isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e37e1e56b641f25a1a2ee8ea3f18b48bb6e02eb3
sudo/sudoers.pod
Todd C. Miller a58e3f4b1b better example of su but not root su
1998-02-07 02:55:51 +00:00

292 lines
8.7 KiB
Plaintext
Raw Blame History

=cut
$Id$
=pod
=head1 NAME
sudoers - list of which users may execute what as root
=head1 DESCRIPTION
The I<sudoers> file is composed of an optional host alias section,
an optional command alias section and the user specification section.
All command or host aliases need to start with their respective keywords
(ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).
If there are multiple occurrences of a user, the union of the entries
will be used.
=head2 user specification format:
user access_group [: access_group] ...
access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
[,[(user_list)] [NOPASSWD:] [op]cmnd_type] ...
host_type ::= a lower-case hostname, netgroup, ip address,
network number, network number/netmask,
or host alias.
runas_list ::= comma-separated list of users, groups,
netgroups or Runas_Aliases the user may run
commands as (default is root).
cmnd_type ::= a command OR a command alias.
op ::= the logical "!" NOT operator.
=head2 host alias section format:
Host_Alias HOSTALIAS = host-list
Host_Alias ::= a keyword.
HOSTALIAS ::= an upper-case alias name.
host-list ::= a comma separated list of hosts, netgroups,
ip addresses, networks.
=head2 user alias section format:
User_Alias USERALIAS = user-list
User_Alias ::= a keyword.
USERALIAS ::= an upper-case alias name.
user-list ::= a comma separated list of users, groups, netgroups.
=head2 runas alias section format:
Runas_Alias RUNASALIAS = runas-list
Runas_Alias ::= a keyword.
RUNASALIAS ::= an upper-case alias name.
runas-list ::= a comma separated list of users, groups, netgroups.
=head2 command alias section format:
Cmnd_Alias CMNDALIAS = cmnd-list
Cmnd_Alias ::= a keyword.
CMNDALIAS ::= an upper-case alias name.
cmnd-list ::= a comma separated list commands.
=head2 command specification:
path arg1 arg2 .. argn = command
path ::= a fully qualified pathname.
arg[1..n] ::= optional command line arguments.
=head2 wildcards (aka meta characters):
B<sudo> allows shell-style I<wildcards> along with command arguments
in the I<sudoers> file. Wildcard matching is done via the B<POSIX>
C<fnmatch(3)> routine.
=over 8
=item C<*>
Matches any set of zero or more characters.
=item C<?>
Matches any single character.
=item C<[...]>
Matches any character in the specified range.
=item C<[!...]>
Matches any character B<not> in the specified range.
=item C<\x>
For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "}".
=back
=head2 exceptions to wildcard rules:
The following exceptions apply to the above rules:
=over 8
=item C<"">
If the empty string C<""> is the only command line argument in the
I<sudoers> entry it means that command may take B<no> arguments.
=back
=head2 other special characters and reserved words:
Text after a pound sign (B<#>) is considered a comment.
Words that begin with a percent sign (B<%>) are assumed to
be UN*X groups (%staff refers to users in the group I<staff>).
Words that begin with a plus sign (B<+>) are assumed to
be netgroups (B<+cshosts> refers to the netgroup I<cshosts>).
Long lines can be newline escaped with the backslash B<\> character.
The reserved word B<NOPASSWD> indicates that a user need not
enter a password for the command listed in that entry.
The reserved alias I<ALL> can be used for both {Host,User,Cmnd}_Alias.
B<DO NOT> define an alias of I<ALL>, it will B<NOT> be used.
Note that I<ALL> implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/etc/halt...
Note that the "!" notation only works in a user's command list. You
may not use it to subtract elements in a User_Alias, Host_Alias,
Cmnd_Alias or user list.
Commands may have optional command line arguments. If they do,
then the arguments in the I<sudoers> file must exactly match those
on the command line. It is also possible to have a command's
arguments span multiple lines as long as the line continuance
character "\" is used. The following characters must be escaped
with a "\" if used in command arguments: ",", ":", "=", "\".
