1SUDOERS(5)                  BSD File Formats Manual                 SUDOERS(5)
2

NAME

4     sudoers — default sudo security policy plugin
5

DESCRIPTION

7     The sudoers policy plugin determines a user's sudo privileges.  It is the
8     default sudo policy plugin.  The policy is driven by the /etc/sudoers
9     file or, optionally in LDAP.  The policy format is described in detail in
10     the SUDOERS FILE FORMAT section.  For information on storing sudoers pol‐
11     icy information in LDAP, please see sudoers.ldap(5).
12
13   Configuring sudo.conf for sudoers
14     sudo consults the sudo.conf(5) file to determine which policy and and I/O
15     logging plugins to load.  If no sudo.conf(5) file is present, or if it
16     contains no Plugin lines, sudoers will be used for policy decisions and
17     I/O logging.  To explicitly configure sudo.conf(5) to use the sudoers
18     plugin, the following configuration can be used.
19
20           Plugin sudoers_policy sudoers.so
21           Plugin sudoers_io sudoers.so
22
23     Starting with sudo 1.8.5, it is possible to specify optional arguments to
24     the sudoers plugin in the sudo.conf(5) file.  These arguments, if
25     present, should be listed after the path to the plugin (i.e. after
26     sudoers.so).  Multiple arguments may be specified, separated by white
27     space.  For example:
28
29           Plugin sudoers_policy sudoers.so sudoers_mode=0400
30
31     The following plugin arguments are supported:
32
33     ldap_conf=pathname
34               The ldap_conf argument can be used to override the default path
35               to the ldap.conf file.
36
37     ldap_secret=pathname
38               The ldap_secret argument can be used to override the default
39               path to the ldap.secret file.
40
41     sudoers_file=pathname
42               The sudoers_file argument can be used to override the default
43               path to the sudoers file.
44
45     sudoers_uid=uid
46               The sudoers_uid argument can be used to override the default
47               owner of the sudoers file.  It should be specified as a numeric
48               user ID.
49
50     sudoers_gid=gid
51               The sudoers_gid argument can be used to override the default
52               group of the sudoers file.  It must be specified as a numeric
53               group ID (not a group name).
54
55     sudoers_mode=mode
56               The sudoers_mode argument can be used to override the default
57               file mode for the sudoers file.  It should be specified as an
58               octal value.
59
60     For more information on configuring sudo.conf(5), please refer to its
61     manual.
62
63   User Authentication
64     The sudoers security policy requires that most users authenticate them‐
65     selves before they can use sudo.  A password is not required if the
66     invoking user is root, if the target user is the same as the invoking
67     user, or if the policy has disabled authentication for the user or com‐
68     mand.  Unlike su(1), when sudoers requires authentication, it validates
69     the invoking user's credentials, not the target user's (or root's) cre‐
70     dentials.  This can be changed via the rootpw, targetpw and runaspw
71     flags, described later.
72
73     If a user who is not listed in the policy tries to run a command via
74     sudo, mail is sent to the proper authorities.  The address used for such
75     mail is configurable via the mailto Defaults entry (described later) and
76     defaults to root.
77
78     Note that no mail will be sent if an unauthorized user tries to run sudo
79     with the -l or -v option unless there is an authentication error and
80     either the mail_always or mail_badpass flags are enabled.  This allows
81     users to determine for themselves whether or not they are allowed to use
82     sudo.  All attempts to run sudo (successful or not) will be logged,
83     regardless of whether or not mail is sent.
84
85     If sudo is run by root and the SUDO_USER environment variable is set, the
86     sudoers policy will use this value to determine who the actual user is.
87     This can be used by a user to log commands through sudo even when a root
88     shell has been invoked.  It also allows the -e option to remain useful
89     even when invoked via a sudo-run script or program.  Note, however, that
90     the sudoers file lookup is still done for root, not the user specified by
91     SUDO_USER.
92
93     sudoers uses per-user time stamp files for credential caching.  Once a
94     user has been authenticated, a record is written containing the user ID
95     that was used to authenticate, the terminal session ID, the start time of
96     the session leader (or parent process) and a time stamp (using a mono‐
97     tonic clock if one is available).  The user may then use sudo without a
98     password for a short period of time (5 minutes unless overridden by the
99     timestamp_timeout option).  By default, sudoers uses a separate record
100     for each terminal, which means that a user's login sessions are authenti‐
101     cated separately.  The timestamp_type option can be used to select the
102     type of time stamp record sudoers will use.
103
104   Logging
105     sudoers can log both successful and unsuccessful attempts (as well as
106     errors) to syslog(3), a log file, or both.  By default, sudoers will log
107     via syslog(3) but this is changeable via the syslog and logfile Defaults
108     settings.  See LOG FORMAT for a description of the log file format.
109
110     sudoers is also capable of running a command in a pseudo-tty and logging
111     all input and/or output.  The standard input, standard output and stan‐
112     dard error can be logged even when not associated with a terminal.  I/O
113     logging is not on by default but can be enabled using the log_input and
114     log_output options as well as the LOG_INPUT and LOG_OUTPUT command tags.
115     See I/O LOG FILES for details on how I/O log files are stored.
116
117   Command environment
118     Since environment variables can influence program behavior, sudoers pro‐
119     vides a means to restrict which variables from the user's environment are
120     inherited by the command to be run.  There are two distinct ways sudoers
121     can deal with environment variables.
122
123     By default, the env_reset option is enabled.  This causes commands to be
124     executed with a new, minimal environment.  On AIX (and Linux systems
125     without PAM), the environment is initialized with the contents of the
126     /etc/environment file.  The new environment contains the TERM, PATH,
127     HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addi‐
128     tion to variables from the invoking process permitted by the env_check
129     and env_keep options.  This is effectively a whitelist for environment
130     variables.  The environment variables LOGNAME, USER and USERNAME are
131     treated specially.  If one or more variables are preserved from the
132     invoking process, any of the three remaining variables (that were not
133     explicitly preserved) will be set to the same value as the first one in
134     the list that was preserved.  This avoids an inconsistent environment
135     where some of the variables describing the user name are set to the
136     invoking user and some are set to the target user.  () are removed unless
137     both the name and value parts are matched by env_keep or env_check, as
138     they may be interpreted as functions by the bash shell.  Prior to version
139     1.8.11, such variables were always removed.
140
141     If, however, the env_reset option is disabled, any variables not explic‐
142     itly denied by the env_check and env_delete options are inherited from
143     the invoking process.  In this case, env_check and env_delete behave like
144     a blacklist.  Prior to version 1.8.21, environment variables with a value
145     beginning with () were always removed.  Beginning with version 1.8.21, a
146     pattern in env_delete is used to match bash shell functions instead.
147     Since it is not possible to blacklist all potentially dangerous environ‐
148     ment variables, use of the default env_reset behavior is encouraged.
149
150     Environment variables specified by env_check, env_delete, or env_keep may
151     include one or more ‘*’ characters which will match zero or more charac‐
152     ters.  No other wildcard characters are supported.
153
154     By default, environment variables are matched by name.  However, if the
155     pattern includes an equal sign (‘=’), both the variables name and value
156     must match.  For example, a bash shell function could be matched as fol‐
157     lows:
158
159         env_keep += "BASH_FUNC_my_func%%=()*"
160
161     Without the “=()*” suffix, this would not match, as bash shell functions
162     are not preserved by default.
163
164     The complete list of environment variables that sudo allows or denies is
165     contained in the output of “sudo -V” when run as root.  Please note that
166     this list varies based on the operating system sudo is running on.
167
168     On systems that support PAM where the pam_env module is enabled for sudo,
169     variables in the PAM environment may be merged in to the environment.  If
170     a variable in the PAM environment is already present in the user's envi‐
171     ronment, the value will only be overridden if the variable was not pre‐
172     served by sudoers.  When env_reset is enabled, variables preserved from
173     the invoking user's environment by the env_keep list take precedence over
174     those in the PAM environment.  When env_reset is disabled, variables
175     present the invoking user's environment take precedence over those in the
176     PAM environment unless they match a pattern in the env_delete list.
177
178     Note that the dynamic linker on most operating systems will remove vari‐
179     ables that can control dynamic linking from the environment of setuid
180     executables, including sudo.  Depending on the operating system this may
181     include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
182     These type of variables are removed from the environment before sudo even
183     begins execution and, as such, it is not possible for sudo to preserve
184     them.
185
186     As a special case, if sudo's -i option (initial login) is specified,
187     sudoers will initialize the environment regardless of the value of
188     env_reset.  The DISPLAY, PATH and TERM variables remain unchanged; HOME,
189     MAIL, SHELL, USER, and LOGNAME are set based on the target user.  On AIX
190     (and Linux systems without PAM), the contents of /etc/environment are
191     also included.  All other environment variables are removed unless per‐
192     mitted by env_keep or env_check, described above.
193
194     Finally, the restricted_env_file and env_file files are applied, if
195     present.  The variables in restricted_env_file are applied first and are
196     subject to the same restrictions as the invoking user's environment, as
197     detailed above.  The variables in env_file are applied last and are not
198     subject to these restrictions.  In both cases, variables present in the
199     files will only be set to their specified values if they would not con‐
200     flict with an existing environment variable.
201

