isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rework source layout in preparation for modular sudo.

Browse Source
This commit is contained in:
Todd C. Miller
2010-02-20 09:14:01 -05:00
parent 28c24027ec
commit e90fa482f9
151 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
doc/HISTORY Normal file
View File

@@ -0,0 +1,49 @@
A brief history of sudo:
Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer
around 1980 at the Department of Computer Science at SUNY/Buffalo. It ran on
a VAX-11/750 running 4.1BSD. An updated version, credited to Phil Betchel,
Cliff Spencer, Gretchen Phillips, John LoVerso and Don Gworek, was posted to
the net.sources Usenet newsgroup in December of 1985.
In the Summer of 1986, Garth Snyder released an enhanced version of sudo.
For the next 5 years, sudo was fed and watered by a handful of folks at
CU-Boulder, including Bob Coggeshall, Bob Manchek, and Trent Hein.
In 1991, Dave Hieb and Jeff Nieusma wrote a new version of sudo with an
enhanced sudoers format under contract to a consulting firm called "The Root
Group". This version was later released under the GNU public license.
In 1994, after maintaining sudo informally within CU-Boulder for some time,
Todd Miller made a public release of "CU sudo" (version 1.3) with bug fixes
and support for more operating systems. The "CU" was added to differentiate
it from the "official" version from "The Root Group".
In 1995, a new parser for the sudoers file was contributed by Chris Jepeway.
The new parser was a proper grammar (unlike the old one) and could work with
both sudo and visudo (previously they had slightly different parsers).
In 1996, Todd, who had been maintaining sudo for several years in his spare
time, moved distribution of sudo from a CU-Boulder ftp site to his domain,
courtesan.com.
In 1999, the "CU" prefix was dropped from the name since there has been no
formal release of sudo from "The Root Group" since 1991 (the original
authors now work elsewhere). As of version 1.6, Sudo no longer contains any
of the original "Root Group" code and is available under an ISC-style
license.
In 2001, the sudo web site, ftp site and mailing lists were moved from
courtesan.com to the sudo.ws domain (sudo.org was already taken).
In 2005, Todd rewrote the sudoers parser to better support the features that
had been added in the past ten years. This new parser removes some
limitations of the previous one, removes ordering constraints and adds
support for including multiple sudoers files.
sudo, in its current form, is maintained by:
Todd Miller <Todd.Miller@courtesan.com>
Todd continues to enhance sudo and fix bugs.

78
doc/LICENSE Normal file
View File

@@ -0,0 +1,78 @@
Sudo is distributed under the following ISC-style license:
Copyright (c) 1994-1996, 1998-2009
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
Additionally, fnmatch.c, fnmatch.h, getcwd.c, glob.c, glob.h and snprintf.c
bear the following UCB license:
Copyright (c) 1987, 1989, 1990, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
nonunix.h and vasgroups.c bear the following license:
Copyright (c) 2006 Quest Software, Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of Quest Software, Inc. nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

85
doc/PORTING Normal file
View File

@@ -0,0 +1,85 @@
Sudo porting hints
==================
Before trying to port sudo to a new architecture, please join the
sudo-workers mailing list (see the README file) and ask if anyone
has a port working or in-progress. Sudo should be fairly easy to
port. Since it uses a configure script, most of the work is often
done for you. As long as your operating system is reasonably POSIX
compliant porting should be easy. If your operating system has a
separate library for POSIX compatibility you may need to add it by
using configure's --with-libraries option.
If your OS is an SVR4 derivative (or some approximation thereof), it may
be sufficient to tell configure you are runnng SVR4, something like:
configure foo-bar-sysv4
where foo is the hardware architecture and bar is the vendor.
A possible pitfall is getdtablesize(2) which is used to get the
maximum number of open files the process can have. If an OS has
the POSIX sysconf(2) it will be used instead of getdtablesize(2).
ulimit(2) or getrlimit(2) can also be used on some OS's. If all
else fails you can use the value of NOFILE in <sys/param.h>.
Sudo tries to clear the environment of dangerous environment variables
such as LD_* to prevent shared library spoofing. If you are porting
sudo to a new OS that has shared libraries you'll want to mask out
the variables that allow one to change the shared library path.
See initial_badenv_table() in env.c to see how this is done for
various operating systems.
It is possible that on a really weird system, tgetpass() may not
compile. (The most common cause for this is that the "fd_set" type
is not defined in a place that sudo expects it to be. If you can
find the header file where "fd_set" is typedef'd, have tgetpass.c
include it and send in a bug report.)
Alternately, tgetpass.c may compile but not work (nothing happens
at the Password: prompt). It is possible that your C library
contains a broken or unusable crypt() function--try linking with
-lcrypt if that exists. Another possibility is that select() is
not fully functional; running configure with --with-password-timeout=0
will disable the use of select(). If sudo prompts you for a
password but never accepts it, see below.
Sudo detects and recognizes most common shadow password schemes
automatically. If you find that sudo is not accepting your password
and you are sure that it has been typed in correctly there are two
likely problems. One possibility is that your C library has a
broken crypt() function (see above). The other is that your operating
system is using shadow passwords and sudo has not detected that
fact. Look in config.h to see what, if any, shadow password scheme
was detected. The most common are SVR4 (HAVE_GETSPNAM will be
defined) and SecureWare (HAVE_GETPRPWNAM will be defined). Check
the manual pages on your system for "getspnam" and "getprpwnam".
If one of those exist but the appropriate define does not exist in
config.h then the problem is most likely that those routines live
in a library that sudo does not know to link against. The manual
page should tell you what library this is. You can then use the
--with-libraries option to configure to tell sudo to link with the
library in question. For example:
--with-libraries='-lgen'
would cause sudo to link in libgen which contains "getspnam" on SCO
systems.
If you are trying to port to a system without standard Berkeley
networking you may find that interfaces.c will not compile. This
is most likely on OS's with STREAMS-based networking. It should
be possible to make it work by modifying the ISC streams support
(see the _ISC #ifdef's). However, if you don't care about ip address
and network address support, you can just run configure with the
--without-interfaces flag to get a do-nothing load_interfaces()
stub function.
Sudo wants POSIX signals (sigaction and friends). If your system
lacks sigaction but has the 4.3BSD sigvec() function, sigvec() will
be used instead via the wrapper functions in sigaction.c. It is
not currently possible to use the old SVR3 and 4.2BSD signals, but
this is due more to my lack of a test machine than anything else.
If you port sudo to a new architecture, please send the output of
"configure", the config.log file and your changes to:
sudo@courtesan.com
If you are unable to get sudo working, and you are willing to
give me an account on a machine, send mail to sudo@courtesan.com.
Note, however, that I can't make any promises.

190
doc/TROUBLESHOOTING Normal file
View File

@@ -0,0 +1,190 @@
Troubleshooting tips and FAQ for Sudo
=====================================
Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you either don't have a working compiler. This
could be due to the lack of a license or that some component of the
compiler suite could not be found. Check config.log for clues as
to why this is happening. On many systems, compiler components live
in /usr/ccs/bin which may not be in your PATH environment variable.
Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
and sudo quits.
A) Sudo must be setuid root to do its work. You need to do something like
`chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
on must *not* be mounted (or exported) with the nosuid option or sudo
will not be able to work. Another possibility is you may have '.' in
your $PATH before the directory containing sudo. If you are going
to have '.' in your path you should make sure it is at the end.
Q) Sudo never gives me a chance to enter a password using PAM, it just
says 'Sorry, try again.' three times and exits.
A) You didn't setup PAM to work with sudo. On Redhat Linux or Fedora
Core this generally means installing sample.pam as /etc/pam.d/sudo.
See the sample.pam file for hints on what to use for other Linux
systems.
Q) Sudo says 'Account expired or PAM config lacks an "account"
section for sudo, contact your system administrator' and exits
but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
usually means you are missing a line like:
account required pam_unix.so
in /etc/pam.d/sudo.
Q) Sudo is setup to log via syslog(3) but I'm not getting any log
messages.
A) Make sure you have an entry in your syslog.conf file to save
the sudo messages (see the sample.syslog.conf file). The default
log facility is local2 (changeable via configure). Don't forget
to send a SIGHUP to your syslogd so that it re-reads its conf file.
Also, remember that syslogd does *not* create log files, you need to
create the file before syslogd will log to it (ie: touch /var/log/sudo).
Note: the facility ("local2.debug") must be separated from the
destination ("/var/adm/sudo.log" or "@loghost") by
tabs, *not* spaces. This is a common error.
Q) When sudo asks me for my password it never accepts what I enter even
though I know I entered my password correctly.
A) If your system uses shadow passwords, it is possible that sudo
didn't detect this. Take a look at the generated config.h file
and verify that the C function used for shadow password lookups
was detected. For instance, for SVR4-style shadow passwords,
HAVE_GETSPNAM should be defined (you can search for the string
"shadow passwords" in config.h with your editor). Note that
there is no define for 4.4BSD-based shadow passwords since that
just uses the standard getpw* routines.
Q) I don't want the sudoers file in /etc, how can I specify where it
should go?
A) Use the --sysconfdir option to configure. Ie:
configure --sysconfdir=/dir/you/want/sudoers/in
Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
the sudoers file at this time. A good way to distribute the
sudoers file is via rdist(1). It is also possible to NFS-mount
the sudoers file.
Q) I don't run sendmail on my machine. Does this mean that I cannot
use sudo?
A) No, you just need to run use the --without-sendmail argument to configure
or add "!mailerpath" to the Defaults line in /etc/sudoers.
Q) When I run visudo it uses vi as the editor and I hate vi. How
can I make it use another editor?
A) Your best bet is to run configure with the --with-env-editor switch.
This will make visudo use the editor specified by the user's
EDITOR environment variable. Alternately, you can run configure
with the --with-editor=/path/to/another/editor.
Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
to guard against shared library spoofing, shell voodoo, and
kerberos server spoofing.
IFS
LOCALDOMAIN
RES_OPTIONS
HOSTALIASES
NLSPATH
PATH_LOCALE
TERMINFO
TERMINFO_DIRS
TERMPATH
TERMCAP
ENV
BASH_ENV
LC_ (if it contains a '/' or '%')
LANG (if it contains a '/' or '%')
LANGUAGE (if it contains a '/' or '%')
LD_*
_RLD_*
SHLIB_PATH (HP-UX only)
LIBPATH (AIX only)
KRB_CONF (kerb4 only)
KRBCONFDIR (kerb4 only)
KRBTKFILE (kerb4 only)
KRB5_CONFIG (kerb5 only)
VAR_ACE (SecurID only)
USR_ACE (SecurID only)
DLC_ACE (SecurID only)
Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
tag right before the command list in sudoers. See the sudoers man page
and sample.sudoers for details. To disable passwords completely,
run configure with the --without-passwd option or add "!authenticate"
to the Defaults line in /etc/sudoers. You can also turn off authentication
on a per-user or per-host basis using a user or host-specific Defaults
entry in sudoers.
Q) When I run configure, it dies with the following error:
"no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
You need to tell configure the path to the "real" C compiler
via the --with-CC option. On Solaris, the path is probably
something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
that will also work.
Q) When I run configure, it dies with the following error:
Fatal Error: config.cache exists from another platform!
Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
config.cache to make re-running configure speedy. However,
if you are building sudo for a different platform the results
in config.cache will be wrong so you need to remove config.cache.
You can do this by "rm config.cache" or "make realclean".
Note that "make realclean" will also remove any object files
and configure temp files that are laying around as well.
Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
doesn't work on Solaris <= 2.5.1. Why?
A) Starting with Solaris 2.6, snprintf(3) is included in the standard
C library. To build a version of sudo on a >= 2.6 machine that
will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
#define HAVE_SNPRINTF 1
#define HAVE_VSNPRINTF 1
and run make.
Q) When I run "visudo" it says "sudoers file busy, try again later."
and doesn't do anything.
A) Someone else is currently editing the sudoers file with visudo.
Q) When I try to use "cd" with sudo it says "cd: command not found".
A) "cd" is a shell built-in command, you can't run it as a command
since a child process (sudo) cannot affect the current working
directory of the parent (your shell).
Q) When I try to use "cd" with sudo the command completes without
errors but nothing happens.
A) Even though "cd" is a shell built-in command, some operating systems
include a /usr/bin/cd command for some reason. A standalone
"cd" command is totally useless since a child process (cd) cannot
affect the current working directory of the parent (your shell).
Thus, "sudo cd /foo" will start a child process, change the
directory and immediately exit without doing anything useful.
Q) When I run sudo it says I am not allowed to run the command as root
but I don't want to run it as root, I want to run it as another user.
My sudoers file entry looks like:
bob ALL=(oracle) ALL
A) The default user sudo tries to run things as is always root, even if
the invoking user can only run commands as a single, specific user.
This may change in the future but at the present time you have to
work around this using the 'runas_default' option in sudoers.
For example:
Defaults:bob runas_default=oracle
would achieve the desired result ofr the preceding sudoers fragment.
Q) When I try to run sudo via ssh, I get the error:
sudo: no tty present and no askpass program specified
A) ssh does not allocate a tty by default when running a remote command.
Without a tty, sudo cannot disable echo when prompting for a password.
You can use ssh's "-t" option to force it to allocate a tty.
Alternately, if you do not mind your password being echoed to the
screen, you can use the "visiblepw" sudoers option to allow this.
Q) How do you pronounce `sudo'?
A) The official pronunciation is soo-doo (for su "do"). However, an
alternate pronunciation, a homophone of "pseudo", is also common.

143
doc/UPGRADE Normal file
View File

@@ -0,0 +1,143 @@
Notes on upgrading from an older release
========================================
o Upgrading from a version prior to 1.7.0:
Starting with sudo 1.7.0 comments in the sudoers file must not
have a digit or minus sign immediately after the comment character
('#'). Otherwise, the comment may be interpreted as a user or
group ID.
When sudo is build with LDAP support the /etc/nsswitch.conf file is
now used to determine the sudoers seach order. sudo will default to
only using /etc/sudoers unless /etc/nsswitch.conf says otherwise.
This can be changed with an nsswitch.conf line, e.g.:
sudoers: ldap files
Would case LDAP to be searched first, then the sudoers file.
To restore the pre-1.7.0 behavior, run configure with the
--with-nsswitch=no flag.
Sudo now ignores user .ldaprc files as well as system LDAP defaults.
All LDAP configuration is now in /etc/ldap.conf (or whichever file
was specified by configure's --with-ldap-conf-file option).
If you are using TLS, you may now need to specify:
tls_checkpeer no
in sudo's ldap.conf unless ldap.conf references a valid certificate
authority file(s).
Please also see the WHATSNEW file for a list of new features in
sudo 1.7.0.
o Upgrading from a version prior to 1.6.9:
Starting with sudo 1.6.9, if an OS supports a modular authentication
method such as PAM, it will be used by default by configure.
Environment variable handling has changed significantly in sudo
1.6.9. Prior to version 1.6.9, sudo would preserve the user's
environment, pruning out potentially dangerous variables.
Beginning with sudo 1.6.9, the envionment is reset to a default
set of values with only a small number of "safe" variables
preserved. To preserve specific environment variables, add
them to the "env_keep" list in sudoers. E.g.
Defaults env_keep += "EDITOR"
The old behavior can be restored by negating the "env_reset"
option in sudoers. E.g.
Defaults !env_reset
There have also been changes to how the "env_keep" and
"env_check" options behave.
Prior to sudo 1.6.9, the TERM and PATH environment variables
would always be preserved even if the env_keep option was
redefined. That is no longer the case. Consequently, if
env_keep is set with "=" and not simply appended to (i.e. using
"+="), PATH and TERM must be explicitly included in the list
of environment variables to keep. The LOGNAME, SHELL, USER,
and USERNAME environment variables are still always set.
Additionally, the env_check setting previously had no effect
when env_reset was set (which is now on by default). Starting
with sudo 1.6.9, environment variables listed in env_check are
also preserved in the env_reset case, provided that they do not
contain a '/' or '%' character. Note that it is not necessary
to also list a variable in env_keep--having it in env_check is
sufficent.
The default lists of variables to be preserved and/or checked
are displayed when sudo is run by root with the -V flag.
o Upgrading from a version prior to 1.6.8:
Prior to sudo 1.6.8, if /var/run did not exist, sudo would put
the timestamp files in /tmp/.odus. As of sudo 1.6.8, the
timestamp files will be placed in /var/adm/sudo or /usr/adm/sudo
if there is no /var/run directory. This directory will be
created if it does not already exist.
Previously, a sudoers entry that explicitly prohibited running
a command as a certain user did not override a previous entry
allowing the same command. This has been fixed in sudo 1.6.8
such that the last match is now used (as it is documented).
Hopefully no one was depending on the previous (buggy) beghavior.
o Upgrading from a version prior to 1.6:
As of sudo 1.6, parsing of runas entries and the NOPASSWD tag
has changed. Prior to 1.6, a runas specifier applied only to
a single command directly following it. Likewise, the NOPASSWD
tag only allowed the command directly following it to be run
without a password. Starting with sudo 1.6, both the runas
specifier and the NOPASSWD tag are "sticky" for an entire
command list. So, given the following line in sudo < 1.6
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami,/bin/ls
millert would be able to run /usr/bin/whoami as user daemon
without a password and /bin/ls as root with a password.
As of sudo 1.6, the same line now means that millert is able
to run run both /usr/bin/whoami and /bin/ls as user daemon
without a password. To expand on this, take the following
example:
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, (root) /bin/ls, \
/sbin/dump
millert can run /usr/bin/whoami as daemon and /bin/ls and
/sbin/dump as root. No password need be given for either
command. In other words, the "(root)" sets the default runas
user to root for the rest of the list. If we wanted to require
a password for /bin/ls and /sbin/dump the line could be written
thusly:
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \
(root) PASSWD:/bin/ls, /sbin/dump
Additionally, sudo now uses a per-user timestamp directory
instead of a timestamp file. This allows tty timestamps to
simply be files within the user's timestamp dir. For the
default, non-tty case, the timestamp on the directory itself
is used.
Also, the temporary file used by visudo is now /etc/sudoers.tmp
since some versions of vipw on systems with shadow passwords use
/etc/stmp for the temporary shadow file.
o Upgrading from a version prior to 1.5:
By default, sudo expects the sudoers file to be mode 0440 and
to be owned by user and group 0. This differs from version 1.4
and below which expected the sudoers file to be mode 0400 and
to be owned by root. Doing a `make install' will set the sudoers
file to the new mode and group. If sudo encounters a sudoers
file with the old permissions it will attempt to update it to
the new scheme. You cannot, however, use a sudoers file with
the new permissions with an old sudo binary. It is suggested
that if have a means of distributing sudo you distribute the
new binaries first, then the new sudoers file (or you can leave
sudoers as is and sudo will fix the permissions itself as long
as sudoers is on a local file system).

