isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use "Nm sudoers" when talking about the plugin and "Em sudoers" when

Browse Source 
talking about the sudoers file.
This commit is contained in:
Todd C. Miller
2016-01-16 16:46:17 -07:00
parent 12a8becd70
commit ad8c96403d
3 changed files with 250 additions and 250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
doc/sudoers.cat
View File

@@ -7,7 +7,7 @@ DDEESSCCRRIIPPTTIIOONN
The ssuuddooeerrss policy plugin determines a user's ssuuddoo privileges. It is the The ssuuddooeerrss policy plugin determines a user's ssuuddoo privileges. It is the
default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s
file or, optionally in LDAP. The policy format is described in detail in file or, optionally in LDAP. The policy format is described in detail in
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing ssuuddooeerrss
policy information in LDAP, please see sudoers.ldap(4). policy information in LDAP, please see sudoers.ldap(4).
CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss
@@ -61,11 +61,11 @@ DDEESSCCRRIIPPTTIIOONN
manual. manual.
AAuutthheennttiiccaattiioonn aanndd llooggggiinngg AAuutthheennttiiccaattiioonn aanndd llooggggiinngg
The _s_u_d_o_e_r_s security policy requires that most users authenticate The ssuuddooeerrss security policy requires that most users authenticate
themselves before they can use ssuuddoo. A password is not required if the themselves before they can use ssuuddoo. A password is not required if the
invoking user is root, if the target user is the same as the invoking invoking user is root, if the target user is the same as the invoking
user, or if the policy has disabled authentication for the user or user, or if the policy has disabled authentication for the user or
command. Unlike su(1), when _s_u_d_o_e_r_s requires authentication, it command. Unlike su(1), when ssuuddooeerrss requires authentication, it
validates the invoking user's credentials, not the target user's (or validates the invoking user's credentials, not the target user's (or
root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
_r_u_n_a_s_p_w flags, described later. _r_u_n_a_s_p_w flags, described later.
@@ -83,25 +83,24 @@ DDEESSCCRRIIPPTTIIOONN
regardless of whether or not mail is sent. regardless of whether or not mail is sent.
If ssuuddoo is run by root and the SUDO_USER environment variable is set, the If ssuuddoo is run by root and the SUDO_USER environment variable is set, the
_s_u_d_o_e_r_s policy will use this value to determine who the actual user is. ssuuddooeerrss policy will use this value to determine who the actual user is.
This can be used by a user to log commands through sudo even when a root This can be used by a user to log commands through sudo even when a root
shell has been invoked. It also allows the --ee option to remain useful shell has been invoked. It also allows the --ee option to remain useful
even when invoked via a sudo-run script or program. Note, however, that even when invoked via a sudo-run script or program. Note, however, that
the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by the _s_u_d_o_e_r_s file lookup is still done for root, not the user specified by
SUDO_USER. SUDO_USER.
_s_u_d_o_e_r_s uses per-user time stamp files for credential caching. Once a ssuuddooeerrss uses per-user time stamp files for credential caching. Once a
user has been authenticated, a record is written containing the uid that user has been authenticated, a record is written containing the uid that
was used to authenticate, the terminal session ID, and a time stamp was used to authenticate, the terminal session ID, and a time stamp
(using a monotonic clock if one is available). The user may then use (using a monotonic clock if one is available). The user may then use
ssuuddoo without a password for a short period of time (5 minutes unless ssuuddoo without a password for a short period of time (5 minutes unless
overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a separate overridden by the _t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate
record for each tty, which means that a user's login sessions are record for each tty, which means that a user's login sessions are
authenticated separately. The _t_t_y___t_i_c_k_e_t_s option can be disabled to authenticated separately. The _t_t_y___t_i_c_k_e_t_s option can be disabled to
force the use of a single time stamp for all of a user's sessions. force the use of a single time stamp for all of a user's sessions.
ssuuddooeerrss can log both successful and unsuccessful attempts (as well as
_s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as errors) to syslog(3), a log file, or both. By default, ssuuddooeerrss will log
errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log
via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults
settings. settings.
@@ -111,10 +110,10 @@ DDEESSCCRRIIPPTTIIOONN
tags. tags.
CCoommmmaanndd eennvviirroonnmmeenntt CCoommmmaanndd eennvviirroonnmmeenntt
Since environment variables can influence program behavior, _s_u_d_o_e_r_s Since environment variables can influence program behavior, ssuuddooeerrss
provides a means to restrict which variables from the user's environment provides a means to restrict which variables from the user's environment
are inherited by the command to be run. There are two distinct ways are inherited by the command to be run. There are two distinct ways
_s_u_d_o_e_r_s can deal with environment variables. ssuuddooeerrss can deal with environment variables.
By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be
executed with a new, minimal environment. On AIX (and Linux systems executed with a new, minimal environment. On AIX (and Linux systems
@@ -173,7 +172,7 @@ DDEESSCCRRIIPPTTIIOONN
them. them.
As a special case, if ssuuddoo's --ii option (initial login) is specified, As a special case, if ssuuddoo's --ii option (initial login) is specified,
_s_u_d_o_e_r_s will initialize the environment regardless of the value of ssuuddooeerrss will initialize the environment regardless of the value of
_e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME, _e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
(and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are (and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are
@@ -193,8 +192,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
there are multiple matches, the last match is used (which is not there are multiple matches, the last match is used (which is not
necessarily the most specific match). necessarily the most specific match).
The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur Form The _s_u_d_o_e_r_s file grammar will be described below in Extended Backus-Naur
(EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
simple, and the definitions below are annotated. simple, and the definitions below are annotated.
QQuuiicckk gguuiiddee ttoo EEBBNNFF QQuuiicckk gguuiiddee ttoo EEBBNNFF
@@ -388,7 +387,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may
take command line arguments just as a normal command does. Note that take command line arguments just as a normal command does. Note that
``sudoedit'' is a command built into ssuuddoo itself and must be specified in ``sudoedit'' is a command built into ssuuddoo itself and must be specified in
_s_u_d_o_e_r_s without a leading path. the _s_u_d_o_e_r_s file without a leading path.
If a command name is prefixed with a Digest_Spec, the command will only If a command name is prefixed with a Digest_Spec, the command will only
match successfully if it can be verified using the specified SHA-2 match successfully if it can be verified using the specified SHA-2
@@ -556,14 +555,14 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
setting the group to operator or system. setting the group to operator or system.
SSEELLiinnuuxx__SSppeecc SSEELLiinnuuxx__SSppeecc
On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have
SELinux role and/or type associated with a command. If a role or type is an SELinux role and/or type associated with a command. If a role or type
specified with the command it will override any default values specified is specified with the command it will override any default values
in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will specified in _s_u_d_o_e_r_s. A role or type specified on the command line,
supersede the values in _s_u_d_o_e_r_s. however, will supersede the values in _s_u_d_o_e_r_s.
SSoollaarriiss__PPrriivv__SSppeecc SSoollaarriiss__PPrriivv__SSppeecc
On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris On Solaris systems, _s_u_d_o_e_r_s file entries may optionally specify Solaris
privilege set and/or limit privilege set associated with a command. If privilege set and/or limit privilege set associated with a command. If
privileges or limit privileges are specified with the command it will privileges or limit privileges are specified with the command it will
override any default values specified in _s_u_d_o_e_r_s. override any default values specified in _s_u_d_o_e_r_s.
@@ -736,14 +735,15 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
$ sudo cat /var/log/messages /etc/shadow $ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended. In most cases it is better to which is probably not what was intended. In most cases it is better to
do command line processing outside of _s_u_d_o_e_r_s in a scripting language. do command line processing outside of the _s_u_d_o_e_r_s file in a scripting
language.
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules: The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the "" If the empty string "" is the only command line argument in the
_s_u_d_o_e_r_s entry it means that command is not allowed to be run _s_u_d_o_e_r_s file entry it means that command is not allowed to be
with _a_n_y arguments. run with _a_n_y arguments.
sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should
always be path names, so a forward slash (`/') will not be always be path names, so a forward slash (`/') will not be
@@ -756,8 +756,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in
addition to a local, per-machine file. For the sake of this example the addition to a local, per-machine file. For the sake of this example the
site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be site-wide _s_u_d_o_e_r_s file will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will
_/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
_/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
#include /etc/sudoers.local #include /etc/sudoers.local
@@ -785,8 +785,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s.