SUDOERS FILE FORMAT

203     The sudoers file is composed of two types of entries: aliases (basically
204     variables) and user specifications (which specify who may run what).
205
206     When multiple entries match for a user, they are applied in order.  Where
207     there are multiple matches, the last match is used (which is not neces‐
208     sarily the most specific match).
209
210     The sudoers file grammar will be described below in Extended Backus-Naur
211     Form (EBNF).  Don't despair if you are unfamiliar with EBNF; it is fairly
212     simple, and the definitions below are annotated.
213
214   Quick guide to EBNF
215     EBNF is a concise and exact way of describing the grammar of a language.
216     Each EBNF definition is made up of production rules.  E.g.,
217
218     symbol ::= definition | alternate1 | alternate2 ...
219
220     Each production rule references others and thus makes up a grammar for
221     the language.  EBNF also contains the following operators, which many
222     readers will recognize from regular expressions.  Do not, however, con‐
223     fuse them with “wildcard” characters, which have different meanings.
224
225     ?     Means that the preceding symbol (or group of symbols) is optional.
226           That is, it may appear once or not at all.
227
228     *     Means that the preceding symbol (or group of symbols) may appear
229           zero or more times.
230
231     +     Means that the preceding symbol (or group of symbols) may appear
232           one or more times.
233
234     Parentheses may be used to group symbols together.  For clarity, we will
235     use single quotes ('') to designate what is a verbatim character string
236     (as opposed to a symbol name).
237
238   Aliases
239     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
240     Cmnd_Alias.
241
242     Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
243               'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
244               'Host_Alias'  Host_Alias (':' Host_Alias)* |
245               'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*
246
247     User_Alias ::= NAME '=' User_List
248
249     Runas_Alias ::= NAME '=' Runas_List
250
251     Host_Alias ::= NAME '=' Host_List
252
253     Cmnd_Alias ::= NAME '=' Cmnd_List
254
255     NAME ::= [A-Z]([A-Z][0-9]_)*
256
257     Each alias definition is of the form
258
259     Alias_Type NAME = item1, item2, ...
260
261     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
262     Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and under‐
263     score characters (‘_’).  A NAME must start with an uppercase letter.  It
264     is possible to put several alias definitions of the same type on a single
265     line, joined by a colon (‘:’).  E.g.,
266
267     Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
268
269     It is a syntax error to redefine an existing alias.  It is possible to
270     use the same name for aliases of different types, but this is not recom‐
271     mended.
272
273     The definitions of what constitutes a valid alias member follow.
274
275     User_List ::= User |
276                   User ',' User_List
277
278     User ::= '!'* user name |
279              '!'* #uid |
280              '!'* %group |
281              '!'* %#gid |
282              '!'* +netgroup |
283              '!'* %:nonunix_group |
284              '!'* %:#nonunix_gid |
285              '!'* User_Alias
286
287     A User_List is made up of one or more user names, user IDs (prefixed with
288     ‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’ respec‐
289     tively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
290     (prefixed with ‘%:’ and ‘%:#’ respectively) and User_Aliases. Each list
291     item may be prefixed with zero or more ‘!’ operators.  An odd number of
292     ‘!’ operators negate the value of the item; an even number just cancel
293     each other out.  User netgroups are matched using the user and domain
294     members only; the host member is not used when matching.
295
296     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
297     be enclosed in double quotes to avoid the need for escaping special char‐
298     acters.  Alternately, special characters may be specified in escaped hex
299     mode, e.g. \x20 for space.  When using double quotes, any prefix charac‐
300     ters must be included inside the quotes.
301
302     The actual nonunix_group and nonunix_gid syntax depends on the underlying
303     group provider plugin.  For instance, the QAS AD plugin supports the fol‐
304     lowing formats:
305
306     ·  Group in the same domain: "%:Group Name"
307
308     ·  Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
309
310     ·  Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
311
312     See GROUP PROVIDER PLUGINS for more information.
313
314     Note that quotes around group names are optional.  Unquoted strings must
315     use a backslash (‘\’) to escape spaces and special characters.  See Other
316     special characters and reserved words for a list of characters that need
317     to be escaped.
318
319     Runas_List ::= Runas_Member |
320                    Runas_Member ',' Runas_List
321
322     Runas_Member ::= '!'* user name |
323                      '!'* #uid |
324                      '!'* %group |
325                      '!'* %#gid |
326                      '!'* %:nonunix_group |
327                      '!'* %:#nonunix_gid |
328                      '!'* +netgroup |
329                      '!'* Runas_Alias
330
331     A Runas_List is similar to a User_List except that instead of
332     User_Aliases it can contain Runas_Aliases.  Note that user names and
333     groups are matched as strings.  In other words, two users (groups) with
334     the same uid (gid) are considered to be distinct.  If you wish to match
335     all user names with the same uid (e.g. root and toor), you can use a uid
336     instead (#0 in the example given).
337
338     Host_List ::= Host |
339                   Host ',' Host_List
340
341     Host ::= '!'* host name |
342              '!'* ip_addr |
343              '!'* network(/netmask)? |
344              '!'* +netgroup |
345              '!'* Host_Alias
346
347     A Host_List is made up of one or more host names, IP addresses, network
348     numbers, netgroups (prefixed with ‘+’) and other aliases.  Again, the
349     value of an item may be negated with the ‘!’ operator.  Host netgroups
350     are matched using the host (both qualified and unqualified) and domain
351     members only; the user member is not used when matching.  If you specify
352     a network number without a netmask, sudo will query each of the local
353     host's network interfaces and, if the network number corresponds to one
354     of the hosts's network interfaces, will use the netmask of that inter‐
355     face.  The netmask may be specified either in standard IP address nota‐
356     tion (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
357     (number of bits, e.g. 24 or 64).  A host name may include shell-style
358     wildcards (see the Wildcards section below), but unless the host name
359     command on your machine returns the fully qualified host name, you'll
360     need to use the fqdn option for wildcards to be useful.  Note that sudo
361     only inspects actual network interfaces; this means that IP address
362     127.0.0.1 (localhost) will never match.  Also, the host name “localhost”
363     will only match if that is the actual host name, which is usually only
364     the case for non-networked systems.
365
366     digest ::= [A-Fa-f0-9]+ |
367                [[A-Za-z0-9+/=]+
368
369     Digest_Spec ::= "sha224" ':' digest |
370                     "sha256" ':' digest |
371                     "sha384" ':' digest |
372                     "sha512" ':' digest
373
374     Cmnd_List ::= Cmnd |
375                   Cmnd ',' Cmnd_List
376
377     command name ::= file name |
378                      file name args |
379                      file name '""'
380
381     Cmnd ::= Digest_Spec? '!'* command name |
382              '!'* directory |
383              '!'* "sudoedit" |
384              '!'* Cmnd_Alias
385
386     A Cmnd_List is a list of one or more command names, directories, and
387     other aliases.  A command name is a fully qualified file name which may
388     include shell-style wildcards (see the Wildcards section below).  A sim‐
389     ple file name allows the user to run the command with any arguments
390     he/she wishes.  However, you may also specify command line arguments
391     (including wildcards).  Alternately, you can specify "" to indicate that
392     the command may only be run without command line arguments.  A directory
393     is a fully qualified path name ending in a ‘/’.  When you specify a
394     directory in a Cmnd_List, the user will be able to run any file within
395     that directory (but not in any sub-directories therein).
396
397     If a Cmnd has associated command line arguments, then the arguments in
398     the Cmnd must match exactly those given by the user on the command line
399     (or match the wildcards if there are any).  Note that the following char‐
400     acters must be escaped with a ‘\’ if they are used in command arguments:
401     ‘,’, ‘:’, ‘=’, ‘\’.  The built-in command “sudoedit” is used to permit a
402     user to run sudo with the -e option (or as sudoedit).  It may take com‐
403     mand line arguments just as a normal command does.  Note that “sudoedit”
404     is a command built into sudo itself and must be specified in the sudoers
405     file without a leading path.
406
407     If a command name is prefixed with a Digest_Spec, the command will only
408     match successfully if it can be verified using the specified SHA-2
409     digest.  The following digest formats are supported: sha224, sha256,
410     sha384 and sha512.  The string may be specified in either hex or base64
411     format (base64 is more compact).  There are several utilities capable of
412     generating SHA-2 digests in hex format such as openssl, shasum,
413     sha224sum, sha256sum, sha384sum, sha512sum.
414
415     For example, using openssl:
416
417     $ openssl dgst -sha224 /bin/ls
418     SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
419
420     It is also possible to use openssl to generate base64 output:
421
422     $ openssl dgst -binary -sha224 /bin/ls | openssl base64
423     EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
424
425     Warning, if the user has write access to the command itself (directly or
426     via a sudo command), it may be possible for the user to replace the com‐
427     mand after the digest check has been performed but before the command is
428     executed.  A similar race condition exists on systems that lack the
429     fexecve(2) system call when the directory in which the command is located
430     is writable by the user.  See the description of the fdexec setting for
431     more information on how sudo executes commands that have an associated
432     digest.
433
434     Command digests are only supported by version 1.8.7 or higher.
435
436   Defaults
437     Certain configuration options may be changed from their default values at
438     run-time via one or more Default_Entry lines.  These may affect all users
439     on any host, all users on a specific host, a specific user, a specific
440     command, or commands being run as a specific user.  Note that per-command
441     entries may not include command line arguments.  If you need to specify
442     arguments, define a Cmnd_Alias and reference that instead.
443
444     Default_Type ::= 'Defaults' |
445                      'Defaults' '@' Host_List |
446                      'Defaults' ':' User_List |
447                      'Defaults' '!' Cmnd_List |
448                      'Defaults' '>' Runas_List
449
450     Default_Entry ::= Default_Type Parameter_List
451
452     Parameter_List ::= Parameter |
453                        Parameter ',' Parameter_List
454
455     Parameter ::= Parameter '=' Value |
456                   Parameter '+=' Value |
457                   Parameter '-=' Value |
458                   '!'* Parameter
459
460     Parameters may be flags, integer values, strings, or lists.  Flags are
461     implicitly boolean and can be turned off via the ‘!’ operator.  Some
462     integer, string and list parameters may also be used in a boolean context
463     to disable them.  Values may be enclosed in double quotes ("") when they
464     contain multiple words.  Special characters may be escaped with a back‐
465     slash (‘\’).
466
467     Lists have two additional assignment operators, += and -=.  These opera‐
468     tors are used to add to and delete from a list respectively.  It is not
469     an error to use the -= operator to remove an element that does not exist
470     in a list.
471
472     Defaults entries are parsed in the following order: generic, host, user
473     and runas Defaults first, then command defaults.  If there are multiple
474     Defaults settings of the same type, the last matching setting is used.
475     The following Defaults settings are parsed before all others since they
476     may affect subsequent entries: fqdn, group_plugin, runas_default,
477     sudoers_locale.
478
479     See SUDOERS OPTIONS for a list of supported Defaults parameters.
480
481   User specification
482     User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
483                   (':' Host_List '=' Cmnd_Spec_List)*
484
485     Cmnd_Spec_List ::= Cmnd_Spec |
486                        Cmnd_Spec ',' Cmnd_Spec_List
487
488     Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
489
490     Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
491
492     Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
493
494     SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
495
496     Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
497
498     Timeout_Spec ::= 'TIMEOUT=timeout'
499
500     Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
501                   'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
502                   'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
503                   'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
504
505     A user specification determines which commands a user may run (and as
506     what user) on specified hosts.  By default, commands are run as root, but
507     this can be changed on a per-command basis.
508
509     The basic structure of a user specification is “who where = (as_whom)
510     what”.  Let's break that down into its constituent parts:
511
512   Runas_Spec
513     A Runas_Spec determines the user and/or the group that a command may be
514     run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
515     defined above) separated by a colon (‘:’) and enclosed in a set of paren‐
516     theses.  The first Runas_List indicates which users the command may be
517     run as via sudo's -u option.  The second defines a list of groups that
518     can be specified via sudo's -g option.  If both Runas_Lists are speci‐
519     fied, the command may be run with any combination of users and groups
520     listed in their respective Runas_Lists. If only the first is specified,
521     the command may be run as any user in the list but no -g option may be
522     specified.  If the first Runas_List is empty but the second is specified,
523     the command may be run as the invoking user with the group set to any
524     listed in the Runas_List.  If both Runas_Lists are empty, the command may
525     only be run as the invoking user.  If no Runas_Spec is specified the com‐
526     mand may be run as root and no group may be specified.
527
528     A Runas_Spec sets the default for the commands that follow it.  What this
529     means is that for the entry:
530
531     dgb     boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
532
533     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
534     boulder—but only as operator.  E.g.,
535
536     $ sudo -u operator /bin/ls
537
538     It is also possible to override a Runas_Spec later on in an entry.  If we
539     modify the entry like so:
540
541     dgb     boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
542
543     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
544     and /usr/bin/lprm as root.
545
546     We can extend this to allow dgb to run /bin/ls with either the user or
547     group set to operator:
548
549     dgb     boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
550             /usr/bin/lprm
551
552     Note that while the group portion of the Runas_Spec permits the user to
553     run as command with that group, it does not force the user to do so.  If
554     no group is specified on the command line, the command will run with the
555     group listed in the target user's password database entry.  The following
556     would all be permitted by the sudoers entry above:
557
558     $ sudo -u operator /bin/ls
559     $ sudo -u operator -g operator /bin/ls
560     $ sudo -g operator /bin/ls
561
562     In the following example, user tcm may run commands that access a modem
563     device file with the dialer group.
564
565     tcm     boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
566             /usr/local/bin/minicom
567
568     Note that in this example only the group will be set, the command still
569     runs as user tcm.  E.g.
570
571     $ sudo -g dialer /usr/bin/cu
572
573     Multiple users and groups may be present in a Runas_Spec, in which case
574     the user may select any combination of users and groups via the -u and -g
575     options.  In this example:
576
577     alan    ALL = (root, bin : operator, system) ALL
578
579     user alan may run any command as either user root or bin, optionally set‐
580     ting the group to operator or system.
581
582   Option_Spec
583     A Cmnd may have zero or more options associated with it.  Depending on
584     the system, options may consist of SELinux roles and/or types, Solaris
585     privileges sets, and command timeouts.  Once an option is set for a Cmnd,
586     subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is
587     overridden by another option.
588
589   SELinux_Spec
590     On systems with SELinux support, sudoers file entries may optionally have
591     an SELinux role and/or type associated with a command.  If a role or type
592     is specified with the command it will override any default values speci‐
593     fied in sudoers.  A role or type specified on the command line, however,
594     will supersede the values in sudoers.
595
596   Date_Spec
597     sudoers rules can be specified with a start and end date via the
598     NOTBEFORE and NOTAFTER settings.  The time stamp must be specified in
599     Generalized Time as defined by RFC 4517.  The format is effectively
600     yyyymmddHHMMSSZ where the minutes and seconds are optional.  The ‘Z’ suf‐
601     fix indicates that the time stamp is in Coordinated Universal Time (UTC).
602     It is also possible to specify a timezone offset from UTC in hours and
603     minutes instead of a ‘Z’.  For example, ‘-0500’ would correspond to East‐
604     ern Standard time in the US.  As an extension, if no ‘Z’ or timezone off‐
605     set is specified, local time will be used.
606
607     The following are all valid time stamps:
608
609         20170214083000Z
610         2017021408Z
611         20160315220000-0500
612         20151201235900
613
614   Timeout_Spec
615     A command may have a timeout associated with it.  If the timeout expires
616     before the command has exited, the command will be terminated.  The time‐
617     out may be specified in combinations of days, hours, minutes and seconds
618     with a single-letter case-insensitive suffix that indicates the unit of
619     time.  For example, a timeout of 7 days, 8 hours, 30 minutes and 10 sec‐
620     onds would be written as 7d8h30m10s.  If a number is specified without a
621     unit, seconds are assumed.  Any of the days, minutes, hours or seconds
622     may be omitted.  The order must be from largest to smallest unit and a
623     unit may not be specified more than once.
624
625     The following are all valid timeout values: 7d8h30m10s, 14d, 8h30m, 600s,
626     3600.  The following are invalid timeout values: 12m2w1d, 30s10m4h,
627     1d2d3h.
628
629     This option is only supported by version 1.8.20 or higher.
630
631   Tag_Spec
632     A command may have zero or more tags associated with it.  The following
633     tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
634     NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD,
635     SETENV, and NOSETENV.  Once a tag is set on a Cmnd, subsequent Cmnds in
636     the Cmnd_Spec_List, inherit the tag unless it is overridden by the oppo‐
637     site tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides
638     EXEC).
639
640     EXEC and NOEXEC
641
642       If sudo has been compiled with noexec support and the underlying oper‐
643       ating system supports it, the NOEXEC tag can be used to prevent a
644       dynamically-linked executable from running further commands itself.
645
646       In the following example, user aaron may run /usr/bin/more and
647       /usr/bin/vi but shell escapes will be disabled.
648
649       aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
650
651       See the Preventing shell escapes section below for more details on how
652       NOEXEC works and whether or not it will work on your system.
653
654     FOLLOW and NOFOLLOW Starting with version 1.8.15, sudoedit will not open
655       a file that is a symbolic link unless the sudoedit_follow option is
656       enabled.  The FOLLOW and NOFOLLOW tags override the value of
657       sudoedit_follow and can be used to permit (or deny) the editing of sym‐
658       bolic links on a per-command basis.  These tags are only effective for
659       the sudoedit command and are ignored for all other commands.
660
661     LOG_INPUT and NOLOG_INPUT
662
663       These tags override the value of the log_input option on a per-command
664       basis.  For more information, see the description of log_input in the
665       SUDOERS OPTIONS section below.
666
667     LOG_OUTPUT and NOLOG_OUTPUT
668
669       These tags override the value of the log_output option on a per-command
670       basis.  For more information, see the description of log_output in the
671       SUDOERS OPTIONS section below.
672
673     MAIL and NOMAIL
674
675       These tags provide fine-grained control over whether mail will be sent
676       when a user runs a command by overriding the value of the
677       mail_all_cmnds option on a per-command basis.  They have no effect when
678       sudo is run with the -l or -v options.  A NOMAIL tag will also override
679       the mail_always and mail_no_perms options.  For more information, see
680       the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
681       the SUDOERS OPTIONS section below.
682
683     PASSWD and NOPASSWD
684
685       By default, sudo requires that a user authenticate him or herself
686       before running a command.  This behavior can be modified via the
687       NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
688       the commands that follow it in the Cmnd_Spec_List.  Conversely, the
689       PASSWD tag can be used to reverse things.  For example:
690
691       ray     rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
692
693       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
694       as root on the machine rushmore without authenticating himself.  If we
695       only want ray to be able to run /bin/kill without a password the entry
696       would be:
697
698       ray     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
699
700       Note, however, that the PASSWD tag has no effect on users who are in
701       the group specified by the exempt_group option.
702
703       By default, if the NOPASSWD tag is applied to any of the entries for a
704       user on the current host, he or she will be able to run “sudo -l” with‐
705       out a password.  Additionally, a user may only run “sudo -v” without a
706       password if the NOPASSWD tag is present for all a user's entries that
707       pertain to the current host.  This behavior may be overridden via the
708       verifypw and listpw options.
709
710     SETENV and NOSETENV
711
712       These tags override the value of the setenv option on a per-command
713       basis.  Note that if SETENV has been set for a command, the user may
714       disable the env_reset option from the command line via the -E option.
715       Additionally, environment variables set on the command line are not
716       subject to the restrictions imposed by env_check, env_delete, or
717       env_keep.  As such, only trusted users should be allowed to set vari‐
718       ables in this manner.  If the command matched is ALL, the SETENV tag is
719       implied for that command; this default may be overridden by use of the
720       NOSETENV tag.
721
722   Wildcards
723     sudo allows shell-style wildcards (aka meta or glob characters) to be
724     used in host names, path names and command line arguments in the sudoers
725     file.  Wildcard matching is done via the glob(3) and fnmatch(3) functions
726     as specified by IEEE Std 1003.1 (“POSIX.1”).
727
728     *         Matches any set of zero or more characters (including white
729               space).
730
731     ?         Matches any single character (including white space).
732
733     [...]     Matches any character in the specified range.
734
735     [!...]    Matches any character not in the specified range.
736
737     \x        For any character ‘x’, evaluates to ‘x’.  This is used to
738               escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
739
740     Note that these are not regular expressions.  Unlike a regular expression
741     there is no way to match one or more characters within a range.
742
743     Character classes may be used if your system's glob(3) and fnmatch(3)
744     functions support them.  However, because the ‘:’ character has special
745     meaning in sudoers, it must be escaped.  For example:
746
747         /bin/ls [[\:alpha\:]]*
748
749     Would match any file name beginning with a letter.
750
751     Note that a forward slash (‘/’) will not be matched by wildcards used in
752     the file name portion of the command.  This is to make a path like:
753
754         /usr/bin/*
755
756     match /usr/bin/who but not /usr/bin/X11/xterm.
757
758     When matching the command line arguments, however, a slash does get
759     matched by wildcards since command line arguments may contain arbitrary
760     strings and not just path names.
761
762     Wildcards in command line arguments should be used with care.
763     Command line arguments are matched as a single, concatenated string.
764     This mean a wildcard character such as ‘?’ or ‘*’ will match across word
765     boundaries, which may be unexpected.  For example, while a sudoers entry
766     like:
767
768         %operator ALL = /bin/cat /var/log/messages*
769
770     will allow command like:
771
772         $ sudo cat /var/log/messages.1
773
774     It will also allow:
775
776         $ sudo cat /var/log/messages /etc/shadow
777
778     which is probably not what was intended.  In most cases it is better to
779     do command line processing outside of the sudoers file in a scripting
780     language.
781
782   Exceptions to wildcard rules
783     The following exceptions apply to the above rules:
784
785     ""        If the empty string "" is the only command line argument in the
786               sudoers file entry it means that command is not allowed to be
787               run with any arguments.
788
789     sudoedit  Command line arguments to the sudoedit built-in command should
790               always be path names, so a forward slash (‘/’) will not be
791               matched by a wildcard.
792
793   Including other files from within sudoers
794     It is possible to include other sudoers files from within the sudoers
795     file currently being parsed using the #include and #includedir direc‐
796     tives.
797
798     This can be used, for example, to keep a site-wide sudoers file in addi‐
799     tion to a local, per-machine file.  For the sake of this example the
800     site-wide sudoers file will be /etc/sudoers and the per-machine one will
801     be /etc/sudoers.local.  To include /etc/sudoers.local from within
802     /etc/sudoers we would use the following line in /etc/sudoers:
803
804         #include /etc/sudoers.local
805
806     When sudo reaches this line it will suspend processing of the current
807     file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching the
808     end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
809     Files that are included may themselves include other files.  A hard limit
810     of 128 nested include files is enforced to prevent include file loops.
811
812     If the path to the include file is not fully-qualified (does not begin
813     with a ‘/’), it must be located in the same directory as the sudoers file
814     it was included from.  For example, if /etc/sudoers contains the line:
815
816         #include sudoers.local
817
818     the file that will be included is /etc/sudoers.local.
819
820     The file name may also include the %h escape, signifying the short form
821     of the host name.  In other words, if the machine's host name is
822     “xerxes”, then
823
824         #include /etc/sudoers.%h
825
826     will cause sudo to include the file /etc/sudoers.xerxes.
827
828     The #includedir directive can be used to create a sudoers.d directory
829     that the system package manager can drop sudoers file rules into as part
830     of package installation.  For example, given:
831
832         #includedir /etc/sudoers.d
833
834     sudo will suspend processing of the current file and read each file in
835     /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
836     character to avoid causing problems with package manager or editor tempo‐
837     rary/backup files.  Files are parsed in sorted lexical order.  That is,
838     /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
839     Be aware that because the sorting is lexical, not numeric,
840     /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
841     Using a consistent number of leading zeroes in the file names can be used
842     to avoid such problems.  After parsing the files in the directory, con‐
843     trol returns to the file that contained the #includedir directive.
844
845     Note that unlike files included via #include, visudo will not edit the
846     files in a #includedir directory unless one of them contains a syntax
847     error.  It is still possible to run visudo with the -f flag to edit the
848     files directly, but this will not catch the redefinition of an alias that
849     is also present in a different file.
850
851   Other special characters and reserved words
852     The pound sign (‘#’) is used to indicate a comment (unless it is part of
853     a #include directive or unless it occurs in the context of a user name
854     and is followed by one or more digits, in which case it is treated as a
855     uid).  Both the comment character and any text after it, up to the end of
856     the line, are ignored.
857
858     The reserved word ALL is a built-in alias that always causes a match to
859     succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
860     User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
861     your own alias called ALL as the built-in alias will be used in prefer‐
862     ence to your own.  Please note that using ALL can be dangerous since in a
863     command context, it allows the user to run any command on the system.
864
865     An exclamation point (‘!’) can be used as a logical not operator in a
866     list or alias as well as in front of a Cmnd.  This allows one to exclude
867     certain values.  For the ‘!’ operator to be effective, there must be
868     something for it to exclude.  For example, to match all users except for
869     root one would use:
870
871         ALL,!root
872
873     If the ALL, is omitted, as in:
874
875         !root
876
877     it would explicitly deny root but not match any other users.  This is
878     different from a true “negation” operator.
879
880     Note, however, that using a ‘!’ in conjunction with the built-in ALL
881     alias to allow a user to run “all but a few” commands rarely works as
882     intended (see SECURITY NOTES below).
883
884     Long lines can be continued with a backslash (‘\’) as the last character
885     on the line.
886
887     White space between elements in a list as well as special syntactic char‐
888     acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
889
890     The following characters must be escaped with a backslash (‘\’) when used
891     as part of a word (e.g. a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
892     ‘(’, ‘)’, ‘\’.
893