54
doc/history.pod Normal file
View File

@@ -0,0 +1,54 @@
=head1 A brief history of sudo:
Sudo was first conceived and implemented by Bob Coggeshall and Cliff
Spencer around 1980 at the Department of Computer Science at
SUNY/Buffalo. It ran on a VAX-11/750 running 4.1BSD. An updated
version, credited to Phil Betchel, Cliff Spencer, Gretchen Phillips,
John LoVerso and Don Gworek, was posted to the net.sources Usenet
newsgroup in December of 1985.
In the Summer of 1986, Garth Snyder released an enhanced version
of sudo. For the next 5 years, sudo was fed and watered by a handful
of folks at CU-Boulder, including Bob Coggeshall, Bob Manchek, and
Trent Hein.
In 1991, Dave Hieb and Jeff Nieusma wrote a new version of sudo
with an enhanced sudoers format under contract to a consulting firm
called "The Root Group". This version was later released under the
GNU public license.
In 1994, after maintaining sudo informally within CU-Boulder for
some time, Todd Miller made a public release of "CU sudo" (version
1.3) with bug fixes and support for more operating systems. The
"CU" was added to differentiate it from the "official" version from
"The Root Group".
In 1995, a new parser for the sudoers file was contributed by Chris
Jepeway. The new parser was a proper grammar (unlike the old one)
and could work with both sudo and visudo (previously they had
slightly different parsers).
In 1996, Todd, who had been maintaining sudo for several years in
his spare time, moved distribution of sudo from a CU-Boulder ftp
site to his domain, courtesan.com.
In 1999, the "CU" prefix was dropped from the name since there has
been no formal release of sudo from "The Root Group" since 1991
(the original authors now work elsewhere). As of version 1.6, Sudo
no longer contains any of the original "Root Group" code and is
available under an ISC-style license.
In 2001, the sudo web site, ftp site and mailing lists were moved
from courtesan.com to the sudo.ws domain (sudo.org was already
taken).
In 2005, Todd rewrote the sudoers parser to better support the
features that had been added in the past ten years. This new parser
removes some limitations of the previous one, removes ordering
constraints and adds support for including multiple sudoers files.
sudo, in its current form, is maintained by:
Todd Miller <Todd.Miller@courtesan.com>
Todd continues to enhance sudo and fix bugs.

54
doc/license.pod Normal file
View File

@@ -0,0 +1,54 @@
=head1 Sudo License
=head3
Sudo is distributed under the following ISC-style license:
Copyright (c) 1994-1996, 1998-2008
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
=head3
Additionally, fnmatch.c, fnmatch.h, getcwd.c, glob.c, glob.h, mkstemp.c
and snprintf.c bear the following UCB license:
Copyright (c) 1987, 1989, 1990, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

30
doc/sample.pam Normal file
View File

@@ -0,0 +1,30 @@
#%PAM-1.0
# Sample /etc/pam.d/sudo file for RedHat 9 / Fedora Core.
# For other Linux distributions you may want to
# use /etc/pam.d/sshd or /etc/pam.d/su as a guide.
#
# There are two basic ways to configure PAM, either via pam_stack
# or by explicitly specifying the various methods to use.
#
# Here we use pam_stack
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
#
# Alternately, you can specify the authentication method directly.
# Here we use pam_unix for normal password authentication.
#auth required pam_env.so
#auth sufficient pam_unix.so
#account required pam_unix.so
#password required pam_cracklib.so retry=3 type=
#password required pam_unix.so nullok use_authtok md5 shadow
#session required pam_limits.so
#session required pam_unix.so
#
# Another option is to use SMB for authentication.
#auth required pam_env.so
#auth sufficient pam_smb_auth.so
#account required pam_smb_auth.so
#password required pam_smb_auth.so
#session required pam_limits.so

131
doc/sample.sudoers Normal file
View File

@@ -0,0 +1,131 @@
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
##
# Override built-in defaults
##
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
##
# User alias specification
##
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
##
# Host alias specification
##
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
SGI = grolsch, dandelion, black:\
ALPHA = widget, thalamus, foobar:\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
##
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
/usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
##
# User specification
##
# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL
# part time sysadmins may run anything but need a password
PARTTIMERS ALL = ALL
# jack may run anything on machines in CSNETS
jack CSNETS = ALL
# lisa may run any command on any host in CUNETS (a class B network)
lisa CUNETS = ALL
# operator may run maintenance commands and anything in /usr/oper/bin/
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
# joe may su only to operator
joe ALL = /usr/bin/su operator
# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob SPARC = (OP) ALL : SGI = (OP) ALL
# jim may run anything on machines in the biglab netgroup
jim +biglab = ALL
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL
# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL
# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS
# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/
# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL
# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

25
doc/sample.syslog.conf Normal file
View File

@@ -0,0 +1,25 @@
# This is a sample syslog.conf fragment for use with Sudo.
#
# Sudo logs to local2 by default, but this is changable via the
# --with-logfac configure option. To see what syslog facility
# a sudo binary uses, run `sudo -V' as *root*. You may have
# to check /usr/include/syslog.h to map the facility number to
# a name.
#
# NOTES:
# The whitespace in the following line is made up of <TAB>
# characters, *not* spaces. You cannot just cut and paste!
#
# If you edit syslog.conf you need to send syslogd a HUP signal.
# Ie: kill -HUP process_id
#
# Syslogd will not create new log files for you, you must first
# create the file before syslogd will log to it. Eg.
# 'touch /var/log/sudo'
# This logs successful and failed sudo attempts to the file /var/log/sudo
local2.debug /var/log/sudo
# To log to a remote machine, use something like the following,
# where "loghost" is the name of the remote machine.
local2.debug @loghost

172
doc/schema.ActiveDirectory Normal file
View File

@@ -0,0 +1,172 @@
#
# Active Directory Schema for sudo configuration (sudoers)
#
# To extend your Active Directory schema, run the following command
# on your Windows DC:
#
# ldifde -i -f schema.ActiveDirectory -c dc=X dc=YOURDOMAIN,DC=COM
#
dn: CN=sudoUser,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoUser
distinguishedName: CN=sudoUser,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.1
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoUser
adminDescription: User(s) who may run sudo
oMSyntax: 22
searchFlags: 1
lDAPDisplayName: sudoUser
name: sudoUser
schemaIDGUID:: JrGcaKpnoU+0s+HgeFjAbg==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoHost,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoHost
distinguishedName: CN=sudoHost,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.2
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoHost
adminDescription: Host(s) who may run sudo
oMSyntax: 22
lDAPDisplayName: sudoHost
name: sudoHost
schemaIDGUID:: d0TTjg+Y6U28g/Y+ns2k4w==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoCommand,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoCommand
distinguishedName: CN=sudoCommand,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.3
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoCommand
adminDescription: Command(s) to be executed by sudo
oMSyntax: 22
lDAPDisplayName: sudoCommand
name: sudoCommand
schemaIDGUID:: D6QR4P5UyUen3RGYJCHCPg==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAs,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAs
distinguishedName: CN=sudoRunAs,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.4
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAs
adminDescription: User(s) impersonated by sudo (deprecated)
oMSyntax: 22
lDAPDisplayName: sudoRunAs
name: sudoRunAs
schemaIDGUID:: CP98mCQTyUKKxGrQeM80hQ==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoOption,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoOption
distinguishedName: CN=sudoOption,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.5
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoOption
adminDescription: Option(s) followed by sudo
oMSyntax: 22
lDAPDisplayName: sudoOption
name: sudoOption
schemaIDGUID:: ojaPzBBlAEmsvrHxQctLnA==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAsUser,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAsUser
distinguishedName: CN=sudoRunAsUser,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.6
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAsUser
adminDescription: User(s) impersonated by sudo
oMSyntax: 22
lDAPDisplayName: sudoRunAsUser
name: sudoRunAsUser
schemaIDGUID:: 9C52yPYd3RG3jMR2VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: attributeSchema
cn: sudoRunAsGroup
distinguishedName: CN=sudoRunAsGroup,CN=Schema,CN=Configuration,DC=X
instanceType: 4
attributeID: 1.3.6.1.4.1.15953.9.1.7
attributeSyntax: 2.5.5.5
isSingleValued: FALSE
showInAdvancedViewOnly: TRUE
adminDisplayName: sudoRunAsGroup
adminDescription: Groups(s) impersonated by sudo
oMSyntax: 22
lDAPDisplayName: sudoRunAsGroup
name: sudoRunAsGroup
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
dn: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: top
objectClass: classSchema
cn: sudoRole
distinguishedName: CN=sudoRole,CN=Schema,CN=Configuration,DC=X
instanceType: 4
possSuperiors: container
possSuperiors: top
subClassOf: top
governsID: 1.3.6.1.4.1.15953.9.2.1
mayContain: sudoCommand
mayContain: sudoHost
mayContain: sudoOption
mayContain: sudoRunAs
mayContain: sudoRunAsUser
mayContain: sudoRunAsGroup
mayContain: sudoUser
rDNAttID: cn
showInAdvancedViewOnly: FALSE
adminDisplayName: sudoRole
adminDescription: Sudoer Entries
objectClassCategory: 1
lDAPDisplayName: sudoRole
name: sudoRole
schemaIDGUID:: SQn432lnZ0+ukbdh3+gN3w==
systemOnly: FALSE
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=X
defaultObjectCategory: CN=sudoRole,CN=Schema,CN=Configuration,DC=X

55
doc/schema.OpenLDAP Normal file
View File

@@ -0,0 +1,55 @@
#
# OpenLDAP schema file for Sudo
# Save as /etc/openldap/schema/sudo.schema
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo (deprecated)'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $
description )
)

9
doc/schema.iPlanet Normal file
View File

@@ -0,0 +1,9 @@
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) X-ORIGIN 'SUDO' )

660
doc/sudo.cat Normal file
View File

@@ -0,0 +1,660 @@
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
NNAAMMEE
sudo, sudoedit - execute a command as another user
SSYYNNOOPPSSIISS
ssuuddoo --hh | --KK | --kk | --LL | --VV
ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t]
[--uu _u_s_e_r_n_a_m_e|_#_u_i_d]
ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t]
[--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d]
ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-]
[--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e]
[--ii | --ss] [_c_o_m_m_a_n_d]
ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-]
[--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ...
DDEESSCCRRIIPPTTIIOONN
ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or
another user, as specified in the _s_u_d_o_e_r_s file. The real and effective
uid and gid are set to match those of the target user as specified in
the passwd file and the group vector is initialized based on the group
file (unless the --PP option was specified). If the invoking user is
root or if the target user is the same as the invoking user, no
password is required. Otherwise, ssuuddoo requires that users authenticate
themselves with a password by default (NOTE: in the default
configuration this is the user's password, not the root password).
Once a user has been authenticated, a timestamp is updated and the user
may then use sudo without a password for a short period of time (5
minutes unless overridden in _s_u_d_o_e_r_s).
When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied.
ssuuddoo determines who is an authorized user by consulting the file
_/_e_t_c_/_s_u_d_o_e_r_s. By running ssuuddoo with the --vv option, a user can update
the time stamp without running a _c_o_m_m_a_n_d. The password prompt itself
will also time out if the user's password is not entered within 5
minutes (unless overridden via _s_u_d_o_e_r_s).
If a user who is not listed in the _s_u_d_o_e_r_s file tries to run a command
via ssuuddoo, mail is sent to the proper authorities, as defined at
configure time or in the _s_u_d_o_e_r_s file (defaults to root). Note that
the mail will not be sent if an unauthorized user tries to run sudo
with the --ll or --vv option. This allows users to determine for
themselves whether or not they are allowed to use ssuuddoo.
If ssuuddoo is run by root and the SUDO_USER environment variable is set,
ssuuddoo will use this value to determine who the actual user is. This can
be used by a user to log commands through sudo even when a root shell
has been invoked. It also allows the --ee option to remain useful even
when being run via a sudo-run script or program. Note however, that
the sudoers lookup is still done for root, not the user specified by
1.7.3b2 December 19, 2009 1
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_USER.
ssuuddoo can log both successful and unsuccessful attempts (as well as
errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log
via _s_y_s_l_o_g(3) but this is changeable at configure time or via the
_s_u_d_o_e_r_s file.
OOPPTTIIOONNSS
ssuuddoo accepts the following command line options:
-A Normally, if ssuuddoo requires a password, it will read it from
the current terminal. If the --AA (_a_s_k_p_a_s_s) option is
specified, a (possibly graphical) helper program is
executed to read the user's password and output the
password to the standard output. If the SUDO_ASKPASS
environment variable is set, it specifies the path to the
helper program. Otherwise, the value specified by the
_a_s_k_p_a_s_s option in _s_u_d_o_e_r_s(4) is used.
-a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the
specified authentication type when validating the user, as
allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may
specify a list of sudo-specific authentication methods by
adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This
option is only available on systems that support BSD
authentication.
-b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given
command in the background. Note that if you use the --bb
option you cannot use shell job control to manipulate the
process.
-C _f_d Normally, ssuuddoo will close all open file descriptors other
than standard input, standard output and standard error.
The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a
starting point above the standard error (file descriptor
three). Values less than three are not permitted. This
option is only available if the administrator has enabled
the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(4).
-c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified
command with resources limited by the specified login
class. The _c_l_a_s_s argument can be either a class name as
defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character.
Specifying a _c_l_a_s_s of - indicates that the command should
be run restricted by the default login capabilities for the
user the command is run as. If the _c_l_a_s_s argument
specifies an existing user class, the command must be run
as root, or the ssuuddoo command must be run from a shell that
is already root. This option is only available on systems
with BSD login classes.
-E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the
_e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when
1.7.3b2 December 19, 2009 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
either the matching command has the SETENV tag or the
_s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4).
-e The --ee (_e_d_i_t) option indicates that, instead of running a
command, the user wishes to edit one or more files. In
lieu of a command, the string "sudoedit" is used when
consulting the _s_u_d_o_e_r_s file. If the user is authorized by
_s_u_d_o_e_r_s the following steps are taken:
1. Temporary copies are made of the files to be edited
with the owner set to the invoking user.
2. The editor specified by the SUDO_EDITOR, VISUAL or
EDITOR environment variables is run to edit the
temporary files. If none of SUDO_EDITOR, VISUAL or
EDITOR are set, the first program listed in the _e_d_i_t_o_r
_s_u_d_o_e_r_s variable is used.
3. If they have been modified, the temporary files are
copied back to their original location and the
temporary versions are removed.
If the specified file does not exist, it will be created.
Note that unlike most commands run by ssuuddoo, the editor is
run with the invoking user's environment unmodified. If,
for some reason, ssuuddoo is unable to update a file with its
edited version, the user will receive a warning and the
edited copy will remain in a temporary file.
-g _g_r_o_u_p Normally, ssuuddoo sets the primary group to the one specified
by the passwd database for the user the command is being
run as (by default, root). The --gg (_g_r_o_u_p) option causes
ssuuddoo to run the specified command with the primary group
set to _g_r_o_u_p. To specify a _g_i_d instead of a _g_r_o_u_p _n_a_m_e,
use _#_g_i_d. When running commands as a _g_i_d, many shells
require that the '#' be escaped with a backslash ('\'). If
no --uu option is specified, the command will be run as the
invoking user (not root). In either case, the primary
group will be set to _g_r_o_u_p.
-H The --HH (_H_O_M_E) option sets the HOME environment variable to
the homedir of the target user (root by default) as
specified in _p_a_s_s_w_d(4). By default, ssuuddoo does not modify
HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)).
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message
and exit.
-i [command]
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
specified in the _p_a_s_s_w_d(4) entry of the target user as a
login shell. This means that login-specific resource files
such as .profile or .login will be read by the shell. If a
command is specified, it is passed to the shell for
1.7.3b2 December 19, 2009 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
execution. Otherwise, an interactive shell is executed.
ssuuddoo attempts to change to that user's home directory
before running the shell. It also initializes the
environment, leaving _D_I_S_P_L_A_Y and _T_E_R_M unchanged, setting
_H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and _P_A_T_H, as well as the
contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t on Linux and AIX systems. All
other environment variables are removed.
-K The --KK (sure _k_i_l_l) option is like --kk except that it removes
the user's timestamp entirely and may not be used in
conjunction with a command or other option. This option
does not require a password.
-k When used by itself, the --kk (_k_i_l_l) option to ssuuddoo
invalidates the user's timestamp by setting the time on it
to the Epoch. The next time ssuuddoo is run a password will be
required. This option does not require a password and was
added to allow a user to revoke ssuuddoo permissions from a
.logout file.
When used in conjunction with a command or an option that
may require a password, the --kk option will cause ssuuddoo to
ignore the user's timestamp file. As a result, ssuuddoo will
prompt for a password (if one is required by _s_u_d_o_e_r_s) and
will not update the user's timestamp file.
-L The --LL (_l_i_s_t defaults) option will list the parameters that
may be set in a _D_e_f_a_u_l_t_s line along with a short
description for each. This option will be removed from a
future version of ssuuddoo.
-l[l] [_c_o_m_m_a_n_d]
If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list
the allowed (and forbidden) commands for the invoking user
(or the user specified by the --UU option) on the current
host. If a _c_o_m_m_a_n_d is specified and is permitted by
_s_u_d_o_e_r_s, the fully-qualified path to the command is
displayed along with any command line arguments. If
_c_o_m_m_a_n_d is specified but not allowed, ssuuddoo will exit with a
status value of 1. If the --ll option is specified with an ll
argument (i.e. --llll), or if --ll is specified multiple times,
a longer list format is used.
-n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from
prompting the user for a password. If a password is
required for the command to run, ssuuddoo will display an error
messages and exit.
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to
preserve the invoking user's group vector unaltered. By
default, ssuuddoo will initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
1.7.3b2 December 19, 2009 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
password prompt and use a custom one. The following
percent (`%') escapes are supported:
%H expanded to the local host name including the domain
name (on if the machine's host name is fully qualified
or the _f_q_d_n _s_u_d_o_e_r_s option is set)
%h expanded to the local host name without the domain name
%p expanded to the user whose password is being asked for
(respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in
_s_u_d_o_e_r_s)
%U expanded to the login name of the user the command will
be run as (defaults to root)
%u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a
single % character
The prompt specified by the --pp option will override the
system password prompt on systems that support PAM unless
the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s.
-S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from
the standard input instead of the terminal device. The
password must be followed by a newline character.
-s [command]
The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L
environment variable if it is set or the shell as specified
in _p_a_s_s_w_d(4). If a command is specified, it is passed to
the shell for execution. Otherwise, an interactive shell
is executed.
-U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the
--ll option to specify the user whose privileges should be
listed. Only root or a user with ssuuddoo ALL on the current
host may use this option.
-u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified
command as a user other than _r_o_o_t. To specify a _u_i_d
instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as
a _u_i_d, many shells require that the '#' be escaped with a
backslash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option
is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands
with a uid not listed in the password database.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version
number and exit. If the invoking user is already root the
--VV option will print out a list of the defaults ssuuddoo was
compiled with as well as the machine's local network
1.7.3b2 December 19, 2009 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
addresses.
-v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
user's timestamp, prompting for the user's password if
necessary. This extends the ssuuddoo timeout for another 5
minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but
does not run a command.
-- The ---- option indicates that ssuuddoo should stop processing
command line arguments. It is most useful in conjunction
with the --ss option.
Environment variables to be set for the command may also be passed on
the command line in the form of VVAARR=_v_a_l_u_e, e.g.
LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command
line are subject to the same restrictions as normal environment
variables with one important exception. If the _s_e_t_e_n_v option is set in
_s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would overwise be
forbidden. See _s_u_d_o_e_r_s(4) for more information.
RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the exit status from ssuuddoo will
simply be the exit status of the program that was executed.
Otherwise, ssuuddoo quits with an exit value of 1 if there is a
configuration/permission problem or if ssuuddoo cannot execute the given
command. In the latter case the error string is printed to stderr. If
ssuuddoo cannot _s_t_a_t(2) one or more entries in the user's PATH an error is
printed on stderr. (If the directory does not exist or if it is not
really a directory, the entry is ignored and no error is printed.)
This should not happen under normal circumstances. The most common
reason for _s_t_a_t(2) to return "permission denied" is if you are running
an automounter and one of the directories in your PATH is on a machine
that is currently unreachable.
SSEECCUURRIITTYY NNOOTTEESS
ssuuddoo tries to be safe when executing external commands.
There are two distinct ways to deal with environment variables. By
default, the _e_n_v___r_e_s_e_t _s_u_d_o_e_r_s option is enabled. This causes commands
to be executed with a minimal environment containing TERM, PATH, HOME,
SHELL, LOGNAME, USER and USERNAME in addition to variables from the
invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p _s_u_d_o_e_r_s
options. There is effectively a whitelist for environment variables.
If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, any variables
not explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are
inherited from the invoking process. In this case, _e_n_v___c_h_e_c_k and
_e_n_v___d_e_l_e_t_e behave like a blacklist. Since it is not possible to
blacklist all potentially dangerous environment variables, use of the
default _e_n_v___r_e_s_e_t behavior is encouraged.
In all cases, environment variables with a value beginning with () are
1.7.3b2 December 19, 2009 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
removed as they could be interpreted as bbaasshh functions. The list of
environment variables that ssuuddoo allows or denies is contained in the
output of sudo -V when run as root.
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including ssuuddoo. Depending on the operating system
this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
others. These type of variables are removed from the environment
before ssuuddoo even begins execution and, as such, it is not possible for
ssuuddoo to preserve them.
To prevent command spoofing, ssuuddoo checks "." and "" (both denoting
current directory) last when searching for a command in the user's PATH
(if one or both are in the PATH). Note, however, that the actual PATH
environment variable is _n_o_t modified and is passed unchanged to the
program that ssuuddoo executes.
ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o
by default) and ignore the directory's contents if it is not owned by
root or if it is writable by a user other than root. On systems that
allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp
directory is located in a directory writable by anyone (e.g., _/_t_m_p), it
is possible for a user to create the timestamp directory before ssuuddoo is
run. However, because ssuuddoo checks the ownership and mode of the
directory and its contents, the only damage that can be done is to
"hide" files by putting them in the timestamp dir. This is unlikely to
happen since once the timestamp dir is owned by root and inaccessible
by any other user, the user placing files there would be unable to get
them back out. To get around this issue you can use a directory that
is not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance)
or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root) and
permissions (0700) in the system startup files.
ssuuddoo will not honor timestamps set far in the future. Timestamps with
a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
will log and complain. This is done to keep a user from creating
his/her own timestamp with a bogus date on systems that allow users to
give away files.
Please note that ssuuddoo will normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent
commands run from that shell will _n_o_t be logged, nor will ssuuddoo's access
control affect them. The same is true for commands that offer shell
escapes (including most editors). Because of this, care must be taken
when giving users access to commands via ssuuddoo to verify that the
command does not inadvertently give the user an effective root shell.
For more information, please see the PREVENTING SHELL ESCAPES section
in _s_u_d_o_e_r_s(4).
EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables:
EDITOR Default editor to use in --ee (sudoedit) mode if neither
1.7.3b2 December 19, 2009 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_EDITOR nor VISUAL is set
HOME In --ss or --HH mode (or if sudo was configured with the
--enable-shell-sets-home option), set to homedir of the
target user
PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option
is set.
SHELL Used to determine shell to run with -s option
SUDO_ASKPASS Specifies the path to a helper program used to read the
password if no terminal is available or if the -A
option is specified.
SUDO_COMMAND Set to the command run by sudo
SUDO_EDITOR Default editor to use in --ee (sudoedit) mode
SUDO_GID Set to the group ID of the user who invoked sudo
SUDO_PROMPT Used as the default password prompt
SUDO_PS1 If set, PS1 will be set to its value for the program
being run
SUDO_UID Set to the user ID of the user who invoked sudo
SUDO_USER Set to the login of the user who invoked sudo
USER Set to the target user (root unless the --uu option is
specified)
VISUAL Default editor to use in --ee (sudoedit) mode if
SUDO_EDITOR is not set
FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
_/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on Linux and
AIX
EEXXAAMMPPLLEESS
Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries.
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
1.7.3b2 December 19, 2009 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
$ sudo -u yaz ls ~yaz
To edit the _i_n_d_e_x_._h_t_m_l file as user www:
$ sudo -u www vi ~www/htdocs/index.html
To view system logs only accessible to root and users in the adm group:
$ sudo -g adm view /var/log/syslog
To run an editor as jim with a different primary group:
$ sudo -u jim -g audio vi ~jim/sound.txt
To shutdown a machine:
$ sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home partition.
Note that this runs the commands in a sub-shell to make the cd and file
redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
SSEEEE AALLSSOO
_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(5),
_v_i_s_u_d_o(1m)
AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this version consists
of code written primarily by:
Todd C. Miller
See the HISTORY file in the ssuuddoo distribution or visit
http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo.
CCAAVVEEAATTSS
There is no easy way to prevent a user from gaining a root shell if
that user is allowed to run arbitrary commands via ssuuddoo. Also, many
programs (such as editors) allow the user to run commands via shell
escapes, thus avoiding ssuuddoo's checks. However, on most systems it is
possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality.
See the _s_u_d_o_e_r_s(4) manual for details.
It is not meaningful to run the cd command directly via sudo, e.g.,
$ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still
be the same. Please see the EXAMPLES section for more information.
If users have sudo ALL there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
1.7.3b2 December 19, 2009 9
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
elements in the user specification.
Running shell scripts via ssuuddoo can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
1.7.3b2 December 19, 2009 10