The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory
that the system package manager can drop _s_u_d_o_e_r_s rules into as part of that the system package manager can drop _s_u_d_o_e_r_s file rules into as part
package installation. For example, given: of package installation. For example, given:
#includedir /etc/sudoers.d #includedir /etc/sudoers.d
@@ -967,9 +967,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
names that include globbing characters are used with names that include globbing characters are used with
the negation operator, `!', as such rules can be the negation operator, `!', as such rules can be
trivially bypassed. As such, this option should not be trivially bypassed. As such, this option should not be
used when _s_u_d_o_e_r_s contains rules that contain negated used when the _s_u_d_o_e_r_s file contains rules that contain
path names which include globbing characters. This negated path names which include globbing characters.
flag is _o_f_f by default. This flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified host fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file when the local host name (as names in the _s_u_d_o_e_r_s file when the local host name (as
@@ -1039,7 +1039,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
log_host If set, the host name will be logged in the (non- log_host If set, the host name will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default. syslog) ssuuddoo log file. This flag is _o_f_f by default.
log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o_-_t_t_y and log_input If set, ssuuddoo will run the command in a pseudo-tty and
log all user input. If the standard input is not log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input because the command is part of a pipeline, that input
@@ -1064,7 +1064,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
unencrypted. In most cases, logging the command output unencrypted. In most cases, logging the command output
via _l_o_g___o_u_t_p_u_t is all that is required. via _l_o_g___o_u_t_p_u_t is all that is required.
log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o_-_t_t_y and log_output If set, ssuuddoo will run the command in a pseudo-tty and
log all output that is sent to the screen, similar to log all output that is sent to the screen, similar to
the script(1) command. If the standard output or the script(1) command. If the standard output or
standard error is not connected to the user's tty, due standard error is not connected to the user's tty, due
@@ -1112,7 +1112,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
does not enter the correct password. If the command does not enter the correct password. If the command
the user is attempting to run is not permitted by the user is attempting to run is not permitted by
_s_u_d_o_e_r_s and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s, ssuuddooeerrss and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s,
_m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are _m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are
set, this flag will have no effect. This flag is _o_f_f set, this flag will have no effect. This flag is _o_f_f
by default. by default.
@@ -1323,13 +1323,14 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
single record is used for all login sessions. This single record is used for all login sessions. This
flag is _o_n by default. flag is _o_n by default.
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s umask_override If set, ssuuddoo will set the umask as specified in the
without modification. This makes it possible to _s_u_d_o_e_r_s file without modification. This makes it
specify a more permissive umask in _s_u_d_o_e_r_s than the possible to specify a umask in the _s_u_d_o_e_r_s file that is
user's own umask and matches historical behavior. If more permissive than the user's own umask and matches
_u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to historical behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set,
be the union of the user's umask and what is specified ssuuddoo will set the umask to be the union of the user's
in _s_u_d_o_e_r_s. This flag is _o_f_f by default. umask and what is specified in _s_u_d_o_e_r_s. This flag is
_o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults specified for the use_loginclass If set, ssuuddoo will apply the defaults specified for the
target user's login class if one exists. Only target user's login class if one exists. Only
@@ -1588,8 +1589,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
role The default SELinux role to use when constructing a new role The default SELinux role to use when constructing a new
security context to run the command. The default role security context to run the command. The default role
may be overridden on a per-command basis in _s_u_d_o_e_r_s or may be overridden on a per-command basis in the _s_u_d_o_e_r_s
via command line options. This option is only file or via command line options. This option is only
available when ssuuddoo is built with SELinux support. available when ssuuddoo is built with SELinux support.
runas_default The default user to run commands as if the --uu option is runas_default The default user to run commands as if the --uu option is
@@ -1623,8 +1624,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
type The default SELinux type to use when constructing a new type The default SELinux type to use when constructing a new
security context to run the command. The default type security context to run the command. The default type
may be overridden on a per-command basis in _s_u_d_o_e_r_s or may be overridden on a per-command basis in the _s_u_d_o_e_r_s
via command line options. This option is only file or via command line options. This option is only
available when ssuuddoo is built with SELinux support. available when ssuuddoo is built with SELinux support.
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
@@ -1642,7 +1643,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
requirements. The group name specified should not include requirements. The group name specified should not include
a % prefix. This is not set by default. a % prefix. This is not set by default.
group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional group_plugin A string containing a ssuuddooeerrss group plugin with optional
arguments. The string should consist of the plugin path, arguments. The string should consist of the plugin path,
either fully-qualified or relative to the either fully-qualified or relative to the
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any
@@ -1675,16 +1676,16 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
a user runs ssuuddoo with the --ll option. It has the following a user runs ssuuddoo with the --ll option. It has the following
possible values: possible values:
all All the user's _s_u_d_o_e_r_s entries for the current all All the user's _s_u_d_o_e_r_s file entries for the
host must have the NOPASSWD flag set to avoid current host must have the NOPASSWD flag set to
entering a password. avoid entering a password.
always The user must always enter a password to use the always The user must always enter a password to use the
--ll option. --ll option.
any At least one of the user's _s_u_d_o_e_r_s entries for any At least one of the user's _s_u_d_o_e_r_s file entries
the current host must have the NOPASSWD flag set for the current host must have the NOPASSWD flag
to avoid entering a password. set to avoid entering a password.
never The user need never enter a password to use the never The user need never enter a password to use the
--ll option. --ll option.
@@ -1730,15 +1731,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
a user runs ssuuddoo with the --vv option. It has the following a user runs ssuuddoo with the --vv option. It has the following
possible values: possible values:
all All the user's _s_u_d_o_e_r_s entries for the current host all All the user's _s_u_d_o_e_r_s file entries for the current
must have the NOPASSWD flag set to avoid entering a host must have the NOPASSWD flag set to avoid
password. entering a password.
always The user must always enter a password to use the --vv always The user must always enter a password to use the --vv
option. option.
any At least one of the user's _s_u_d_o_e_r_s entries for the any At least one of the user's _s_u_d_o_e_r_s file entries for
current host must have the NOPASSWD flag set to the current host must have the NOPASSWD flag set to
avoid entering a password. avoid entering a password.
never The user need never enter a password to use the --vv never The user need never enter a password to use the --vv
@@ -1938,8 +1939,8 @@ LLOOGG FFOORRMMAATT
unable to open/read /etc/sudoers unable to open/read /etc/sudoers
The _s_u_d_o_e_r_s file could not be opened for reading. This can happen The _s_u_d_o_e_r_s file could not be opened for reading. This can happen
when the _s_u_d_o_e_r_s file is located on a remote file system that maps when the _s_u_d_o_e_r_s file is located on a remote file system that maps
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open user ID 0 to a different value. Normally, ssuuddooeerrss tries to open the
_s_u_d_o_e_r_s using group permissions to avoid this problem. Consider _s_u_d_o_e_r_s file using group permissions to avoid this problem. Consider
either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument
like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file. file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file.
@@ -1971,29 +1972,29 @@ LLOOGG FFOORRMMAATT
line in the sudo.conf(4) file. line in the sudo.conf(4) file.
unable to open /var/run/sudo/ts/username unable to open /var/run/sudo/ts/username
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file. This ssuuddooeerrss was unable to read or create the user's time stamp file. This
can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and
the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The
default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711. default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711.
unable to write to /var/run/sudo/ts/username unable to write to /var/run/sudo/ts/username
_s_u_d_o_e_r_s was unable to write to the user's time stamp file. ssuuddooeerrss was unable to write to the user's time stamp file.
/var/run/sudo/ts is owned by uid X, should be Y /var/run/sudo/ts is owned by uid X, should be Y
The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r.
This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed. This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed.
_s_u_d_o_e_r_s will ignore the time stamp directory until the owner is ssuuddooeerrss will ignore the time stamp directory until the owner is
corrected. corrected.
/var/run/sudo/ts is group writable /var/run/sudo/ts is group writable
The time stamp directory is group-writable; it should be writable only The time stamp directory is group-writable; it should be writable only
by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is
0700. _s_u_d_o_e_r_s will ignore the time stamp directory until the mode is 0700. ssuuddooeerrss will ignore the time stamp directory until the mode is
corrected. corrected.