SUDOERS OPTIONS

895     sudo's behavior can be modified by Default_Entry lines, as explained ear‐
896     lier.  A list of all supported Defaults parameters, grouped by type, are
897     listed below.
898
899     Boolean Flags:
900
901     always_query_group_plugin
902                       If a group_plugin is configured, use it to resolve
903                       groups of the form %group as long as there is not also
904                       a system group of the same name.  Normally, only groups
905                       of the form %:group are passed to the group_plugin.
906                       This flag is off by default.
907
908     always_set_home   If enabled, sudo will set the HOME environment variable
909                       to the home directory of the target user (which is root
910                       unless the -u option is used).  This effectively means
911                       that the -H option is always implied.  Note that by
912                       default, HOME will be set to the home directory of the
913                       target user when the env_reset option is enabled, so
914                       always_set_home only has an effect for configurations
915                       where either env_reset is disabled or HOME is present
916                       in the env_keep list.  This flag is off by default.
917
918     authenticate      If set, users must authenticate themselves via a pass‐
919                       word (or other means of authentication) before they may
920                       run commands.  This default may be overridden via the
921                       PASSWD and NOPASSWD tags.  This flag is on by default.
922
923     case_insensitive_group
924                       If enabled, group names in sudoers will be matched in a
925                       case insensitive manner.  This may be necessary when
926                       users are stored in LDAP or AD.  This flag is on by
927                       default.
928
929     case_insensitive_user
930                       If enabled, user names in sudoers will be matched in a
931                       case insensitive manner.  This may be necessary when
932                       groups are stored in LDAP or AD.  This flag is on by
933                       default.
934
935     closefrom_override
936                       If set, the user may use sudo's -C option which over‐
937                       rides the default starting point at which sudo begins
938                       closing open file descriptors.  This flag is off by
939                       default.
940
941     compress_io       If set, and sudo is configured to log a command's input
942                       or output, the I/O logs will be compressed using zlib.
943                       This flag is on by default when sudo is compiled with
944                       zlib support.
945
946     exec_background   By default, sudo runs a command as the foreground
947                       process as long as sudo itself is running in the fore‐
948                       ground.  When the exec_background flag is enabled and
949                       the command is being run in a pty (due to I/O logging
950                       or the use_pty flag), the command will be run as a
951                       background process.  Attempts to read from the control‐
952                       ling terminal (or to change terminal settings) will
953                       result in the command being suspended with the SIGTTIN
954                       signal (or SIGTTOU in the case of terminal settings).
955                       If this happens when sudo is a foreground process, the
956                       command will be granted the controlling terminal and
957                       resumed in the foreground with no user intervention
958                       required.  The advantage of initially running the com‐
959                       mand in the background is that sudo need not read from
960                       the terminal unless the command explicitly requests it.
961                       Otherwise, any terminal input must be passed to the
962                       command, whether it has required it or not (the kernel
963                       buffers terminals so it is not possible to tell whether
964                       the command really wants the input).  This is different
965                       from historic sudo behavior or when the command is not
966                       being run in a pty.
967
968                       For this to work seamlessly, the operating system must
969                       support the automatic restarting of system calls.
970                       Unfortunately, not all operating systems do this by
971                       default, and even those that do may have bugs.  For
972                       example, macOS fails to restart the tcgetattr() and
973                       tcsetattr() system calls (this is a bug in macOS).
974                       Furthermore, because this behavior depends on the com‐
975                       mand stopping with the SIGTTIN or SIGTTOU signals, pro‐
976                       grams that catch these signals and suspend themselves
977                       with a different signal (usually SIGTOP) will not be
978                       automatically foregrounded.  Some versions of the linux
979                       su(1) command behave this way.  This flag is off by
980                       default.
981
982                       This setting is only supported by version 1.8.7 or
983                       higher.  It has no effect unless I/O logging is enabled
984                       or the use_pty flag is enabled.
985
986     env_editor        If set, visudo will use the value of the SUDO_EDITOR,
987                       VISUAL or EDITOR environment variables before falling
988                       back on the default editor list.  Note that this may
989                       create a security hole as it allows the user to run any
990                       arbitrary command as root without logging.  A safer
991                       alternative is to place a colon-separated list of edi‐
992                       tors in the editor variable.  visudo will then only use
993                       SUDO_EDITOR, VISUAL or EDITOR if they match a value
994                       specified in editor.  If the env_reset flag is enabled,
995                       the SUDO_EDITOR, VISUAL and/or EDITOR environment vari‐
996                       ables must be present in the env_keep list for the
997                       env_editor flag to function when visudo is invoked via
998                       sudo.  This flag is on by default.
999
1000     env_reset         If set, sudo will run the command in a minimal environ‐
1001                       ment containing the TERM, PATH, HOME, MAIL, SHELL,
1002                       LOGNAME, USER, USERNAME and SUDO_* variables.  Any
1003                       variables in the caller's environment or in the file
1004                       specified by the restricted_env_file option that match
1005                       the env_keep and env_check lists are then added, fol‐
1006                       lowed by any variables present in the file specified by
1007                       the env_file option (if any).  The contents of the
1008                       env_keep and env_check lists, as modified by global
1009                       Defaults parameters in sudoers, are displayed when sudo
1010                       is run by root with the -V option.  If the secure_path
1011                       option is set, its value will be used for the PATH
1012                       environment variable.  This flag is on by default.
1013
1014     fast_glob         Normally, sudo uses the glob(3) function to do shell-
1015                       style globbing when matching path names.  However,
1016                       since it accesses the file system, glob(3) can take a
1017                       long time to complete for some patterns, especially
1018                       when the pattern references a network file system that
1019                       is mounted on demand (auto mounted).  The fast_glob
1020                       option causes sudo to use the fnmatch(3) function,
1021                       which does not access the file system to do its match‐
1022                       ing.  The disadvantage of fast_glob is that it is
1023                       unable to match relative path names such as ./ls or
1024                       ../bin/ls.  This has security implications when path
1025                       names that include globbing characters are used with
1026                       the negation operator, ‘!’, as such rules can be triv‐
1027                       ially bypassed.  As such, this option should not be
1028                       used when the sudoers file contains rules that contain
1029                       negated path names which include globbing characters.
1030                       This flag is off by default.
1031
1032     fqdn              Set this flag if you want to put fully qualified host
1033                       names in the sudoers file when the local host name (as
1034                       returned by the hostname command) does not contain the
1035                       domain name.  In other words, instead of myhost you
1036                       would use myhost.mydomain.edu.  You may still use the
1037                       short form if you wish (and even mix the two).  This
1038                       option is only effective when the “canonical” host
1039                       name, as returned by the getaddrinfo() or
1040                       gethostbyname() function, is a fully-qualified domain
1041                       name.  This is usually the case when the system is con‐
1042                       figured to use DNS for host name resolution.
1043
1044                       If the system is configured to use the /etc/hosts file
1045                       in preference to DNS, the “canonical” host name may not
1046                       be fully-qualified.  The order that sources are queried
1047                       for host name resolution is usually specified in the
1048                       /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
1049                       or, in some cases, /etc/resolv.conf file.  In the
1050                       /etc/hosts file, the first host name of the entry is
1051                       considered to be the “canonical” name; subsequent names
1052                       are aliases that are not used by sudoers.  For example,
1053                       the following hosts file line for the machine “xyzzy”
1054                       has the fully-qualified domain name as the “canonical”
1055                       host name, and the short version as an alias.
1056
1057                             192.168.1.1    xyzzy.sudo.ws xyzzy
1058
1059                       If the machine's hosts file entry is not formatted
1060                       properly, the fqdn option will not be effective if it
1061                       is queried before DNS.
1062
1063                       Beware that when using DNS for host name resolution,
1064                       turning on fqdn requires sudoers to make DNS lookups
1065                       which renders sudo unusable if DNS stops working (for
1066                       example if the machine is disconnected from the net‐
1067                       work).  Also note that just like with the hosts file,
1068                       you must use the “canonical” name as DNS knows it.
1069                       That is, you may not use a host alias (CNAME entry) due
1070                       to performance issues and the fact that there is no way
1071                       to get all aliases from DNS.
1072
1073                       This flag is off by default.
1074
1075     ignore_audit_errors
1076                       Allow commands to be run even if sudoers cannot write
1077                       to the audit log.  If enabled, an audit log write fail‐
1078                       ure is not treated as a fatal error.  If disabled, a
1079                       command may only be run after the audit event is suc‐
1080                       cessfully written.  This flag is only effective on sys‐
1081                       tems for which sudoers supports audit logging, includ‐
1082                       ing FreeBSD, Linux, macOS and Solaris.  This flag is on
1083                       by default.
1084
1085     ignore_dot        If set, sudo will ignore "." or "" (both denoting cur‐
1086                       rent directory) in the PATH environment variable; the
1087                       PATH itself is not modified.  This flag is on by
1088                       default.
1089
1090     ignore_iolog_errors
1091                       Allow commands to be run even if sudoers cannot write
1092                       to the I/O log.  If enabled, an I/O log write failure
1093                       is not treated as a fatal error.  If disabled, the com‐
1094                       mand will be terminated if the I/O log cannot be writ‐
1095                       ten to.  This flag is off by default.
1096
1097     ignore_logfile_errors
1098                       Allow commands to be run even if sudoers cannot write
1099                       to the log file.  If enabled, a log file write failure
1100                       is not treated as a fatal error.  If disabled, a com‐
1101                       mand may only be run after the log file entry is suc‐
1102                       cessfully written.  This flag only has an effect when
1103                       sudoers is configured to use file-based logging via the
1104                       logfile option.  This flag is on by default.
1105
1106     ignore_local_sudoers
1107                       If set via LDAP, parsing of /etc/sudoers will be
1108                       skipped.  This is intended for Enterprises that wish to
1109                       prevent the usage of local sudoers files so that only
1110                       LDAP is used.  This thwarts the efforts of rogue opera‐
1111                       tors who would attempt to add roles to /etc/sudoers.
1112                       When this option is present, /etc/sudoers does not even
1113                       need to exist.  Since this option tells sudo how to
1114                       behave when no specific LDAP entries have been matched,
1115                       this sudoOption is only meaningful for the cn=defaults
1116                       section.  This flag is off by default.
1117
1118     ignore_unknown_defaults
1119                       If set, sudo will not produce a warning if it encoun‐
1120                       ters an unknown Defaults entry in the sudoers file or
1121                       an unknown sudoOption in LDAP.  This flag is off by
1122                       default.
1123
1124     insults           If set, sudo will insult users when they enter an
1125                       incorrect password.  This flag is off by default.
1126
1127     log_host          If set, the host name will be logged in the (non-sys‐
1128                       log) sudo log file.  This flag is off by default.
1129
1130     log_input         If set, sudo will run the command in a pseudo-tty and
1131                       log all user input.  If the standard input is not con‐
1132                       nected to the user's tty, due to I/O redirection or
1133                       because the command is part of a pipeline, that input
1134                       is also captured and stored in a separate log file.
1135                       Anything sent to the standard input will be consumed,
1136                       regardless of whether or not the command run via sudo
1137                       is actually reading the standard input.  This may have
1138                       unexpected results when using sudo in a shell script
1139                       that expects to process the standard input.  For more
1140                       information about I/O logging, see the I/O LOG FILES
1141                       section.  This flag is off by default.
1142
1143     log_output        If set, sudo will run the command in a pseudo-tty and
1144                       log all output that is sent to the screen, similar to
1145                       the script(1) command.  For more information about I/O
1146                       logging, see the I/O LOG FILES section.  This flag is
1147                       off by default.
1148
1149     log_year          If set, the four-digit year will be logged in the (non-
1150                       syslog) sudo log file.  This flag is off by default.
1151
1152     long_otp_prompt   When validating with a One Time Password (OTP) scheme
1153                       such as S/Key or OPIE, a two-line prompt is used to
1154                       make it easier to cut and paste the challenge to a
1155                       local window.  It's not as pretty as the default but
1156                       some people find it more convenient.  This flag is off
1157                       by default.
1158
1159     mail_all_cmnds    Send mail to the mailto user every time a user attempts
1160                       to run a command via sudo (this includes sudoedit).  No
1161                       mail will be sent if the user runs sudo with the -l or
1162                       -v option unless there is an authentication error and
1163                       the mail_badpass flag is also set.  This flag is off by
1164                       default.
1165
1166     mail_always       Send mail to the mailto user every time a user runs
1167                       sudo.  This flag is off by default.
1168
1169     mail_badpass      Send mail to the mailto user if the user running sudo
1170                       does not enter the correct password.  If the command
1171                       the user is attempting to run is not permitted by
1172                       sudoers and one of the mail_all_cmnds, mail_always,
1173                       mail_no_host, mail_no_perms or mail_no_user flags are
1174                       set, this flag will have no effect.  This flag is off
1175                       by default.
1176
1177     mail_no_host      If set, mail will be sent to the mailto user if the
1178                       invoking user exists in the sudoers file, but is not
1179                       allowed to run commands on the current host.  This flag
1180                       is off by default.
1181
1182     mail_no_perms     If set, mail will be sent to the mailto user if the
1183                       invoking user is allowed to use sudo but the command
1184                       they are trying is not listed in their sudoers file
1185                       entry or is explicitly denied.  This flag is off by
1186                       default.
1187
1188     mail_no_user      If set, mail will be sent to the mailto user if the
1189                       invoking user is not in the sudoers file.  This flag is
1190                       on by default.
1191
1192     match_group_by_gid
1193                       By default, sudoers will look up each group the user is
1194                       a member of by group ID to determine the group name
1195                       (this is only done once).  The resulting list of the
1196                       user's group names is used when matching groups listed
1197                       in the sudoers file.  This works well on systems where
1198                       the number of groups listed in the sudoers file is
1199                       larger than the number of groups a typical user belongs
1200                       to.  On systems where group lookups are slow, where
1201                       users may belong to a large number of groups, and where
1202                       the number of groups listed in the sudoers file is rel‐
1203                       atively small, it may be prohibitively expensive and
1204                       running commands via sudo may take longer than normal.
1205                       On such systems it may be faster to use the
1206                       match_group_by_gid flag to avoid resolving the user's
1207                       group IDs to group names.  In this case, sudoers must
1208                       look up any group name listed in the sudoers file and
1209                       use the group ID instead of the group name when deter‐
1210                       mining whether the user is a member of the group.
1211
1212                       Note that if match_group_by_gid is enabled, group data‐
1213                       base lookups performed by sudoers will be keyed by
1214                       group name as opposed to group ID.  On systems where
1215                       there are multiple sources for the group database, it
1216                       is possible to have conflicting group names or group
1217                       IDs in the local /etc/group file and the remote group
1218                       database.  On such systems, enabling or disabling
1219                       match_group_by_gid can be used to choose whether group
1220                       database queries are performed by name (enabled) or ID
1221                       (disabled), which may aid in working around group entry
1222                       conflicts.
1223
1224                       The match_group_by_gid flag has no effect when sudoers
1225                       data is stored in LDAP.  This flag is off by default.
1226
1227                       This setting is only supported by version 1.8.18 or
1228                       higher.
1229
1230     netgroup_tuple    If set, netgroup lookups will be performed using the
1231                       full netgroup tuple: host name, user name and domain
1232                       (if one is set).  Historically, sudo only matched the
1233                       user name and domain for netgroups used in a User_List
1234                       and only matched the host name and domain for netgroups
1235                       used in a Host_List.  This flag is off by default.
1236
1237     noexec            If set, all commands run via sudo will behave as if the
1238                       NOEXEC tag has been set, unless overridden by an EXEC
1239                       tag.  See the description of EXEC and NOEXEC above as
1240                       well as the Preventing shell escapes section at the end
1241                       of this manual.  This flag is off by default.
1242
1243     pam_session       On systems that use PAM for authentication, sudo will
1244                       create a new PAM session for the command to be run in.
1245                       Disabling pam_session may be needed on older PAM imple‐
1246                       mentations or on operating systems where opening a PAM
1247                       session changes the utmp or wtmp files.  If PAM session
1248                       support is disabled, resource limits may not be updated
1249                       for the command being run.  If pam_session,
1250                       pam_setcred, and use_pty are disabled and I/O logging
1251                       has not been configured, sudo will execute the command
1252                       directly instead of running it as a child process.
1253                       This flag is on by default.
1254
1255                       This setting is only supported by version 1.8.7 or
1256                       higher.
1257
1258     pam_setcred       On systems that use PAM for authentication, sudo will
1259                       attempt to establish credentials for the target user by
1260                       default, if supported by the underlying authentication
1261                       system.  One example of a credential is a Kerberos
1262                       ticket.  If pam_session, pam_setcred, and use_pty are
1263                       disabled and I/O logging has not been configured, sudo
1264                       will execute the command directly instead of running it
1265                       as a child process.  This flag is on by default.
1266
1267                       This setting is only supported by version 1.8.8 or
1268                       higher.
1269
1270     passprompt_override
1271                       If set, the prompt specified by passprompt or the
1272                       SUDO_PROMPT environment variable will always be used
1273                       and will replace the prompt provided by a PAM module or
1274                       other authentication method.  This flag is off by
1275                       default.
1276