759
doc/sudo.man.in Normal file
View File

@@ -0,0 +1,759 @@
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
.PP
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
.PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
.PP
\&\fBsudoedit\fR [\fB\-AnS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
superuser or another user, as specified in the \fIsudoers\fR file.
The real and effective uid and gid are set to match those of the
target user as specified in the passwd file and the group vector
is initialized based on the group file (unless the \fB\-P\fR option was
specified). If the invoking user is root or if the target user is
the same as the invoking user, no password is required. Otherwise,
\&\fBsudo\fR requires that users authenticate themselves with a password
by default (\s-1NOTE:\s0 in the default configuration this is the user's
password, not the root password). Once a user has been authenticated,
a timestamp is updated and the user may then use sudo without a
password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
overridden in \fIsudoers\fR).
.PP
When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
is implied.
.PP
\&\fBsudo\fR determines who is an authorized user by consulting the file
\&\fI@sysconfdir@/sudoers\fR. By running \fBsudo\fR with the \fB\-v\fR option,
a user can update the time stamp without running a \fIcommand\fR. The
password prompt itself will also time out if the user's password
is not entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden
via \fIsudoers\fR).
.PP
If a user who is not listed in the \fIsudoers\fR file tries to run a
command via \fBsudo\fR, mail is sent to the proper authorities, as
defined at configure time or in the \fIsudoers\fR file (defaults to
\&\f(CW\*(C`@mailto@\*(C'\fR). Note that the mail will not be sent if an unauthorized
user tries to run sudo with the \fB\-l\fR or \fB\-v\fR option. This allows
users to determine for themselves whether or not they are allowed
to use \fBsudo\fR.
.PP
If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
is set, \fBsudo\fR will use this value to determine who the actual
user is. This can be used by a user to log commands through sudo
even when a root shell has been invoked. It also allows the \fB\-e\fR
option to remain useful even when being run via a sudo-run script or
program. Note however, that the sudoers lookup is still done for
root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
.PP
\&\fBsudo\fR can log both successful and unsuccessful attempts (as well
as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR
will log via \fIsyslog\fR\|(3) but this is changeable at configure time
or via the \fIsudoers\fR file.
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBsudo\fR accepts the following command line options:
.IP "\-A" 12
.IX Item "-A"
Normally, if \fBsudo\fR requires a password, it will read it from the
current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
a (possibly graphical) helper program is executed to read the
user's password and output the password to the standard output. If
the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
path to the helper program. Otherwise, the value specified by the
\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used.
@BAMAN@.IP "\-a \fItype\fR" 12
@BAMAN@.IX Item "-a type"
@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
@BAMAN@specified authentication type when validating the user, as allowed
@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list
@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems
@BAMAN@that support \s-1BSD\s0 authentication.
.IP "\-b" 12
.IX Item "-b"
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
command in the background. Note that if you use the \fB\-b\fR
option you cannot use shell job control to manipulate the process.
.IP "\-C \fIfd\fR" 12
.IX Item "-C fd"
Normally, \fBsudo\fR will close all open file descriptors other than
standard input, standard output and standard error. The \fB\-C\fR
(\fIclose from\fR) option allows the user to specify a starting point
above the standard error (file descriptor three). Values less than
three are not permitted. This option is only available if the
administrator has enabled the \fIclosefrom_override\fR option in
\&\fIsudoers\fR\|(@mansectform@).
@LCMAN@.IP "\-c \fIclass\fR" 12
@LCMAN@.IX Item "-c class"
@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
@LCMAN@with resources limited by the specified login class. The \fIclass\fR
@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR,
@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
@LCMAN@that the command should be run restricted by the default login
@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR
@LCMAN@argument specifies an existing user class, the command must be run
@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already
@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes.
.IP "\-E" 12
.IX Item "-E"
The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
\&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)). It is only
available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag
or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@).
.IP "\-e" 12
.IX Item "-e"
The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running
a command, the user wishes to edit one or more files. In lieu
of a command, the string \*(L"sudoedit\*(R" is used when consulting
the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR
the following steps are taken:
.RS 12
.IP "1." 4
Temporary copies are made of the files to be edited with the owner
set to the invoking user.
.IP "2." 4
The editor specified by the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR
environment variables is run to edit the temporary files. If none
of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program
listed in the \fIeditor\fR \fIsudoers\fR variable is used.
.IP "3." 4
If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed.
.RE
.RS 12
.Sp
If the specified file does not exist, it will be created. Note
that unlike most commands run by \fBsudo\fR, the editor is run with
the invoking user's environment unmodified. If, for some reason,
\&\fBsudo\fR is unable to update a file with its edited version, the
user will receive a warning and the edited copy will remain in a
temporary file.
.RE
.IP "\-g \fIgroup\fR" 12
.IX Item "-g group"
Normally, \fBsudo\fR sets the primary group to the one specified by
the passwd database for the user the command is being run as (by
default, root). The \fB\-g\fR (\fIgroup\fR) option causes \fBsudo\fR to run
the specified command with the primary group set to \fIgroup\fR. To
specify a \fIgid\fR instead of a \fIgroup name\fR, use \fI#gid\fR. When
running commands as a \fIgid\fR, many shells require that the '#' be
escaped with a backslash ('\e'). If no \fB\-u\fR option is specified,
the command will be run as the invoking user (not root). In either
case, the primary group will be set to \fIgroup\fR.
.IP "\-H" 12
.IX Item "-H"
The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
to the homedir of the target user (root by default) as specified
in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)).
.IP "\-h" 12
.IX Item "-h"
The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
.IP "\-i [command]" 12
.IX Item "-i [command]"
The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
in the \fIpasswd\fR\|(@mansectform@) entry of the target user as a login shell. This
means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR or
\&\f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified,
it is passed to the shell for execution. Otherwise, an interactive
shell is executed. \fBsudo\fR attempts to change to that user's home
directory before running the shell. It also initializes the
environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting
\&\fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as
the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems.
All other environment variables are removed.
.IP "\-K" 12
.IX Item "-K"
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
the user's timestamp entirely and may not be used in conjunction
with a command or other option. This option does not require a
password.
.IP "\-k" 12
.IX Item "-k"
When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
the user's timestamp by setting the time on it to the Epoch. The
next time \fBsudo\fR is run a password will be required. This option
does not require a password and was added to allow a user to revoke
\&\fBsudo\fR permissions from a .logout file.
.Sp
When used in conjunction with a command or an option that may require
a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
timestamp file. As a result, \fBsudo\fR will prompt for a password
(if one is required by \fIsudoers\fR) and will not update the user's
timestamp file.
.IP "\-L" 12
.IX Item "-L"
The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that
may be set in a \fIDefaults\fR line along with a short description for
each. This option will be removed from a future version of \fBsudo\fR.
.IP "\-l[l] [\fIcommand\fR]" 12
.IX Item "-l[l] [command]"
If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
the allowed (and forbidden) commands for the invoking user (or the
user specified by the \fB\-U\fR option) on the current host. If a
\&\fIcommand\fR is specified and is permitted by \fIsudoers\fR, the
fully-qualified path to the command is displayed along with any
command line arguments. If \fIcommand\fR is specified but not allowed,
\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option is
specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR
is specified multiple times, a longer list format is used.
.IP "\-n" 12
.IX Item "-n"
The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
the user for a password. If a password is required for the command
to run, \fBsudo\fR will display an error messages and exit.
.IP "\-P" 12
.IX Item "-P"
The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
preserve the invoking user's group vector unaltered. By default,
\&\fBsudo\fR will initialize the group vector to the list of groups the
target user is in. The real and effective group IDs, however, are
still set to match the target user.
.IP "\-p \fIprompt\fR" 12
.IX Item "-p prompt"
The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR')
escapes are supported:
.RS 12
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
expanded to the local host name including the domain name
(on if the machine's host name is fully qualified or the \fIfqdn\fR
\&\fIsudoers\fR option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
expanded to the user whose password is being asked for (respects the
\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
.ie n .IP "%U" 4
.el .IP "\f(CW%U\fR" 4
.IX Item "%U"
expanded to the login name of the user the command will
be run as (defaults to root)
.ie n .IP "%u" 4
.el .IP "\f(CW%u\fR" 4
.IX Item "%u"
expanded to the invoking user's login name
.ie n .IP "\*(C`%%\*(C'" 4
.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
.IX Item "%%"
two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
.RE
.RS 12
.Sp
The prompt specified by the \fB\-p\fR option will override the system
password prompt on systems that support \s-1PAM\s0 unless the
\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
.RE
@SEMAN@.IP "\-r \fIrole\fR" 12
@SEMAN@.IX Item "-r role"
@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
@SEMAN@have the role specified by \fIrole\fR.
.IP "\-S" 12
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
the standard input instead of the terminal device. The password must
be followed by a newline character.
.IP "\-s [command]" 12
.IX Item "-s [command]"
The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
environment variable if it is set or the shell as specified in
\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell
for execution. Otherwise, an interactive shell is executed.
@SEMAN@.IP "\-t \fItype\fR" 12
@SEMAN@.IX Item "-t type"
@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default
@SEMAN@type is derived from the specified role.
.IP "\-U \fIuser\fR" 12
.IX Item "-U user"
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
option to specify the user whose privileges should be listed. Only
root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
option.
.IP "\-u \fIuser\fR" 12
.IX Item "-u user"
The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified
command as a user other than \fIroot\fR. To specify a \fIuid\fR instead
of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR,
many shells require that the '#' be escaped with a backslash ('\e').
Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(@mansectform@))
it is not possible to run commands with a uid not listed in the
password database.
.IP "\-V" 12
.IX Item "-V"
The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
number and exit. If the invoking user is already root the \fB\-V\fR
option will print out a list of the defaults \fBsudo\fR was compiled
with as well as the machine's local network addresses.
.IP "\-v" 12
.IX Item "-v"
If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
user's timestamp, prompting for the user's password if necessary.
This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes
(or whatever the timeout is set to in \fIsudoers\fR) but does not run
a command.
.IP "\-\-" 12
The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
line arguments. It is most useful in conjunction with the \fB\-s\fR option.
.PP
Environment variables to be set for the command may also be passed
on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
command line are subject to the same restrictions as normal environment
variables with one important exception. If the \fIsetenv\fR option
is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
that would overwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Upon successful execution of a program, the exit status from \fBsudo\fR
will simply be the exit status of the program that was executed.
.PP
Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a
configuration/permission problem or if \fBsudo\fR cannot execute the
given command. In the latter case the error string is printed to
stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's
\&\f(CW\*(C`PATH\*(C'\fR an error is printed on stderr. (If the directory does not
exist or if it is not really a directory, the entry is ignored and
no error is printed.) This should not happen under normal
circumstances. The most common reason for \fIstat\fR\|(2) to return
\&\*(L"permission denied\*(R" is if you are running an automounter and one
of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is currently
unreachable.
.SH "SECURITY NOTES"
.IX Header "SECURITY NOTES"
\&\fBsudo\fR tries to be safe when executing external commands.
.PP
There are two distinct ways to deal with environment variables.
By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled.
This causes commands to be executed with a minimal environment
containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR
and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process
permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options.
There is effectively a whitelist for environment variables.
.PP
If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
options are inherited from the invoking process. In this case,
\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it
is not possible to blacklist all potentially dangerous environment
variables, use of the default \fIenv_reset\fR behavior is encouraged.
.PP
In all cases, environment variables with a value beginning with
\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
The list of environment variables that \fBsudo\fR allows or denies is
contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
.PP
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including \fBsudo\fR. Depending on the operating
system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
removed from the environment before \fBsudo\fR even begins execution
and, as such, it is not possible for \fBsudo\fR to preserve them.
.PP
To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
current directory) last when searching for a command in the user's
\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
unchanged to the program that \fBsudo\fR executes.
.PP
\&\fBsudo\fR will check the ownership of its timestamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than
root. On systems that allow non-root users to give away files via
\&\fIchown\fR\|(2), if the timestamp directory is located in a directory
writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to
create the timestamp directory before \fBsudo\fR is run. However,
because \fBsudo\fR checks the ownership and mode of the directory and
its contents, the only damage that can be done is to \*(L"hide\*(R" files
by putting them in the timestamp dir. This is unlikely to happen
since once the timestamp dir is owned by root and inaccessible by
any other user, the user placing files there would be unable to get
them back out. To get around this issue you can use a directory
that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for
instance) or create \fI@timedir@\fR with the appropriate owner (root)
and permissions (0700) in the system startup files.
.PP
\&\fBsudo\fR will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
will be ignored and sudo will log and complain. This is done to
keep a user from creating his/her own timestamp with a bogus
date on systems that allow users to give away files.
.PP
Please note that \fBsudo\fR will normally only log the command it
explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
logged, nor will \fBsudo\fR's access control affect them. The same
is true for commands that offer shell escapes (including most
editors). Because of this, care must be taken when giving users
access to commands via \fBsudo\fR to verify that the command does not
inadvertently give the user an effective root shell. For more
information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in
\&\fIsudoers\fR\|(@mansectform@).
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
\&\fBsudo\fR utilizes the following environment variables:
.ie n .IP "\*(C`EDITOR\*(C'" 16
.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
.IX Item "EDITOR"
Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
nor \f(CW\*(C`VISUAL\*(C'\fR is set
.ie n .IP "\*(C`HOME\*(C'" 16
.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
.IX Item "HOME"
In \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the
\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user
.ie n .IP "\*(C`PATH\*(C'" 16
.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
.IX Item "PATH"
Set to a sane value if the \fIsecure_path\fR sudoers option is set.
.ie n .IP "\*(C`SHELL\*(C'" 16
.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
.IX Item "SHELL"
Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option
.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16
.IX Item "SUDO_ASKPASS"
Specifies the path to a helper program used to read the password
if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified.
.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16
.IX Item "SUDO_COMMAND"
Set to the command run by sudo
.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16
.IX Item "SUDO_EDITOR"
Default editor to use in \fB\-e\fR (sudoedit) mode
.ie n .IP "\*(C`SUDO_GID\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16
.IX Item "SUDO_GID"
Set to the group \s-1ID\s0 of the user who invoked sudo
.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
.IX Item "SUDO_PROMPT"
Used as the default password prompt
.ie n .IP "\*(C`SUDO_PS1\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16
.IX Item "SUDO_PS1"
If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run
.ie n .IP "\*(C`SUDO_UID\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
.IX Item "SUDO_UID"
Set to the user \s-1ID\s0 of the user who invoked sudo
.ie n .IP "\*(C`SUDO_USER\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
.IX Item "SUDO_USER"
Set to the login of the user who invoked sudo
.ie n .IP "\*(C`USER\*(C'" 16
.el .IP "\f(CW\*(C`USER\*(C'\fR" 16
.IX Item "USER"
Set to the target user (root unless the \fB\-u\fR option is specified)
.ie n .IP "\*(C`VISUAL\*(C'" 16
.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
.IX Item "VISUAL"
Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR
is not set
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
List of who can run what
.ie n .IP "\fI@timedir@\fR" 24
.el .IP "\fI@timedir@\fR" 24
.IX Item "@timedir@"
Directory containing timestamps
.IP "\fI/etc/environment\fR" 24
.IX Item "/etc/environment"
Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries.
.PP
To get a file listing of an unreadable directory:
.PP
.Vb 1
\& $ sudo ls /usr/local/protected
.Ve
.PP
To list the home directory of user yaz on a machine where the
file system holding ~yaz is not exported as root:
.PP
.Vb 1
\& $ sudo \-u yaz ls ~yaz
.Ve
.PP
To edit the \fIindex.html\fR file as user www:
.PP
.Vb 1
\& $ sudo \-u www vi ~www/htdocs/index.html
.Ve
.PP
To view system logs only accessible to root and users in the adm group:
.PP
.Vb 1
\& $ sudo \-g adm view /var/log/syslog
.Ve
.PP
To run an editor as jim with a different primary group:
.PP
.Vb 1
\& $ sudo \-u jim \-g audio vi ~jim/sound.txt
.Ve
.PP
To shutdown a machine:
.PP
.Vb 1
\& $ sudo shutdown \-r +15 "quick reboot"
.Ve
.PP
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-shell
to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.PP
.Vb 1
\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE"
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
@LCMAN@\&\fIlogin_cap\fR\|(3),
\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this
version consists of code written primarily by:
.PP
.Vb 1
\& Todd C. Miller
.Ve
.PP
See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
http://www.sudo.ws/sudo/history.html for a short history
of \fBsudo\fR.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via \fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
most systems it is possible to prevent shell escapes with \fBsudo\fR's
\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual
for details.
.PP
It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
.PP
.Vb 1
\& $ sudo cd /usr/local/protected
.Ve
.PP
since when the command exits the parent process (your shell) will
still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
.PP
If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
creating their own program that gives them a root shell regardless
of any '!' elements in the user specification.
.PP
Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
has a /dev/fd/ directory, setuid shell scripts are generally safe).
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.

