sudo/sudoers.pod
Todd C. Miller a11c148681 typos
1999-06-22 10:38:39 +00:00


=cut
$Sudo$
=pod

=head1 NAME

sudoers - list of which users may execute what as root

=head1 DESCRIPTION

The I<sudoers> file is composed of optional host, user, runas and
command alias sections and the user specification section.
All aliases need to start with their respective keyword
(i.e. Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).

If there are multiple occurrences of a user, the logical union of the
entries will be used. Note that if an entry that denies access to a
command is followed by an entry that grants access, the user will be
allowed to run the command: a later entry overrides an earlier one.
=head2 user specification format:

    user access_group [: access_group] ...

    access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
                     [,[(runas-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
    cmnd_type    ::= a command OR a command alias.
    op           ::= the logical "!" NOT operator.

=head2 host alias section format:

    Host_Alias HOSTALIAS = host-list

    Host_Alias ::= a keyword.
    HOSTALIAS  ::= an upper-case alias name.
    host-list  ::= a comma-separated list of hosts, netgroups,
                   IP addresses or networks. A logical "!"
                   NOT operator may be prefixed to any of these.

=head2 user alias section format:

    User_Alias USERALIAS = user-list

    User_Alias ::= a keyword.
    USERALIAS  ::= an upper-case alias name.
    user-list  ::= a comma-separated list of users, groups or netgroups.
                   A logical "!" NOT operator may be prefixed to any
                   of these.

=head2 runas alias section format:

    Runas_Alias RUNASALIAS = runas-list

    Runas_Alias ::= a keyword.
    RUNASALIAS  ::= an upper-case alias name.
    runas-list  ::= a comma-separated list of users, groups or netgroups.
                    A logical "!" NOT operator may be prefixed to any
                    of these.

=head2 command alias section format:

    Cmnd_Alias CMNDALIAS = cmnd-list

    Cmnd_Alias ::= a keyword.
    CMNDALIAS  ::= an upper-case alias name.
    cmnd-list  ::= a comma-separated list of commands.
                   A logical "!" NOT operator may be prefixed to any
                   of these.

=head2 command specification:

    path arg1 arg2 .. argn = command

    path      ::= a fully qualified pathname.
    arg[1..n] ::= optional command line arguments.
=head2 persistence of modifiers

When a I<runas-list> is specified for an I<access_group>, it
affects all commands in the I<access_group>. For example, given:

    oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm

User C<oper> will be able to run C</usr/bin/kill> and C</bin/rm>
as B<root> or B<sysadm> on the machine C<bigserver>. The
I<runas-list> is "sticky" across entries in the comma-separated
I<access_group>. You can override the I<runas-list> with another
one, at which point the new I<runas-list> becomes the default for
the rest of that I<access_group>. For example, given:

    oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
        /bin/rmdir

User C<oper> can still run C</usr/bin/kill> as B<root> or B<sysadm> but
can only run C</bin/rm> and C</bin/rmdir> as B<root>.

Similarly, the B<NOPASSWD> modifier is also persistent across an
I<access_group>. For example, given:

    oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir

User C<oper> will be able to run C</usr/bin/kill>, C</bin/rm>, and
C</bin/rmdir> as B<root> without a password. If we change that to:

    oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir

User C<oper> can still run C</usr/bin/kill> without a password but
must give a password to run C</bin/rm> and C</bin/rmdir>.
=head2 wildcards (aka meta characters):

B<sudo> allows shell-style I<wildcards> along with command arguments
in the I<sudoers> file. Wildcard matching is done via the B<POSIX>
C<fnmatch(3)> routine.

=over 8

=item C<*>

Matches any set of zero or more characters.

=item C<?>

Matches any single character.

=item C<[...]>

Matches any character in the specified range.

=item C<[!...]>

Matches any character B<not> in the specified range.

=item C<\x>

For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "]".

=back

=head2 exceptions to wildcard rules:

The following exceptions apply to the above rules:

=over 8

=item C<"">

If the empty string C<""> is the only command line argument in the
I<sudoers> entry it means that command may take B<no> arguments.

=back
=head2 other special characters and reserved words:

Text after a pound sign (B<#>) is considered a comment.

Words that begin with a percent sign (B<%>) are assumed to
be UN*X groups (B<%staff> refers to users in the group I<staff>).

Words that begin with a plus sign (B<+>) are assumed to
be netgroups (B<+cshosts> refers to the netgroup I<cshosts>).

Long lines can be newline escaped with the backslash B<\> character.

The reserved word B<NOPASSWD> indicates that a user need not
enter a password for the command listed in that entry. The
B<NOPASSWD> modifier is persistent across entries in an I<access_group>
and can be reversed with the B<PASSWD> modifier.

The reserved alias I<ALL> can be used for both {Host,User,Cmnd}_Alias.
B<DO NOT> define an alias of I<ALL>, it will B<NOT> be used.
Note that I<ALL> implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:

    user host=ALL,!ALIAS1,!/sbin/halt...

Commands may have optional command line arguments. If they do,
then the arguments in the I<sudoers> file must exactly match those
on the command line. It is also possible to have a command's
arguments span multiple lines as long as the line continuation
character "\" is used. The following characters must be escaped
with a "\" if used in command arguments: ",", ":", "=", "\".
=head1 EXAMPLES

    # Host alias specification
    Host_Alias HUB=houdini:\
               REMOTE=merlin,kodiakthorn,spirit
    Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
    Host_Alias CUNETS=128.138.0.0/255.255.0.0
    Host_Alias CSNETS=128.138.243.0,128.138.204.0,\
               128.138.205.192

    # User alias specification
    User_Alias FULLTIME=millert,dowdy,mikef
    User_Alias PARTTIME=juola,mccreary,tor

    # Runas alias specification
    Runas_Alias OP=root,operator

    # Command alias specification
    Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm
    Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
    Cmnd_Alias SU=/usr/bin/su
    Cmnd_Alias MISC=/bin/rm,/bin/cat:\
               SHUTDOWN=/sbin/halt,/sbin/shutdown

    # User specification
    FULLTIME ALL=(ALL) NOPASSWD: ALL
    %wheel ALL=ALL
    PARTTIME ALL=ALL,!SHELLS,!SU
    +interns +openlabs=ALL,!SHELLS,!SU
    britt REMOTE=SHUTDOWN:ALL=LPCS
    jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*
    nieusma SERVERS=SHUTDOWN,/sbin/reboot:\
            HUB=ALL,!SHELLS
    jill houdini=/sbin/shutdown -[hr] now,MISC
    markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt
    davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\
             kodiakthorn=NOPASSWD: ALL
    steve CSNETS=(operator) /usr/op_commands/
=head2 Host Alias specifications:

There are four I<host aliases>. The first actually contains
two I<aliases>. It sets C<HUB> to be C<houdini> and C<REMOTE>
to the three machines C<merlin>, C<kodiakthorn> and C<spirit>.
Similarly, C<SERVERS> is set to the machines C<houdini>, C<merlin>,
C<kodiakthorn> and C<spirit>. The C<CSNETS> alias will match
any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192
nets. The C<CUNETS> alias will match any host on the 128.138.0.0
(class B) network. Note that these are B<network> addresses, not IP
addresses. Unless an explicit netmask is given, the local I<netmask>
is used to determine whether or not the current host belongs to a network.

=head2 User Alias specifications:

The two I<user aliases> simply group the C<FULLTIME> and
C<PARTTIME> folks into two separate aliases.

=head2 Command alias specifications:

Command aliases are lists of commands with or without associated
command line arguments. The entries above should be self-explanatory.
=head2 User specifications:

=over 16

=item FULLTIME

Full-time sysadmins in the C<FULLTIME> alias may run any
command on any host as any user without a password.

=item %wheel

Any user in the UN*X group C<wheel> may run any
command on any host.

=item PARTTIME

Part-time sysadmins in the C<PARTTIME> alias may run any
command except those in the C<SHELLS> and C<SU> aliases
on any host.

=item +interns

Any user in the netgroup C<interns> may run any
command except those in the C<SHELLS> and C<SU> aliases
on any host that is in the C<openlabs> netgroup.

=item britt

The user C<britt> may run commands in the C<SHUTDOWN> alias
on the C<REMOTE> machines and commands in the C<LPCS> alias
on any machine.

=item jimbo

The user C<jimbo> may C<su> to any user save root on the
machines on C<CUNETS> (which is explicitly listed as a class
B network).

=item nieusma

The user C<nieusma> may run commands in the C<SHUTDOWN> alias
as well as F</sbin/reboot> on the C<SERVERS> machines and
any command except those in the C<SHELLS> alias on the C<HUB>
machines.

=item jill

The user C<jill> may run C</sbin/shutdown -h now> or
C</sbin/shutdown -r now> as well as the commands in the
C<MISC> alias on houdini.

=item markm

The user C<markm> may run any command on the C<HUB> machines
except F</sbin/shutdown>, F</sbin/halt>, and commands listed
in the C<MISC> alias.

=item davehieb

The user C<davehieb> may run any command on C<merlin> as any
user in the Runas_Alias OP (i.e. root or operator). He may
also run F</sbin/halt> on the C<SERVERS> and any command
on C<kodiakthorn> (no password required on C<kodiakthorn>).

=item steve

The user C<steve> may run any command in the F</usr/op_commands/>
directory as user C<operator> on the machines on C<CSNETS>.

=back
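
The persistence, wildcard and argument rules above can be exercised on the
entries from the EXAMPLES section. The evaluator below is an added example
written for this page, not B<sudo>'s own matching code; it assumes B<root> as
the default runas user, does not expand aliases such as C<SHELLS>, treats a
spec ending in C</> as any command directly in that directory, and compares
command arguments as one joined string, which is a simplification of what
B<sudo> does.

```python
import fnmatch
import re

# Added example, not sudo's own code: evaluates one access_group of a sudoers
# user specification (aliases such as SHELLS are not expanded).

def parse_access_group(text):
    """'(root, sysadm) /usr/bin/kill, (root) /bin/rm' -> list of entry dicts."""
    runas, nopasswd, entries = ("root",), False, []  # assumed default: run as root
    for raw in re.split(r",(?![^(]*\))", text):  # split on commas outside (...)
        item = raw.strip()
        m = re.match(r"\(([^)]*)\)\s*(.*)", item)
        if m:  # a new runas-list becomes the default for the rest of the group
            runas = tuple(u.strip() for u in m.group(1).split(","))
            item = m.group(2)
        m = re.match(r"(NOPASSWD|PASSWD):\s*(.*)", item)
        if m:  # the modifier persists until reversed by the other keyword
            nopasswd = m.group(1) == "NOPASSWD"
            item = m.group(2)
        negate = item.startswith("!")  # "!" subtracts the command from the set
        entries.append({"negate": negate, "spec": item[1:] if negate else item,
                        "runas": runas, "nopasswd": nopasswd})
    return entries

def cmnd_matches(spec, cmnd_line):
    """Match a 'path [args]' spec against a command line with fnmatch rules."""
    if spec == "ALL":
        return True
    spec_path, _, spec_args = spec.partition(" ")
    path, _, args = cmnd_line.partition(" ")
    if spec_path.endswith("/"):  # a directory: any command directly inside it
        if path.rsplit("/", 1)[0] + "/" != spec_path:
            return False
    elif not fnmatch.fnmatchcase(path, spec_path):
        return False
    if spec_args == "":
        return True           # no args in sudoers: any arguments are accepted
    if spec_args == '""':
        return args == ""     # the "" exception: the command takes no arguments
    return fnmatch.fnmatchcase(args, spec_args)  # args compared as one string

def check(entries, cmnd_line, runas_user="root"):
    """Return (allowed, nopasswd); the last matching entry wins."""
    allowed, nopasswd = False, False
    for e in entries:
        if ("ALL" in e["runas"] or runas_user in e["runas"]) \
                and cmnd_matches(e["spec"], cmnd_line):
            allowed, nopasswd = not e["negate"], e["nopasswd"]
    return allowed, nopasswd
```
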

=head1 CAVEATS

The I<sudoers> file should B<always> be edited by the B<visudo>
command which locks the file and does grammatical checking. It is
imperative that the I<sudoers> file be free of syntax errors since B<sudo>
will not run with a syntactically incorrect I<sudoers> file.

=head1 FILES

    /etc/sudoers    file of authorized users.
    /etc/netgroup   list of network groups.

=head1 SEE ALSO

sudo(8), visudo(8), su(1), fnmatch(3).