Make it clear that runas_default sets the default user for Runas_Spec.

Also mention runas_default in other parts of the manual, use
@runas_default@ instead of root and add markup around user names.
GitHub issue #186.
This commit is contained in:
Todd C. Miller
2022-10-20 08:08:48 -06:00
parent 3ca21f9506
commit d744271a63
2 changed files with 302 additions and 130 deletions

View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "September 27, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "October 20, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -179,16 +179,19 @@ security policy requires that most users authenticate
themselves before they can use themselves before they can use
\fBsudo\fR. \fBsudo\fR.
A password is not required A password is not required
if the invoking user is root, if the target user is the same as the if the invoking user is
invoking user, or if the policy has disabled authentication for the \fBroot\fR,
user or command. if the target user is the same as the invoking user, or if the
policy has disabled authentication for the user or command.
Unlike Unlike
su(1), su(1),
when when
\fBsudoers\fR \fBsudoers\fR
requires requires
authentication, it validates the invoking user's credentials, not authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials. the target user's (or
\fB@runas_default@\fR's)
credentials.
This can be changed via This can be changed via
the the
\fIrootpw\fR, \fIrootpw\fR,
@@ -230,7 +233,9 @@ are logged, regardless of whether or not mail is sent.
.PP .PP
If If
\fBsudo\fR \fBsudo\fR
is run by root and the is run by
\fBroot\fR
and the
\fRSUDO_USER\fR \fRSUDO_USER\fR
environment variable environment variable
is set, the is set, the
@@ -238,7 +243,9 @@ is set, the
policy will use this value to determine who policy will use this value to determine who
the actual user is. the actual user is.
This can be used by a user to log commands This can be used by a user to log commands
through sudo even when a root shell has been invoked. through sudo even when a
\fBroot\fR
shell has been invoked.
It also It also
allows the allows the
\fB\-e\fR \fB\-e\fR
@@ -246,7 +253,9 @@ option to remain useful even when invoked via a
sudo-run script or program. sudo-run script or program.
Note, however, that the Note, however, that the
\fIsudoers\fR \fIsudoers\fR
file lookup is still done for root, not the user specified by file lookup is still done for
\fBroot\fR,
not the user specified by
\fRSUDO_USER\fR. \fRSUDO_USER\fR.
.PP .PP
\fBsudoers\fR \fBsudoers\fR
@@ -456,7 +465,9 @@ as modified by global Defaults parameters in
\fIsudoers\fR, \fIsudoers\fR,
is displayed when is displayed when
\fBsudo\fR \fBsudo\fR
is run by root with the is run by
\fBroot\fR
with the
\fB\-V\fR \fB\-V\fR
option. option.
The list of environment variables to remove The list of environment variables to remove
@@ -926,8 +937,11 @@ it can contain
User names and groups are matched as strings. User names and groups are matched as strings.
In other words, two users (groups) with the same user (group) ID In other words, two users (groups) with the same user (group) ID
are considered to be distinct. are considered to be distinct.
If you wish to match all user names with the same user-ID (e.g., root and If you wish to match all user names with the same user-ID (e.g.,
toor), you can use a user-ID instead of a name (#0 in the example given). \fBroot\fR
and
\fBtoor\fR),
you can use a user-ID instead of a name (#0 in the example given).
The user-ID or group-ID specified in a The user-ID or group-ID specified in a
\fIRunas_Member\fR \fIRunas_Member\fR
need not be listed in the password or group database. need not be listed in the password or group database.
@@ -1308,10 +1322,12 @@ A
\fBuser specification\fR \fBuser specification\fR
determines which commands a user may run determines which commands a user may run
(and as what user) on specified hosts. (and as what user) on specified hosts.
By default, commands are By default, commands are run as
run as \fB@runas_default@\fR
\fBroot\fR, (unless
but this can be changed on a per-command basis. \fIrunas_default\fR
has been set to a different value)
but this can also be changed on a per-command basis.
.PP .PP
The basic structure of a user specification is The basic structure of a user specification is
\(lqwho where = (as_whom) what\(rq. \(lqwho where = (as_whom) what\(rq.
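Review bot: the new wording "run as @runas_default@ (unless runas_default has been set to a different value) but this can also be changed" describes a default that is qualified by its own default, and it is missing a comma before "but"; the Runas_Spec paragraph in the next hunk puts the same idea more cleanly as "the runas_default user (@runas_default@ by default)". Suggest using that phrasing here too: "By default, commands are run as the \fIrunas_default\fR user (\fB@runas_default@\fR by default), but this can also be changed on a per-command basis." The same applies to the corresponding hunk in the second file.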
@@ -1355,11 +1371,14 @@ are empty, the command may only be run as the invoking user and the
group, if specified, must be one that the invoking user is a member of. group, if specified, must be one that the invoking user is a member of.
If no If no
\fIRunas_Spec\fR \fIRunas_Spec\fR
is specified, the command may only be run as is specified, the command may only be run as the
\fBroot\fR \fIrunas_default\fR
and the group, if specified, must be one that user
\fBroot\fR (\fB@runas_default@\fR
is a member of. by default) and the group,
if specified, must be one that the
\fIrunas_default\fR
user is a member of.
.PP .PP
A A
\fIRunas_Spec\fR \fIRunas_Spec\fR
@@ -1487,7 +1506,10 @@ alan ALL = (root, bin : operator, system) ALL
.PP .PP
user user
\fBalan\fR \fBalan\fR
may run any command as either user root or bin, may run any command as either user
\fBroot\fR
or
\fBbin\fR,
optionally setting the group to operator or system. optionally setting the group to operator or system.
.SS "Option_Spec" .SS "Option_Spec"
A A
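Review bot: markup is applied inconsistently in this hunk: \fBroot\fR and \fBbin\fR are now bold, but the group names in the trailing context line "optionally setting the group to operator or system." are left plain even though they come from the same rule, alan ALL = (root, bin : operator, system) ALL. Suggest \fBoperator\fR and \fBsystem\fR there as well, and .Sy operator / .Sy system in the corresponding hunk of the second file.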
@@ -1554,7 +1576,9 @@ alice ALL = (root) APPARMOR_PROFILE=my-profile ALL
.PP .PP
the user the user
\fBalice\fR \fBalice\fR
may run any command as root under confinement by the profile may run any command as
\fBroot\fR
under confinement by the profile
\(oqmy-profile\(cq. \(oqmy-profile\(cq.
You can also stack profiles, or allow a user to run commands unconfined by You can also stack profiles, or allow a user to run commands unconfined by
any profile. any profile.
@@ -1573,7 +1597,9 @@ entries allow user
\fBbob\fR \fBbob\fR
to run to run
\fI/usr/bin/vi\fR \fI/usr/bin/vi\fR
as root under the stacked profiles as
\fBroot\fR
under the stacked profiles
\(oqfoo\(cq \(oqfoo\(cq
and and
\(oqbar\(cq, \(oqbar\(cq,
@@ -1927,7 +1953,7 @@ to run
and and
\fI/usr/bin/lprm\fR \fI/usr/bin/lprm\fR
as as
\fBroot\fR \fB@runas_default@\fR
on the machine on the machine
\(lqrushmore\(rq \(lqrushmore\(rq
without authenticating himself. without authenticating himself.
@@ -2200,7 +2226,11 @@ In the following example, user
\fBjohn\fR \fBjohn\fR
can run the can run the
passwd(1) passwd(1)
command as root on any host but is not allowed to change root's password. command as
\fB@runas_default@\fR
on any host but is not allowed to change
\fBroot\fR's
password.
This kind of rule is impossible to express safely using wildcards. This kind of rule is impossible to express safely using wildcards.
.nf .nf
.sp .sp
@@ -2237,7 +2267,8 @@ to run the
\fI/usr/sbin/usermod\fR, \fI/usr/sbin/usermod\fR,
and and
\fI/usr/sbin/userdel\fR \fI/usr/sbin/userdel\fR
commands as root. commands as
\fB@runas_default@\fR.
.nf .nf
.sp .sp
.RS 4n .RS 4n
@@ -2485,7 +2516,9 @@ This allows one to exclude certain values.
For the For the
\(oq\&!\(cq \(oq\&!\(cq
operator to be effective, there must be something for it to exclude. operator to be effective, there must be something for it to exclude.
For example, to match all users except for root one would use: For example, to match all users except for
\fBroot\fR
one would use:
.nf .nf
.sp .sp
.RS 4n .RS 4n
@@ -2503,7 +2536,9 @@ is omitted, as in:
.RE .RE
.fi .fi
.PP .PP
it would explicitly deny root but not match any other users. it would explicitly deny
\fBroot\fR
but not match any other users.
This is different from a true This is different from a true
\(lqnegation\(rq \(lqnegation\(rq
operator. operator.
@@ -2570,7 +2605,9 @@ If enabled,
will set the will set the
\fRHOME\fR \fRHOME\fR
environment variable to the home directory of the target user environment variable to the home directory of the target user
(which is the root user unless the (which is the
\fIrunas_default\fR
user unless the
\fB\-u\fR \fB\-u\fR
option is used). option is used).
This flag is largely obsolete and has no effect unless the This flag is largely obsolete and has no effect unless the
@@ -2709,9 +2746,13 @@ or
\fREDITOR\fR \fREDITOR\fR
environment variables before falling back on the default editor list. environment variables before falling back on the default editor list.
\fBvisudo\fR \fBvisudo\fR
is typically run as root so this flag may allow a user with is typically run as
\fBroot\fR
so this flag may allow a user with
\fBvisudo\fR \fBvisudo\fR
privileges to run arbitrary commands as root without logging. privileges to run arbitrary commands as
\fBroot\fR
without logging.
An alternative is to place a colon-separated list of An alternative is to place a colon-separated list of
\(lqsafe\(rq \(lqsafe\(rq
editors int the editors int the
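Review bot: the trailing context line "editors int the" carries a pre-existing typo ("int" for "into"); since this paragraph is being reflowed anyway, fix it to "editors into the" here and in the corresponding hunk of the second file.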
@@ -2777,7 +2818,9 @@ lists, as modified by global Defaults parameters in
\fIsudoers\fR, \fIsudoers\fR,
are displayed when are displayed when
\fBsudo\fR \fBsudo\fR
is run by root with the is run by
\fBroot\fR
with the
\fB\-V\fR \fB\-V\fR
option. option.
If the If the
@@ -3736,17 +3779,23 @@ This flag is
by default. by default.
.TP 18n .TP 18n
root_sudo root_sudo
If set, root is allowed to run If set,
\fBroot\fR
is allowed to run
\fBsudo\fR \fBsudo\fR
too. too.
Disabling this prevents users from Disabling this prevents users from
\(lqchaining\(rq \(lqchaining\(rq
\fBsudo\fR \fBsudo\fR
commands to get a root shell by doing something like commands to get a
\fBroot\fR
shell by doing something like
\(oqsudo sudo /bin/sh\(cq. \(oqsudo sudo /bin/sh\(cq.
Note, however, that turning off Note, however, that turning off
\fIroot_sudo\fR \fIroot_sudo\fR
will also prevent root from running will also prevent
\fBroot\fR
from running
\fBsudoedit\fR. \fBsudoedit\fR.
Disabling Disabling
\fIroot_sudo\fR \fIroot_sudo\fR
@@ -3758,7 +3807,9 @@ by default.
rootpw rootpw
If set, If set,
\fBsudo\fR \fBsudo\fR
will prompt for the root password instead of the password of the invoking user will prompt for the
\fBroot\fR
password instead of the password of the invoking user
when running a command or editing a file. when running a command or editing a file.
This flag is This flag is
\fIoff\fR \fIoff\fR
@@ -3808,7 +3859,8 @@ If set,
\fBsudo\fR \fBsudo\fR
will prompt for the password of the user defined by the will prompt for the password of the user defined by the
\fIrunas_default\fR \fIrunas_default\fR
option (defaults to @runas_default@) option (defaults to
\fB@runas_default@\fR)
instead of the password of the invoking user instead of the password of the invoking user
when running a command or editing a file. when running a command or editing a file.
This flag is This flag is
@@ -3833,7 +3885,9 @@ is invoked with the
option, the option, the
\fRHOME\fR \fRHOME\fR
environment variable will be set to the home directory of the target environment variable will be set to the home directory of the target
user (which is the root user unless the user (which is the
\fIrunas_default\fR
user unless the
\fB\-u\fR \fB\-u\fR
option is used). option is used).
This flag is largely obsolete and has no effect unless the This flag is largely obsolete and has no effect unless the
@@ -3854,7 +3908,9 @@ will set the
\fRLOGNAME\fR \fRLOGNAME\fR
and and
\fRUSER\fR \fRUSER\fR
environment variables to the name of the target user (usually root unless the environment variables to the name of the target user (the user specified by
\fIrunas_default\fR
unless the
\fB\-u\fR \fB\-u\fR
option is given). option is given).
However, since some programs (including the RCS revision control system) use However, since some programs (including the RCS revision control system) use
@@ -3924,7 +3980,9 @@ If set and
is invoked with no arguments it acts as if the is invoked with no arguments it acts as if the
\fB\-s\fR \fB\-s\fR
option had been given. option had been given.
That is, it runs a shell as root (the shell is determined by the That is, it runs a shell as
\fBroot\fR
(the shell is determined by the
\fRSHELL\fR \fRSHELL\fR
environment variable if it is set, falling back on the shell listed environment variable if it is set, falling back on the shell listed
in the invoking user's /etc/passwd entry if not). in the invoking user's /etc/passwd entry if not).
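Review bot: "it runs a shell as \fBroot\fR" keeps a literal root, yet the shell started by \-s runs as the target user, which (as the always_set_home text in this same patch says) is the runas_default user unless \-u is given, and the stay_setuid hunk that follows already describes the target user as "\fB@runas_default@\fR by default". For consistency with the rest of this change, consider "runs a shell as the \fIrunas_default\fR user (\fB@runas_default@\fR by default)" here and in the second file.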
@@ -3936,7 +3994,9 @@ stay_setuid
Normally, when Normally, when
\fBsudo\fR \fBsudo\fR
executes a command the real and effective user-IDs are set to the target executes a command the real and effective user-IDs are set to the target
user (root by default). user
(\fB@runas_default@\fR
by default).
This option changes that behavior such that the real user-ID is left This option changes that behavior such that the real user-ID is left
as the invoking user's user-ID. as the invoking user's user-ID.
In other words, this makes In other words, this makes
@@ -3964,7 +4024,8 @@ Symbolic links will not be followed in writable directories and
will refuse to edit a file located in a writable directory. will refuse to edit a file located in a writable directory.
These restrictions are not enforced when These restrictions are not enforced when
\fBsudoedit\fR \fBsudoedit\fR
is run by root. is run by
\fBroot\fR.
On some systems, if all directory components of the path to be edited On some systems, if all directory components of the path to be edited
are not readable by the target user, are not readable by the target user,
\fBsudoedit\fR \fBsudoedit\fR
@@ -4014,7 +4075,8 @@ If set,
will prompt for the password of the user specified will prompt for the password of the user specified
by the by the
\fB\-u\fR \fB\-u\fR
option (defaults to root) option (defaults to the value of
\fIrunas_default\fR)
instead of the password of the invoking user instead of the password of the invoking user
when running a command or editing a file. when running a command or editing a file.
This flag precludes the use of a user-ID not listed in the passwd This flag precludes the use of a user-ID not listed in the passwd
@@ -4475,11 +4537,13 @@ expanded to the name of the invoking user's real group-ID
.TP 6n .TP 6n
%{runas_user} %{runas_user}
expanded to the login name of the user the command will expanded to the login name of the user the command will
be run as (e.g., root) be run as (e.g.,
\fBroot\fR)
.TP 6n .TP 6n
%{runas_group} %{runas_group}
expanded to the group name of the user the command will expanded to the group name of the user the command will
be run as (e.g., wheel) be run as (e.g.,
\fBwheel\fR)
.TP 6n .TP 6n
%{hostname} %{hostname}
expanded to the local host name without the domain name expanded to the local host name without the domain name
@@ -4766,7 +4830,8 @@ flags in
.TP 6n .TP 6n
\&%U \&%U
expanded to the login name of the user the command will expanded to the login name of the user the command will
be run as (defaults to root) be run as (defaults to
\fB@runas_default@\fR)
.TP 6n .TP 6n
%u %u
expanded to the invoking user's login name expanded to the invoking user's login name
@@ -4830,7 +4895,8 @@ runas_default
The default user to run commands as if the The default user to run commands as if the
\fB\-u\fR \fB\-u\fR
option is not specified on the command line. option is not specified on the command line.
This defaults to @runas_default@. This defaults to
\fB@runas_default@\fR.
.TP 18n .TP 18n
sudoers_locale sudoers_locale
Locale to use when parsing the sudoers file, logging commands, and Locale to use when parsing the sudoers file, logging commands, and
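Review bot: given the commit's stated goal of making clear that runas_default is the default user for Runas_Spec, this entry still only describes the \-u case. Suggest adding a sentence after "option is not specified on the command line." along the lines of "It is also the user a command is run as when the user specification has no \fIRunas_Spec\fR." so the option's own description points at the Runas_Spec behaviour reworded earlier in this patch; same for the second file.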
@@ -4908,7 +4974,8 @@ The default is
timestampowner timestampowner
The owner of the lecture status directory, time stamp directory and all The owner of the lecture status directory, time stamp directory and all
files stored therein. files stored therein.
The default is root. The default is
\fBroot\fR.
.if \n(SL \{\ .if \n(SL \{\
.TP 18n .TP 18n
type type
@@ -5557,8 +5624,9 @@ option is enabled or disabled, variables specified by
will be preserved in the environment if they pass the aforementioned check. will be preserved in the environment if they pass the aforementioned check.
The global list of environment variables to check is displayed when The global list of environment variables to check is displayed when
\fBsudo\fR \fBsudo\fR
is run by root with is run by
the \fBroot\fR
with the
\fB\-V\fR \fB\-V\fR
option. option.
.RE .RE
@@ -5578,7 +5646,9 @@ and
operators respectively. operators respectively.
The global list of environment variables to remove is displayed when The global list of environment variables to remove is displayed when
\fBsudo\fR \fBsudo\fR
is run by root with the is run by
\fBroot\fR
with the
\fB\-V\fR \fB\-V\fR
option. option.
Many operating systems will remove potentially dangerous variables Many operating systems will remove potentially dangerous variables
@@ -5604,7 +5674,9 @@ operators respectively.
The global list of variables to keep The global list of variables to keep
is displayed when is displayed when
\fBsudo\fR \fBsudo\fR
is run by root with the is run by
\fBroot\fR
with the
\fB\-V\fR \fB\-V\fR
option. option.
.sp .sp
@@ -6017,7 +6089,9 @@ unable to open @rundir@/ts/username
was unable to read or create the user's time stamp file. was unable to read or create the user's time stamp file.
This can happen when This can happen when
\fItimestampowner\fR \fItimestampowner\fR
is set to a user other than root and the mode on is set to a user other than
\fBroot\fR
and the mode on
\fI@rundir@\fR \fI@rundir@\fR
is not searchable by group or other. is not searchable by group or other.
The default mode for The default mode for
@@ -6641,7 +6715,8 @@ need not provide a password and we don't want to reset the
\fRLOGNAME\fR \fRLOGNAME\fR
or or
\fRUSER\fR \fRUSER\fR
environment variables when running commands as root. environment variables when running commands as
\fBroot\fR.
Additionally, on the machines in the Additionally, on the machines in the
\fRSERVERS\fR \fRSERVERS\fR
\fIHost_Alias\fR, \fIHost_Alias\fR,
@@ -6807,7 +6882,8 @@ groups).
The user The user
\fBpete\fR \fBpete\fR
is allowed to change anyone's password except for is allowed to change anyone's password except for
root on the \fBroot\fR
on the
\fRHPPA\fR \fRHPPA\fR
machines. machines.
Because command line arguments are matched as a single, Because command line arguments are matched as a single,
@@ -6908,8 +6984,9 @@ On the
\fRALPHA\fR \fRALPHA\fR
machines, user machines, user
\fBjohn\fR \fBjohn\fR
may su to anyone except root but he is not allowed to specify any options may su to anyone except
to the \fBroot\fR
but he is not allowed to specify any options to the
su(1) su(1)
command. command.
.nf .nf
@@ -7034,7 +7111,9 @@ advisory at best (and reinforced by policy).
In general, if a user has sudo In general, if a user has sudo
\fBALL\fR \fBALL\fR
there is nothing to prevent them from creating their own program that gives there is nothing to prevent them from creating their own program that gives
them a root shell (or making their own copy of a shell) regardless of any them a
\fBroot\fR
shell (or making their own copy of a shell) regardless of any
\(oq!\&\(cq \(oq!\&\(cq
elements in the user specification. elements in the user specification.
.SS "Security implications of \fIfast_glob\fR" .SS "Security implications of \fIfast_glob\fR"
@@ -7418,9 +7497,11 @@ is enabled.
.RE .RE
.PP .PP
Restricting shell escapes is not a panacea. Restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous Programs running as
operations (such as changing or overwriting files) that could lead \fBroot\fR
to unintended privilege escalation. are still capable of many potentially hazardous operations (such
as changing or overwriting files) that could lead to unintended
privilege escalation.
In the specific case of an editor, a safer approach is to give the In the specific case of an editor, a safer approach is to give the
user permission to run user permission to run
\fBsudoedit\fR \fBsudoedit\fR
@@ -7473,7 +7554,9 @@ $ sudoedit /etc/motd
.RE .RE
.fi .fi
.PP .PP
The editor will run as the operator user, not root, on a temporary copy of The editor will run as the operator user, not
\fB@runas_default@\fR,
on a temporary copy of
\fI/etc/motd\fR. \fI/etc/motd\fR.
After the file has been edited, After the file has been edited,
\fI/etc/motd\fR \fI/etc/motd\fR
@@ -7494,7 +7577,8 @@ not be followed in writable directories and
will refuse to edit a file located in a writable directory will refuse to edit a file located in a writable directory
unless the unless the
\fIsudoedit_checkdir\fR \fIsudoedit_checkdir\fR
option has been disabled or the invoking user is root. option has been disabled or the invoking user is
\fBroot\fR.
Additionally, in version 1.8.15 and higher, Additionally, in version 1.8.15 and higher,
\fBsudoedit\fR \fBsudoedit\fR
will refuse to open a symbolic link unless either the will refuse to open a symbolic link unless either the
@@ -7511,8 +7595,10 @@ file.
will check the ownership of its time stamp directory will check the ownership of its time stamp directory
(\fI@rundir@/ts\fR (\fI@rundir@/ts\fR
by default) by default)
and ignore the directory's contents if it is not owned by root or and ignore the directory's contents if it is not owned by
if it is writable by a user other than root. \fBroot\fR
or if it is writable by a user other than
\fBroot\fR.
Older versions of Older versions of
\fBsudo\fR \fBsudo\fR
stored time stamp files in stored time stamp files in
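Review bot: "not owned by \fBroot\fR or if it is writable by a user other than \fBroot\fR" hard-codes root, but the timestampowner entry in this same patch documents that the owner of the time stamp directory is configurable (root only by default), and the "unable to open @rundir@/ts/username" hunk describes timestampowner being set to another user. Consider describing the ownership check in terms of the \fItimestampowner\fR user, with root given as the default, here and in the second file.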

View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd September 27, 2022 .Dd October 20, 2022
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -168,16 +168,19 @@ security policy requires that most users authenticate
themselves before they can use themselves before they can use
.Nm sudo . .Nm sudo .
A password is not required A password is not required
if the invoking user is root, if the target user is the same as the if the invoking user is
invoking user, or if the policy has disabled authentication for the .Sy root ,
user or command. if the target user is the same as the invoking user, or if the
policy has disabled authentication for the user or command.
Unlike Unlike
.Xr su 1 , .Xr su 1 ,
when when
.Nm .Nm
requires requires
authentication, it validates the invoking user's credentials, not authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials. the target user's (or
.Sy @runas_default@ Ns No 's)
credentials.
This can be changed via This can be changed via
the the
.Em rootpw , .Em rootpw ,
@@ -219,7 +222,9 @@ are logged, regardless of whether or not mail is sent.
.Pp .Pp
If If
.Nm sudo .Nm sudo
is run by root and the is run by
.Sy root
and the
.Ev SUDO_USER .Ev SUDO_USER
environment variable environment variable
is set, the is set, the
@@ -227,7 +232,9 @@ is set, the
policy will use this value to determine who policy will use this value to determine who
the actual user is. the actual user is.
This can be used by a user to log commands This can be used by a user to log commands
through sudo even when a root shell has been invoked. through sudo even when a
.Sy root
shell has been invoked.
It also It also
allows the allows the
.Fl e .Fl e
@@ -235,7 +242,9 @@ option to remain useful even when invoked via a
sudo-run script or program. sudo-run script or program.
Note, however, that the Note, however, that the
.Em sudoers .Em sudoers
file lookup is still done for root, not the user specified by file lookup is still done for
.Sy root ,
not the user specified by
.Ev SUDO_USER . .Ev SUDO_USER .
.Pp .Pp
.Nm .Nm
@@ -442,7 +451,9 @@ as modified by global Defaults parameters in
.Em sudoers , .Em sudoers ,
is displayed when is displayed when
.Nm sudo .Nm sudo
is run by root with the is run by
.Sy root
with the
.Fl V .Fl V
option. option.
The list of environment variables to remove The list of environment variables to remove
@@ -888,8 +899,11 @@ it can contain
User names and groups are matched as strings. User names and groups are matched as strings.
In other words, two users (groups) with the same user (group) ID In other words, two users (groups) with the same user (group) ID
are considered to be distinct. are considered to be distinct.
If you wish to match all user names with the same user-ID (e.g., root and If you wish to match all user names with the same user-ID (e.g.,
toor), you can use a user-ID instead of a name (#0 in the example given). .Sy root
and
.Sy toor ) ,
you can use a user-ID instead of a name (#0 in the example given).
The user-ID or group-ID specified in a The user-ID or group-ID specified in a
.Em Runas_Member .Em Runas_Member
need not be listed in the password or group database. need not be listed in the password or group database.
@@ -1261,10 +1275,12 @@ A
.Sy user specification .Sy user specification
determines which commands a user may run determines which commands a user may run
(and as what user) on specified hosts. (and as what user) on specified hosts.
By default, commands are By default, commands are run as
run as .Sy @runas_default@
.Sy root , (unless
but this can be changed on a per-command basis. .Em runas_default
has been set to a different value)
but this can also be changed on a per-command basis.
.Pp .Pp
The basic structure of a user specification is The basic structure of a user specification is
.Dq who where = (as_whom) what . .Dq who where = (as_whom) what .
@@ -1308,11 +1324,14 @@ are empty, the command may only be run as the invoking user and the
group, if specified, must be one that the invoking user is a member of. group, if specified, must be one that the invoking user is a member of.
If no If no
.Em Runas_Spec .Em Runas_Spec
is specified, the command may only be run as is specified, the command may only be run as the
.Sy root .Em runas_default
and the group, if specified, must be one that user
.Sy root .Sy ( @runas_default@
is a member of. by default) and the group,
if specified, must be one that the
.Em runas_default
user is a member of.
.Pp .Pp
A A
.Em Runas_Spec .Em Runas_Spec
@@ -1416,7 +1435,10 @@ alan ALL = (root, bin : operator, system) ALL
.Pp .Pp
user user
.Sy alan .Sy alan
may run any command as either user root or bin, may run any command as either user
.Sy root
or
.Sy bin ,
optionally setting the group to operator or system. optionally setting the group to operator or system.
.Ss Option_Spec .Ss Option_Spec
A A
@@ -1483,7 +1505,9 @@ alice ALL = (root) APPARMOR_PROFILE=my-profile ALL
.Pp .Pp
the user the user
.Sy alice .Sy alice
may run any command as root under confinement by the profile may run any command as
.Sy root
under confinement by the profile
.Ql my-profile . .Ql my-profile .
You can also stack profiles, or allow a user to run commands unconfined by You can also stack profiles, or allow a user to run commands unconfined by
any profile. any profile.
@@ -1499,7 +1523,9 @@ entries allow user
.Sy bob .Sy bob
to run to run
.Pa /usr/bin/vi .Pa /usr/bin/vi
as root under the stacked profiles as
.Sy root
under the stacked profiles
.Ql foo .Ql foo
and and
.Ql bar , .Ql bar ,
@@ -1832,7 +1858,7 @@ to run
and and
.Pa /usr/bin/lprm .Pa /usr/bin/lprm
as as
.Sy root .Sy @runas_default@
on the machine on the machine
.Dq rushmore .Dq rushmore
without authenticating himself. without authenticating himself.
@@ -2090,7 +2116,11 @@ In the following example, user
.Sy john .Sy john
can run the can run the
.Xr passwd 1 .Xr passwd 1
command as root on any host but is not allowed to change root's password. command as
.Sy @runas_default@
on any host but is not allowed to change
.Sy root Ns No 's
password.
This kind of rule is impossible to express safely using wildcards. This kind of rule is impossible to express safely using wildcards.
.Bd -literal -offset 4n .Bd -literal -offset 4n
john ALL = /usr/bin/passwd ^[a-zA-Z0-9_]+$,\e john ALL = /usr/bin/passwd ^[a-zA-Z0-9_]+$,\e
@@ -2121,7 +2151,8 @@ to run the
.Pa /usr/sbin/usermod , .Pa /usr/sbin/usermod ,
and and
.Pa /usr/sbin/userdel .Pa /usr/sbin/userdel
commands as root. commands as
.Sy @runas_default@ .
.Bd -literal -offset 4n .Bd -literal -offset 4n
sid ALL = ^/usr/sbin/(group|user)(add|mod|del)$ sid ALL = ^/usr/sbin/(group|user)(add|mod|del)$
.Ed .Ed
@@ -2350,7 +2381,9 @@ This allows one to exclude certain values.
For the For the
.Ql \&! .Ql \&!
operator to be effective, there must be something for it to exclude. operator to be effective, there must be something for it to exclude.
For example, to match all users except for root one would use: For example, to match all users except for
.Sy root
one would use:
.Bd -literal -offset 4n .Bd -literal -offset 4n
ALL, !root ALL, !root
.Ed .Ed
@@ -2362,7 +2395,9 @@ is omitted, as in:
!root !root
.Ed .Ed
.Pp .Pp
it would explicitly deny root but not match any other users. it would explicitly deny
.Sy root
but not match any other users.
This is different from a true This is different from a true
.Dq negation .Dq negation
operator. operator.
@@ -2430,7 +2465,9 @@ If enabled,
will set the will set the
.Ev HOME .Ev HOME
environment variable to the home directory of the target user environment variable to the home directory of the target user
(which is the root user unless the (which is the
.Em runas_default
user unless the
.Fl u .Fl u
option is used). option is used).
This flag is largely obsolete and has no effect unless the This flag is largely obsolete and has no effect unless the
@@ -2562,9 +2599,13 @@ or
.Ev EDITOR .Ev EDITOR
environment variables before falling back on the default editor list. environment variables before falling back on the default editor list.
.Nm visudo .Nm visudo
is typically run as root so this flag may allow a user with is typically run as
.Sy root
so this flag may allow a user with
.Nm visudo .Nm visudo
privileges to run arbitrary commands as root without logging. privileges to run arbitrary commands as
.Sy root
without logging.
An alternative is to place a colon-separated list of An alternative is to place a colon-separated list of
.Dq safe .Dq safe
editors int the editors int the
@@ -2629,7 +2670,9 @@ lists, as modified by global Defaults parameters in
.Em sudoers , .Em sudoers ,
are displayed when are displayed when
.Nm sudo .Nm sudo
is run by root with the is run by
.Sy root
with the
.Fl V .Fl V
option. option.
If the If the
@@ -3532,17 +3575,23 @@ This flag is
.Em off .Em off
by default. by default.
.It root_sudo .It root_sudo
If set, root is allowed to run If set,
.Sy root
is allowed to run
.Nm sudo .Nm sudo
too. too.
Disabling this prevents users from Disabling this prevents users from
.Dq chaining .Dq chaining
.Nm sudo .Nm sudo
commands to get a root shell by doing something like commands to get a
.Sy root
shell by doing something like
.Ql sudo sudo /bin/sh . .Ql sudo sudo /bin/sh .
Note, however, that turning off Note, however, that turning off
.Em root_sudo .Em root_sudo
will also prevent root from running will also prevent
.Sy root
from running
.Nm sudoedit . .Nm sudoedit .
Disabling Disabling
.Em root_sudo .Em root_sudo
@@ -3553,7 +3602,9 @@ by default.
.It rootpw .It rootpw
If set, If set,
.Nm sudo .Nm sudo
will prompt for the root password instead of the password of the invoking user will prompt for the
.Sy root
password instead of the password of the invoking user
when running a command or editing a file. when running a command or editing a file.
This flag is This flag is
.Em off .Em off
@@ -3599,7 +3650,8 @@ If set,
.Nm sudo .Nm sudo
will prompt for the password of the user defined by the will prompt for the password of the user defined by the
.Em runas_default .Em runas_default
option (defaults to @runas_default@) option (defaults to
.Sy @runas_default@ )
instead of the password of the invoking user instead of the password of the invoking user
when running a command or editing a file. when running a command or editing a file.
This flag is This flag is
@@ -3622,7 +3674,9 @@ is invoked with the
option, the option, the
.Ev HOME .Ev HOME
environment variable will be set to the home directory of the target environment variable will be set to the home directory of the target
user (which is the root user unless the user (which is the
.Em runas_default
user unless the
.Fl u .Fl u
option is used). option is used).
This flag is largely obsolete and has no effect unless the This flag is largely obsolete and has no effect unless the
@@ -3642,7 +3696,9 @@ will set the
.Ev LOGNAME .Ev LOGNAME
and and
.Ev USER .Ev USER
environment variables to the name of the target user (usually root unless the environment variables to the name of the target user (the user specified by
.Em runas_default
unless the
.Fl u .Fl u
option is given). option is given).
However, since some programs (including the RCS revision control system) use However, since some programs (including the RCS revision control system) use
@@ -3709,7 +3765,9 @@ If set and
is invoked with no arguments it acts as if the is invoked with no arguments it acts as if the
.Fl s .Fl s
option had been given. option had been given.
That is, it runs a shell as root (the shell is determined by the That is, it runs a shell as
.Sy root
(the shell is determined by the
.Ev SHELL .Ev SHELL
environment variable if it is set, falling back on the shell listed environment variable if it is set, falling back on the shell listed
in the invoking user's /etc/passwd entry if not). in the invoking user's /etc/passwd entry if not).
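Review bot: this hunk keeps `.Sy root` for the shell started under shell_noargs, but without -u that shell runs as the runas_default user, which the stay_setuid and %U hunks in this same change spell as `.Sy @runas_default@`; for consistency consider "it runs a shell as" / ".Sy @runas_default@" here as well. The context line "in the invoking user's /etc/passwd entry" could also mark the path with `.Pa /etc/passwd`, matching the `.Pa @rundir@` markup used elsewhere in this file.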
@@ -3720,7 +3778,9 @@ by default.
Normally, when Normally, when
.Nm sudo .Nm sudo
executes a command the real and effective user-IDs are set to the target executes a command the real and effective user-IDs are set to the target
user (root by default). user
.Sy ( @runas_default@
by default).
This option changes that behavior such that the real user-ID is left This option changes that behavior such that the real user-ID is left
as the invoking user's user-ID. as the invoking user's user-ID.
In other words, this makes In other words, this makes
@@ -3746,7 +3806,8 @@ Symbolic links will not be followed in writable directories and
will refuse to edit a file located in a writable directory. will refuse to edit a file located in a writable directory.
These restrictions are not enforced when These restrictions are not enforced when
.Nm sudoedit .Nm sudoedit
is run by root. is run by
.Sy root .
On some systems, if all directory components of the path to be edited On some systems, if all directory components of the path to be edited
are not readable by the target user, are not readable by the target user,
.Nm sudoedit .Nm sudoedit
@@ -3793,7 +3854,8 @@ If set,
will prompt for the password of the user specified will prompt for the password of the user specified
by the by the
.Fl u .Fl u
option (defaults to root) option (defaults to the value of
.Em runas_default )
instead of the password of the invoking user instead of the password of the invoking user
when running a command or editing a file. when running a command or editing a file.
This flag precludes the use of a user-ID not listed in the passwd This flag precludes the use of a user-ID not listed in the passwd
@@ -4225,10 +4287,12 @@ expanded to the invoking user's login name
expanded to the name of the invoking user's real group-ID expanded to the name of the invoking user's real group-ID
.It %{runas_user} .It %{runas_user}
expanded to the login name of the user the command will expanded to the login name of the user the command will
be run as (e.g., root) be run as (e.g.,
.Sy root )
.It %{runas_group} .It %{runas_group}
expanded to the group name of the user the command will expanded to the group name of the user the command will
be run as (e.g., wheel) be run as (e.g.,
.Sy wheel )
.It %{hostname} .It %{hostname}
expanded to the local host name without the domain name expanded to the local host name without the domain name
.It %{command} .It %{command}
@@ -4489,7 +4553,8 @@ flags in
.Em sudoers ) .Em sudoers )
.It \&%U .It \&%U
expanded to the login name of the user the command will expanded to the login name of the user the command will
be run as (defaults to root) be run as (defaults to
.Sy @runas_default@ )
.It %u .It %u
expanded to the invoking user's login name expanded to the invoking user's login name
.It %% .It %%
@@ -4548,7 +4613,8 @@ is built with SELinux support.
The default user to run commands as if the The default user to run commands as if the
.Fl u .Fl u
option is not specified on the command line. option is not specified on the command line.
This defaults to @runas_default@. This defaults to
.Sy @runas_default@ .
.It sudoers_locale .It sudoers_locale
Locale to use when parsing the sudoers file, logging commands, and Locale to use when parsing the sudoers file, logging commands, and
sending email. sending email.
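Review bot: the runas_default entry still describes only the case where -u is not given on the command line. Does runas_default also supply the user for sudoers entries that have no Runas_Spec? If so, this entry is where readers will look for that rule and it should say so, rather than leaving it implied by the "defaults to @runas_default@" wording in the %U and stay_setuid hunks.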
@@ -4615,7 +4681,8 @@ The default is
.It timestampowner .It timestampowner
The owner of the lecture status directory, time stamp directory and all The owner of the lecture status directory, time stamp directory and all
files stored therein. files stored therein.
The default is root. The default is
.Sy root .
.if \n(SL \{\ .if \n(SL \{\
.It type .It type
The default SELinux type to use when constructing a new security The default SELinux type to use when constructing a new security
@@ -5194,8 +5261,9 @@ option is enabled or disabled, variables specified by
will be preserved in the environment if they pass the aforementioned check. will be preserved in the environment if they pass the aforementioned check.
The global list of environment variables to check is displayed when The global list of environment variables to check is displayed when
.Nm sudo .Nm sudo
is run by root with is run by
the .Sy root
with the
.Fl V .Fl V
option. option.
.It env_delete .It env_delete
@@ -5213,7 +5281,9 @@ and
operators respectively. operators respectively.
The global list of environment variables to remove is displayed when The global list of environment variables to remove is displayed when
.Nm sudo .Nm sudo
is run by root with the is run by
.Sy root
with the
.Fl V .Fl V
option. option.
Many operating systems will remove potentially dangerous variables Many operating systems will remove potentially dangerous variables
@@ -5238,7 +5308,9 @@ operators respectively.
The global list of variables to keep The global list of variables to keep
is displayed when is displayed when
.Nm sudo .Nm sudo
is run by root with the is run by
.Sy root
with the
.Fl V .Fl V
option. option.
.Pp .Pp
@@ -5619,7 +5691,9 @@ file.
was unable to read or create the user's time stamp file. was unable to read or create the user's time stamp file.
This can happen when This can happen when
.Em timestampowner .Em timestampowner
is set to a user other than root and the mode on is set to a user other than
.Sy root
and the mode on
.Pa @rundir@ .Pa @rundir@
is not searchable by group or other. is not searchable by group or other.
The default mode for The default mode for
@@ -6165,7 +6239,8 @@ need not provide a password and we don't want to reset the
.Ev LOGNAME .Ev LOGNAME
or or
.Ev USER .Ev USER
environment variables when running commands as root. environment variables when running commands as
.Sy root .
Additionally, on the machines in the Additionally, on the machines in the
.Dv SERVERS .Dv SERVERS
.Em Host_Alias , .Em Host_Alias ,
@@ -6307,7 +6382,8 @@ groups).
The user The user
.Sy pete .Sy pete
is allowed to change anyone's password except for is allowed to change anyone's password except for
root on the .Sy root
on the
.Dv HPPA .Dv HPPA
machines. machines.
Because command line arguments are matched as a single, Because command line arguments are matched as a single,
@@ -6394,8 +6470,9 @@ On the
.Dv ALPHA .Dv ALPHA
machines, user machines, user
.Sy john .Sy john
may su to anyone except root but he is not allowed to specify any options may su to anyone except
to the .Sy root
but he is not allowed to specify any options to the
.Xr su 1 .Xr su 1
command. command.
.Bd -literal .Bd -literal
@@ -6499,7 +6576,9 @@ advisory at best (and reinforced by policy).
In general, if a user has sudo In general, if a user has sudo
.Sy ALL .Sy ALL
there is nothing to prevent them from creating their own program that gives there is nothing to prevent them from creating their own program that gives
them a root shell (or making their own copy of a shell) regardless of any them a
.Sy root
shell (or making their own copy of a shell) regardless of any
.Ql !\& .Ql !\&
elements in the user specification. elements in the user specification.
.Ss Security implications of Em fast_glob .Ss Security implications of Em fast_glob
@@ -6855,9 +6934,11 @@ is enabled.
.El .El
.Pp .Pp
Restricting shell escapes is not a panacea. Restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous Programs running as
operations (such as changing or overwriting files) that could lead .Sy root
to unintended privilege escalation. are still capable of many potentially hazardous operations (such
as changing or overwriting files) that could lead to unintended
privilege escalation.
In the specific case of an editor, a safer approach is to give the In the specific case of an editor, a safer approach is to give the
user permission to run user permission to run
.Nm sudoedit .Nm sudoedit
@@ -6904,7 +6985,9 @@ as follows:
$ sudoedit /etc/motd $ sudoedit /etc/motd
.Ed .Ed
.Pp .Pp
The editor will run as the operator user, not root, on a temporary copy of The editor will run as the operator user, not
.Sy @runas_default@ ,
on a temporary copy of
.Pa /etc/motd . .Pa /etc/motd .
After the file has been edited, After the file has been edited,
.Pa /etc/motd .Pa /etc/motd
@@ -6925,7 +7008,8 @@ not be followed in writable directories and
will refuse to edit a file located in a writable directory will refuse to edit a file located in a writable directory
unless the unless the
.Em sudoedit_checkdir .Em sudoedit_checkdir
option has been disabled or the invoking user is root. option has been disabled or the invoking user is
.Sy root .
Additionally, in version 1.8.15 and higher, Additionally, in version 1.8.15 and higher,
.Nm sudoedit .Nm sudoedit
will refuse to open a symbolic link unless either the will refuse to open a symbolic link unless either the
@@ -6944,8 +7028,10 @@ will check the ownership of its time stamp directory
.Pa @rundir@/ts .Pa @rundir@/ts
by default by default
.Pc .Pc
and ignore the directory's contents if it is not owned by root or and ignore the directory's contents if it is not owned by
if it is writable by a user other than root. .Sy root
or if it is writable by a user other than
.Sy root .
Older versions of Older versions of
.Nm sudo .Nm sudo
stored time stamp files in stored time stamp files in
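Review bot: the ownership check described here is hard-coded to `.Sy root`, but the timestampowner entry earlier in this change says the time stamp directory is owned by timestampowner, which merely defaults to root, and the diagnostics hunk describes what happens when it is set to another user; the condition should probably read "not owned by the timestampowner user" and "writable by a user other than timestampowner", otherwise the two passages contradict each other once timestampowner is changed.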