This commit is contained in:
Todd C. Miller
2007-09-05 22:50:55 +00:00
parent 6e05465b97
commit a06ae77c5a
2 changed files with 275 additions and 209 deletions


@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.7 August 15, 2007 1 1.7 September 5, 2007 1
@@ -105,29 +105,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
User ',' User_List User ',' User_List
User ::= '!'* username | User ::= '!'* username |
'!'* '#'uid |
'!'* '%'group | '!'* '%'group |
'!'* '+'netgroup | '!'* '+'netgroup |
'!'* User_Alias '!'* User_Alias
A User_List is made up of one or more usernames, system A User_List is made up of one or more usernames, uids
groups (prefixed with '%'), netgroups (prefixed with '+') (prefixed with '#'), system groups (prefixed with '%'),
and other aliases. Each list item may be prefixed with netgroups (prefixed with '+') and User_Aliases. Each list
one or more '!' operators. An odd number of '!' operators item may be prefixed with zero or more '!' operators. An
negate the value of the item; an even number just cancel odd number of '!' operators negate the value of the item;
each other out. an even number just cancel each other out.
Runas_List ::= Runas_User | Runas_List ::= Runas_User |
Runas_User ',' Runas_List Runas_User ',' Runas_List
Runas_User ::= '!'* username |
'!'* '#'uid |
'!'* '%'group |
'!'* +netgroup |
'!'* Runas_Alias
1.7 August 15, 2007 2
1.7 September 5, 2007 2
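Review bot: the netgroup alternative in the Runas_User production at the end of this hunk is written `'!'* +netgroup |`, while the User production at the top of the hunk quotes the prefix as `'!'* '+'netgroup |`; the two grammars should quote the literal the same way, so `+netgroup` should become `'+'netgroup` in the Runas_User block (fix it in the roff source this page is generated from, then regenerate the cat page).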
@@ -136,9 +136,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
A Runas_List is similar to a User_List except that it can Runas_User ::= '!'* username |
also contain uids (prefixed with '#') and instead of '!'* '#'uid |
User_Aliases it can contain Runas_Aliases. Note that '!'* '%'group |
'!'* +netgroup |
'!'* Runas_Alias
A Runas_List is similar to a User_List except that instead
of User_Aliases it can contain Runas_Aliases. Note that
usernames and groups are matched as strings. In other usernames and groups are matched as strings. In other
words, two users (groups) with the same uid (gid) are con- words, two users (groups) with the same uid (gid) are con-
sidered to be distinct. If you wish to match all user- sidered to be distinct. If you wish to match all user-
@@ -185,15 +190,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
A Cmnd_List is a list of one or more commandnames, direc- A Cmnd_List is a list of one or more commandnames, direc-
tories, and other aliases. A commandname is a fully qual- tories, and other aliases. A commandname is a fully qual-
ified filename which may include shell-style wildcards ified filename which may include shell-style wildcards
(see the Wildcards section below). A simple filename
allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
1.7 August 15, 2007 3 1.7 September 5, 2007 3
@@ -202,6 +202,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
(see the Wildcards section below). A simple filename
allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
wwiitthhoouutt command line arguments. A directory is a fully wwiitthhoouutt command line arguments. A directory is a fully
qualified pathname ending in a '/'. When you specify a qualified pathname ending in a '/'. When you specify a
directory in a Cmnd_List, the user will be able to run any directory in a Cmnd_List, the user will be able to run any
@@ -230,10 +235,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
reference that instead. reference that instead.
Default_Type ::= 'Defaults' | Default_Type ::= 'Defaults' |
'Defaults' '@' Host | 'Defaults' '@' Host_List |
'Defaults' ':' User | 'Defaults' ':' User_List |
'Defaults' '!' Cmnd | 'Defaults' '!' Cmnd_List |
'Defaults' '>' RunasUser 'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List Default_Entry ::= Default_Type Parameter_List
@@ -251,15 +256,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
parameters may also be used in a boolean context to dis- parameters may also be used in a boolean context to dis-
able them. Values may be enclosed in double quotes (") able them. Values may be enclosed in double quotes (")
when they contain multiple words. Special characters may when they contain multiple words. Special characters may
be escaped with a backslash (\).
Lists have two additional assignment operators, += and -=.
These operators are used to add to and delete from a list
respectively. It is not an error to use the -= operator
1.7 August 15, 2007 4 1.7 September 5, 2007 4
@@ -268,6 +268,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
be escaped with a backslash (\).
Lists have two additional assignment operators, += and -=.
These operators are used to add to and delete from a list
respectively. It is not an error to use the -= operator
to remove an element that does not exist in a list. to remove an element that does not exist in a list.
See "SUDOERS OPTIONS" for a list of supported Defaults See "SUDOERS OPTIONS" for a list of supported Defaults
@@ -317,15 +322,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
1.7 September 5, 2007 5
1.7 August 15, 2007 5
@@ -334,6 +334,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
TTaagg__SSppeecc TTaagg__SSppeecc
A command may have zero or more tags associated with it. A command may have zero or more tags associated with it.
@@ -386,12 +388,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will
work on your system.
1.7 August 15, 2007 6 1.7 September 5, 2007 6
@@ -400,6 +400,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
details on how NOEXEC works and whether or not it will
work on your system.
_S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
These tags override the value of the _s_e_t_e_n_v option on a These tags override the value of the _s_e_t_e_n_v option on a
@@ -451,13 +454,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
It is possible to include other _s_u_d_o_e_r_s files from within It is possible to include other _s_u_d_o_e_r_s files from within
the _s_u_d_o_e_r_s file currently being parsed using the #include the _s_u_d_o_e_r_s file currently being parsed using the #include
directive, similar to the one used by the C preprocessor. directive, similar to the one used by the C preprocessor.
This is useful, for example, for keeping a site-wide _s_u_d_o_-
_e_r_s file in addition to a per-machine local one. For the
sake of this example the site-wide _s_u_d_o_e_r_s will be
1.7 August 15, 2007 7 1.7 September 5, 2007 7
@@ -466,6 +466,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This is useful, for example, for keeping a site-wide _s_u_d_o_-
_e_r_s file in addition to a per-machine local one. For the
sake of this example the site-wide _s_u_d_o_e_r_s will be
_/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_- _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_-
_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_- _e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_-
_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: _e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
@@ -516,14 +519,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
('\') when used as part of a word (e.g. a username or ('\') when used as part of a word (e.g. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'. hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
SSUUDDOOEERRSS OOPPTTIIOONNSS
ssuuddoo's behavior can be modified by Default_Entry lines, as
explained earlier. A list of all supported Defaults
parameters, grouped by type, are listed below.
1.7 August 15, 2007 8
1.7 September 5, 2007 8
@@ -532,6 +532,11 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSUUDDOOEERRSS OOPPTTIIOONNSS
ssuuddoo's behavior can be modified by Default_Entry lines, as
explained earlier. A list of all supported Defaults
parameters, grouped by type, are listed below.
FFllaaggss: FFllaaggss:
always_set_home If set, ssuuddoo will set the HOME environment always_set_home If set, ssuuddoo will set the HOME environment
@@ -581,15 +586,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default. default.
fqdn Set this flag if you want to put fully fqdn Set this flag if you want to put fully
qualified hostnames in the _s_u_d_o_e_r_s file.
I.e., instead of myhost you would use
myhost.mydomain.edu. You may still use
the short form if you wish (and even mix
the two). Beware that turning on _f_q_d_n
1.7 August 15, 2007 9 1.7 September 5, 2007 9
@@ -598,6 +598,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
qualified hostnames in the _s_u_d_o_e_r_s file.
I.e., instead of myhost you would use
myhost.mydomain.edu. You may still use
the short form if you wish (and even mix
the two). Beware that turning on _f_q_d_n
requires ssuuddoo to make DNS lookups which requires ssuuddoo to make DNS lookups which
may make ssuuddoo unusable if DNS stops work- may make ssuuddoo unusable if DNS stops work-
ing (for example if the machine is not ing (for example if the machine is not
@@ -647,15 +652,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
flag is _o_f_f by default. flag is _o_f_f by default.
long_otp_prompt When validating with a One Time Password long_otp_prompt When validating with a One Time Password
(OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two-
line prompt is used to make it easier to
cut and paste the challenge to a local
window. It's not as pretty as the default
but some people find it more convenient.
1.7 August 15, 2007 10 1.7 September 5, 2007 10
@@ -664,6 +664,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
(OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two-
line prompt is used to make it easier to
cut and paste the challenge to a local
window. It's not as pretty as the default
but some people find it more convenient.
This flag is _o_f_f by default. This flag is _o_f_f by default.
mail_always Send mail to the _m_a_i_l_t_o user every time a mail_always Send mail to the _m_a_i_l_t_o user every time a
@@ -713,15 +718,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
preserve_groups By default ssuuddoo will initialize the group preserve_groups By default ssuuddoo will initialize the group
vector to the list of groups the target vector to the list of groups the target
user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set,
the user's existing group vector is left
unaltered. The real and effective group
IDs, however, are still set to match the
target user. This flag is _o_f_f by default.
1.7 August 15, 2007 11 1.7 September 5, 2007 11
@@ -730,6 +730,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set,
the user's existing group vector is left
unaltered. The real and effective group
IDs, however, are still set to match the
target user. This flag is _o_f_f by default.
requiretty If set, ssuuddoo will only run when the user requiretty If set, ssuuddoo will only run when the user
is logged in to a real tty. This will is logged in to a real tty. This will
disallow things like "rsh somehost sudo disallow things like "rsh somehost sudo
@@ -777,17 +783,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
since some programs (including the RCS since some programs (including the RCS
revision control system) use LOGNAME to revision control system) use LOGNAME to
determine the real identity of the user, determine the real identity of the user,
it may be desirable to change this behav- it may be desirable to change this
ior. This can be done by negating the
set_logname option. Note that if the
_e_n_v___r_e_s_e_t option has not been disabled,
entries in the _e_n_v___k_e_e_p list will override
the value of _s_e_t___l_o_g_n_a_m_e. This flag is
_o_f_f by default.
1.7 August 15, 2007 12 1.7 September 5, 2007 12
@@ -796,6 +796,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
behavior. This can be done by negating
the set_logname option. Note that if the
_e_n_v___r_e_s_e_t option has not been disabled,
entries in the _e_n_v___k_e_e_p list will override
the value of _s_e_t___l_o_g_n_a_m_e. This flag is
_o_f_f by default.
setenv Allow the user to disable the _e_n_v___r_e_s_e_t setenv Allow the user to disable the _e_n_v___r_e_s_e_t
option from the command line. Addition- option from the command line. Addition-
ally, environment variables set via the ally, environment variables set via the
@@ -843,17 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
as the user running it. With this flag as the user running it. With this flag
enabled, ssuuddoo will use a file named for enabled, ssuuddoo will use a file named for
the tty the user is logged in on in that the tty the user is logged in on in that
directory. This flag is _o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults spec-
ified for the target user's login class if
one exists. Only available if ssuuddoo is
configured with the --with-logincap
option. This flag is _o_f_f by default.
1.7 August 15, 2007 13 1.7 September 5, 2007 13
@@ -862,6 +862,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
directory. This flag is _o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults spec-
ified for the target user's login class if
one exists. Only available if ssuuddoo is
configured with the --with-logincap
option. This flag is _o_f_f by default.
IInntteeggeerrss: IInntteeggeerrss:
closefrom Before it executes a command, ssuuddoo will closefrom Before it executes a command, ssuuddoo will
@@ -908,18 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSttrriinnggss: SSttrriinnggss:
badpass_message Message that is displayed if a user enters badpass_message Message that is displayed if a user enters
an incorrect password. The default is
Sorry, try again. unless insults are
enabled.
editor A colon (':') separated list of editors
allowed to be used with vviissuuddoo. vviissuuddoo
will choose the editor that matches the
user's EDITOR environment variable if
1.7 August 15, 2007 14 1.7 September 5, 2007 14
@@ -928,7 +928,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
possible, or the first editor in the list an incorrect password. The default is
Sorry, try again. unless insults are
enabled.
editor A colon (':') separated list of editors
allowed to be used with vviissuuddoo. vviissuuddoo
will choose the editor that matches the
user's EDITOR environment variable if pos-
sible, or the first editor in the list
that exists and is executable. The that exists and is executable. The
default is the path to vi on your system. default is the path to vi on your system.
@@ -974,18 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
runas_default The default user to run commands as if the runas_default The default user to run commands as if the
--uu flag is not specified on the command --uu flag is not specified on the command
line. This defaults to root. Note that
if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenti-
cates unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user
1.7 August 15, 2007 15 1.7 September 5, 2007 15
@@ -994,8 +994,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
authenticates successfully. Defaults to line. This defaults to root. Note that
notice. if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenti-
cates unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user authenti-
cates successfully. Defaults to notice.
timestampdir The directory in which ssuuddoo stores its timestampdir The directory in which ssuuddoo stores its
timestamp files. The default is timestamp files. The default is
@@ -1042,16 +1049,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
current host must have the NOPASSWD current host must have the NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
always The user must always enter a password
to use the --ll flag.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid
1.7 September 5, 2007 16
1.7 August 15, 2007 16
@@ -1060,7 +1060,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
entering a password. always The user must always enter a password
to use the --ll flag.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid enter-
ing a password.
never The user need never enter a password never The user need never enter a password
to use the --ll flag. to use the --ll flag.
@@ -1108,16 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
current host must have the NOPASSWD current host must have the NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
always The user must always enter a password
to use the --vv flag.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid
1.7 August 15, 2007 17 1.7 September 5, 2007 17
@@ -1126,7 +1126,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
entering a password. always The user must always enter a password
to use the --vv flag.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid enter-
ing a password.
never The user need never enter a password never The user need never enter a password
to use the --vv flag. to use the --vv flag.
@@ -1174,16 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_keep Environment variables to be preserved in env_keep Environment variables to be preserved in
the user's environment when the _e_n_v___r_e_s_e_t the user's environment when the _e_n_v___r_e_s_e_t
option is in effect. This allows fine- option is in effect. This allows fine-
grained control over the environment
ssuuddoo-spawned processes will receive. The
argument may be a double-quoted, space-
separated list or a single value without
double-quotes. The list can be replaced,
added to, deleted from, or disabled by
1.7 August 15, 2007 18 1.7 September 5, 2007 18
@@ -1192,6 +1192,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
grained control over the environment
ssuuddoo-spawned processes will receive. The
argument may be a double-quoted, space-
separated list or a single value without
double-quotes. The list can be replaced,
added to, deleted from, or disabled by
using the =, +=, -=, and ! operators using the =, +=, -=, and ! operators
respectively. The default list of vari- respectively. The default list of vari-
ables to keep is displayed when ssuuddoo is ables to keep is displayed when ssuuddoo is
@@ -1233,6 +1239,25 @@ EEXXAAMMPPLLEESS
Host_Alias SERVERS = master, mail, www, ns Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules Host_Alias CDROM = orion, perseus, hercules
1.7 September 5, 2007 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Cmnd alias specification # Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore /usr/sbin/restore, /usr/sbin/rrestore
@@ -1247,17 +1272,6 @@ EEXXAAMMPPLLEESS
Cmnd_Alias SU = /usr/bin/su Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1.7 August 15, 2007 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Here we override some of the compiled in default values. Here we override some of the compiled in default values.
We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility
in all cases. We don't want to subject the full time in all cases. We don't want to subject the full time
@@ -1299,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
any command on any host but they must authenticate them- any command on any host but they must authenticate them-
selves first (since the entry lacks the NOPASSWD tag). selves first (since the entry lacks the NOPASSWD tag).
1.7 September 5, 2007 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jack CSNETS = ALL jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the The user jjaacckk may run any command on the machines in the
@@ -1313,17 +1338,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user lliissaa may run any command on any host in the The user lliissaa may run any command on any host in the
_C_U_N_E_T_S alias (the class B network 128.138.0.0). _C_U_N_E_T_S alias (the class B network 128.138.0.0).
1.7 August 15, 2007 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/ sudoedit /etc/printcap, /usr/oper/bin/
@@ -1364,6 +1378,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
fred ALL = (DB) NOPASSWD: ALL fred ALL = (DB) NOPASSWD: ALL
The user ffrreedd can run commands as any user in the _D_B The user ffrreedd can run commands as any user in the _D_B
1.7 September 5, 2007 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
@@ -1379,17 +1405,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jill SERVERS = /usr/bin/, !SU, !SHELLS jill SERVERS = /usr/bin/, !SU, !SHELLS
1.7 August 15, 2007 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run
any commands in the directory _/_u_s_r_/_b_i_n_/ except for those any commands in the directory _/_u_s_r_/_b_i_n_/ except for those
commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases.
@@ -1428,9 +1443,21 @@ SSEECCUURRIITTYY NNOOTTEESS
bill ALL = ALL, !SU, !SHELLS bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bbiillll from running the commands Doesn't really prevent bbiillll from running the commands
listed in _S_U or _S_H_E_L_L_S since he can simply copy those com- listed in _S_U or _S_H_E_L_L_S since he can simply copy those
mands to a different name, or use a shell escape from an
editor or other program. Therefore, these kind of
1.7 September 5, 2007 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
commands to a different name, or use a shell escape from
an editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and restrictions should be considered advisory at best (and
reinforced by policy). reinforced by policy).
@@ -1445,17 +1472,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
There are two basic approaches to this problem: There are two basic approaches to this problem:
1.7 August 15, 2007 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
restrict Avoid giving users access to commands that allow restrict Avoid giving users access to commands that allow
the user to run arbitrary commands. Many edi- the user to run arbitrary commands. Many edi-
tors have a restricted mode where shell escapes tors have a restricted mode where shell escapes
@@ -1494,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known nnoott UNIX, MacOS X, and HP-UX 11.x. It is known nnoott
1.7 September 5, 2007 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to work on AIX and UnixWare. _n_o_e_x_e_c is expected to work on AIX and UnixWare. _n_o_e_x_e_c is expected
to work on most operating systems that support to work on most operating systems that support
the LD_PRELOAD environment variable. Check your the LD_PRELOAD environment variable. Check your
@@ -1509,20 +1537,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre-
vent those two commands from executing other
1.7 August 15, 2007 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
prevent those two commands from executing other
commands (such as a shell). If you are unsure commands (such as a shell). If you are unsure
whether or not your system is capable of sup- whether or not your system is capable of sup-
porting _n_o_e_x_e_c you can always just try it out porting _n_o_e_x_e_c you can always just try it out
@@ -1561,6 +1577,17 @@ SSUUPPPPOORRTT
man/listinfo/sudo-users to subscribe or search the man/listinfo/sudo-users to subscribe or search the
archives. archives.
1.7 September 5, 2007 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
DDIISSCCLLAAIIMMEERR DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied war- ssuuddoo is provided ``AS IS'' and any express or implied war-
ranties, including, but not limited to, the implied war- ranties, including, but not limited to, the implied war-
@@ -1579,6 +1606,45 @@ DDIISSCCLLAAIIMMEERR
1.7 August 15, 2007 24
1.7 September 5, 2007 25


@@ -150,7 +150,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS @mansectform@" .IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS" .TH SUDOERS @mansectform@ "September 5, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudoers \- list of which users may execute what sudoers \- list of which users may execute what
.SH "DESCRIPTION" .SH "DESCRIPTION"
@@ -254,18 +254,19 @@ The definitions of what constitutes a valid \fIalias\fR member follow.
\& User ',' User_List \& User ',' User_List
.Ve .Ve
.PP .PP
.Vb 4 .Vb 5
\& User ::= '!'* username | \& User ::= '!'* username |
\& '!'* '#'uid |
\& '!'* '%'group | \& '!'* '%'group |
\& '!'* '+'netgroup | \& '!'* '+'netgroup |
\& '!'* User_Alias \& '!'* User_Alias
.Ve .Ve
.PP .PP
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, system groups A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed
(prefixed with '%'), netgroups (prefixed with '+') and other aliases. with '#'), system groups (prefixed with '%'), netgroups (prefixed
Each list item may be prefixed with one or more '!' operators. with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
An odd number of '!' operators negate the value of the item; an even zero or more '!' operators. An odd number of '!' operators negate
number just cancel each other out. the value of the item; an even number just cancel each other out.
.PP .PP
.Vb 2 .Vb 2
\& Runas_List ::= Runas_User | \& Runas_List ::= Runas_User |
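Review bot: now that `User_List` accepts `'!'* '#'uid`, the User_List paragraph in this hunk should carry the matching caveat that currently appears only under Runas_List (usernames are matched as strings, so a `#uid` entry matches every account sharing that uid, e.g. root and toor); a `#0` in a User_List grants the rule to every uid-0 account, not just root, and a reader of this paragraph alone would not know that. Suggest adding one sentence after `zero or more '!' operators.` or moving the uid caveat up to where uids are first introduced.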
@@ -280,13 +281,12 @@ number just cancel each other out.
\& '!'* Runas_Alias \& '!'* Runas_Alias
.Ve .Ve
.PP .PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups usernames and groups are matched as strings. In other words, two
are matched as strings. In other words, two users (groups) with users (groups) with the same uid (gid) are considered to be distinct.
the same uid (gid) are considered to be distinct. If you wish to If you wish to match all usernames with the same uid (e.g.\ root
match all usernames with the same uid (e.g.\ root and toor), you and toor), you can use a uid instead (#0 in the example given).
can use a uid instead (#0 in the example given).
.PP .PP
.Vb 2 .Vb 2
\& Host_List ::= Host | \& Host_List ::= Host |
@@ -365,10 +365,10 @@ that instead.
.PP .PP
.Vb 5 .Vb 5
\& Default_Type ::= 'Defaults' | \& Default_Type ::= 'Defaults' |
\& 'Defaults' '@' Host | \& 'Defaults' '@' Host_List |
\& 'Defaults' ':' User | \& 'Defaults' ':' User_List |
\& 'Defaults' '!' Cmnd | \& 'Defaults' '!' Cmnd_List |
\& 'Defaults' '>' RunasUser \& 'Defaults' '>' Runas_List
.Ve .Ve
.PP .PP
.Vb 1 .Vb 1
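Review bot: with `'Defaults' '@' Host_List`, `':' User_List`, `'!' Cmnd_List` and `'>' Runas_List` now taking full lists, the text should state whether `'!'`-negated list members are honored when deciding which Defaults entries apply, since the list grammars earlier in the file allow `'!'*` prefixes; someone auditing the scope of a Defaults line cannot tell from the grammar alone, and the surrounding Defaults prose does not say.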