1277     path_info         Normally, sudo will tell the user when a command could
1278                       not be found in their PATH environment variable.  Some
1279                       sites may wish to disable this as it could be used to
1280                       gather information on the location of executables that
1281                       the normal user does not have access to.  The disadvan‐
1282                       tage is that if the executable is simply not in the
1283                       user's PATH, sudo will tell the user that they are not
1284                       allowed to run it, which can be confusing.  This flag
1285                       is on by default.
1286
1287     preserve_groups   By default, sudo will initialize the group vector to
1288                       the list of groups the target user is in.  When
1289                       preserve_groups is set, the user's existing group vec‐
1290                       tor is left unaltered.  The real and effective group
1291                       IDs, however, are still set to match the target user.
1292                       This flag is off by default.
1293
1294     pwfeedback        By default, sudo reads the password like most other
1295                       Unix programs, by turning off echo until the user hits
1296                       the return (or enter) key.  Some users become confused
1297                       by this as it appears to them that sudo has hung at
1298                       this point.  When pwfeedback is set, sudo will provide
1299                       visual feedback when the user presses a key.  Note that
1300                       this does have a security impact as an onlooker may be
1301                       able to determine the length of the password being
1302                       entered.  This flag is off by default.
1303
1304     requiretty        If set, sudo will only run when the user is logged in
1305                       to a real tty.  When this flag is set, sudo can only be
1306                       run from a login session and not via other means such
1307                       as cron(8) or cgi-bin scripts.  This flag is off by
1308                       default.
1309
1310     root_sudo         If set, root is allowed to run sudo too.  Disabling
1311                       this prevents users from “chaining” sudo commands to
1312                       get a root shell by doing something like “sudo sudo
1313                       /bin/sh”.  Note, however, that turning off root_sudo
1314                       will also prevent root from running sudoedit.  Dis‐
1315                       abling root_sudo provides no real additional security;
1316                       it exists purely for historical reasons.  This flag is
1317                       on by default.
1318
1319     rootpw            If set, sudo will prompt for the root password instead
1320                       of the password of the invoking user when running a
1321                       command or editing a file.  This flag is off by
1322                       default.
1323
1324     runaspw           If set, sudo will prompt for the password of the user
1325                       defined by the runas_default option (defaults to root)
1326                       instead of the password of the invoking user when run‐
1327                       ning a command or editing a file.  This flag is off by
1328                       default.
1329
1330     set_home          If enabled and sudo is invoked with the -s option the
1331                       HOME environment variable will be set to the home
1332                       directory of the target user (which is root unless the
1333                       -u option is used).  This effectively makes the -s
1334                       option imply -H.  Note that HOME is already set when
1335                       the env_reset option is enabled, so set_home is only
1336                       effective for configurations where either env_reset is
1337                       disabled or HOME is present in the env_keep list.  This
1338                       flag is off by default.
1339
1340     set_logname       Normally, sudo will set the LOGNAME, USER and USERNAME
1341                       environment variables to the name of the target user
1342                       (usually root unless the -u option is given).  However,
1343                       since some programs (including the RCS revision control
1344                       system) use LOGNAME to determine the real identity of
1345                       the user, it may be desirable to change this behavior.
1346                       This can be done by negating the set_logname option.
1347                       Note that set_logname will have no effect if the
1348                       env_reset option has not been disabled and the env_keep
1349                       list contains LOGNAME, USER or USERNAME.  This flag is
1350                       on by default.
1351
1352     set_utmp          When enabled, sudo will create an entry in the utmp (or
1353                       utmpx) file when a pseudo-tty is allocated.  A pseudo-
1354                       tty is allocated by sudo when the log_input, log_output
1355                       or use_pty flags are enabled.  By default, the new
1356                       entry will be a copy of the user's existing utmp entry
1357                       (if any), with the tty, time, type and pid fields
1358                       updated.  This flag is on by default.
1359
1360     setenv            Allow the user to disable the env_reset option from the
1361                       command line via the -E option.  Additionally, environ‐
1362                       ment variables set via the command line are not subject
1363                       to the restrictions imposed by env_check, env_delete,
1364                       or env_keep.  As such, only trusted users should be
1365                       allowed to set variables in this manner.  This flag is
1366                       off by default.
1367
1368     shell_noargs      If set and sudo is invoked with no arguments it acts as
1369                       if the -s option had been given.  That is, it runs a
1370                       shell as root (the shell is determined by the SHELL
1371                       environment variable if it is set, falling back on the
1372                       shell listed in the invoking user's /etc/passwd entry
1373                       if not).  This flag is off by default.
1374
1375     stay_setuid       Normally, when sudo executes a command the real and
1376                       effective UIDs are set to the target user (root by
1377                       default).  This option changes that behavior such that
1378                       the real UID is left as the invoking user's UID.  In
1379                       other words, this makes sudo act as a setuid wrapper.
1380                       This can be useful on systems that disable some poten‐
1381                       tially dangerous functionality when a program is run
1382                       setuid.  This option is only effective on systems that
1383                       support either the setreuid(2) or setresuid(2) system
1384                       call.  This flag is off by default.
1385
1386     sudoedit_checkdir
1387                       If set, sudoedit will check all directory components of
1388                       the path to be edited for writability by the invoking
1389                       user.  Symbolic links will not be followed in writable
1390                       directories and sudoedit will refuse to edit a file
1391                       located in a writable directory.  These restrictions
1392                       are not enforced when sudoedit is run by root.  On some
1393                       systems, if all directory components of the path to be
1394                       edited are not readable by the target user, sudoedit
1395                       will be unable to edit the file.  This flag is on by
1396                       default.
1397
1398                       This setting was first introduced in version 1.8.15 but
1399                       initially suffered from a race condition.  The check
1400                       for symbolic links in writable intermediate directories
1401                       was added in version 1.8.16.
1402
1403     sudoedit_follow   By default, sudoedit will not follow symbolic links
1404                       when opening files.  The sudoedit_follow option can be
1405                       enabled to allow sudoedit to open symbolic links.  It
1406                       may be overridden on a per-command basis by the FOLLOW
1407                       and NOFOLLOW tags.  This flag is off by default.
1408
1409                       This setting is only supported by version 1.8.15 or
1410                       higher.
1411
1412     syslog_pid        When logging via syslog(3), include the process ID in
1413                       the log entry.  This flag is off by default.
1414
1415                       This setting is only supported by version 1.8.21 or
1416                       higher.
1417
1418     targetpw          If set, sudo will prompt for the password of the user
1419                       specified by the -u option (defaults to root) instead
1420                       of the password of the invoking user when running a
1421                       command or editing a file.  Note that this flag pre‐
1422                       cludes the use of a uid not listed in the passwd data‐
1423                       base as an argument to the -u option.  This flag is off
1424                       by default.
1425
1426     tty_tickets       If set, users must authenticate on a per-tty basis.
1427                       With this flag enabled, sudo will use a separate record
1428                       in the time stamp file for each terminal.  If disabled,
1429                       a single record is used for all login sessions.
1430
1431                       This option has been superseded by the timestamp_type
1432                       option.
1433
1434     umask_override    If set, sudo will set the umask as specified in the
1435                       sudoers file without modification.  This makes it pos‐
1436                       sible to specify a umask in the sudoers file that is
1437                       more permissive than the user's own umask and matches
1438                       historical behavior.  If umask_override is not set,
1439                       sudo will set the umask to be the union of the user's
1440                       umask and what is specified in sudoers.  This flag is
1441                       off by default.
1442
1443     use_netgroups     If set, netgroups (prefixed with ‘+’), may be used in
1444                       place of a user or host.  For LDAP-based sudoers, net‐
1445                       group support requires an expensive sub-string match on
1446                       the server unless the NETGROUP_BASE directive is
1447                       present in the /etc/sudo-ldap.conf file.  If netgroups
1448                       are not needed, this option can be disabled to reduce
1449                       the load on the LDAP server.  This flag is on by
1450                       default.
1451
1452     use_pty           If set, and sudo is running in a terminal, the command
1453                       will be run in a pseudo-pty (even if no I/O logging is
1454                       being done).  If the sudo process is not attached to a
1455                       terminal, use_pty has no effect.
1456
1457                       A malicious program run under sudo may be capable of
1458                       injecting injecting commands into the user's terminal
1459                       or running a background process that retains access to
1460                       the user's terminal device even after the main program
1461                       has finished executing.  By running the command in a
1462                       separate pseudo-pty, this attack is no longer possible.
1463                       This flag is off by default.
1464
1465     user_command_timeouts
1466                       If set, the user may specify a timeout on the command
1467                       line.  If the timeout expires before the command has
1468                       exited, the command will be terminated.  If a timeout
1469                       is specified both in the sudoers file and on the com‐
1470                       mand line, the smaller of the two timeouts will be
1471                       used.  See the Timeout_Spec section for a description
1472                       of the timeout syntax.  This flag is off by default.
1473
1474                       This setting is only supported by version 1.8.20 or
1475                       higher.
1476
1477     utmp_runas        If set, sudo will store the name of the runas user when
1478                       updating the utmp (or utmpx) file.  By default, sudo
1479                       stores the name of the invoking user.  This flag is off
1480                       by default.
1481
1482     visiblepw         By default, sudo will refuse to run if the user must
1483                       enter a password but it is not possible to disable echo
1484                       on the terminal.  If the visiblepw flag is set, sudo
1485                       will prompt for a password even when it would be visi‐
1486                       ble on the screen.  This makes it possible to run
1487                       things like “ssh somehost sudo ls” since by default,
1488                       ssh(1) does not allocate a tty when running a command.
1489                       This flag is off by default.
1490
1491     Integers:
1492
1493     closefrom         Before it executes a command, sudo will close all open
1494                       file descriptors other than standard input, standard
1495                       output and standard error (ie: file descriptors 0-2).
1496                       The closefrom option can be used to specify a different
1497                       file descriptor at which to start closing.  The default
1498                       is 3.
1499
1500     command_timeout   The maximum amount of time a command is allowed to run
1501                       before it is terminated.  See the Timeout_Spec section
1502                       for a description of the timeout syntax.
1503
1504                       This setting is only supported by version 1.8.20 or
1505                       higher.
1506
1507     maxseq            The maximum sequence number that will be substituted
1508                       for the “%{seq}” escape in the I/O log file (see the
1509                       iolog_dir description above for more information).
1510                       While the value substituted for “%{seq}” is in base 36,
1511                       maxseq itself should be expressed in decimal.  Values
1512                       larger than 2176782336 (which corresponds to the base
1513                       36 sequence number “ZZZZZZ”) will be silently truncated
1514                       to 2176782336.  The default value is 2176782336.
1515
1516                       Once the local sequence number reaches the value of
1517                       maxseq, it will “roll over” to zero, after which
1518                       sudoers will truncate and re-use any existing I/O log
1519                       path names.
1520
1521                       This setting is only supported by version 1.8.7 or
1522                       higher.
1523
1524     passwd_tries      The number of tries a user gets to enter his/her pass‐
1525                       word before sudo logs the failure and exits.  The
1526                       default is 3.
1527
1528     syslog_maxlen     On many systems, syslog(3) has a relatively small log
1529                       buffer.  IETF RFC 5424 states that syslog servers must
1530                       support messages of at least 480 bytes and should sup‐
1531                       port messages up to 2048 bytes.  By default, sudoers
1532                       creates log messages up to 980 bytes which corresponds
1533                       to the historic BSD syslog implementation which used a
1534                       1024 byte buffer to store the message, date, hostname
1535                       and program name.  To prevent syslog messages from
1536                       being truncated, sudoers will split up log messages
1537                       that are larger than syslog_maxlen bytes.  When a mes‐
1538                       sage is split, additional parts will include the string
1539                       “(command continued)” after the user name and before
1540                       the continued command line arguments.
1541
1542                       This setting is only supported by version 1.8.19 or
1543                       higher.
1544
1545     Integers that can be used in a boolean context:
1546
1547     loglinelen        Number of characters per line for the file log.  This
1548                       value is used to decide when to wrap lines for nicer
1549                       log files.  This has no effect on the syslog log file,
1550                       only the file log.  The default is 80 (use 0 or negate
1551                       the option to disable word wrap).
1552
1553     passwd_timeout    Number of minutes before the sudo password prompt times
1554                       out, or 0 for no timeout.  The timeout may include a
1555                       fractional component if minute granularity is insuffi‐
1556                       cient, for example 2.5.  The default is 5.
1557
1558     timestamp_timeout
1559                       Number of minutes that can elapse before sudo will ask
1560                       for a passwd again.  The timeout may include a frac‐
1561                       tional component if minute granularity is insufficient,
1562                       for example 2.5.  The default is 5.  Set this to 0 to
1563                       always prompt for a password.  If set to a value less
1564                       than 0 the user's time stamp will not expire until the
1565                       system is rebooted.  This can be used to allow users to
1566                       create or delete their own time stamps via “sudo -v”
1567                       and “sudo -k” respectively.
1568
1569     umask             Umask to use when running the command.  Negate this
1570                       option or set it to 0777 to preserve the user's umask.
1571                       The actual umask that is used will be the union of the
1572                       user's umask and the value of the umask option, which
1573                       defaults to 0022.  This guarantees that sudo never low‐
1574                       ers the umask when running a command.  Note: on systems
1575                       that use PAM, the default PAM configuration may specify
1576                       its own umask which will override the value set in
1577                       sudoers.
1578
1579     Strings:
1580
1581     authfail_message  Message that is displayed after a user fails to authen‐
1582                       ticate.  The message may include the ‘%d’ escape which
1583                       will expand to the number of failed password attempts.
1584                       If set, it overrides the default message, %d incorrect
1585                       password attempt(s).
1586
1587     badpass_message   Message that is displayed if a user enters an incorrect
1588                       password.  The default is Sorry, try again. unless
1589                       insults are enabled.
1590
1591     editor            A colon (‘:’) separated list of editors path names used
1592                       by sudoedit and visudo.  For sudoedit, this list is
1593                       used to find an editor when none of the SUDO_EDITOR,
1594                       VISUAL or EDITOR environment variables are set to an
1595                       editor that exists and is executable.  For visudo, it
1596                       is used as a white list of allowed editors; visudo will
1597                       choose the editor that matches the user's SUDO_EDITOR,
1598                       VISUAL or EDITOR environment variable if possible, or
1599                       the first editor in the list that exists and is exe‐
1600                       cutable if not.  Unless invoked as sudoedit, sudo does
1601                       not preserve the SUDO_EDITOR, VISUAL and EDITOR envi‐
1602                       ronment variables by default, even when the env_reset
1603                       option is enabled.  The default is /usr/bin/vi.
1604
1605     iolog_dir         The top-level directory to use when constructing the
1606                       path name for the input/output log directory.  Only
1607                       used if the log_input or log_output options are enabled
1608                       or when the LOG_INPUT or LOG_OUTPUT tags are present
1609                       for a command.  The session sequence number, if any, is
1610                       stored in the directory.  The default is
1611                       /var/log/sudo-io.
1612
1613                       The following percent (‘%’) escape sequences are sup‐
1614                       ported:
1615
1616                       %{seq}
1617                             expanded to a monotonically increasing base-36
1618                             sequence number, such as 0100A5, where every two
1619                             digits are used to form a new directory, e.g.
1620                             01/00/A5
1621
1622                       %{user}
1623                             expanded to the invoking user's login name
1624
1625                       %{group}
1626                             expanded to the name of the invoking user's real
1627                             group ID
1628
1629                       %{runas_user}
1630                             expanded to the login name of the user the com‐
1631                             mand will be run as (e.g. root)
1632
1633                       %{runas_group}
1634                             expanded to the group name of the user the com‐
1635                             mand will be run as (e.g. wheel)
1636
1637                       %{hostname}
1638                             expanded to the local host name without the
1639                             domain name
1640
1641                       %{command}
1642                             expanded to the base name of the command being
1643                             run
1644
1645                       In addition, any escape sequences supported by the sys‐
1646                       tem's strftime(3) function will be expanded.
1647
1648                       To include a literal ‘%’ character, the string ‘%%’
1649                       should be used.
1650
1651     iolog_file        The path name, relative to iolog_dir, in which to store
1652                       input/output logs when the log_input or log_output
1653                       options are enabled or when the LOG_INPUT or LOG_OUTPUT
1654                       tags are present for a command.  Note that iolog_file
1655                       may contain directory components.  The default is
1656                       “%{seq}”.
1657
1658                       See the iolog_dir option above for a list of supported
1659                       percent (‘%’) escape sequences.
1660
1661                       In addition to the escape sequences, path names that
1662                       end in six or more Xs will have the Xs replaced with a
1663                       unique combination of digits and letters, similar to
1664                       the mktemp(3) function.
1665
1666                       If the path created by concatenating iolog_dir and
1667                       iolog_file already exists, the existing I/O log file
1668                       will be truncated and overwritten unless iolog_file
1669                       ends in six or more Xs.
1670
1671     iolog_flush       If set, sudo will flush I/O log data to disk after each
1672                       write instead of buffering it.  This makes it possible
1673                       to view the logs in real-time as the program is execut‐
1674                       ing but may significantly reduce the effectiveness of
1675                       I/O log compression.  This flag is off by default.
1676
1677                       This setting is only supported by version 1.8.20 or
1678                       higher.
1679