23
doc/sudo.man.pl Normal file
View File

@@ -0,0 +1,23 @@
#!/usr/bin/perl -p
BEGIN {
%tags = ( 'a', '@BAMAN@', 'c', '@LCMAN@', 'r', '@SEMAN@', 't', '@SEMAN@');
$t = undef;
}
if (/^\.IP(.*-([acrt]))?/) {
$t = $1 ? $tags{$2} : undef;
} elsif (/-a.*auth_type/) {
$_ = $tags{'a'} . $_;
} elsif (/(-c.*class.*\||login_cap)/) {
$_ = $tags{'c'} . $_;
} elsif (/-r.*role.*-t.*type/) {
$_ = $tags{'r'} . $_;
}
# Fix up broken pod2man formatting of F<@foo@/bar>
s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
# comment out Compile-time-specific lines in DESCRIPTION
if ($t) {
$_ = $t . $_;
}

673
doc/sudo.pod Normal file
View File

@@ -0,0 +1,673 @@
Copyright (c) 1994-1996, 1998-2005, 2007-2009
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
=pod
=head1 NAME
sudo, sudoedit - execute a command as another user
=head1 SYNOPSIS
B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V>
B<sudo> B<-v> [B<-AknS>]
S<[B<-a> I<auth_type>]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<username>|I<#uid>]>
B<sudo> B<-l[l]> [B<-AknS>]
S<[B<-a> I<auth_type>]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-U> I<user name>]> S<[B<-u> I<user name>|I<#uid>]> [I<command>]
B<sudo> [B<-AbEHnPS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-r> I<role>]> S<[B<-t> I<type>]>
S<[B<-u> I<user name>|I<#uid>]>
S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
B<sudoedit> [B<-AnS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<user name>|I<#uid>]> file ...
=head1 DESCRIPTION
B<sudo> allows a permitted user to execute a I<command> as the
superuser or another user, as specified in the I<sudoers> file.
The real and effective uid and gid are set to match those of the
target user as specified in the passwd file and the group vector
is initialized based on the group file (unless the B<-P> option was
specified). If the invoking user is root or if the target user is
the same as the invoking user, no password is required. Otherwise,
B<sudo> requires that users authenticate themselves with a password
by default (NOTE: in the default configuration this is the user's
password, not the root password). Once a user has been authenticated,
a timestamp is updated and the user may then use sudo without a
password for a short period of time (C<@timeout@> minutes unless
overridden in I<sudoers>).
When invoked as B<sudoedit>, the B<-e> option (described below),
is implied.
B<sudo> determines who is an authorized user by consulting the file
F<@sysconfdir@/sudoers>. By running B<sudo> with the B<-v> option,
a user can update the time stamp without running a I<command>. The
password prompt itself will also time out if the user's password
is not entered within C<@password_timeout@> minutes (unless overridden
via I<sudoers>).
If a user who is not listed in the I<sudoers> file tries to run a
command via B<sudo>, mail is sent to the proper authorities, as
defined at configure time or in the I<sudoers> file (defaults to
C<@mailto@>). Note that the mail will not be sent if an unauthorized
user tries to run sudo with the B<-l> or B<-v> option. This allows
users to determine for themselves whether or not they are allowed
to use B<sudo>.
If B<sudo> is run by root and the C<SUDO_USER> environment variable
is set, B<sudo> will use this value to determine who the actual
user is. This can be used by a user to log commands through sudo
even when a root shell has been invoked. It also allows the B<-e>
option to remain useful even when being run via a sudo-run script or
program. Note however, that the sudoers lookup is still done for
root, not the user specified by C<SUDO_USER>.
B<sudo> can log both successful and unsuccessful attempts (as well
as errors) to syslog(3), a log file, or both. By default B<sudo>
will log via syslog(3) but this is changeable at configure time
or via the I<sudoers> file.
=head1 OPTIONS
B<sudo> accepts the following command line options:
=over 12
=item -A
Normally, if B<sudo> requires a password, it will read it from the
current terminal. If the B<-A> (I<askpass>) option is specified,
a (possibly graphical) helper program is executed to read the
user's password and output the password to the standard output. If
the C<SUDO_ASKPASS> environment variable is set, it specifies the
path to the helper program. Otherwise, the value specified by the
I<askpass> option in L<sudoers(5)> is used.
=item -a I<type>
The B<-a> (I<authentication type>) option causes B<sudo> to use the
specified authentication type when validating the user, as allowed
by F</etc/login.conf>. The system administrator may specify a list
of sudo-specific authentication methods by adding an "auth-sudo"
entry in F</etc/login.conf>. This option is only available on systems
that support BSD authentication.
=item -b
The B<-b> (I<background>) option tells B<sudo> to run the given
command in the background. Note that if you use the B<-b>
option you cannot use shell job control to manipulate the process.
=item -C I<fd>
Normally, B<sudo> will close all open file descriptors other than
standard input, standard output and standard error. The B<-C>
(I<close from>) option allows the user to specify a starting point
above the standard error (file descriptor three). Values less than
three are not permitted. This option is only available if the
administrator has enabled the I<closefrom_override> option in
L<sudoers(5)>.
=item -c I<class>
The B<-c> (I<class>) option causes B<sudo> to run the specified command
with resources limited by the specified login class. The I<class>
argument can be either a class name as defined in F</etc/login.conf>,
or a single '-' character. Specifying a I<class> of C<-> indicates
that the command should be run restricted by the default login
capabilities for the user the command is run as. If the I<class>
argument specifies an existing user class, the command must be run
as root, or the B<sudo> command must be run from a shell that is already
root. This option is only available on systems with BSD login classes.
=item -E
The B<-E> (I<preserve> I<environment>) option will override the
I<env_reset> option in L<sudoers(5)>). It is only
available when either the matching command has the C<SETENV> tag
or the I<setenv> option is set in L<sudoers(5)>.
=item -e
The B<-e> (I<edit>) option indicates that, instead of running
a command, the user wishes to edit one or more files. In lieu
of a command, the string "sudoedit" is used when consulting
the I<sudoers> file. If the user is authorized by I<sudoers>
the following steps are taken:
=over 4
=item 1.
Temporary copies are made of the files to be edited with the owner
set to the invoking user.
=item 2.
The editor specified by the C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR>
environment variables is run to edit the temporary files. If none
of C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR> are set, the first program
listed in the I<editor> I<sudoers> variable is used.
=item 3.
If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed.
=back
If the specified file does not exist, it will be created. Note
that unlike most commands run by B<sudo>, the editor is run with
the invoking user's environment unmodified. If, for some reason,
B<sudo> is unable to update a file with its edited version, the
user will receive a warning and the edited copy will remain in a
temporary file.
=item -g I<group>
Normally, B<sudo> sets the primary group to the one specified by
the passwd database for the user the command is being run as (by
default, root). The B<-g> (I<group>) option causes B<sudo> to run
the specified command with the primary group set to I<group>. To
specify a I<gid> instead of a I<group name>, use I<#gid>. When
running commands as a I<gid>, many shells require that the '#' be
escaped with a backslash ('\'). If no B<-u> option is specified,
the command will be run as the invoking user (not root). In either
case, the primary group will be set to I<group>.
=item -H
The B<-H> (I<HOME>) option sets the C<HOME> environment variable
to the homedir of the target user (root by default) as specified
in passwd(5). By default, B<sudo> does not modify C<HOME>
(see I<set_home> and I<always_set_home> in L<sudoers(5)>).
=item -h
The B<-h> (I<help>) option causes B<sudo> to print a usage message and exit.
=item -i [command]
The B<-i> (I<simulate initial login>) option runs the shell specified
in the L<passwd(5)> entry of the target user as a login shell. This
means that login-specific resource files such as C<.profile> or
C<.login> will be read by the shell. If a command is specified,
it is passed to the shell for execution. Otherwise, an interactive
shell is executed. B<sudo> attempts to change to that user's home
directory before running the shell. It also initializes the
environment, leaving I<DISPLAY> and I<TERM> unchanged, setting
I<HOME>, I<SHELL>, I<USER>, I<LOGNAME>, and I<PATH>, as well as
the contents of F</etc/environment> on Linux and AIX systems.
All other environment variables are removed.
=item -K
The B<-K> (sure I<kill>) option is like B<-k> except that it removes
the user's timestamp entirely and may not be used in conjunction
with a command or other option. This option does not require a
password.
=item -k
When used by itself, the B<-k> (I<kill>) option to B<sudo> invalidates
the user's timestamp by setting the time on it to the Epoch. The
next time B<sudo> is run a password will be required. This option
does not require a password and was added to allow a user to revoke
B<sudo> permissions from a .logout file.
When used in conjunction with a command or an option that may require
a password, the B<-k> option will cause B<sudo> to ignore the user's
timestamp file. As a result, B<sudo> will prompt for a password
(if one is required by I<sudoers>) and will not update the user's
timestamp file.
=item -L
The B<-L> (I<list> defaults) option will list the parameters that
may be set in a I<Defaults> line along with a short description for
each. This option will be removed from a future version of B<sudo>.
=item -l[l] [I<command>]
If no I<command> is specified, the B<-l> (I<list>) option will list
the allowed (and forbidden) commands for the invoking user (or the
user specified by the B<-U> option) on the current host. If a
I<command> is specified and is permitted by I<sudoers>, the
fully-qualified path to the command is displayed along with any
command line arguments. If I<command> is specified but not allowed,
B<sudo> will exit with a status value of 1. If the B<-l> option is
specified with an B<l> argument (i.e. B<-ll>), or if B<-l>
is specified multiple times, a longer list format is used.
=item -n
The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
the user for a password. If a password is required for the command
to run, B<sudo> will display an error messages and exit.
=item -P
The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to
preserve the invoking user's group vector unaltered. By default,
B<sudo> will initialize the group vector to the list of groups the
target user is in. The real and effective group IDs, however, are
still set to match the target user.
=item -p I<prompt>
The B<-p> (I<prompt>) option allows you to override the default
password prompt and use a custom one. The following percent (`C<%>')
escapes are supported:
=over 4
=item C<%H>
expanded to the local host name including the domain name
(on if the machine's host name is fully qualified or the I<fqdn>
I<sudoers> option is set)
=item C<%h>
expanded to the local host name without the domain name
=item C<%p>
expanded to the user whose password is being asked for (respects the
I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
=item C<%U>
expanded to the login name of the user the command will
be run as (defaults to root)
=item C<%u>
expanded to the invoking user's login name
=item C<%%>
two consecutive C<%> characters are collapsed into a single C<%> character
=back
The prompt specified by the B<-p> option will override the system
password prompt on systems that support PAM unless the
I<passprompt_override> flag is disabled in I<sudoers>.
=item -r I<role>
The B<-r> (I<role>) option causes the new (SELinux) security context to
have the role specified by I<role>.
=item -S
The B<-S> (I<stdin>) option causes B<sudo> to read the password from
the standard input instead of the terminal device. The password must
be followed by a newline character.
=item -s [command]
The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
environment variable if it is set or the shell as specified in
L<passwd(5)>. If a command is specified, it is passed to the shell
for execution. Otherwise, an interactive shell is executed.
=item -t I<type>
The B<-t> (I<type>) option causes the new (SELinux) security context to
have the type specified by I<type>. If no type is specified, the default
type is derived from the specified role.
=item -U I<user>
The B<-U> (I<other user>) option is used in conjunction with the B<-l>
option to specify the user whose privileges should be listed. Only
root or a user with B<sudo> C<ALL> on the current host may use this
option.
=item -u I<user>
The B<-u> (I<user>) option causes B<sudo> to run the specified
command as a user other than I<root>. To specify a I<uid> instead
of a I<user name>, use I<#uid>. When running commands as a I<uid>,
many shells require that the '#' be escaped with a backslash ('\').
Note that if the I<targetpw> Defaults option is set (see L<sudoers(5)>)
it is not possible to run commands with a uid not listed in the
password database.
=item -V
The B<-V> (I<version>) option causes B<sudo> to print the version
number and exit. If the invoking user is already root the B<-V>
option will print out a list of the defaults B<sudo> was compiled
with as well as the machine's local network addresses.
=item -v
If given the B<-v> (I<validate>) option, B<sudo> will update the
user's timestamp, prompting for the user's password if necessary.
This extends the B<sudo> timeout for another C<@timeout@> minutes
(or whatever the timeout is set to in I<sudoers>) but does not run
a command.
=item --
The B<--> option indicates that B<sudo> should stop processing command
line arguments. It is most useful in conjunction with the B<-s> option.
=back
Environment variables to be set for the command may also be passed
on the command line in the form of B<VAR>=I<value>, e.g.
B<LD_LIBRARY_PATH>=I</usr/local/pkg/lib>. Variables passed on the
command line are subject to the same restrictions as normal environment
variables with one important exception. If the I<setenv> option
is set in I<sudoers>, the command to be run has the C<SETENV> tag
set or the command matched is C<ALL>, the user may set variables
that would overwise be forbidden. See L<sudoers(5)> for more information.
=head1 RETURN VALUES
Upon successful execution of a program, the exit status from B<sudo>
will simply be the exit status of the program that was executed.
Otherwise, B<sudo> quits with an exit value of 1 if there is a
configuration/permission problem or if B<sudo> cannot execute the
given command. In the latter case the error string is printed to
stderr. If B<sudo> cannot L<stat(2)> one or more entries in the user's
C<PATH> an error is printed on stderr. (If the directory does not
exist or if it is not really a directory, the entry is ignored and
no error is printed.) This should not happen under normal
circumstances. The most common reason for L<stat(2)> to return
"permission denied" is if you are running an automounter and one
of the directories in your C<PATH> is on a machine that is currently
unreachable.
=head1 SECURITY NOTES
B<sudo> tries to be safe when executing external commands.
There are two distinct ways to deal with environment variables.
By default, the I<env_reset> I<sudoers> option is enabled.
This causes commands to be executed with a minimal environment
containing C<TERM>, C<PATH>, C<HOME>, C<SHELL>, C<LOGNAME>, C<USER>
and C<USERNAME> in addition to variables from the invoking process
permitted by the I<env_check> and I<env_keep> I<sudoers> options.
There is effectively a whitelist for environment variables.
If, however, the I<env_reset> option is disabled in I<sudoers>, any
variables not explicitly denied by the I<env_check> and I<env_delete>
options are inherited from the invoking process. In this case,
I<env_check> and I<env_delete> behave like a blacklist. Since it
is not possible to blacklist all potentially dangerous environment
variables, use of the default I<env_reset> behavior is encouraged.
In all cases, environment variables with a value beginning with
C<()> are removed as they could be interpreted as B<bash> functions.
The list of environment variables that B<sudo> allows or denies is
contained in the output of C<sudo -V> when run as root.
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including B<sudo>. Depending on the operating
system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
removed from the environment before B<sudo> even begins execution
and, as such, it is not possible for B<sudo> to preserve them.
To prevent command spoofing, B<sudo> checks "." and "" (both denoting
current directory) last when searching for a command in the user's
PATH (if one or both are in the PATH). Note, however, that the
actual C<PATH> environment variable is I<not> modified and is passed
unchanged to the program that B<sudo> executes.
B<sudo> will check the ownership of its timestamp directory
(F<@timedir@> by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than
root. On systems that allow non-root users to give away files via
L<chown(2)>, if the timestamp directory is located in a directory
writable by anyone (e.g., F</tmp>), it is possible for a user to
create the timestamp directory before B<sudo> is run. However,
because B<sudo> checks the ownership and mode of the directory and
its contents, the only damage that can be done is to "hide" files
by putting them in the timestamp dir. This is unlikely to happen
since once the timestamp dir is owned by root and inaccessible by
any other user, the user placing files there would be unable to get
them back out. To get around this issue you can use a directory
that is not world-writable for the timestamps (F</var/adm/sudo> for
instance) or create F<@timedir@> with the appropriate owner (root)
and permissions (0700) in the system startup files.
B<sudo> will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 * C<TIMEOUT>
will be ignored and sudo will log and complain. This is done to
keep a user from creating his/her own timestamp with a bogus
date on systems that allow users to give away files.
Please note that B<sudo> will normally only log the command it
explicitly runs. If a user runs a command such as C<sudo su> or
C<sudo sh>, subsequent commands run from that shell will I<not> be
logged, nor will B<sudo>'s access control affect them. The same
is true for commands that offer shell escapes (including most
editors). Because of this, care must be taken when giving users
access to commands via B<sudo> to verify that the command does not
inadvertently give the user an effective root shell. For more
information, please see the C<PREVENTING SHELL ESCAPES> section in
L<sudoers(5)>.
=head1 ENVIRONMENT
B<sudo> utilizes the following environment variables:
=over 16
=item C<EDITOR>
Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
nor C<VISUAL> is set
=item C<HOME>
In B<-s> or B<-H> mode (or if sudo was configured with the
--enable-shell-sets-home option), set to homedir of the target user
=item C<PATH>
Set to a sane value if the I<secure_path> sudoers option is set.
=item C<SHELL>
Used to determine shell to run with C<-s> option
=item C<SUDO_ASKPASS>
Specifies the path to a helper program used to read the password
if no terminal is available or if the C<-A> option is specified.
=item C<SUDO_COMMAND>
Set to the command run by sudo
=item C<SUDO_EDITOR>
Default editor to use in B<-e> (sudoedit) mode
=item C<SUDO_GID>
Set to the group ID of the user who invoked sudo
=item C<SUDO_PROMPT>
Used as the default password prompt
=item C<SUDO_PS1>
If set, C<PS1> will be set to its value for the program being run
=item C<SUDO_UID>
Set to the user ID of the user who invoked sudo
=item C<SUDO_USER>
Set to the login of the user who invoked sudo
=item C<USER>
Set to the target user (root unless the B<-u> option is specified)
=item C<VISUAL>
Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
is not set
=back
=head1 FILES
=over 24
=item F<@sysconfdir@/sudoers>
List of who can run what
=item F<@timedir@>
Directory containing timestamps
=item F</etc/environment>
Initial environment for B<-i> mode on Linux and AIX
=back
=head1 EXAMPLES
Note: the following examples assume suitable L<sudoers(5)> entries.
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
To list the home directory of user yaz on a machine where the
file system holding ~yaz is not exported as root:
$ sudo -u yaz ls ~yaz
To edit the F<index.html> file as user www:
$ sudo -u www vi ~www/htdocs/index.html
To view system logs only accessible to root and users in the adm group:
$ sudo -g adm view /var/log/syslog
To run an editor as jim with a different primary group:
$ sudo -u jim -g audio vi ~jim/sound.txt
To shutdown a machine:
$ sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-shell
to make the C<cd> and file redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
=head1 SEE ALSO
L<grep(1)>, L<su(1)>, L<stat(2)>,
L<login_cap(3)>,
L<passwd(5)>, L<sudoers(5)>, L<visudo(8)>
=head1 AUTHORS
Many people have worked on B<sudo> over the years; this
version consists of code written primarily by:
Todd C. Miller
See the HISTORY file in the B<sudo> distribution or visit
http://www.sudo.ws/sudo/history.html for a short history
of B<sudo>.
=head1 CAVEATS
There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via B<sudo>.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding B<sudo>'s checks. However, on
most systems it is possible to prevent shell escapes with B<sudo>'s
I<noexec> functionality. See the L<sudoers(5)> manual
for details.
It is not meaningful to run the C<cd> command directly via sudo, e.g.,
$ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will
still be the same. Please see the EXAMPLES section for more information.
If users have sudo C<ALL> there is nothing to prevent them from
creating their own program that gives them a root shell regardless
of any '!' elements in the user specification.
Running shell scripts via B<sudo> can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
=head1 BUGS
If you feel you have found a bug in B<sudo>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
=head1 SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
=head1 DISCLAIMER
B<sudo> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.

