Use "Nm sudoers" when talking about the plugin and "Em sudoers" when
talking about the sudoers file.
Todd C. Miller
2016-01-16 16:46:17 -07:00
parent 12a8becd70
commit ad8c96403d
3 changed files with 250 additions and 250 deletions


@@ -7,7 +7,7 @@ DDEESSCCRRIIPPTTIIOONN
The ssuuddooeerrss policy plugin determines a user's ssuuddoo privileges. It is the
default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s
file or, optionally in LDAP. The policy format is described in detail in
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing ssuuddooeerrss
policy information in LDAP, please see sudoers.ldap(4).
CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss
@@ -61,11 +61,11 @@ DDEESSCCRRIIPPTTIIOONN
manual.
AAuutthheennttiiccaattiioonn aanndd llooggggiinngg
The _s_u_d_o_e_r_s security policy requires that most users authenticate
The ssuuddooeerrss security policy requires that most users authenticate
themselves before they can use ssuuddoo. A password is not required if the
invoking user is root, if the target user is the same as the invoking
user, or if the policy has disabled authentication for the user or
command. Unlike su(1), when _s_u_d_o_e_r_s requires authentication, it
command. Unlike su(1), when ssuuddooeerrss requires authentication, it
validates the invoking user's credentials, not the target user's (or
root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
_r_u_n_a_s_p_w flags, described later.
@@ -83,25 +83,24 @@ DDEESSCCRRIIPPTTIIOONN
regardless of whether or not mail is sent.
If ssuuddoo is run by root and the SUDO_USER environment variable is set, the
_s_u_d_o_e_r_s policy will use this value to determine who the actual user is.
ssuuddooeerrss policy will use this value to determine who the actual user is.
This can be used by a user to log commands through sudo even when a root
shell has been invoked. It also allows the --ee option to remain useful
even when invoked via a sudo-run script or program. Note, however, that
the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by
the _s_u_d_o_e_r_s file lookup is still done for root, not the user specified by
SUDO_USER.
_s_u_d_o_e_r_s uses per-user time stamp files for credential caching. Once a
ssuuddooeerrss uses per-user time stamp files for credential caching. Once a
user has been authenticated, a record is written containing the uid that
was used to authenticate, the terminal session ID, and a time stamp
(using a monotonic clock if one is available). The user may then use
ssuuddoo without a password for a short period of time (5 minutes unless
overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a separate
overridden by the _t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate
record for each tty, which means that a user's login sessions are
authenticated separately. The _t_t_y___t_i_c_k_e_t_s option can be disabled to
force the use of a single time stamp for all of a user's sessions.
_s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as
errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log
ssuuddooeerrss can log both successful and unsuccessful attempts (as well as
errors) to syslog(3), a log file, or both. By default, ssuuddooeerrss will log
via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults
settings.
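Review bot: the "the _s_u_d_o_e_r_s file lookup is still done for root" wording in this hunk narrows a statement that applies to the policy as a whole: the DESCRIPTION hunk above says the policy may be driven by the sudoers file or by LDAP, and the root lookup happens either way. Suggest keeping the plugin sense here, e.g. "the ssuuddooeerrss policy lookup is still done for root, not the user specified by SUDO_USER", so the sentence does not read as file-only.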
@@ -111,10 +110,10 @@ DDEESSCCRRIIPPTTIIOONN
tags.
CCoommmmaanndd eennvviirroonnmmeenntt
Since environment variables can influence program behavior, _s_u_d_o_e_r_s
Since environment variables can influence program behavior, ssuuddooeerrss
provides a means to restrict which variables from the user's environment
are inherited by the command to be run. There are two distinct ways
_s_u_d_o_e_r_s can deal with environment variables.
ssuuddooeerrss can deal with environment variables.
By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be
executed with a new, minimal environment. On AIX (and Linux systems
@@ -173,7 +172,7 @@ DDEESSCCRRIIPPTTIIOONN
them.
As a special case, if ssuuddoo's --ii option (initial login) is specified,
_s_u_d_o_e_r_s will initialize the environment regardless of the value of
ssuuddooeerrss will initialize the environment regardless of the value of
_e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
(and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are
@@ -193,8 +192,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
there are multiple matches, the last match is used (which is not
necessarily the most specific match).
The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur Form
(EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
The _s_u_d_o_e_r_s file grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
simple, and the definitions below are annotated.
QQuuiicckk gguuiiddee ttoo EEBBNNFF
@@ -388,7 +387,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may
take command line arguments just as a normal command does. Note that
``sudoedit'' is a command built into ssuuddoo itself and must be specified in
_s_u_d_o_e_r_s without a leading path.
the _s_u_d_o_e_r_s file without a leading path.
If a command name is prefixed with a Digest_Spec, the command will only
match successfully if it can be verified using the specified SHA-2
@@ -556,14 +555,14 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
setting the group to operator or system.
SSEELLiinnuuxx__SSppeecc
On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
SELinux role and/or type associated with a command. If a role or type is
specified with the command it will override any default values specified
in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will
supersede the values in _s_u_d_o_e_r_s.
On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have
an SELinux role and/or type associated with a command. If a role or type
is specified with the command it will override any default values
specified in _s_u_d_o_e_r_s. A role or type specified on the command line,
however, will supersede the values in _s_u_d_o_e_r_s.
SSoollaarriiss__PPrriivv__SSppeecc
On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris
On Solaris systems, _s_u_d_o_e_r_s file entries may optionally specify Solaris
privilege set and/or limit privilege set associated with a command. If
privileges or limit privileges are specified with the command it will
override any default values specified in _s_u_d_o_e_r_s.
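Review bot: the wording in this hunk is inconsistent within each paragraph: the first mention in SELinux_Spec and Solaris_Priv_Spec becomes "_s_u_d_o_e_r_s file entries", but the later "specified in _s_u_d_o_e_r_s" and "the values in _s_u_d_o_e_r_s" (including the unchanged final context line) stay bare. Under the commit's own rule the italic form already denotes the file, so either spelling works, but pick one per paragraph, e.g. "specified in the _s_u_d_o_e_r_s file".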
@@ -736,14 +735,15 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended. In most cases it is better to
do command line processing outside of _s_u_d_o_e_r_s in a scripting language.
do command line processing outside of the _s_u_d_o_e_r_s file in a scripting
language.
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the
_s_u_d_o_e_r_s entry it means that command is not allowed to be run
with _a_n_y arguments.
_s_u_d_o_e_r_s file entry it means that command is not allowed to be
run with _a_n_y arguments.
sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should
always be path names, so a forward slash (`/') will not be
@@ -756,8 +756,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in
addition to a local, per-machine file. For the sake of this example the
site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be
_/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
site-wide _s_u_d_o_e_r_s file will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will
be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
_/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
#include /etc/sudoers.local
@@ -785,8 +785,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s.
The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory
that the system package manager can drop _s_u_d_o_e_r_s rules into as part of
package installation. For example, given:
that the system package manager can drop _s_u_d_o_e_r_s file rules into as part
of package installation. For example, given:
#includedir /etc/sudoers.d
@@ -967,9 +967,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
names that include globbing characters are used with
the negation operator, `!', as such rules can be
trivially bypassed. As such, this option should not be
used when _s_u_d_o_e_r_s contains rules that contain negated
path names which include globbing characters. This
flag is _o_f_f by default.
used when the _s_u_d_o_e_r_s file contains rules that contain
negated path names which include globbing characters.
This flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file when the local host name (as
@@ -1039,7 +1039,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
log_host If set, the host name will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default.
log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o_-_t_t_y and
log_input If set, ssuuddoo will run the command in a pseudo-tty and
log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
@@ -1064,7 +1064,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
unencrypted. In most cases, logging the command output
via _l_o_g___o_u_t_p_u_t is all that is required.
log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o_-_t_t_y and
log_output If set, ssuuddoo will run the command in a pseudo-tty and
log all output that is sent to the screen, similar to
the script(1) command. If the standard output or
standard error is not connected to the user's tty, due
@@ -1112,7 +1112,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
does not enter the correct password. If the command
the user is attempting to run is not permitted by
_s_u_d_o_e_r_s and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s,
ssuuddooeerrss and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s,
_m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are
set, this flag will have no effect. This flag is _o_f_f
by default.
@@ -1323,13 +1323,14 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
single record is used for all login sessions. This
flag is _o_n by default.
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
without modification. This makes it possible to
specify a more permissive umask in _s_u_d_o_e_r_s than the
user's own umask and matches historical behavior. If
_u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to
be the union of the user's umask and what is specified
in _s_u_d_o_e_r_s. This flag is _o_f_f by default.
umask_override If set, ssuuddoo will set the umask as specified in the
_s_u_d_o_e_r_s file without modification. This makes it
possible to specify a umask in the _s_u_d_o_e_r_s file that is
more permissive than the user's own umask and matches
historical behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set,
ssuuddoo will set the umask to be the union of the user's
umask and what is specified in _s_u_d_o_e_r_s. This flag is
_o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults specified for the
target user's login class if one exists. Only
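Review bot: the last sentence of the umask_override text in this hunk, "the union of the user's umask and what is specified in _s_u_d_o_e_r_s", is left bare while the two earlier mentions in the same entry gained "file"; for consistency within the entry suggest "what is specified in the _s_u_d_o_e_r_s file".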
@@ -1588,8 +1589,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
role The default SELinux role to use when constructing a new
security context to run the command. The default role
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
via command line options. This option is only
may be overridden on a per-command basis in the _s_u_d_o_e_r_s
file or via command line options. This option is only
available when ssuuddoo is built with SELinux support.
runas_default The default user to run commands as if the --uu option is
@@ -1623,8 +1624,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
type The default SELinux type to use when constructing a new
security context to run the command. The default type
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
via command line options. This option is only
may be overridden on a per-command basis in the _s_u_d_o_e_r_s
file or via command line options. This option is only
available when ssuuddoo is built with SELinux support.
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
@@ -1642,7 +1643,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
requirements. The group name specified should not include
a % prefix. This is not set by default.
group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional
group_plugin A string containing a ssuuddooeerrss group plugin with optional
arguments. The string should consist of the plugin path,
either fully-qualified or relative to the
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any
@@ -1675,16 +1676,16 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
a user runs ssuuddoo with the --ll option. It has the following
possible values:
all All the user's _s_u_d_o_e_r_s entries for the current
host must have the NOPASSWD flag set to avoid
entering a password.
all All the user's _s_u_d_o_e_r_s file entries for the
current host must have the NOPASSWD flag set to
avoid entering a password.
always The user must always enter a password to use the
--ll option.
any At least one of the user's _s_u_d_o_e_r_s entries for
the current host must have the NOPASSWD flag set
to avoid entering a password.
any At least one of the user's _s_u_d_o_e_r_s file entries
for the current host must have the NOPASSWD flag
set to avoid entering a password.
never The user need never enter a password to use the
--ll option.
@@ -1730,15 +1731,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
a user runs ssuuddoo with the --vv option. It has the following
possible values:
all All the user's _s_u_d_o_e_r_s entries for the current host
must have the NOPASSWD flag set to avoid entering a
password.
all All the user's _s_u_d_o_e_r_s file entries for the current
host must have the NOPASSWD flag set to avoid
entering a password.
always The user must always enter a password to use the --vv
option.
any At least one of the user's _s_u_d_o_e_r_s entries for the
current host must have the NOPASSWD flag set to
any At least one of the user's _s_u_d_o_e_r_s file entries for
the current host must have the NOPASSWD flag set to
avoid entering a password.
never The user need never enter a password to use the --vv
@@ -1938,8 +1939,8 @@ LLOOGG FFOORRMMAATT
unable to open/read /etc/sudoers
The _s_u_d_o_e_r_s file could not be opened for reading. This can happen
when the _s_u_d_o_e_r_s file is located on a remote file system that maps
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open
_s_u_d_o_e_r_s using group permissions to avoid this problem. Consider
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open the
_s_u_d_o_e_r_s file using group permissions to avoid this problem. Consider
either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument
like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file.
@@ -1971,29 +1972,29 @@ LLOOGG FFOORRMMAATT
line in the sudo.conf(4) file.
unable to open /var/run/sudo/ts/username
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file. This
ssuuddooeerrss was unable to read or create the user's time stamp file. This
can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and
the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The
default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711.
unable to write to /var/run/sudo/ts/username
_s_u_d_o_e_r_s was unable to write to the user's time stamp file.
ssuuddooeerrss was unable to write to the user's time stamp file.
/var/run/sudo/ts is owned by uid X, should be Y
The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r.
This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed.
_s_u_d_o_e_r_s will ignore the time stamp directory until the owner is
ssuuddooeerrss will ignore the time stamp directory until the owner is
corrected.
/var/run/sudo/ts is group writable
The time stamp directory is group-writable; it should be writable only
by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is
0700. _s_u_d_o_e_r_s will ignore the time stamp directory until the mode is
0700. ssuuddooeerrss will ignore the time stamp directory until the mode is
corrected.
NNootteess oonn llooggggiinngg vviiaa ssyysslloogg
By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As
By default, ssuuddooeerrss logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not ssuuddooeerrss itself. As
such, they may vary in format on different systems.
On most systems, syslog(3) has a relatively small log buffer. To prevent
@@ -2004,8 +2005,8 @@ LLOOGG FFOORRMMAATT
and before the continued command line arguments.
NNootteess oonn llooggggiinngg ttoo aa ffiillee
If the _l_o_g_f_i_l_e option is set, _s_u_d_o_e_r_s will log to a local file, such as
_/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, _s_u_d_o_e_r_s uses a format similar to
If the _l_o_g_f_i_l_e option is set, ssuuddooeerrss will log to a local file, such as
_/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, ssuuddooeerrss uses a format similar to
syslog(3), with a few important differences:
1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present.
@@ -2032,18 +2033,18 @@ FFIILLEESS
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the
_s_u_d_o_e_r_s security policy
ssuuddooeerrss security policy
_/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for
the _s_u_d_o_e_r_s security policy
the ssuuddooeerrss security policy
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and
Linux systems
EEXXAAMMPPLLEESS
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit
contrived. First, we allow a few environment variables to pass and then
define our _a_l_i_a_s_e_s:
Below are example _s_u_d_o_e_r_s file entries. Admittedly, some of these are a
bit contrived. First, we allow a few environment variables to pass and
then define our _a_l_i_a_s_e_s:
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
@@ -2265,7 +2266,7 @@ SSEECCUURRIITTYY NNOOTTEESS
that grant privileges, it can result in a security issue for rules that
subtract or revoke privileges.
For example, given the following _s_u_d_o_e_r_s entry:
For example, given the following _s_u_d_o_e_r_s file entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
@@ -2331,13 +2332,13 @@ SSEECCUURRIITTYY NNOOTTEESS
give the user permission to run ssuuddooeeddiitt (see below).
SSeeccuurree eeddiittiinngg
The _s_u_d_o_e_r_s plugin includes ssuuddooeeddiitt support which allows users to
The ssuuddooeerrss plugin includes ssuuddooeeddiitt support which allows users to
securely edit files with the editor of their choice. As ssuuddooeeddiitt is a
built-in command, it must be specified in _s_u_d_o_e_r_s without a leading path.
However, it may take command line arguments just as a normal command
does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments are expected to
be path names, so a forward slash (`/') will not be matched by a
wildcard.
built-in command, it must be specified in the _s_u_d_o_e_r_s file without a
leading path. However, it may take command line arguments just as a
normal command does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments
are expected to be path names, so a forward slash (`/') will not be
matched by a wildcard.
Unlike other ssuuddoo commands, the editor is run with the permissions of the
invoking user and with the environment unmodified. More information may
@@ -2368,7 +2369,7 @@ SSEECCUURRIITTYY NNOOTTEESS
same file system.
TTiimmee ssttaammpp ffiillee cchheecckkss
_s_u_d_o_e_r_s will check the ownership of its time stamp directory
ssuuddooeerrss will check the ownership of its time stamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it
is not owned by root or if it is writable by a user other than root.
Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer
@@ -2378,33 +2379,33 @@ SSEECCUURRIITTYY NNOOTTEESS
While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all
systems contain a _/_v_a_r_/_r_u_n directory. To avoid potential problems,
_s_u_d_o_e_r_s will ignore time stamp files that date from before the machine
ssuuddooeerrss will ignore time stamp files that date from before the machine
booted on systems where the boot time is available.
Some systems with graphical desktop environments allow unprivileged users
to change the system clock. Since _s_u_d_o_e_r_s relies on the system clock for
to change the system clock. Since ssuuddooeerrss relies on the system clock for
time stamp validation, it may be possible on such systems for a user to
run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To
combat this, _s_u_d_o_e_r_s uses a monotonic clock (which never moves backwards)
combat this, ssuuddooeerrss uses a monotonic clock (which never moves backwards)
for its time stamps if the system supports it.
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps
ssuuddooeerrss will not honor time stamps set far in the future. Time stamps
with a date greater than current_time + 2 * TIMEOUT will be ignored and
_s_u_d_o_e_r_s will log and complain.
ssuuddooeerrss will log and complain.
Since time stamp files live in the file system, they can outlive a user's
login session. As a result, a user may be able to login, run a command
with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without
authenticating so long as the record's time stamp is within 5 minutes (or
whatever value the timeout is set to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s
option is enabled, the time stamp record includes the device number of
the terminal the user authenticated with. This provides per-tty
granularity but time stamp records still may outlive the user's session.
The time stamp record also includes the session ID of the process that
last authenticated. This prevents processes in different terminal
sessions from using the same time stamp record. It also helps reduce the
chance that a user will be able to run ssuuddoo without entering a password
when logging out and back in again on the same terminal.
whatever value the timeout is set to in the _s_u_d_o_e_r_s file). When the
_t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp record includes the device
number of the terminal the user authenticated with. This provides per-
tty granularity but time stamp records still may outlive the user's
session. The time stamp record also includes the session ID of the
process that last authenticated. This prevents processes in different
terminal sessions from using the same time stamp record. It also helps
reduce the chance that a user will be able to run ssuuddoo without entering a
password when logging out and back in again on the same terminal.
DDEEBBUUGGGGIINNGG
Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible
@@ -2431,7 +2432,7 @@ DDEEBBUUGGGGIINNGG
_a_u_t_h user authentication
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s file _D_e_f_a_u_l_t_s settings
_e_n_v environment handling
@@ -2439,11 +2440,12 @@ DDEEBBUUGGGGIINNGG
_l_o_g_g_i_n_g logging support
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
_m_a_t_c_h matching of users, groups, hosts and netgroups in the _s_u_d_o_e_r_s
file
_n_e_t_i_f network interface handling
_n_s_s network service switch handling in _s_u_d_o_e_r_s
_n_s_s network service switch handling in ssuuddooeerrss
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
@@ -2480,8 +2482,8 @@ AAUUTTHHOORRSS
CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which
locks the file and does grammatical checking. It is imperative that
_s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a
locks the file and does grammatical checking. It is imperative that the
_s_u_d_o_e_r_s file be free of syntax errors since ssuuddoo will not run with a
syntactically incorrect _s_u_d_o_e_r_s file.
When using netgroups of machines (as opposed to users), if you store


@@ -44,7 +44,7 @@ The policy format is described in detail in the
\fISUDOERS FILE FORMAT\fR
section.
For information on storing
\fIsudoers\fR
\fBsudoers\fR
policy information
in LDAP, please see
sudoers.ldap(@mansectform@).
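Review bot: the commit message refers to the mdoc macros Nm and Em, while the hunks in this file use the troff escapes \fB and \fI, and of the 3 changed files listed only two diffs appear here; the mdoc source the message describes is not in this view. Worth confirming in the message that this man source and the cat page above were regenerated from that source rather than edited by hand, so the three files cannot drift apart.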
@@ -138,7 +138,7 @@ sudo.conf(@mansectform@),
please refer to its manual.
.SS "Authentication and logging"
The
\fIsudoers\fR
\fBsudoers\fR
security policy requires that most users authenticate
themselves before they can use
\fBsudo\fR.
@@ -149,7 +149,7 @@ user or command.
Unlike
su(1),
when
\fIsudoers\fR
\fBsudoers\fR
requires
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
@@ -198,7 +198,7 @@ is run by root and the
\fRSUDO_USER\fR
environment variable
is set, the
\fIsudoers\fR
\fBsudoers\fR
policy will use this value to determine who
the actual user is.
This can be used by a user to log commands
@@ -210,10 +210,10 @@ option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
\fIsudoers\fR
lookup is still done for root, not the user specified by
file lookup is still done for root, not the user specified by
\fRSUDO_USER\fR.
.PP
\fIsudoers\fR
\fBsudoers\fR
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the
@@ -228,21 +228,20 @@ minutes unless overridden by the
option)
\&.
By default,
\fIsudoers\fR
\fBsudoers\fR
uses a separate record for each tty, which means that
a user's login sessions are authenticated separately.
The
\fItty_tickets\fR
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
.PP
\fIsudoers\fR
\fBsudoers\fR
can log both successful and unsuccessful attempts (as well
as errors) to
syslog(3),
a log file, or both.
By default,
\fIsudoers\fR
\fBsudoers\fR
will log via
syslog(3)
but this is changeable via the
@@ -266,12 +265,12 @@ and
command tags.
.SS "Command environment"
Since environment variables can influence program behavior,
\fIsudoers\fR
\fBsudoers\fR
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
There are two
distinct ways
\fIsudoers\fR
\fBsudoers\fR
can deal with environment variables.
.PP
By default, the
@@ -424,7 +423,7 @@ As a special case, if
\fB\-i\fR
option (initial login) is
specified,
\fIsudoers\fR
\fBsudoers\fR
will initialize the environment regardless
of the value of
\fIenv_reset\fR.
@@ -476,7 +475,7 @@ not necessarily the most specific match).
.PP
The
\fIsudoers\fR
grammar will be described below in Extended Backus-Naur
file grammar will be described below in Extended Backus-Naur
Form (EBNF).
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
@@ -840,9 +839,9 @@ Note that
\(Lq\fRsudoedit\fR\(Rq
is a command built into
\fBsudo\fR
itself and must be specified in
itself and must be specified in the
\fIsudoers\fR
without a leading path.
file without a leading path.
.PP
If a
\fRcommand name\fR
@@ -1168,7 +1167,7 @@ optionally setting the group to operator or system.
.SS "SELinux_Spec"
On systems with SELinux support,
\fIsudoers\fR
entries may optionally have an SELinux role and/or type associated
file entries may optionally have an SELinux role and/or type associated
with a command.
If a role or
type is specified with the command it will override any default values
@@ -1180,7 +1179,7 @@ however, will supersede the values in
.SS "Solaris_Priv_Spec"
On Solaris systems,
\fIsudoers\fR
entries may optionally specify Solaris privilege set and/or limit
file entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
@@ -1582,9 +1581,9 @@ $ sudo cat /var/log/messages /etc/shadow
.PP
which is probably not what was intended.
In most cases it is better to do command line processing
outside of
outside of the
\fIsudoers\fR
in a scripting language.
file in a scripting language.
.SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.TP 10n
@@ -1593,7 +1592,7 @@ If the empty string
\fR\&""\fR
is the only command line argument in the
\fIsudoers\fR
entry it means that command is not allowed to be run with
file entry it means that command is not allowed to be run with
\fIany\fR
arguments.
.TP 10n
@@ -1619,7 +1618,7 @@ This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file.
For the sake of this example the site-wide
\fIsudoers\fR
will be
file will be
\fI/etc/sudoers\fR
and the per-machine one will be
\fI/etc/sudoers.local\fR.
@@ -1694,8 +1693,7 @@ directive can be used to create a
\fIsudoers.d\fR
directory that the system package manager can drop
\fIsudoers\fR
rules
into as part of package installation.
file rules into as part of package installation.
For example, given:
.nf
.sp
@@ -2084,9 +2082,9 @@ This has security implications when path names that include globbing
characters are used with the negation operator,
\(oq!\&\(cq,
as such rules can be trivially bypassed.
As such, this option should not be used when
As such, this option should not be used when the
\fIsudoers\fR
contains rules that contain negated path names which include globbing
file contains rules that contain negated path names which include globbing
characters.
This flag is
\fIoff\fR
@@ -2218,9 +2216,7 @@ by default.
log_input
If set,
\fBsudo\fR
will run the command in a
\fIpseudo-tty\fR
and log all user input.
will run the command in a pseudo-tty and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
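Review bot: the commit message does not cover the pseudo-tty change in this hunk, where "\fIpseudo-tty\fR" becomes plain "pseudo-tty" and the three lines are joined; the same edit appears in the log_output hunk that follows. It is consistent with reserving the italic form for the sudoers file, but it should be mentioned in the message (or split out) so the intent is recorded.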
@@ -2263,9 +2259,8 @@ is all that is required.
log_output
If set,
\fBsudo\fR
will run the command in a
\fIpseudo-tty\fR
and log all output that is sent to the screen, similar to the
will run the command in a pseudo-tty and log all output that is sent
to the screen, similar to the
script(1)
command.
If the standard output or standard error is not connected to the
@@ -2363,7 +2358,7 @@ user if the user running
\fBsudo\fR
does not enter the correct password.
If the command the user is attempting to run is not permitted by
\fIsudoers\fR
\fBsudoers\fR
and one of the
\fImail_all_cmnds\fR,
\fImail_always\fR,
@@ -2809,12 +2804,13 @@ by default.
umask_override
If set,
\fBsudo\fR
will set the umask as specified by
will set the umask as specified in the
\fIsudoers\fR
without modification.
This makes it possible to specify a more permissive umask in
file without modification.
This makes it possible to specify a umask in the
\fIsudoers\fR
than the user's own umask and matches historical behavior.
file that is more permissive than the user's own umask and matches
historical behavior.
If
\fIumask_override\fR
is not set,
@@ -3272,9 +3268,9 @@ is built on Solaris 10 or higher.
role
The default SELinux role to use when constructing a new security
context to run the command.
The default role may be overridden on a per-command basis in
The default role may be overridden on a per-command basis in the
\fIsudoers\fR
or via command line options.
file or via command line options.
This option is only available when
\fBsudo\fR
is built with SELinux support.
@@ -3335,9 +3331,9 @@ The default is
type
The default SELinux type to use when constructing a new security
context to run the command.
The default type may be overridden on a per-command basis in
The default type may be overridden on a per-command basis in the
\fIsudoers\fR
or via command line options.
file or via command line options.
This option is only available when
\fBsudo\fR
is built with SELinux support.
@@ -3370,7 +3366,7 @@ This is not set by default.
.TP 14n
group_plugin
A string containing a
\fIsudoers\fR
\fBsudoers\fR
group plugin with optional arguments.
The string should consist of the plugin
path, either fully-qualified or relative to the
@@ -3435,7 +3431,7 @@ It has the following possible values:
all
All the user's
\fIsudoers\fR
entries for the current host must have
file entries for the current host must have
the
\fRNOPASSWD\fR
flag set to avoid entering a password.
@@ -3449,7 +3445,7 @@ option.
any
At least one of the user's
\fIsudoers\fR
entries for the current host
file entries for the current host
must have the
\fRNOPASSWD\fR
flag set to avoid entering a password.
@@ -3569,7 +3565,7 @@ It has the following possible values:
all
All the user's
\fIsudoers\fR
entries for the current host must have the
file entries for the current host must have the
\fRNOPASSWD\fR
flag set to avoid entering a password.
.PD
@@ -3582,7 +3578,7 @@ option.
any
At least one of the user's
\fIsudoers\fR
entries for the current host must have the
file entries for the current host must have the
\fRNOPASSWD\fR
flag set to avoid entering a password.
.TP 8n
@@ -3941,9 +3937,9 @@ file is located on a remote file system that maps user ID 0 to
a different value.
Normally,
\fBsudoers\fR
tries to open
tries to open the
\fIsudoers\fR
using group permissions to avoid this problem.
file using group permissions to avoid this problem.
Consider either changing the ownership of
\fI@sysconfdir@/sudoers\fR
or adding an argument like
@@ -4025,7 +4021,7 @@ sudo.conf(@mansectform@)
file.
.TP 3n
unable to open @rundir@/ts/username
\fIsudoers\fR
\fBsudoers\fR
was unable to read or create the user's time stamp file.
This can happen when
\fItimestampowner\fR
@@ -4037,7 +4033,7 @@ The default mode for
is 0711.
.TP 3n
unable to write to @rundir@/ts/username
\fIsudoers\fR
\fBsudoers\fR
was unable to write to the user's time stamp file.
.TP 3n
@rundir@/ts is owned by uid X, should be Y
@@ -4046,18 +4042,18 @@ The time stamp directory is owned by a user other than
This can occur when the value of
\fItimestampowner\fR
has been changed.
\fIsudoers\fR
\fBsudoers\fR
will ignore the time stamp directory until the owner is corrected.
.TP 3n
@rundir@/ts is group writable
The time stamp directory is group-writable; it should be writable only by
\fItimestampowner\fR.
The default mode for the time stamp directory is 0700.
\fIsudoers\fR
\fBsudoers\fR
will ignore the time stamp directory until the mode is corrected.
.SS "Notes on logging via syslog"
By default,
\fIsudoers\fR
\fBsudoers\fR
logs messages via
syslog(3).
The
@@ -4066,7 +4062,7 @@ The
and
\fIprogname\fR
fields are added by the syslog daemon, not
\fIsudoers\fR
\fBsudoers\fR
itself.
As such, they may vary in format on different systems.
.PP
@@ -4085,11 +4081,11 @@ after the user name and before the continued command line arguments.
If the
\fIlogfile\fR
option is set,
\fIsudoers\fR
\fBsudoers\fR
will log to a local file, such as
\fI/var/log/sudo\fR.
When logging to a file,
\fIsudoers\fR
\fBsudoers\fR
uses a format similar to
syslog(3),
with a few important differences:
@@ -4140,12 +4136,12 @@ I/O log files
.TP 26n
\fI@rundir@/ts\fR
Directory containing time stamps for the
\fIsudoers\fR
\fBsudoers\fR
security policy
.TP 26n
\fI@vardir@/lectured\fR
Directory containing lecture status files for the
\fIsudoers\fR
\fBsudoers\fR
security policy
.TP 26n
\fI/etc/environment\fR
@@ -4155,7 +4151,7 @@ mode on AIX and Linux systems
.SH "EXAMPLES"
Below are example
\fIsudoers\fR
entries.
file entries.
Admittedly, some of these are a bit contrived.
First, we allow a few environment variables to pass and then define our
\fIaliases\fR:
@@ -4635,7 +4631,7 @@ it can result in a security issue for rules that subtract or revoke privileges.
.PP
For example, given the following
\fIsudoers\fR
entry:
file entry:
.nf
.sp
.RS 0n
@@ -4760,16 +4756,16 @@ user permission to run
(see below).
.SS "Secure editing"
The
\fIsudoers\fR
\fBsudoers\fR
plugin includes
\fBsudoedit\fR
support which allows users to securely edit files with the editor
of their choice.
As
\fBsudoedit\fR
is a built-in command, it must be specified in
is a built-in command, it must be specified in the
\fIsudoers\fR
without a leading path.
file without a leading path.
However, it may take command line arguments just as a normal command does.
Wildcards used in
\fIsudoedit\fR
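Review bot: markup for the built-in command is inconsistent within this hunk. It is bold in "plugin includes \fBsudoedit\fR support" and "As \fBsudoedit\fR is a built-in command", but the trailing context line "Wildcards used in \fIsudoedit\fR" is italic. Given that this commit's whole point is bold for the plugin/command and italic for the file, that last occurrence looks like it should be \fBsudoedit\fR as well, unless it deliberately refers to something other than the command.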
@@ -4833,7 +4829,7 @@ tag.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.SS "Time stamp file checks"
\fIsudoers\fR
\fBsudoers\fR
will check the ownership of its time stamp directory
(\fI@rundir@/ts\fR
by default)
@@ -4853,14 +4849,14 @@ be cleared at reboot time, not all systems contain a
\fI/var/run\fR
directory.
To avoid potential problems,
\fIsudoers\fR
\fBsudoers\fR
will ignore time stamp files that date from before the machine booted
on systems where the boot time is available.
.PP
Some systems with graphical desktop environments allow unprivileged
users to change the system clock.
Since
\fIsudoers\fR
\fBsudoers\fR
relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run
\fBsudo\fR
@@ -4868,16 +4864,16 @@ for longer than
\fItimestamp_timeout\fR
by setting the clock back.
To combat this,
\fIsudoers\fR
\fBsudoers\fR
uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it.
.PP
\fIsudoers\fR
\fBsudoers\fR
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
\fRTIMEOUT\fR
will be ignored and
\fIsudoers\fR
\fBsudoers\fR
will log and complain.
.PP
Since time stamp files live in the file system, they can outlive a
@@ -4888,8 +4884,9 @@ after authenticating, logout, login again, and run
\fBsudo\fR
without authenticating so long as the record's time stamp is within
\fR@timeout@\fR
minutes (or whatever value the timeout is set to in
\fIsudoers\fR).
minutes (or whatever value the timeout is set to in the
\fIsudoers\fR
file).
When the
\fItty_tickets\fR
option is enabled, the time stamp record includes the device
@@ -4958,6 +4955,7 @@ user authentication
.TP 10n
\fIdefaults\fR
\fIsudoers\fR
file
\fIDefaults\fR
settings
.TP 10n
@@ -4971,15 +4969,16 @@ LDAP-based sudoers
logging support
.TP 10n
\fImatch\fR
matching of users, groups, hosts and netgroups in
matching of users, groups, hosts and netgroups in the
\fIsudoers\fR
file
.TP 10n
\fInetif\fR
network interface handling
.TP 10n
\fInss\fR
network service switch handling in
\fIsudoers\fR
\fBsudoers\fR
.TP 10n
\fIparser\fR
\fIsudoers\fR
@@ -5053,9 +5052,9 @@ be edited by the
\fBvisudo\fR
command which locks the file and does grammatical checking.
It is
imperative that
imperative that the
\fIsudoers\fR
be free of syntax errors since
file be free of syntax errors since
\fBsudo\fR
will not run with a syntactically incorrect
\fIsudoers\fR

View File

@@ -42,7 +42,7 @@ The policy format is described in detail in the
.Sx SUDOERS FILE FORMAT
section.
For information on storing
.Em sudoers
.Nm sudoers
policy information
in LDAP, please see
.Xr sudoers.ldap @mansectform@ .
@@ -126,7 +126,7 @@ For more information on configuring
please refer to its manual.
.Ss Authentication and logging
The
.Em sudoers
.Nm sudoers
security policy requires that most users authenticate
themselves before they can use
.Nm sudo .
@@ -137,7 +137,7 @@ user or command.
Unlike
.Xr su 1 ,
when
.Em sudoers
.Nm sudoers
requires
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
@@ -186,7 +186,7 @@ is run by root and the
.Ev SUDO_USER
environment variable
is set, the
.Em sudoers
.Nm sudoers
policy will use this value to determine who
the actual user is.
This can be used by a user to log commands
@@ -198,10 +198,10 @@ option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
.Em sudoers
lookup is still done for root, not the user specified by
file lookup is still done for root, not the user specified by
.Ev SUDO_USER .
.Pp
.Em sudoers
.Nm sudoers
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the
@@ -217,21 +217,20 @@ minutes unless overridden by the
option
.Pc .
By default,
.Em sudoers
.Nm sudoers
uses a separate record for each tty, which means that
a user's login sessions are authenticated separately.
The
.Em tty_tickets
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
.Pp
.Em sudoers
.Nm sudoers
can log both successful and unsuccessful attempts (as well
as errors) to
.Xr syslog 3 ,
a log file, or both.
By default,
.Em sudoers
.Nm sudoers
will log via
.Xr syslog 3
but this is changeable via the
@@ -255,12 +254,12 @@ and
command tags.
.Ss Command environment
Since environment variables can influence program behavior,
.Em sudoers
.Nm sudoers
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
There are two
distinct ways
.Em sudoers
.Nm sudoers
can deal with environment variables.
.Pp
By default, the
@@ -410,7 +409,7 @@ As a special case, if
.Fl i
option (initial login) is
specified,
.Em sudoers
.Nm sudoers
will initialize the environment regardless
of the value of
.Em env_reset .
@@ -462,7 +461,7 @@ not necessarily the most specific match).
.Pp
The
.Em sudoers
grammar will be described below in Extended Backus-Naur
file grammar will be described below in Extended Backus-Naur
Form (EBNF).
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
@@ -803,9 +802,9 @@ Note that
.Dq Li sudoedit
is a command built into
.Nm sudo
itself and must be specified in
itself and must be specified in the
.Em sudoers
without a leading path.
file without a leading path.
.Pp
If a
.Li command name
@@ -1096,7 +1095,7 @@ optionally setting the group to operator or system.
.Ss SELinux_Spec
On systems with SELinux support,
.Em sudoers
entries may optionally have an SELinux role and/or type associated
file entries may optionally have an SELinux role and/or type associated
with a command.
If a role or
type is specified with the command it will override any default values
@@ -1108,7 +1107,7 @@ however, will supersede the values in
.Ss Solaris_Priv_Spec
On Solaris systems,
.Em sudoers
entries may optionally specify Solaris privilege set and/or limit
file entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
@@ -1473,9 +1472,9 @@ $ sudo cat /var/log/messages /etc/shadow
.Pp
which is probably not what was intended.
In most cases it is better to do command line processing
outside of
outside of the
.Em sudoers
in a scripting language.
file in a scripting language.
.Ss Exceptions to wildcard rules
The following exceptions apply to the above rules:
.Bl -tag -width 8n
@@ -1484,7 +1483,7 @@ If the empty string
.Li \&""
is the only command line argument in the
.Em sudoers
entry it means that command is not allowed to be run with
file entry it means that command is not allowed to be run with
.Em any
arguments.
.It sudoedit
@@ -1510,7 +1509,7 @@ This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file.
For the sake of this example the site-wide
.Em sudoers
will be
file will be
.Pa /etc/sudoers
and the per-machine one will be
.Pa /etc/sudoers.local .
@@ -1576,8 +1575,7 @@ directive can be used to create a
.Pa sudoers.d
directory that the system package manager can drop
.Em sudoers
rules
into as part of package installation.
file rules into as part of package installation.
For example, given:
.Bd -literal -offset 4n
#includedir /etc/sudoers.d
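Review bot: "directory that the system package manager can drop .Em sudoers file rules into" is awkward; what a package manager drops into sudoers.d is a file containing rules, so "rule files" (or keeping the previous wording "rules") would read better than "file rules" here.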
@@ -1951,9 +1949,9 @@ This has security implications when path names that include globbing
characters are used with the negation operator,
.Ql !\& ,
as such rules can be trivially bypassed.
As such, this option should not be used when
As such, this option should not be used when the
.Em sudoers
contains rules that contain negated path names which include globbing
file contains rules that contain negated path names which include globbing
characters.
This flag is
.Em off
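Review bot: same wording issue as the corresponding change in the .man source: "file contains rules that contain negated path names" doubles up on "contain". Suggest "file contains rules with negated path names that include globbing characters" so both sources stay in sync.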
@@ -2077,9 +2075,7 @@ by default.
.It log_input
If set,
.Nm sudo
will run the command in a
.Em pseudo-tty
and log all user input.
will run the command in a pseudo-tty and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
@@ -2123,9 +2119,8 @@ is all that is required.
.It log_output
If set,
.Nm sudo
will run the command in a
.Em pseudo-tty
and log all output that is sent to the screen, similar to the
will run the command in a pseudo-tty and log all output that is sent
to the screen, similar to the
.Xr script 1
command.
If the standard output or standard error is not connected to the
@@ -2220,7 +2215,7 @@ user if the user running
.Nm sudo
does not enter the correct password.
If the command the user is attempting to run is not permitted by
.Em sudoers
.Nm sudoers
and one of the
.Em mail_all_cmnds ,
.Em mail_always ,
@@ -2639,12 +2634,13 @@ by default.
.It umask_override
If set,
.Nm sudo
will set the umask as specified by
will set the umask as specified in the
.Em sudoers
without modification.
This makes it possible to specify a more permissive umask in
file without modification.
This makes it possible to specify a umask in the
.Em sudoers
than the user's own umask and matches historical behavior.
file that is more permissive than the user's own umask and matches
historical behavior.
If
.Em umask_override
is not set,
@@ -3062,9 +3058,9 @@ is built on Solaris 10 or higher.
.It role
The default SELinux role to use when constructing a new security
context to run the command.
The default role may be overridden on a per-command basis in
The default role may be overridden on a per-command basis in the
.Em sudoers
or via command line options.
file or via command line options.
This option is only available when
.Nm sudo
is built with SELinux support.
@@ -3118,9 +3114,9 @@ The default is
.It type
The default SELinux type to use when constructing a new security
context to run the command.
The default type may be overridden on a per-command basis in
The default type may be overridden on a per-command basis in the
.Em sudoers
or via command line options.
file or via command line options.
This option is only available when
.Nm sudo
is built with SELinux support.
@@ -3152,7 +3148,7 @@ prefix.
This is not set by default.
.It group_plugin
A string containing a
.Em sudoers
.Nm sudoers
group plugin with optional arguments.
The string should consist of the plugin
path, either fully-qualified or relative to the
@@ -3205,7 +3201,7 @@ It has the following possible values:
.It all
All the user's
.Em sudoers
entries for the current host must have
file entries for the current host must have
the
.Li NOPASSWD
flag set to avoid entering a password.
@@ -3216,7 +3212,7 @@ option.
.It any
At least one of the user's
.Em sudoers
entries for the current host
file entries for the current host
must have the
.Li NOPASSWD
flag set to avoid entering a password.
@@ -3324,7 +3320,7 @@ It has the following possible values:
.It all
All the user's
.Em sudoers
entries for the current host must have the
file entries for the current host must have the
.Li NOPASSWD
flag set to avoid entering a password.
.It always
@@ -3334,7 +3330,7 @@ option.
.It any
At least one of the user's
.Em sudoers
entries for the current host must have the
file entries for the current host must have the
.Li NOPASSWD
flag set to avoid entering a password.
.It never
@@ -3660,9 +3656,9 @@ file is located on a remote file system that maps user ID 0 to
a different value.
Normally,
.Nm
tries to open
tries to open the
.Em sudoers
using group permissions to avoid this problem.
file using group permissions to avoid this problem.
Consider either changing the ownership of
.Pa @sysconfdir@/sudoers
or adding an argument like
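Review bot: "Normally, .Nm tries to open the .Em sudoers file" uses a bare .Nm while every other plugin reference in this change is spelled out as ".Nm sudoers". A bare .Nm renders the page name, so the output is identical, but writing ".Nm sudoers" here would match the convention the commit establishes and makes the source easier to read next to the ".Em sudoers" two lines below.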
@@ -3738,7 +3734,7 @@ line in the
.Xr sudo.conf @mansectform@
file.
.It unable to open @rundir@/ts/username
.Em sudoers
.Nm sudoers
was unable to read or create the user's time stamp file.
This can happen when
.Em timestampowner
@@ -3749,7 +3745,7 @@ The default mode for
.Pa @rundir@
is 0711.
.It unable to write to @rundir@/ts/username
.Em sudoers
.Nm sudoers
was unable to write to the user's time stamp file.
.It @rundir@/ts is owned by uid X, should be Y
The time stamp directory is owned by a user other than
@@ -3757,18 +3753,18 @@ The time stamp directory is owned by a user other than
This can occur when the value of
.Em timestampowner
has been changed.
.Em sudoers
.Nm sudoers
will ignore the time stamp directory until the owner is corrected.
.It @rundir@/ts is group writable
The time stamp directory is group-writable; it should be writable only by
.Em timestampowner .
The default mode for the time stamp directory is 0700.
.Em sudoers
.Nm sudoers
will ignore the time stamp directory until the mode is corrected.
.El
.Ss Notes on logging via syslog
By default,
.Em sudoers
.Nm sudoers
logs messages via
.Xr syslog 3 .
The
@@ -3777,7 +3773,7 @@ The
and
.Em progname
fields are added by the syslog daemon, not
.Em sudoers
.Nm sudoers
itself.
As such, they may vary in format on different systems.
.Pp
@@ -3796,11 +3792,11 @@ after the user name and before the continued command line arguments.
If the
.Em logfile
option is set,
.Em sudoers
.Nm sudoers
will log to a local file, such as
.Pa /var/log/sudo .
When logging to a file,
.Em sudoers
.Nm sudoers
uses a format similar to
.Xr syslog 3 ,
with a few important differences:
@@ -3845,11 +3841,11 @@ List of network groups
I/O log files
.It Pa @rundir@/ts
Directory containing time stamps for the
.Em sudoers
.Nm sudoers
security policy
.It Pa @vardir@/lectured
Directory containing lecture status files for the
.Em sudoers
.Nm sudoers
security policy
.It Pa /etc/environment
Initial environment for
@@ -3859,7 +3855,7 @@ mode on AIX and Linux systems
.Sh EXAMPLES
Below are example
.Em sudoers
entries.
file entries.
Admittedly, some of these are a bit contrived.
First, we allow a few environment variables to pass and then define our
.Em aliases :
@@ -4277,7 +4273,7 @@ it can result in a security issue for rules that subtract or revoke privileges.
.Pp
For example, given the following
.Em sudoers
entry:
file entry:
.Bd -literal
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
@@ -4394,16 +4390,16 @@ user permission to run
(see below).
.Ss Secure editing
The
.Em sudoers
.Nm sudoers
plugin includes
.Nm sudoedit
support which allows users to securely edit files with the editor
of their choice.
As
.Nm sudoedit
is a built-in command, it must be specified in
is a built-in command, it must be specified in the
.Em sudoers
without a leading path.
file without a leading path.
However, it may take command line arguments just as a normal command does.
Wildcards used in
.Em sudoedit
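Review bot: the built-in command is marked up as ".Nm sudoedit" twice in this hunk ("plugin includes .Nm sudoedit support", "As .Nm sudoedit is a built-in command") but as ".Em sudoedit" in the trailing "Wildcards used in .Em sudoedit" line. Since .Nm is being reserved for the plugin and its built-in command and .Em for the file, the last one should probably be .Nm too, unless it is intentionally referring to something else.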
@@ -4461,7 +4457,7 @@ tag.
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.Ss Time stamp file checks
.Em sudoers
.Nm sudoers
will check the ownership of its time stamp directory
.Po
.Pa @rundir@/ts
@@ -4483,14 +4479,14 @@ be cleared at reboot time, not all systems contain a
.Pa /var/run
directory.
To avoid potential problems,
.Em sudoers
.Nm sudoers
will ignore time stamp files that date from before the machine booted
on systems where the boot time is available.
.Pp
Some systems with graphical desktop environments allow unprivileged
users to change the system clock.
Since
.Em sudoers
.Nm sudoers
relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run
.Nm sudo
@@ -4498,16 +4494,16 @@ for longer than
.Em timestamp_timeout
by setting the clock back.
To combat this,
.Em sudoers
.Nm sudoers
uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it.
.Pp
.Em sudoers
.Nm sudoers
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
.Li TIMEOUT
will be ignored and
.Em sudoers
.Nm sudoers
will log and complain.
.Pp
Since time stamp files live in the file system, they can outlive a
@@ -4518,8 +4514,9 @@ after authenticating, logout, login again, and run
.Nm sudo
without authenticating so long as the record's time stamp is within
.Li @timeout@
minutes (or whatever value the timeout is set to in
.Em sudoers ) .
minutes (or whatever value the timeout is set to in the
.Em sudoers
file).
When the
.Em tty_tickets
option is enabled, the time stamp record includes the device
@@ -4584,6 +4581,7 @@ BSM and Linux audit code
user authentication
.It Em defaults
.Em sudoers
file
.Em Defaults
settings
.It Em env
@@ -4593,13 +4591,14 @@ LDAP-based sudoers
.It Em logging
logging support
.It Em match
matching of users, groups, hosts and netgroups in
matching of users, groups, hosts and netgroups in the
.Em sudoers
file
.It Em netif
network interface handling
.It Em nss
network service switch handling in
.Em sudoers
.Nm sudoers
.It Em parser
.Em sudoers
file parsing
@@ -4660,9 +4659,9 @@ be edited by the
.Nm visudo
command which locks the file and does grammatical checking.
It is
imperative that
imperative that the
.Em sudoers
be free of syntax errors since
file be free of syntax errors since
.Nm sudo
will not run with a syntactically incorrect
.Em sudoers