1680     iolog_group       The group name to look up when setting the group ID on
1681                       new I/O log files and directories.  If iolog_group is
1682                       not set, the primary group ID of the user specified by
1683                       iolog_user is used.  If neither iolog_group nor
1684                       iolog_user are set, I/O log files and directories are
1685                       created with group ID 0.
1686
1687                       This setting is only supported by version 1.8.19 or
1688                       higher.
1689
1690     iolog_mode        The file mode to use when creating I/O log files.  Mode
1691                       bits for read and write permissions for owner, group or
1692                       other are honored, everything else is ignored.  The
1693                       file permissions will always include the owner read and
1694                       write bits, even if they are not present in the speci‐
1695                       fied mode.  When creating I/O log directories, search
1696                       (execute) bits are added to to match the read and write
1697                       bits specified by iolog_mode.  Defaults to 0600 (read
1698                       and write by user only).
1699
1700                       This setting is only supported by version 1.8.19 or
1701                       higher.
1702
1703     iolog_user        The user name to look up when setting the user and
1704                       group IDs on new I/O log files and directories.  If
1705                       iolog_group is set, it will be used instead of the
1706                       user's primary group ID.  By default, I/O log files and
1707                       directories are created with user and group ID 0.
1708
1709                       This setting can be useful when the I/O logs are stored
1710                       on a Network File System (NFS) share.  Having a dedi‐
1711                       cated user own the I/O log files means that sudoers
1712                       does not write to the log files as user ID 0, which is
1713                       usually not permitted by NFS.
1714
1715                       This setting is only supported by version 1.8.19 or
1716                       higher.
1717
1718     lecture_status_dir
1719                       The directory in which sudo stores per-user lecture
1720                       status files.  Once a user has received the lecture, a
1721                       zero-length file is created in this directory so that
1722                       sudo will not lecture the user again.  This directory
1723                       should not be cleared when the system reboots.  The
1724                       default is /var/db/sudo/lectured.
1725
1726     mailsub           Subject of the mail sent to the mailto user.  The
1727                       escape %h will expand to the host name of the machine.
1728                       Default is “*** SECURITY information for %h ***”.
1729
1730     noexec_file       As of sudo version 1.8.1 this option is no longer sup‐
1731                       ported.  The path to the noexec file should now be set
1732                       in the sudo.conf(5) file.
1733
1734     pam_login_service
1735                       On systems that use PAM for authentication, this is the
1736                       service name used when the -i option is specified.  The
1737                       default value is “sudo-i”.  See the description of
1738                       pam_service for more information.
1739
1740                       This setting is only supported by version 1.8.8 or
1741                       higher.
1742
1743     pam_service       On systems that use PAM for authentication, the service
1744                       name specifies the PAM policy to apply.  This usually
1745                       corresponds to an entry in the pam.conf file or a file
1746                       in the /etc/pam.d directory.  The default value is
1747                       “sudo”.
1748
1749                       This setting is only supported by version 1.8.8 or
1750                       higher.
1751
1752     passprompt        The default prompt to use when asking for a password;
1753                       can be overridden via the -p option or the SUDO_PROMPT
1754                       environment variable.  The following percent (‘%’)
1755                       escape sequences are supported:
1756
1757                       %H    expanded to the local host name including the
1758                             domain name (only if the machine's host name is
1759                             fully qualified or the fqdn option is set)
1760
1761                       %h    expanded to the local host name without the
1762                             domain name
1763
1764                       %p    expanded to the user whose password is being
1765                             asked for (respects the rootpw, targetpw and
1766                             runaspw flags in sudoers)
1767
1768                       %U    expanded to the login name of the user the com‐
1769                             mand will be run as (defaults to root)
1770
1771                       %u    expanded to the invoking user's login name
1772
1773                       %%    two consecutive % characters are collapsed into a
1774                             single % character
1775
1776                       On systems that use PAM for authentication, passprompt
1777                       will only be used if the prompt provided by the PAM
1778                       module matches the string “Password: ” or “username's
1779                       Password: ”.  This ensures that the passprompt setting
1780                       does not interfere with challenge-response style
1781                       authentication.  The passprompt_override flag can be
1782                       used to change this behavior.
1783
1784                       The default value is “[sudo] password for %p: ”.
1785
1786     role              The default SELinux role to use when constructing a new
1787                       security context to run the command.  The default role
1788                       may be overridden on a per-command basis in the sudoers
1789                       file or via command line options.  This option is only
1790                       available when sudo is built with SELinux support.
1791
1792     runas_default     The default user to run commands as if the -u option is
1793                       not specified on the command line.  This defaults to
1794                       root.
1795
1796     sudoers_locale    Locale to use when parsing the sudoers file, logging
1797                       commands, and sending email.  Note that changing the
1798                       locale may affect how sudoers is interpreted.  Defaults
1799                       to “C”.
1800
1801     timestamp_type    sudoers uses per-user time stamp files for credential
1802                       caching.  The timestamp_type option can be used to
1803                       specify the type of time stamp record used.  It has the
1804                       following possible values:
1805
1806                       global  A single time stamp record is used for all of a
1807                               user's login sessions, regardless of the termi‐
1808                               nal or parent process ID.  An additional record
1809                               is used to serialize password prompts when sudo
1810                               is used multiple times in a pipeline, but this
1811                               does not affect authentication.
1812
1813                       ppid    A single time stamp record is used for all pro‐
1814                               cesses with the same parent process ID (usually
1815                               the shell).  Commands run from the same shell
1816                               (or other common parent process) will not
1817                               require a password for timestamp_timeout min‐
1818                               utes (5 by default).  Commands run via sudo
1819                               with a different parent process ID, for example
1820                               from a shell script, will be authenticated sep‐
1821                               arately.
1822
1823                       tty     One time stamp record is used for each termi‐
1824                               nal, which means that a user's login sessions
1825                               are authenticated separately.  If no terminal
1826                               is present, the behavior is the same as ppid.
1827                               Commands run from the same terminal will not
1828                               require a password for timestamp_timeout min‐
1829                               utes (5 by default).
1830
1831                       kernel  The time stamp is stored in the kernel as an
1832                               attribute of the terminal device.  If no termi‐
1833                               nal is present, the behavior is the same as
1834                               ppid.  Negative timestamp_timeout values are
1835                               not supported and positive values are limited
1836                               to a maximum of 60 minutes.  This is currently
1837                               only supported on OpenBSD.
1838
1839                       The default value is tty.
1840
1841                       This setting is only supported by version 1.8.21 or
1842                       higher.
1843
1844     timestampdir      The directory in which sudo stores its time stamp
1845                       files.  This directory should be cleared when the sys‐
1846                       tem reboots.  The default is /run/sudo/ts.
1847
1848     timestampowner    The owner of the lecture status directory, time stamp
1849                       directory and all files stored therein.  The default is
1850                       root.
1851
1852     type              The default SELinux type to use when constructing a new
1853                       security context to run the command.  The default type
1854                       may be overridden on a per-command basis in the sudoers
1855                       file or via command line options.  This option is only
1856                       available when sudo is built with SELinux support.
1857
1858     Strings that can be used in a boolean context:
1859
1860     env_file      The env_file option specifies the fully qualified path to a
1861                   file containing variables to be set in the environment of
1862                   the program being run.  Entries in this file should either
1863                   be of the form “VARIABLE=value” or “export VARIABLE=value”.
1864                   The value may optionally be surrounded by single or double
1865                   quotes.  Variables in this file are only added if the vari‐
1866                   able does not already exist in the environment.  This file
1867                   is considered to be part of the security policy, its con‐
1868                   tents are not subject to other sudo environment restric‐
1869                   tions such as env_keep and env_check.
1870
1871     exempt_group  Users in this group are exempt from password and PATH
1872                   requirements.  The group name specified should not include
1873                   a % prefix.  This is not set by default.
1874
1875     fdexec        Determines whether sudo will execute a command by its path
1876                   or by an open file descriptor.  It has the following possi‐
1877                   ble values:
1878
1879                   always  Always execute by file descriptor.
1880
1881                   never   Never execute by file descriptor.
1882
1883                   digest_only
1884                           Only execute by file descriptor if the command has
1885                           an associated digest in the sudoers file.
1886
1887                   The default value is digest_only.  This avoids a time of
1888                   check versus time of use race condition when the command is
1889                   located in a directory writable by the invoking user.
1890
1891                   Note that fdexec will change the first element of the argu‐
1892                   ment vector for scripts ($0 in the shell) due to the way
1893                   the kernel runs script interpreters.  Instead of being a
1894                   normal path, it will refer to a file descriptor.  For exam‐
1895                   ple, /dev/fd/4 on Solaris and /proc/self/fd/4 on Linux.  A
1896                   workaround is to use the SUDO_COMMAND environment variable
1897                   instead.
1898
1899                   The fdexec setting is only used when the command is matched
1900                   by path name.  It has no effect if the command is matched
1901                   by the built-in ALL alias.
1902
1903                   This setting is only supported by version 1.8.20 or higher.
1904                   If the operating system does not support the fexecve(2)
1905                   system call, this setting has no effect.
1906
1907     group_plugin  A string containing a sudoers group plugin with optional
1908                   arguments.  The string should consist of the plugin path,
1909                   either fully-qualified or relative to the /usr/libexec/sudo
1910                   directory, followed by any configuration arguments the
1911                   plugin requires.  These arguments (if any) will be passed
1912                   to the plugin's initialization function.  If arguments are
1913                   present, the string must be enclosed in double quotes ("").
1914
1915                   For more information see GROUP PROVIDER PLUGINS.
1916
1917     lecture       This option controls when a short lecture will be printed
1918                   along with the password prompt.  It has the following pos‐
1919                   sible values:
1920
1921                   always  Always lecture the user.
1922
1923                   never   Never lecture the user.
1924
1925                   once    Only lecture the user the first time they run sudo.
1926
1927                   If no value is specified, a value of once is implied.
1928                   Negating the option results in a value of never being used.
1929                   The default value is once.
1930
1931     lecture_file  Path to a file containing an alternate sudo lecture that
1932                   will be used in place of the standard lecture if the named
1933                   file exists.  By default, sudo uses a built-in lecture.
1934
1935     listpw        This option controls when a password will be required when
1936                   a user runs sudo with the -l option.  It has the following
1937                   possible values:
1938
1939                   all       All the user's sudoers file entries for the cur‐
1940                             rent host must have the NOPASSWD flag set to
1941                             avoid entering a password.
1942
1943                   always    The user must always enter a password to use the
1944                             -l option.
1945
1946                   any       At least one of the user's sudoers file entries
1947                             for the current host must have the NOPASSWD flag
1948                             set to avoid entering a password.
1949
1950                   never     The user need never enter a password to use the
1951                             -l option.
1952
1953                   If no value is specified, a value of any is implied.
1954                   Negating the option results in a value of never being used.
1955                   The default value is any.
1956
1957     logfile       Path to the sudo log file (not the syslog log file).  Set‐
1958                   ting a path turns on logging to a file; negating this
1959                   option turns it off.  By default, sudo logs via syslog.
1960
1961     mailerflags   Flags to use when invoking mailer. Defaults to -t.
1962
1963     mailerpath    Path to mail program used to send warning mail.  Defaults
1964                   to the path to sendmail found at configure time.
1965
1966     mailfrom      Address to use for the “from” address when sending warning
1967                   and error mail.  The address should be enclosed in double
1968                   quotes ("") to protect against sudo interpreting the @
1969                   sign.  Defaults to the name of the user running sudo.
1970
1971     mailto        Address to send warning and error mail to.  The address
1972                   should be enclosed in double quotes ("") to protect against
1973                   sudo interpreting the @ sign.  Defaults to root.
1974
1975     restricted_env_file
1976                   The restricted_env_file option specifies the fully quali‐
1977                   fied path to a file containing variables to be set in the
1978                   environment of the program being run.  Entries in this file
1979                   should either be of the form “VARIABLE=value” or “export
1980                   VARIABLE=value”.  The value may optionally be surrounded by
1981                   single or double quotes.  Variables in this file are only
1982                   added if the variable does not already exist in the envi‐
1983                   ronment.  Unlike env_file, the file's contents are not
1984                   trusted and are processed in a manner similar to that of
1985                   the invoking user's environment.  If env_reset is enabled,
1986                   variables in the file will only be added if they are
1987                   matched by either the env_check or env_keep list.  If
1988                   env_reset is disabled, variables in the file are added as
1989                   long as they are not matched by the env_delete list.  In
1990                   either case, the contents of restricted_env_file are pro‐
1991                   cessed before the contents of env_file.
1992
1993     secure_path   Path used for every command run from sudo.  If you don't
1994                   trust the people running sudo to have a sane PATH environ‐
1995                   ment variable you may want to use this.  Another use is if
1996                   you want to have the “root path” be separate from the “user
1997                   path”.  Users in the group specified by the exempt_group
1998                   option are not affected by secure_path.  This option is not
1999                   set by default.
2000
2001     syslog        Syslog facility if syslog is being used for logging (negate
2002                   to disable syslog logging).  Defaults to authpriv.
2003
2004                   The following syslog facilities are supported: authpriv (if
2005                   your OS supports it), auth, daemon, user, local0, local1,
2006                   local2, local3, local4, local5, local6, and local7.
2007
2008     syslog_badpri
2009                   Syslog priority to use when the user is not allowed to run
2010                   a command or when authentication is unsuccessful.  Defaults
2011                   to alert.
2012
2013                   The following syslog priorities are supported: alert, crit,
2014                   debug, emerg, err, info, notice, warning, and none.  Negat‐
2015                   ing the option or setting it to a value of none will dis‐
2016                   able logging of unsuccessful commands.
2017
2018     syslog_goodpri
2019                   Syslog priority to use when the user is allowed to run a
2020                   command and authentication is successful.  Defaults to
2021                   notice.
2022
2023                   See syslog_badpri for the list of supported syslog priori‐
2024                   ties.  Negating the option or setting it to a value of none
2025                   will disable logging of successful commands.
2026
2027     verifypw      This option controls when a password will be required when
2028                   a user runs sudo with the -v option.  It has the following
2029                   possible values:
2030
2031                   all     All the user's sudoers file entries for the current
2032                           host must have the NOPASSWD flag set to avoid
2033                           entering a password.
2034
2035                   always  The user must always enter a password to use the -v
2036                           option.
2037
2038                   any     At least one of the user's sudoers file entries for
2039                           the current host must have the NOPASSWD flag set to
2040                           avoid entering a password.
2041
2042                   never   The user need never enter a password to use the -v
2043                           option.
2044
2045                   If no value is specified, a value of all is implied.
2046                   Negating the option results in a value of never being used.
2047                   The default value is all.
2048
2049     Lists that can be used in a boolean context:
2050
2051     env_check         Environment variables to be removed from the user's
2052                       environment unless they are considered “safe”.  For all
2053                       variables except TZ, “safe” means that the variable's
2054                       value does not contain any ‘%’ or ‘/’ characters.  This
2055                       can be used to guard against printf-style format vul‐
2056                       nerabilities in poorly-written programs.  The TZ vari‐
2057                       able is considered unsafe if any of the following are
2058                       true:
2059
2060                       ·  It consists of a fully-qualified path name, option‐
2061                          ally prefixed with a colon (‘:’), that does not
2062                          match the location of the zoneinfo directory.
2063
2064                       ·  It contains a .. path element.
2065
2066                       ·  It contains white space or non-printable characters.
2067
2068                       ·  It is longer than the value of PATH_MAX.
2069
2070                       The argument may be a double-quoted, space-separated
2071                       list or a single value without double-quotes.  The list
2072                       can be replaced, added to, deleted from, or disabled by
2073                       using the =, +=, -=, and ! operators respectively.
2074                       Regardless of whether the env_reset option is enabled
2075                       or disabled, variables specified by env_check will be
2076                       preserved in the environment if they pass the aforemen‐
2077                       tioned check.  The global list of environment variables
2078                       to check is displayed when sudo is run by root with the
2079                       -V option.
2080
2081     env_delete        Environment variables to be removed from the user's
2082                       environment when the env_reset option is not in effect.
2083                       The argument may be a double-quoted, space-separated
2084                       list or a single value without double-quotes.  The list
2085                       can be replaced, added to, deleted from, or disabled by
2086                       using the =, +=, -=, and ! operators respectively.  The
2087                       global list of environment variables to remove is dis‐
2088                       played when sudo is run by root with the -V option.
2089                       Note that many operating systems will remove poten‐
2090                       tially dangerous variables from the environment of any
2091                       setuid process (such as sudo).
2092
2093     env_keep          Environment variables to be preserved in the user's
2094                       environment when the env_reset option is in effect.
2095                       This allows fine-grained control over the environment
2096                       sudo-spawned processes will receive.  The argument may
2097                       be a double-quoted, space-separated list or a single
2098                       value without double-quotes.  The list can be replaced,
2099                       added to, deleted from, or disabled by using the =, +=,
2100                       -=, and ! operators respectively.  The global list of
2101                       variables to keep is displayed when sudo is run by root
2102                       with the -V option.
2103