1650
doc/sudoers.cat Normal file
View File

File diff suppressed because it is too large Load Diff

792
doc/sudoers.ldap.cat Normal file
View File

@@ -0,0 +1,792 @@
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
NNAAMMEE
sudoers.ldap - sudo LDAP configuration
DDEESSCCRRIIPPTTIIOONN
In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
LAP. This can be especially useful for synchronizing _s_u_d_o_e_r_s in a
large, distributed environment.
Using LDAP for _s_u_d_o_e_r_s has several benefits:
+o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP
environments.
+o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not
possible to load LDAP data into the server that does not conform to
the sudoers schema, so proper syntax is guaranteed. It is still
possible to have typos in a user or host name, but this will not
prevent ssuuddoo from running.
+o It is possible to specify per-entry options that override the
global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options
and limited options associated with user/host/commands/aliases.
The syntax is complicated and can be difficult for users to
understand. Placing the options directly in the entry is more
natural.
+o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking
and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates
are atomic, locking is no longer necessary. Because syntax is
checked when the data is inserted into LDAP, there is no need for a
specialized tool to check syntax.
Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in
LDAP, ssuuddoo-specific Aliases are not supported.
For the most part, there is really no need for ssuuddoo-specific Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and
RunasAliases. Host netgroups can be used in place of HostAliases.
Since Unix groups and netgroups can also be stored in LDAP there is no
real need for ssuuddoo-specific aliases.
Cmnd_Aliases are not really required either since it is possible to
have multiple users listed in a sudoRole. Instead of defining a
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.
SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP
container.
Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same
1.7.3b2 December 19, 2009 1
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
following components:
ssuuddooUUsseerr
A user name, uid (prefixed with '#'), Unix group (prefixed with a
'%') or user netgroup (prefixed with a '+').
ssuuddooHHoosstt
A host name, IP address, IP network, or host netgroup (prefixed
with a '+'). The special value ALL will match any host.
ssuuddooCCoommmmaanndd
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards). The special value
ALL will match any command. If a command is prefixed with an
exclamation point '!', the user will be prohibited from running
that command.
ssuuddooOOppttiioonn
Identical in function to the global options described above, but
specific to the sudoRole in which it resides.
ssuuddooRRuunnAAssUUsseerr
A user name or uid (prefixed with '#') that commands may be run as
or a Unix group (prefixed with a '%') or user netgroup (prefixed
with a '+') that contains a list of users that commands may be run
as. The special value ALL will match any user.
ssuuddooRRuunnAAssGGrroouupp
A Unix group or gid (prefixed with '#') that commands may be run
as. The special value ALL will match any group.
Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
contain at least one sudoUser, sudoHost and sudoCommand.
The following example allows users in group wheel to run any command on
any host via ssuuddoo:
1.7.3b2 December 19, 2009 2
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
that the user belongs to. (The special ALL tag is matched in this
query too.) If no match is returned for the user's name and groups, a
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.
DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
returned in any specific order. If there are conflicting command rules
on an entry, the negative takes precedence. This is called paranoid
behavior (not necessarily the most specific match).
Here is an example:
# /etc/sudoers:
# Allow all commands except shell
johnny ALL=(root) ALL,!/bin/sh
# Always allows all commands because ALL is matched last
puddles ALL=(root) !/bin/sh,ALL
# LDAP equivalent of johnny
# Allows all commands except shell
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh
# LDAP equivalent of puddles
# Notice that even though ALL comes last, it still behaves like
# role1 since the LDAP code assumes the more paranoid configuration
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role2
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
1.7.3b2 December 19, 2009 3
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
currently ignorred. For example, the following attributes do not
behave the way one might expect.
# does not match all but joe
# rather, does not match anyone
sudoUser: !joe
# does not match all but joe
# rather, matches everyone including Joe
sudoUser: ALL
sudoUser: !joe
# does not match all but web01
# rather, matches all hosts including web01
sudoHost: ALL
sudoHost: !web01
SSuuddooeerrss SScchheemmaa
In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'
attribute.
Three versions of the schema: one for OpenLDAP servers
(_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t),
and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be
found in the ssuuddoo distribution.
The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES
section.
CCoonnffiigguurriinngg llddaapp..ccoonnff
Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo
parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from
those described in the _l_d_a_p_._c_o_n_f(4) manual.
Also note that on systems using the OpenLDAP libraries, default values
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are
not used.
Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f that are
supported by ssuuddoo are honored. Configuration options are listed below
in upper case but are parsed in a case-independent manner.
UURRII ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs
describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
either llddaapp or llddaappss, the latter being for servers that support TLS
(SSL) encryption. If no _p_o_r_t is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
1.7.3b2 December 19, 2009 4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
ssuuddoo will connect to llooccaallhhoosstt. Only systems using the OpenSSL
libraries support the mixing of ldap:// and ldaps:// URIs. The
Netscape-derived libraries used on most commercial versions of Unix
are only capable of supporting one or the other.
HHOOSSTT name[:port] ...
If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT
parameter is deprecated in favor of the UURRII specification and is
included for backwards compatibility.
PPOORRTT port_number
If no UURRII is specified, the PPOORRTT parameter specifies the default
port to connect to on the LDAP server if a HHOOSSTT parameter does not
specify the port itself. If no PPOORRTT parameter is used, the default
is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
PPOORRTT parameter is deprecated in favor of the UURRII specification and
is included for backwards compatibility.
BBIINNDD__TTIIMMEELLIIMMIITT seconds
The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in
seconds, to wait while trying to connect to an LDAP server. If
multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to
wait before trying the next one in the list.
TTIIMMEELLIIMMIITT seconds
The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
SSUUDDOOEERRSS__BBAASSEE base
The base DN to use when performing ssuuddoo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
example.com.
SSUUDDOOEERRSS__DDEEBBUUGG debug_level
This sets the debug level for ssuuddoo LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
likely to confuse users.
BBIINNDDDDNN DN
The BBIINNDDDDNN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous
access.
BBIINNDDPPWW secret
The BBIINNDDPPWW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
BBIINNDDDDNN parameter.
1.7.3b2 December 19, 2009 5
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
RROOOOTTBBIINNDDDDNN DN
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not
specified, the BBIINNDDDDNN identity is used (if any).
LLDDAAPP__VVEERRSSIIOONN number
The version of the LDAP protocol to use when connecting to the
server. The default value is protocol version 3.
SSSSLL on/true/yes/off/false/no
If the SSSSLL parameter is set to on, true or yes, TLS (SSL)
encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636
(ldaps).
SSSSLL start_tls
If the SSSSLL parameter is set to start_tls, the LDAP server
connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the
start_tls extension, such as the OpenLDAP server.
TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no
If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
certificate authority), ssuuddoo will be unable to connect to it. If
TTLLSS__CCHHEECCKKPPEEEERR is disabled, no check is made.
TTLLSS__CCAACCEERRTTFFIILLEE file name
The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows
to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only
supported by the OpenLDAP libraries.
TTLLSS__CCAACCEERRTTDDIIRR directory
Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
_/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the
OpenLDAP libraries.
TTLLSS__CCEERRTT file name
The path to a file containing the client certificate which can be
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
OpenLDAP:
tls_cert /etc/ssl/client_cert.pem
Netscape-derived:
1.7.3b2 December 19, 2009 6
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
tls_cert /var/ldap/cert7.db
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
TTLLSS__KKEEYY file name
The path to a file containing the private key which matches the
certificate specified by TTLLSS__CCEERRTT. The private key must not be
password-protected. The key type depends on the LDAP libraries
used.
OpenLDAP:
tls_key /etc/ssl/client_key.pem
Netscape-derived:
tls_key /var/ldap/key3.db
TTLLSS__RRAANNDDFFIILLEE file name
The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by
the OpenLDAP libraries.
TTLLSS__CCIIPPHHEERRSS cipher list
The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
the OpenSSL manual for a list of valid ciphers. This option is
only supported by the OpenLDAP libraries.
UUSSEE__SSAASSLL on/true/yes/off/false/no
Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
SSAASSLL__AAUUTTHH__IIDD identity
The SASL user name to use when connecting to the LDAP server. By
default, ssuuddoo will use an anonymous connection.
RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no
Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as ssuuddoo.
RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity
The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
SSAASSLL__SSEECCPPRROOPPSS none/properties
SASL security properties or _n_o_n_e for no properties. See the SASL
programmer's manual for details.
KKRRBB55__CCCCNNAAMMEE file name
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
See the ldap.conf entry in the EXAMPLES section.
1.7.3b2 December 19, 2009 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
Unless it is disabled at build time, ssuuddoo consults the Name Service
Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
Sudo looks for a line beginning with sudoers: and uses this to
determine the search order. Note that ssuuddoo does not stop searching
after the first match and later matches take precedence over earlier
ones.
The following sources are recognized:
files read sudoers from F</etc/sudoers>
ldap read sudoers from LDAP
In addition, the entry [NOTFOUND=return] will short-circuit the search
if the user was not found in the preceding source.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
sudoers: ldap files
The local _s_u_d_o_e_r_s file can be ignored completely by using:
sudoers: ldap
If the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f file is not present or there is no sudoers
line, the following default is assumed:
sudoers: files
Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
operating system does not use an nsswitch.conf file.
CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
_n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the
file format itself still applies.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
sudoers = ldap, files
The local _s_u_d_o_e_r_s file can be ignored completely by using:
sudoers = ldap
To treat LDAP as authoratative and only use the local sudoers file if
the user is not present in LDAP, use:
sudoers = ldap = auth, files
Note that in the above example, the auth qualfier only affects user
1.7.3b2 December 19, 2009 8
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers
line, the following default is assumed:
sudoers = files
FFIILLEESS
_/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order
_/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX
EEXXAAMMPPLLEESS
EExxaammppllee llddaapp..ccoonnff
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#host ldapserver
#host ldapserver1 ldapserver2:390
#
# Default port if host is specified without one, defaults to 389.
#port 389
#
# URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
#
# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#
# The amount of time, in seconds, to wait while performing an LDAP query.
timelimit 30
#
# must be set or sudo will ignore LDAP
sudoers_base ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
#
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
#
# LDAP protocol version, defaults to 3
#ldap_version 3
#
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
1.7.3b2 December 19, 2009 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# Only supported by LDAP servers that support the start_tls
# extension such as OpenLDAP.
#ssl start_tls
#
# Additional TLS options follow that allow tweaking of the
# SSL/TLS connection.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
#
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
# Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
# Only supported when using OpenLDAP.
#
#tls_ciphers <cipher-list>
#
# Sudo can provide a client certificate when communicating to
# the LDAP server.
# Tips:
# * Enable both lines at the same time.
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# default names (e.g. cert8.db and key4.db), or the path to the cert
# and key files themselves. However, a bug in version 5.0 of the LDAP
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# not a file name.
#
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
1.7.3b2 December 19, 2009 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL user name>
# rootuse_sasl yes
# rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include
line in slapd.conf and restart ssllaappdd.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1.7.3b2 December 19, 2009 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
sudoRunAsGroup $ sudoOption $ description )
)
SSEEEE AALLSSOO
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5)
CCAAVVEEAATTSS
The way that _s_u_d_o_e_r_s is parsed differs between Note that there are
differences in the way that LDAP-based _s_u_d_o_e_r_s is parsed compared to
file-based _s_u_d_o_e_r_s. See the "Differences between LDAP and non-LDAP
sudoers" section for more information.
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
1.7.3b2 December 19, 2009 12