NNootteess oonn llooggggiinngg vviiaa ssyysslloogg NNootteess oonn llooggggiinngg vviiaa ssyysslloogg
By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and By default, ssuuddooeerrss logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As _p_r_o_g_n_a_m_e fields are added by the syslog daemon, not ssuuddooeerrss itself. As
such, they may vary in format on different systems. such, they may vary in format on different systems.
On most systems, syslog(3) has a relatively small log buffer. To prevent On most systems, syslog(3) has a relatively small log buffer. To prevent
@@ -2004,8 +2005,8 @@ LLOOGG FFOORRMMAATT
and before the continued command line arguments. and before the continued command line arguments.
NNootteess oonn llooggggiinngg ttoo aa ffiillee NNootteess oonn llooggggiinngg ttoo aa ffiillee
If the _l_o_g_f_i_l_e option is set, _s_u_d_o_e_r_s will log to a local file, such as If the _l_o_g_f_i_l_e option is set, ssuuddooeerrss will log to a local file, such as
_/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, _s_u_d_o_e_r_s uses a format similar to _/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, ssuuddooeerrss uses a format similar to
syslog(3), with a few important differences: syslog(3), with a few important differences:
1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present. 1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present.
@@ -2032,18 +2033,18 @@ FFIILLEESS
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the
_s_u_d_o_e_r_s security policy ssuuddooeerrss security policy
_/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for
the _s_u_d_o_e_r_s security policy the ssuuddooeerrss security policy
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and
Linux systems Linux systems
EEXXAAMMPPLLEESS EEXXAAMMPPLLEESS
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit Below are example _s_u_d_o_e_r_s file entries. Admittedly, some of these are a
contrived. First, we allow a few environment variables to pass and then bit contrived. First, we allow a few environment variables to pass and
define our _a_l_i_a_s_e_s: then define our _a_l_i_a_s_e_s:
# Run X applications through sudo; HOME is used to find the # Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find # .Xauthority file. Note that other programs use HOME to find
@@ -2265,7 +2266,7 @@ SSEECCUURRIITTYY NNOOTTEESS
that grant privileges, it can result in a security issue for rules that that grant privileges, it can result in a security issue for rules that
subtract or revoke privileges. subtract or revoke privileges.
For example, given the following _s_u_d_o_e_r_s entry: For example, given the following _s_u_d_o_e_r_s file entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
@@ -2331,13 +2332,13 @@ SSEECCUURRIITTYY NNOOTTEESS
give the user permission to run ssuuddooeeddiitt (see below). give the user permission to run ssuuddooeeddiitt (see below).
SSeeccuurree eeddiittiinngg SSeeccuurree eeddiittiinngg
The _s_u_d_o_e_r_s plugin includes ssuuddooeeddiitt support which allows users to The ssuuddooeerrss plugin includes ssuuddooeeddiitt support which allows users to
securely edit files with the editor of their choice. As ssuuddooeeddiitt is a securely edit files with the editor of their choice. As ssuuddooeeddiitt is a
built-in command, it must be specified in _s_u_d_o_e_r_s without a leading path. built-in command, it must be specified in the _s_u_d_o_e_r_s file without a
However, it may take command line arguments just as a normal command leading path. However, it may take command line arguments just as a
does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments are expected to normal command does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments
be path names, so a forward slash (`/') will not be matched by a are expected to be path names, so a forward slash (`/') will not be
wildcard. matched by a wildcard.
Unlike other ssuuddoo commands, the editor is run with the permissions of the Unlike other ssuuddoo commands, the editor is run with the permissions of the
invoking user and with the environment unmodified. More information may invoking user and with the environment unmodified. More information may
@@ -2368,7 +2369,7 @@ SSEECCUURRIITTYY NNOOTTEESS
same file system. same file system.
TTiimmee ssttaammpp ffiillee cchheecckkss TTiimmee ssttaammpp ffiillee cchheecckkss
_s_u_d_o_e_r_s will check the ownership of its time stamp directory ssuuddooeerrss will check the ownership of its time stamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it (_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it
is not owned by root or if it is writable by a user other than root. is not owned by root or if it is writable by a user other than root.
Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer
@@ -2378,33 +2379,33 @@ SSEECCUURRIITTYY NNOOTTEESS
While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all
systems contain a _/_v_a_r_/_r_u_n directory. To avoid potential problems, systems contain a _/_v_a_r_/_r_u_n directory. To avoid potential problems,
_s_u_d_o_e_r_s will ignore time stamp files that date from before the machine ssuuddooeerrss will ignore time stamp files that date from before the machine
booted on systems where the boot time is available. booted on systems where the boot time is available.
Some systems with graphical desktop environments allow unprivileged users Some systems with graphical desktop environments allow unprivileged users
to change the system clock. Since _s_u_d_o_e_r_s relies on the system clock for to change the system clock. Since ssuuddooeerrss relies on the system clock for
time stamp validation, it may be possible on such systems for a user to time stamp validation, it may be possible on such systems for a user to
run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To
combat this, _s_u_d_o_e_r_s uses a monotonic clock (which never moves backwards) combat this, ssuuddooeerrss uses a monotonic clock (which never moves backwards)
for its time stamps if the system supports it. for its time stamps if the system supports it.
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps ssuuddooeerrss will not honor time stamps set far in the future. Time stamps
with a date greater than current_time + 2 * TIMEOUT will be ignored and with a date greater than current_time + 2 * TIMEOUT will be ignored and
_s_u_d_o_e_r_s will log and complain. ssuuddooeerrss will log and complain.
Since time stamp files live in the file system, they can outlive a user's Since time stamp files live in the file system, they can outlive a user's
login session. As a result, a user may be able to login, run a command login session. As a result, a user may be able to login, run a command
with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without
authenticating so long as the record's time stamp is within 5 minutes (or authenticating so long as the record's time stamp is within 5 minutes (or
whatever value the timeout is set to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s whatever value the timeout is set to in the _s_u_d_o_e_r_s file). When the
option is enabled, the time stamp record includes the device number of _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp record includes the device
the terminal the user authenticated with. This provides per-tty number of the terminal the user authenticated with. This provides per-
granularity but time stamp records still may outlive the user's session. tty granularity but time stamp records still may outlive the user's
The time stamp record also includes the session ID of the process that session. The time stamp record also includes the session ID of the
last authenticated. This prevents processes in different terminal process that last authenticated. This prevents processes in different
sessions from using the same time stamp record. It also helps reduce the terminal sessions from using the same time stamp record. It also helps
chance that a user will be able to run ssuuddoo without entering a password reduce the chance that a user will be able to run ssuuddoo without entering a
when logging out and back in again on the same terminal. password when logging out and back in again on the same terminal.
DDEEBBUUGGGGIINNGG DDEEBBUUGGGGIINNGG
Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible
@@ -2431,7 +2432,7 @@ DDEEBBUUGGGGIINNGG
_a_u_t_h user authentication _a_u_t_h user authentication
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s file _D_e_f_a_u_l_t_s settings
_e_n_v environment handling _e_n_v environment handling
@@ -2439,11 +2440,12 @@ DDEEBBUUGGGGIINNGG
_l_o_g_g_i_n_g logging support _l_o_g_g_i_n_g logging support
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s _m_a_t_c_h matching of users, groups, hosts and netgroups in the _s_u_d_o_e_r_s
file
_n_e_t_i_f network interface handling _n_e_t_i_f network interface handling
_n_s_s network service switch handling in _s_u_d_o_e_r_s _n_s_s network service switch handling in ssuuddooeerrss
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
@@ -2480,8 +2482,8 @@ AAUUTTHHOORRSS
CCAAVVEEAATTSS CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which
locks the file and does grammatical checking. It is imperative that locks the file and does grammatical checking. It is imperative that the
_s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a _s_u_d_o_e_r_s file be free of syntax errors since ssuuddoo will not run with a
syntactically incorrect _s_u_d_o_e_r_s file. syntactically incorrect _s_u_d_o_e_r_s file.
When using netgroups of machines (as opposed to users), if you store When using netgroups of machines (as opposed to users), if you store

149
doc/sudoers.man.in
View File

@@ -44,7 +44,7 @@ The policy format is described in detail in the
\fISUDOERS FILE FORMAT\fR \fISUDOERS FILE FORMAT\fR
section. section.
For information on storing For information on storing
\fIsudoers\fR \fBsudoers\fR
policy information policy information
in LDAP, please see in LDAP, please see
sudoers.ldap(@mansectform@). sudoers.ldap(@mansectform@).