GROUP PROVIDER PLUGINS

2105     The sudoers plugin supports its own plugin interface to allow non-Unix
2106     group lookups which can query a group source other than the standard Unix
2107     group database.  This can be used to implement support for the
2108     nonunix_group syntax described earlier.
2109
2110     Group provider plugins are specified via the group_plugin Defaults set‐
2111     ting.  The argument to group_plugin should consist of the plugin path,
2112     either fully-qualified or relative to the /usr/libexec/sudo directory,
2113     followed by any configuration options the plugin requires.  These options
2114     (if specified) will be passed to the plugin's initialization function.
2115     If options are present, the string must be enclosed in double quotes
2116     ("").
2117
2118     The following group provider plugins are installed by default:
2119
2120     group_file
2121               The group_file plugin supports an alternate group file that
2122               uses the same syntax as the /etc/group file.  The path to the
2123               group file should be specified as an option to the plugin.  For
2124               example, if the group file to be used is /etc/sudo-group:
2125
2126               Defaults group_plugin="group_file.so /etc/sudo-group"
2127
2128     system_group
2129               The system_group plugin supports group lookups via the standard
2130               C library functions getgrnam() and getgrid().  This plugin can
2131               be used in instances where the user belongs to groups not
2132               present in the user's supplemental group vector.  This plugin
2133               takes no options:
2134
2135               Defaults group_plugin=system_group.so
2136
2137     The group provider plugin API is described in detail in sudo_plugin(5).
2138