815
doc/sudoers.ldap.man.in Normal file
View File

@@ -0,0 +1,815 @@
.\" Copyright (c) 2003-2009
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
.TH SUDOERS.LDAP @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
sudoers.ldap \- sudo LDAP configuration
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
via \s-1LAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
in a large, distributed environment.
.PP
Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
.IP "\(bu" 4
\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When
\&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
This makes it especially fast and particularly usable in \s-1LDAP\s0
environments.
.IP "\(bu" 4
\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
It is not possible to load \s-1LDAP\s0 data into the server that does
not conform to the sudoers schema, so proper syntax is guaranteed.
It is still possible to have typos in a user or host name, but
this will not prevent \fBsudo\fR from running.
.IP "\(bu" 4
It is possible to specify per-entry options that override the global
default options. \fI@sysconfdir@/sudoers\fR only supports default options and
limited options associated with user/host/commands/aliases. The
syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
.IP "\(bu" 4
The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides
locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
is no need for a specialized tool to check syntax.
.PP
Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
.PP
For the most part, there is really no need for \fBsudo\fR\-specific
Aliases. Unix groups or user netgroups can be used in place of
User_Aliases and RunasAliases. Host netgroups can be used in place
of HostAliases. Since Unix groups and netgroups can also be stored
in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
.PP
Cmnd_Aliases are not really required either since it is possible
to have multiple users listed in a sudoRole. Instead of defining
a Cmnd_Alias that is referenced by multiple users, one can create
a sudoRole that contains the commands and assign multiple users
to it.
.SS "SUDOers \s-1LDAP\s0 container"
.IX Subsection "SUDOers LDAP container"
The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
container.
.PP
Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container.
If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In
the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
in the environment for all users.
.PP
.Vb 6
\& dn: cn=defaults,ou=SUDOers,dc=example,dc=com
\& objectClass: top
\& objectClass: sudoRole
\& cn: defaults
\& description: Default sudoOption\*(Aqs go here
\& sudoOption: env_keep+=SSH_AUTH_SOCK
.Ve
.PP
The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
the following components:
.IP "\fBsudoUser\fR" 4
.IX Item "sudoUser"
A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
.IP "\fBsudoHost\fR" 4
.IX Item "sudoHost"
A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
with a \f(CW\*(Aq+\*(Aq\fR).
The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
.IP "\fBsudoCommand\fR" 4
.IX Item "sudoCommand"
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards).
The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
user will be prohibited from running that command.
.IP "\fBsudoOption\fR" 4
.IX Item "sudoOption"
Identical in function to the global options described above, but
specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
.IP "\fBsudoRunAsUser\fR" 4
.IX Item "sudoRunAsUser"
A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
.IP "\fBsudoRunAsGroup\fR" 4
.IX Item "sudoRunAsGroup"
A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
.PP
Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
.PP
The following example allows users in group wheel to run any command
on any host via \fBsudo\fR:
.PP
.Vb 7
\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
\& objectClass: top
\& objectClass: sudoRole
\& cn: %wheel
\& sudoUser: %wheel
\& sudoHost: ALL
\& sudoCommand: ALL
.Ve
.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
.IX Subsection "Anatomy of LDAP sudoers lookup"
When looking up a sudoer using \s-1LDAP\s0 there are only two or three
\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the
groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
and Entries are returned in any specific order. If there are
conflicting command rules on an entry, the negative takes precedence.
This is called paranoid behavior (not necessarily the most specific
match).
.PP
Here is an example:
.PP
.Vb 5
\& # /etc/sudoers:
\& # Allow all commands except shell
\& johnny ALL=(root) ALL,!/bin/sh
\& # Always allows all commands because ALL is matched last
\& puddles ALL=(root) !/bin/sh,ALL
\&
\& # LDAP equivalent of johnny
\& # Allows all commands except shell
\& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
\& objectClass: sudoRole
\& objectClass: top
\& cn: role1
\& sudoUser: johnny
\& sudoHost: ALL
\& sudoCommand: ALL
\& sudoCommand: !/bin/sh
\&
\& # LDAP equivalent of puddles
\& # Notice that even though ALL comes last, it still behaves like
\& # role1 since the LDAP code assumes the more paranoid configuration
\& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
\& objectClass: sudoRole
\& objectClass: top
\& cn: role2
\& sudoUser: puddles
\& sudoHost: ALL
\& sudoCommand: !/bin/sh
\& sudoCommand: ALL
.Ve
.PP
Another difference is that negations on the Host, User or Runas are
currently ignorred. For example, the following attributes do not
behave the way one might expect.
.PP
.Vb 3
\& # does not match all but joe
\& # rather, does not match anyone
\& sudoUser: !joe
\&
\& # does not match all but joe
\& # rather, matches everyone including Joe
\& sudoUser: ALL
\& sudoUser: !joe
\&
\& # does not match all but web01
\& # rather, matches all hosts including web01
\& sudoHost: ALL
\& sudoHost: !web01
.Ve
.SS "Sudoers Schema"
.IX Subsection "Sudoers Schema"
In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
installed on your \s-1LDAP\s0 server. In addition, be sure to index the
\&'sudoUser' attribute.
.PP
Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR),
one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for
Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may
be found in the \fBsudo\fR distribution.
.PP
The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
section.
.SS "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not \fBsudo\fR\-specific. Note that
\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
.PP
Also note that on systems using the OpenLDAP libraries, default
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
\&\fI.ldaprc\fR files are not used.
.PP
Only those options explicitly listed in \fI@ldap_conf@\fR that are
supported by \fBsudo\fR are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
.IX Item "URI ldap[s]://[hostname[:port]] ..."
Specifies a whitespace-delimited list of one or more URIs describing
the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR
or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0)
encryption. If no \fIport\fR is specified, the default is port 389 for
\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified,
\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL
libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.
The Netscape-derived libraries used on most commercial versions of
Unix are only capable of supporting one or the other.
.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
.IX Item "HOST name[:port] ..."
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host
may include an optional \fIport\fR separated by a colon (':'). The
\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
and is included for backwards compatibility.
.IP "\fB\s-1PORT\s0\fR port_number" 4
.IX Item "PORT port_number"
If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used,
the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
specification and is included for backwards compatibility.
.IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
.IX Item "BIND_TIMELIMIT seconds"
The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
the next one in the list.
.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
.IX Item "TIMELIMIT seconds"
The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
to wait for a response to an \s-1LDAP\s0 query.
.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
.IX Item "SUDOERS_BASE base"
The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
\&\f(CW\*(C`example.com\*(C'\fR.
.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
.IX Item "SUDOERS_DEBUG debug_level"
This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
likely to confuse users.
.IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
.IX Item "BINDDN DN"
The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
If not specified, \s-1LDAP\s0 operations are performed with an anonymous
identity. By default, most \s-1LDAP\s0 servers will allow anonymous access.
.IP "\fB\s-1BINDPW\s0\fR secret" 4
.IX Item "BINDPW secret"
The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
\&\s-1LDAP\s0 operations. This is typically used in conjunction with the
\&\fB\s-1BINDDN\s0\fR parameter.
.IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
.IX Item "ROOTBINDDN DN"
The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
operations, such as \fIsudoers\fR queries. The password corresponding
to the identity should be stored in \fI@ldap_secret@\fR.
If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
.IX Item "LDAP_VERSION number"
The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
The default value is protocol version 3.
.IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
.IX Item "SSL on/true/yes/off/false/no"
If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
server. Typically, this involves connecting to the server on port
636 (ldaps).
.IP "\fB\s-1SSL\s0\fR start_tls" 4
.IX Item "SSL start_tls"
If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
connection is initiated normally and \s-1TLS\s0 encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
extension, such as the OpenLDAP server.
.IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
.IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
certificated to be verified. If the server's \s-1TLS\s0 certificate cannot
be verified (usually because it is signed by an unknown certificate
authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
is disabled, no check is made.
.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
.IX Item "TLS_CACERTFILE file name"
The path to a certificate authority bundle which contains the certificates
for all the Certificate Authorities the client knows to be valid,
e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
This option is only supported by the OpenLDAP libraries.
.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
.IX Item "TLS_CACERTDIR directory"
Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
directory containing individual Certificate Authority certificates,
e.g. \fI/etc/ssl/certs\fR.
The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
\&\fB\s-1TLS_CACERTFILE\s0\fR.
This option is only supported by the OpenLDAP libraries.
.IP "\fB\s-1TLS_CERT\s0\fR file name" 4
.IX Item "TLS_CERT file name"
The path to a file containing the client certificate which can
be used to authenticate the client to the \s-1LDAP\s0 server.
The certificate type depends on the \s-1LDAP\s0 libraries used.
.Sp
OpenLDAP:
\f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
.Sp
Netscape-derived:
\f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
.Sp
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
.IP "\fB\s-1TLS_KEY\s0\fR file name" 4
.IX Item "TLS_KEY file name"
The path to a file containing the private key which matches the
certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be
password-protected. The key type depends on the \s-1LDAP\s0 libraries
used.
.Sp
OpenLDAP:
\f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
.Sp
Netscape-derived:
\f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
.IX Item "TLS_RANDFILE file name"
The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
source for systems that lack a random device. It is generally used
in conjunction with \fIprngd\fR or \fIegd\fR.
This option is only supported by the OpenLDAP libraries.
.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
.IX Item "TLS_CIPHERS cipher list"
The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict
which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
See the OpenSSL manual for a list of valid ciphers.
This option is only supported by the OpenLDAP libraries.
.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
.IX Item "USE_SASL on/true/yes/off/false/no"
Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
.IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
.IX Item "SASL_AUTH_ID identity"
The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
By default, \fBsudo\fR will use an anonymous connection.
.IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
.IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
.IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
.IX Item "ROOTSASL_AUTH_ID identity"
The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
.IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
.IX Item "SASL_SECPROPS none/properties"
\&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the
\&\s-1SASL\s0 programmer's manual for details.
.IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
.IX Item "KRB5_CCNAME file name"
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
.PP
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
.SS "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Unless it is disabled at build time, \fBsudo\fR consults the Name
Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
uses this to determine the search order. Note that \fBsudo\fR does
not stop searching after the first match and later matches take
precedence over earlier ones.
.PP
The following sources are recognized:
.PP
.Vb 2
\& files read sudoers from F<@sysconfdir@/sudoers>
\& ldap read sudoers from LDAP
.Ve
.PP
In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
search if the user was not found in the preceding source.
.PP
To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
exists), use:
.PP
.Vb 1
\& sudoers: ldap files
.Ve
.PP
The local \fIsudoers\fR file can be ignored completely by using:
.PP
.Vb 1
\& sudoers: ldap
.Ve
.PP
If the \fI@nsswitch_conf@\fR file is not present or there is no
sudoers line, the following default is assumed:
.PP
.Vb 1
\& sudoers: files
.Ve
.PP
Note that \fI@nsswitch_conf@\fR is supported even when the underlying
operating system does not use an nsswitch.conf file.
.SS "Configuring netsvc.conf"
.IX Subsection "Configuring netsvc.conf"
On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
variant of \fInsswitch.conf\fR; information in the previous section
unrelated to the file format itself still applies.
.PP
To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
exists), use:
.PP
.Vb 1
\& sudoers = ldap, files
.Ve
.PP
The local \fIsudoers\fR file can be ignored completely by using:
.PP
.Vb 1
\& sudoers = ldap
.Ve
.PP
To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file
if the user is not present in \s-1LDAP\s0, use:
.PP
.Vb 1
\& sudoers = ldap = auth, files
.Ve
.PP
Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects
user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
entries.
.PP
If the \fI@netsvc_conf@\fR file is not present or there is no
sudoers line, the following default is assumed:
.PP
.Vb 1
\& sudoers = files
.Ve
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI@ldap_conf@\fR" 24
.el .IP "\fI@ldap_conf@\fR" 24
.IX Item "@ldap_conf@"
\&\s-1LDAP\s0 configuration file
.ie n .IP "\fI@nsswitch_conf@\fR" 24
.el .IP "\fI@nsswitch_conf@\fR" 24
.IX Item "@nsswitch_conf@"
determines sudoers source order
.ie n .IP "\fI@netsvc_conf@\fR" 24
.el .IP "\fI@netsvc_conf@\fR" 24
.IX Item "@netsvc_conf@"
determines sudoers source order on \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.SS "Example ldap.conf"
.IX Subsection "Example ldap.conf"
.Vb 10
\& # Either specify one or more URIs or one or more host:port pairs.
\& # If neither is specified sudo will default to localhost, port 389.
\& #
\& #host ldapserver
\& #host ldapserver1 ldapserver2:390
\& #
\& # Default port if host is specified without one, defaults to 389.
\& #port 389
\& #
\& # URI will override the host and port settings.
\& uri ldap://ldapserver
\& #uri ldaps://secureldapserver
\& #uri ldaps://secureldapserver ldap://ldapserver
\& #
\& # The amount of time, in seconds, to wait while trying to connect to
\& # an LDAP server.
\& bind_timelimit 30
\& #
\& # The amount of time, in seconds, to wait while performing an LDAP query.
\& timelimit 30
\& #
\& # must be set or sudo will ignore LDAP
\& sudoers_base ou=SUDOers,dc=example,dc=com
\& #
\& # verbose sudoers matching from ldap
\& #sudoers_debug 2
\& #
\& # optional proxy credentials
\& #binddn <who to search as>
\& #bindpw <password>
\& #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
\& #
\& # LDAP protocol version, defaults to 3
\& #ldap_version 3
\& #
\& # Define if you want to use an encrypted LDAP connection.
\& # Typically, you must also set the port to 636 (ldaps).
\& #ssl on
\& #
\& # Define if you want to use port 389 and switch to
\& # encryption before the bind credentials are sent.
\& # Only supported by LDAP servers that support the start_tls
\& # extension such as OpenLDAP.
\& #ssl start_tls
\& #
\& # Additional TLS options follow that allow tweaking of the
\& # SSL/TLS connection.
\& #
\& #tls_checkpeer yes # verify server SSL certificate
\& #tls_checkpeer no # ignore server SSL certificate
\& #
\& # If you enable tls_checkpeer, specify either tls_cacertfile
\& # or tls_cacertdir. Only supported when using OpenLDAP.
\& #
\& #tls_cacertfile /etc/certs/trusted_signers.pem
\& #tls_cacertdir /etc/certs
\& #
\& # For systems that don\*(Aqt have /dev/random
\& # use this along with PRNGD or EGD.pl to seed the
\& # random number pool to generate cryptographic session keys.
\& # Only supported when using OpenLDAP.
\& #
\& #tls_randfile /etc/egd\-pool
\& #
\& # You may restrict which ciphers are used. Consult your SSL
\& # documentation for which options go here.
\& # Only supported when using OpenLDAP.
\& #
\& #tls_ciphers <cipher\-list>
\& #
\& # Sudo can provide a client certificate when communicating to
\& # the LDAP server.
\& # Tips:
\& # * Enable both lines at the same time.
\& # * Do not password protect the key file.
\& # * Ensure the keyfile is only readable by root.
\& #
\& # For OpenLDAP:
\& #tls_cert /etc/certs/client_cert.pem
\& #tls_key /etc/certs/client_key.pem
\& #
\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
\& # a directory, in which case the files in the directory must have the
\& # default names (e.g. cert8.db and key4.db), or the path to the cert
\& # and key files themselves. However, a bug in version 5.0 of the LDAP
\& # SDK will prevent specific file names from working. For this reason
\& # it is suggested that tls_cert and tls_key be set to a directory,
\& # not a file name.
\& #
\& # The certificate database specified by tls_cert may contain CA certs
\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key
\& # should be specified as well.
\& # For backward compatibility, "sslpath" may be used in place of tls_cert.
\& #tls_cert /var/ldap
\& #tls_key /var/ldap
\& #
\& # If using SASL authentication for LDAP (OpenSSL)
\& # use_sasl yes
\& # sasl_auth_id <SASL user name>
\& # rootuse_sasl yes
\& # rootsasl_auth_id <SASL user name for root access>
\& # sasl_secprops none
\& # krb5_ccname /etc/.ldapcache
.Ve
.SS "Sudo schema for OpenLDAP"
.IX Subsection "Sudo schema for OpenLDAP"
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
\&\f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
.PP
.Vb 6
\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
\& NAME \*(AqsudoUser\*(Aq
\& DESC \*(AqUser(s) who may run sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SUBSTR caseExactIA5SubstringsMatch
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
\& NAME \*(AqsudoHost\*(Aq
\& DESC \*(AqHost(s) who may run sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SUBSTR caseExactIA5SubstringsMatch
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
\& NAME \*(AqsudoCommand\*(Aq
\& DESC \*(AqCommand(s) to be executed by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
\& NAME \*(AqsudoRunAs\*(Aq
\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
\& NAME \*(AqsudoOption\*(Aq
\& DESC \*(AqOptions(s) followed by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
\& NAME \*(AqsudoRunAsUser\*(Aq
\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
\& NAME \*(AqsudoRunAsGroup\*(Aq
\& DESC \*(AqGroup(s) impersonated by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
\&
\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
\& DESC \*(AqSudoer Entries\*(Aq
\& MUST ( cn )
\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
\& sudoRunAsGroup $ sudoOption $ description )
\& )
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5)
.SH "CAVEATS"
.IX Header "CAVEATS"
The way that \fIsudoers\fR is parsed differs between Note that there
are differences in the way that LDAP-based \fIsudoers\fR is parsed
compared to file-based \fIsudoers\fR. See the \*(L"Differences between
\&\s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.

730
doc/sudoers.ldap.pod Normal file
View File

@@ -0,0 +1,730 @@
Copyright (c) 2003-2009
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
=pod
=head1 NAME
sudoers.ldap - sudo LDAP configuration
=head1 DESCRIPTION
In addition to the standard I<sudoers> file, B<sudo> may be configured
via LAP. This can be especially useful for synchronizing I<sudoers>
in a large, distributed environment.
Using LDAP for I<sudoers> has several benefits:
=over 4
=item *
B<sudo> no longer needs to read I<sudoers> in its entirety. When
LDAP is used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP
environments.
=item *
B<sudo> no longer exits if there is a typo in I<sudoers>.
It is not possible to load LDAP data into the server that does
not conform to the sudoers schema, so proper syntax is guaranteed.
It is still possible to have typos in a user or host name, but
this will not prevent B<sudo> from running.
=item *
It is possible to specify per-entry options that override the global
default options. F<@sysconfdir@/sudoers> only supports default options and
limited options associated with user/host/commands/aliases. The
syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
=item *
The B<visudo> program is no longer needed. B<visudo> provides
locking and syntax checking of the F<@sysconfdir@/sudoers> file.
Since LDAP updates are atomic, locking is no longer necessary.
Because syntax is checked when the data is inserted into LDAP, there
is no need for a specialized tool to check syntax.
=back
Another major difference between LDAP and file-based I<sudoers>
is that in LDAP, B<sudo>-specific Aliases are not supported.
For the most part, there is really no need for B<sudo>-specific
Aliases. Unix groups or user netgroups can be used in place of
User_Aliases and RunasAliases. Host netgroups can be used in place
of HostAliases. Since Unix groups and netgroups can also be stored
in LDAP there is no real need for B<sudo>-specific aliases.
Cmnd_Aliases are not really required either since it is possible
to have multiple users listed in a sudoRole. Instead of defining
a Cmnd_Alias that is referenced by multiple users, one can create
a sudoRole that contains the commands and assign multiple users
to it.
=head2 SUDOers LDAP container
The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
container.
Sudo first looks for the C<cn=default> entry in the SUDOers container.
If found, the multi-valued C<sudoOption> attribute is parsed in the
same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>. In
the following example, the C<SSH_AUTH_SOCK> variable will be preserved
in the environment for all users.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
the following components:
=over 4
=item B<sudoUser>
A user name, uid (prefixed with C<'#'>), Unix group (prefixed with
a C<'%'>) or user netgroup (prefixed with a C<'+'>).
=item B<sudoHost>
A host name, IP address, IP network, or host netgroup (prefixed
with a C<'+'>).
The special value C<ALL> will match any host.
=item B<sudoCommand>
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards).
The special value C<ALL> will match any command.
If a command is prefixed with an exclamation point C<'!'>, the
user will be prohibited from running that command.
=item B<sudoOption>
Identical in function to the global options described above, but
specific to the C<sudoRole> in which it resides.
=item B<sudoRunAsUser>
A user name or uid (prefixed with C<'#'>) that commands may be run
as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
with a C<'+'>) that contains a list of users that commands may be
run as.
The special value C<ALL> will match any user.
=item B<sudoRunAsGroup>
A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
The special value C<ALL> will match any group.
=back
Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
The following example allows users in group wheel to run any command
on any host via B<sudo>:
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
=head2 Anatomy of LDAP sudoers lookup
When looking up a sudoer using LDAP there are only two or three
LDAP queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the
groups that the user belongs to. (The special ALL tag is matched
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
=head2 Differences between LDAP and non-LDAP sudoers
There are some subtle differences in the way sudoers is handled
once in LDAP. Probably the biggest is that according to the RFC,
LDAP ordering is arbitrary and you cannot expect that Attributes
and Entries are returned in any specific order. If there are
conflicting command rules on an entry, the negative takes precedence.
This is called paranoid behavior (not necessarily the most specific
match).
Here is an example:
# /etc/sudoers:
# Allow all commands except shell
johnny ALL=(root) ALL,!/bin/sh
# Always allows all commands because ALL is matched last
puddles ALL=(root) !/bin/sh,ALL
# LDAP equivalent of johnny
# Allows all commands except shell
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh
# LDAP equivalent of puddles
# Notice that even though ALL comes last, it still behaves like
# role1 since the LDAP code assumes the more paranoid configuration
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role2
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
currently ignorred. For example, the following attributes do not
behave the way one might expect.
# does not match all but joe
# rather, does not match anyone
sudoUser: !joe
# does not match all but joe
# rather, matches everyone including Joe
sudoUser: ALL
sudoUser: !joe
# does not match all but web01
# rather, matches all hosts including web01
sudoHost: ALL
sudoHost: !web01
=head2 Sudoers Schema
In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
installed on your LDAP server. In addition, be sure to index the
'sudoUser' attribute.
Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
one for Netscape-derived servers (F<schema.iPlanet>), and one for
Microsoft Active Directory (F<schema.ActiveDirectory>) may
be found in the B<sudo> distribution.
The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
section.
=head2 Configuring ldap.conf
Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not B<sudo>-specific. Note that
B<sudo> parses F<@ldap_conf@> itself and may support options
that differ from those described in the L<ldap.conf(5)> manual.
Also note that on systems using the OpenLDAP libraries, default
values specified in F</etc/openldap/ldap.conf> or the user's
F<.ldaprc> files are not used.
Only those options explicitly listed in F<@ldap_conf@> that are
supported by B<sudo> are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
=over 4
=item B<URI> ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs describing
the LDAP server(s) to connect to. The I<protocol> may be either B<ldap>
or B<ldaps>, the latter being for servers that support TLS (SSL)
encryption. If no I<port> is specified, the default is port 389 for
C<ldap://> or port 636 for C<ldaps://>. If no I<hostname> is specified,
B<sudo> will connect to B<localhost>. Only systems using the OpenSSL
libraries support the mixing of C<ldap://> and C<ldaps://> URIs.
The Netscape-derived libraries used on most commercial versions of
Unix are only capable of supporting one or the other.
=item B<HOST> name[:port] ...
If no B<URI> is specified, the B<HOST> parameter specifies a
whitespace-delimited list of LDAP servers to connect to. Each host
may include an optional I<port> separated by a colon (':'). The
B<HOST> parameter is deprecated in favor of the B<URI> specification
and is included for backwards compatibility.
=item B<PORT> port_number
If no B<URI> is specified, the B<PORT> parameter specifies the
default port to connect to on the LDAP server if a B<HOST> parameter
does not specify the port itself. If no B<PORT> parameter is used,
the default is port 389 for LDAP and port 636 for LDAP over TLS
(SSL). The B<PORT> parameter is deprecated in favor of the B<URI>
specification and is included for backwards compatibility.
=item B<BIND_TIMELIMIT> seconds
The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
to wait while trying to connect to an LDAP server. If multiple B<URI>s or
B<HOST>s are specified, this is the amount of time to wait before trying
the next one in the list.
=item B<TIMELIMIT> seconds
The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
=item B<SUDOERS_BASE> base
The base DN to use when performing B<sudo> LDAP queries. Typically
this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
C<example.com>.
=item B<SUDOERS_DEBUG> debug_level
This sets the debug level for B<sudo> LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
likely to confuse users.
=item B<BINDDN> DN
The B<BINDDN> parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous access.
=item B<BINDPW> secret
The B<BINDPW> parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
B<BINDDN> parameter.
=item B<ROOTBINDDN> DN
The B<ROOTBINDDN> parameter specifies the identity, in the form of
a Distinguished Name (DN), to use when performing privileged LDAP
operations, such as I<sudoers> queries. The password corresponding
to the identity should be stored in F<@ldap_secret@>.
If not specified, the B<BINDDN> identity is used (if any).
=item B<LDAP_VERSION> number
The version of the LDAP protocol to use when connecting to the server.
The default value is protocol version 3.
=item B<SSL> on/true/yes/off/false/no
If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
(SSL) encryption is always used when communicating with the LDAP
server. Typically, this involves connecting to the server on port
636 (ldaps).
=item B<SSL> start_tls
If the B<SSL> parameter is set to C<start_tls>, the LDAP server
connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the C<start_tls>
extension, such as the OpenLDAP server.
=item B<TLS_CHECKPEER> on/true/yes/off/false/no
If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate cannot
be verified (usually because it is signed by an unknown certificate
authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
is disabled, no check is made.
=item B<TLS_CACERTFILE> file name
The path to a certificate authority bundle which contains the certificates
for all the Certificate Authorities the client knows to be valid,
e.g. F</etc/ssl/ca-bundle.pem>.
This option is only supported by the OpenLDAP libraries.
=item B<TLS_CACERTDIR> directory
Similar to B<TLS_CACERTFILE> but instead of a file, it is a
directory containing individual Certificate Authority certificates,
e.g. F</etc/ssl/certs>.
The directory specified by B<TLS_CACERTDIR> is checked after
B<TLS_CACERTFILE>.
This option is only supported by the OpenLDAP libraries.
=item B<TLS_CERT> file name
The path to a file containing the client certificate which can
be used to authenticate the client to the LDAP server.
The certificate type depends on the LDAP libraries used.
OpenLDAP:
C<tls_cert /etc/ssl/client_cert.pem>
Netscape-derived:
C<tls_cert /var/ldap/cert7.db>
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
=item B<TLS_KEY> file name
The path to a file containing the private key which matches the
certificate specified by B<TLS_CERT>. The private key must not be
password-protected. The key type depends on the LDAP libraries
used.
OpenLDAP:
C<tls_key /etc/ssl/client_key.pem>
Netscape-derived:
C<tls_key /var/ldap/key3.db>
=item B<TLS_RANDFILE> file name
The B<TLS_RANDFILE> parameter specifies the path to an entropy
source for systems that lack a random device. It is generally used
in conjunction with I<prngd> or I<egd>.
This option is only supported by the OpenLDAP libraries.
=item B<TLS_CIPHERS> cipher list
The B<TLS_CIPHERS> parameter allows the administer to restrict
which encryption algorithms may be used for TLS (SSL) connections.
See the OpenSSL manual for a list of valid ciphers.
This option is only supported by the OpenLDAP libraries.
=item B<USE_SASL> on/true/yes/off/false/no
Enable B<USE_SASL> for LDAP servers that support SASL authentication.
=item B<SASL_AUTH_ID> identity
The SASL user name to use when connecting to the LDAP server.
By default, B<sudo> will use an anonymous connection.
=item B<ROOTUSE_SASL> on/true/yes/off/false/no
Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as B<sudo>.
=item B<ROOTSASL_AUTH_ID> identity
The SASL user name to use when B<ROOTUSE_SASL> is enabled.
=item B<SASL_SECPROPS> none/properties
SASL security properties or I<none> for no properties. See the
SASL programmer's manual for details.
=item B<KRB5_CCNAME> file name
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
=back
See the C<ldap.conf> entry in the L<EXAMPLES> section.
=head2 Configuring nsswitch.conf
Unless it is disabled at build time, B<sudo> consults the Name
Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
search order. Sudo looks for a line beginning with C<sudoers>: and
uses this to determine the search order. Note that B<sudo> does
not stop searching after the first match and later matches take
precedence over earlier ones.
The following sources are recognized:
files read sudoers from F<@sysconfdir@/sudoers>
ldap read sudoers from LDAP
In addition, the entry C<[NOTFOUND=return]> will short-circuit the
search if the user was not found in the preceding source.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
sudoers: ldap files
The local I<sudoers> file can be ignored completely by using:
sudoers: ldap
If the F<@nsswitch_conf@> file is not present or there is no
sudoers line, the following default is assumed:
sudoers: files
Note that F<@nsswitch_conf@> is supported even when the underlying
operating system does not use an nsswitch.conf file.
=head2 Configuring netsvc.conf
On AIX systems, the F<@netsvc_conf@> file is consulted instead of
F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a
variant of I<nsswitch.conf>; information in the previous section
unrelated to the file format itself still applies.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
sudoers = ldap, files
The local I<sudoers> file can be ignored completely by using:
sudoers = ldap
To treat LDAP as authoratative and only use the local sudoers file
if the user is not present in LDAP, use:
sudoers = ldap = auth, files
Note that in the above example, the C<auth> qualfier only affects
user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
entries.
If the F<@netsvc_conf@> file is not present or there is no
sudoers line, the following default is assumed:
sudoers = files
=head1 FILES
=over 24
=item F<@ldap_conf@>
LDAP configuration file
=item F<@nsswitch_conf@>
determines sudoers source order
=item F<@netsvc_conf@>
determines sudoers source order on AIX
=back
=head1 EXAMPLES
=head2 Example ldap.conf
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#host ldapserver
#host ldapserver1 ldapserver2:390
#
# Default port if host is specified without one, defaults to 389.
#port 389
#
# URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
#
# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#
# The amount of time, in seconds, to wait while performing an LDAP query.
timelimit 30
#
# must be set or sudo will ignore LDAP
sudoers_base ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
#
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
#
# LDAP protocol version, defaults to 3
#ldap_version 3
#
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# Only supported by LDAP servers that support the start_tls
# extension such as OpenLDAP.
#ssl start_tls
#
# Additional TLS options follow that allow tweaking of the
# SSL/TLS connection.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
#
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
# Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
# Only supported when using OpenLDAP.
#
#tls_ciphers <cipher-list>
#
# Sudo can provide a client certificate when communicating to
# the LDAP server.
# Tips:
# * Enable both lines at the same time.
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# default names (e.g. cert8.db and key4.db), or the path to the cert
# and key files themselves. However, a bug in version 5.0 of the LDAP
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# not a file name.
#
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL user name>
# rootuse_sasl yes
# rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
=head2 Sudo schema for OpenLDAP
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. F</etc/openldap/schema>), add the proper
C<include> line in C<slapd.conf> and restart B<slapd>.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
sudoRunAsGroup $ sudoOption $ description )
)
=head1 SEE ALSO
L<ldap.conf(5)>, L<sudoers(5)>
=head1 CAVEATS
The way that I<sudoers> is parsed differs between Note that there
are differences in the way that LDAP-based I<sudoers> is parsed
compared to file-based I<sudoers>. See the L<Differences between
LDAP and non-LDAP sudoers> section for more information.
=head1 BUGS
If you feel you have found a bug in B<sudo>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
=head1 SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
=head1 DISCLAIMER
B<sudo> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.