@@ -138,7 +138,7 @@ sudo.conf(@mansectform@),
please refer to its manual. please refer to its manual.
.SS "Authentication and logging" .SS "Authentication and logging"
The The
\fIsudoers\fR \fBsudoers\fR
security policy requires that most users authenticate security policy requires that most users authenticate
themselves before they can use themselves before they can use
\fBsudo\fR. \fBsudo\fR.
@@ -149,7 +149,7 @@ user or command.
Unlike Unlike
su(1), su(1),
when when
\fIsudoers\fR \fBsudoers\fR
requires requires
authentication, it validates the invoking user's credentials, not authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials. the target user's (or root's) credentials.
@@ -198,7 +198,7 @@ is run by root and the
\fRSUDO_USER\fR \fRSUDO_USER\fR
environment variable environment variable
is set, the is set, the
\fIsudoers\fR \fBsudoers\fR
policy will use this value to determine who policy will use this value to determine who
the actual user is. the actual user is.
This can be used by a user to log commands This can be used by a user to log commands
@@ -210,10 +210,10 @@ option to remain useful even when invoked via a
sudo-run script or program. sudo-run script or program.
Note, however, that the Note, however, that the
\fIsudoers\fR \fIsudoers\fR
lookup is still done for root, not the user specified by file lookup is still done for root, not the user specified by
\fRSUDO_USER\fR. \fRSUDO_USER\fR.
.PP .PP
\fIsudoers\fR \fBsudoers\fR
uses per-user time stamp files for credential caching. uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the containing the uid that was used to authenticate, the
@@ -228,21 +228,20 @@ minutes unless overridden by the
option) option)
\&. \&.
By default, By default,
\fIsudoers\fR \fBsudoers\fR
uses a separate record for each tty, which means that uses a separate record for each tty, which means that
a user's login sessions are authenticated separately. a user's login sessions are authenticated separately.
The The
\fItty_tickets\fR \fItty_tickets\fR
option can be disabled to force the use of a option can be disabled to force the use of a
single time stamp for all of a user's sessions. single time stamp for all of a user's sessions.
.PP \fBsudoers\fR
\fIsudoers\fR
can log both successful and unsuccessful attempts (as well can log both successful and unsuccessful attempts (as well
as errors) to as errors) to
syslog(3), syslog(3),
a log file, or both. a log file, or both.
By default, By default,
\fIsudoers\fR \fBsudoers\fR
will log via will log via
syslog(3) syslog(3)
but this is changeable via the but this is changeable via the
@@ -266,12 +265,12 @@ and
command tags. command tags.
.SS "Command environment" .SS "Command environment"
Since environment variables can influence program behavior, Since environment variables can influence program behavior,
\fIsudoers\fR \fBsudoers\fR
provides a means to restrict which variables from the user's provides a means to restrict which variables from the user's
environment are inherited by the command to be run. environment are inherited by the command to be run.
There are two There are two
distinct ways distinct ways
\fIsudoers\fR \fBsudoers\fR
can deal with environment variables. can deal with environment variables.
.PP .PP
By default, the By default, the
@@ -424,7 +423,7 @@ As a special case, if
\fB\-i\fR \fB\-i\fR
option (initial login) is option (initial login) is
specified, specified,
\fIsudoers\fR \fBsudoers\fR
will initialize the environment regardless will initialize the environment regardless
of the value of of the value of
\fIenv_reset\fR. \fIenv_reset\fR.
@@ -476,7 +475,7 @@ not necessarily the most specific match).
.PP .PP
The The
\fIsudoers\fR \fIsudoers\fR
grammar will be described below in Extended Backus-Naur file grammar will be described below in Extended Backus-Naur
Form (EBNF). Form (EBNF).
Don't despair if you are unfamiliar with EBNF; it is fairly simple, Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated. and the definitions below are annotated.
@@ -840,9 +839,9 @@ Note that
\(Lq\fRsudoedit\fR\(Rq \(Lq\fRsudoedit\fR\(Rq
is a command built into is a command built into
\fBsudo\fR \fBsudo\fR
itself and must be specified in itself and must be specified in the
\fIsudoers\fR \fIsudoers\fR
without a leading path. file without a leading path.
.PP .PP
If a If a
\fRcommand name\fR \fRcommand name\fR
@@ -1168,7 +1167,7 @@ optionally setting the group to operator or system.
.SS "SELinux_Spec" .SS "SELinux_Spec"
On systems with SELinux support, On systems with SELinux support,
\fIsudoers\fR \fIsudoers\fR
entries may optionally have an SELinux role and/or type associated file entries may optionally have an SELinux role and/or type associated
with a command. with a command.
If a role or If a role or
type is specified with the command it will override any default values type is specified with the command it will override any default values
@@ -1180,7 +1179,7 @@ however, will supersede the values in
.SS "Solaris_Priv_Spec" .SS "Solaris_Priv_Spec"
On Solaris systems, On Solaris systems,
\fIsudoers\fR \fIsudoers\fR
entries may optionally specify Solaris privilege set and/or limit file entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command. privilege set associated with a command.
If privileges or limit privileges are specified with the command If privileges or limit privileges are specified with the command
it will override any default values specified in it will override any default values specified in
@@ -1582,9 +1581,9 @@ $ sudo cat /var/log/messages /etc/shadow
.PP .PP
which is probably not what was intended. which is probably not what was intended.
In most cases it is better to do command line processing In most cases it is better to do command line processing
outside of outside of the
\fIsudoers\fR \fIsudoers\fR
in a scripting language. file in a scripting language.
.SS "Exceptions to wildcard rules" .SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules: The following exceptions apply to the above rules:
.TP 10n .TP 10n
@@ -1593,7 +1592,7 @@ If the empty string
\fR\&""\fR \fR\&""\fR
is the only command line argument in the is the only command line argument in the
\fIsudoers\fR \fIsudoers\fR
entry it means that command is not allowed to be run with file entry it means that command is not allowed to be run with
\fIany\fR \fIany\fR
arguments. arguments.
.TP 10n .TP 10n
@@ -1619,7 +1618,7 @@ This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file. file in addition to a local, per-machine file.
For the sake of this example the site-wide For the sake of this example the site-wide
\fIsudoers\fR \fIsudoers\fR
will be file will be
\fI/etc/sudoers\fR \fI/etc/sudoers\fR
and the per-machine one will be and the per-machine one will be
\fI/etc/sudoers.local\fR. \fI/etc/sudoers.local\fR.
@@ -1694,8 +1693,7 @@ directive can be used to create a
\fIsudoers.d\fR \fIsudoers.d\fR
directory that the system package manager can drop directory that the system package manager can drop
\fIsudoers\fR \fIsudoers\fR
rules file rules into as part of package installation.
into as part of package installation.
For example, given: For example, given:
.nf .nf
.sp .sp
@@ -2084,9 +2082,9 @@ This has security implications when path names that include globbing
characters are used with the negation operator, characters are used with the negation operator,
\(oq!\&\(cq, \(oq!\&\(cq,
as such rules can be trivially bypassed. as such rules can be trivially bypassed.
As such, this option should not be used when As such, this option should not be used when the
\fIsudoers\fR \fIsudoers\fR
contains rules that contain negated path names which include globbing file contains rules that contain negated path names which include globbing
characters. characters.
This flag is This flag is
\fIoff\fR \fIoff\fR
@@ -2218,9 +2216,7 @@ by default.
log_input log_input
If set, If set,
\fBsudo\fR \fBsudo\fR
will run the command in a will run the command in a pseudo-tty and log all user input.
\fIpseudo-tty\fR
and log all user input.
If the standard input is not connected to the user's tty, due to If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file. input is also captured and stored in a separate log file.
@@ -2263,9 +2259,8 @@ is all that is required.
log_output log_output
If set, If set,
\fBsudo\fR \fBsudo\fR
will run the command in a will run the command in a pseudo-tty and log all output that is sent
\fIpseudo-tty\fR to the screen, similar to the
and log all output that is sent to the screen, similar to the
script(1) script(1)
command. command.
If the standard output or standard error is not connected to the If the standard output or standard error is not connected to the
@@ -2363,7 +2358,7 @@ user if the user running
\fBsudo\fR \fBsudo\fR
does not enter the correct password. does not enter the correct password.
