sudo/sudoers.html
1999-01-17 21:31:39 +00:00

<HTML>
<HEAD>
<TITLE>sudoers - list of which users may execute what as root
</TITLE>
</HEAD>
<BODY>
<!-- INDEX BEGIN -->
<UL>
<LI><A HREF="#NAME">NAME</A>
<LI><A HREF="#DESCRIPTION">DESCRIPTION</A>
<UL>
<LI><A HREF="#user_specification_format_">user specification format:</A>
<LI><A HREF="#host_alias_section_format_">host alias section format:</A>
<LI><A HREF="#user_alias_section_format_">user alias section format:</A>
<LI><A HREF="#runas_alias_section_format_">runas alias section format:</A>
<LI><A HREF="#command_alias_section_format_">command alias section format:</A>
<LI><A HREF="#command_specification_">command specification:</A>
<LI><A HREF="#wildcards_aka_meta_characters_">wildcards (aka meta characters):</A>
<LI><A HREF="#exceptions_to_wildcard_rules_">exceptions to wildcard rules:</A>
<LI><A HREF="#other_special_characters_and_res">other special characters and reserved words:</A>
</UL>
<LI><A HREF="#EXAMPLES">EXAMPLES</A>
<UL>
<LI><A HREF="#Host_Alias_specifications_">Host Alias specifications:</A>
<LI><A HREF="#User_Alias_specifications_">User Alias specifications:</A>
<LI><A HREF="#Command_alias_specifications_">Command alias specifications:</A>
<LI><A HREF="#User_specifications_">User specifications:</A>
</UL>
<LI><A HREF="#CAVEATS">CAVEATS</A>
<LI><A HREF="#FILES">FILES</A>
<LI><A HREF="#SEE_ALSO">SEE ALSO</A>
</UL>
<!-- INDEX END -->
<HR>
<P>
<HR>
<H1><A NAME="NAME">NAME
</A></H1>
sudoers - list of which users may execute what as root
<P>
<P>
<HR>
<H1><A NAME="DESCRIPTION">DESCRIPTION
</A></H1>
The <EM>sudoers</EM> file is composed of optional host, user, runas and command
alias sections and the user specification section. Every alias definition
must start with its respective keyword (i.e. Host_Alias, User_Alias,
Runas_Alias or Cmnd_Alias). If there are multiple occurrences
of a user, the union of the entries will be used.
<P>
<P>
<HR>
<H2><A NAME="user_specification_format_">user specification format:
</A></H2>
<PRE> user access_group [: access_group] ...
</PRE>
<P>
<PRE> access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
[,[(runas_list)] [NOPASSWD:] [op]cmnd_type] ...
host_type ::= a lower-case hostname, netgroup, ip address,
network number, network number/netmask,
or host alias.
runas_list ::= comma-separated list of users, groups,
netgroups or Runas_Aliases the user may run
commands as (default is root).
cmnd_type ::= a command OR a command alias.
op ::= the logical &quot;!&quot; NOT operator.
</PRE>
<P>
<P>
<HR>
<H2><A NAME="host_alias_section_format_">host alias section format:
</A></H2>
<PRE> Host_Alias HOSTALIAS = host-list
</PRE>
<P>
<PRE> Host_Alias ::= a keyword.
HOSTALIAS ::= an upper-case alias name.
host-list ::= a comma separated list of hosts, netgroups,
ip addresses, networks.
</PRE>
<P>
<P>
<HR>
<H2><A NAME="user_alias_section_format_">user alias section format:
</A></H2>
<PRE> User_Alias USERALIAS = user-list
</PRE>
<P>
<PRE> User_Alias ::= a keyword.
USERALIAS ::= an upper-case alias name.
user-list ::= a comma separated list of users, groups, netgroups.
</PRE>
<P>
<P>
<HR>
<H2><A NAME="runas_alias_section_format_">runas alias section format:
</A></H2>
<PRE> Runas_Alias RUNASALIAS = runas-list
</PRE>
<P>
<PRE> Runas_Alias ::= a keyword.
RUNASALIAS ::= an upper-case alias name.
runas-list ::= a comma separated list of users, groups, netgroups.
</PRE>
<P>
<P>
<HR>
<H2><A NAME="command_alias_section_format_">command alias section format:
</A></H2>
<PRE> Cmnd_Alias CMNDALIAS = cmnd-list
</PRE>
<P>
<PRE> Cmnd_Alias ::= a keyword.
CMNDALIAS ::= an upper-case alias name.
cmnd-list ::= a comma separated list commands.
</PRE>
<P>
<P>
<HR>
<H2><A NAME="command_specification_">command specification:
</A></H2>
<PRE> path arg1 arg2 .. argn = command
</PRE>
<P>
<PRE> path ::= a fully qualified pathname.
arg[1..n] ::= optional command line arguments.
</PRE>
<P>
<P>
<HR>
<H2><A NAME="wildcards_aka_meta_characters_">wildcards (aka meta characters):
</A></H2>
<STRONG>sudo</STRONG> allows shell-style <EM>wildcards</EM> along with command arguments in the <EM>sudoers</EM> file. Wildcard matching is done via the <STRONG>POSIX</STRONG>
<CODE>fnmatch(3)</CODE> routine.
<P>
<DL>
<DT><STRONG><A NAME="item__">*
</A></STRONG><DD>
Matches any set of zero or more characters.
<P>
<DT><STRONG><A NAME="item__">?
</A></STRONG><DD>
Matches any single character.
<P>
<DT><STRONG><A NAME="item__">[...]
</A></STRONG><DD>
Matches any character in the specified range.
<P>
<DT><STRONG><A NAME="item__">[!...]
</A></STRONG><DD>
Matches any character <STRONG>not</STRONG> in the specified range.
<P>
<DT><STRONG><A NAME="item__x">\x
</A></STRONG><DD>
For any character ``x'', evaluates to ``x''. This is used to escape special
characters such as: ``*'', ``?'', ``['', and ``]''.
<P>
</DL>
<P>
<HR>
<H2><A NAME="exceptions_to_wildcard_rules_">exceptions to wildcard rules:
</A></H2>
The following exceptions apply to the above rules:
<P>
<DL>
<DT><STRONG><A NAME="item__">""
</A></STRONG><DD>
If the empty string <CODE>""</CODE> is the only command line argument in the
<EM>sudoers</EM> entry it means that command may take <STRONG>no</STRONG> arguments.
<P>
</DL>
<P>
<HR>
<H2><A NAME="other_special_characters_and_res">other special characters and reserved words:
</A></H2>
Text after a pound sign (<STRONG>#</STRONG>) is considered a comment. Words that begin with a percent sign (<STRONG>%</STRONG>) are assumed to be UN*X groups (%staff refers to users in the group <EM>staff</EM>). Words that begin with a plus sign (<STRONG>+</STRONG>) are assumed to be netgroups (<STRONG>+cshosts</STRONG> refers to the netgroup <EM>cshosts</EM>). Long lines can be newline escaped with the backslash <STRONG>\</STRONG> character. The reserved word <STRONG>NOPASSWD</STRONG> indicates that a user need not enter a password for the command listed in
that entry.
<P>
The reserved alias <EM>ALL</EM> can be used for both {Host,User,Cmnd}_Alias.
<STRONG>DO NOT</STRONG> define an alias of <EM>ALL</EM>, it will <STRONG>NOT</STRONG> be used. Note that <EM>ALL</EM> implies the entire universe of hosts/users/commands. You can subtract
elements from the universe by using the syntax: user
host=ALL,!ALIAS1,!/etc/halt... Note that the ``!'' notation only works in a
user's command list. You may not use it to subtract elements in a
User_Alias, Host_Alias, Cmnd_Alias or user list.
<P>
Commands may have optional command line arguments. If they do, then the
arguments in the <EM>sudoers</EM> file must exactly match those on the command line. It is also possible to
have a command's arguments span multiple lines as long as the line
continuance character ``\'' is used. The following characters must be
escaped with a ``\'' if used in command arguments: ``,'', ``:'', ``='',
``\''.
<P>
<P>
<HR>
<H1><A NAME="EXAMPLES">EXAMPLES
</A></H1>
<PRE> # Host alias specification
Host_Alias HUB=houdini:\
REMOTE=merlin,kodiakthorn,spirit
Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
Host_Alias CUNETS=128.138.0.0/255.255.0.0
Host_Alias CSNETS=128.138.243.0,128.138.204.0,\
128.138.205.192
</PRE>
<P>
<PRE> # User alias specification
User_Alias FULLTIME=millert,dowdy,mikef
User_Alias PARTTIME=juola,mccreary,tor
</PRE>
<P>
<PRE> # Runas alias specification
Runas_Alias OP=root,operator
</PRE>
<P>
<PRE> # Command alias specification
Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
Cmnd_Alias SU=/bin/su
Cmnd_Alias MISC=/bin/rm,/bin/cat:\
SHUTDOWN=/etc/halt,/etc/shutdown
</PRE>
<P>
<PRE> # User specification
FULLTIME ALL=(ALL) NOPASSWD: ALL
%wheel ALL=ALL
PARTTIME ALL=ALL,!SHELLS,!SU
+interns +openlabs=ALL,!SHELLS,!SU
britt REMOTE=SHUTDOWN:ALL=LPCS
jimbo CUNETS=/bin/su ?*,!/bin/su *root*
nieusma SERVERS=SHUTDOWN,/etc/reboot:\
HUB=ALL,!SHELLS
jill houdini=/etc/shutdown -[hr] now,MISC
markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\
kodiakthorn=NOPASSWD: ALL
steve CSNETS=(operator) /usr/op_commands/
</PRE>
<P>
<P>
<HR>
<H2><A NAME="Host_Alias_specifications_">Host Alias specifications:
</A></H2>
There are four <EM>host aliases</EM>. The first actually contains two <EM>aliases</EM>. It sets <CODE>HUB</CODE> to be <CODE>houdini</CODE> and <CODE>REMOTE</CODE>
to the three machines <CODE>merlin</CODE>, <CODE>kodiakthorn</CODE> and <CODE>spirit</CODE>. Similarly, <CODE>SERVERS</CODE> is set to the machines <CODE>houdini</CODE>, <CODE>merlin</CODE>,
<CODE>kodiakthorn</CODE> and <CODE>spirit</CODE>. The <CODE>CSNETS</CODE> alias will match any host on the 128.138.243.0, 128.138.204.0, or
128.138.205.192 nets. The <CODE>CUNETS</CODE> alias will match any host on the 128.138.0.0 (class B) network. Note that
these are <STRONG>network</STRONG> addresses, not ip addresses. Unless an explicit netmask is given, the
local <EM>netmask</EM> is used to determine whether or not the current host belongs to a network,
so an entry without a netmask may match a different set of hosts on machines whose interfaces are configured differently.
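<P>
The host matching just described, as an added example in Python (not sudo's own code, which is C). It takes the local netmask as a parameter so the netmask dependence of a bare network number can be seen directly; the host names and addresses it is run against are constructed, and netgroup entries (<CODE>+name</CODE>), which need an NIS lookup, are treated as never matching.
<P>
```python
"""Host-list matching as this page describes it (added example, not sudo's code)."""
import ipaddress


def host_matches(entry, host_name, host_ip, local_netmask):
    """Match one host-list entry: ALL, a lower-case hostname, an ip address,
    a network number, or network/netmask.  A bare network number is completed
    with the local netmask, so the same sudoers entry can match a different
    set of hosts on machines whose interfaces are configured differently.
    Netgroups (+name) need an NIS lookup that is not modelled here."""
    if entry == "ALL":
        return True
    if entry.startswith("+"):
        return False
    addr = ipaddress.ip_address(host_ip)
    try:
        if "/" in entry:                                  # network/netmask
            return addr in ipaddress.ip_network(entry, strict=False)
        if ipaddress.ip_address(entry) == addr:           # an exact ip address
            return True
        # A network number without a mask: apply the local netmask.
        return addr in ipaddress.ip_network(f"{entry}/{local_netmask}", strict=False)
    except ValueError:                                    # not numeric: a hostname
        return entry == host_name.lower()


if __name__ == "__main__":
    # The CSNETS entry 128.138.205.192 from the page; host lab1 is constructed.
    for mask in ("255.255.255.0", "255.255.255.192"):
        print(mask, host_matches("128.138.205.192", "lab1", "128.138.205.10", mask))
```
<P>
With a /24 local netmask the entry <CODE>128.138.205.192</CODE> covers the whole 128.138.205.0 net; with /26 it covers only 128.138.205.192 through .255. Give the netmask explicitly, as <CODE>CUNETS</CODE> does, when the intended range must not depend on the evaluating host.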
<P>
<P>
<HR>
<H2><A NAME="User_Alias_specifications_">User Alias specifications:
</A></H2>
The two <EM>user aliases</EM> simply group the <A HREF="#item_FULLTIME">FULLTIME</A> and
<A HREF="#item_PARTTIME">PARTTIME</A> folks into two separate aliases.
<P>
<P>
<HR>
<H2><A NAME="Command_alias_specifications_">Command alias specifications:
</A></H2>
Command aliases are lists of commands with or without associated command
line arguments. The entries above should be self-explanatory.
<P>
<P>
<HR>
<H2><A NAME="User_specifications_">User specifications:
</A></H2>
<DL>
<DT><STRONG><A NAME="item_FULLTIME">FULLTIME
</A></STRONG><DD>
Full-time sysadmins in the <A HREF="#item_FULLTIME">FULLTIME</A> alias may run any command on any host as any user without a password.
<P>
<DT><STRONG><A NAME="item__wheel">%wheel
</A></STRONG><DD>
Any user in the UN*X group <CODE>wheel</CODE> may run any command on any host.
<P>
<DT><STRONG><A NAME="item_PARTTIME">PARTTIME
</A></STRONG><DD>
Part-time sysadmins in the <A HREF="#item_PARTTIME">PARTTIME</A> alias may run any command except those in the <CODE>SHELLS</CODE> and <CODE>SU</CODE> aliases on any host.
<P>
<DT><STRONG><A NAME="item__interns">+interns
</A></STRONG><DD>
Any user in the netgroup <CODE>interns</CODE> may run any command except those in the <CODE>SHELLS</CODE> and <CODE>SU</CODE> aliases on any host that is in the <CODE>openlabs</CODE> netgroup.
<P>
<DT><STRONG><A NAME="item_britt">britt
</A></STRONG><DD>
The user <A HREF="#item_britt">britt</A> may run commands in the <CODE>SHUTDOWN</CODE> alias on the <CODE>REMOTE</CODE> machines and commands in the <CODE>LPCS</CODE> alias on any machine.
<P>
<DT><STRONG><A NAME="item_jimbo">jimbo
</A></STRONG><DD>
The user <A HREF="#item_jimbo">jimbo</A> may <CODE>su</CODE> to any user save root on the machines on <CODE>CUNETS</CODE> (which is explicitly listed as a class B network).
<P>
<DT><STRONG><A NAME="item_nieusma">nieusma
</A></STRONG><DD>
The user <A HREF="#item_nieusma">nieusma</A> may run commands in the <CODE>SHUTDOWN</CODE> alias as well as <EM>/etc/reboot</EM> on the <CODE>SERVERS</CODE> machines and any command except those in the <CODE>SHELLS</CODE> alias on the <CODE>HUB</CODE>
machines.
<P>
<DT><STRONG><A NAME="item_jill">jill
</A></STRONG><DD>
The user <A HREF="#item_jill">jill</A> may run <CODE>/etc/shutdown -h now</CODE> or
<CODE>/etc/shutdown -r now</CODE> as well as the commands in the
<CODE>MISC</CODE> alias on houdini.
<P>
<DT><STRONG><A NAME="item_markm">markm
</A></STRONG><DD>
The user <A HREF="#item_markm">markm</A> may run any command on the <CODE>HUB</CODE> machines except <EM>/etc/shutdown</EM>, <EM>/etc/halt</EM>, and commands listed in the <CODE>MISC</CODE> alias.
<P>
<DT><STRONG><A NAME="item_davehieb">davehieb
</A></STRONG><DD>
The user <A HREF="#item_davehieb">davehieb</A> may run any command on <CODE>merlin</CODE> as any user in the Runas_Alias OP (ie: root or operator). He may also run <EM>/etc/halt</EM> on the <CODE>SERVERS</CODE> and any command on <CODE>kodiakthorn</CODE> (no password required on <CODE>kodiakthorn</CODE>).
<P>
<DT><STRONG><A NAME="item_steve">steve
</A></STRONG><DD>
The user <A HREF="#item_steve">steve</A> may run any command in the <EM>/usr/op_commands/</EM>
directory as user <CODE>operator</CODE> on the machines on <CODE>CSNETS</CODE>.
<P>
</DL>
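<P>
The matching rules from the wildcard, exception and special-character sections above, applied to the command lists of the examples, as an added example in Python (not sudo's own code, which is C). It assumes an <CODE>ALIASES</CODE> table built from the page's Cmnd_Alias examples, evaluates only the command list of one access group (hosts, runas lists and <CODE>NOPASSWD</CODE> are out of scope), applies entries in order with the last match deciding as sudo does, and compares arguments as one space-joined string, so a ``*'' in an argument pattern can span several words. When splitting the list only ``\,'' is unescaped; every other ``\x'' pair is left for the wildcard translator, which reads it as a literal x. The commands it is run against are constructed; the <CODE>/tmp/sh</CODE> case shows that ``!'' subtracts pathnames, not programs.
<P>
```python
"""Command-list matching as this page describes it (added example, not sudo's code).

One command list (the part of a user specification after ``host=``) is
evaluated against the command a user ran.  Hosts, runas lists and NOPASSWD
are outside its scope.
"""
import os
import re

# Assumed table built from the page's Cmnd_Alias examples.
ALIASES = {
    "SHELLS": "/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh",
    "SU": "/bin/su",
    "MISC": "/bin/rm,/bin/cat",
    "SHUTDOWN": "/etc/halt,/etc/shutdown",
}


def split_cmnd_list(spec):
    """Split a command list on unescaped commas.  Only ``\\,`` is unescaped;
    other ``\\x`` pairs are kept for glob_to_regex (so ``\\*`` stays literal)."""
    items, buf, i = [], [], 0
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec):
            buf.append("," if spec[i + 1] == "," else spec[i:i + 2])
            i += 2
            continue
        if spec[i] == ",":
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(spec[i])
        i += 1
    items.append("".join(buf).strip())
    return [item for item in items if item]


def glob_to_regex(pat):
    """Translate the wildcards listed above (*, ?, [...], [!...], \\x)."""
    out, i = [], 0
    while i < len(pat):
        c = pat[i]
        if c == "\\" and i + 1 < len(pat):          # \x is a literal x
            out.append(re.escape(pat[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[" and pat.find("]", i + 2) != -1:
            j = pat.find("]", i + 2)
            body = pat[i + 1:j]
            out.append("[^" + body[1:] + "]" if body.startswith("!") else "[" + body + "]")
            i = j                                   # continue after the closing bracket
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def parse_cmnd(item):
    """'!/bin/su *root*' -> (negated, path, args); args is None when the entry
    lists none, in which case any arguments are accepted."""
    negated = item.startswith("!")
    parts = item.lstrip("!").split()
    return negated, parts[0], (parts[1:] or None)


def cmnd_matches(path_pat, arg_pat, user_path, user_args):
    """Match one entry against the command the user ran."""
    if path_pat == "ALL":
        return True
    if path_pat.endswith("/"):
        # A directory: any command directly inside it, not in subdirectories.
        if os.path.dirname(user_path) + "/" != path_pat:
            return False
    elif not re.fullmatch(glob_to_regex(path_pat), user_path):
        return False
    if arg_pat is None:
        return True
    if arg_pat == ['""']:
        return not user_args                     # "" means: no arguments at all
    # Arguments are compared as one space-joined string, so ``*root*`` matches ``- root``.
    return re.fullmatch(glob_to_regex(" ".join(arg_pat)), " ".join(user_args), re.DOTALL) is not None


def allowed(cmnd_list, user_path, user_args, aliases=ALIASES):
    """Evaluate a whole command list: entries apply in order and the last
    matching one decides, so ``ALL,!SHELLS`` denies a shell while
    ``!SHELLS,ALL`` would permit it."""
    verdict = False
    for item in split_cmnd_list(cmnd_list):
        negated, path_pat, arg_pat = parse_cmnd(item)
        if path_pat in aliases:
            members = [parse_cmnd(m)[1:] for m in split_cmnd_list(aliases[path_pat])]
            hit = any(cmnd_matches(p, a, user_path, user_args) for p, a in members)
        else:
            hit = cmnd_matches(path_pat, arg_pat, user_path, user_args)
        if hit:
            verdict = not negated
    return verdict


if __name__ == "__main__":
    # Command lists from the page's EXAMPLES; the commands run are constructed.
    for cmnd_list, path, args in [
        ("ALL,!SHELLS,!SU", "/bin/sh", []),                        # False
        ("ALL,!SHELLS,!SU", "/tmp/sh", []),                        # True: a copied shell is not in SHELLS
        ("/bin/su ?*,!/bin/su *root*", "/bin/su", ["-", "root"]),  # False: ``*root*`` spans the two words
        ("/etc/shutdown -[hr] now,MISC", "/etc/shutdown", ["-k", "now"]),  # False
        ("/usr/op_commands/", "/usr/op_commands/sub/x", []),      # False: subdirectory
    ]:
        print(cmnd_list, path, args, "->", allowed(cmnd_list, path, args))
```
<P>
<CODE>allowed()</CODE> is the entry point. Reordering a list to <CODE>!SHELLS,ALL</CODE> shows the last-match rule, and the <CODE>/tmp/sh</CODE> case shows why a list built from <EM>ALL</EM> minus a few pathnames is a convenience rather than a boundary.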
<P>
<HR>
<H1><A NAME="CAVEATS">CAVEATS
</A></H1>
The <EM>sudoers</EM> file should <STRONG>always</STRONG> be edited by the <STRONG>visudo</STRONG>
command which locks the file and does grammatical checking. It is
imperative that the <EM>sudoers</EM> file be free of syntax errors since sudo will not run with a syntactically
incorrect <EM>sudoers</EM> file.
<P>
Subtracting commands from <EM>ALL</EM> with the ``!'' operator, as several of the
examples above do, restricts only the listed pathnames. Since commands are matched
by fully qualified pathname, a user granted <CODE>ALL,!SHELLS</CODE> can copy
<EM>/bin/sh</EM> to another name and run the copy; treat ``!'' as a convenience and
grant only the commands a user actually needs.
<P>
<P>
<HR>
<H1><A NAME="FILES">FILES
</A></H1>
<PRE> /etc/sudoers file of authorized users.
/etc/netgroup list of network groups.
</PRE>
<P>
<P>
<HR>
<H1><A NAME="SEE_ALSO">SEE ALSO
</A></H1>
<CODE><A HREF="sudo.html">sudo(8)</A>,</CODE> <CODE><A HREF="visudo.html">visudo(8)</A>,</CODE> <CODE>su(1),</CODE> <CODE>fnmatch(3).</CODE>
<P>
</BODY>
</HTML>