1673
doc/sudoers.man.in Normal file
View File

File diff suppressed because it is too large Load Diff

25
doc/sudoers.man.pl Normal file
View File

@@ -0,0 +1,25 @@
#!/usr/bin/perl -p
BEGIN {
$t = undef;
}
if (/^\./) {
if (/^\.I[PX].*use_loginclass/) {
$t = '@LCMAN@';
} elsif (/^\.I[PX].*(role|type)/) {
$t = '@SEMAN@';
} else {
$t = undef;
}
}
# Fix up broken pod2man formatting of F<@foo@/bar>
s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
s/\\f\(\CW\@([^\@]*)\\fR\@/\@$1\@/g;
#\f(CW@secure_path\fR@
# Comment out Compile-time-specific lines in DESCRIPTION
if ($t) {
$_ = $t . $_;
}

1618
doc/sudoers.pod Normal file
View File

File diff suppressed because it is too large Load Diff

330
doc/sudoreplay.cat Normal file
View File

@@ -0,0 +1,330 @@
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
NNAAMMEE
sudoreplay - replay sudo session logs
SSYYNNOOPPSSIISS
ssuuddoorreeppllaayy [--dd _d_i_r_e_c_t_o_r_y] [--mm _m_a_x___w_a_i_t] [--ss _s_p_e_e_d___f_a_c_t_o_r] ID
ssuuddoorreeppllaayy [--dd _d_i_r_e_c_t_o_r_y] -l [search expression]
DDEESSCCRRIIPPTTIIOONN
ssuuddoorreeppllaayy plays back or lists the session logs created by ssuuddoo. When
replaying, ssuuddoorreeppllaayy can play the session back in real-time, or the
playback speed may be adjusted (faster or slower) based on the command
line options. The _I_D should be a six character sequence of digits and
upper case letters, e.g. 0100A5, which is logged by ssuuddoo when a
command is run with session logging enabled.
In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based
on a number of criteria such as the user, tty or command run.
In replay mode, if the standard output has not been redirected,
ssuuddoorreeppllaayy will act on the following keys:
' ' (space)
Pause output; press any key to resume.
'<' Reduce the playback speed by one half.
'>' Double the playback speed.
OOPPTTIIOONNSS
ssuuddoorreeppllaayy accepts the following command line options:
-d _d_i_r_e_c_t_o_r_y
Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the
default, _/_v_a_r_/_l_o_g_/_s_u_d_o_-_s_e_s_s_i_o_n_s.
-l Enable "list mode". In this mode, ssuuddoorreeppllaayy will list
available session IDs. If a _s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is
specified, it will be used to restrict the IDs that are
displayed. An expression is composed of the following
predicates:
command _c_o_m_m_a_n_d _p_a_t_t_e_r_n
Evaluates to true if the command run matches
_c_o_m_m_a_n_d _p_a_t_t_e_r_n. On systems with POSIX regular
expression support, the pattern may be an extended
regular expression. On systems without POSIX
regular expression support, a simple substring
match is performed instead.
cwd _d_i_r_e_c_t_o_r_y
Evaluates to true if the command was run with the
specified current working directory.
1.7.3b2 December 19, 2009 1
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
fromdate _d_a_t_e
Evaluates to true if the command was run on or
after _d_a_t_e. See "Date and time format" for a
description of supported date and time formats.
group _r_u_n_a_s___g_r_o_u_p
Evaluates to true if the command was run with the
specified _r_u_n_a_s___g_r_o_u_p. Note that unless a
_r_u_n_a_s___g_r_o_u_p was explicitly specified when ssuuddoo was
run this field will be empty in the log.
runas _r_u_n_a_s___u_s_e_r
Evaluates to true if the command was run as the
specified _r_u_n_a_s___u_s_e_r. Note that ssuuddoo runs commands
as user _r_o_o_t by default.
todate _d_a_t_e
Evaluates to true if the command was run on or
prior to _d_a_t_e. See "Date and time format" for a
description of supported date and time formats.
tty _t_t_y Evaluates to true if the command was run on the
specified terminal device. The _t_t_y should be
specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1
instead of _/_d_e_v_/_t_t_y_0_1.
user _u_s_e_r _n_a_m_e
Evaluates to true if the ID matches a command run
by _u_s_e_r _n_a_m_e.
Predicates may be abbreviated to the shortest unique string
(currently all predicates may be shortened to a single
character).
Predicates may be combined using _a_n_d, _o_r and _! operators as
well as '(' and ')' for grouping (note that parentheses
must generally be escaped from the shell). The _a_n_d
operator is optional, adjacent predicates have an implied
_a_n_d unless separated by an _o_r.
-m _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key
presses or output data. By default, ssuuddoo__rreeppllaayy will
accurately reproduce the delays between key presses or
program output. However, this can be tedious when the
session includes long pauses. When the _-_m option is
specified, ssuuddoorreeppllaayy will limit these pauses to at most
_m_a_x___w_a_i_t seconds. The value may be specified as a floating
point number, .e.g. _2_._5.
-s _s_p_e_e_d___f_a_c_t_o_r
This option causes ssuuddoorreeppllaayy to adjust the number of
seconds it will wait between key presses or program output.
This can be used to slow down or speed up the display. For
example, a _s_p_e_e_d___f_a_c_t_o_r of _2 would make the output twice as
1.7.3b2 December 19, 2009 2
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
fast whereas a _s_p_e_e_d___f_a_c_t_o_r of <.5> would make the output
twice as slow.
-V The --VV (version) option causes ssuuddoorreeppllaayy to print its
version number and exit.
DDaattee aanndd ttiimmee ffoorrmmaatt
The time and date may be specified multiple ways, common formats
include:
HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day
names may be abbreviated. Note that month and day of the week
names must be specified in English.
CCYY-MM-DD HH:MM:SS
ISO time format
DD Month CCYY HH:MM:SS
The month name may be abbreviated.
Either time or date may be omitted, the am/pm and timezone are
optional. If no date is specified, the current day is assumed; if no
time is specified, the first second of the specified date is used. The
less significant parts of both time and date may also be omitted, in
which case zero is assumed. For example, the following are all valid:
The following are all valid time and date specifications:
now The current time and date.
tomorrow
Exactly one day from now.
yesterday
24 hours ago.
2 hours ago
2 hours ago.
next Friday
The first second of the next Friday.
this week
The current time but the first day of the coming week.
a fortnight ago
The current time but 14 days ago.
10:01 am 9/17/2009
10:01 am, September 17, 2009.
1.7.3b2 December 19, 2009 3
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
10:01 am
10:01 am on the current day.
10 10:00 am on the current day.
9/17/2009
00:00 am, September 17, 2009.
10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
FFIILLEESS
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_s_e_s_s_i_o_n The default session directory.
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_s_e_s_s_i_o_n_/_0_0_/_0_0_/_0_1
Example session log info.
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_s_e_s_s_i_o_n_/_0_0_/_0_0_/_0_1_._s_c_r
Example session transcript file.
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_s_e_s_s_i_o_n_/_0_0_/_0_0_/_0_1_._t_i_m
Example session timing file.
EEXXAAMMPPLLEESS
List sessions run by user _m_i_l_l_e_r_t:
sudoreplay -l user millert
List sessions run by user _b_o_b with a command containing the string vi:
sudoreplay -l user bob command vi
List sessions run by user _j_e_f_f that match a regular expression:
sudoreplay -l user jeff command '/bin/[a-z]*sh'
List sessions run by jeff or bob on the console:
sudoreplay -l ( user jeff or user bob ) tty console
SSEEEE AALLSSOO
_s_u_d_o(1m), _s_c_r_i_p_t(1)
AAUUTTHHOORR
Todd C. Miller
BBUUGGSS
If you feel you have found a bug in ssuuddoorreeppllaayy, please submit a bug
report at http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
1.7.3b2 December 19, 2009 4
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
DDIISSCCLLAAIIMMEERR
ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
1.7.3b2 December 19, 2009 5

381
doc/sudoreplay.man.in Normal file
View File

@@ -0,0 +1,381 @@
.\" Copyright (c) 2009 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
.TH SUDOREPLAY @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
sudoreplay \- replay sudo session logs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBsudoreplay\fR [\fB\-d\fR \fIdirectory\fR] [\fB\-m\fR \fImax_wait\fR] [\fB\-s\fR \fIspeed_factor\fR] \s-1ID\s0
.PP
\&\fBsudoreplay\fR [\fB\-d\fR \fIdirectory\fR] \-l [search expression]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsudoreplay\fR plays back or lists the session logs created by
\&\fBsudo\fR. When replaying, \fBsudoreplay\fR can play the session back
in real-time, or the playback speed may be adjusted (faster or
slower) based on the command line options. The \fI\s-1ID\s0\fR should be
a six character sequence of digits and upper case letters, e.g.
0100A5, which is logged by \fBsudo\fR when a command is run with
session logging enabled.
.PP
In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session
based on a number of criteria such as the user, tty or command run.
.PP
In replay mode, if the standard output has not been redirected,
\&\fBsudoreplay\fR will act on the following keys:
.IP "' ' (space)" 8
.IX Item "' ' (space)"
Pause output; press any key to resume.
.IP "'<'" 8
Reduce the playback speed by one half.
.IP "'>'" 8
Double the playback speed.
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBsudoreplay\fR accepts the following command line options:
.IP "\-d \fIdirectory\fR" 12
.IX Item "-d directory"
Use \fIdirectory\fR to for the session logs instead of the default,
\&\fI/var/log/sudo\-sessions\fR.
.IP "\-l" 12
.IX Item "-l"
Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available
session IDs. If a \fIsearch expression\fR is specified, it will be
used to restrict the IDs that are displayed. An expression is
composed of the following predicates:
.RS 12
.IP "command \fIcommand pattern\fR" 8
.IX Item "command command pattern"
Evaluates to true if the command run matches \fIcommand pattern\fR.
On systems with \s-1POSIX\s0 regular expression support, the pattern may
be an extended regular expression. On systems without \s-1POSIX\s0 regular
expression support, a simple substring match is performed instead.
.IP "cwd \fIdirectory\fR" 8
.IX Item "cwd directory"
Evaluates to true if the command was run with the specified current
working directory.
.IP "fromdate \fIdate\fR" 8
.IX Item "fromdate date"
Evaluates to true if the command was run on or after \fIdate\fR.
See \*(L"Date and time format\*(R" for a description of supported
date and time formats.
.IP "group \fIrunas_group\fR" 8
.IX Item "group runas_group"
Evaluates to true if the command was run with the specified
\&\fIrunas_group\fR. Note that unless a \fIrunas_group\fR was explicitly
specified when \fBsudo\fR was run this field will be empty in the log.
.IP "runas \fIrunas_user\fR" 8
.IX Item "runas runas_user"
Evaluates to true if the command was run as the specified \fIrunas_user\fR.
Note that \fBsudo\fR runs commands as user \fIroot\fR by default.
.IP "todate \fIdate\fR" 8
.IX Item "todate date"
Evaluates to true if the command was run on or prior to \fIdate\fR.
See \*(L"Date and time format\*(R" for a description of supported
date and time formats.
.IP "tty \fItty\fR" 8
.IX Item "tty tty"
Evaluates to true if the command was run on the specified terminal
device. The \fItty\fR should be specified without the \fI/dev/\fR prefix,
e.g. \fItty01\fR instead of \fI/dev/tty01\fR.
.IP "user \fIuser name\fR" 8
.IX Item "user user name"
Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR.
.RE
.RS 12
.Sp
Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character).
.Sp
Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators
as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses
must generally be escaped from the shell). The \fIand\fR operator is
optional, adjacent predicates have an implied \fIand\fR unless separated
by an \fIor\fR.
.RE
.IP "\-m \fImax_wait\fR" 12
.IX Item "-m max_wait"
Specify an upper bound on how long to wait between key presses or
output data. By default, \fBsudo_replay\fR will accurately reproduce
the delays between key presses or program output. However, this
can be tedious when the session includes long pauses. When the
\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses
to at most \fImax_wait\fR seconds. The value may be specified as a
floating point number, .e.g. \fI2.5\fR.
.IP "\-s \fIspeed_factor\fR" 12
.IX Item "-s speed_factor"
This option causes \fBsudoreplay\fR to adjust the number of seconds
it will wait between key presses or program output. This can be
used to slow down or speed up the display. For example, a
\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas
a \fIspeed_factor\fR of <.5> would make the output twice as slow.
.IP "\-V" 12
.IX Item "-V"
The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number
and exit.
.SS "Date and time format"
.IX Subsection "Date and time format"
The time and date may be specified multiple ways, common formats include:
.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8
.IX Item "HH:MM:SS am MM/DD/CCYY timezone"
24 hour time may be used in place of am/pm.
.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8
.IX Item "HH:MM:SS am Month, Day Year timezone"
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated. Note that month and day of the week names must
be specified in English.
.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8
.IX Item "CCYY-MM-DD HH:MM:SS"
\&\s-1ISO\s0 time format
.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8
.IX Item "DD Month CCYY HH:MM:SS"
The month name may be abbreviated.
.PP
Either time or date may be omitted, the am/pm and timezone are
optional. If no date is specified, the current day is assumed; if
no time is specified, the first second of the specified date is
used. The less significant parts of both time and date may also
be omitted, in which case zero is assumed. For example, the following
are all valid:
.PP
The following are all valid time and date specifications:
.IP "now" 8
.IX Item "now"
The current time and date.
.IP "tomorrow" 8
.IX Item "tomorrow"
Exactly one day from now.
.IP "yesterday" 8
.IX Item "yesterday"
24 hours ago.
.IP "2 hours ago" 8
.IX Item "2 hours ago"
2 hours ago.
.IP "next Friday" 8
.IX Item "next Friday"
The first second of the next Friday.
.IP "this week" 8
.IX Item "this week"
The current time but the first day of the coming week.
.IP "a fortnight ago" 8
.IX Item "a fortnight ago"
The current time but 14 days ago.
.IP "10:01 am 9/17/2009" 8
.IX Item "10:01 am 9/17/2009"
10:01 am, September 17, 2009.
.IP "10:01 am" 8
.IX Item "10:01 am"
10:01 am on the current day.
.IP "10" 8
.IX Item "10"
10:00 am on the current day.
.IP "9/17/2009" 8
.IX Item "9/17/2009"
00:00 am, September 17, 2009.
.IP "10:01 am Sep 17, 2009" 8
.IX Item "10:01 am Sep 17, 2009"
10:01 am, September 17, 2009.
.SH "FILES"
.IX Header "FILES"
.IP "\fI/var/log/sudo\-session\fR" 24
.IX Item "/var/log/sudo-session"
The default session directory.
.IP "\fI/var/log/sudo\-session/00/00/01\fR" 24
.IX Item "/var/log/sudo-session/00/00/01"
Example session log info.
.IP "\fI/var/log/sudo\-session/00/00/01.scr\fR" 24
.IX Item "/var/log/sudo-session/00/00/01.scr"
Example session transcript file.
.IP "\fI/var/log/sudo\-session/00/00/01.tim\fR" 24
.IX Item "/var/log/sudo-session/00/00/01.tim"
Example session timing file.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
List sessions run by user \fImillert\fR:
.PP
.Vb 1
\& sudoreplay \-l user millert
.Ve
.PP
List sessions run by user \fIbob\fR with a command containing the string vi:
.PP
.Vb 1
\& sudoreplay \-l user bob command vi
.Ve
.PP
List sessions run by user \fIjeff\fR that match a regular expression:
.PP
.Vb 1
\& sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
.Ve
.PP
List sessions run by jeff or bob on the console:
.PP
.Vb 1
\& sudoreplay \-l ( user jeff or user bob ) tty console
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1)
.SH "AUTHOR"
.IX Header "AUTHOR"
Todd C. Miller
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.