If the command the user is attempting to run is not permitted by If the command the user is attempting to run is not permitted by
\fIsudoers\fR \fBsudoers\fR
and one of the and one of the
\fImail_all_cmnds\fR, \fImail_all_cmnds\fR,
\fImail_always\fR, \fImail_always\fR,
@@ -2809,12 +2804,13 @@ by default.
umask_override umask_override
If set, If set,
\fBsudo\fR \fBsudo\fR
will set the umask as specified by will set the umask as specified in the
\fIsudoers\fR \fIsudoers\fR
without modification. file without modification.
This makes it possible to specify a more permissive umask in This makes it possible to specify a umask in the
\fIsudoers\fR \fIsudoers\fR
than the user's own umask and matches historical behavior. file that is more permissive than the user's own umask and matches
historical behavior.
If If
\fIumask_override\fR \fIumask_override\fR
is not set, is not set,
@@ -3272,9 +3268,9 @@ is built on Solaris 10 or higher.
role role
The default SELinux role to use when constructing a new security The default SELinux role to use when constructing a new security
context to run the command. context to run the command.
The default role may be overridden on a per-command basis in The default role may be overridden on a per-command basis in the
\fIsudoers\fR \fIsudoers\fR
or via command line options. file or via command line options.
This option is only available when This option is only available when
\fBsudo\fR \fBsudo\fR
is built with SELinux support. is built with SELinux support.
@@ -3335,9 +3331,9 @@ The default is
type type
The default SELinux type to use when constructing a new security The default SELinux type to use when constructing a new security
context to run the command. context to run the command.
The default type may be overridden on a per-command basis in The default type may be overridden on a per-command basis in the
\fIsudoers\fR \fIsudoers\fR
or via command line options. file or via command line options.
This option is only available when This option is only available when
\fBsudo\fR \fBsudo\fR
is built with SELinux support. is built with SELinux support.
@@ -3370,7 +3366,7 @@ This is not set by default.
.TP 14n .TP 14n
group_plugin group_plugin
A string containing a A string containing a
\fIsudoers\fR \fBsudoers\fR
group plugin with optional arguments. group plugin with optional arguments.
The string should consist of the plugin The string should consist of the plugin
path, either fully-qualified or relative to the path, either fully-qualified or relative to the
@@ -3435,7 +3431,7 @@ It has the following possible values:
all all
All the user's All the user's
\fIsudoers\fR \fIsudoers\fR
entries for the current host must have file entries for the current host must have
the the
\fRNOPASSWD\fR \fRNOPASSWD\fR
flag set to avoid entering a password. flag set to avoid entering a password.
@@ -3449,7 +3445,7 @@ option.
any any
At least one of the user's At least one of the user's
\fIsudoers\fR \fIsudoers\fR
entries for the current host file entries for the current host
must have the must have the
\fRNOPASSWD\fR \fRNOPASSWD\fR
flag set to avoid entering a password. flag set to avoid entering a password.
@@ -3569,7 +3565,7 @@ It has the following possible values:
all all
All the user's All the user's
\fIsudoers\fR \fIsudoers\fR
entries for the current host must have the file entries for the current host must have the
\fRNOPASSWD\fR \fRNOPASSWD\fR
flag set to avoid entering a password. flag set to avoid entering a password.
.PD .PD
@@ -3582,7 +3578,7 @@ option.
any any
At least one of the user's At least one of the user's
\fIsudoers\fR \fIsudoers\fR
entries for the current host must have the file entries for the current host must have the
\fRNOPASSWD\fR \fRNOPASSWD\fR
flag set to avoid entering a password. flag set to avoid entering a password.
.TP 8n .TP 8n
@@ -3941,9 +3937,9 @@ file is located on a remote file system that maps user ID 0 to
a different value. a different value.
Normally, Normally,
\fBsudoers\fR \fBsudoers\fR
tries to open tries to open the
\fIsudoers\fR \fIsudoers\fR
using group permissions to avoid this problem. file using group permissions to avoid this problem.
Consider either changing the ownership of Consider either changing the ownership of
\fI@sysconfdir@/sudoers\fR \fI@sysconfdir@/sudoers\fR
or adding an argument like or adding an argument like
@@ -4025,7 +4021,7 @@ sudo.conf(@mansectform@)
file. file.
.TP 3n .TP 3n
unable to open @rundir@/ts/username unable to open @rundir@/ts/username
\fIsudoers\fR \fBsudoers\fR
was unable to read or create the user's time stamp file. was unable to read or create the user's time stamp file.
This can happen when This can happen when
\fItimestampowner\fR \fItimestampowner\fR
@@ -4037,7 +4033,7 @@ The default mode for
is 0711. is 0711.
.TP 3n .TP 3n
unable to write to @rundir@/ts/username unable to write to @rundir@/ts/username
\fIsudoers\fR \fBsudoers\fR
was unable to write to the user's time stamp file. was unable to write to the user's time stamp file.
.TP 3n .TP 3n
@rundir@/ts is owned by uid X, should be Y @rundir@/ts is owned by uid X, should be Y
@@ -4046,18 +4042,18 @@ The time stamp directory is owned by a user other than
This can occur when the value of This can occur when the value of
\fItimestampowner\fR \fItimestampowner\fR
has been changed. has been changed.
\fIsudoers\fR \fBsudoers\fR
will ignore the time stamp directory until the owner is corrected. will ignore the time stamp directory until the owner is corrected.
.TP 3n .TP 3n
@rundir@/ts is group writable @rundir@/ts is group writable
The time stamp directory is group-writable; it should be writable only by The time stamp directory is group-writable; it should be writable only by
\fItimestampowner\fR. \fItimestampowner\fR.
The default mode for the time stamp directory is 0700. The default mode for the time stamp directory is 0700.
\fIsudoers\fR \fBsudoers\fR
will ignore the time stamp directory until the mode is corrected. will ignore the time stamp directory until the mode is corrected.
.SS "Notes on logging via syslog" .SS "Notes on logging via syslog"
By default, By default,
\fIsudoers\fR \fBsudoers\fR
logs messages via logs messages via
syslog(3). syslog(3).
The The
@@ -4066,7 +4062,7 @@ The
and and
\fIprogname\fR \fIprogname\fR
fields are added by the syslog daemon, not fields are added by the syslog daemon, not
\fIsudoers\fR \fBsudoers\fR
itself. itself.
As such, they may vary in format on different systems. As such, they may vary in format on different systems.
.PP .PP
@@ -4085,11 +4081,11 @@ after the user name and before the continued command line arguments.
If the If the
\fIlogfile\fR \fIlogfile\fR
option is set, option is set,
\fIsudoers\fR \fBsudoers\fR
will log to a local file, such as will log to a local file, such as
\fI/var/log/sudo\fR. \fI/var/log/sudo\fR.
When logging to a file, When logging to a file,
\fIsudoers\fR \fBsudoers\fR
uses a format similar to uses a format similar to
syslog(3), syslog(3),
with a few important differences: with a few important differences:
@@ -4140,12 +4136,12 @@ I/O log files
.TP 26n .TP 26n
\fI@rundir@/ts\fR \fI@rundir@/ts\fR
Directory containing time stamps for the Directory containing time stamps for the
\fIsudoers\fR \fBsudoers\fR
security policy security policy
.TP 26n .TP 26n
\fI@vardir@/lectured\fR \fI@vardir@/lectured\fR
Directory containing lecture status files for the Directory containing lecture status files for the
\fIsudoers\fR \fBsudoers\fR
security policy security policy
.TP 26n .TP 26n
\fI/etc/environment\fR \fI/etc/environment\fR
@@ -4155,7 +4151,7 @@ mode on AIX and Linux systems
.SH "EXAMPLES" .SH "EXAMPLES"
Below are example Below are example
\fIsudoers\fR \fIsudoers\fR
entries. file entries.
Admittedly, some of these are a bit contrived. Admittedly, some of these are a bit contrived.
First, we allow a few environment variables to pass and then define our First, we allow a few environment variables to pass and then define our
\fIaliases\fR: \fIaliases\fR:
@@ -4635,7 +4631,7 @@ it can result in a security issue for rules that subtract or revoke privileges.
.PP .PP
For example, given the following For example, given the following
\fIsudoers\fR \fIsudoers\fR
entry: file entry:
.nf .nf
.sp .sp
.RS 0n .RS 0n
@@ -4760,16 +4756,16 @@ user permission to run
(see below). (see below).
