need to start with their respective keywords
(ie: Host_Alias, User_Alias, or Cmnd_Alias).
If there are multiple occurrences of a user, the union of the entries
will be used.
=head2 user specification format:
user access_group [: access_group] ...
access_group ::= host_type = [op]cmnd_type [,[op]cmnd_type] ...
host_type ::= a lower\-case hostname, netgroup, ip address,
network number, or host alias.
cmnd_type ::= an command OR a command alias.
op ::= the logical '!' NOT operator.
=head2 host alias section format:
Host_Alias HOSTALIAS = host\-list
Host_Alias ::= a keyword.
HOSTALIAS ::= an upper\-case alias name.
host\-list ::= a comma separated list of hosts, netgroups,
ip addresses, networks.
=head2 user alias section format:
User_Alias USERALIAS = user\-list
User_Alias ::= a keyword.
USERALIAS ::= an upper\-case alias name.
user\-list ::= a comma separated list of users, groups and netgroups.
=head2 command alias section format:
Cmnd_Alias CMNDALIAS = cmnd\-list
Cmnd_Alias ::= a keyword.
CMNDALIAS ::= an upper\-case alias name.
cmnd\-list ::= a comma separated list commands.
=head2 command specification:
path arg1 arg2 .. argn = command
path ::= a fully qualified pathname.
arg[1..n] ::= optional command line arguments.
Text after a pound sign ('#') is considered a comment.
Words that begin with a percent sign ('%') are assumed to
be UN*X groups (%staff refers to users in the group "staff").
Words that begin with a plus sign ('+') are assumed to
be netgroups (+cshosts refers to the netgroup "cshosts").
Long lines can be newline escaped with the backslash '\\' character.
The reserved alias 'ALL' can be used for both {Host,User,Cmnd}_Alias.
DO NOT define an alias of 'ALL', it will NOT be used.
Note that 'ALL' implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/etc/halt...
Note that the '!' notation only works in a user's command list. You
may not use it to subtract elements in a User_Alias, Host_Alias, or
Cmnd_Alias.
Commands may have optional command line arguments. If they do,
then the arguments in the sudoers file must exactly match those
on the command line. It is also possible to have a command's
arguments span multiple lines as long as the line continuance
character '\\' is used. The following characters must be escaped
with a '\\' if used in command arguments: ',', ':', '=', '\\'.
=head1 EXAMPLES
# Host alias specification
Host_Alias HUB=houdini:\\
REMOTE=merlin,kodiakthorn,spirit
Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
Host_Alias CSNETS=128.138.243.0,128.138.204.0,\\
128.138.205.192
# User alias specification
User_Alias FULLTIME=millert,dowdy,mikef
User_Alias PARTTIME=juola,mccreary,tor
# Command alias specification
Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
Cmnd_Alias SU=/bin/su
Cmnd_Alias MISC=/bin/rm,/bin/cat:\\
SHUTDOWN=/etc/halt,/etc/shutdown
# User specification
FULLTIME ALL=ALL
%wheel ALL=ALL
PARTTIME ALL=ALL,!SHELLS,!SU
+interns +openlabs=ALL,!SHELLS,!SU
britt REMOTE=SHUTDOWN:ALL=LPCS
nieusma SERVERS=SHUTDOWN,/etc/reboot:\\
HUB=ALL,!SHELLS
jill houdini=/etc/shutdown -r now,MISC
markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
davehieb merlin=ALL:SERVERS=/etc/halt:\\
kodiakthorn=ALL
steve CSNETS=/usr/op_commands/,/bin/su operator
The above I<sudoers> file specification is composed of 4 host alias
specifications, 2 user alias specifications, 4 command alias
specifications and 8 user specifications. Full time staff (those
in the FULLTIME alias) and anyone in group "wheel" are allowed to
execute any command on any host. Part time staff (those in the PARTTIME
alias) are allowed to execute any command except for the group of SHELL
and SU commands on any machine. Britt is permitted to execute /etc/halt,
/etc/shutdown, /usr/etc/lpc and /usr/ucb/lprm on the REMOTE machines (merlin,
kodiakthorn, and spirit). Nieusma is allowed to run /etc/halt, /etc/shutdown,
and /etc/halt on all machines and all commands except for the group of SHELL
commands on the HUB machines. Jill is permitted to execute /etc/shutdown with
the "\-r now" flags, /bin/rm, and /bin/cat on houdini. Davehieb can execute
any command on machines merlin and kodiakthorn and can halt the SERVERS. Any
user in the netgroup "interns" may run any command on the machines in the
netgroup "openlabs" except for those commands in the groups SHELL and SU.
Steve can run any command located in the directory /usr/op_commands on all
machines on the subnets listed in CSNETS (note that the 128.138.192 net has
a netmask of 255.255.255.192 which is why its network number is
128.138.192.192). He may also su to operator but to no one else.
B<sudo> will do a logical and of a machine's ip address(es) with
its netmask to decide whether that machine is on a given network).
The I<sudoers> file should B<always> be edited by the B<visudo>
command which locks the file and does grammatical checking. It is
imperative that the I<sudoers> be free of syntax errors since sudo
will not run with a syntactically incorrect sudoers file.
=head1 FILES
F</etc/sudoers> file of authorized users.
F</etc/netgroup> list of network groups
=head1 SEE ALSO
sudo(8), visudo(8), su(1).