LOG FORMAT

2140     sudoers can log events using either syslog(3) or a simple log file.  The
2141     log format is almost identical in both cases.
2142
2143   Accepted command log entries
2144     Commands that sudo runs are logged using the following format (split into
2145     multiple lines for readability):
2146
2147         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
2148             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2149             ENV=env_vars COMMAND=command
2150
2151     Where the fields are as follows:
2152
2153     date          The date the command was run.  Typically, this is in the
2154                   format “MMM, DD, HH:MM:SS”.  If logging via syslog(3), the
2155                   actual date format is controlled by the syslog daemon.  If
2156                   logging to a file and the log_year option is enabled, the
2157                   date will also include the year.
2158
2159     hostname      The name of the host sudo was run on.  This field is only
2160                   present when logging via syslog(3).
2161
2162     progname      The name of the program, usually sudo or sudoedit.  This
2163                   field is only present when logging via syslog(3).
2164
2165     username      The login name of the user who ran sudo.
2166
2167     ttyname       The short name of the terminal (e.g. “console”, “tty01”, or
2168                   “pts/0”) sudo was run on, or “unknown” if there was no ter‐
2169                   minal present.
2170
2171     cwd           The current working directory that sudo was run in.
2172
2173     runasuser     The user the command was run as.
2174
2175     runasgroup    The group the command was run as if one was specified on
2176                   the command line.
2177
2178     logid         An I/O log identifier that can be used to replay the com‐
2179                   mand's output.  This is only present when the log_input or
2180                   log_output option is enabled.
2181
2182     env_vars      A list of environment variables specified on the command
2183                   line, if specified.
2184
2185     command       The actual command that was executed.
2186
2187     Messages are logged using the locale specified by sudoers_locale, which
2188     defaults to the “C” locale.
2189
2190   Denied command log entries
2191     If the user is not allowed to run the command, the reason for the denial
2192     will follow the user name.  Possible reasons include:
2193
2194     user NOT in sudoers
2195       The user is not listed in the sudoers file.
2196
2197     user NOT authorized on host
2198       The user is listed in the sudoers file but is not allowed to run com‐
2199       mands on the host.
2200
2201     command not allowed
2202       The user is listed in the sudoers file for the host but they are not
2203       allowed to run the specified command.
2204
2205     3 incorrect password attempts
2206       The user failed to enter their password after 3 tries.  The actual num‐
2207       ber of tries will vary based on the number of failed attempts and the
2208       value of the passwd_tries option.
2209
2210     a password is required
2211       sudo's -n option was specified but a password was required.
2212
2213     sorry, you are not allowed to set the following environment variables
2214       The user specified environment variables on the command line that were
2215       not allowed by sudoers.
2216
2217   Error log entries
2218     If an error occurs, sudoers will log a message and, in most cases, send a
2219     message to the administrator via email.  Possible errors include:
2220
2221     parse error in /etc/sudoers near line N
2222       sudoers encountered an error when parsing the specified file.  In some
2223       cases, the actual error may be one line above or below the line number
2224       listed, depending on the type of error.
2225
2226     problem with defaults entries
2227       The sudoers file contains one or more unknown Defaults settings.  This
2228       does not prevent sudo from running, but the sudoers file should be
2229       checked using visudo.
2230
2231     timestamp owner (username): No such user
2232       The time stamp directory owner, as specified by the timestampowner set‐
2233       ting, could not be found in the password database.
2234
2235     unable to open/read /etc/sudoers
2236       The sudoers file could not be opened for reading.  This can happen when
2237       the sudoers file is located on a remote file system that maps user ID 0
2238       to a different value.  Normally, sudoers tries to open the sudoers file
2239       using group permissions to avoid this problem.  Consider either chang‐
2240       ing the ownership of /etc/sudoers or adding an argument like
2241       “sudoers_uid=N” (where ‘N’ is the user ID that owns the sudoers file)
2242       to the end of the sudoers Plugin line in the sudo.conf(5) file.
2243
2244     unable to stat /etc/sudoers
2245       The /etc/sudoers file is missing.
2246
2247     /etc/sudoers is not a regular file
2248       The /etc/sudoers file exists but is not a regular file or symbolic
2249       link.
2250
2251     /etc/sudoers is owned by uid N, should be 0
2252       The sudoers file has the wrong owner.  If you wish to change the
2253       sudoers file owner, please add “sudoers_uid=N” (where ‘N’ is the user
2254       ID that owns the sudoers file) to the sudoers Plugin line in the
2255       sudo.conf(5) file.
2256
2257     /etc/sudoers is world writable
2258       The permissions on the sudoers file allow all users to write to it.
2259       The sudoers file must not be world-writable, the default file mode is
2260       0440 (readable by owner and group, writable by none).  The default mode
2261       may be changed via the “sudoers_mode” option to the sudoers Plugin line
2262       in the sudo.conf(5) file.
2263
2264     /etc/sudoers is owned by gid N, should be 1
2265       The sudoers file has the wrong group ownership.  If you wish to change
2266       the sudoers file group ownership, please add “sudoers_gid=N” (where ‘N’
2267       is the group ID that owns the sudoers file) to the sudoers Plugin line
2268       in the sudo.conf(5) file.
2269
2270     unable to open /run/sudo/ts/username
2271       sudoers was unable to read or create the user's time stamp file.  This
2272       can happen when timestampowner is set to a user other than root and the
2273       mode on /run/sudo is not searchable by group or other.  The default
2274       mode for /run/sudo is 0711.
2275
2276     unable to write to /run/sudo/ts/username
2277       sudoers was unable to write to the user's time stamp file.
2278
2279     /run/sudo/ts is owned by uid X, should be Y
2280       The time stamp directory is owned by a user other than timestampowner.
2281       This can occur when the value of timestampowner has been changed.
2282       sudoers will ignore the time stamp directory until the owner is cor‐
2283       rected.
2284
2285     /run/sudo/ts is group writable
2286       The time stamp directory is group-writable; it should be writable only
2287       by timestampowner.  The default mode for the time stamp directory is
2288       0700.  sudoers will ignore the time stamp directory until the mode is
2289       corrected.
2290
2291   Notes on logging via syslog
2292     By default, sudoers logs messages via syslog(3).  The date, hostname, and
2293     progname fields are added by the system's syslog() function, not sudoers
2294     itself.  As such, they may vary in format on different systems.
2295
2296     The maximum size of syslog messages varies from system to system.  The
2297     syslog_maxlen setting can be used to change the maximum syslog message
2298     size from the default value of 980 bytes.  For more information, see the
2299     description of syslog_maxlen.
2300
2301   Notes on logging to a file
2302     If the logfile option is set, sudoers will log to a local file, such as
2303     /var/log/sudo.  When logging to a file, sudoers uses a format similar to
2304     syslog(3), with a few important differences:
2305
2306     1.   The progname and hostname fields are not present.
2307
2308     2.   If the log_year option is enabled, the date will also include the
2309          year.
2310
2311     3.   Lines that are longer than loglinelen characters (80 by default) are
2312          word-wrapped and continued on the next line with a four character
2313          indent.  This makes entries easier to read for a human being, but
2314          makes it more difficult to use grep(1) on the log files.  If the
2315          loglinelen option is set to 0 (or negated with a ‘!’), word wrap
2316          will be disabled.
2317

I/O LOG FILES

2319     When I/O logging is enabled, sudo will run the command in a pseudo-tty
2320     and log all user input and/or output, depending on which options are
2321     enabled.  I/O is logged to the directory specified by the iolog_dir
2322     option (/var/log/sudo-io by default) using a unique session ID that is
2323     included in the sudo log line, prefixed with “TSID=”.  The iolog_file
2324     option may be used to control the format of the session ID.
2325
2326     Each I/O log is stored in a separate directory that contains the follow‐
2327     ing files:
2328
2329     log       a text file containing the time the command was run, the name
2330               of the user who ran sudo, the name of the target user, the name
2331               of the target group (optional), the terminal that sudo was run
2332               from, the number of rows and columns of the terminal, the work‐
2333               ing directory the command was run from and the path name of the
2334               command itself (with arguments if present)
2335
2336     timing    a log of the amount of time between, and the number of bytes
2337               in, each I/O log entry (used for session playback)
2338
2339     ttyin     input from the user's tty (what the user types)
2340
2341     stdin     input from a pipe or file
2342
2343     ttyout    output from the pseudo-tty (what the command writes to the
2344               screen)
2345
2346     stdout    standard output to a pipe or redirected to a file
2347
2348     stderr    standard error to a pipe or redirected to a file
2349
2350     All files other than log are compressed in gzip format unless the
2351     compress_io flag has been disabled.  Due to buffering, it is not normally
2352     possible to display the I/O logs in real-time as the program is executing
2353     The I/O log data will not be complete until the program run by sudo has
2354     exited or has been terminated by a signal.  The iolog_flush flag can be
2355     used to disable buffering, in which case I/O log data is written to disk
2356     as soon as it is available.  The output portion of an I/O log file can be
2357     viewed with the sudoreplay(8) utility, which can also be used to list or
2358     search the available logs.
2359
2360     Note that user input may contain sensitive information such as passwords
2361     (even if they are not echoed to the screen), which will be stored in the
2362     log file unencrypted.  In most cases, logging the command output via
2363     log_output or LOG_OUTPUT is all that is required.
2364
2365     Since each session's I/O logs are stored in a separate directory, tradi‐
2366     tional log rotation utilities cannot be used to limit the number of I/O
2367     logs.  The simplest way to limit the number of I/O is by setting the
2368     maxseq option to the maximum number of logs you wish to store.  Once the
2369     I/O log sequence number reaches maxseq, it will be reset to zero and
2370     sudoers will truncate and re-use any existing I/O logs.
2371

FILES

2373     /etc/sudo.conf            Sudo front end configuration
2374
2375     /etc/sudoers              List of who can run what
2376
2377     /etc/group                Local groups file
2378
2379     /etc/netgroup             List of network groups
2380
2381     /var/log/sudo-io          I/O log files
2382
2383     /run/sudo/ts              Directory containing time stamps for the
2384                               sudoers security policy
2385
2386     /var/db/sudo/lectured     Directory containing lecture status files for
2387                               the sudoers security policy
2388
2389     /etc/environment          Initial environment for -i mode on AIX and
2390                               Linux systems
2391

EXAMPLES

2393     Below are example sudoers file entries.  Admittedly, some of these are a
2394     bit contrived.  First, we allow a few environment variables to pass and
2395     then define our aliases:
2396
2397     # Run X applications through sudo; HOME is used to find the
2398     # .Xauthority file.  Note that other programs use HOME to find
2399     # configuration files and this may lead to privilege escalation!
2400     Defaults env_keep += "DISPLAY HOME"
2401
2402     # User alias specification
2403     User_Alias      FULLTIMERS = millert, mikef, dowdy
2404     User_Alias      PARTTIMERS = bostley, jwfox, crawl
2405     User_Alias      WEBMASTERS = will, wendy, wim
2406
2407     # Runas alias specification
2408     Runas_Alias     OP = root, operator
2409     Runas_Alias     DB = oracle, sybase
2410     Runas_Alias     ADMINGRP = adm, oper
2411
2412     # Host alias specification
2413     Host_Alias      SPARC = bigtime, eclipse, moet, anchor :\
2414                     SGI = grolsch, dandelion, black :\
2415                     ALPHA = widget, thalamus, foobar :\
2416                     HPPA = boa, nag, python
2417     Host_Alias      CUNETS = 128.138.0.0/255.255.0.0
2418     Host_Alias      CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
2419     Host_Alias      SERVERS = master, mail, www, ns
2420     Host_Alias      CDROM = orion, perseus, hercules
2421
2422     # Cmnd alias specification
2423     Cmnd_Alias      DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
2424                             /usr/sbin/restore, /usr/sbin/rrestore,\
2425                             sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
2426                             /home/operator/bin/start_backups
2427     Cmnd_Alias      KILL = /usr/bin/kill
2428     Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
2429     Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
2430     Cmnd_Alias      HALT = /usr/sbin/halt
2431     Cmnd_Alias      REBOOT = /usr/sbin/reboot
2432     Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
2433                              /usr/local/bin/tcsh, /usr/bin/rsh,\
2434                              /usr/local/bin/zsh
2435     Cmnd_Alias      SU = /usr/bin/su
2436     Cmnd_Alias      PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
2437
2438     Here we override some of the compiled in default values.  We want sudo to
2439     log via syslog(3) using the auth facility in all cases.  We don't want to
2440     subject the full time staff to the sudo lecture, user millert need not
2441     give a password, and we don't want to reset the LOGNAME, USER or USERNAME
2442     environment variables when running commands as root.  Additionally, on
2443     the machines in the SERVERS Host_Alias, we keep an additional local log
2444     file and make sure we log the year in each log line since the log entries
2445     will be kept around for several years.  Lastly, we disable shell escapes
2446     for the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
2447     /usr/bin/less).  Note that this will not effectively constrain users with
2448     sudo ALL privileges.
2449
2450     # Override built-in defaults
2451     Defaults                syslog=auth
2452     Defaults>root           !set_logname
2453     Defaults:FULLTIMERS     !lecture
2454     Defaults:millert        !authenticate
2455     Defaults@SERVERS        log_year, logfile=/var/log/sudo.log
2456     Defaults!PAGERS         noexec
2457
2458     The User specification is the part that actually determines who may run
2459     what.
2460
2461     root            ALL = (ALL) ALL
2462     %wheel          ALL = (ALL) ALL
2463
2464     We let root and any user in group wheel run any command on any host as
2465     any user.
2466
2467     FULLTIMERS      ALL = NOPASSWD: ALL
2468
2469     Full time sysadmins (millert, mikef, and dowdy) may run any command on
2470     any host without authenticating themselves.
2471
2472     PARTTIMERS      ALL = ALL
2473
2474     Part time sysadmins bostley, jwfox, and crawl) may run any command on any
2475     host but they must authenticate themselves first (since the entry lacks
2476     the NOPASSWD tag).
2477
2478     jack            CSNETS = ALL
2479
2480     The user jack may run any command on the machines in the CSNETS alias
2481     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
2482     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
2483     indicating it is a class C network.  For the other networks in CSNETS,
2484     the local machine's netmask will be used during matching.
2485
2486     lisa            CUNETS = ALL
2487
2488     The user lisa may run any command on any host in the CUNETS alias (the
2489     class B network 128.138.0.0).
2490
2491     operator        ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
2492                     sudoedit /etc/printcap, /usr/oper/bin/
2493
2494     The operator user may run commands limited to simple maintenance.  Here,
2495     those are commands related to backups, killing processes, the printing
2496     system, shutting down the system, and any commands in the directory
2497     /usr/oper/bin/.  Note that one command in the DUMPS Cmnd_Alias includes a
2498     sha224 digest, /home/operator/bin/start_backups.  This is because the
2499     directory containing the script is writable by the operator user.  If the
2500     script is modified (resulting in a digest mismatch) it will no longer be
2501     possible to run it via sudo.
2502
2503     joe             ALL = /usr/bin/su operator
2504
2505     The user joe may only su(1) to operator.
2506
2507     pete            HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
2508
2509     %opers          ALL = (: ADMINGRP) /usr/sbin/
2510
2511     Users in the opers group may run commands in /usr/sbin/ as themselves
2512     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
2513
2514     The user pete is allowed to change anyone's password except for root on
2515     the HPPA machines.  Because command line arguments are matched as a sin‐
2516     gle, concatenated string, the ‘*’ wildcard will match multiple words.
2517     This example assumes that passwd(1) does not take multiple user names on
2518     the command line.  Note that on GNU systems, options to passwd(1) may be
2519     specified after the user argument.  As a result, this rule will also
2520     allow:
2521
2522         passwd username --expire
2523
2524     which may not be desirable.
2525
2526     bob             SPARC = (OP) ALL : SGI = (OP) ALL
2527
2528     The user bob may run anything on the SPARC and SGI machines as any user
2529     listed in the OP Runas_Alias (root and operator.)
2530
2531     jim             +biglab = ALL
2532
2533     The user jim may run any command on machines in the biglab netgroup.
2534     sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
2535
2536     +secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
2537
2538     Users in the secretaries netgroup need to help manage the printers as
2539     well as add and remove users, so they are allowed to run those commands
2540     on all machines.
2541
2542     fred            ALL = (DB) NOPASSWD: ALL
2543
2544     The user fred can run commands as any user in the DB Runas_Alias (oracle
2545     or sybase) without giving a password.
2546
2547     john            ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
2548
2549     On the ALPHA machines, user john may su to anyone except root but he is
2550     not allowed to specify any options to the su(1) command.
2551
2552     jen             ALL, !SERVERS = ALL
2553
2554     The user jen may run any command on any machine except for those in the
2555     SERVERS Host_Alias (master, mail, www and ns).
2556
2557     jill            SERVERS = /usr/bin/, !SU, !SHELLS
2558
2559     For any machine in the SERVERS Host_Alias, jill may run any commands in
2560     the directory /usr/bin/ except for those commands belonging to the SU and
2561     SHELLS Cmnd_Aliases.  While not specifically mentioned in the rule, the
2562     commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
2563     noexec option set.
2564
2565     steve           CSNETS = (operator) /usr/local/op_commands/
2566
2567     The user steve may run any command in the directory /usr/local/op_com‐
2568     mands/ but only as user operator.
2569
2570     matt            valkyrie = KILL
2571
2572     On his personal workstation, valkyrie, matt needs to be able to kill hung
2573     processes.
2574
2575     WEBMASTERS      www = (www) ALL, (root) /usr/bin/su www
2576
2577     On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
2578     wim), may run any command as user www (which owns the web pages) or sim‐
2579     ply su(1) to www.
2580
2581     ALL             CDROM = NOPASSWD: /sbin/umount /CDROM,\
2582                     /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
2583
2584     Any user may mount or unmount a CD-ROM on the machines in the CDROM
2585     Host_Alias (orion, perseus, hercules) without entering a password.  This
2586     is a bit tedious for users to type, so it is a prime candidate for encap‐
2587     sulating in a shell script.
2588