.SS "Secure editing" .SS "Secure editing"
The The
\fIsudoers\fR \fBsudoers\fR
plugin includes plugin includes
\fBsudoedit\fR \fBsudoedit\fR
support which allows users to securely edit files with the editor support which allows users to securely edit files with the editor
of their choice. of their choice.
As As
\fBsudoedit\fR \fBsudoedit\fR
is a built-in command, it must be specified in is a built-in command, it must be specified in the
\fIsudoers\fR \fIsudoers\fR
without a leading path. file without a leading path.
However, it may take command line arguments just as a normal command does. However, it may take command line arguments just as a normal command does.
Wildcards used in Wildcards used in
\fIsudoedit\fR \fIsudoedit\fR
@@ -4833,7 +4829,7 @@ tag.
However, it is still possible to create a hard link if the directory However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system. is writable and the link target resides on the same file system.
.SS "Time stamp file checks" .SS "Time stamp file checks"
\fIsudoers\fR \fBsudoers\fR
will check the ownership of its time stamp directory will check the ownership of its time stamp directory
(\fI@rundir@/ts\fR (\fI@rundir@/ts\fR
by default) by default)
@@ -4853,14 +4849,14 @@ be cleared at reboot time, not all systems contain a
\fI/var/run\fR \fI/var/run\fR
directory. directory.
To avoid potential problems, To avoid potential problems,
\fIsudoers\fR \fBsudoers\fR
will ignore time stamp files that date from before the machine booted will ignore time stamp files that date from before the machine booted
on systems where the boot time is available. on systems where the boot time is available.
.PP .PP
Some systems with graphical desktop environments allow unprivileged Some systems with graphical desktop environments allow unprivileged
users to change the system clock. users to change the system clock.
Since Since
\fIsudoers\fR \fBsudoers\fR
relies on the system clock for time stamp validation, it may be relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run possible on such systems for a user to run
\fBsudo\fR \fBsudo\fR
@@ -4868,16 +4864,16 @@ for longer than
\fItimestamp_timeout\fR \fItimestamp_timeout\fR
by setting the clock back. by setting the clock back.
To combat this, To combat this,
\fIsudoers\fR \fBsudoers\fR
uses a monotonic clock (which never moves backwards) for its time stamps uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it. if the system supports it.
.PP .PP
\fIsudoers\fR \fBsudoers\fR
will not honor time stamps set far in the future. will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 * Time stamps with a date greater than current_time + 2 *
\fRTIMEOUT\fR \fRTIMEOUT\fR
will be ignored and will be ignored and
\fIsudoers\fR \fBsudoers\fR
will log and complain. will log and complain.
.PP .PP
Since time stamp files live in the file system, they can outlive a Since time stamp files live in the file system, they can outlive a
@@ -4888,8 +4884,9 @@ after authenticating, logout, login again, and run
\fBsudo\fR \fBsudo\fR
without authenticating so long as the record's time stamp is within without authenticating so long as the record's time stamp is within
\fR@timeout@\fR \fR@timeout@\fR
minutes (or whatever value the timeout is set to in minutes (or whatever value the timeout is set to in the
\fIsudoers\fR). \fIsudoers\fR
file).
When the When the
\fItty_tickets\fR \fItty_tickets\fR
option is enabled, the time stamp record includes the device option is enabled, the time stamp record includes the device
@@ -4958,6 +4955,7 @@ user authentication
.TP 10n .TP 10n
\fIdefaults\fR \fIdefaults\fR
\fIsudoers\fR \fIsudoers\fR
file
\fIDefaults\fR \fIDefaults\fR
settings settings
.TP 10n .TP 10n
@@ -4971,15 +4969,16 @@ LDAP-based sudoers
logging support logging support
.TP 10n .TP 10n
\fImatch\fR \fImatch\fR
matching of users, groups, hosts and netgroups in matching of users, groups, hosts and netgroups in the
\fIsudoers\fR \fIsudoers\fR
file
.TP 10n .TP 10n
\fInetif\fR \fInetif\fR
network interface handling network interface handling
.TP 10n .TP 10n
\fInss\fR \fInss\fR
network service switch handling in network service switch handling in
\fIsudoers\fR \fBsudoers\fR
.TP 10n .TP 10n
\fIparser\fR \fIparser\fR
\fIsudoers\fR \fIsudoers\fR
@@ -5053,9 +5052,9 @@ be edited by the
\fBvisudo\fR \fBvisudo\fR
command which locks the file and does grammatical checking. command which locks the file and does grammatical checking.
It is It is
imperative that imperative that the
\fIsudoers\fR \fIsudoers\fR
be free of syntax errors since file be free of syntax errors since
\fBsudo\fR \fBsudo\fR
will not run with a syntactically incorrect will not run with a syntactically incorrect
\fIsudoers\fR \fIsudoers\fR

149
doc/sudoers.mdoc.in
View File

@@ -42,7 +42,7 @@ The policy format is described in detail in the
.Sx SUDOERS FILE FORMAT .Sx SUDOERS FILE FORMAT
section. section.
For information on storing For information on storing
.Em sudoers .Nm sudoers
policy information policy information
in LDAP, please see in LDAP, please see
.Xr sudoers.ldap @mansectform@ . .Xr sudoers.ldap @mansectform@ .
@@ -126,7 +126,7 @@ For more information on configuring
please refer to its manual. please refer to its manual.
.Ss Authentication and logging .Ss Authentication and logging
The The
.Em sudoers .Nm sudoers
security policy requires that most users authenticate security policy requires that most users authenticate
themselves before they can use themselves before they can use
.Nm sudo . .Nm sudo .
@@ -137,7 +137,7 @@ user or command.
Unlike Unlike
.Xr su 1 , .Xr su 1 ,
when when
.Em sudoers .Nm sudoers
requires requires
authentication, it validates the invoking user's credentials, not authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials. the target user's (or root's) credentials.
@@ -186,7 +186,7 @@ is run by root and the
.Ev SUDO_USER .Ev SUDO_USER
environment variable environment variable
is set, the is set, the
.Em sudoers .Nm sudoers
policy will use this value to determine who policy will use this value to determine who
the actual user is. the actual user is.
This can be used by a user to log commands This can be used by a user to log commands
@@ -198,10 +198,10 @@ option to remain useful even when invoked via a
sudo-run script or program. sudo-run script or program.
Note, however, that the Note, however, that the
.Em sudoers .Em sudoers
lookup is still done for root, not the user specified by file lookup is still done for root, not the user specified by
.Ev SUDO_USER . .Ev SUDO_USER .
.Pp .Pp
.Em sudoers .Nm sudoers
uses per-user time stamp files for credential caching. uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the containing the uid that was used to authenticate, the
@@ -217,21 +217,20 @@ minutes unless overridden by the
option option
.Pc . .Pc .
By default, By default,
.Em sudoers .Nm sudoers
uses a separate record for each tty, which means that uses a separate record for each tty, which means that
a user's login sessions are authenticated separately. a user's login sessions are authenticated separately.
The The
.Em tty_tickets .Em tty_tickets
option can be disabled to force the use of a option can be disabled to force the use of a
single time stamp for all of a user's sessions. single time stamp for all of a user's sessions.
.Pp .Nm sudoers
.Em sudoers
can log both successful and unsuccessful attempts (as well can log both successful and unsuccessful attempts (as well
as errors) to as errors) to
.Xr syslog 3 , .Xr syslog 3 ,
a log file, or both. a log file, or both.
By default, By default,
.Em sudoers .Nm sudoers
will log via will log via
.Xr syslog 3 .Xr syslog 3
but this is changeable via the but this is changeable via the
@@ -255,12 +254,12 @@ and
command tags. command tags.
.Ss Command environment .Ss Command environment
Since environment variables can influence program behavior, Since environment variables can influence program behavior,
.Em sudoers .Nm sudoers
provides a means to restrict which variables from the user's provides a means to restrict which variables from the user's
environment are inherited by the command to be run. environment are inherited by the command to be run.
There are two There are two
distinct ways distinct ways
.Em sudoers .Nm sudoers
can deal with environment variables. can deal with environment variables.
.Pp .Pp
By default, the By default, the
@@ -410,7 +409,7 @@ As a special case, if
.Fl i .Fl i
option (initial login) is option (initial login) is
specified, specified,
.Em sudoers .Nm sudoers
will initialize the environment regardless will initialize the environment regardless
of the value of of the value of
.Em env_reset . .Em env_reset .
@@ -462,7 +461,7 @@ not necessarily the most specific match).