313
doc/sudoreplay.pod Normal file
View File

@@ -0,0 +1,313 @@
Copyright (c) 2009 Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
=pod
=head1 NAME
sudoreplay - replay sudo session logs
=head1 SYNOPSIS
B<sudoreplay> [B<-d> I<directory>] [B<-m> I<max_wait>] [B<-s> I<speed_factor>] ID
B<sudoreplay> [B<-d> I<directory>] -l [search expression]
=head1 DESCRIPTION
B<sudoreplay> plays back or lists the session logs created by
B<sudo>. When replaying, B<sudoreplay> can play the session back
in real-time, or the playback speed may be adjusted (faster or
slower) based on the command line options. The I<ID> should be
a six character sequence of digits and upper case letters, e.g.
0100A5, which is logged by B<sudo> when a command is run with
session logging enabled.
In list mode, B<sudoreplay> can be used to find the ID of a session
based on a number of criteria such as the user, tty or command run.
In replay mode, if the standard output has not been redirected,
B<sudoreplay> will act on the following keys:
=over 8
=item ' ' (space)
Pause output; press any key to resume.
=item '<'
Reduce the playback speed by one half.
=item '>'
Double the playback speed.
=back
=head1 OPTIONS
B<sudoreplay> accepts the following command line options:
=over 12
=item -d I<directory>
Use I<directory> to for the session logs instead of the default,
F</var/log/sudo-sessions>.
=item -l
Enable "list mode". In this mode, B<sudoreplay> will list available
session IDs. If a I<search expression> is specified, it will be
used to restrict the IDs that are displayed. An expression is
composed of the following predicates:
=over 8
=item command I<command pattern>
Evaluates to true if the command run matches I<command pattern>.
On systems with POSIX regular expression support, the pattern may
be an extended regular expression. On systems without POSIX regular
expression support, a simple substring match is performed instead.
=item cwd I<directory>
Evaluates to true if the command was run with the specified current
working directory.
=item fromdate I<date>
Evaluates to true if the command was run on or after I<date>.
See L<"Date and time format"> for a description of supported
date and time formats.
=item group I<runas_group>
Evaluates to true if the command was run with the specified
I<runas_group>. Note that unless a I<runas_group> was explicitly
specified when B<sudo> was run this field will be empty in the log.
=item runas I<runas_user>
Evaluates to true if the command was run as the specified I<runas_user>.
Note that B<sudo> runs commands as user I<root> by default.
=item todate I<date>
Evaluates to true if the command was run on or prior to I<date>.
See L<"Date and time format"> for a description of supported
date and time formats.
=item tty I<tty>
Evaluates to true if the command was run on the specified terminal
device. The I<tty> should be specified without the F</dev/> prefix,
e.g. F<tty01> instead of F</dev/tty01>.
=item user I<user name>
Evaluates to true if the ID matches a command run by I<user name>.
=back
Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character).
Predicates may be combined using I<and>, I<or> and I<!> operators
as well as C<'('> and C<')'> for grouping (note that parentheses
must generally be escaped from the shell). The I<and> operator is
optional, adjacent predicates have an implied I<and> unless separated
by an I<or>.
=item -m I<max_wait>
Specify an upper bound on how long to wait between key presses or
output data. By default, B<sudo_replay> will accurately reproduce
the delays between key presses or program output. However, this
can be tedious when the session includes long pauses. When the
I<-m> option is specified, B<sudoreplay> will limit these pauses
to at most I<max_wait> seconds. The value may be specified as a
floating point number, .e.g. I<2.5>.
=item -s I<speed_factor>
This option causes B<sudoreplay> to adjust the number of seconds
it will wait between key presses or program output. This can be
used to slow down or speed up the display. For example, a
I<speed_factor> of I<2> would make the output twice as fast whereas
a I<speed_factor> of <.5> would make the output twice as slow.
=item -V
The B<-V> (version) option causes B<sudoreplay> to print its version number
and exit.
=back
=head2 Date and time format
The time and date may be specified multiple ways, common formats include:
=over 8
=item HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
=item HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated. Note that month and day of the week names must
be specified in English.
=item CCYY-MM-DD HH:MM:SS
ISO time format
=item DD Month CCYY HH:MM:SS
The month name may be abbreviated.
=back
Either time or date may be omitted, the am/pm and timezone are
optional. If no date is specified, the current day is assumed; if
no time is specified, the first second of the specified date is
used. The less significant parts of both time and date may also
be omitted, in which case zero is assumed. For example, the following
are all valid:
The following are all valid time and date specifications:
=over 8
=item now
The current time and date.
=item tomorrow
Exactly one day from now.
=item yesterday
24 hours ago.
=item 2 hours ago
2 hours ago.
=item next Friday
The first second of the next Friday.
=item this week
The current time but the first day of the coming week.
=item a fortnight ago
The current time but 14 days ago.
=item 10:01 am 9/17/2009
10:01 am, September 17, 2009.
=item 10:01 am
10:01 am on the current day.
=item 10
10:00 am on the current day.
=item 9/17/2009
00:00 am, September 17, 2009.
=item 10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
=back
=head1 FILES
=over 24
=item F</var/log/sudo-session>
The default session directory.
=item F</var/log/sudo-session/00/00/01>
Example session log info.
=item F</var/log/sudo-session/00/00/01.scr>
Example session transcript file.
=item F</var/log/sudo-session/00/00/01.tim>
Example session timing file.
=back
=head1 EXAMPLES
List sessions run by user I<millert>:
sudoreplay -l user millert
List sessions run by user I<bob> with a command containing the string vi:
sudoreplay -l user bob command vi
List sessions run by user I<jeff> that match a regular expression:
sudoreplay -l user jeff command '/bin/[a-z]*sh'
List sessions run by jeff or bob on the console:
sudoreplay -l ( user jeff or user bob ) tty console
=head1 SEE ALSO
L<sudo(8)>, L<script(1)>
=head1 AUTHOR
Todd C. Miller
=head1 BUGS
If you feel you have found a bug in B<sudoreplay>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
=head1 SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
=head1 DISCLAIMER
B<sudoreplay> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.

198
doc/visudo.cat Normal file
View File

@@ -0,0 +1,198 @@
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
NNAAMMEE
visudo - edit the sudoers file
SSYYNNOOPPSSIISS
vviissuuddoo [--cc] [--qq] [--ss] [--VV] [--ff _s_u_d_o_e_r_s]
DDEESSCCRRIIPPTTIIOONN
vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m).
vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits,
provides basic sanity checks, and checks for parse errors. If the
_s_u_d_o_e_r_s file is currently being edited you will receive a message to
try again later.
There is a hard-coded list of editors that vviissuuddoo will use set at
compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s Default
variable. This list defaults to the path to _v_i(1) on your system, as
determined by the _c_o_n_f_i_g_u_r_e script. Normally, vviissuuddoo does not honor
the VISUAL or EDITOR environment variables unless they contain an
editor in the aforementioned editors list. However, if vviissuuddoo is
configured with the _-_-_w_i_t_h_-_e_n_v_e_d_i_t_o_r option or the _e_n_v___e_d_i_t_o_r Default
variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the editor defines by
VISUAL or EDITOR. Note that this can be a security hole since it
allows the user to execute any program they wish simply by setting
VISUAL or EDITOR.
vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the
changes if there is a syntax error. Upon finding an error, vviissuuddoo will
print a message stating the line number(s) where the error occurred and
the user will receive the "What now?" prompt. At this point the user
may enter "e" to re-edit the _s_u_d_o_e_r_s file, "x" to exit without saving
the changes, or "Q" to quit and save changes. The "Q" option should be
used with extreme care because if vviissuuddoo believes there to be a parse
error, so will ssuuddoo and no one will be able to ssuuddoo again until the
error is fixed. If "e" is typed to edit the _s_u_d_o_e_r_s file after a
parse error has been detected, the cursor will be placed on the line
where the error occurred (if the editor supports this feature).
OOPPTTIIOONNSS
vviissuuddoo accepts the following command line options:
-c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s file will be
checked for syntax and a message will be printed to the
standard output detailing the status of _s_u_d_o_e_r_s. If the
syntax check completes successfully, vviissuuddoo will exit with
a value of 0. If a syntax error is encountered, vviissuuddoo
will exit with a value of 1.
-f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this
option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your
choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock
file used is the specified _s_u_d_o_e_r_s file with ".tmp"
appended to it.
-q Enable qquuiieett mode. In this mode details about syntax
1.7.3b2 December 19, 2009 1
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
errors are not printed. This option is only useful when
combined with the --cc option.
-s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is
used before it is defined, vviissuuddoo will consider this a
parse error. Note that it is not possible to differentiate
between an alias and a host name or user name that consists
solely of uppercase letters, digits, and the underscore
('_') character.
-V The --VV (version) option causes vviissuuddoo to print its version
number and exit.
EENNVVIIRROONNMMEENNTT
The following environment variables may be consulted depending on the
value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s variables:
VISUAL Invoked by visudo as the editor to use
EDITOR Used by visudo if VISUAL is not set
FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
_/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo
DDIIAAGGNNOOSSTTIICCSS
sudoers file busy, try again later.
Someone else is currently editing the _s_u_d_o_e_r_s file.
/etc/sudoers.tmp: Permission denied
You didn't run vviissuuddoo as root.
Can't find you in the passwd database
Your userid does not appear in the system passwd file.
Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclare
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
underscore ('_') character. In the latter case, you can ignore the
warnings (ssuuddoo will not complain). In --ss (strict) mode these are
errors, not warnings.
Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
--ss (strict) mode this is an error, not a warning.
SSEEEE AALLSSOO
_v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8)
AAUUTTHHOORR
Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo
1.7.3b2 December 19, 2009 2
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
was written by:
Todd Miller
See the HISTORY file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
CCAAVVEEAATTSS
There is no easy way to prevent a user from gaining a root shell if the
editor used by vviissuuddoo allows shell escapes.
BBUUGGSS
If you feel you have found a bug in vviissuuddoo, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
DDIISSCCLLAAIIMMEERR
vviissuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
1.7.3b2 December 19, 2009 3

302
doc/visudo.man.in Normal file
View File

@@ -0,0 +1,302 @@
.\" Copyright (c) 1996,1998-2005, 2007-2008
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBvisudo\fR [\fB\-c\fR] [\fB\-q\fR] [\fB\-s\fR] [\fB\-V\fR] [\fB\-f\fR \fIsudoers\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to
\&\fIvipw\fR\|(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple
simultaneous edits, provides basic sanity checks, and checks
for parse errors. If the \fIsudoers\fR file is currently being
edited you will receive a message to try again later.
.PP
There is a hard-coded list of editors that \fBvisudo\fR will use set
at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to the path to \fIvi\fR\|(1) on
your system, as determined by the \fIconfigure\fR script. Normally,
\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
variables unless they contain an editor in the aforementioned editors
list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-enveditor\fR
option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
Note that this can be a security hole since it allows the user to
execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
.PP
\&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will
not save the changes if there is a syntax error. Upon finding
an error, \fBvisudo\fR will print a message stating the line number(s)
where the error occurred and the user will receive the
\&\*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R"
to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without
saving the changes, or \*(L"Q\*(R" to quit and save changes. The
\&\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR
believes there to be a parse error, so will \fBsudo\fR and no one
will be able to \fBsudo\fR again until the error is fixed.
If \*(L"e\*(R" is typed to edit the \fIsudoers\fR file after a parse error
has been detected, the cursor will be placed on the line where the
error occurred (if the editor supports this feature).
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBvisudo\fR accepts the following command line options:
.IP "\-c" 12
.IX Item "-c"
Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be
checked for syntax and a message will be printed to the
standard output detailing the status of \fIsudoers\fR.
If the syntax check completes successfully, \fBvisudo\fR will
exit with a value of 0. If a syntax error is encountered,
\&\fBvisudo\fR will exit with a value of 1.
.IP "\-f \fIsudoers\fR" 12
.IX Item "-f sudoers"
Specify and alternate \fIsudoers\fR file location. With this option
\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice,
instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used
is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it.
.IP "\-q" 12
.IX Item "-q"
Enable \fBquiet\fR mode. In this mode details about syntax errors
are not printed. This option is only useful when combined with
the \fB\-c\fR option.
.IP "\-s" 12
.IX Item "-s"
Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is
used before it is defined, \fBvisudo\fR will consider this a parse
error. Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
.IP "\-V" 12
.IX Item "-V"
The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number
and exit.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
The following environment variables may be consulted depending on
the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables:
.ie n .IP "\*(C`VISUAL\*(C'" 16
.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
.IX Item "VISUAL"
Invoked by visudo as the editor to use
.ie n .IP "\*(C`EDITOR\*(C'" 16
.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
.IX Item "EDITOR"
Used by visudo if \s-1VISUAL\s0 is not set
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
List of who can run what
.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
.el .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
.IX Item "@sysconfdir@/sudoers.tmp"
Lock file for visudo
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
.IP "sudoers file busy, try again later." 4
.IX Item "sudoers file busy, try again later."
Someone else is currently editing the \fIsudoers\fR file.
.ie n .IP "@sysconfdir@/sudoers.tmp: Permission denied" 4
.el .IP "\f(CW@sysconfdir\fR@/sudoers.tmp: Permission denied" 4
.IX Item "@sysconfdir@/sudoers.tmp: Permission denied"
You didn't run \fBvisudo\fR as root.
.IP "Can't find you in the passwd database" 4
.IX Item "Can't find you in the passwd database"
Your userid does not appear in the system passwd file.
.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (\fBsudo\fR will not
complain). In \fB\-s\fR (strict) mode these are errors, not warnings.
.IP "Warning: unused {User,Runas,Host,Cmnd}_Alias" 4
.IX Item "Warning: unused {User,Runas,Host,Cmnd}_Alias"
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
\&\fB\-s\fR (strict) mode this is an error, not a warning.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8)
.SH "AUTHOR"
.IX Header "AUTHOR"
Many people have worked on \fIsudo\fR over the years; this version of
\&\fBvisudo\fR was written by:
.PP
.Vb 1
\& Todd Miller
.Ve
.PP
See the \s-1HISTORY\s0 file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if
the editor used by \fBvisudo\fR allows shell escapes.
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBvisudo\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.

207
doc/visudo.pod Normal file
View File

@@ -0,0 +1,207 @@
Copyright (c) 1996,1998-2005, 2007-2008
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
=pod
=head1 NAME
visudo - edit the sudoers file
=head1 SYNOPSIS
B<visudo> [B<-c>] [B<-q>] [B<-s>] [B<-V>] [B<-f> I<sudoers>]
=head1 DESCRIPTION
B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
L<vipw(8)>. B<visudo> locks the I<sudoers> file against multiple
simultaneous edits, provides basic sanity checks, and checks
for parse errors. If the I<sudoers> file is currently being
edited you will receive a message to try again later.
There is a hard-coded list of editors that B<visudo> will use set
at compile-time that may be overridden via the I<editor> I<sudoers>
C<Default> variable. This list defaults to the path to L<vi(1)> on
your system, as determined by the I<configure> script. Normally,
B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
variables unless they contain an editor in the aforementioned editors
list. However, if B<visudo> is configured with the I<--with-enveditor>
option or the I<env_editor> C<Default> variable is set in I<sudoers>,
B<visudo> will use any the editor defines by C<VISUAL> or C<EDITOR>.
Note that this can be a security hole since it allows the user to
execute any program they wish simply by setting C<VISUAL> or C<EDITOR>.
B<visudo> parses the I<sudoers> file after the edit and will
not save the changes if there is a syntax error. Upon finding
an error, B<visudo> will print a message stating the line number(s)
where the error occurred and the user will receive the
"What now?" prompt. At this point the user may enter "e"
to re-edit the I<sudoers> file, "x" to exit without
saving the changes, or "Q" to quit and save changes. The
"Q" option should be used with extreme care because if B<visudo>
believes there to be a parse error, so will B<sudo> and no one
will be able to B<sudo> again until the error is fixed.
If "e" is typed to edit the I<sudoers> file after a parse error
has been detected, the cursor will be placed on the line where the
error occurred (if the editor supports this feature).
=head1 OPTIONS
B<visudo> accepts the following command line options:
=over 12
=item -c
Enable B<check-only> mode. The existing I<sudoers> file will be
checked for syntax and a message will be printed to the
standard output detailing the status of I<sudoers>.
If the syntax check completes successfully, B<visudo> will
exit with a value of 0. If a syntax error is encountered,
B<visudo> will exit with a value of 1.
=item -f I<sudoers>
Specify and alternate I<sudoers> file location. With this option
B<visudo> will edit (or check) the I<sudoers> file of your choice,
instead of the default, F<@sysconfdir@/sudoers>. The lock file used
is the specified I<sudoers> file with ".tmp" appended to it.
=item -q
Enable B<quiet> mode. In this mode details about syntax errors
are not printed. This option is only useful when combined with
the B<-c> option.
=item -s
Enable B<strict> checking of the I<sudoers> file. If an alias is
used before it is defined, B<visudo> will consider this a parse
error. Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
=item -V
The B<-V> (version) option causes B<visudo> to print its version number
and exit.
=back
=head1 ENVIRONMENT
The following environment variables may be consulted depending on
the value of the I<editor> and I<env_editor> I<sudoers> variables:
=over 16
=item C<VISUAL>
Invoked by visudo as the editor to use
=item C<EDITOR>
Used by visudo if VISUAL is not set
=back
=head1 FILES
=over 24
=item F<@sysconfdir@/sudoers>
List of who can run what
=item F<@sysconfdir@/sudoers.tmp>
Lock file for visudo
=back
=head1 DIAGNOSTICS
=over 4
=item sudoers file busy, try again later.
Someone else is currently editing the I<sudoers> file.
=item @sysconfdir@/sudoers.tmp: Permission denied
You didn't run B<visudo> as root.
=item Can't find you in the passwd database
Your userid does not appear in the system passwd file.
=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (B<sudo> will not
complain). In B<-s> (strict) mode these are errors, not warnings.
=item Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
B<-s> (strict) mode this is an error, not a warning.
=back
=head1 SEE ALSO
L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
=head1 AUTHOR
Many people have worked on I<sudo> over the years; this version of
B<visudo> was written by:
Todd Miller
See the HISTORY file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
=head1 CAVEATS
There is no easy way to prevent a user from gaining a root shell if
the editor used by B<visudo> allows shell escapes.
=head1 BUGS
If you feel you have found a bug in B<visudo>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
=head1 SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
=head1 DISCLAIMER
B<visudo> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.