SECURITY NOTES

2590   Limitations of the ‘!’ operator
2591     It is generally not effective to “subtract” commands from ALL using the
2592     ‘!’ operator.  A user can trivially circumvent this by copying the
2593     desired command to a different name and then executing that.  For exam‐
2594     ple:
2595
2596     bill    ALL = ALL, !SU, !SHELLS
2597
2598     Doesn't really prevent bill from running the commands listed in SU or
2599     SHELLS since he can simply copy those commands to a different name, or
2600     use a shell escape from an editor or other program.  Therefore, these
2601     kind of restrictions should be considered advisory at best (and rein‐
2602     forced by policy).
2603
2604     In general, if a user has sudo ALL there is nothing to prevent them from
2605     creating their own program that gives them a root shell (or making their
2606     own copy of a shell) regardless of any ‘!’ elements in the user specifi‐
2607     cation.
2608
2609   Security implications of fast_glob
2610     If the fast_glob option is in use, it is not possible to reliably negate
2611     commands where the path name includes globbing (aka wildcard) characters.
2612     This is because the C library's fnmatch(3) function cannot resolve rela‐
2613     tive paths.  While this is typically only an inconvenience for rules that
2614     grant privileges, it can result in a security issue for rules that sub‐
2615     tract or revoke privileges.
2616
2617     For example, given the following sudoers file entry:
2618
2619     john    ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
2620                   /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
2621
2622     User john can still run /usr/bin/passwd root if fast_glob is enabled by
2623     changing to /usr/bin and running ./passwd root instead.
2624
2625   Preventing shell escapes
2626     Once sudo executes a program, that program is free to do whatever it
2627     pleases, including run other programs.  This can be a security issue
2628     since it is not uncommon for a program to allow shell escapes, which lets
2629     a user bypass sudo's access control and logging.  Common programs that
2630     permit shell escapes include shells (obviously), editors, paginators,
2631     mail and terminal programs.
2632
2633     There are two basic approaches to this problem:
2634
2635     restrict  Avoid giving users access to commands that allow the user to
2636               run arbitrary commands.  Many editors have a restricted mode
2637               where shell escapes are disabled, though sudoedit is a better
2638               solution to running editors via sudo.  Due to the large number
2639               of programs that offer shell escapes, restricting users to the
2640               set of programs that do not is often unworkable.
2641
2642     noexec    Many systems that support shared libraries have the ability to
2643               override default library functions by pointing an environment
2644               variable (usually LD_PRELOAD) to an alternate shared library.
2645               On such systems, sudo's noexec functionality can be used to
2646               prevent a program run by sudo from executing any other pro‐
2647               grams.  Note, however, that this applies only to native dynami‐
2648               cally-linked executables.  Statically-linked executables and
2649               foreign executables running under binary emulation are not
2650               affected.
2651
2652               The noexec feature is known to work on SunOS, Solaris, *BSD,
2653               Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and
2654               above.  It should be supported on most operating systems that
2655               support the LD_PRELOAD environment variable.  Check your oper‐
2656               ating system's manual pages for the dynamic linker (usually
2657               ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
2658               LD_PRELOAD is supported.
2659
2660               To enable noexec for a command, use the NOEXEC tag as docu‐
2661               mented in the User Specification section above.  Here is that
2662               example again:
2663
2664               aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
2665
2666               This allows user aaron to run /usr/bin/more and /usr/bin/vi
2667               with noexec enabled.  This will prevent those two commands from
2668               executing other commands (such as a shell).  If you are unsure
2669               whether or not your system is capable of supporting noexec you
2670               can always just try it out and check whether shell escapes work
2671               when noexec is enabled.
2672
2673     Note that restricting shell escapes is not a panacea.  Programs running
2674     as root are still capable of many potentially hazardous operations (such
2675     as changing or overwriting files) that could lead to unintended privilege
2676     escalation.  In the specific case of an editor, a safer approach is to
2677     give the user permission to run sudoedit (see below).
2678
2679   Secure editing
2680     The sudoers plugin includes sudoedit support which allows users to
2681     securely edit files with the editor of their choice.  As sudoedit is a
2682     built-in command, it must be specified in the sudoers file without a
2683     leading path.  However, it may take command line arguments just as a nor‐
2684     mal command does.  Wildcards used in sudoedit command line arguments are
2685     expected to be path names, so a forward slash (‘/’) will not be matched
2686     by a wildcard.
2687
2688     Unlike other sudo commands, the editor is run with the permissions of the
2689     invoking user and with the environment unmodified.  More information may
2690     be found in the description of the -e option in sudo(8).
2691
2692     For example, to allow user operator to edit the “message of the day”
2693     file:
2694
2695           operator        sudoedit /etc/motd
2696
2697     The operator user then runs sudoedit as follows:
2698
2699           $ sudoedit /etc/motd
2700
2701     The editor will run as the operator user, not root, on a temporary copy
2702     of /etc/motd.  After the file has been edited, /etc/motd will be updated
2703     with the contents of the temporary copy.
2704
2705     Users should never be granted sudoedit permission to edit a file that
2706     resides in a directory the user has write access to, either directly or
2707     via a wildcard.  If the user has write access to the directory it is pos‐
2708     sible to replace the legitimate file with a link to another file, allow‐
2709     ing the editing of arbitrary files.  To prevent this, starting with ver‐
2710     sion 1.8.16, symbolic links will not be followed in writable directories
2711     and sudoedit will refuse to edit a file located in a writable directory
2712     unless the sudoedit_checkdir option has been disabled or the invoking
2713     user is root.  Additionally, in version 1.8.15 and higher, sudoedit will
2714     refuse to open a symbolic link unless either the sudoedit_follow option
2715     is enabled or the sudoedit command is prefixed with the FOLLOW tag in the
2716     sudoers file.
2717
2718   Time stamp file checks
2719     sudoers will check the ownership of its time stamp directory
2720     (/run/sudo/ts by default) and ignore the directory's contents if it is
2721     not owned by root or if it is writable by a user other than root.  Older
2722     versions of sudo stored time stamp files in /tmp; this is no longer rec‐
2723     ommended as it may be possible for a user to create the time stamp them‐
2724     selves on systems that allow unprivileged users to change the ownership
2725     of files they create.
2726
2727     While the time stamp directory should be cleared at reboot time, not all
2728     systems contain a /run or /var/run directory.  To avoid potential prob‐
2729     lems, sudoers will ignore time stamp files that date from before the
2730     machine booted on systems where the boot time is available.
2731
2732     Some systems with graphical desktop environments allow unprivileged users
2733     to change the system clock.  Since sudoers relies on the system clock for
2734     time stamp validation, it may be possible on such systems for a user to
2735     run sudo for longer than timestamp_timeout by setting the clock back.  To
2736     combat this, sudoers uses a monotonic clock (which never moves backwards)
2737     for its time stamps if the system supports it.
2738
2739     sudoers will not honor time stamps set far in the future.  Time stamps
2740     with a date greater than current_time + 2 * TIMEOUT will be ignored and
2741     sudoers will log and complain.
2742
2743     If the timestamp_type option is set to “tty”, the time stamp record
2744     includes the device number of the terminal the user authenticated with.
2745     This provides per-terminal granularity but time stamp records may still
2746     outlive the user's session.
2747
2748     Unless the timestamp_type option is set to “global”, the time stamp
2749     record also includes the session ID of the process that last authenti‐
2750     cated.  This prevents processes in different terminal sessions from using
2751     the same time stamp record.  On systems where a process's start time can
2752     be queried, the start time of the session leader is recorded in the time
2753     stamp record.  If no terminal is present or the timestamp_type option is
2754     set to “ppid”, the start time of the parent process is used instead.  In
2755     most cases this will prevent a time stamp record from being re-used with‐
2756     out the user entering a password when logging out and back in again.
2757

DEBUGGING

2759     Versions 1.8.4 and higher of the sudoers plugin support a flexible debug‐
2760     ging framework that can help track down what the plugin is doing inter‐
2761     nally if there is a problem.  This can be configured in the sudo.conf(5)
2762     file.
2763
2764     The sudoers plugin uses the same debug flag format as the sudo front-end:
2765     subsystem@priority.
2766
2767     The priorities used by sudoers, in order of decreasing severity, are:
2768     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
2769     when specified, also includes all priorities higher than it.  For exam‐
2770     ple, a priority of notice would include debug messages logged at notice
2771     and higher.
2772
2773     The following subsystems are used by the sudoers plugin:
2774
2775     alias     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
2776
2777     all       matches every subsystem
2778
2779     audit     BSM and Linux audit code
2780
2781     auth      user authentication
2782
2783     defaults  sudoers file Defaults settings
2784
2785     env       environment handling
2786
2787     ldap      LDAP-based sudoers
2788
2789     logging   logging support
2790
2791     match     matching of users, groups, hosts and netgroups in the sudoers
2792               file
2793
2794     netif     network interface handling
2795
2796     nss       network service switch handling in sudoers
2797
2798     parser    sudoers file parsing
2799
2800     perms     permission setting
2801
2802     plugin    The equivalent of main for the plugin.
2803
2804     pty       pseudo-tty related code
2805
2806     rbtree    redblack tree internals
2807
2808     sssd      SSSD-based sudoers
2809
2810     util      utility functions
2811     For example:
2812
2813     Debug sudo /var/log/sudo_debug match@info,nss@info
2814
2815     For more information, see the sudo.conf(5) manual.
2816

SEE ALSO

2818     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(5),
2819     sudoers.ldap(5), sudo(8), sudo_plugin(5), sudoers_timestamp(5), visudo(8)
2820

AUTHORS

2822     Many people have worked on sudo over the years; this version consists of
2823     code written primarily by:
2824
2825           Todd C. Miller
2826
2827     See the CONTRIBUTORS file in the sudo distribution
2828     (https://www.sudo.ws/contributors.html) for an exhaustive list of people
2829     who have contributed to sudo.
2830

CAVEATS

2832     The sudoers file should always be edited by the visudo command which
2833     locks the file and does grammatical checking.  It is imperative that the
2834     sudoers file be free of syntax errors since sudo will not run with a syn‐
2835     tactically incorrect sudoers file.
2836
2837     When using netgroups of machines (as opposed to users), if you store
2838     fully qualified host name in the netgroup (as is usually the case), you
2839     either need to have the machine's host name be fully qualified as
2840     returned by the hostname command or use the fqdn option in sudoers.
2841

BUGS

2843     If you feel you have found a bug in sudo, please submit a bug report at
2844     https://bugzilla.sudo.ws/
2845

SUPPORT

2847     Limited free support is available via the sudo-users mailing list, see
2848     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
2849     the archives.
2850

DISCLAIMER

2852     sudo is provided “AS IS” and any express or implied warranties, includ‐
2853     ing, but not limited to, the implied warranties of merchantability and
2854     fitness for a particular purpose are disclaimed.  See the LICENSE file
2855     distributed with sudo or https://www.sudo.ws/license.html for complete
2856     details.
2857
2858Sudo 1.8.23                     April 18, 2018                     Sudo 1.8.23
Impressum