.Pp .Pp
The The
.Em sudoers .Em sudoers
grammar will be described below in Extended Backus-Naur file grammar will be described below in Extended Backus-Naur
Form (EBNF). Form (EBNF).
Don't despair if you are unfamiliar with EBNF; it is fairly simple, Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated. and the definitions below are annotated.
@@ -803,9 +802,9 @@ Note that
.Dq Li sudoedit .Dq Li sudoedit
is a command built into is a command built into
.Nm sudo .Nm sudo
itself and must be specified in itself and must be specified in the
.Em sudoers .Em sudoers
without a leading path. file without a leading path.
.Pp .Pp
If a If a
.Li command name .Li command name
@@ -1096,7 +1095,7 @@ optionally setting the group to operator or system.
.Ss SELinux_Spec .Ss SELinux_Spec
On systems with SELinux support, On systems with SELinux support,
.Em sudoers .Em sudoers
entries may optionally have an SELinux role and/or type associated file entries may optionally have an SELinux role and/or type associated
with a command. with a command.
If a role or If a role or
type is specified with the command it will override any default values type is specified with the command it will override any default values
@@ -1108,7 +1107,7 @@ however, will supersede the values in
.Ss Solaris_Priv_Spec .Ss Solaris_Priv_Spec
On Solaris systems, On Solaris systems,
.Em sudoers .Em sudoers
entries may optionally specify Solaris privilege set and/or limit file entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command. privilege set associated with a command.
If privileges or limit privileges are specified with the command If privileges or limit privileges are specified with the command
it will override any default values specified in it will override any default values specified in
@@ -1473,9 +1472,9 @@ $ sudo cat /var/log/messages /etc/shadow
.Pp .Pp
which is probably not what was intended. which is probably not what was intended.
In most cases it is better to do command line processing In most cases it is better to do command line processing
outside of outside of the
.Em sudoers .Em sudoers
in a scripting language. file in a scripting language.
.Ss Exceptions to wildcard rules .Ss Exceptions to wildcard rules
The following exceptions apply to the above rules: The following exceptions apply to the above rules:
.Bl -tag -width 8n .Bl -tag -width 8n
@@ -1484,7 +1483,7 @@ If the empty string
.Li \&"" .Li \&""
is the only command line argument in the is the only command line argument in the
.Em sudoers .Em sudoers
entry it means that command is not allowed to be run with file entry it means that command is not allowed to be run with
.Em any .Em any
arguments. arguments.
.It sudoedit .It sudoedit
@@ -1510,7 +1509,7 @@ This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file. file in addition to a local, per-machine file.
For the sake of this example the site-wide For the sake of this example the site-wide
.Em sudoers .Em sudoers
will be file will be
.Pa /etc/sudoers .Pa /etc/sudoers
and the per-machine one will be and the per-machine one will be
.Pa /etc/sudoers.local . .Pa /etc/sudoers.local .
@@ -1576,8 +1575,7 @@ directive can be used to create a
.Pa sudoers.d .Pa sudoers.d
directory that the system package manager can drop directory that the system package manager can drop
.Em sudoers .Em sudoers
rules file rules into as part of package installation.
into as part of package installation.
For example, given: For example, given:
.Bd -literal -offset 4n .Bd -literal -offset 4n
#includedir /etc/sudoers.d #includedir /etc/sudoers.d
@@ -1951,9 +1949,9 @@ This has security implications when path names that include globbing
characters are used with the negation operator, characters are used with the negation operator,
.Ql !\& , .Ql !\& ,
as such rules can be trivially bypassed. as such rules can be trivially bypassed.
As such, this option should not be used when As such, this option should not be used when the
.Em sudoers .Em sudoers
contains rules that contain negated path names which include globbing file contains rules that contain negated path names which include globbing
characters. characters.
This flag is This flag is
.Em off .Em off
@@ -2077,9 +2075,7 @@ by default.
.It log_input .It log_input
If set, If set,
.Nm sudo .Nm sudo
will run the command in a will run the command in a pseudo-tty and log all user input.
.Em pseudo-tty
and log all user input.
If the standard input is not connected to the user's tty, due to If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file. input is also captured and stored in a separate log file.
@@ -2123,9 +2119,8 @@ is all that is required.
.It log_output .It log_output
If set, If set,
.Nm sudo .Nm sudo
will run the command in a will run the command in a pseudo-tty and log all output that is sent
.Em pseudo-tty to the screen, similar to the
and log all output that is sent to the screen, similar to the
.Xr script 1 .Xr script 1
command. command.
If the standard output or standard error is not connected to the If the standard output or standard error is not connected to the
@@ -2220,7 +2215,7 @@ user if the user running
.Nm sudo .Nm sudo
does not enter the correct password. does not enter the correct password.
If the command the user is attempting to run is not permitted by If the command the user is attempting to run is not permitted by
.Em sudoers .Nm sudoers
and one of the and one of the
.Em mail_all_cmnds , .Em mail_all_cmnds ,
.Em mail_always , .Em mail_always ,
@@ -2639,12 +2634,13 @@ by default.
.It umask_override .It umask_override
If set, If set,
.Nm sudo .Nm sudo
will set the umask as specified by will set the umask as specified in the
.Em sudoers .Em sudoers
without modification. file without modification.
This makes it possible to specify a more permissive umask in This makes it possible to specify a umask in the
.Em sudoers .Em sudoers
than the user's own umask and matches historical behavior. file that is more permissive than the user's own umask and matches
historical behavior.
If If
.Em umask_override .Em umask_override
is not set, is not set,
@@ -3062,9 +3058,9 @@ is built on Solaris 10 or higher.
.It role .It role
The default SELinux role to use when constructing a new security The default SELinux role to use when constructing a new security
context to run the command. context to run the command.
The default role may be overridden on a per-command basis in The default role may be overridden on a per-command basis in the
.Em sudoers .Em sudoers
or via command line options. file or via command line options.
This option is only available when This option is only available when
.Nm sudo .Nm sudo
is built with SELinux support. is built with SELinux support.
@@ -3118,9 +3114,9 @@ The default is
.It type .It type
The default SELinux type to use when constructing a new security The default SELinux type to use when constructing a new security
context to run the command. context to run the command.
The default type may be overridden on a per-command basis in The default type may be overridden on a per-command basis in the
.Em sudoers .Em sudoers
or via command line options. file or via command line options.
This option is only available when This option is only available when
.Nm sudo .Nm sudo
is built with SELinux support. is built with SELinux support.
@@ -3152,7 +3148,7 @@ prefix.
This is not set by default. This is not set by default.
.It group_plugin .It group_plugin
A string containing a A string containing a
.Em sudoers .Nm sudoers
group plugin with optional arguments. group plugin with optional arguments.
The string should consist of the plugin The string should consist of the plugin
path, either fully-qualified or relative to the path, either fully-qualified or relative to the
@@ -3205,7 +3201,7 @@ It has the following possible values:
.It all .It all
All the user's All the user's
.Em sudoers .Em sudoers
entries for the current host must have file entries for the current host must have
the the
.Li NOPASSWD .Li NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
@@ -3216,7 +3212,7 @@ option.
.It any .It any
At least one of the user's At least one of the user's
.Em sudoers .Em sudoers
entries for the current host file entries for the current host
must have the must have the
.Li NOPASSWD .Li NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
@@ -3324,7 +3320,7 @@ It has the following possible values:
.It all .It all
All the user's All the user's
.Em sudoers .Em sudoers
entries for the current host must have the file entries for the current host must have the
.Li NOPASSWD .Li NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
.It always .It always
@@ -3334,7 +3330,7 @@ option.
.It any .It any
At least one of the user's At least one of the user's
.Em sudoers .Em sudoers
entries for the current host must have the file entries for the current host must have the
.Li NOPASSWD .Li NOPASSWD
flag set to avoid entering a password. flag set to avoid entering a password.
.It never .It never
@@ -3660,9 +3656,9 @@ file is located on a remote file system that maps user ID 0 to
a different value. a different value.
Normally, Normally,
.Nm .Nm
tries to open tries to open the
.Em sudoers .Em sudoers
using group permissions to avoid this problem. file using group permissions to avoid this problem.
Consider either changing the ownership of Consider either changing the ownership of
.Pa @sysconfdir@/sudoers .Pa @sysconfdir@/sudoers
or adding an argument like or adding an argument like
@@ -3738,7 +3734,7 @@ line in the
.Xr sudo.conf @mansectform@ .Xr sudo.conf @mansectform@
file. file.