=head1 EXAMPLES
# Host alias specification
Host_Alias HUB=houdini:\
REMOTE=merlin,kodiakthorn,spirit
Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
Host_Alias CUNETS=128.138.0.0/255.255.0.0
Host_Alias CSNETS=128.138.243.0,128.138.204.0,\
128.138.205.192
# User alias specification
User_Alias FULLTIME=millert,dowdy,mikef
User_Alias PARTTIME=juola,mccreary,tor
# Runas alias specification
Runas_Alias OP=root,operator
# Command alias specification
Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
Cmnd_Alias SU=/bin/su
Cmnd_Alias MISC=/bin/rm,/bin/cat:\
SHUTDOWN=/etc/halt,/etc/shutdown
# User specification
FULLTIME ALL=(ALL) NOPASSWD: ALL
%wheel ALL=ALL
PARTTIME ALL=ALL,!SHELLS,!SU
+interns +openlabs=ALL,!SHELLS,!SU
britt REMOTE=SHUTDOWN:ALL=LPCS
jimbo CUNETS=/bin/su ?*,!/bin/su *root*
nieusma SERVERS=SHUTDOWN,/etc/reboot:\
HUB=ALL,!SHELLS
jill houdini=/etc/shutdown -[hr] now,MISC
markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\
kodiakthorn=NOPASSWD: ALL
steve CSNETS=(operator) /usr/op_commands/
=head2 Host Alias specifications:
The are four I<host aliases>. The first actually contains
two I<aliases>. It sets C<HUB> to be C<houdini> and C<REMOTE>
to the three machines C<merlin>, C<kodiakthorn> and C<spirit>.
Similarly, C<SERVERS> is set to the machines C<houdini>, C<merlin>,
C<kodiakthorn> and C<spirit>. The C<CSNETS> alias will match
any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192
nets. The C<CUNETS> alias will match any host on the 128.138.0.0
(class B) network. Note that these are B<network> addresses, not ip
addresses. Unless an explicate netmask is given, the local I<netmask>
is used to determine whether or not the current host belongs to a network.
=head2 User Alias specifications:
The two I<user aliases> simply groups the C<FULLTIME> and
C<PARTTIME> folks into two separate aliases.
=head2 Command alias specifications:
Command aliases are lists of commands with or without associated
command line arguments. The entries above should be self-explanatory.
=head2 User specifications:
=over 16
=item FULLTIME
Full-time sysadmins in the C<FULLTIME> alias may run any
command on any host as any user without a password.
=item %wheel
Any user in the UN*X group C<wheel> may run any
command on any host.
=item PARTTIME
Part-time sysadmins in the C<PARTTIME> alias may run any
command except those in the C<SHELLS> and C<SU> aliases
on any host.
=item +interns
Any user in the netgroup C<interns> may run any
command except those in the C<SHELLS> and C<SU> aliases
on any host that is in the C<openlabs> netgroup.
=item britt
The user C<britt> may run commands in the C<SHUTDOWN> alias
on the C<REMOTE> machines and commands in the C<LPCS> alias
on any machine.
=item jimbo
The user C<jimbo> may C<su> to any user save root on the
machines on C<CUNETS> (which is explicately listed as a class
B network).
=item nieusma
The user C<nieusma> may run commands in the C<SHUTDOWN> alias
as well as F</etc/reboot> on the C<SERVER> machines and
any command except those in the C<SHELLS> alias on the C<HUB>
machines.
=item jill
The user C<jill> may run C</etc/shutdown -h now> or
C</etc/shutdown -r now> as well as the commands in the
C<MISC> alias on houdini.
=item markm
The user C<markm> may run any command on the C<HUB> machines
except F</etc/shutdown>, F</etc/halt>, and commands listed
in the C<MISC> alias.
=item davehieb
The user C<davehieb> may run any command on C<merlin> as any
user in the Runas_Alias OP (ie: root or operator). He may
also run F</etc/halt> on the C<SERVERS> and any command
on C<kodiakthorn> (no password required on C<kodiakthorn>).
=item steve
The user C<steve> may run any command in the F</usr/op_commands/>
directory as user C<operator> on the machines on C<CSNETS>.
=back
=head1 CAVEATS
The I<sudoers> file should B<always> be edited by the B<visudo>
command which locks the file and does grammatical checking. It is
imperative that the I<sudoers> be free of syntax errors since sudo
will not run with a syntactically incorrect I<sudoers> file.
=head1 FILES
/etc/sudoers file of authorized users.
/etc/netgroup list of network groups.
=head1 SEE ALSO
sudo(8), visudo(8), su(1), fnmatch(3).
Reference in New Issue View Git Blame Copy Permalink