.It unable to open @rundir@/ts/username .It unable to open @rundir@/ts/username
.Em sudoers .Nm sudoers
was unable to read or create the user's time stamp file. was unable to read or create the user's time stamp file.
This can happen when This can happen when
.Em timestampowner .Em timestampowner
@@ -3749,7 +3745,7 @@ The default mode for
.Pa @rundir@ .Pa @rundir@
is 0711. is 0711.
.It unable to write to @rundir@/ts/username .It unable to write to @rundir@/ts/username
.Em sudoers .Nm sudoers
was unable to write to the user's time stamp file. was unable to write to the user's time stamp file.
.It @rundir@/ts is owned by uid X, should be Y .It @rundir@/ts is owned by uid X, should be Y
The time stamp directory is owned by a user other than The time stamp directory is owned by a user other than
@@ -3757,18 +3753,18 @@ The time stamp directory is owned by a user other than
This can occur when the value of This can occur when the value of
.Em timestampowner .Em timestampowner
has been changed. has been changed.
.Em sudoers .Nm sudoers
will ignore the time stamp directory until the owner is corrected. will ignore the time stamp directory until the owner is corrected.
.It @rundir@/ts is group writable .It @rundir@/ts is group writable
The time stamp directory is group-writable; it should be writable only by The time stamp directory is group-writable; it should be writable only by
.Em timestampowner . .Em timestampowner .
The default mode for the time stamp directory is 0700. The default mode for the time stamp directory is 0700.
.Em sudoers .Nm sudoers
will ignore the time stamp directory until the mode is corrected. will ignore the time stamp directory until the mode is corrected.
.El .El
.Ss Notes on logging via syslog .Ss Notes on logging via syslog
By default, By default,
.Em sudoers .Nm sudoers
logs messages via logs messages via
.Xr syslog 3 . .Xr syslog 3 .
The The
@@ -3777,7 +3773,7 @@ The
and and
.Em progname .Em progname
fields are added by the syslog daemon, not fields are added by the syslog daemon, not
.Em sudoers .Nm sudoers
itself. itself.
As such, they may vary in format on different systems. As such, they may vary in format on different systems.
.Pp .Pp
@@ -3796,11 +3792,11 @@ after the user name and before the continued command line arguments.
If the If the
.Em logfile .Em logfile
option is set, option is set,
.Em sudoers .Nm sudoers
will log to a local file, such as will log to a local file, such as
.Pa /var/log/sudo . .Pa /var/log/sudo .
When logging to a file, When logging to a file,
.Em sudoers .Nm sudoers
uses a format similar to uses a format similar to
.Xr syslog 3 , .Xr syslog 3 ,
with a few important differences: with a few important differences:
@@ -3845,11 +3841,11 @@ List of network groups
I/O log files I/O log files
.It Pa @rundir@/ts .It Pa @rundir@/ts
Directory containing time stamps for the Directory containing time stamps for the
.Em sudoers .Nm sudoers
security policy security policy
.It Pa @vardir@/lectured .It Pa @vardir@/lectured
Directory containing lecture status files for the Directory containing lecture status files for the
.Em sudoers .Nm sudoers
security policy security policy
.It Pa /etc/environment .It Pa /etc/environment
Initial environment for Initial environment for
@@ -3859,7 +3855,7 @@ mode on AIX and Linux systems
.Sh EXAMPLES .Sh EXAMPLES
Below are example Below are example
.Em sudoers .Em sudoers
entries. file entries.
Admittedly, some of these are a bit contrived. Admittedly, some of these are a bit contrived.
First, we allow a few environment variables to pass and then define our First, we allow a few environment variables to pass and then define our
.Em aliases : .Em aliases :
@@ -4277,7 +4273,7 @@ it can result in a security issue for rules that subtract or revoke privileges.
.Pp .Pp
For example, given the following For example, given the following
.Em sudoers .Em sudoers
entry: file entry:
.Bd -literal .Bd -literal
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
@@ -4394,16 +4390,16 @@ user permission to run
(see below). (see below).
.Ss Secure editing .Ss Secure editing
The The
.Em sudoers .Nm sudoers
plugin includes plugin includes
.Nm sudoedit .Nm sudoedit
support which allows users to securely edit files with the editor support which allows users to securely edit files with the editor
of their choice. of their choice.
As As
.Nm sudoedit .Nm sudoedit
is a built-in command, it must be specified in is a built-in command, it must be specified in the
.Em sudoers .Em sudoers
without a leading path. file without a leading path.
However, it may take command line arguments just as a normal command does. However, it may take command line arguments just as a normal command does.
Wildcards used in Wildcards used in
.Em sudoedit .Em sudoedit
@@ -4461,7 +4457,7 @@ tag.
However, it is still possible to create a hard link if the directory However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system. is writable and the link target resides on the same file system.
.Ss Time stamp file checks .Ss Time stamp file checks
.Em sudoers .Nm sudoers
will check the ownership of its time stamp directory will check the ownership of its time stamp directory
.Po .Po
.Pa @rundir@/ts .Pa @rundir@/ts
@@ -4483,14 +4479,14 @@ be cleared at reboot time, not all systems contain a
.Pa /var/run .Pa /var/run
directory. directory.
To avoid potential problems, To avoid potential problems,
.Em sudoers .Nm sudoers
will ignore time stamp files that date from before the machine booted will ignore time stamp files that date from before the machine booted
on systems where the boot time is available. on systems where the boot time is available.
.Pp .Pp
Some systems with graphical desktop environments allow unprivileged Some systems with graphical desktop environments allow unprivileged
users to change the system clock. users to change the system clock.
Since Since
.Em sudoers .Nm sudoers
relies on the system clock for time stamp validation, it may be relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run possible on such systems for a user to run
.Nm sudo .Nm sudo
@@ -4498,16 +4494,16 @@ for longer than
.Em timestamp_timeout .Em timestamp_timeout
by setting the clock back. by setting the clock back.
To combat this, To combat this,
.Em sudoers .Nm sudoers
uses a monotonic clock (which never moves backwards) for its time stamps uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it. if the system supports it.
.Pp .Pp
.Em sudoers .Nm sudoers
will not honor time stamps set far in the future. will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 * Time stamps with a date greater than current_time + 2 *
.Li TIMEOUT .Li TIMEOUT
will be ignored and will be ignored and
.Em sudoers .Nm sudoers
will log and complain. will log and complain.
.Pp .Pp
Since time stamp files live in the file system, they can outlive a Since time stamp files live in the file system, they can outlive a
@@ -4518,8 +4514,9 @@ after authenticating, logout, login again, and run
.Nm sudo .Nm sudo
without authenticating so long as the record's time stamp is within without authenticating so long as the record's time stamp is within
.Li @timeout@ .Li @timeout@
minutes (or whatever value the timeout is set to in minutes (or whatever value the timeout is set to in the
.Em sudoers ) . .Em sudoers
file).
When the When the
.Em tty_tickets .Em tty_tickets
option is enabled, the time stamp record includes the device option is enabled, the time stamp record includes the device
@@ -4584,6 +4581,7 @@ BSM and Linux audit code
user authentication user authentication
.It Em defaults .It Em defaults
.Em sudoers .Em sudoers
file
.Em Defaults .Em Defaults
settings settings
.It Em env .It Em env
@@ -4593,13 +4591,14 @@ LDAP-based sudoers
.It Em logging .It Em logging
logging support logging support
.It Em match .It Em match
matching of users, groups, hosts and netgroups in matching of users, groups, hosts and netgroups in the
.Em sudoers .Em sudoers
file
.It Em netif .It Em netif
network interface handling network interface handling
.It Em nss .It Em nss
network service switch handling in network service switch handling in
.Em sudoers .Nm sudoers
.It Em parser .It Em parser
.Em sudoers .Em sudoers
file parsing file parsing
@@ -4660,9 +4659,9 @@ be edited by the
.Nm visudo .Nm visudo
command which locks the file and does grammatical checking. command which locks the file and does grammatical checking.
It is It is
imperative that imperative that the
.Em sudoers .Em sudoers
be free of syntax errors since file be free of syntax errors since
.Nm sudo .Nm sudo
will not run with a syntactically incorrect will not run with a syntactically incorrect
.Em sudoers .Em sudoers