SUDOERS(5)                    BSD File Formats Manual                   SUDOERS(5)

NAME
sudoers — default sudo security policy plugin

DESCRIPTION
The sudoers policy plugin determines a user's sudo privileges. It is the
default sudo policy plugin. The policy is driven by the /etc/sudoers
file or, optionally, in LDAP. The policy format is described in detail
in the SUDOERS FILE FORMAT section. For information on storing sudoers
policy information in LDAP, see sudoers.ldap(5).

Configuring sudo.conf for sudoers
sudo consults the sudo.conf(5) file to determine which plugins to load.
If no sudo.conf(5) file is present, or if it contains no Plugin lines,
sudoers will be used for auditing, policy decisions and I/O logging. To
explicitly configure sudo.conf(5) to use the sudoers plugin, the
following configuration can be used.

    Plugin sudoers_audit sudoers.so
    Plugin sudoers_policy sudoers.so
    Plugin sudoers_io sudoers.so

Starting with sudo 1.8.5, it is possible to specify optional arguments to
the sudoers plugin in the sudo.conf(5) file. Plugin arguments, if any,
should be listed after the path to the plugin (i.e., after sudoers.so).
The arguments are only effective for the plugin that opens (and parses)
the sudoers file.

For sudo version 1.9.1 and higher, this is the sudoers_audit plugin. For
older versions, it is the sudoers_policy plugin. Multiple arguments may
be specified, separated by white space. For example:

    Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false

The following plugin arguments are supported:

error_recovery=bool
    The error_recovery argument can be used to control whether sudoers
    should attempt to recover from syntax errors in the sudoers file.
    If set to true (the default), sudoers will try to recover from a
    syntax error by discarding the portion of the line that contains
    the error until the end of the line. A value of false will disable
    error recovery. Prior to version 1.9.3, no error recovery was
    performed.

ldap_conf=pathname
    The ldap_conf argument can be used to override the default path to
    the ldap.conf file.

ldap_secret=pathname
    The ldap_secret argument can be used to override the default path
    to the ldap.secret file.

sudoers_file=pathname
    The sudoers_file argument can be used to override the default path
    to the sudoers file.

sudoers_uid=user-ID
    The sudoers_uid argument can be used to override the default owner
    of the sudoers file. It should be specified as a numeric user-ID.

sudoers_gid=group-ID
    The sudoers_gid argument can be used to override the default group
    of the sudoers file. It must be specified as a numeric group-ID
    (not a group name).

sudoers_mode=mode
    The sudoers_mode argument can be used to override the default file
    mode for the sudoers file. It should be specified as an octal
    value.

For more information on configuring sudo.conf(5), refer to its manual.

User Authentication
The sudoers security policy requires that most users authenticate
themselves before they can use sudo. A password is not required if the
invoking user is root, if the target user is the same as the invoking user,
or if the policy has disabled authentication for the user or command.
Unlike su(1), when sudoers requires authentication, it validates the
invoking user's credentials, not the target user's (or root's) credentials.
This can be changed via the rootpw, targetpw and runaspw flags, described
later.

If a user who is not listed in the policy tries to run a command via
sudo, mail is sent to the proper authorities. The address used for such
mail is configurable via the mailto Defaults entry (described later) and
defaults to root.

No mail will be sent if an unauthorized user tries to run sudo with the
-l or -v option unless there is an authentication error and either the
mail_always or mail_badpass flags are enabled. This allows users to
determine for themselves whether or not they are allowed to use sudo. By
default, all attempts to run sudo (successful or not) are logged,
regardless of whether or not mail is sent.

If sudo is run by root and the SUDO_USER environment variable is set, the
sudoers policy will use this value to determine who the actual user is.
This can be used by a user to log commands through sudo even when a root
shell has been invoked. It also allows the -e option to remain useful
even when invoked via a sudo-run script or program. Note, however, that
the sudoers file lookup is still done for root, not the user specified by
SUDO_USER.

sudoers uses per-user time stamp files for credential caching. Once a
user has been authenticated, a record is written containing the user-ID
that was used to authenticate, the terminal session ID, the start time of
the session leader (or parent process) and a time stamp (using a
monotonic clock if one is available). The user may then use sudo without a
password for a short period of time (5 minutes unless overridden by the
timestamp_timeout option). By default, sudoers uses a separate record
for each terminal, which means that a user's login sessions are
authenticated separately. The timestamp_type option can be used to select the
type of time stamp record sudoers will use.

Logging
By default, sudoers logs both successful and unsuccessful attempts (as
well as errors). The log_allowed and log_denied flags can be used to
control this behavior. Messages can be logged to syslog(3), a log file,
or both. The default is to log to syslog(3) but this is configurable via
the syslog and logfile settings. See EVENT LOGGING for a description of
the log file format.

sudoers is also capable of running a command in a pseudo-terminal and
logging input and/or output. The standard input, standard output, and
standard error can be logged even when not associated with a terminal.
For more information about I/O logging, see the I/O LOGGING section.

Starting with version 1.9, the log_servers setting may be used to send
event and I/O log data to a remote server running sudo_logsrvd or another
service that implements the protocol described by sudo_logsrv.proto(5).

Command environment
Since environment variables can influence program behavior, sudoers
provides a means to restrict which variables from the user's environment are
inherited by the command to be run. There are two distinct ways sudoers
can deal with environment variables.

By default, the env_reset flag is enabled. This causes commands to be
executed with a new, minimal environment. On AIX (and Linux systems
without PAM), the environment is initialized with the contents of the
/etc/environment file. The HOME, MAIL, SHELL, LOGNAME and USER
environment variables are initialized based on the target user and the SUDO_*
variables are set based on the invoking user. Additional variables, such
as DISPLAY, PATH and TERM, are preserved from the invoking user's
environment if permitted by the env_check or env_keep options. A few
environment variables are treated specially. If the PATH and TERM variables
are not preserved from the user's environment, they will be set to
default values. LOGNAME and USER are handled as a single entity. If
one of them is preserved (or removed) from the user's environment, the
other will be as well. If LOGNAME and USER are to be preserved but only
one of them is present in the user's environment, the other will be set
to the same value. This avoids an inconsistent environment where one of
the variables describing the user name is set to the invoking user and
one is set to the target user. Environment variables with a value
beginning with ‘()’ are removed unless both the name and value parts are
matched by env_keep or env_check, as they may be interpreted as functions
by the bash shell. Prior to version 1.8.11, such variables were always
removed.

If, however, the env_reset flag is disabled, any variables not explicitly
denied by the env_check and env_delete options are allowed and their
values are inherited from the invoking process. Prior to version 1.8.21,
environment variables with a value beginning with ‘()’ were always
removed. Beginning with version 1.8.21, a pattern in env_delete is used to
match bash shell functions instead. Since it is not possible to block
all potentially dangerous environment variables, use of the default
env_reset behavior is encouraged.

Environment variables specified by env_check, env_delete, or env_keep may
include one or more ‘*’ characters which will match zero or more
characters. No other wildcard characters are supported.

By default, environment variables are matched by name. However, if the
pattern includes an equal sign (‘=’), both the variable's name and value
must match. For example, a bash shell function could be matched as
follows:

    env_keep += "BASH_FUNC_my_func%%=()*"

Without the ‘=()*’ suffix, this would not match, as bash shell functions
are not preserved by default.

The complete list of environment variables that are preserved or removed,
as modified by global Defaults parameters in sudoers, is displayed when
sudo is run by root with the -V option. The list of environment
variables to remove varies based on the operating system sudo is running on.

Other sudoers options may influence the command environment, such as
always_set_home, secure_path, set_logname, and set_home.

On systems that support PAM where the pam_env module is enabled for sudo,
variables in the PAM environment may be merged into the environment. If
a variable in the PAM environment is already present in the user's
environment, the value will only be overridden if the variable was not
preserved by sudoers. When env_reset is enabled, variables preserved from
the invoking user's environment by the env_keep list take precedence over
those in the PAM environment. When env_reset is disabled, variables
present in the invoking user's environment take precedence over those in the
PAM environment unless they match a pattern in the env_delete list.

The dynamic linker on most operating systems will remove variables that
can control dynamic linking from the environment of set-user-ID
executables, including sudo. Depending on the operating system this may include
_RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These types
of variables are removed from the environment before sudo even begins
execution and, as such, it is not possible for sudo to preserve them.

As a special case, if the -i option (initial login) is specified, sudoers
will initialize the environment regardless of the value of env_reset.
The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL,
USER, and LOGNAME are set based on the target user. On AIX (and Linux
systems without PAM), the contents of /etc/environment are also included.
All other environment variables are removed unless permitted by env_keep
or env_check, described above.

Finally, the restricted_env_file and env_file files are applied, if
present. The variables in restricted_env_file are applied first and are
subject to the same restrictions as the invoking user's environment, as
detailed above. The variables in env_file are applied last and are not
subject to these restrictions. In both cases, variables present in the
files will only be set to their specified values if they would not
conflict with an existing environment variable.

SUDOERS FILE FORMAT
The sudoers file is composed of two types of entries: aliases (basically
variables) and user specifications (which specify who may run what).

When multiple entries match for a user, they are applied in order. Where
there are multiple matches, the last match is used (which is not
necessarily the most specific match).

The sudoers file grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
simple, and the definitions below are annotated.

Resource limits
By default, sudoers uses the operating system's native method of setting
resource limits for the target user. On Linux systems, resource limits
are usually set by the pam_limits.so PAM module. On some BSD systems,
the /etc/login.conf file specifies resource limits for the user. On AIX
systems, resource limits are configured in the /etc/security/limits file.
If there is no system mechanism to set per-user resource limits, the
command will run with the same limits as the invoking user. The one
exception to this is the core dump file size, which is set by sudoers to 0 by
default. Disabling core dumps by default makes it possible to avoid
potential security problems where the core file is treated as trusted
input.

Resource limits may also be set in the sudoers file itself, in which case
they override those set by the system. See the rlimit_as, rlimit_core,
rlimit_cpu, rlimit_data, rlimit_fsize, rlimit_locks, rlimit_memlock,
rlimit_nofile, rlimit_nproc, rlimit_rss, rlimit_stack options described
below. Resource limits in sudoers may be specified in one of the
following formats:

“value”
    Both the soft and hard resource limits are set to the same value.
    The special value “infinity” can be used to indicate that the
    value is unlimited.

“soft,hard”
    Two comma-separated values. The soft limit is set to the first
    value and the hard limit is set to the second. Both values must
    either be enclosed in a set of double quotes, or the comma must
    be escaped with a backslash (‘\’). The special value “infinity”
    may be used in place of either value.

“default”
    The default resource limit for the user will be used. This may
    be a user-specific value (see above) or the value of the resource
    limit when sudo was invoked for systems that don't support per-
    user limits.

“user”
    The invoking user's resource limits will be preserved when
    running the command.

For example, to restore the historic core dump file size behavior, a line
like the following may be used.

    Defaults rlimit_core=default

Resource limits in sudoers are only supported by version 1.8.7 or higher.
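The four value formats above map onto the (soft, hard) pair that setrlimit(2) takes. The parser below is an added example, not sudoers' own code: it accepts the quoted and backslash-escaped forms, resolves “default” and “user” from values the caller supplies, and rejects a soft limit above the hard limit, which the kernel would refuse. RLIM_INFINITY here is a constructed stand-in for the OS constant.

```python
import re

RLIM_INFINITY = float("inf")   # constructed stand-in for the OS RLIM_INFINITY value


def _limit_value(text):
    """One limit: a non-negative integer or the word 'infinity'."""
    text = text.strip()
    if text == "infinity":
        return RLIM_INFINITY
    if not text.isdigit():
        raise ValueError("resource limit must be a number or 'infinity': %r" % text)
    return int(text)


def parse_rlimit(spec, invoking_limits, system_default):
    """Parse one rlimit_* value as written in sudoers into a (soft, hard) pair.

    spec            -- the value text, still carrying its double quotes if any
    invoking_limits -- (soft, hard) of the invoking user, used for "user"
    system_default  -- (soft, hard) the system would apply, used for "default"
    """
    quoted = len(spec) >= 2 and spec[0] == '"' and spec[-1] == '"'
    body = spec[1:-1] if quoted else spec
    if body == "default":
        return system_default
    if body == "user":
        return invoking_limits
    if not quoted:
        # Unquoted, a bare comma would end the Defaults parameter, so it must be "\,".
        if re.search(r"(?<!\\),", body):
            raise ValueError("unescaped ',' in unquoted limit: %r" % spec)
        body = body.replace("\\,", ",")
    parts = body.split(",")
    if len(parts) == 1:
        soft = hard = _limit_value(parts[0])
    elif len(parts) == 2:
        soft, hard = _limit_value(parts[0]), _limit_value(parts[1])
    else:
        raise ValueError("expected 'value' or 'soft,hard': %r" % spec)
    if soft > hard:
        # setrlimit(2) rejects a soft limit that exceeds the hard limit.
        raise ValueError("soft limit exceeds hard limit: %r" % spec)
    return (soft, hard)


def rejects(spec, invoking_limits=(1, 2), system_default=(3, 4)):
    """True if parse_rlimit refuses the value (used to show the error cases)."""
    try:
        parse_rlimit(spec, invoking_limits, system_default)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample limits for the invoking user and the system default.
    for value in ('0', 'infinity', '"1024,4096"', '1024\\,infinity', 'default', 'user'):
        print("%-18s -> %s" % (value, parse_rlimit(value, (0, 0), (1024, 8192))))
```

Note that the page's “Defaults rlimit_core=default” line therefore resolves to whatever the system would have applied (the system_default argument), while “0”, the compiled-in default, pins both limits to zero.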

Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of production rules. For example:

    symbol ::= definition | alternate1 | alternate2 ...

Each production rule references others and thus makes up a grammar for
the language. EBNF also contains the following operators, which many
readers will recognize from regular expressions. Do not, however,
confuse them with “wildcard” characters, which have different meanings.

?   Means that the preceding symbol (or group of symbols) is optional.
    That is, it may appear once or not at all.

*   Means that the preceding symbol (or group of symbols) may appear
    zero or more times.

+   Means that the preceding symbol (or group of symbols) may appear
    one or more times.

Parentheses may be used to group symbols together. For clarity, we will
use single quotes ('') to designate what is a verbatim character string
(as opposed to a symbol name).

Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
Cmnd_Alias. Beginning with sudo 1.9.0, Cmd_Alias may be used in place of
Cmnd_Alias if desired.

    Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
              'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
              'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
              'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)* |
              'Cmd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*

    User_Alias ::= NAME

    User_Alias_Spec ::= User_Alias '=' User_List

    Runas_Alias ::= NAME

    Runas_Alias_Spec ::= Runas_Alias '=' Runas_List

    Host_Alias ::= NAME

    Host_Alias_Spec ::= Host_Alias '=' Host_List

    Cmnd_Alias ::= NAME

    Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List

    NAME ::= [A-Z]([A-Z][0-9]_)*

Each alias definition is of the form

    Alias_Type NAME = item1, item2, ...

where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
underscore characters (‘_’). A NAME must start with an uppercase letter. It
is possible to put several alias definitions of the same type on a single
line, joined by a colon (‘:’). For example:

    Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

It is a syntax error to redefine an existing alias. It is possible to
use the same name for aliases of different types, but this is not
recommended.

The definitions of what constitutes a valid alias member follow.

    User_List ::= User |
                  User ',' User_List

    User ::= '!'* user name |
             '!'* #user-ID |
             '!'* %group |
             '!'* %#group-ID |
             '!'* +netgroup |
             '!'* %:nonunix_group |
             '!'* %:#nonunix_gid |
             '!'* User_Alias

A User_List is made up of one or more user names, user-IDs (prefixed with
‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’
respectively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
(prefixed with ‘%:’ and ‘%:#’ respectively), and User_Aliases. Each list
item may be prefixed with zero or more ‘!’ operators. An odd number of
‘!’ operators negates the value of the item; an even number just cancels
out. User netgroups are matched using the user and domain
members only; the host member is not used when matching.

A user name, user-ID, group, group-ID, netgroup, nonunix_group or
nonunix_gid may be enclosed in double quotes to avoid the need for
escaping special characters. Alternately, special characters may be specified
in escaped hex mode, e.g., \x20 for space. When using double quotes, any
prefix characters must be included inside the quotes.

The actual nonunix_group and nonunix_gid syntax depends on the underlying
group provider plugin. For instance, the QAS AD plugin supports the
following formats:

• Group in the same domain: "%:Group Name"

• Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

• Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

See GROUP PROVIDER PLUGINS for more information.

Quotes around group names are optional. Unquoted strings must use a
backslash (‘\’) to escape spaces and special characters. See Other
special characters and reserved words for a list of characters that need
to be escaped.

    Runas_List ::= Runas_Member |
                   Runas_Member ',' Runas_List

    Runas_Member ::= '!'* user name |
                     '!'* #user-ID |
                     '!'* %group |
                     '!'* %#group-ID |
                     '!'* %:nonunix_group |
                     '!'* %:#nonunix_gid |
                     '!'* +netgroup |
                     '!'* Runas_Alias |
                     '!'* ALL

A Runas_List is similar to a User_List except that instead of
User_Aliases it can contain Runas_Aliases. User names and groups are
matched as strings. In other words, two users (groups) with the same
user (group) ID are considered to be distinct. If you wish to match all
user names with the same user-ID (e.g., root and toor), you can use a
user-ID instead of a name (#0 in the example given). The user-ID or
group-ID specified in a Runas_Member need not be listed in the password
or group database.

    Host_List ::= Host |
                  Host ',' Host_List

    Host ::= '!'* host name |
             '!'* ip_addr |
             '!'* network(/netmask)? |
             '!'* +netgroup |
             '!'* Host_Alias |
             '!'* ALL

A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with ‘+’), and other aliases. Again, the
value of an item may be negated with the ‘!’ operator. Host netgroups
are matched using the host (both qualified and unqualified) and domain
members only; the user member is not used when matching. If you specify
a network number without a netmask, sudo will query each of the local
host's network interfaces and, if the network number corresponds to one
of the host's network interfaces, will use the netmask of that
interface. The netmask may be specified either in standard IP address
notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
(number of bits, e.g., 24 or 64). A host name may include shell-style
wildcards (see the Wildcards section below), but unless the hostname
command on your machine returns the fully qualified host name, you'll need
to use the fqdn flag for wildcards to be useful. sudo only inspects
actual network interfaces; this means that IP address 127.0.0.1 (localhost)
will never match. Also, the host name “localhost” will only match if
that is the actual host name, which is usually only the case for
non-networked systems.

    digest ::= [A-Fa-f0-9]+ |
               [A-Za-z0-9\+/=]+

    Digest_Spec ::= "sha224" ':' digest |
                    "sha256" ':' digest |
                    "sha384" ':' digest |
                    "sha512" ':' digest

    Digest_List ::= Digest_Spec |
                    Digest_Spec ',' Digest_List

    Cmnd_List ::= Cmnd |
                  Cmnd ',' Cmnd_List

    command name ::= regex |
                     file name

    command ::= command name |
                command name args |
                command name regex |
                command name '""' |
                ALL

    Edit_Spec ::= "sudoedit" file name+ |
                  "sudoedit" regex |
                  "sudoedit"

    List_Spec ::= "list"

    Cmnd ::= Digest_List? '!'* command |
             '!'* directory |
             '!'* Edit_Spec |
             '!'* List_Spec |
             '!'* Cmnd_Alias

A Cmnd_List is a list of one or more commands, directories, or aliases.
A command is a fully qualified file name, which may include shell-style
wildcards (see the Wildcards section below), or a regular expression that
starts with ‘^’ and ends with ‘$’ (see the Regular expressions section
below). A directory is a fully qualified path name ending in a ‘/’.
When you specify a directory in a Cmnd_List, the user will be able to run
any file within that directory (but not in any sub-directories therein).
If no command line arguments are specified, the user may run the command
with any arguments they choose. Command line arguments can include
wildcards or be a regular expression that starts with ‘^’ and ends with ‘$’.
If the command line arguments consist of ‘""’, the command may only be
run with no arguments.

If a Cmnd has associated command line arguments, the arguments in the
Cmnd must match those given by the user on the command line. If the
arguments in a Cmnd begin with the ‘^’ character, they will be interpreted
as a regular expression and matched accordingly. Otherwise, shell-style
wildcards are used when matching. Unless a regular expression is specified,
the following characters must be escaped with a ‘\’ if they are
used in command arguments: ‘,’, ‘:’, ‘=’, ‘\’. To prevent arguments in a
Cmnd that begin with a ‘^’ character from being interpreted as a regular
expression, the ‘^’ must be escaped with a ‘\’.

There are two commands built into sudo itself: “list” and “sudoedit”.
Unlike other commands, these two must be specified in the sudoers file
without a leading path.

The “list” built-in can be used to permit a user to list another user's
privileges with sudo's -U option. For example, “sudo -l -U otheruser”.
A user with the “list” privilege is able to list another user's
privileges even if they don't have permission to run commands as that user.
By default, only root or a user with the ability to run any command as
either root or the specified user on the current host may use the -U
option. No command line arguments may be specified with the “list”
built-in.

The “sudoedit” built-in is used to permit a user to run sudo with the -e
option (or as sudoedit). It may take command line arguments just as a
normal command does. Unlike other commands, “sudoedit” is built into
sudo itself and must be specified in the sudoers file without a leading
path. If a leading path is present, for example /usr/bin/sudoedit, the
path name will be silently converted to “sudoedit”. A fully-qualified
path for sudoedit is treated as an error by visudo.

A command may be preceded by a Digest_List, a comma-separated list of one
or more Digest_Spec entries. If a Digest_List is present, the command
will only match successfully if it can be verified using one of the SHA-2
digests in the list. Starting with version 1.9.0, the ALL reserved word
can be used in conjunction with a Digest_List. The following digest
formats are supported: sha224, sha256, sha384, and sha512. The string may
be specified in either hex or base64 format (base64 is more compact).
There are several utilities capable of generating SHA-2 digests in hex
format such as openssl, shasum, sha224sum, sha256sum, sha384sum,
sha512sum.

For example, using openssl:

    $ openssl dgst -sha224 /bin/ls
    SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25

It is also possible to use openssl to generate base64 output:

    $ openssl dgst -binary -sha224 /bin/ls | openssl base64
    EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==

Warning: if the user has write access to the command itself (directly or
via a sudo command), it may be possible for the user to replace the
command after the digest check has been performed but before the command is
executed. A similar race condition exists on systems that lack the
fexecve(2) system call when the directory in which the command is located
is writable by the user. See the description of the fdexec setting for
more information on how sudo executes commands that have an associated
digest.

Command digests are only supported by version 1.8.7 or higher.
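How a Digest_List is parsed and checked against a command's contents, written as an added example rather than sudoers' own code: each Digest_Spec is split on the ‘:’, the digest text is decoded as hex when it is exactly the algorithm's hex length and as base64 otherwise (mirroring the two alternatives of the digest production above), and the command matches if any entry agrees with its SHA-2 hash. The command bytes are a constructed stand-in for a real file; the hex and base64 pair from the openssl output above is used to show that both encodings decode to the same digest.

```python
import base64
import binascii
import hashlib
import hmac
import re

DIGEST_BYTES = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def decode_digest(algo, text):
    """Return the raw digest for one Digest_Spec, accepting hex or base64 text.

    A base64-encoded 28..64-byte digest is never as long as its hex form, so the
    length check decides which alternative of the grammar applies.
    """
    want = DIGEST_BYTES[algo]
    if len(text) == 2 * want and re.fullmatch(r"[A-Fa-f0-9]+", text):
        return bytes.fromhex(text)
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", text):
        raise ValueError("digest is neither hex nor base64: %r" % text)
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64 digest %r" % text) from exc
    if len(raw) != want:
        raise ValueError("%s digest must be %d bytes, got %d" % (algo, want, len(raw)))
    return raw


def parse_digest_list(spec):
    """'sha224:<digest>,sha256:<digest>' -> [(algo, raw_bytes), ...]"""
    entries = []
    for item in spec.split(","):
        algo, sep, text = item.strip().partition(":")
        if not sep or algo not in DIGEST_BYTES:
            raise ValueError("unsupported Digest_Spec: %r" % item)
        entries.append((algo, decode_digest(algo, text.strip())))
    return entries


def command_matches(contents, digest_list):
    """True if the command's bytes hash to any digest in the list."""
    for algo, want in parse_digest_list(digest_list):
        got = hashlib.new(algo, contents).digest()
        if hmac.compare_digest(got, want):
            return True
    return False


def rejects(digest_list):
    """True if the Digest_List is malformed (unknown algorithm, wrong length...)."""
    try:
        parse_digest_list(digest_list)
    except ValueError:
        return True
    return False


# Constructed stand-in for a command file; a real entry would hash /bin/ls etc.
SAMPLE_COMMAND = b"#!/bin/sh\necho hello\n"
SAMPLE_DIGEST_LIST = "sha224:" + hashlib.sha224(SAMPLE_COMMAND).hexdigest()


def sample_base64_entry():
    """The same digest in the compact form that 'openssl base64' would print."""
    return "sha224:" + base64.b64encode(hashlib.sha224(SAMPLE_COMMAND).digest()).decode()


if __name__ == "__main__":
    print(SAMPLE_DIGEST_LIST, command_matches(SAMPLE_COMMAND, SAMPLE_DIGEST_LIST))
    print(sample_base64_entry(), command_matches(SAMPLE_COMMAND, sample_base64_entry()))
    print("tampered:", command_matches(SAMPLE_COMMAND + b"# changed\n", SAMPLE_DIGEST_LIST))
```

The check only covers the bytes that were hashed; as the warning above says, a file the user can rewrite between the hash and the exec, or a writable directory on a system without fexecve(2), defeats it, which is why the digest belongs on a command the user cannot modify.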
561
562 Defaults
563 Certain configuration options may be changed from their default values at
564 run-time via one or more Default_Entry lines. These may affect all users
565 on any host, all users on a specific host, a specific user, a specific
566 command, or commands being run as a specific user. Per-command entries
567 may not include command line arguments. If you need to specify argu‐
568 ments, define a Cmnd_Alias and reference that instead.
569
570 Default_Type ::= 'Defaults' |
571 'Defaults' '@' Host_List |
572 'Defaults' ':' User_List |
573 'Defaults' '!' Cmnd_List |
574 'Defaults' '>' Runas_List
575
576 Default_Entry ::= Default_Type Parameter_List
577
578 Parameter_List ::= Parameter |
579 Parameter ',' Parameter_List
580
581 Parameter ::= Parameter '=' Value |
582 Parameter '+=' Value |
583 Parameter '-=' Value |
584 '!'* Parameter
585
586 Parameters may be flags, integer values, strings, or lists. Flags are
587 implicitly boolean and can be turned off via the ‘!’ operator. Some in‐
588 teger, string and list parameters may also be used in a boolean context
589 to disable them. Values may be enclosed in double quotes ("") when they
590 contain multiple words. Special characters may be escaped with a back‐
591 slash (‘\’).
592
593 To include a literal backslash character in a command line argument you
594 must escape the backslash twice. For example, to match ‘\n’ as part of a
595 command line argument, you must use ‘\\\\n’ in the sudoers file. This is
596 due to there being two levels of escaping, one in the sudoers parser it‐
597 self and another when command line arguments are matched by the
598 fnmatch(3) or regexec(3) function.
599
600 Lists have two additional assignment operators, ‘+=’ and ‘-=’. These op‐
601 erators are used to add to and delete from a list respectively. It is
602 not an error to use the ‘-=’ operator to remove an element that does not
603 exist in a list.
604
605 Defaults entries are parsed in the following order: global, host, user,
606 and runas Defaults first, then command defaults. If there are multiple
607 Defaults settings of the same type, the last matching setting is used.
608 The following Defaults settings are parsed before all others since they
609 may affect subsequent entries: fqdn, group_plugin, runas_default,
610 sudoers_locale.
611
612 See SUDOERS OPTIONS for a list of supported Defaults parameters.
613
614 User specification
615 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
616 (':' Host_List '=' Cmnd_Spec_List)*
617
618 Cmnd_Spec_List ::= Cmnd_Spec |
619 Cmnd_Spec ',' Cmnd_Spec_List
620
621 Cmnd_Spec ::= Runas_Spec? Option_Spec* (Tag_Spec ':')* Cmnd
622
623 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
624
625 Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
626
627 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
628
629 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
630
631 Timeout_Spec ::= 'TIMEOUT=timeout'
632
633 Chdir_Spec ::= 'CWD=directory'
634
635 Chroot_Spec ::= 'CHROOT=directory'
636
637 Tag_Spec ::= ('EXEC' | 'NOEXEC' | 'FOLLOW' | 'NOFOLLOW' |
638 'LOG_INPUT' | 'NOLOG_INPUT' | 'LOG_OUTPUT' |
639 'NOLOG_OUTPUT' | 'MAIL' | 'NOMAIL' | 'INTERCEPT' |
640 'NOINTERCEPT' | 'PASSWD' | 'NOPASSWD' | 'SETENV' |
641 'NOSETENV')
642
643 A user specification determines which commands a user may run (and as
644 what user) on specified hosts. By default, commands are run as root (un‐
645 less runas_default has been set to a different value) but this can also
646 be changed on a per-command basis.
647
648 The basic structure of a user specification is “who where = (as_whom)
649 what”. Let's break that down into its constituent parts:
650
651 Runas_Spec
652 A Runas_Spec determines the user and/or the group that a command may be
653 run as. A fully-specified Runas_Spec consists of two Runas_Lists (as de‐
654 fined above) separated by a colon (‘:’) and enclosed in a set of paren‐
655 theses. The first Runas_List indicates which users the command may be
656 run as via the -u option. The second defines a list of groups that may
657 be specified via the -g option (in addition to any of the target user's
658 groups). If both Runas_Lists are specified, the command may be run with
659 any combination of users and groups listed in their respective
660 Runas_Lists. If only the first is specified, the command may be run as
661 any user in the list and, optionally, with any group the target user be‐
662 longs to. If the first Runas_List is empty but the second is specified,
663 the command may be run as the invoking user with the group set to any
664 listed in the Runas_List. If both Runas_Lists are empty, the command may
665 only be run as the invoking user and the group, if specified, must be one
666 that the invoking user is a member of. If no Runas_Spec is specified,
667 the command may only be run as the runas_default user (root by default)
668 and the group, if specified, must be one that the runas_default user is a
669 member of.
670
671 A Runas_Spec sets the default for the commands that follow it. What this
672 means is that for the entry:
673
674 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
675
676 The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
677 boulder—but only as operator. For example:
678
679 $ sudo -u operator /bin/ls
680
681 It is also possible to override a Runas_Spec later on in an entry. If we
682 modify the entry like so:
683
684 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
685
686 Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
687 and /usr/bin/lprm as root.
688
689 We can extend this to allow dgb to run /bin/ls with either the user or
690 group set to operator:
691
692 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
693 /usr/bin/lprm
694
695 While the group portion of the Runas_Spec permits the user to run a
696 command with that group, it does not force the user to do so. If no group
697 is specified on the command line, the command will run with the group
698 listed in the target user's password database entry. The following would
699 all be permitted by the sudoers entry above:
700
701 $ sudo -u operator /bin/ls
702 $ sudo -u operator -g operator /bin/ls
703 $ sudo -g operator /bin/ls
704
705 In the following example, user tcm may run commands that access a modem
706 device file with the dialer group.
707
708 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
709 /usr/local/bin/minicom
710
711 In this example only the group will be set, the command still runs as
712 user tcm. For example:
713
714 $ sudo -g dialer /usr/bin/cu
715
716 Multiple users and groups may be present in a Runas_Spec, in which case
717 the user may select any combination of users and groups via the -u and -g
718 options. In this example:
719
720 alan ALL = (root, bin : operator, system) ALL
721
722 user alan may run any command as either user root or bin, optionally set‐
723 ting the group to operator or system.
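The cases listed under Runas_Spec (both lists, user list only, empty user list with a group list, both lists empty, and no Runas_Spec at all) are easy to misread, so here is the decision procedure written out. This is an added illustration, not code from the sudo project: the USER_GROUPS table stands in for the password and group databases and is constructed for the example, and the rule that -g alone keeps the invoking user is taken from the page's own `sudo -g operator /bin/ls` example.

```python
"""Runas_Spec evaluation as described above. Added illustration, not code from
the sudo project; the user/group database below is constructed for the example."""
from typing import Optional, Sequence, Tuple

# Constructed stand-in for the password and group databases: user -> groups.
USER_GROUPS = {
    "root": {"root", "wheel"},
    "operator": {"operator"},
    "bin": {"bin"},
    "dgb": {"dgb", "staff"},
    "tcm": {"tcm"},
}

RunasSpec = Optional[Tuple[Sequence[str], Optional[Sequence[str]]]]


def parse_runas_spec(text: str) -> RunasSpec:
    """Parse the parenthesised part of a rule: "(root, bin : operator, system)" ->
    (["root", "bin"], ["operator", "system"]). Returns None when no Runas_Spec is
    present; the group list is None when there is no ':' at all."""
    text = text.strip()
    if not text:
        return None
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("a Runas_Spec must be enclosed in parentheses")
    user_part, colon, group_part = text[1:-1].partition(":")

    def words(s: str) -> list:
        return [w.strip() for w in s.split(",") if w.strip()]

    return words(user_part), (words(group_part) if colon else None)


def runas_allowed(spec: RunasSpec, invoking_user: str, want_user: Optional[str] = None,
                  want_group: Optional[str] = None, runas_default: str = "root",
                  user_groups=USER_GROUPS) -> bool:
    """Would sudo accept this combination of -u (want_user) and -g (want_group)?
    Follows the cases listed in the text: -u names the target user, -g alone keeps
    the invoking user, and no option at all means runas_default."""
    if want_user is not None:
        target = want_user
    elif want_group is not None:
        target = invoking_user
    else:
        target = runas_default
    target_groups = user_groups.get(target, set())
    group_is_targets = want_group is None or want_group in target_groups

    if spec is None:                       # no Runas_Spec: runas_default only
        return target == runas_default and group_is_targets
    users, groups = spec
    if users and groups:                   # "(root, bin : operator, system)"
        # Any listed user; the -g group may be a listed one or one of the target's own.
        # With -g alone the target is the invoking user (the page's "sudo -g operator" case).
        user_ok = target in users or (want_user is None and want_group is not None)
        return user_ok and (group_is_targets or want_group in groups)
    if users:                              # "(operator)": listed users, their own groups
        return target in users and group_is_targets
    if groups:                             # "(:dialer)": invoking user, listed groups
        return target == invoking_user and (want_group is None or want_group in groups)
    return target == invoking_user and group_is_targets   # "()": invoking user only
```

Running `runas_allowed(parse_runas_spec("(:dialer)"), "tcm")` with no options returns False because the command would default to root, which is exactly why the tcm rule above only works together with `-g dialer`.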
724
725 Option_Spec
726 A Cmnd may have zero or more options associated with it. Options may
727 consist of SELinux roles and/or types, start and/or end dates and command
728 timeouts. Once an option is set for a Cmnd, subsequent Cmnds in the
729 Cmnd_Spec_List inherit that option unless it is overridden by another
730 option. Option names are reserved words in sudoers. This means that
731 none of the valid option names (see below) can be used when declaring an
732 alias.
733
734 SELinux_Spec
735 On systems with SELinux support, sudoers file entries may optionally have
736 an SELinux role and/or type associated with a command. This can be used
737 to implement a form of role-based access control (RBAC). If a role or
738 type is specified with the command it will override any default values
739 specified in sudoers. A role or type specified on the command line, how‐
740 ever, will supersede the values in sudoers.
741
742 Date_Spec
743 sudoers rules can be specified with a start and end date via the
744 NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
745 “Generalized Time” as defined by RFC 4517. The format is effectively
746 ‘yyyymmddHHMMSSZ’ where the minutes and seconds are optional. The ‘Z’
747 suffix indicates that the time stamp is in Coordinated Universal Time
748 (UTC). It is also possible to specify a timezone offset from UTC in
749 hours and minutes instead of a ‘Z’. For example, ‘-0500’ would corre‐
750 spond to Eastern Standard time in the US. As an extension, if no ‘Z’ or
751 timezone offset is specified, local time will be used.
752
753 The following are all valid time stamps:
754
755 20170214083000Z
756 2017021408Z
757 20160315220000-0500
758 20151201235900
759
760 Timeout_Spec
761 A command may have a timeout associated with it. If the timeout expires
762 before the command has exited, the command will be terminated. The time‐
763 out may be specified in combinations of days, hours, minutes, and seconds
764 with a single-letter case-insensitive suffix that indicates the unit of
765 time. For example, a timeout of 7 days, 8 hours, 30 minutes, and 10 sec‐
766 onds would be written as ‘7d8h30m10s’. If a number is specified without
767 a unit, seconds are assumed. Any of the days, minutes, hours, or seconds
768 may be omitted. The order must be from largest to smallest unit and a
769 unit may not be specified more than once.
770
771 The following are all valid timeout values: ‘7d8h30m10s’, ‘14d’, ‘8h30m’,
772 ‘600s’, ‘3600’. The following are invalid timeout values: ‘12m2w1d’,
773 ‘30s10m4h’, ‘1d2d3h’.
774
775 This setting is only supported by version 1.8.20 or higher.
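Both the Date_Spec and the Timeout_Spec rules above are precise enough to check mechanically, and a validator is a useful thing to run over a sudoers fragment before committing it. The following is an added example, not code from the sudo project; it uses Python's datetime module in place of sudoers' own parser and accepts exactly the forms listed above (the bare-number and case-insensitive-unit rules for timeouts, the 'Z', '+hhmm'/'-hhmm' and local-time forms for time stamps).

```python
"""Validators for the NOTBEFORE/NOTAFTER time stamps and TIMEOUT values described
above. Added example, not code from the sudo project."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# yyyymmddHH, optionally MM and SS, then 'Z', a +hhmm/-hhmm offset, or nothing (local time).
GENTIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(Z|[+-]\d{4})?$")


def parse_generalized_time(text: str, local_tz=None) -> datetime:
    """Parse a sudoers Generalized Time value into a timezone-aware datetime."""
    m = GENTIME_RE.match(text)
    if not m:
        raise ValueError(f"not a valid Generalized Time value: {text!r}")
    year, month, day, hour = (int(x) for x in m.group(1, 2, 3, 4))
    minute, second = int(m.group(5) or 0), int(m.group(6) or 0)
    zone = m.group(7)
    if zone is None:                  # sudoers extension: no suffix means local time
        tz = local_tz or datetime.now().astimezone().tzinfo
    elif zone == "Z":
        tz = timezone.utc
    else:                             # e.g. '-0500' for US Eastern Standard Time
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5])))
    return datetime(year, month, day, hour, minute, second, tzinfo=tz)


def rule_active(now: datetime, notbefore: Optional[str] = None,
                notafter: Optional[str] = None, local_tz=None) -> bool:
    """Is a rule carrying these NOTBEFORE/NOTAFTER values in effect at `now`?"""
    if notbefore and now < parse_generalized_time(notbefore, local_tz):
        return False
    if notafter and now > parse_generalized_time(notafter, local_tz):
        return False
    return True


UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}   # largest to smallest


def parse_timeout(text: str) -> int:
    """Convert a TIMEOUT value such as '7d8h30m10s' to seconds. A bare number is
    seconds; units are case-insensitive, must run from largest to smallest, and may
    not repeat. Raises ValueError for malformed values like '12m2w1d' or '1d2d3h'."""
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(?:\d+[a-zA-Z])+", text):
        raise ValueError(f"malformed timeout: {text!r}")
    order = list(UNIT_SECONDS)
    total, last_rank = 0, -1
    for number, unit in re.findall(r"(\d+)([a-zA-Z])", text):
        unit = unit.lower()
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        rank = order.index(unit)
        if rank <= last_rank:
            raise ValueError(f"units out of order or repeated in {text!r}")
        last_rank = rank
        total += int(number) * UNIT_SECONDS[unit]
    return total


def is_valid_timeout(text: str) -> bool:
    try:
        parse_timeout(text)
        return True
    except ValueError:
        return False
```

The two invalid forms the text names fail for different reasons: '12m2w1d' contains an unknown unit, while '30s10m4h' and '1d2d3h' break the largest-to-smallest, no-repeat ordering.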
776
777 Chdir_Spec
778 The working directory that the command will be run in can be specified
779 using the CWD setting. The directory must be a fully-qualified path name
780 beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
781 of “*” indicates that the user may specify the working directory by run‐
782 ning sudo with the -D option. By default, commands are run from the in‐
783 voking user's current working directory, unless the -i option is given.
784 Path names of the form ~user/path/name are interpreted as being relative
785 to the named user's home directory. If the user name is omitted, the
786 path will be relative to the runas user's home directory.
787
788 This setting is only supported by version 1.9.3 or higher.
789
790 Chroot_Spec
791 The root directory that the command will be run in can be specified using
792 the CHROOT setting. The directory must be a fully-qualified path name
793 beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
794 of “*” indicates that the user may specify the root directory by running
795 sudo with the -R option. This setting can be used to run the command in
796 a chroot(2) “sandbox” similar to the chroot(8) utility. Path names of
797 the form ~user/path/name are interpreted as being relative to the named
798 user's home directory. If the user name is omitted, the path will be
799 relative to the runas user's home directory.
800
801 This setting is only supported by version 1.9.3 or higher.
802
803 Tag_Spec
804 A command may have zero or more tags associated with it. The following
805 tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
806 NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, INTERCEPT,
807 NOINTERCEPT, PASSWD, NOPASSWD, SETENV, and NOSETENV. Once a tag is set
808 on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
809 it is overridden by the opposite tag (in other words, PASSWD overrides
810 NOPASSWD and NOEXEC overrides EXEC).
811
812 EXEC and NOEXEC
813
814 If sudo has been compiled with noexec support and the underlying oper‐
815 ating system supports it, the NOEXEC tag can be used to prevent a dy‐
816 namically-linked executable from running further commands itself.
817
818 In the following example, user aaron may run /usr/bin/more and
819 /usr/bin/vi but shell escapes will be disabled.
820
821 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
822
823 See the Preventing shell escapes section below for more details on how
824 NOEXEC works and whether or not it will work on your system.
825
826 FOLLOW and NOFOLLOW
827
828 Starting with version 1.8.15, sudoedit will not open a file that is a
829 symbolic link unless the sudoedit_follow flag is enabled. The FOLLOW
830 and NOFOLLOW tags override the value of sudoedit_follow and can be used
831 to permit (or deny) the editing of symbolic links on a per-command ba‐
832 sis. These tags are only effective for the sudoedit command and are
833 ignored for all other commands.
834
835 LOG_INPUT and NOLOG_INPUT
836
837 These tags override the value of the log_input flag on a per-command
838 basis. For more information, see I/O LOGGING.
839
840 LOG_OUTPUT and NOLOG_OUTPUT
841
842 These tags override the value of the log_output flag on a per-command
843 basis. For more information, see I/O LOGGING.
844
845 MAIL and NOMAIL
846
847 These tags provide fine-grained control over whether mail will be sent
848 when a user runs a command by overriding the value of the
849 mail_all_cmnds flag on a per-command basis. They have no effect when
850 sudo is run with the -l or -v options. A NOMAIL tag will also override
851 the mail_always and mail_no_perms options. For more information, see
852 the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
853 the SUDOERS OPTIONS section below.
854
855 PASSWD and NOPASSWD
856
857 By default, sudo requires that a user authenticate before running a
858 command. This behavior can be modified via the NOPASSWD tag. Like a
859 Runas_Spec, the NOPASSWD tag sets a default for the commands that fol‐
860 low it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
861 to reverse things. For example:
862
863 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
864
865 would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
866 as root on the machine “rushmore” without authenticating himself. If
867 we only want ray to be able to run /bin/kill without a password the en‐
868 try would be:
869
870 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
871
872 Note, however, that the PASSWD tag has no effect on users who are in
873 the group specified by the exempt_group setting.
874
875 By default, if the NOPASSWD tag is applied to any of a user's entries
876 for the current host, the user will be able to run ‘sudo -l’ without a
877 password. Additionally, a user may only run ‘sudo -v’ without a pass‐
878 word if all of the user's entries for the current host have the
879 NOPASSWD tag. This behavior may be overridden via the verifypw and
880 listpw options.
881
882 SETENV and NOSETENV
883
884 These tags override the value of the setenv flag on a per-command ba‐
885 sis. If SETENV has been set for a command, the user may disable the
886 env_reset flag from the command line via the -E option. Additionally,
887 environment variables set on the command line are not subject to the
888 restrictions imposed by env_check, env_delete, or env_keep. As such,
889 only trusted users should be allowed to set variables in this manner.
890 If the command matched is ALL, the SETENV tag is implied for that com‐
891 mand; this default may be overridden by use of the NOSETENV tag.
892
893 INTERCEPT and NOINTERCEPT
894
895 If sudo has been compiled with intercept support and the underlying op‐
896 erating system supports it, the INTERCEPT tag can be used to cause pro‐
897 grams spawned by a command to be validated against sudoers and logged
898 just like they would be if run through sudo directly. This is useful
899 in conjunction with commands that allow shell escapes such as editors,
900 shells, and paginators. There is additional overhead due to the policy
901 check that may add latency when running commands such as shell scripts
902 that execute a large number of sub-commands. For interactive commands,
903 such as a shell or editor, the overhead is not usually noticeable.
904
905 In the following example, user chuck may run any command on the machine
906 “research” in intercept mode.
907
908 chuck research = INTERCEPT: ALL
909
910 See the Preventing shell escapes section below for more details on how
911 INTERCEPT works and whether or not it will work on your system.
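A Runas_Spec "sets the default for the commands that follow it" and a tag "sets a default for the commands that follow it in the Cmnd_Spec_List", so the effective settings of a command depend on everything to its left. The parser below makes that carry-forward explicit for the rules quoted in this section. It is an added example, not code from the sudo project: it handles the Runas_Spec, the sixteen tags listed above and backslash line continuation, implies SETENV for a command of ALL as the text states, and leaves Option_Spec items (CWD=, TIMEOUT=, and so on) unparsed as part of the command text.

```python
"""Parser for the right-hand side of a user specification that tracks how a
Runas_Spec and the tags carry forward along the Cmnd_Spec_List. Added example,
not code from the sudo project; Option_Spec items (CWD=, TIMEOUT=, ...) are not
handled and are left as part of the command text."""
import re

# tag -> (setting it controls, value it sets); each pair overrides the other
TAGS = {
    "EXEC": ("noexec", False), "NOEXEC": ("noexec", True),
    "FOLLOW": ("follow", True), "NOFOLLOW": ("follow", False),
    "LOG_INPUT": ("log_input", True), "NOLOG_INPUT": ("log_input", False),
    "LOG_OUTPUT": ("log_output", True), "NOLOG_OUTPUT": ("log_output", False),
    "MAIL": ("mail", True), "NOMAIL": ("mail", False),
    "INTERCEPT": ("intercept", True), "NOINTERCEPT": ("intercept", False),
    "PASSWD": ("authenticate", True), "NOPASSWD": ("authenticate", False),
    "SETENV": ("setenv", True), "NOSETENV": ("setenv", False),
}
TAG_ALTERNATION = "|".join(sorted(TAGS, key=len, reverse=True))
# optional "(runas)", then zero or more "TAG:" items, then the command and its arguments
ELEMENT = re.compile(rf"^\s*(?:(\([^)]*\))\s*)?((?:(?:{TAG_ALTERNATION}):\s*)*)(.+?)\s*$")


def split_cmnd_spec_list(text):
    """Split on commas, but not on the commas inside a parenthesised Runas_Spec."""
    parts, depth, current = [], 0, []
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def parse_user_spec(text):
    """Return one dict per command with the Runas_Spec text and the tag settings in
    effect for it. Backslash-continued lines are joined first."""
    joined = " ".join(line.rstrip().rstrip("\\").strip() for line in text.splitlines())
    lhs, _, rhs = joined.partition("=")
    who, where = lhs.split(None, 1)
    runas, tags, entries = None, {}, []
    for element in split_cmnd_spec_list(rhs):
        m = ELEMENT.match(element)
        if m is None:
            raise ValueError(f"cannot parse Cmnd_Spec: {element!r}")
        if m.group(1):
            runas = m.group(1)            # a new Runas_Spec becomes the default from here on
        for tag in re.findall(r"[A-Z_]+", m.group(2)):
            setting, value = TAGS[tag]
            tags[setting] = value         # a tag stays set until its opposite appears
        command = m.group(3)
        implied = {"setenv": True} if command == "ALL" else {}   # SETENV is implied for ALL
        entries.append({"user": who, "hosts": where.strip(), "runas": runas,
                        "command": command, **implied, **tags})
    return entries
```

For `ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm` the parser reports authenticate=False for /bin/kill and True for the other two, which is the behaviour the text describes; a key that is absent from an entry simply means the Defaults value applies.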
912
913 Wildcards
914 sudo allows shell-style wildcards (aka meta or glob characters) to be
915 used in host names, path names, and command line arguments in the sudoers
916 file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
917 as specified by IEEE Std 1003.1 (“POSIX.1”).
918
919 * Matches any set of zero or more characters (including white
920 space).
921
922 ? Matches any single character (including white space).
923
924 [...] Matches any character in the specified range.
925
926 [!...] Matches any character not in the specified range.
927
928 \x For any character ‘x’, evaluates to ‘x’. This is used to escape
929 special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
930
931 These are not regular expressions. Unlike a regular expression there is
932 no way to match one or more characters within a range.
933
934 Character classes may be used if your system's glob(3) and fnmatch(3)
935 functions support them. However, because the ‘:’ character has special
936 meaning in sudoers, it must be escaped. For example:
937
938 /bin/ls [[\:alpha\:]]*
939
940 Would match any file name beginning with a letter.
941
942 A forward slash (‘/’) will not be matched by wildcards used in the file
943 name portion of the command. This is to make a path like:
944
945 /usr/bin/*
946
947 match /usr/bin/who but not /usr/bin/X11/xterm.
948
949 When matching the command line arguments, however, a slash does get
950 matched by wildcards since command line arguments may contain arbitrary
951 strings and not just path names.
952
953 Wildcards in command line arguments should be used with care.
954 Wildcards can match any character, including white space. In most cases,
955 it is safer to use a regular expression to match command line arguments.
956 For more information, see Wildcards in command arguments below.
957
958 Exceptions to wildcard rules
959 The following exceptions apply to the above rules:
960
961 "" If the empty string ‘""’ is the only command line argument in
962 the sudoers file entry it means that command is not allowed to
963 be run with any arguments.
964
965 sudoedit Command line arguments to the sudoedit built-in command should
966 always be path names, so a forward slash (‘/’) will not be
967 matched by a wildcard.
968
969 Regular expressions
970 Starting with version 1.9.10, it is possible to use regular expressions
971 for path names and command line arguments. Regular expressions are more
972 expressive than shell-style wildcards and are usually safer because they
973 provide a greater degree of control when matching. The type of regular
974 expressions supported by sudoers are POSIX extended regular expressions,
975 similar to those used by the egrep(1) utility. They are usually docu‐
976 mented in the regex(7) or re_format(7) manual, depending on the system.
977 As an extension, if the regular expression begins with “(?i)”, it will be
978 matched in a case-insensitive manner.
979
980 In sudoers, regular expressions must start with a ‘^’ character and end
981 with a ‘$’. This makes it explicit what is, or is not, a regular expres‐
982 sion. Either the path name, the command line arguments or both may be
983 regular expressions. Because the path name and arguments are matched
984 separately, it is even possible to use wildcards for the path name and
985 regular expressions for the arguments. It is not possible to use a sin‐
986 gle regular expression to match both the command and its arguments. Reg‐
987 ular expressions in sudoers are limited to 1024 characters.
988
989 There is no need to escape sudoers special characters in a regular ex‐
990 pression other than the pound sign (‘#’).
991
992 In the following example, user john can run the passwd(1) command as root
993 on any host but is not allowed to change root's password. This kind of
994 rule is impossible to express safely using wildcards.
995
996 john ALL = /usr/bin/passwd ^[a-zA-Z0-9_]+$,\
997 !/usr/bin/passwd root
998
999 It is also possible to use a regular expression in conjunction with
1000 sudoedit rules. The following rule would give user bob the ability to
1001 edit the /etc/motd, /etc/issue, and /etc/hosts files only.
1002
1003 bob ALL = sudoedit ^/etc/(motd|issue|hosts)$
1004
1005 Regular expressions may also be used to match the command itself. In
1006 this example, a regular expression is used to allow user sid to run the
1007 /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel,
1008 /usr/sbin/useradd, /usr/sbin/usermod, and /usr/sbin/userdel commands as
1009 root.
1010
1011 sid ALL = ^/usr/sbin/(group|user)(add|mod|del)$
1012
1013 One disadvantage of using a regular expression to match the command name
1014 is that it is not possible to match relative paths such as ./useradd or
1015 ../sbin/useradd. This has security implications when a regular expres‐
1016 sion is used for the command name in conjunction with the negation opera‐
1017 tor, ‘!’, as such rules can be trivially bypassed. Because of this, us‐
1018 ing a negated regular expression for the command name is strongly
1019 discouraged. This does not apply to negated commands that only use a
1020 regular expression to match the command arguments. See Regular
1021 expressions in command names below for more information.
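The Wildcards and Regular expressions sections above describe three distinct matching behaviours: wildcards in the path name never cross a '/', wildcards in the arguments match anything including '/' and white space, and a regular expression is recognised by its '^' and '$' anchors. The following added example puts all three side by side, using the page's own passwd, sudoedit and groupadd rules plus one constructed log-file rule in its wildcard and regular-expression forms. It is not code from the sudo project: Python's re module stands in for the POSIX extended regular expressions sudoers compiles, character classes such as [[:alpha:]] are not supported by Python's fnmatch, and the placement of the optional "(?i)" prefix before the leading '^' is this example's own assumption.

```python
"""Command matching with shell-style wildcards versus anchored regular expressions,
as described in the Wildcards and Regular expressions sections above. Added
example, not code from the sudo project; Python's re module stands in for the
POSIX extended regular expressions sudoers compiles."""
import fnmatch
import re

MAX_REGEX_LEN = 1024  # sudoers rejects longer regular expressions


def strip_icase(pattern):
    """Split off the optional "(?i)" prefix. Assumption of this example: the prefix
    is written before the leading '^'."""
    if pattern.startswith("(?i)"):
        return pattern[4:], re.IGNORECASE
    return pattern, 0


def is_sudoers_regex(pattern):
    """sudoers recognises a regular expression by its '^' ... '$' delimiters."""
    body, _ = strip_icase(pattern)
    return len(body) >= 2 and body.startswith("^") and body.endswith("$")


def compile_sudoers_regex(pattern):
    if len(pattern) > MAX_REGEX_LEN:
        raise ValueError("sudoers regular expressions are limited to 1024 characters")
    body, flags = strip_icase(pattern)
    return re.compile(body, flags)


def match_path(pattern, path):
    """Match the command's path name. Wildcards never cross a '/', so
    /usr/bin/* matches /usr/bin/who but not /usr/bin/X11/xterm; a regular
    expression matches the whole path because of its anchors."""
    if is_sudoers_regex(pattern):
        return compile_sudoers_regex(pattern).search(path) is not None
    pparts, cparts = pattern.split("/"), path.split("/")
    return len(pparts) == len(cparts) and all(
        fnmatch.fnmatchcase(c, p) for p, c in zip(pparts, cparts))


def match_args(pattern, args):
    """Match the argument string (sudo compares the arguments joined by single
    spaces). None allows any arguments, '""' allows none, and for a wildcard
    pattern '*' also matches '/' and white space, which is why a regular
    expression is the safer choice for arguments."""
    if pattern is None:
        return True
    if pattern == '""':
        return args == ""
    if is_sudoers_regex(pattern):
        return compile_sudoers_regex(pattern).search(args) is not None
    return fnmatch.fnmatchcase(args, pattern)


def evaluate(rules, path, argv):
    """rules: list of (negated, path_pattern, args_pattern) in sudoers order.
    The last matching rule decides; a '!' rule denies. None means no rule matched."""
    args = " ".join(argv)
    verdict = None
    for negated, path_pattern, args_pattern in rules:
        if match_path(path_pattern, path) and match_args(args_pattern, args):
            verdict = not negated
    return verdict


# The page's passwd rule: any ordinary account name, but never root.
PASSWD_RULES = [(False, "/usr/bin/passwd", "^[a-zA-Z0-9_]+$"),
                (True, "/usr/bin/passwd", "root")]
# Constructed: a wildcard argument rule and its regular-expression replacement.
LOG_GLOB_RULE = [(False, "/bin/cat", "/var/log/*")]
LOG_REGEX_RULE = [(False, "/bin/cat", "^/var/log/[^/ ]+$")]
```

The constructed log rule shows the point the text makes about white space: `/var/log/*` accepts an argument string naming two files, while `^/var/log/[^/ ]+$` accepts exactly one path with no separators in it.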
1022
1023 Including other files from within sudoers
1024 It is possible to include other sudoers files from within the sudoers
1025 file currently being parsed using the @include and @includedir direc‐
1026 tives. For compatibility with sudo versions prior to 1.9.1, #include and
1027 #includedir are also accepted.
1028
1029 An include file can be used, for example, to keep a site-wide sudoers
1030 file in addition to a local, per-machine file. For the sake of this ex‐
1031 ample the site-wide sudoers file will be /etc/sudoers and the per-machine
1032 one will be /etc/sudoers.local. To include /etc/sudoers.local from
1033 within /etc/sudoers one would use the following line in /etc/sudoers:
1034
1035 @include /etc/sudoers.local
1036
1037 When sudo reaches this line it will suspend processing of the current
1038 file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
1039 end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
1040 Files that are included may themselves include other files. A hard limit
1041 of 128 nested include files is enforced to prevent include file loops.
1042
1043 Starting with version 1.9.1, the path to the include file may contain
1044 white space if it is escaped with a backslash (‘\’). Alternately, the
1045 entire path may be enclosed in double quotes (""), in which case no es‐
1046 caping is necessary. To include a literal backslash in the path, ‘\\’
1047 should be used.
1048
1049 If the path to the include file is not fully-qualified (does not begin
1050 with a ‘/’), it must be located in the same directory as the sudoers file
1051 it was included from. For example, if /etc/sudoers contains the line:
1052
1053 @include sudoers.local
1054
1055 the file that will be included is /etc/sudoers.local.
1056
1057 The file name may also include the ‘%h’ escape, signifying the short form
1058 of the host name. In other words, if the machine's host name is
1059 “xerxes”, then
1060
1061 @include /etc/sudoers.%h
1062
1063 will cause sudo to include the file /etc/sudoers.xerxes.
1064
1065 The @includedir directive can be used to create a sudoers.d directory
1066 that the system package manager can drop sudoers file rules into as part
1067 of package installation. For example, given:
1068
1069 @includedir /etc/sudoers.d
1070
1071 sudo will suspend processing of the current file and read each file in
1072 /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
1073 character to avoid causing problems with package manager or editor tempo‐
1074 rary/backup files.
1075
1076 Files are parsed in sorted lexical order. That is,
1077 /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
1078 Be aware that because the sorting is lexical, not numeric,
1079 /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
1080 Using a consistent number of leading zeroes in the file names can be used
1081 to avoid such problems. After parsing the files in the directory, con‐
1082 trol returns to the file that contained the @includedir directive.
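The include rules just described (the '%h' escape, relative paths resolved against the including file, quoted or backslash-escaped operands, the skip rules and lexical ordering for an @includedir directory, and the 128-level nesting limit) combine into a small resolver, which is also a handy way to see what a package manager's drop-in files actually contribute. The following is an added example, not code from the sudo project; the in-memory file system is constructed from the rules quoted earlier on this page, and @includedir operands are assumed to be fully qualified.

```python
"""Resolution of @include / @includedir as described above: '%h' expansion,
relative include paths, quoting of the operand, the skip rules for sudoers.d
entries, lexical ordering and the nesting limit. Added example, not code from
the sudo project; the in-memory file system below is constructed."""
import os

MAX_INCLUDE_DEPTH = 128   # hard limit that stops include loops


def parse_include_operand(text):
    """Unquote the path that follows @include: either "double quoted" (no escaping
    needed inside) or with backslash-escaped characters, where a doubled
    backslash stands for one literal backslash."""
    text = text.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return text[1:-1]
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def resolve_include(path, including_file, hostname):
    """'%h' becomes the short host name; a path that is not fully qualified is
    taken relative to the directory of the file that included it."""
    path = path.replace("%h", hostname.split(".")[0])
    if not path.startswith("/"):
        path = os.path.join(os.path.dirname(including_file), path)
    return path


def includedir_files(names):
    """Entries of an @includedir directory in the order they are parsed: names
    ending in '~' or containing a '.' are skipped, the rest sorted lexically
    (so 1_whoops sorts after 10_second)."""
    return sorted(n for n in names if not n.endswith("~") and "." not in n)


def expand(path, fs, hostname, depth=0):
    """Return the effective lines of `path` with includes expanded in place.
    fs = {"files": {path: [lines]}, "dirs": {dirpath: [names]}}."""
    if depth > MAX_INCLUDE_DEPTH:
        raise ValueError(f"more than {MAX_INCLUDE_DEPTH} nested include files")
    lines = []
    for line in fs["files"][path]:
        parts = line.split(None, 1)
        directive = parts[0] if parts else ""
        operand = parse_include_operand(parts[1]) if len(parts) > 1 else ""
        if directive in ("@include", "#include"):      # '#include' kept for pre-1.9.1 files
            target = resolve_include(operand, path, hostname)
            lines.extend(expand(target, fs, hostname, depth + 1))
        elif directive in ("@includedir", "#includedir"):
            for name in includedir_files(fs["dirs"].get(operand, [])):
                lines.extend(expand(os.path.join(operand, name), fs, hostname, depth + 1))
        else:
            lines.append(line)
    return lines


# Constructed sample: a site-wide file using all three include forms, plus the
# editor backup and package-manager leftover that @includedir must skip.
SAMPLE_FS = {
    "files": {
        "/etc/sudoers": ["Defaults env_reset", "@include sudoers.local",
                         "@include /etc/sudoers.%h", "@includedir /etc/sudoers.d"],
        "/etc/sudoers.local": ["dgb boulder = (operator) /bin/ls"],
        "/etc/sudoers.xerxes": ["tcm xerxes = (:dialer) /usr/bin/cu"],
        "/etc/sudoers.d/01_first": ["alan ALL = (root, bin : operator, system) ALL"],
        "/etc/sudoers.d/10_second": ["ray rushmore = NOPASSWD: /bin/kill"],
        "/etc/sudoers.d/1_whoops": ["chuck research = INTERCEPT: ALL"],
        "/etc/sudoers.d/10_second~": ["# editor backup, must be skipped"],
        "/etc/sudoers.d/pkg.rpmnew": ["# package manager leftover, must be skipped"],
    },
    "dirs": {"/etc/sudoers.d": ["10_second~", "pkg.rpmnew", "1_whoops", "10_second", "01_first"]},
}
```

Calling `expand("/etc/sudoers", SAMPLE_FS, "xerxes.sudo.ws")` yields the six effective rule lines in parse order, with 1_whoops after 10_second exactly as the text warns.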
1083
1084 Unlike files included via @include, visudo will not edit the files in a
1085 @includedir directory unless one of them contains a syntax error. It is
1086 still possible to run visudo with the -f flag to edit the files directly,
1087 but this will not catch the redefinition of an alias that is also present
1088 in a different file.
1089
1090 Other special characters and reserved words
1091 The pound sign (‘#’) is used to indicate a comment (unless it is part of
1092 a #include directive or unless it occurs in the context of a user name
1093 and is followed by one or more digits, in which case it is treated as a
1094 user-ID). Both the comment character and any text after it, up to the
1095 end of the line, are ignored.
1096
1097 The reserved word ALL is a built-in alias that always causes a match to
1098 succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
1099 User_Alias, Runas_Alias, or Host_Alias. Attempting to define an alias
1100 named ALL will result in a syntax error. Using ALL can be dangerous
1101 since in a command context, it allows the user to run any command on the
1102 system.
1103
1104 The following option names permitted in an Option_Spec are also consid‐
1105 ered reserved words: CHROOT, ROLE, TYPE, TIMEOUT, CWD, NOTBEFORE and
1106 NOTAFTER. Attempting to define an alias with the same name as one of the
1107 options will result in a syntax error.
1108
1109 An exclamation point (‘!’) can be used as a logical not operator in a
1110 list or alias as well as in front of a Cmnd. This allows one to exclude
1111 certain values. For the ‘!’ operator to be effective, there must be
1112 something for it to exclude. For example, to match all users except for
1113 root one would use:
1114
1115 ALL, !root
1116
1117 If the ALL, is omitted, as in:
1118
1119 !root
1120
1121 it would explicitly deny root but not match any other users. This is
1122 different from a true “negation” operator.
1123
1124 Note, however, that using a ‘!’ in conjunction with the built-in ALL
1125 alias to allow a user to run “all but a few” commands rarely works as in‐
1126 tended (see SECURITY NOTES below).
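The difference between "ALL, !root" and a bare "!root" is that a list match has three outcomes, not two: matched, explicitly excluded, or simply not mentioned. The function below evaluates a sudoers list that way, with later elements overriding earlier ones and an optional alias table. It is an added example, not code from the sudo project; the alias table used in its checks is constructed.

```python
"""Three-valued evaluation of a sudoers list such as "ALL, !root". Added
example, not code from the sudo project."""


def match_list(members, name, aliases=None):
    """Return True (matched), False (explicitly excluded) or None (nothing in the
    list matched `name`). Later elements override earlier ones, so "ALL, !root"
    matches everyone but root, while "!root" alone excludes root and matches
    nobody else. `aliases` maps alias names to their member lists."""
    aliases = aliases or {}
    verdict = None
    for item in members:
        bangs = len(item) - len(item.lstrip("!"))   # "!!x" cancels out
        target = item[bangs:]
        if target in aliases:
            hit = match_list(aliases[target], name, aliases)
        else:
            hit = True if target == "ALL" or target == name else None
        if hit is not None:
            verdict = hit if bangs % 2 == 0 else not hit
    return verdict
```

Applied to a user list, None means the rule does not apply to that user at all, which is why "!root" on its own grants nothing to anyone.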
1127
1128 Long lines can be continued with a backslash (‘\’) as the last character
1129 on the line.
1130
1131 White space between elements in a list as well as special syntactic char‐
1132 acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
1133
1134 The following characters must be escaped with a backslash (‘\’) when used
1135 as part of a word (e.g., a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
1136 ‘(’, ‘)’, ‘\’.
1137
1138 SUDOERS OPTIONS
1139 sudo's behavior can be modified by Default_Entry lines, as explained
1140 earlier. A list of all supported Defaults parameters, grouped by type,
1141 is given below.
1142
1143 Boolean Flags:
1144
1145 always_query_group_plugin
1146 If a group_plugin is configured, use it to resolve
1147 groups of the form ‘%group’ as long as there is not
1148 also a system group of the same name. Normally, only
1149 groups of the form ‘%:group’ are passed to the
1150 group_plugin. This flag is off by default.
1151
1152 always_set_home If enabled, sudo will set the HOME environment variable
1153 to the home directory of the target user (which is the
1154 runas_default user unless the -u option is used). This
1155 flag is largely obsolete and has no effect unless the
1156 env_reset flag has been disabled or HOME is present in
1157 the env_keep list, both of which are strongly discour‐
1158 aged. This flag is off by default.
1159
1160 authenticate If set, users must authenticate themselves via a pass‐
1161 word (or other means of authentication) before they may
1162 run commands. This default may be overridden via the
1163 PASSWD and NOPASSWD tags. This flag is on by default.
1164
1165 case_insensitive_group
1166 If enabled, group names in sudoers will be matched in a
1167 case insensitive manner. This may be necessary when
1168 users are stored in LDAP or AD. This flag is on by de‐
1169 fault.
1170
1171 case_insensitive_user
1172 If enabled, user names in sudoers will be matched in a
1173 case insensitive manner. This may be necessary when
1174 groups are stored in LDAP or AD. This flag is on by
1175 default.
1176
1177 closefrom_override
1178 If set, the user may use the -C option which overrides
1179 the default starting point at which sudo begins closing
1180 open file descriptors. This flag is off by default.
1181
1182 compress_io If set, and sudo is configured to log a command's input
1183 or output, the I/O logs will be compressed using zlib.
1184 This flag is on by default when sudo is compiled with
1185 zlib support.
1186
1187 exec_background By default, sudo runs a command as the foreground
1188 process as long as sudo itself is running in the fore‐
1189 ground. When the exec_background flag is enabled and
1190 the command is being run in a pseudo-terminal (due to
1191 I/O logging or the use_pty flag), the command will be
1192 run as a background process. Attempts to read from the
1193 controlling terminal (or to change terminal settings)
1194 will result in the command being suspended with the
1195 SIGTTIN signal (or SIGTTOU in the case of terminal set‐
1196 tings). If this happens when sudo is a foreground
1197 process, the command will be granted the controlling
1198 terminal and resumed in the foreground with no user in‐
1199 tervention required. The advantage of initially run‐
1200 ning the command in the background is that sudo need
1201 not read from the terminal unless the command explic‐
1202 itly requests it. Otherwise, any terminal input must
1203 be passed to the command, whether it has required it or
1204 not (the kernel buffers terminals so it is not possible
1205 to tell whether the command really wants the input).
1206 This is different from historic sudo behavior or when
1207 the command is not being run in a pseudo-terminal.
1208
1209 For this to work seamlessly, the operating system must
1210 support the automatic restarting of system calls. Un‐
1211 fortunately, not all operating systems do this by de‐
1212 fault, and even those that do may have bugs. For exam‐
1213 ple, macOS fails to restart the tcgetattr(3) and
1214 tcsetattr(3) functions (this is a bug in macOS). Fur‐
1215 thermore, because this behavior depends on the command
1216 stopping with the SIGTTIN or SIGTTOU signals, programs
1217 that catch these signals and suspend themselves with a
1218 different signal (usually SIGSTOP) will not be
1219 automatically foregrounded. Some versions of the Linux su(1)
1220 command behave this way. This flag is off by default.
1221
1222 This setting is only supported by version 1.8.7 or
1223 higher. It has no effect unless I/O logging is enabled
1224 or the use_pty flag is enabled.
1225
1226 env_editor If set, visudo will use the value of the SUDO_EDITOR,
1227 VISUAL or EDITOR environment variables before falling
1228 back on the default editor list. visudo is typically
1229 run as root so this flag may allow a user with visudo
1230 privileges to run arbitrary commands as root without
1231 logging. An alternative is to place a colon-separated
1232 list of “safe” editors in the editor setting. visudo
1233 will then only use SUDO_EDITOR, VISUAL or EDITOR if
1234 they match a value specified in editor. If the
1235 env_reset flag is enabled, the SUDO_EDITOR, VISUAL
1236 and/or EDITOR environment variables must be present in
1237 the env_keep list for the env_editor flag to function
1238 when visudo is invoked via sudo. This flag is on by
1239 default.
1240
1241 env_reset If set, sudo will run the command in a minimal environ‐
1242 ment containing the TERM, PATH, HOME, MAIL, SHELL,
1243 LOGNAME, USER and SUDO_* variables. Any variables in
1244 the caller's environment or in the file specified by
1245 the restricted_env_file setting that match the env_keep
1246 and env_check lists are then added, followed by any
1247 variables present in the file specified by the env_file
1248 setting (if any). The contents of the env_keep and
1249 env_check lists, as modified by global Defaults parame‐
1250 ters in sudoers, are displayed when sudo is run by root
1251 with the -V option. If the secure_path setting is en‐
1252 abled, its value will be used for the PATH environment
1253 variable. This flag is on by default.
1254
1255 fast_glob Normally, sudo uses the glob(3) function to do shell-
1256 style globbing when matching path names. However,
1257 since it accesses the file system, glob(3) can take a
1258 long time to complete for some patterns, especially
1259 when the pattern references a network file system that
1260 is mounted on demand (auto mounted). The fast_glob
1261 flag causes sudo to use the fnmatch(3) function, which
1262 does not access the file system to do its matching.
1263 The disadvantage of fast_glob is that it is unable to
1264 match relative paths such as ./ls or ../bin/ls. This
1265 has security implications when path names that include
1266 globbing characters are used with the negation opera‐
1267 tor, ‘!’, as such rules can be trivially bypassed. As
1268 such, this flag should not be used when the sudoers
1269 file contains rules that contain negated path names
1270 which include globbing characters. This flag is off by
1271 default.
1272
1273 log_passwords Most programs that require a user's password will dis‐
1274 able echo before reading the password to avoid display‐
1275 ing the plaintext password on the screen. However, if
1276 terminal input is being logged (see I/O LOGGING), the
1277 password will still be present in the I/O log. If the
1278 log_passwords option is disabled, sudoers will attempt
1279 to prevent passwords from being logged. It does this
1280 by using the regular expressions in passprompt_regex to
1281 match a password prompt in the terminal output buffer.
1282 When a match is found, input characters in the I/O log
1283 will be replaced with ‘*’ until either a line feed or
1284 carriage return is found in the terminal input or a new
1285 terminal output buffer is received. If, however, a
1286 program displays characters as the user types (such as
1287 sudo when pwfeedback is set), only the first character
1288 of the password will be replaced in the I/O log. This
1289 option has no effect unless log_input or log_ttyin are
1290 also set. This flag is on by default.
1291
1292 This setting is only supported by version 1.9.10 or
1293 higher.
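The redaction procedure described for log_passwords is a small state machine: a terminal output buffer that matches a password prompt turns masking on, and masking ends at the first CR or LF in the input or when the next output buffer arrives. Modelling it shows why a program that echoes a character per keystroke (the pwfeedback case) defeats the masking after the first character. This is an added example, not code from the sudo project; the prompt pattern is a constructed stand-in for the passprompt_regex setting and the event sequences are constructed.

```python
"""Model of the log_passwords redaction described above: once a terminal output
buffer matches a password prompt, the following input characters are written to
the I/O log as '*' until a CR/LF arrives in the input or a new output buffer
is received. Added example, not code from the sudo project; the prompt pattern
below is a constructed stand-in for the passprompt_regex setting."""
import re

# Constructed stand-in for the passprompt_regex list.
PASSPROMPT_REGEX = [re.compile(r"[Pp]assword[: ]*$")]


def redact_io_log(events):
    """events: ("out", text) / ("in", text) records in the order sudo saw them.
    Returns the records as they would be written to the I/O log."""
    masking = False
    logged = []
    for kind, text in events:
        if kind == "out":
            # Every new output buffer re-evaluates the prompt match; a buffer that
            # is not a prompt (e.g. an echoed '*' from pwfeedback) ends masking.
            masking = any(r.search(text) for r in PASSPROMPT_REGEX)
            logged.append((kind, text))
            continue
        redacted = []
        for ch in text:
            if masking and ch in "\r\n":
                masking = False
            redacted.append("*" if masking else ch)
        logged.append((kind, "".join(redacted)))
    return logged
```

In the second check below the echoed '*' between keystrokes is a fresh output buffer that does not match the prompt, so only the first typed character is replaced, matching the limitation stated above.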
1294
1295 fqdn Set this flag if you want to put fully qualified host
1296 names in the sudoers file when the local host name (as
1297 returned by the ‘hostname’ command) does not contain
1298 the domain name. In other words, instead of myhost you
1299 would use myhost.mydomain.edu. You may still use the
1300 short form if you wish (and even mix the two). This
1301 flag is only effective when the “canonical” host name,
1302 as returned by the getaddrinfo(3) or gethostbyname(3)
1303 function, is a fully-qualified domain name. This is
1304 usually the case when the system is configured to use
1305 DNS for host name resolution.
1306
1307 If the system is configured to use the /etc/hosts file
1308 in preference to DNS, the “canonical” host name may not
1309 be fully-qualified. The order that sources are queried
1310 for host name resolution is usually specified in the
1311 /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
1312 or, in some cases, /etc/resolv.conf file. In the
1313 /etc/hosts file, the first host name of the entry is
1314 considered to be the “canonical” name; subsequent names
1315 are aliases that are not used by sudoers. For example,
1316 the following hosts file line for the machine “xyzzy”
1317 has the fully-qualified domain name as the “canonical”
1318 host name, and the short version as an alias.
1319
1320 192.168.1.1 xyzzy.sudo.ws xyzzy
1321
1322 If the machine's hosts file entry is not formatted
1323 properly, the fqdn flag will not be effective if it is
1324 queried before DNS.
1325
1326 Beware that when using DNS for host name resolution,
1327 turning on fqdn requires sudoers to make DNS lookups
1328 which renders sudo unusable if DNS stops working (for
1329 example if the machine is disconnected from the net‐
1330 work). Just like with the hosts file, you must use the
1331 “canonical” name as DNS knows it. That is, you may not
1332 use a host alias (CNAME entry) due to performance is‐
1333 sues and the fact that there is no way to get all
1334 aliases from DNS.
1335
1336 This flag is off by default.
1337
1338 ignore_audit_errors
1339 Allow commands to be run even if sudoers cannot write
1340 to the audit log. If enabled, an audit log write fail‐
1341 ure is not treated as a fatal error. If disabled, a
1342 command may only be run after the audit event is suc‐
1343 cessfully written. This flag is only effective on sys‐
1344 tems for which sudoers supports audit logging, includ‐
1345 ing FreeBSD, Linux, macOS, and Solaris. This flag is
1346 on by default.
1347
1348 ignore_dot If set, sudo will ignore "." or "" (both denoting the
1349 current directory) in the PATH environment variable;
1350 the PATH itself is not modified. This flag is on by
1351 default.
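
The following is an added example, not part of the sudoers manual, that shows what ignore_dot changes during command lookup: a "." entry and an empty entry (a leading, trailing or doubled colon) both name the current directory, and with the flag on they are skipped for lookup purposes while the PATH string itself is left alone. The PATH values, the fake set of executables and the function names are constructed for the demonstration.

```python
# Added example (not from the sudoers manual): how "." and "" entries in PATH
# behave during command lookup with ignore_dot on versus off.
from __future__ import annotations

# Constructed set of executables present on the system, keyed by absolute path.
# "/home/alice/work" stands for the current working directory.
EXECUTABLES = {
    "/usr/bin/ls",
    "/bin/ls",
    "/home/alice/work/ls",    # a look-alike sitting in the cwd
}
CWD = "/home/alice/work"


def cwd_entries(path: str) -> list[int]:
    """Indexes of PATH entries that denote the current directory ("." or "")."""
    return [i for i, entry in enumerate(path.split(":")) if entry in (".", "")]


def resolve_command(cmd: str, path: str, *, ignore_dot: bool,
                    cwd: str = CWD) -> str | None:
    """Return the first match for CMD along PATH, or None.

    With ignore_dot set, "." and "" entries are skipped for lookup purposes;
    the PATH string the command inherits is never modified.
    """
    for entry in path.split(":"):
        if entry in (".", ""):
            if ignore_dot:
                continue
            entry = cwd
        candidate = f"{entry.rstrip('/')}/{cmd}"
        if candidate in EXECUTABLES:
            return candidate
    return None


if __name__ == "__main__":
    path = ".:/usr/bin:/bin"
    print("cwd entries:", cwd_entries(path))
    for flag in (False, True):
        print(f"ignore_dot={flag}:", resolve_command("ls", path, ignore_dot=flag))
```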
1352
1353 ignore_iolog_errors
1354 Allow commands to be run even if sudoers cannot write
1355 to the I/O log (local or remote). If enabled, an I/O
1356 log write failure is not treated as a fatal error. If
1357 disabled, the command will be terminated if the I/O log
1358 cannot be written to. This flag is off by default.
1359
1360 ignore_logfile_errors
1361 Allow commands to be run even if sudoers cannot write
1362 to the log file. If enabled, a log file write failure
1363 is not treated as a fatal error. If disabled, a com‐
1364 mand may only be run after the log file entry is suc‐
1365 cessfully written. This flag only has an effect when
1366 sudoers is configured to use file-based logging via the
1367 logfile setting. This flag is on by default.
1368
1369 ignore_local_sudoers
1370 If set via LDAP, parsing of /etc/sudoers will be
1371 skipped. This is intended for sites that wish to pre‐
1372 vent the usage of local sudoers files so that only LDAP
1373 is used. This thwarts the efforts of rogue operators
1374 who would attempt to add roles to /etc/sudoers. When
1375 this flag is enabled, /etc/sudoers does not even need
1376 to exist. Since this flag tells sudo how to behave
1377 when no specific LDAP entries have been matched, this
1378 sudoOption is only meaningful for the ‘cn=defaults’
1379 section. This flag is off by default.
1380
1381 ignore_unknown_defaults
1382 If set, sudo will not produce a warning if it encoun‐
1383 ters an unknown Defaults entry in the sudoers file or
1384 an unknown sudoOption in LDAP. This flag is off by de‐
1385 fault.
1386
1387 insults If set, sudo will insult users when they enter an in‐
1388 correct password. This flag is off by default.
1389
1390 log_allowed If set, sudoers will log commands allowed by the policy
1391 to the system audit log (where supported) as well as to
1392 syslog and/or a log file. This flag is on by default.
1393
1394 This setting is only supported by version 1.8.29 or
1395 higher.
1396
1397 log_denied If set, sudoers will log commands denied by the policy
1398 to the system audit log (where supported) as well as to
1399 syslog and/or a log file. This flag is on by default.
1400
1401 This setting is only supported by version 1.8.29 or
1402 higher.
1403
1404 log_exit_status If set, sudoers will log the exit value of commands
1405 that are run to syslog and/or a log file. If a command
1406 was terminated by a signal, the signal name is logged
1407 as well. This flag is off by default.
1408
1409 This setting is only supported by version 1.9.8 or
1410 higher.
1411
1412 log_host If set, the host name will be included in log entries
1413 written to the file configured by the logfile setting.
1414 This flag is off by default.
1415
1416 log_input If set, sudo will run the command in a pseudo-terminal
1417 (if sudo was run from a terminal) and log all user in‐
1418 put. If the standard input is not connected to the
1419 user's terminal, due to I/O redirection or because the
1420 command is part of a pipeline, that input is also
1421 logged. For more information about I/O logging, see
1422 the I/O LOGGING section. This flag is off by default.
1423
1424 log_output If set, sudo will run the command in a pseudo-terminal
1425 (if sudo was run from a terminal) and log all output
1426 that is sent to the user's terminal, the standard out‐
1427 put or the standard error. If the standard output or
1428 standard error is not connected to the user's terminal,
1429 due to I/O redirection or because the command is part
1430 of a pipeline, that output is also logged. For more
1431 information about I/O logging, see the I/O LOGGING sec‐
1432 tion. This flag is off by default.
1433
1434 log_server_keepalive
1435 If set, sudo will enable the TCP keepalive socket op‐
1436 tion on the connection to the log server. This enables
1437 the periodic transmission of keepalive messages to the
1438 server. If the server does not respond to a message,
1439 the connection will be closed and the running command
1440 will be terminated unless the ignore_iolog_errors flag
1441 (I/O logging enabled) or the ignore_log_errors flag
1442 (I/O logging disabled) is set. This flag is on by de‐
1443 fault.
1444
1445 This setting is only supported by version 1.9.0 or
1446 higher.
1447
1448 log_server_verify
1449 If set, the server certificate received during the TLS
1450 handshake must be valid and it must contain either the
1451 server name (from log_servers) or its IP address. If
1452 either of these conditions is not met, the TLS hand‐
1453 shake will fail. This flag is on by default.
1454
1455 This setting is only supported by version 1.9.0 or
1456 higher.
1457
1458 log_stderr If set, sudo will log the standard error if it is not
1459 connected to the user's terminal. This can be used to
1460 log output to a pipe or redirected to a file. This
1461 flag is off by default but is enabled when either the
1462 log_output flag or the LOG_OUTPUT command tag is set.
1463
1464 log_stdin If set, sudo will log the standard input if it is not
1465 connected to the user's terminal. This can be used to
1466 log input from a pipe or redirected from a file. This
1467 flag is off by default but is enabled when either the
1468 log_input flag or the LOG_INPUT command tag is set.
1469
1470 log_stdout If set, sudo will log the standard output if it is not
1471 connected to the user's terminal. This can be used to
1472 log output to a pipe or redirected to a file. This
1473 flag is off by default but is enabled when either the
1474 log_output flag or the LOG_OUTPUT command tag is set.
1475
1476 log_subcmds If set, sudoers will log when a command spawns a child
1477 process and executes a program using the execve(2),
1478 execl(3), execle(3), execlp(3), execv(3), execvp(3),
1479 execvpe(3), or system(3) library functions. For exam‐
1480 ple, if a shell is run by sudo, the individual commands
1481 run via the shell will be logged. This flag is off by
1482 default.
1483
1484 The log_subcmds flag uses the same underlying mechanism
1485 as the intercept setting. See Preventing shell escapes
1486 for more information on what systems support this op‐
1487 tion and its limitations. This setting is only sup‐
1488 ported by version 1.9.8 or higher and is incompatible
1489 with SELinux RBAC support unless the system supports
1490 seccomp(2) filter mode.
1491
1492 log_ttyin If set, sudo will run the command in a pseudo-terminal
1493 and log user keystrokes sent to the user's terminal, if
1494 one is present. This flag is off by default but is en‐
1495 abled when either the log_input flag or the LOG_INPUT
1496 command tag is set. If no terminal is present, for ex‐
1497 ample when running a remote command using ssh(1), this
1498 flag will have no effect.
1499
1500 log_ttyout If set, sudo will run the command in a pseudo-terminal
1501 and log all output displayed on the user's terminal, if
1502 one is present. This flag is off by default but is en‐
1503 abled when either the log_output flag or the LOG_OUTPUT
1504 command tag is set. If no terminal is present, for ex‐
1505 ample when running a remote command using ssh(1), this
1506 flag will have no effect.
1507
1508 log_year If set, the four-digit year will be logged in the (non-
1509 syslog) sudo log file. This flag is off by default.
1510
1511 long_otp_prompt When validating with a One Time Password (OTP) scheme
1512 such as S/Key or OPIE, a two-line prompt is used to
1513 make it easier to cut and paste the challenge to a lo‐
1514 cal window. It's not as pretty as the default but some
1515 people find it more convenient. This flag is off by
1516 default.
1517
1518 mail_all_cmnds Send mail to the mailto user every time a user attempts
1519 to run a command via sudo (this includes sudoedit). No
1520 mail will be sent if the user runs sudo with the -l or
1521 -v option unless there is an authentication error and
1522 the mail_badpass flag is also set. This flag is off by
1523 default.
1524
1525 mail_always Send mail to the mailto user every time a user runs
1526 sudo. This flag is off by default.
1527
1528 mail_badpass Send mail to the mailto user if the user running sudo
1529 does not enter the correct password. If the command
1530 the user is attempting to run is not permitted by
1531 sudoers and one of the mail_all_cmnds, mail_always,
1532 mail_no_host, mail_no_perms or mail_no_user flags are
1533 set, this flag will have no effect. This flag is off
1534 by default.
1535
1536 mail_no_host If set, mail will be sent to the mailto user if the in‐
1537 voking user exists in the sudoers file, but is not al‐
1538 lowed to run commands on the current host. This flag
1539 is off by default.
1540
1541 mail_no_perms If set, mail will be sent to the mailto user if the in‐
1542 voking user is allowed to use sudo but the command they
1543 are trying is not listed in their sudoers file entry or
1544 is explicitly denied. This flag is off by default.
1545
1546 mail_no_user If set, mail will be sent to the mailto user if the in‐
1547 voking user is not in the sudoers file. This flag is
1548 on by default.
1549
1550 match_group_by_gid
1551 By default, sudoers will look up each group the user is
1552 a member of by group-ID to determine the group name
1553 (this is only done once). The resulting list of the
1554 user's group names is used when matching groups listed
1555 in the sudoers file. This works well on systems where
1556 the number of groups listed in the sudoers file is
1557 larger than the number of groups a typical user belongs
1558 to. On systems where group lookups are slow, where
1559 users may belong to a large number of groups, or where
1560 the number of groups listed in the sudoers file is rel‐
1561 atively small, it may be prohibitively expensive and
1562 running commands via sudo may take longer than normal.
1563 On such systems it may be faster to use the
1564 match_group_by_gid flag to avoid resolving the user's
1565 group-IDs to group names. In this case, sudoers must
1566 look up any group name listed in the sudoers file and
1567 use the group-ID instead of the group name when deter‐
1568 mining whether the user is a member of the group.
1569
1570 If match_group_by_gid is enabled, group database
1571 lookups performed by sudoers will be keyed by group
1572 name as opposed to group-ID. On systems where there
1573 are multiple sources for the group database, it is pos‐
1574 sible to have conflicting group names or group-IDs in
1575 the local /etc/group file and the remote group data‐
1576 base. On such systems, enabling or disabling
1577 match_group_by_gid can be used to choose whether group
1578 database queries are performed by name (enabled) or ID
1579 (disabled), which may aid in working around group entry
1580 conflicts.
1581
1582 The match_group_by_gid flag has no effect when sudoers
1583 data is stored in LDAP. This flag is off by default.
1584
1585 This setting is only supported by version 1.8.18 or
1586 higher.
1587
1588 intercept If set, all commands run via sudo will behave as if the
1589 INTERCEPT tag has been set, unless overridden by an
1590 NOINTERCEPT tag. See the description of INTERCEPT and
1591 NOINTERCEPT above as well as the Preventing shell
1592 escapes section at the end of this manual. This flag
1593 is off by default.
1594
1595 This setting is only supported by version 1.9.8 or
1596 higher and is incompatible with SELinux RBAC support
1597 unless the system supports seccomp(2) filter mode.
1598
1599 intercept_allow_setid
1600 On most systems, the dynamic loader will ignore
1601 LD_PRELOAD (or the equivalent) when running set-user-ID
1602 and set-group-ID programs, effectively disabling inter‐
1603 cept mode. To prevent this from happening, sudoers
1604 will not permit a set-user-ID or set-group-ID program
1605 to be run in intercept mode unless
1606 intercept_allow_setid is enabled. This flag has no ef‐
1607 fect unless the intercept flag is enabled or the
1608 INTERCEPT tag has been set for the command. This flag
1609 is on by default when the intercept_type option is set
1610 to trace; otherwise it defaults to off.
1611
1612 This setting is only supported by version 1.9.8 or
1613 higher.
1614
1615 intercept_authenticate
1616 If set, commands run by an intercepted process must be
1617 authenticated when the user's time stamp is not cur‐
1618 rent. For example, if a shell is run with intercept
1619 enabled, as soon as the invoking user's time stamp is
1620 out of date, subsequent commands will need to be au‐
1621 thenticated. This flag has no effect unless the
1622 intercept flag is enabled or the INTERCEPT tag has been
1623 set for the command. This flag is off by default.
1624
1625 This setting is only supported by version 1.9.8 or
1626 higher.
1627
1628 intercept_verify If set, sudo will attempt to verify that a command run
1629 in intercept mode has the expected path name, command
1630 line arguments and environment.
1631
1632 The process will be stopped after execve(2) has com‐
1633 pleted but before the new command has had a chance to
1634 run. To verify the command, sudo will read the com‐
1635 mand's path from /proc/PID/exe, the command line argu‐
1636 ments and environment from the process's memory, and
1637 compare them against the arguments that were passed to
1638 execve(2). In the event of a mismatch, the command
1639 will be sent a SIGKILL signal and terminated.
1640
1641 This can help prevent a time of check versus time of
1642 use issue with intercept mode where the execve(2) argu‐
1643 ments could be altered after the sudoers policy check.
1644 The checks can only be performed if the proc(5) file
1645 system is available. This flag has no effect unless
1646 the intercept flag is enabled or the INTERCEPT tag has
1647 been set for the command and the intercept_type option
1648 is set to trace. This flag is on by default.
1649
1650 This setting is only supported by version 1.9.12 or
1651 higher.
1652
1653 netgroup_tuple If set, netgroup lookups will be performed using the
1654 full netgroup tuple: host name, user name, and domain
1655 (if one is set). Historically, sudo only matched the
1656 user name and domain for netgroups used in a User_List
1657 and only matched the host name and domain for netgroups
1658 used in a Host_List. This flag is off by default.
1659
1660 noexec If set, all commands run via sudo will behave as if the
1661 NOEXEC tag has been set, unless overridden by an EXEC
1662 tag. See the description of EXEC and NOEXEC above as
1663 well as the Preventing shell escapes section at the end
1664 of this manual. This flag is off by default.
1665
1666 noninteractive_auth
1667 If set, authentication will be attempted even in non-
1668 interactive mode (when sudo's -n option is specified).
1669 This allows authentication methods that don't require
1670 user interaction to succeed. Authentication methods
1671 that require input from the user's terminal will still
1672 fail. If disabled, authentication will not be at‐
1673 tempted in non-interactive mode. This flag is off by
1674 default.
1675
1676 This setting is only supported by version 1.9.10 or
1677 higher.
1678
1679 pam_acct_mgmt On systems that use PAM for authentication, sudo will
1680 perform PAM account validation for the invoking user by
1681 default. The actual checks performed depend on which
1682 PAM modules are configured. If enabled, account vali‐
1683 dation will be performed regardless of whether or not a
1684 password is required. This flag is on by default.
1685
1686 This setting is only supported by version 1.8.28 or
1687 higher.
1688
1689 pam_rhost On systems that use PAM for authentication, sudo will
1690 set the PAM remote host value to the name of the local
1691 host when the pam_rhost flag is enabled. On Linux sys‐
1692 tems, enabling pam_rhost may result in DNS lookups of
1693 the local host name when PAM is initialized. On So‐
1694 laris versions prior to Solaris 8, pam_rhost must be
1695 enabled if pam_ruser is also enabled to avoid a crash
1696 in the Solaris PAM implementation.
1697
1698 This flag is off by default on systems other than So‐
1699 laris.
1700
1701 This setting is only supported by version 1.9.0 or
1702 higher.
1703
1704 pam_ruser On systems that use PAM for authentication, sudo will
1705 set the PAM remote user value to the name of the user
1706 that invoked sudo when the pam_ruser flag is enabled.
1707 This flag is on by default.
1708
1709 This setting is only supported by version 1.9.0 or
1710 higher.
1711
1712 pam_session On systems that use PAM for authentication, sudo will
1713 create a new PAM session for the command to be run in.
1714 Unless sudo is given the -i or -s options, PAM session
1715 modules are run with the “silent” flag enabled. This
1716 prevents last login information from being displayed
1717 for every command on some systems. Disabling
1718 pam_session may be needed on older PAM implementations
1719 or on operating systems where opening a PAM session
1720 changes the utmp or wtmp files. If PAM session support
1721 is disabled, resource limits may not be updated for the
1722 command being run. If pam_session, pam_setcred, and
1723 use_pty are disabled, log_servers has not been set and
1724 I/O logging has not been configured, sudo will execute
1725 the command directly instead of running it as a child
1726 process. This flag is on by default.
1727
1728 This setting is only supported by version 1.8.7 or
1729 higher.
1730
1731 pam_setcred On systems that use PAM for authentication, sudo will
1732 attempt to establish credentials for the target user by
1733 default, if supported by the underlying authentication
1734 system. One example of a credential is a Kerberos
1735 ticket. If pam_session, pam_setcred, and use_pty are
1736 disabled, log_servers has not been set and I/O logging
1737 has not been configured, sudo will execute the command
1738 directly instead of running it as a child process.
1739 This flag is on by default.
1740
1741 This setting is only supported by version 1.8.8 or
1742 higher.
1743
1744 passprompt_override
1745 If set, the prompt specified by passprompt or the
1746 SUDO_PROMPT environment variable will always be used
1747 and will replace the prompt provided by a PAM module or
1748 other authentication method. This flag is off by de‐
1749 fault.
1750
1751 path_info Normally, sudo will tell the user when a command could
1752 not be found in their PATH environment variable. Some
1753 sites may wish to disable this as it could be used to
1754 gather information on the location of executables that
1755 the normal user does not have access to. The disadvan‐
1756 tage is that if the executable is simply not in the
1757 user's PATH, sudo will tell the user that they are not
1758 allowed to run it, which can be confusing. This flag
1759 is on by default.
1760
1761 preserve_groups By default, sudo will initialize the group vector to
1762 the list of groups the target user is in. When
1763 preserve_groups is set, the user's existing group vec‐
1764 tor is left unaltered. The real and effective group-
1765 IDs, however, are still set to match the target user.
1766 This flag is off by default.
1767
1768 pwfeedback By default, sudo reads the password like most other
1769 Unix programs, by turning off echo until the user hits
1770 the return (or enter) key. Some users become confused
1771 by this as it appears to them that sudo has hung at
1772 this point. When pwfeedback is set, sudo will provide
1773 visual feedback when the user presses a key. This does
1774 have a security impact as an onlooker may be able to
1775 determine the length of the password being entered.
1776 This flag is off by default.
1777
1778 requiretty If set, sudo will only run when the user is logged in
1779 to a real tty. When this flag is set, sudo can only be
1780 run from a login session and not via other means such
1781 as cron(8) or cgi-bin scripts. This flag is off by de‐
1782 fault.
1783
1784 root_sudo If set, root is allowed to run sudo too. Disabling
1785 this prevents users from “chaining” sudo commands to
1786 get a root shell by doing something like ‘sudo sudo
1787 /bin/sh’. Note, however, that turning off root_sudo
1788 will also prevent root from running sudoedit. Dis‐
1789 abling root_sudo provides no real additional security;
1790 it exists purely for historical reasons. This flag is
1791 on by default.
1792
1793 rootpw If set, sudo will prompt for the root password instead
1794 of the password of the invoking user when running a
1795 command or editing a file. This flag is off by de‐
1796 fault.
1797
1798 runas_allow_unknown_id
1799 If enabled, allow matching of runas user and group IDs
1800 that are not present in the password or group data‐
1801 bases. In addition to explicitly matching unknown user
1802 or group IDs in a Runas_List, this option also allows
1803 the ALL alias to match unknown IDs. This flag is off
1804 by default.
1805
1806 This setting is only supported by version 1.8.30 or
1807 higher. Older versions of sudo always allowed matching
1808 of unknown user and group IDs.
1809
1810 runas_check_shell
1811 If enabled, sudo will only run commands as a user whose
1812 shell appears in the /etc/shells file, even if the in‐
1813 voking user's Runas_List would otherwise permit it. If
1814 no /etc/shells file is present, a system-dependent list
1815 of built-in default shells is used. On many operating
1816 systems, system users such as “bin” do not have a
1817 valid shell and this flag can be used to prevent com‐
1818 mands from being run as those users. This flag is off
1819 by default.
1820
1821 This setting is only supported by version 1.8.30 or
1822 higher.
1823
1824 runaspw If set, sudo will prompt for the password of the user
1825 defined by the runas_default option (defaults to root)
1826 instead of the password of the invoking user when run‐
1827 ning a command or editing a file. This flag is off by
1828 default.
1829
1830 selinux If enabled, the user may specify an SELinux role and/or
1831 type to use when running the command, as permitted by
1832 the SELinux policy. If SELinux is disabled on the sys‐
1833 tem, this flag has no effect. This flag is on by de‐
1834 fault.
1835
1836 set_home If enabled and sudo is invoked with the -s option, the
1837 HOME environment variable will be set to the home di‐
1838 rectory of the target user (which is the runas_default
1839 user unless the -u option is used). This flag is
1840 largely obsolete and has no effect unless the env_reset
1841 flag has been disabled or HOME is present in the
1842 env_keep list, both of which are strongly discouraged.
1843 This flag is off by default.
1844
1845 set_logname Normally, sudo will set the LOGNAME and USER environ‐
1846 ment variables to the name of the target user (the user
1847 specified by runas_default unless the -u option is
1848 given). However, since some programs (including the
1849 RCS revision control system) use LOGNAME to determine
1850 the real identity of the user, it may be desirable to
1851 change this behavior. This can be done by negating the
1852 set_logname option. The set_logname option will have
1853 no effect if the env_reset option has not been disabled
1854 and the env_keep list contains LOGNAME or USER. This
1855 flag is on by default.
1856
1857 set_utmp When enabled, sudo will create an entry in the utmp (or
1858 utmpx) file when a pseudo-terminal is allocated. A
1859 pseudo-terminal is allocated by sudo when it is running
1860 in a terminal and one or more of the log_input,
1861 log_output, log_stdin, log_stdout, log_stderr,
1862 log_ttyin, log_ttyout, or use_pty flags is enabled. By
1863 default, the new entry will be a copy of the user's ex‐
1864 isting utmp entry (if any), with the tty, time, type,
1865 and pid fields updated. This flag is on by default.
1866
1867 setenv Allow the user to disable the env_reset option from the
1868 command line via the -E option. Additionally, environ‐
1869 ment variables set via the command line are not subject
1870 to the restrictions imposed by env_check, env_delete,
1871 or env_keep. As such, only trusted users should be al‐
1872 lowed to set variables in this manner. This flag is
1873 off by default.
1874
1875 shell_noargs If set and sudo is invoked with no arguments it acts as
1876 if the -s option had been given. That is, it runs a
1877 shell as root (the shell is determined by the SHELL en‐
1878 vironment variable if it is set, falling back on the
1879 shell listed in the invoking user's /etc/passwd entry
1880 if not). This flag is off by default.
1881
1882 stay_setuid Normally, when sudo executes a command the real and ef‐
1883 fective user-IDs are set to the target user (root by
1884 default). This option changes that behavior such that
1885 the real user-ID is left as the invoking user's user-
1886 ID. In other words, this makes sudo act as a set-user-
1887 ID wrapper. This can be useful on systems that disable
1888 some potentially dangerous functionality when a program
1889 is run set-user-ID. This option is only effective on
1890 systems that support either the setreuid(2) or
1891 setresuid(2) system call. This flag is off by default.
1892
1893 sudoedit_checkdir
1894 If set, sudoedit will check all directory components of
1895 the path to be edited for writability by the invoking
1896 user. Symbolic links will not be followed in writable
1897 directories and sudoedit will refuse to edit a file lo‐
1898 cated in a writable directory. These restrictions are
1899 not enforced when sudoedit is run by root. On some
1900 systems, if all directory components of the path to be
1901 edited are not readable by the target user, sudoedit
1902 will be unable to edit the file. This flag is on by
1903 default.
1904
1905 This setting was first introduced in version 1.8.15 but
1906 initially suffered from a race condition. The check
1907 for symbolic links in writable intermediate directories
1908 was added in version 1.8.16.
1909
1910 sudoedit_follow By default, sudoedit will not follow symbolic links
1911 when opening files. The sudoedit_follow option can be
1912 enabled to allow sudoedit to open symbolic links. It
1913 may be overridden on a per-command basis by the FOLLOW
1914 and NOFOLLOW tags. This flag is off by default.
1915
1916 This setting is only supported by version 1.8.15 or
1917 higher.
1918
1919 syslog_pid When logging via syslog(3), include the process ID in
1920 the log entry. This flag is off by default.
1921
1922 This setting is only supported by version 1.8.21 or
1923 higher.
1924
1925 targetpw If set, sudo will prompt for the password of the user
1926 specified by the -u option (defaults to the value of
1927 runas_default) instead of the password of the invoking
1928 user when running a command or editing a file. This
1929 flag precludes the use of a user-ID not listed in the
1930 passwd database as an argument to the -u option. This
1931 flag is off by default.
1932
1933 tty_tickets If set, users must authenticate on a per-tty basis.
1934 With this flag enabled, sudo will use a separate record
1935 in the time stamp file for each terminal. If disabled,
1936 a single record is used for all login sessions.
1937
1938 This option has been superseded by the timestamp_type
1939 option.
1940
1941 umask_override If set, sudo will set the umask as specified in the
1942 sudoers file without modification. This makes it pos‐
1943 sible to specify a umask in the sudoers file that is
1944 more permissive than the user's own umask and matches
1945 historical behavior. If umask_override is not set,
1946 sudo will set the umask to be the union of the user's
1947 umask and what is specified in sudoers. This flag is
1948 off by default.
1949
1950 use_netgroups If set, netgroups (prefixed with ‘+’), may be used in
1951 place of a user or host. For LDAP-based sudoers, net‐
1952 group support requires an expensive sub-string match on
1953 the server unless the NETGROUP_BASE directive is
1954 present in the /etc/ldap.conf file. If netgroups are
1955 not needed, this option can be disabled to reduce the
1956 load on the LDAP server. This flag is on by default.
1957
1958 use_pty If set, and sudo is running in a terminal, the command
1959 will be run in a pseudo-terminal (even if no I/O log‐
1960 ging is being done). If the sudo process is not at‐
1961 tached to a terminal, use_pty has no effect.
1962
1963 A malicious program run under sudo may be capable of
1964 injecting commands into the user's terminal or running
1965 a background process that retains access to the user's
1966 terminal device even after the main program has fin‐
1967 ished executing. By running the command in a separate
1968 pseudo-terminal, this attack is no longer possible.
1969 This flag is off by default.
1970
1971 user_command_timeouts
1972 If set, the user may specify a timeout on the command
1973 line. If the timeout expires before the command has
1974 exited, the command will be terminated. If a timeout
1975 is specified both in the sudoers file and on the com‐
1976 mand line, the smaller of the two timeouts will be
1977 used. See the Timeout_Spec section for a description
1978 of the timeout syntax. This flag is off by default.
1979
1980 This setting is only supported by version 1.8.20 or
1981 higher.
1982
1983 utmp_runas If set, sudo will store the name of the runas user when
1984 updating the utmp (or utmpx) file. By default, sudo
stores the name of the invoking user. This flag is off
by default.

visiblepw By default, sudo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the visiblepw flag is set, sudo
will prompt for a password even when it would be visible
on the screen. This makes it possible to run
things like ‘ssh somehost sudo ls’ since by default,
ssh(1) does not allocate a tty when running a command.
This flag is off by default.

Integers:

closefrom Before it executes a command, sudo will close all open
file descriptors other than standard input, standard
output, and standard error (file descriptors 0-2). The
closefrom option can be used to specify a different
file descriptor at which to start closing. The default
is 3.

command_timeout The maximum amount of time a command is allowed to run
before it is terminated. See the Timeout_Spec section
for a description of the timeout syntax.

This setting is only supported by version 1.8.20 or
higher.

log_server_timeout
The maximum amount of time to wait when connecting to a
log server or waiting for a server response. See the
Timeout_Spec section for a description of the timeout
syntax. The default value is 30 seconds.

This setting is only supported by version 1.9.0 or
higher.

maxseq The maximum sequence number that will be substituted
for the ‘%{seq}’ escape in the I/O log file (see the
iolog_dir description below for more information).
While the value substituted for ‘%{seq}’ is in base 36,
maxseq itself should be expressed in decimal. Values
larger than 2176782336 (which corresponds to the base
36 sequence number “ZZZZZZ”) will be silently truncated
to 2176782336. The default value is 2176782336.

Once the local sequence number reaches the value of
maxseq, it will “roll over” to zero, after which
sudoers will truncate and re-use any existing I/O log
path names.

This setting is only supported by version 1.8.7 or
higher.

passwd_tries The number of tries a user gets to enter his/her password
before sudo logs the failure and exits. The default
is 3.

syslog_maxlen On many systems, syslog(3) has a relatively small log
buffer. IETF RFC 5424 states that syslog servers must
support messages of at least 480 bytes and should support
messages up to 2048 bytes. By default, sudoers
creates log messages up to 980 bytes which corresponds
to the historic BSD syslog implementation which used a
1024 byte buffer to store the message, date, hostname,
and program name. To prevent syslog messages from being
truncated, sudoers will split up log messages that
are larger than syslog_maxlen bytes. When a message is
split, additional parts will include the string
“(command continued)” after the user name and before
the continued command line arguments.

This setting is only supported by version 1.8.19 or
higher.
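The splitting rule above matters to anyone consuming sudo logs: a long command line arrives as several syslog messages and must be joined again before matching on COMMAND= fields. The following is an added example modelling that rule, not sudo's own code; the sample event is constructed and the small maxlen in demo() is only there to make the split visible.

```python
"""Split sudoers syslog messages at syslog_maxlen and join them back.

Added example modelling the rule described for syslog_maxlen: a message
longer than syslog_maxlen bytes is split, and each additional part
repeats the user name followed by "(command continued)" before the rest
of the command line.  Not sudo's own code; the sample event is
constructed.
"""

DEFAULT_SYSLOG_MAXLEN = 980          # sudoers default, see syslog_maxlen
CONTINUED = "(command continued) "   # marker sudoers puts after the user name


def _cut(data: bytes, room: int) -> int:
    """Largest cut point <= room that does not split a UTF-8 sequence."""
    if len(data) <= room:
        return len(data)
    cut = room
    while cut > 0 and (data[cut] & 0xC0) == 0x80:   # inside a multi-byte char
        cut -= 1
    if cut == 0:
        raise ValueError("syslog_maxlen leaves no room for message text")
    return cut


def split_message(user: str, body: str, maxlen: int = DEFAULT_SYSLOG_MAXLEN) -> list:
    """Return the syslog message parts for one event.

    ``body`` is everything after "user : " (TTY=..., PWD=..., USER=...,
    COMMAND=...).  Every part is at most ``maxlen`` bytes when UTF-8
    encoded; parts after the first carry the "(command continued)" marker.
    """
    head = f"{user} : ".encode()
    cont = f"{user} : {CONTINUED}".encode()
    if max(len(head), len(cont)) >= maxlen:
        raise ValueError("syslog_maxlen is smaller than the message prefix")
    parts, prefix, rest = [], head, body.encode()
    while True:
        cut = _cut(rest, maxlen - len(prefix))
        parts.append((prefix + rest[:cut]).decode())
        rest = rest[cut:]
        if not rest:
            return parts
        prefix = cont


def reassemble(messages) -> list:
    """Join split parts back into (user, body) events, which is what a log
    pipeline must do before matching on COMMAND= fields.  A part whose text
    after "user : " starts with the marker is appended to the preceding
    event of the same user; anything else starts a new event."""
    events = []
    for msg in messages:
        user, sep, rest = msg.partition(" : ")
        if not sep:
            continue                                  # not a sudoers event line
        if rest.startswith(CONTINUED) and events and events[-1][0] == user:
            events[-1] = (user, events[-1][1] + rest[len(CONTINUED):])
        else:
            events.append((user, rest))
    return events


# Constructed sample: one long find(1) command line run through sudo.
SAMPLE_USER = "alice"
SAMPLE_BODY = ("TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/find /srv "
               + " ".join(f"-name 'report-{i:02d}.log' -o" for i in range(40))
               + " -print")


def demo(maxlen: int = 120) -> list:
    """Split the sample with a small maxlen so the effect is visible and
    verify that every part fits and the parts join back to the original."""
    parts = split_message(SAMPLE_USER, SAMPLE_BODY, maxlen)
    assert all(len(p.encode()) <= maxlen for p in parts)
    assert reassemble(parts) == [(SAMPLE_USER, SAMPLE_BODY)]
    return parts


if __name__ == "__main__":
    for part in demo():
        print(part)
```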

Integers that can be used in a boolean context:

loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).

passwd_timeout Number of minutes before the sudo password prompt times
out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is insufficient,
for example 2.5. The default is 5.

timestamp_timeout
Number of minutes that can elapse before sudo will ask
for a password again. The timeout may include a fractional
component if minute granularity is insufficient,
for example 2.5. The default is 5. Set this to 0 to
always prompt for a password. If set to a value less
than 0 the user's time stamp will not expire until the
system is rebooted. This can be used to allow users to
create or delete their own time stamps via ‘sudo -v’
and ‘sudo -k’ respectively.

umask File mode creation mask to use when running the command.
Negate this option or set it to 0777 to prevent
sudoers from changing the umask. Unless the
umask_override flag is set, the actual umask will be
the union of the user's umask and the value of the
umask setting, which defaults to 0022. This guarantees
that sudo never lowers the umask when running a command.

If umask is explicitly set in sudoers, it will override
any umask setting in PAM or login.conf. If umask is
not set in sudoers, the umask specified by PAM or login.conf
will take precedence. The umask setting in
PAM is not used for sudoedit, which does not create a
new PAM session.

Strings:

authfail_message Message that is displayed after a user fails to authenticate.
The message may include the ‘%d’ escape which
will expand to the number of failed password attempts.
If set, it overrides the default message, “%d incorrect
password attempt(s)”.

badpass_message Message that is displayed if a user enters an incorrect
password. The default is “Sorry, try again.” unless
insults are enabled.

editor A colon (‘:’) separated list of editor path names used
by sudoedit and visudo. For sudoedit, this list is
used to find an editor when none of the SUDO_EDITOR,
VISUAL or EDITOR environment variables are set to an
editor that exists and is executable. For visudo, it
is used as a white list of allowed editors; visudo will
choose the editor that matches the user's SUDO_EDITOR,
VISUAL or EDITOR environment variable if possible, or
the first editor in the list that exists and is executable
if not. Unless invoked as sudoedit, sudo does
not preserve the SUDO_EDITOR, VISUAL or EDITOR environment
variables unless they are present in the env_keep
list or the env_reset option is disabled. The default
is /usr/bin/nano:/usr/bin/vim:/usr/bin/vi.

intercept_type The underlying mechanism used by the intercept and
log_subcmds options. It has the following possible
values:

dso Preload a dynamic shared object (shared library)
that intercepts the execve(2), execl(3),
execle(3), execlp(3), execv(3), execvp(3),
execvpe(3), and system(3) library functions. A
value of dso is incompatible with sudo's
SELinux RBAC support.

trace Use ptrace(2) to intercept the execve(2) system
call. This is only supported on Linux systems
where seccomp(2) filtering is enabled. If the
/proc/sys/kernel/seccomp/actions_avail file is
missing or does not contain a “trap” element,
setting intercept_type to trace will have no
effect and dso will be used instead.

The default is to use trace if it is supported by the
system and dso if it is not.

iolog_dir The top-level directory to use when constructing the
path name for the input/output log directory. Only
used if the log_input or log_output options are enabled
or when the LOG_INPUT or LOG_OUTPUT tags are present
for a command. The session sequence number, if any, is
stored in the directory. The default is
/var/log/sudo-io.

The following percent (‘%’) escape sequences are supported:

%{seq}
expanded to a monotonically increasing base-36
sequence number, such as 0100A5, where every two
digits are used to form a new directory, e.g.,
01/00/A5

%{user}
expanded to the invoking user's login name

%{group}
expanded to the name of the invoking user's real
group-ID

%{runas_user}
expanded to the login name of the user the command
will be run as (e.g., root)

%{runas_group}
expanded to the group name of the user the command
will be run as (e.g., wheel)

%{hostname}
expanded to the local host name without the domain
name

%{command}
expanded to the base name of the command being
run

In addition, any escape sequences supported by the system's
strftime(3) function will be expanded.

To include a literal ‘%’ character, the string ‘%%’
should be used.

iolog_file The path name, relative to iolog_dir, in which to store
input/output logs when the log_input or log_output options
are enabled or when the LOG_INPUT or LOG_OUTPUT
tags are present for a command. iolog_file may contain
directory components. The default is ‘%{seq}’.

See the iolog_dir option above for a list of supported
percent (‘%’) escape sequences.

In addition to the escape sequences, path names that
end in six or more Xs will have the Xs replaced with a
unique combination of digits and letters, similar to
the mktemp(3) function.

If the path created by concatenating iolog_dir and
iolog_file already exists, the existing I/O log file
will be truncated and overwritten unless iolog_file
ends in six or more Xs.
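The maxseq, iolog_dir and iolog_file descriptions above together define how an I/O log path is derived. The following is an added example that models those rules (base-36 %{seq} with truncation and roll-over, the %{...} and strftime escapes, and the trailing-XXXXXX suffix); it is not sudo's own code, and the user, host, command and timestamp in the sample context are constructed.

```python
"""Build sudoers I/O log path names from iolog_dir and iolog_file.

Added example, not sudo's own code: it models the %{...} escapes, the
base-36 %{seq} counter with maxseq truncation and roll-over, and the
trailing-XXXXXX suffix as sudoers(5) describes them.  The sample context
(user, host, command, timestamp) is constructed.
"""

import posixpath
import secrets
import string
import time

DIGITS36 = string.digits + string.ascii_uppercase
SESSID_MAX = 36 ** 6          # 2176782336: the largest usable maxseq


def clamp_maxseq(maxseq: int) -> int:
    """maxseq is given in decimal; values above 36**6 are silently truncated."""
    return min(maxseq, SESSID_MAX)


def next_sequence(counter: int, maxseq: int = SESSID_MAX) -> tuple:
    """Return (sequence number for this session, counter to store next).

    Sequence numbers run from 0 to maxseq-1 (ZZZZZZ at the default), then
    roll over to zero, after which existing log paths get re-used."""
    maxseq = clamp_maxseq(maxseq)
    if counter >= maxseq:                 # stored counter outgrew a lowered maxseq
        counter = 0
    return counter, (counter + 1) % maxseq


def base36(n: int, width: int = 6) -> str:
    """Zero-padded upper-case base-36, e.g. 1679981 -> '0100A5'."""
    digits = ""
    while n:
        n, r = divmod(n, 36)
        digits = DIGITS36[r] + digits
    return digits.rjust(width, "0")


def seq_dirs(seq: int) -> str:
    """Every two base-36 digits form a directory: 0100A5 -> 01/00/A5."""
    s = base36(seq)
    return "/".join(s[i:i + 2] for i in range(0, len(s), 2))


def expand(template: str, ctx: dict, when: time.struct_time) -> str:
    """Expand %{name} from ctx, '%%' to '%', and any other %-sequence via
    strftime(3), the three kinds of escape listed for iolog_dir."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):
            out.append("%")
            i += 2
        elif template.startswith("%{", i):
            end = template.find("}", i)
            if end < 0:
                raise ValueError("unterminated %{ escape")
            name = template[i + 2:end]
            if name not in ctx:
                raise ValueError(f"unknown escape %{{{name}}}")
            out.append(ctx[name])
            i = end + 1
        elif i + 1 < len(template):
            out.append(time.strftime(template[i:i + 2], when))
            i += 2
        else:
            raise ValueError("trailing '%'")
    return "".join(out)


def iolog_path(iolog_dir: str, iolog_file: str, ctx: dict, when, rand=None) -> str:
    """Join the expanded iolog_dir and iolog_file.  A trailing run of six or
    more Xs is replaced mktemp(3)-style; that suffix is what keeps an
    existing log at the same path from being truncated and overwritten."""
    path = posixpath.join(expand(iolog_dir, ctx, when), expand(iolog_file, ctx, when))
    stem = path.rstrip("X")
    nx = len(path) - len(stem)
    if nx >= 6:
        alphabet = string.ascii_letters + string.digits
        rand = rand or (lambda k: "".join(secrets.choice(alphabet) for _ in range(k)))
        path = stem + rand(nx)
    return path


def sample_context(counter: int = 1679981):
    """Constructed session; counter 1679981 is 0100A5 in base 36."""
    seq, _ = next_sequence(counter)
    ctx = {"seq": seq_dirs(seq), "user": "alice", "group": "staff",
           "runas_user": "root", "runas_group": "wheel",
           "hostname": "buildbox", "command": "ls"}
    when = time.strptime("2024-05-06 07:08:09", "%Y-%m-%d %H:%M:%S")
    return ctx, when


def sample_path() -> str:
    """Per-host, per-day directories with the default %{seq} file name."""
    ctx, when = sample_context()
    return iolog_path("/var/log/sudo-io/%{hostname}/%Y%m%d",
                      "%{user}/%{runas_user}/%{seq}", ctx, when)
```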

iolog_flush If set, sudo will flush I/O log data to disk after each
write instead of buffering it. This makes it possible
to view the logs in real-time as the program is executing
but may significantly reduce the effectiveness of
I/O log compression. This flag is off by default.

This setting is only supported by version 1.8.20 or
higher.

iolog_group The group name to look up when setting the group-ID on
new I/O log files and directories. If iolog_group is
not set, the primary group-ID of the user specified by
iolog_user is used. If neither iolog_group nor
iolog_user are set, I/O log files and directories are
created with group-ID 0.

This setting is only supported by version 1.8.19 or
higher.

iolog_mode The file mode to use when creating I/O log files. Mode
bits for read and write permissions for owner, group,
or other are honored, everything else is ignored. The
file permissions will always include the owner read and
write bits, even if they are not present in the specified
mode. When creating I/O log directories, search
(execute) bits are added to match the read and write
bits specified by iolog_mode. Defaults to 0600 (read
and write by user only).

This setting is only supported by version 1.8.19 or
higher.

iolog_user The user name to look up when setting the user and
group-IDs on new I/O log files and directories. If
iolog_group is set, it will be used instead of the
user's primary group-ID. By default, I/O log files and
directories are created with user and group-ID 0.

This setting can be useful when the I/O logs are stored
on a Network File System (NFS) share. Having a dedicated
user own the I/O log files means that sudoers
does not write to the log files as user-ID 0, which is
usually not permitted by NFS.

This setting is only supported by version 1.8.19 or
higher.

lecture_status_dir
The directory in which sudo stores per-user lecture
status files. Once a user has received the lecture, a
zero-length file is created in this directory so that
sudo will not lecture the user again. This directory
should not be cleared when the system reboots. The default
is /var/db/sudo/lectured.

log_server_cabundle
The path to a certificate authority bundle file, in PEM
format, to use instead of the system's default certificate
authority database when authenticating the log
server. The default is to use the system's default
certificate authority database. This setting has no
effect unless log_servers is set and the remote log
server is secured with TLS.

This setting is only supported by version 1.9.0 or
higher.

log_server_peer_cert
The path to the sudo client's certificate file, in PEM
format. This setting is required when the remote log
server is secured with TLS and client certificate validation
is enabled. For sudo_logsrvd, client certificate
validation is controlled by the tls_checkpeer option,
which defaults to false.

This setting is only supported by version 1.9.0 or
higher.

log_server_peer_key
The path to the sudo client's private key file, in PEM
format. This setting is required when the remote log
server is secured with TLS and client certificate validation
is enabled. For sudo_logsrvd, client certificate
validation is controlled by the tls_checkpeer
flag, which defaults to false.

This setting is only supported by version 1.9.0 or
higher.

mailsub Subject of the mail sent to the mailto user. The escape
‘%h’ will expand to the host name of the machine.
Default is “*** SECURITY information for %h ***”.

noexec_file As of sudo version 1.8.1 this option is no longer supported.
The path to the noexec file should now be set
in the sudo.conf(5) file.

pam_askpass_service
On systems that use PAM for authentication, this is the
service name used when the -A option is specified. The
default value is either ‘sudo’ or ‘sudo-i’, depending
on whether or not the -i option is also specified. See
the description of pam_service for more information.

This setting is only supported by version 1.9.9 or
higher.

pam_login_service
On systems that use PAM for authentication, this is the
service name used when the -i option is specified. The
default value is ‘sudo-i’. See the description of
pam_service for more information.

This setting is only supported by version 1.8.8 or
higher.

pam_service On systems that use PAM for authentication, the service
name specifies the PAM policy to apply. This usually
corresponds to an entry in the pam.conf file or a file
in the /etc/pam.d directory. The default value is
‘sudo’.

This setting is only supported by version 1.8.8 or
higher.

passprompt The default prompt to use when asking for a password;
can be overridden via the -p option or the SUDO_PROMPT
environment variable. The following percent (‘%’) escape
sequences are supported:

%H expanded to the local host name including the domain
name (only if the machine's host name is
fully qualified or the fqdn option is set)

%h expanded to the local host name without the domain
name

%p expanded to the user whose password is being
asked for (respects the rootpw, targetpw and
runaspw flags in sudoers)

%U expanded to the login name of the user the command
will be run as (defaults to root)

%u expanded to the invoking user's login name

%% two consecutive ‘%’ characters are collapsed into
a single ‘%’ character

On systems that use PAM for authentication, passprompt
will only be used if the prompt provided by the PAM
module matches the string “Password: ” or “username's
Password: ”. This ensures that the passprompt setting
does not interfere with challenge-response style authentication.
The passprompt_override flag can be used
to change this behavior.

The default value is ‘[sudo] password for %p: ’.

role The default SELinux role to use when constructing a new
security context to run the command. The default role
may be overridden on a per-command basis in the sudoers
file or via command line options. This option is only
available when sudo is built with SELinux support.

runas_default The default user to run commands as if the -u option is
not specified on the command line. This defaults to
root.

sudoers_locale Locale to use when parsing the sudoers file, logging
commands, and sending email. Changing the locale may
affect how sudoers is interpreted. Defaults to ‘C’.

timestamp_type sudoers uses per-user time stamp files for credential
caching. The timestamp_type option can be used to
specify the type of time stamp record used. It has the
following possible values:

global A single time stamp record is used for all of a
user's login sessions, regardless of the terminal
or parent process ID. An additional record
is used to serialize password prompts when sudo
is used multiple times in a pipeline, but this
does not affect authentication.

ppid A single time stamp record is used for all processes
with the same parent process ID (usually
the shell). Commands run from the same shell
(or other common parent process) will not require
a password for timestamp_timeout minutes
(5 by default). Commands run via sudo with a
different parent process ID, for example from a
shell script, will be authenticated separately.

tty One time stamp record is used for each terminal,
which means that a user's login sessions
are authenticated separately. If no terminal
is present, the behavior is the same as ppid.
Commands run from the same terminal will not
require a password for timestamp_timeout minutes
(5 by default).

kernel The time stamp is stored in the kernel as an
attribute of the terminal device. If no terminal
is present, the behavior is the same as
ppid. Negative timestamp_timeout values are
not supported and positive values are limited
to a maximum of 60 minutes. This is currently
only supported on OpenBSD.

The default value is tty.

This setting is only supported by version 1.8.21 or
higher.

timestampdir The directory in which sudo stores its time stamp
files. This directory should be cleared when the system
reboots. The default is /run/sudo/ts.

timestampowner The owner of the lecture status directory, time stamp
directory and all files stored therein. The default is
root.

type The default SELinux type to use when constructing a new
security context to run the command. The default type
may be overridden on a per-command basis in the sudoers
file or via command line options. This option is only
available when sudo is built with SELinux support.

Strings that can be used in a boolean context:

admin_flag The admin_flag option specifies the path to a file that is
created the first time a user that is a member of the sudo
or admin groups runs sudo. Only available if sudo is configured
with the --enable-admin-flag option. The default
value is ~/.sudo_as_admin_successful.

env_file The env_file option specifies the fully qualified path to a
file containing variables to be set in the environment of
the program being run. Entries in this file should either
be of the form ‘VARIABLE=value’ or ‘export VARIABLE=value’.
The value may optionally be enclosed in single or double
quotes. Variables in this file are only added if the variable
does not already exist in the environment. This file
is considered to be part of the security policy, its contents
are not subject to other sudo environment restrictions
such as env_keep and env_check.

exempt_group Users in this group are exempt from password and PATH requirements.
The group name specified should not include a
‘%’ prefix. This is not set by default.

fdexec Determines whether sudo will execute a command by its path
or by an open file descriptor. It has the following possible
values:

always Always execute by file descriptor.

never Never execute by file descriptor.

digest_only
Only execute by file descriptor if the command has
an associated digest in the sudoers file.

The default value is digest_only. This avoids a time of
check versus time of use race condition when the command is
located in a directory writable by the invoking user.

fdexec will change the first element of the argument vector
for scripts ($0 in the shell) due to the way the kernel
runs script interpreters. Instead of being a normal path,
it will refer to a file descriptor. For example, /dev/fd/4
on Solaris and /proc/self/fd/4 on Linux. A workaround is
to use the SUDO_COMMAND environment variable instead.

The fdexec setting is only used when the command is matched
by path name. It has no effect if the command is matched
by the built-in ALL alias.

This setting is only supported by version 1.8.20 or higher.
If the operating system does not support the fexecve(2)
system call, this setting has no effect.

group_plugin A string containing a sudoers group plugin with optional
arguments. The string should consist of the plugin path,
either fully-qualified or relative to the /usr/libexec/sudo
directory, followed by any configuration arguments the
plugin requires. These arguments (if any) will be passed
to the plugin's initialization function. If arguments are
present, the string must be enclosed in double quotes ("").

On 64-bit systems, if the plugin is present but cannot be
loaded, sudoers will look for a 64-bit version and, if it
exists, load that as a fallback. The exact rules for this
vary by system. On Solaris, if the plugin is stored in a
directory ending in “lib”, sudoers will create a fallback
path by appending “/64” to the directory name;
/usr/lib/group_plugin.so becomes
/usr/lib/64/group_plugin.so. On Linux, a directory ending
in “lib” will be transformed to “lib64” as the fallback
path; /usr/lib/group_plugin.so becomes
/usr/lib64/group_plugin.so. On all other systems, the
fallback path is generated by adding a “64” before the file
extension; group_plugin.so becomes group_plugin64.so.

For more information see GROUP PROVIDER PLUGINS.

lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following possible
values:

always Always lecture the user.

never Never lecture the user.

once Only lecture the user the first time they run sudo.

If no value is specified, a value of once is implied.
Negating the option results in a value of never being used.
The default value is once.

lecture_file Path to a file containing an alternate sudo lecture that
will be used in place of the standard lecture if the named
file exists. By default, sudo uses a built-in lecture.

listpw This option controls when a password will be required when
a user runs sudo with the -l option. It has the following
possible values:

all All the user's sudoers file entries for the current
host must have the NOPASSWD flag set to avoid entering
a password.

always
The user must always enter a password to use the -l
option.

any At least one of the user's sudoers file entries for
the current host must have the NOPASSWD flag set to
avoid entering a password.

never
The user need never enter a password to use the -l
option.

If no value is specified, a value of any is implied.
Negating the option results in a value of never being used.
The default value is any.

log_format The event log format. Supported log formats are:

json Logs in JSON format. JSON log entries contain the
full user details as well as the execution environment
if the command was allowed. Due to limitations
of the protocol, JSON events sent via syslog may be
truncated.

sudo Traditional sudo-style logs, see EVENT LOGGING for a
description of the log file format.

This setting affects logs sent via syslog(3) as well as the
file specified by the logfile setting, if any. The default
value is sudo.

logfile Path to the sudo log file (not the syslog log file). Setting
a path turns on logging to a file; negating this option
turns it off. By default, sudo logs via syslog.

mailerflags Flags to use when invoking mailer. Defaults to -t.

mailerpath Path to mail program used to send warning mail (negate to
prevent sudo from sending mail). Defaults to the path to
sendmail found at configure time.

mailfrom Address to use for the “from” address when sending warning
and error mail. The address should be enclosed in double
quotes ("") to protect against sudo interpreting the ‘@’
sign. Defaults to the name of the user running sudo.

mailto Address to send warning and error mail to (negate to prevent
sudo from sending mail). The address should be enclosed
in double quotes ("") to protect against sudo interpreting
the ‘@’ sign. Defaults to root.

rlimit_as The maximum size to which the process's address space may
grow (in bytes), if supported by the operating system. See
Resource limits for more information.

rlimit_core The largest size core dump file that may be created (in
bytes). See Resource limits for more information. Defaults
to 0 (no core dump created).

rlimit_cpu The maximum amount of CPU time that the process may use (in
seconds). See Resource limits for more information.

rlimit_data The maximum size of the data segment for the process (in
bytes). See Resource limits for more information.

rlimit_fsize The largest size file that the process may create (in
bytes). See Resource limits for more information.

rlimit_locks The maximum number of locks that the process may establish,
if supported by the operating system. See Resource limits
for more information.

rlimit_memlock
The maximum size that the process may lock in memory (in
bytes), if supported by the operating system. See Resource
limits for more information.

rlimit_nofile
The maximum number of files that the process may have open.
See Resource limits for more information.

rlimit_nproc The maximum number of processes that the user may run simultaneously.
See Resource limits for more information.

rlimit_rss The maximum size to which the process's resident set size
may grow (in bytes). See Resource limits for more information.

rlimit_stack The maximum size to which the process's stack may grow (in
bytes). See Resource limits for more information.

restricted_env_file
The restricted_env_file option specifies the fully qualified
path to a file containing variables to be set in the
environment of the program being run. Entries in this file
should either be of the form ‘VARIABLE=value’ or ‘export
VARIABLE=value’. The value may optionally be enclosed in
single or double quotes. Variables in this file are only
added if the variable does not already exist in the environment.
Unlike env_file, the file's contents are not
trusted and are processed in a manner similar to that of
the invoking user's environment. If env_reset is enabled,
variables in the file will only be added if they are
matched by either the env_check or env_keep list. If
env_reset is disabled, variables in the file are added as
long as they are not matched by the env_delete list. In
either case, the contents of restricted_env_file are processed
before the contents of env_file.

runchroot If set, sudo will use this value for the root directory
when running a command. The special value “*” will allow
the user to specify the root directory via sudo's -R option.
See the Chroot_Spec section for more details.

It is only possible to use runchroot as a command-specific
Defaults setting if the command exists with the same path
both inside and outside the chroot jail. This restriction
does not apply to global, host, or user-based Defaults settings
or to a Cmnd_Spec that includes a Chroot_Spec.

This setting is only supported by version 1.9.3 or higher.

runcwd If set, sudo will use this value for the working directory
when running a command. The special value “*” will allow
the user to specify the working directory via sudo's -D option.
See the Chdir_Spec section for more details.

This setting is only supported by version 1.9.3 or higher.

secure_path If set, sudo will use this value in place of the user's
PATH environment variable. This option can be used to reset
the PATH to a known good value that contains directories
for system administrator commands such as /usr/sbin.

Users in the group specified by the exempt_group option are
not affected by secure_path. This option is not set by default.

syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to authpriv.

The following syslog facilities are supported: authpriv (if
your OS supports it), auth, daemon, user, local0, local1,
local2, local3, local4, local5, local6, and local7.

syslog_badpri
Syslog priority to use when the user is not allowed to run
a command or when authentication is unsuccessful. Defaults
to alert.

The following syslog priorities are supported: alert, crit,
debug, emerg, err, info, notice, warning, and none. Negating
the option or setting it to a value of none will disable
logging of unsuccessful commands.

syslog_goodpri
Syslog priority to use when the user is allowed to run a
command and authentication is successful. Defaults to notice.

See syslog_badpri for the list of supported syslog priorities.
Negating the option or setting it to a value of none
will disable logging of successful commands.

verifypw This option controls when a password will be required when
a user runs sudo with the -v option. It has the following
possible values:

all All the user's sudoers file entries for the current
host must have the NOPASSWD flag set to avoid entering
a password.

always The user must always enter a password to use the -v
option.

any At least one of the user's sudoers file entries for
the current host must have the NOPASSWD flag set to
avoid entering a password.

never The user need never enter a password to use the -v
option.

If no value is specified, a value of all is implied.
Negating the option results in a value of never being used.
The default value is all.

Lists that can be used in a boolean context:

env_check Environment variables to be removed from the user's environment
unless they are considered “safe”. For all
variables except TZ, “safe” means that the variable's
value does not contain any ‘%’ or ‘/’ characters. This
can be used to guard against printf-style format vulnerabilities
in poorly-written programs. The TZ variable
is considered unsafe if any of the following are
true:

• It consists of a fully-qualified path name, optionally
prefixed with a colon (‘:’), that does not
match the location of the zoneinfo directory.

• It contains a .. path element.

• It contains white space or non-printable characters.

• It is longer than the value of PATH_MAX.

The argument may be a double-quoted, space-separated
list or a single value without double-quotes. The list
can be replaced, added to, deleted from, or disabled by
using the ‘=’, ‘+=’, ‘-=’, and ‘!’ operators respectively.
Regardless of whether the env_reset option is
enabled or disabled, variables specified by env_check
will be preserved in the environment if they pass the
aforementioned check. The global list of environment
variables to check is displayed when sudo is run by
root with the -V option.
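The env_check rules above can be checked against a candidate environment before a policy change is rolled out. The following is an added example that models them, not sudo's own code: ZONEINFO_DIR and PATH_MAX are assumed Linux values, the sample environment and env_check list are constructed, and treating list entries such as LC_* as glob patterns is an assumption of this example.

```python
"""Decide which env_check variables survive, per sudoers(5).

Added example modelling the manual's rules, not sudo's own code: an
env_check variable is kept only if its value is "safe" (no '%' and no
'/'), and TZ gets the four extra tests listed for it.  ZONEINFO_DIR and
PATH_MAX are assumptions (typical Linux values); the sample environment
and env_check list are constructed, and matching list entries as glob
patterns is also an assumption of this example.
"""

from fnmatch import fnmatchcase

PATH_MAX = 4096                        # assumption: Linux <limits.h> value
ZONEINFO_DIR = "/usr/share/zoneinfo"   # assumption: where the tz database lives


def tz_is_safe(value: str) -> bool:
    """TZ is unsafe if any of the manual's four conditions hold."""
    if len(value) > PATH_MAX:
        return False
    if any(ch.isspace() or not ch.isprintable() for ch in value):
        return False
    path = value[1:] if value.startswith(":") else value   # optional ':' prefix
    if ".." in path.split("/"):
        return False
    if path.startswith("/"):            # fully-qualified: must be under zoneinfo
        return path == ZONEINFO_DIR or path.startswith(ZONEINFO_DIR + "/")
    return True


def value_is_safe(name: str, value: str) -> bool:
    """Safe means no '%' (printf-style format strings) and no '/' (paths),
    except for TZ, which has its own rules."""
    if name == "TZ":
        return tz_is_safe(value)
    return "%" not in value and "/" not in value


def apply_env_check(env: dict, env_check) -> tuple:
    """Return (kept, removed) for the variables that match the env_check
    list.  Variables not on the list are not decided here; they fall under
    env_reset, env_keep and env_delete."""
    kept, removed = {}, []
    for name, value in env.items():
        if not any(fnmatchcase(name, pat) for pat in env_check):
            continue
        if value_is_safe(name, value):
            kept[name] = value
        else:
            removed.append(name)
    return kept, removed


# Constructed sample: a list in the style of sudo's stock env_check entries
# and an environment with one clean and several hostile values.
SAMPLE_ENV_CHECK = ["COLORTERM", "LANG", "LANGUAGE", "LC_*", "LINGUAS", "TERM", "TZ"]
SAMPLE_ENV = {
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C/../../etc/evil",           # contains '/': removed
    "TERM": "xterm%n%n%n",                  # format directives: removed
    "TZ": ":/usr/share/zoneinfo/Europe/Berlin",
    "PATH": "/usr/local/bin:/usr/bin",      # not on the list: ignored here
}


if __name__ == "__main__":
    kept, removed = apply_env_check(SAMPLE_ENV, SAMPLE_ENV_CHECK)
    print("kept:", kept)
    print("removed:", removed)
```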

env_delete Environment variables to be removed from the user's environment
when the env_reset option is not in effect.
The argument may be a double-quoted, space-separated
list or a single value without double-quotes. The list
can be replaced, added to, deleted from, or disabled by
using the ‘=’, ‘+=’, ‘-=’, and ‘!’ operators respectively.
The global list of environment variables to
remove is displayed when sudo is run by root with the
-V option. Many operating systems will remove potentially
dangerous variables from the environment of any
set-user-ID process (such as sudo).

env_keep Environment variables to be preserved in the user's environment
when the env_reset option is in effect. This
allows fine-grained control over the environment
sudo-spawned processes will receive. The argument may
be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced,
added to, deleted from, or disabled by using the ‘=’,
‘+=’, ‘-=’, and ‘!’ operators respectively. The global
list of variables to keep is displayed when sudo is run
by root with the -V option.

Preserving the HOME environment variable has security
implications since many programs use it when searching
for configuration or data files. Adding HOME to
env_keep may enable a user to run unrestricted commands
via sudo and is strongly discouraged. Users wishing to
edit files with sudo should run sudoedit (or sudo -e)
to get their accustomed editor configuration instead of
invoking the editor directly.

log_servers A list of one or more servers to use for remote event
and I/O log storage, separated by white space. Log
servers must be running sudo_logsrvd or another service
that implements the protocol described by
sudo_logsrv.proto(5).

Server addresses should be of the form
“host[:port][(tls)]”. The host portion may be a host
name, an IPv4 address, or an IPv6 address in square
brackets.

If the optional tls flag is present, the connection
will be secured with Transport Layer Security (TLS)
version 1.2 or 1.3. Versions of TLS prior to 1.2 are
not supported.

If a port is specified, it may either be a port number
or a well-known service name as defined by the system
service name database. If no port is specified, port
30343 will be used for plaintext connections and port
30344 will be used for TLS connections.

When log_servers is set, event log data will be logged
both locally (see the syslog and logfile settings) as
well as remotely, but I/O log data will only be logged
remotely. If multiple hosts are specified, they will
be attempted in reverse order. If no log servers are
available, the user will not be able to run a command
2825 unless either the ignore_iolog_errors flag (I/O logging
2826 enabled) or the ignore_log_errors flag (I/O logging
2827 disabled) is set. Likewise, if the connection to the
2828 log server is interrupted while sudo is running, the
2829 command will be terminated unless the
2830 ignore_iolog_errors flag (I/O logging enabled) or the
2831 ignore_log_errors flag (I/O logging disabled) is set.
2832
2833 This setting is only supported by version 1.9.0 or
2834 higher.
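The address syntax and default ports described above can be checked with a small parser before a log_servers value is deployed. The following Python is an added example, not code from sudo_logsrvd or sudoers; the reversed try order implements the sentence above about multiple hosts, and service-name lookup simply defers to the system services database via getservbyname.

```python
import ipaddress
import socket
from typing import List, NamedTuple

# Default ports from sudoers(5): plaintext and TLS connections to sudo_logsrvd.
DEFAULT_PLAIN_PORT = 30343
DEFAULT_TLS_PORT = 30344


class LogServer(NamedTuple):
    host: str
    port: int
    tls: bool


def parse_log_server(spec: str) -> LogServer:
    """Parse one "host[:port][(tls)]" entry from the log_servers setting."""
    tls = spec.endswith("(tls)")
    if tls:
        spec = spec[: -len("(tls)")]
    if spec.startswith("["):
        # IPv6 literals must be bracketed so their colons are not taken
        # for the port separator.
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 address in {spec!r}")
        host = spec[1:end]
        ipaddress.IPv6Address(host)  # raises ValueError if not an IPv6 literal
        rest = spec[end + 1:]
    else:
        host, sep, port_part = spec.partition(":")
        rest = sep + port_part
    if not host:
        raise ValueError(f"missing host in {spec!r}")
    if rest == "":
        port = DEFAULT_TLS_PORT if tls else DEFAULT_PLAIN_PORT
    elif rest.startswith(":") and len(rest) > 1:
        port_str = rest[1:]
        if port_str.isdigit():
            port = int(port_str)
        else:
            # A well-known service name, resolved through the services database.
            port = socket.getservbyname(port_str)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {spec!r}")
    else:
        raise ValueError(f"malformed port in {spec!r}")
    return LogServer(host, port, tls)


def connection_order(value: str) -> List[LogServer]:
    """Parse a white-space separated log_servers value and return the servers
    in the order sudoers will try them, which is the reverse of the listing."""
    servers = [parse_log_server(s) for s in value.split()]
    return servers[::-1]


if __name__ == "__main__":
    for srv in connection_order("logs1.example.com [2001:db8::1]:5000(tls) 192.0.2.10(tls)"):
        print(srv)
```

A plaintext entry is accepted by the parser just as sudoers accepts it; whether an unencrypted log channel is acceptable is a deployment decision, since event and I/O log data travel over it.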
2835
2836 passprompt_regex A list of POSIX extended regular expressions used to
2837 match password prompts in the terminal output. As an
2838 extension, if the regular expression begins with
2839 “(?i)”, it will be matched in a case-insensitive man‐
2840 ner. Each regular expression is limited to 1024 char‐
2841 acters. This option is only used when log_passwords
has been disabled. The default value is “[Pp]assword[: ]*”.
2844
2845 This setting is only supported by version 1.9.10 or
2846 higher.
2847
GROUP PROVIDER PLUGINS
The sudoers plugin supports its own plugin interface to allow non-Unix
group lookups which can query a group source other than the standard Unix
group database. This can be used to implement support for the
nonunix_group syntax described earlier.
2853
2854 Group provider plugins are specified via the group_plugin setting. The
2855 argument to group_plugin should consist of the plugin path, either fully-
2856 qualified or relative to the /usr/libexec/sudo directory, followed by any
2857 configuration options the plugin requires. These options (if specified)
2858 will be passed to the plugin's initialization function. If options are
2859 present, the string must be enclosed in double quotes ("").
2860
2861 The following group provider plugins are installed by default:
2862
2863 group_file
2864 The group_file plugin supports an alternate group file that uses
2865 the same syntax as the /etc/group file. The path to the group file
2866 should be specified as an option to the plugin. For example, if
2867 the group file to be used is /etc/sudo-group:
2868
2869 Defaults group_plugin="group_file.so /etc/sudo-group"
2870
system_group
The system_group plugin supports group lookups via the standard C
library functions getgrnam(3) and getgrgid(3). This plugin can be
used in instances where the user belongs to groups not present in
the user's supplemental group vector. This plugin takes no options:
2877
2878 Defaults group_plugin=system_group.so
2879
2880 The group provider plugin API is described in detail in sudo_plugin(5).
2881
LOG FORMAT
sudoers can log events in either JSON or sudo format; this section
describes the sudo log format. Depending on sudoers configuration, sudoers
can log events via syslog(3), to a local log file, or both. The log format
is almost identical in both cases. Any control characters present in the
log data are formatted in octal with a leading ‘#’ character. For example,
a horizontal tab is stored as ‘#011’ and an embedded carriage return is
stored as ‘#015’. In addition, space characters in the command path are
stored as ‘#040’. Command line arguments that contain spaces are enclosed
in single quotes (''). This makes it possible to distinguish multiple
command line arguments from a single argument that contains spaces.
Literal single quotes and backslash characters (‘\’) in command line
arguments are escaped with a backslash.
2895
2896 Accepted command log entries
2897 Commands that sudo runs are logged using the following format (split into
2898 multiple lines for readability):
2899
2900 date hostname progname: username : TTY=ttyname ; CHROOT=chroot ; \
2901 PWD=cwd ; USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2902 ENV=env_vars COMMAND=command
2903
2904 Where the fields are as follows:
2905
2906 date The date the command was run. Typically, this is in the
2907 format “MMM, DD, HH:MM:SS”. If logging via syslog(3), the
2908 actual date format is controlled by the syslog daemon. If
2909 logging to a file and the log_year option is enabled, the
2910 date will also include the year.
2911
2912 hostname The name of the host sudo was run on. This field is only
2913 present when logging via syslog(3).
2914
2915 progname The name of the program, usually sudo or sudoedit. This
2916 field is only present when logging via syslog(3).
2917
2918 username The login name of the user who ran sudo.
2919
2920 ttyname The short name of the terminal (e.g., “console”, “tty01”,
2921 or “pts/0”) sudo was run on, or “unknown” if there was no
2922 terminal present.
2923
2924 chroot The root directory that the command was run in, if one was
2925 specified.
2926
2927 cwd The current working directory that sudo was run in.
2928
2929 runasuser The user the command was run as.
2930
2931 runasgroup The group the command was run as if one was specified on
2932 the command line.
2933
2934 logid An I/O log identifier that can be used to replay the com‐
2935 mand's output. This is only present when the log_input or
2936 log_output option is enabled.
2937
2938 env_vars A list of environment variables specified on the command
2939 line, if specified.
2940
2941 command The actual command that was executed, including any command
2942 line arguments.
2943
2944 Messages are logged using the locale specified by sudoers_locale, which
2945 defaults to the ‘C’ locale.
2946
2947 Denied command log entries
2948 If the user is not allowed to run the command, the reason for the denial
2949 will follow the user name. Possible reasons include:
2950
2951 user NOT in sudoers
2952 The user is not listed in the sudoers file.
2953
2954 user NOT authorized on host
2955 The user is listed in the sudoers file but is not allowed to run com‐
2956 mands on the host.
2957
2958 command not allowed
2959 The user is listed in the sudoers file for the host but they are not
2960 allowed to run the specified command.
2961
2962 3 incorrect password attempts
2963 The user failed to enter their password after 3 tries. The actual num‐
2964 ber of tries will vary based on the number of failed attempts and the
2965 value of the passwd_tries option.
2966
2967 a password is required
2968 The -n option was specified but a password was required.
2969
2970 sorry, you are not allowed to set the following environment variables
2971 The user specified environment variables on the command line that were
2972 not allowed by sudoers.
2973
2974 Error log entries
2975 If an error occurs, sudoers will log a message and, in most cases, send a
2976 message to the administrator via email. Possible errors include:
2977
2978 parse error in /etc/sudoers near line N
2979 sudoers encountered an error when parsing the specified file. In some
2980 cases, the actual error may be one line above or below the line number
2981 listed, depending on the type of error.
2982
2983 problem with defaults entries
2984 The sudoers file contains one or more unknown Defaults settings. This
2985 does not prevent sudo from running, but the sudoers file should be
2986 checked using visudo.
2987
2988 timestamp owner (username): No such user
2989 The time stamp directory owner, as specified by the timestampowner set‐
2990 ting, could not be found in the password database.
2991
2992 unable to open/read /etc/sudoers
2993 The sudoers file could not be opened for reading. This can happen when
2994 the sudoers file is located on a remote file system that maps user-ID 0
2995 to a different value. Normally, sudoers tries to open the sudoers file
2996 using group permissions to avoid this problem. Consider either chang‐
2997 ing the ownership of /etc/sudoers or adding an argument like
2998 “sudoers_uid=N” (where ‘N’ is the user-ID that owns the sudoers file)
2999 to the end of the sudoers Plugin line in the sudo.conf(5) file.
3000
3001 unable to open /etc/sudoers
3002 The /etc/sudoers file is missing.
3003
3004 /etc/sudoers is not a regular file
3005 The /etc/sudoers file exists but is not a regular file or symbolic
3006 link.
3007
3008 /etc/sudoers is owned by uid N, should be 0
3009 The sudoers file has the wrong owner. If you wish to change the
3010 sudoers file owner, add “sudoers_uid=N” (where ‘N’ is the user-ID that
3011 owns the sudoers file) to the sudoers Plugin line in the sudo.conf(5)
3012 file.
3013
/etc/sudoers is world writable
The permissions on the sudoers file allow all users to write to it.
The sudoers file must not be world-writable; the default file mode is
0440 (readable by owner and group, writable by none). The default mode
may be changed via the “sudoers_mode” option to the sudoers Plugin line
in the sudo.conf(5) file.
3020
3021 /etc/sudoers is owned by gid N, should be 1
3022 The sudoers file has the wrong group ownership. If you wish to change
3023 the sudoers file group ownership, add “sudoers_gid=N” (where ‘N’ is the
3024 group-ID that owns the sudoers file) to the sudoers Plugin line in the
3025 sudo.conf(5) file.
3026
3027 unable to open /run/sudo/ts/username
3028 sudoers was unable to read or create the user's time stamp file. This
3029 can happen when timestampowner is set to a user other than root and the
3030 mode on /run/sudo is not searchable by group or other. The default
3031 mode for /run/sudo is 0711.
3032
3033 unable to write to /run/sudo/ts/username
3034 sudoers was unable to write to the user's time stamp file.
3035
3036 /run/sudo/ts is owned by uid X, should be Y
3037 The time stamp directory is owned by a user other than timestampowner.
3038 This can occur when the value of timestampowner has been changed.
3039 sudoers will ignore the time stamp directory until the owner is cor‐
3040 rected.
3041
3042 /run/sudo/ts is group writable
3043 The time stamp directory is group-writable; it should be writable only
3044 by timestampowner. The default mode for the time stamp directory is
3045 0700. sudoers will ignore the time stamp directory until the mode is
3046 corrected.
3047
3048 Notes on logging via syslog
3049 By default, sudoers logs messages via syslog(3). The date, hostname, and
3050 progname fields are added by the system's syslog(3) function, not sudoers
3051 itself. As such, they may vary in format on different systems.
3052
3053 The maximum size of syslog messages varies from system to system. The
3054 syslog_maxlen setting can be used to change the maximum syslog message
3055 size from the default value of 980 bytes. For more information, see the
3056 description of syslog_maxlen.
3057
3058 Notes on logging to a file
3059 If the logfile option is set, sudoers will log to a local file, such as
3060 /var/log/sudo. When logging to a file, sudoers uses a format similar to
3061 syslog(3), with a few important differences:
3062
3063 1. The progname field is not present.
3064
3065 2. The hostname is only logged if the log_host option is enabled.
3066
3067 3. The date does not include the year unless the log_year option is en‐
3068 abled.
3069
3070 4. Lines that are longer than loglinelen characters (80 by default) are
3071 word-wrapped and continued on the next line with a four character
3072 indent. This makes entries easier to read for a human being, but
3073 makes it more difficult to use grep(1) on the log files. If the
3074 loglinelen option is set to 0 (or negated with a ‘!’), word wrap
3075 will be disabled.
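The escaping rules given under LOG FORMAT (octal ‘#NNN’ escapes, single-quoted arguments with backslash escapes, the denial reason following the user name) and the four-character continuation indent described just above together determine how a local sudo log has to be read back. The following Python is an added example, not code from sudo; the sample entries are constructed, and joining a continuation line to its predecessor with a single space is an assumption about how the word wrap split the text.

```python
import re
from typing import Dict, List, Tuple

OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")
KEY_VALUE = re.compile(r"^([A-Z]+)=(.*)$")

# Constructed sample of a local log file (not real log data).  The entries
# are word-wrapped with the four-space continuation indent of file logs; the
# first carries a space in the command path ('#040'), a quoted argument
# containing ' ; ', an escaped quote and an escaped backslash; the second has
# a tab ('#011') in an argument.
SAMPLE_FILE_LOG = [
    "Mar  4 10:22:31 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;",
    "    COMMAND=/usr/local/bin/my#040tool -f '/tmp/a b' 'it\\'s ; fine' x\\\\y",
    "Mar  4 10:25:02 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ;",
    "    USER=root ; COMMAND=/usr/bin/vi /etc/shadow#011",
    "Mar  4 10:26:40 : carol : 3 incorrect password attempts ; TTY=pts/2 ;",
    "    PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id",
]


def unwrap_lines(lines: List[str]) -> List[str]:
    """Rejoin word-wrapped file-log entries.  A line starting with four
    spaces continues the previous entry; joining with one space is assumed
    to restore text that was split at a word boundary."""
    entries: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if line.startswith("    ") and entries:
            entries[-1] += " " + line.lstrip()
        else:
            entries.append(line)
    return entries


def decode_escapes(text: str) -> str:
    """Turn '#011'-style octal escapes back into the original characters."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


def split_args(argstr: str) -> List[str]:
    """Split logged command arguments: an argument containing spaces is
    single-quoted, and literal quotes and backslashes are backslash-escaped."""
    args: List[str] = []
    cur: List[str] = []
    in_quote = have_token = False
    i = 0
    while i < len(argstr):
        c = argstr[i]
        if c == "\\" and i + 1 < len(argstr):
            cur.append(argstr[i + 1])
            have_token = True
            i += 2
            continue
        if c == "'":
            in_quote = not in_quote
            have_token = True
        elif c == " " and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(c)
            have_token = True
        i += 1
    if have_token:
        args.append("".join(cur))
    return args


def parse_entry(entry: str) -> Dict[str, object]:
    """Parse one unwrapped entry in either file-log or syslog form."""
    head, _, command = entry.partition(" COMMAND=")
    fields = head.rstrip(" ;").split(" ; ")
    # The first field is "date : user : X" for a file log or
    # "date host prog:   user : X" for syslog, where X is the TTY field or,
    # for a denied command, the reason that follows the user name.
    parts = fields[0].split(" : ")
    if len(parts) == 3:
        date, user, first = parts
    elif len(parts) == 2:
        prefix, first = parts
        date, _, user = prefix.rpartition(" ")
        date = date.rstrip()
    else:
        raise ValueError(f"unrecognized log entry: {entry!r}")
    rec: Dict[str, object] = {"date": date, "user": user, "reason": None,
                              "command": None, "args": []}
    for field in [first] + fields[1:]:
        m = KEY_VALUE.match(field)
        if m:
            rec[m.group(1)] = decode_escapes(m.group(2))
        else:
            rec["reason"] = field
    if command:
        # Split the path from the arguments before decoding: a space in the
        # path is logged as '#040', which is what makes this split safe.
        path, _, argstr = command.partition(" ")
        rec["command"] = decode_escapes(path)
        rec["args"] = [decode_escapes(a) for a in split_args(argstr)]
    return rec


def parse_log(lines: List[str]) -> List[Dict[str, object]]:
    return [parse_entry(e) for e in unwrap_lines(lines)]


def denials(records: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """(user, reason, command) for every entry that records a denial."""
    return [(str(r["user"]), str(r["reason"]), str(r["command"]))
            for r in records if r["reason"] is not None]


if __name__ == "__main__":
    records = parse_log(SAMPLE_FILE_LOG)
    for rec in records:
        print(rec)
    print("denied:", denials(records))
```

Because the path and the arguments are separated before the octal escapes are decoded, an argument that decodes to something containing ‘ ; ’ or a space cannot be mistaken for a field separator or a second command, which is the property the quoting and escaping rules exist to guarantee.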
3076
I/O LOG FILES
When I/O logging is enabled, sudo runs the command in a pseudo-terminal,
logging user input and/or output, depending on which sudoers flags are
enabled. There are five distinct types of I/O that can be logged, each
with a corresponding sudoers flag.

Type              Flag          Description
terminal input    log_ttyin     keystrokes entered by the user
terminal output   log_ttyout    command output displayed to the screen
standard input    log_stdin     input from a pipe or a file
standard output   log_stdout    output to a pipe or a file
standard error    log_stderr    output to a pipe or a file

In addition to the flags described above, the log_input flag and
LOG_INPUT command tag set both log_ttyin and log_stdin. The log_output
flag and LOG_OUTPUT command tag set log_ttyout, log_stdout, and
log_stderr.
3094
To capture terminal input and output, sudo runs the command in a
pseudo-terminal, logging the input and output before passing it on to the
user. To capture the standard input, standard output or standard error,
sudo uses a pipe to interpose itself between the input or output stream,
logging the I/O before passing it to the other end of the pipe.
3100
3101 I/O can be logged either to the local machine or to a remote log server.
3102 For local logs, I/O is logged to the directory specified by the iolog_dir
3103 option (/var/log/sudo-io by default) using a unique session ID that is
3104 included in the sudo log line, prefixed with ‘TSID=’. The iolog_file op‐
3105 tion may be used to control the format of the session ID. For remote
3106 logs, the log_servers setting is used to specify one or more log servers
3107 running sudo_logsrvd or another server that implements the protocol de‐
3108 scribed by sudo_logsrv.proto(5).
3109
I/O logging pitfalls
3111 When logging standard input, anything sent to the standard input will be
3112 consumed, regardless of whether or not the command run via sudo is ac‐
3113 tively reading the standard input. This may have unexpected results when
3114 using sudo in a shell script that expects to process the standard input.
3115 For example, given the following shell script:
3116
3117 #!/bin/sh
3118 sudo echo testing
3119 echo done
3120
It will behave as expected when the script is passed to the shell as an
argument:
3123
3124 $ sh test.sh
3125 testing
3126 done
3127
3128 However, if the script is passed to the shell on the standard input, the
3129 ‘sudo echo testing’ command will consume the rest of the script. This
3130 means that the ‘echo done’ statement is never executed.
3131
3132 $ sh -s < test.sh
3133 testing
3134
3135 There are several ways to work around this problem:
3136
3137 1. Redirect the standard input from /dev/null when running a command
3138 via sudo that does not need to read the standard input.
3139
3140 sudo echo testing < /dev/null
3141
3142 2. Pass the script to the shell by path name instead of via the stan‐
3143 dard input.
3144
3145 sh test.sh
3146
3147 3. Disable logging the standard input for commands that do not need to
3148 read the standard input.
3149
3150 Defaults!/bin/echo !log_stdin
3151
Depending on the command, it may not be desirable to log the standard
input or standard output. For example, I/O logging of commands that send
or receive large amounts of data via the standard output or standard
input, such as rsync(1) and tar(1), could fill up the log file system with
superfluous data. It is possible to disable logging of the standard input
and standard output for such commands as follows:
3158
3159 Cmnd_Alias COPY_CMDS = /usr/bin/tar, /usr/bin/cpio, /usr/bin/rsync
3160
3161 # Log input and output but omit stdin and stdout when copying files.
3162 Defaults log_input, log_output
3163 Defaults!COPY_CMDS !log_stdin, !log_stdout
3164
However, be aware that using the log_input flag or the LOG_INPUT command
tag will also enable log_stdin. Likewise, the log_output flag or the
LOG_OUTPUT command tag will enable log_stdout and log_stderr. Careful
ordering of rules may be necessary to achieve the results that you expect.
3169
3170 I/O log format
3171 For both local and remote I/O logs, each log is stored in a separate di‐
3172 rectory that contains the following files:
3173
3174 log A text file containing information about the command. The
3175 first line consists of the following colon-delimited fields:
3176 the time the command was run, the name of the user who ran
3177 sudo, the name of the target user, the name of the target group
3178 (optional), the terminal that sudo was run from, and the number
3179 of lines and columns of the terminal. The second and third
3180 lines contain the working directory the command was run from
3181 and the path name of the command itself (with arguments if
3182 present).
3183
3184 log.json A JSON-formatted file containing information about the command.
3185 This is similar to the log file but contains additional infor‐
3186 mation and is easily extensible. The log.json file will be
3187 used by sudoreplay(8) in preference to the log file if it ex‐
3188 ists. The file may contain the following elements:
3189
3190 timestamp
3191 A JSON object containing time the command was run. It
3192 consists of two values, seconds and nanoseconds.
3193
3194 columns
3195 The number of columns of the terminal the command ran on,
3196 or zero if no terminal was present.
3197
3198 command
3199 The fully-qualified path of the command that was run.
3200
3201 lines
3202 The number of lines of the terminal the command ran on,
3203 or zero if no terminal was present.
3204
3205 runargv
3206 A JSON array representing the command's argument vector
3207 as passed to the execve(2) system call.
3208
3209 runenv
3210 A JSON array representing the command's environment as
3211 passed to the execve(2) system call.
3212
3213 rungid
3214 The group ID the command ran as. This element is only
3215 present when the user specifies a group on the command
3216 line.
3217
3218 rungroup
3219 The name of the group the command ran as. This element
3220 is only present when the user specifies a group on the
3221 command line.
3222
3223 runuid
3224 The user ID the command ran as.
3225
3226 runuser
3227 The name of the user the command ran as.
3228
3229 submitcwd
3230 The current working directory at the time sudo was run.
3231
3232 submithost
3233 The name of the host the command was run on.
3234
3235 submituser
3236 The name of the user who ran the command via sudo.
3237
3238 ttyname
3239 The path name of the terminal the user invoked sudo from.
3240 If the command was run in a pseudo-terminal, ttyname will
3241 be different from the terminal the command actually ran
3242 in.
3243
3244 timing Timing information used to replay the session. Each line con‐
3245 sists of the I/O log entry type and amount of time since the
3246 last entry, followed by type-specific data. The I/O log entry
3247 types and their corresponding type-specific data are:
3248
3249 0 standard input, number of bytes in the entry
3250 1 standard output, number of bytes in the entry
3251 2 standard error, number of bytes in the entry
3252 3 terminal input, number of bytes in the entry
3253 4 terminal output, number of bytes in the entry
3254 5 window change, new number lines and columns
3255 6 bug compatibility for sudo 1.8.7 terminal output
3256 7 command suspend or resume, signal received
3257
3258 ttyin Raw input from the user's terminal, exactly as it was received.
3259 This file is only present if the log_input or log_ttyin flags
3260 are set and sudo was run from a terminal. No post-processing
3261 is performed. For manual viewing, you may wish to convert car‐
3262 riage return characters in the log to line feeds. For example:
3263 ‘gunzip -c ttyin | tr "\r" "\n"’
3264
3265 stdin The standard input when no terminal is present, or input redi‐
3266 rected from a pipe or file. This file is only present if the
3267 log_input or log_stdin flags are set and the standard input is
3268 not connected to a terminal.
3269
3270 ttyout Output from the pseudo-terminal (what the command writes to the
3271 screen). Terminal-specific post-processing is performed before
3272 the data is logged. This means that, for example, line feeds
3273 are usually converted to line feed/carriage return pairs and
3274 tabs may be expanded to spaces. This file is only present if
3275 the log_output or log_ttyout flags are set and sudo was run
3276 from a terminal.
3277
3278 stdout The standard output when no terminal is present, or output
3279 redirected to a pipe or file. This file is only present if the
3280 log_output or log_stdout flags are set and the standard output
3281 is not connected to a terminal.
3282
3283 stderr The standard error when no terminal is present, or output redi‐
3284 rected to a pipe or file. This file is only present if the
3285 log_output or log_stderr flags are set and the standard error
3286 is not connected to a terminal.
3287
3288 All files other than log are compressed in gzip format unless the
3289 compress_io flag has been disabled. Due to buffering, it is not normally
3290 possible to display the I/O logs in real-time as the program is execut‐
3291 ing. The I/O log data will not be complete until the program run by sudo
3292 has exited or has been terminated by a signal. The iolog_flush flag can
3293 be used to disable buffering, in which case I/O log data is written to
3294 disk as soon as it is available. The output portion of an I/O log file
3295 can be viewed with the sudoreplay(8) utility, which can also be used to
3296 list or search the available logs.
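The layout of the log and timing files described above is simple enough to read without sudoreplay(8), which is useful when checking what a session directory actually contains (for instance whether a ttyin file of keystrokes is present at all). The following Python is an added example, not code from sudo or sudoreplay; the sample files are constructed, the first field of the log file is assumed to be seconds since the epoch, and the max_wait behaviour of session_duration is an assumption modelled on a replay tool that caps long pauses.

```python
from typing import Dict, List, NamedTuple, Optional

# I/O log entry types from the "timing" description in sudoers(5).
ENTRY_TYPES = {
    0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin", 4: "ttyout",
    5: "winsize", 6: "ttyout-compat", 7: "suspend",
}
BYTE_STREAMS = {0, 1, 2, 3, 4, 6}   # entries whose data is a byte count

# Constructed sample session (not real log data): a 40x120 terminal, one
# window change, and a suspend/resume pair.
SAMPLE_LOG = "1709547751:alice:root::pts/0:40:120\n/home/alice\n/usr/bin/top -d 1\n"
SAMPLE_TIMING = """\
1 0.000103 25
3 1.532113 1
4 0.001234 1
5 0.400000 50 132
1 0.250000 300
7 0.100000 SIGTSTP
7 2.000000 SIGCONT
1 0.300000 12
"""


class TimingEntry(NamedTuple):
    kind: int
    delay: float    # seconds since the previous entry
    data: str       # type-specific data, left unparsed


def parse_log_file(text: str) -> Dict[str, object]:
    """Parse the three-line 'log' file of an I/O log directory."""
    lines = text.splitlines()
    if len(lines) < 3:
        raise ValueError("log file needs at least three lines")
    fields = lines[0].split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-delimited fields, got {len(fields)}")
    when, submituser, runuser, rungroup, tty, rows, cols = fields
    return {
        "time": int(when),              # assumed: seconds since the epoch
        "submituser": submituser,
        "runuser": runuser,
        "rungroup": rungroup or None,   # the group field is optional
        "tty": tty,
        "lines": int(rows),
        "columns": int(cols),
        "cwd": lines[1],
        "command": lines[2],
    }


def parse_timing(text: str) -> List[TimingEntry]:
    """Parse 'timing': each line is the entry type, the delay since the
    previous entry, and type-specific data."""
    entries: List[TimingEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            raise ValueError(f"malformed timing line {lineno}: {line!r}")
        kind = int(parts[0])
        if kind not in ENTRY_TYPES:
            raise ValueError(f"unknown entry type {kind} on line {lineno}")
        entries.append(TimingEntry(kind, float(parts[1]), parts[2]))
    return entries


def bytes_per_stream(entries: List[TimingEntry]) -> Dict[str, int]:
    """Total bytes recorded for each byte-carrying stream."""
    totals = {ENTRY_TYPES[t]: 0 for t in sorted(BYTE_STREAMS)}
    for e in entries:
        if e.kind in BYTE_STREAMS:
            totals[ENTRY_TYPES[e.kind]] += int(e.data)
    return totals


def session_duration(entries: List[TimingEntry],
                     max_wait: Optional[float] = None) -> float:
    """Wall-clock length of the session as a replay would experience it;
    when max_wait is given, longer pauses are shortened to that value."""
    return sum(e.delay if max_wait is None else min(e.delay, max_wait)
               for e in entries)


if __name__ == "__main__":
    print(parse_log_file(SAMPLE_LOG))
    timing = parse_timing(SAMPLE_TIMING)
    print(bytes_per_stream(timing))
    print(f"{session_duration(timing):.3f}s, capped: {session_duration(timing, 1.0):.3f}s")
```

A non-zero ttyin total in the summary is the quickest sign that keystrokes, and therefore possibly typed passwords, were recorded for that session, which is the concern the paragraph on sensitive input below addresses.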
3297
3298 User input may contain sensitive information such as passwords (even if
3299 they are not echoed to the screen), which will be stored in the log file
3300 unencrypted. In most cases, logging the command output via log_output or
3301 LOG_OUTPUT is all that is required. When logging input, consider dis‐
3302 abling the log_passwords flag.
3303
Since each session's I/O logs are stored in a separate directory,
traditional log rotation utilities cannot be used to limit the number of
I/O logs. The simplest way to limit the number of I/O logs is by setting
the maxseq option to the maximum number of logs you wish to store. Once
the I/O log sequence number reaches maxseq, it will be reset to zero and
sudoers will truncate and re-use any existing I/O logs.
3310
FILES
/etc/sudo.conf          Sudo front-end configuration

/etc/sudoers            List of who can run what

/etc/group              Local groups file

/etc/netgroup           List of network groups

/var/log/sudo-io        I/O log files

/run/sudo/ts            Directory containing time stamps for the
                        sudoers security policy

/var/db/sudo/lectured   Directory containing lecture status files for
                        the sudoers security policy

/etc/environment        Initial environment for -i mode on AIX and
                        Linux systems
3330
EXAMPLES
Below are example sudoers file entries. Admittedly, some of these are a
bit contrived. First, we allow a few environment variables to pass and
then define our aliases:
3335
3336 # Run X applications through sudo; HOME is used to find the
3337 # .Xauthority file. Other programs use HOME to locate configuration
3338 # files and this may lead to privilege escalation!
3339 Defaults env_keep += "DISPLAY HOME"
3340
3341 # User alias specification
3342 User_Alias FULLTIMERS = millert, mikef, dowdy
3343 User_Alias PARTTIMERS = bostley, jwfox, crawl
3344 User_Alias WEBADMIN = will, wendy, wim
3345
3346 # Runas alias specification
3347 Runas_Alias OP = root, operator
3348 Runas_Alias DB = oracle, sybase
3349 Runas_Alias ADMINGRP = adm, oper
3350
3351 # Host alias specification
3352 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
3353 SGI = grolsch, dandelion, black :\
3354 ALPHA = widget, thalamus, foobar :\
3355 HPPA = boa, nag, python
3356 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3357 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3358 Host_Alias SERVERS = primary, mail, www, ns
3359 Host_Alias CDROM = orion, perseus, hercules
3360
3361 # Cmnd alias specification
3362 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
3363 /usr/sbin/restore, /usr/sbin/rrestore,\
3364 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
3365 /home/operator/bin/start_backups
3366 Cmnd_Alias KILL = /usr/bin/kill
3367 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3368 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3369 Cmnd_Alias HALT = /usr/sbin/halt
3370 Cmnd_Alias REBOOT = /usr/sbin/reboot
3371 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
3372 /usr/local/bin/tcsh, /usr/bin/rsh,\
3373 /usr/local/bin/zsh
3374 Cmnd_Alias SU = /usr/bin/su
3375 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3376
3377 Here we override some of the compiled in default values. We want sudo to
3378 log via syslog(3) using the auth facility in all cases and for commands
3379 to be run with the target user's home directory as the working directory.
3380 We don't want to subject the full time staff to the sudo lecture and we
3381 want to allow them to run commands in a chroot(2) “sandbox” via the -R
3382 option. User millert need not provide a password and we don't want to
3383 reset the LOGNAME or USER environment variables when running commands as
3384 root. Additionally, on the machines in the SERVERS Host_Alias, we keep
3385 an additional local log file and make sure we log the year in each log
3386 line since the log entries will be kept around for several years.
3387 Lastly, we disable shell escapes for the commands in the PAGERS
3388 Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). This will not
3389 effectively constrain users with sudo ALL privileges.
3390
3391 # Override built-in defaults
3392 Defaults syslog=auth,runcwd=~
3393 Defaults>root !set_logname
3394 Defaults:FULLTIMERS !lecture,runchroot=*
3395 Defaults:millert !authenticate
3396 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3397 Defaults!PAGERS noexec
3398
3399 The User specification is the part that actually determines who may run
3400 what.
3401
3402 root ALL = (ALL) ALL
3403 %wheel ALL = (ALL) ALL
3404
3405 We let root and any user in group wheel run any command on any host as
3406 any user.
3407
3408 FULLTIMERS ALL = NOPASSWD: ALL
3409
3410 Full time sysadmins (millert, mikef, and dowdy) may run any command on
3411 any host without authenticating themselves.
3412
PARTTIMERS ALL = ALL

Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
host but they must authenticate themselves first (since the entry lacks
the NOPASSWD tag).
3418
3419 jack CSNETS = ALL
3420
3421 The user jack may run any command on the machines in the CSNETS alias
3422 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
3423 networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
3424 indicating it is a class C network. For the other networks in CSNETS,
3425 the local machine's netmask will be used during matching.
3426
3427 lisa CUNETS = ALL
3428
3429 The user lisa may run any command on any host in the CUNETS alias (the
3430 class B network 128.138.0.0).
3431
3432 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
3433 sudoedit /etc/printcap, /usr/oper/bin/
3434
3435 The operator user may run commands limited to simple maintenance. Here,
3436 those are commands related to backups, killing processes, the printing
3437 system, shutting down the system, and any commands in the directory
3438 /usr/oper/bin/. One command in the DUMPS Cmnd_Alias includes a sha224
3439 digest, /home/operator/bin/start_backups. This is because the directory
3440 containing the script is writable by the operator user. If the script is
3441 modified (resulting in a digest mismatch) it will no longer be possible
3442 to run it via sudo.
3443
3444 joe ALL = /usr/bin/su operator
3445
3446 The user joe may only su(1) to operator.
3447
3448 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
3449
3450 %opers ALL = (: ADMINGRP) /usr/sbin/
3451
3452 Users in the opers group may run commands in /usr/sbin/ as themselves
3453 with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
3454
3455 The user pete is allowed to change anyone's password except for root on
3456 the HPPA machines. Because command line arguments are matched as a sin‐
3457 gle, concatenated string, the ‘*’ wildcard will match multiple words.
3458 This example assumes that passwd(1) does not take multiple user names on
3459 the command line. On systems with GNU getopt(3), options to passwd(1)
3460 may be specified after the user argument. As a result, this rule will
3461 also allow:
3462
3463 passwd username --expire
3464
3465 which may not be desirable.
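The point about arguments being matched as one concatenated string can be checked directly by modelling the pete rule. The following Python is an added example, not code from sudo; Python's fnmatch module stands in for the C library's fnmatch(3) that sudoers uses, and the last-match-wins evaluation of a command list with ‘!’ entries is written out explicitly.

```python
import fnmatch
from typing import List, NamedTuple, Optional


class CmndSpec(NamedTuple):
    command: str            # fully-qualified path
    args: Optional[str]     # argument pattern, or None for "any arguments"
    negated: bool           # prefixed with '!'


# The rule from the sudoers(5) example, as a list of command specs:
#   pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
PETE_RULE = [
    CmndSpec("/usr/bin/passwd", "[A-Za-z]*", False),
    CmndSpec("/usr/bin/passwd", "*root*", True),
]


def spec_matches(spec: CmndSpec, command: str, argv: List[str]) -> bool:
    """Match one spec as sudoers(5) describes: the command path must be
    identical and the arguments are compared as a single space-joined
    string against the glob pattern.  Python's fnmatch is used here as an
    approximation of the C library's fnmatch(3)."""
    if spec.command != command:
        return False
    if spec.args is None:
        return True
    return fnmatch.fnmatchcase(" ".join(argv), spec.args)


def allowed(rule: List[CmndSpec], command: str, argv: List[str]) -> bool:
    """Evaluate a comma-separated command list: the last matching spec
    wins, and a matching negated spec denies the command."""
    verdict = False
    for spec in rule:
        if spec_matches(spec, command, argv):
            verdict = not spec.negated
    return verdict


if __name__ == "__main__":
    for argv in (["bob"], ["root"], ["bob", "--expire"], ["--expire", "bob"], ["groot"]):
        print(f"passwd {' '.join(argv):20} -> {allowed(PETE_RULE, '/usr/bin/passwd', argv)}")
```

Running it shows both effects the text describes: ‘bob --expire’ is accepted because ‘*’ spans the space between the two words, while ‘groot’ is rejected by the ‘*root*’ negation even though it is a different user name.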
3466
3467 bob SPARC = (OP) ALL : SGI = (OP) ALL
3468
3469 The user bob may run anything on the SPARC and SGI machines as any user
3470 listed in the OP Runas_Alias (root and operator.)
3471
3472 jim +biglab = ALL
3473
3474 The user jim may run any command on machines in the biglab netgroup.
3475 sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
3476
3477 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3478
3479 Users in the secretaries netgroup need to help manage the printers as
3480 well as add and remove users, so they are allowed to run those commands
3481 on all machines.
3482
3483 fred ALL = (DB) NOPASSWD: ALL
3484
3485 The user fred can run commands as any user in the DB Runas_Alias (oracle
3486 or sybase) without giving a password.
3487
3488 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3489
3490 On the ALPHA machines, user john may su to anyone except root but he is
3491 not allowed to specify any options to the su(1) command.
3492
3493 jen ALL, !SERVERS = ALL
3494
3495 The user jen may run any command on any machine except for those in the
3496 SERVERS Host_Alias (primary, mail, www, and ns).
3497
3498 jill SERVERS = /usr/bin/, !SU, !SHELLS
3499
3500 For any machine in the SERVERS Host_Alias, jill may run any commands in
3501 the directory /usr/bin/ except for those commands belonging to the SU and
3502 SHELLS Cmnd_Aliases. While not specifically mentioned in the rule, the
3503 commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
3504 noexec option set.
3505
3506 steve CSNETS = (operator) /usr/local/op_commands/
3507
3508 The user steve may run any command in the directory /usr/local/op_com‐
3509 mands/ but only as user operator.
3510
3511 matt valkyrie = KILL
3512
3513 On his personal workstation, valkyrie, matt needs to be able to kill hung
3514 processes.
3515
3516 WEBADMIN www = (www) ALL, (root) /usr/bin/su www
3517
3518 On the host www, any user in the WEBADMIN User_Alias (will, wendy, and
3519 wim), may run any command as user www (which owns the web pages) or sim‐
3520 ply su(1) to www.
3521
3522 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
3523 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3524
3525 Any user may mount or unmount a CD-ROM on the machines in the CDROM
3526 Host_Alias (orion, perseus, hercules) without entering a password. This
3527 is a bit tedious for users to type, so it is a prime candidate for encap‐
3528 sulating in a shell script.
3529
SECURITY NOTES
   Limitations of the ‘!’ operator
     It is generally not effective to “subtract” commands from ALL using the
     ‘!’ operator. A user can trivially circumvent this by copying the desired
     command to a different name and then executing that. For example:

           bill ALL = ALL, !SU, !SHELLS

     This doesn't really prevent bill from running the commands listed in SU
     or SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program. Therefore, these
     kinds of restrictions should be considered advisory at best (and
     reinforced by policy).

     In general, if a user has sudo ALL there is nothing to prevent them from
     creating their own program that gives them a root shell (or making their
     own copy of a shell) regardless of any ‘!’ elements in the user
     specification.

   Security implications of fast_glob
     If the fast_glob option is in use, it is not possible to reliably negate
     commands where the path name includes globbing (aka wildcard) characters.
     This is because the C library's fnmatch(3) function cannot resolve
     relative paths. While this is typically only an inconvenience for rules
     that grant privileges, it can result in a security issue for rules that
     subtract or revoke privileges.

     For example, given the following sudoers file entry:

           john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
                      /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run ‘/usr/bin/passwd root’ if fast_glob is enabled by
     changing to /usr/bin and running ‘./passwd root’ instead.

     Another potential issue is that when sudo executes the command, it must
     use the command or path specified by the user instead of a path listed in
     the sudoers file. This may lead to a time of check versus time of use
     race condition.

   Wildcards in command arguments
     Command line arguments are matched as a single, concatenated string.
     This means a wildcard character such as ‘?’ or ‘*’ will match across word
     boundaries, which may be unexpected. For example, while a sudoers entry
     like:

           %operator ALL = /bin/cat /var/log/messages*

     will allow a command like:

           $ sudo cat /var/log/messages.1

     it will also allow:

           $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended. A safer alternative is to use a
     regular expression for matching command line arguments. The above
     example can be rewritten as a regular expression:

           %operator ALL = /bin/cat ^/var/log/messages[^[:space:]]*$

     The regular expression will only match a single file with a name that
     begins with /var/log/messages and does not include any white space in the
     name. It is often better to do command line processing outside of the
     sudoers file in a scripting language for anything non-trivial.
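
The following shell script is an added illustration and is not part of sudo or
of this manual. It models the two matching steps discussed in the fast_glob and
wildcard subsections above using the shell's own case pattern matching as a
stand-in for fnmatch(3), and grep -E for the regular expression form. The deny
rule and the command lines are the ones shown in those subsections; the
resolve_cmd helper is a hypothetical simplification of what sudo does when
fast_glob is disabled (it expands the pattern with glob(3) and compares fully
qualified paths).

```shell
#!/bin/sh
# Added example, not sudo's code: a toy model of sudoers matching that shows
# why a negated rule is unreliable with fast_glob and why a glob on the
# joined argument string matches across word boundaries.

# fnmatch(3)-style string match using the shell's case patterns. Like
# fnmatch() without FNM_PATHNAME, '*' also matches '/' and spaces.
glob_match() {                      # $1 = pattern, $2 = string
  case "$2" in
    $1) return 0 ;;
  esac
  return 1
}

# fast_glob: the command path the user typed is compared to the pattern as
# a plain string, so a deny rule such as "!/usr/bin/* root" never matches a
# relative invocation like "./passwd root".
fast_glob_denied() {                # $1 = deny pattern, $2 = typed command line
  glob_match "$1" "$2"
}

# Hypothetical stand-in for the non-fast_glob behaviour: resolve the typed
# path against the working directory before matching.
resolve_cmd() {                     # $1 = typed path, $2 = working directory
  case "$1" in
    /*) printf '%s\n' "$1" ;;
    *)  printf '%s/%s\n' "${2%/}" "${1#./}" ;;
  esac
}

resolved_denied() {                 # $1 = deny pattern, $2 = typed path, $3 = args, $4 = cwd
  glob_match "$1" "$(resolve_cmd "$2" "$4") $3"
}

# Command arguments are joined into one string before matching, so a glob
# can swallow a second file name.
args_allowed_glob() {               # $1 = argument glob, $2 = joined arguments
  glob_match "$1" "$2"
}

# Regular expression form: the character class rejects white space, so a
# second argument cannot slip in.
args_allowed_regex() {              # $1 = extended regex, $2 = joined arguments
  printf '%s\n' "$2" | grep -Eq -e "$1"
}

# Demonstration on the rules shown in the manual text.
show() { "$@" && echo "match   : $*" || echo "no match: $*"; }
show fast_glob_denied   '/usr/bin/* root' '/usr/bin/passwd root'
show fast_glob_denied   '/usr/bin/* root' './passwd root'
show resolved_denied    '/usr/bin/* root' './passwd' 'root' '/usr/bin'
show args_allowed_glob  '/var/log/messages*' '/var/log/messages /etc/shadow'
show args_allowed_regex '^/var/log/messages[^[:space:]]*$' '/var/log/messages /etc/shadow'
```

The second fast_glob_denied call is the one that matters for defenders: the
deny rule is silently skipped for the relative invocation, which is why the
manual recommends not relying on negation when fast_glob is set.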

   Regular expressions in command names
     Using a regular expression to match a command name has the same security
     implications as using the fast_glob option:

     •  It is not possible to reliably negate commands when the path name is
        a regular expression.

     •  When sudo executes the command, it must use the command or path
        specified by the user instead of a path listed in the sudoers file.
        This may lead to a time of check versus time of use race condition.

     These issues do not apply to rules where only the command line options
     are matched using a regular expression.

   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs. This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which lets
     a user bypass sudo's access control and logging. Common programs that
     permit shell escapes include shells (obviously), editors, paginators,
     mail, and terminal programs.

     There are four basic approaches to this problem:

     restrict   Avoid giving users access to commands that allow the user to
                run arbitrary commands. Many editors have a restricted mode
                where shell escapes are disabled, though sudoedit is a better
                solution to running editors via sudo. Due to the large number
                of programs that offer shell escapes, restricting users to the
                set of programs that do not is often unworkable.

     intercept  On most systems, sudo's intercept functionality can be used to
                transparently intercept an attempt to run a new command, allow
                or deny it based on sudoers rules, and log the result. For
                example, this can be used to restrict the commands run from
                within a privileged shell or editor.

                There are two underlying mechanisms that may be used to
                implement intercept mode: dso and trace. The intercept_type
                setting can be used to select between them.

                The first mechanism, dso, overrides the standard C library
                functions that are used to execute a command. It does this by
                setting an environment variable (usually LD_PRELOAD) to the
                path of a dynamic shared object, or shared library, containing
                custom versions of the execve(2), execl(3), execle(3),
                execlp(3), execv(3), execvp(3), execvpe(3), and system(3)
                library functions that connect back to sudo for a policy
                decision. Note, however, that this applies only to
                dynamically-linked executables. It is not possible to
                intercept commands for statically-linked executables or
                executables that run under binary emulation this way. Because
                most dynamic loaders ignore LD_PRELOAD (or the equivalent)
                when running set-user-ID and set-group-ID programs, sudoers
                will not permit such programs to be run in intercept mode by
                default. The dso mechanism is incompatible with sudo's SELinux
                RBAC support (but see below). SELinux disables LD_PRELOAD by
                default and interferes with file descriptor inheritance, which
                sudo relies on.

                The second mechanism, trace, is available on Linux systems
                that support seccomp(2) filtering. It uses ptrace(2) and
                seccomp(2) to intercept the execve(2) system call instead of
                pre-loading a dynamic shared object. Both static and dynamic
                executables are supported and it is compatible with sudo's
                SELinux RBAC mode. Functions utilizing the execveat(2) system
                call, such as fexecve(3), are not currently intercepted.

                The intercept feature is known to work on Solaris, *BSD,
                Linux, macOS, HP-UX 11.x and AIX 5.3 and above. It should be
                supported on most operating systems that support the
                LD_PRELOAD environment variable or an equivalent. It is not
                possible to intercept shell built-in commands or restrict the
                ability to read or write sensitive files from within a shell.

                To enable intercept mode on a per-command basis, use the
                INTERCEPT tag as documented in the User Specification section
                above. Here is that example again:

                      chuck research = INTERCEPT: ALL

                This allows user chuck to run any command on the machine
                “research” in intercept mode. Any commands run via shell
                escapes will be validated and logged by sudo. If you are
                unsure whether or not your system is capable of supporting
                intercept, you can always just try it out and check whether or
                not external commands run via a shell are logged when
                intercept is enabled.

                There is an inherent race condition between when a command is
                checked against sudoers rules and when it is actually
                executed. If a user is allowed to run arbitrary commands, they
                may be able to change the execve(2) arguments in the program
                after the sudoers policy check has completed but before the
                new command is executed. Starting with version 1.9.12, the
                trace method will verify that the command and its arguments
                have not changed after execve(2) has completed but before
                execution of the new program has had a chance to run. This is
                not the case with the dso method. See the description of the
                intercept_verify setting for more information.

     log        There are two separate but related ways to log additional
                commands. The first is to enable I/O logging using the
                log_output flag. This will log the command's output but will
                not create an event log entry when the additional command is
                run. The second is to enable the log_subcmds flag in sudoers
                which will create an event log entry every time a new command
                is run. If I/O logging is also enabled, the log entry will
                include a time offset into the I/O log to indicate when the
                command was run. This offset can be passed to the
                sudoreplay(8) utility to replay the I/O log at the exact
                moment when the command was run. The log_subcmds flag uses the
                same mechanism as intercept (see above) and has the same
                limitations.

     noexec     sudo's noexec functionality can be used to prevent a program
                run by sudo from executing any other programs. On most
                systems, it uses the same LD_PRELOAD mechanism as intercept
                (see above) and thus the same caveats apply. The noexec
                functionality is capable of blocking execution of commands run
                via the execve(2), execl(3), execle(3), execlp(3), exect(3),
                execv(3), execveat(3), execvP(3), execvp(3), execvpe(3),
                fexecve(3), popen(3), posix_spawn(3), posix_spawnp(3),
                system(3), and wordexp(3) functions. On Linux, a seccomp(2)
                filter is used to implement noexec. On Solaris 10 and higher,
                noexec uses Solaris privileges instead of the LD_PRELOAD
                environment variable.

                To enable noexec for a command, use the NOEXEC tag as
                documented in the User Specification section above. Here is
                that example again:

                      aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                This allows user aaron to run /usr/bin/more and /usr/bin/vi
                with noexec enabled. This will prevent those two commands
                from executing other commands (such as a shell). If you are
                unsure whether or not your system is capable of supporting
                noexec you can always just try it out and check whether shell
                escapes work when noexec is enabled.

     Restricting shell escapes is not a panacea. Programs running as root are
     still capable of many potentially hazardous operations (such as changing
     or overwriting files) that could lead to unintended privilege escalation.
     In the specific case of an editor, a safer approach is to give the user
     permission to run sudoedit (see below).

   Secure editing
     The sudoers plugin includes sudoedit support which allows users to
     securely edit files with the editor of their choice. As sudoedit is a
     built-in command, it must be specified in the sudoers file without a
     leading path. However, it may take command line arguments just as a
     normal command does. Wildcards used in sudoedit command line arguments
     are expected to be path names, so a forward slash (‘/’) will not be
     matched by a wildcard.

     Unlike other sudo commands, the editor is run with the permissions of the
     invoking user and with the environment unmodified. More information may
     be found in the description of the -e option in sudo(8).

     For example, to allow user operator to edit the “message of the day” file
     on any machine:

           operator ALL = sudoedit /etc/motd

     The operator user then runs sudoedit as follows:

           $ sudoedit /etc/motd

     The editor will run as the operator user, not root, on a temporary copy
     of /etc/motd. After the file has been edited, /etc/motd will be updated
     with the contents of the temporary copy.

     Users should never be granted sudoedit permission to edit a file that
     resides in a directory the user has write access to, either directly or
     via a wildcard. If the user has write access to the directory it is
     possible to replace the legitimate file with a link to another file,
     allowing the editing of arbitrary files. To prevent this, starting with
     version 1.8.16, symbolic links will not be followed in writable
     directories and sudoedit will refuse to edit a file located in a writable
     directory unless the sudoedit_checkdir option has been disabled or the
     invoking user is root. Additionally, in version 1.8.15 and higher,
     sudoedit will refuse to open a symbolic link unless either the
     sudoedit_follow option is enabled or the sudoedit command is prefixed
     with the FOLLOW tag in the sudoers file.
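
The following is an added example, not part of sudo: a check an administrator
can run on a path before writing a rule such as "user ALL = sudoedit /path"
into sudoers. It reports the conditions the paragraph above warns about (the
target is a symbolic link, or the directory holding it is writable by, or
owned by, someone other than the trusted owner). The function name, its
output format and the default trusted owner of root are assumptions of this
example; it reads ownership and mode from ls -ld so it runs on any POSIX
system.

```shell
#!/bin/sh
# Added example, not part of sudo: flag sudoedit targets that sit in a
# directory an unprivileged user could write to, or that are symbolic links.

owner_of() { ls -ld "$1" | awk '{print $3}'; }
mode_of()  { ls -ld "$1" | awk '{print $1}'; }   # e.g. drwxr-xr-x

# sudoedit_target_risk PATH [TRUSTED_OWNER]
# Prints one finding per line; returns 1 if anything was found, else 0.
sudoedit_target_risk() {
  target=$1
  trusted=${2:-root}
  parent=$(dirname "$target")
  found=0

  if [ -L "$target" ]; then
    echo "symlink: $target is a symbolic link (refused unless FOLLOW or sudoedit_follow)"
    found=1
  fi
  if [ ! -d "$parent" ]; then
    echo "missing: parent directory $parent does not exist"
    return 1
  fi

  mode=$(mode_of "$parent")
  # In the ls -ld mode string, character 6 is the group write bit and
  # character 9 is the other (world) write bit.
  case "$mode" in
    ?????w*)    echo "writable: $parent is group-writable ($mode)"; found=1 ;;
  esac
  case "$mode" in
    ????????w*) echo "writable: $parent is world-writable ($mode)"; found=1 ;;
  esac
  if [ "$(owner_of "$parent")" != "$trusted" ]; then
    echo "owner: $parent is owned by $(owner_of "$parent"), not $trusted"
    found=1
  fi
  return "$found"
}

# Usage (constructed): sudoedit_target_risk /etc/motd && echo "ok to grant"
```

A clean result means only that the directory is not obviously writable; the
sudoedit_checkdir protection described above still applies at run time and
should not be disabled on the strength of this check.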

   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/run/sudo/ts by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root. Older
     versions of sudo stored time stamp files in /tmp; this is no longer
     recommended as it may be possible for a user to create the time stamp
     themselves on systems that allow unprivileged users to change the
     ownership of files they create.

     While the time stamp directory should be cleared at reboot time, not all
     systems contain a /run or /var/run directory. To avoid potential
     problems, sudoers will ignore time stamp files that date from before the
     machine booted on systems where the boot time is available.

     Some systems with graphical desktop environments allow unprivileged users
     to change the system clock. Since sudoers relies on the system clock for
     time stamp validation, it may be possible on such systems for a user to
     run sudo for longer than timestamp_timeout by setting the clock back. To
     combat this, sudoers uses a monotonic clock (which never moves backwards)
     for its time stamps if the system supports it.

     sudoers will not honor time stamps set far in the future. Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudoers will log and complain.

     If the timestamp_type option is set to “tty”, the time stamp record
     includes the device number of the terminal the user authenticated with.
     This provides per-terminal granularity but time stamp records may still
     outlive the user's session.

     Unless the timestamp_type option is set to “global”, the time stamp
     record also includes the session ID of the process that last
     authenticated. This prevents processes in different terminal sessions
     from using the same time stamp record. On systems where a process's
     start time can be queried, the start time of the session leader is
     recorded in the time stamp record. If no terminal is present or the
     timestamp_type option is set to “ppid”, the start time of the parent
     process is used instead. In most cases this will prevent a time stamp
     record from being re-used without the user entering a password when
     logging out and back in again.
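
As an added worked example (not sudo's own code) of the acceptance rules in
this section, the following shell function classifies a time stamp record
given four integer clock values in seconds: the current time, the record's
time, the timeout, and the boot time. The order in which the rules are
applied, the state names and the sample values are assumptions of this
example; the real timestamp_timeout setting is expressed in minutes, and
sudoers uses a monotonic clock where available rather than wall-clock
seconds.

```shell
#!/bin/sh
# Added example, not sudo's code: the time stamp acceptance rules described
# above, applied in one place so their precedence is visible.

# timestamp_state NOW RECORD TIMEOUT BOOT
#   prints one of: pre-boot | future | expired | valid
timestamp_state() {
  now=$1; rec=$2; timeout=$3; boot=$4
  if [ "$rec" -lt "$boot" ]; then
    echo pre-boot       # record predates the last boot: ignored
  elif [ "$rec" -gt $((now + 2 * timeout)) ]; then
    echo future         # later than now + 2 * TIMEOUT: ignored and logged
  elif [ $((now - rec)) -gt "$timeout" ]; then
    echo expired        # older than the timeout: password required again
  else
    echo valid          # within the timeout (a record slightly ahead of
  fi                    # the clock, but under the 2 * TIMEOUT bound, is kept)
}

# Demonstration with constructed values: now=1000, timeout=300, boot=500.
for rec in 990 600 400 1700 1500; do
  printf 'record %-5s -> %s\n' "$rec" "$(timestamp_state 1000 "$rec" 300 500)"
done
```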

DEBUGGING
     Versions 1.8.4 and higher of the sudoers plugin support a flexible
     debugging framework that can help track down what the plugin is doing
     internally if there is a problem. This can be configured in the
     sudo.conf(5) file.

     The sudoers plugin uses the same debug flag format as the sudo front-end:
     subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace, and debug. Each priority,
     when specified, also includes all priorities higher than it. For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by the sudoers plugin:

     alias      User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

     all        matches every subsystem

     audit      BSM and Linux audit code

     auth       user authentication

     defaults   sudoers file Defaults settings

     env        environment handling

     ldap       LDAP-based sudoers

     logging    logging support

     match      matching of users, groups, hosts, and netgroups in the sudoers
                file

     netif      network interface handling

     nss        network service switch handling in sudoers

     parser     sudoers file parsing

     perms      permission setting

     plugin     The equivalent of main for the plugin.

     pty        pseudo-terminal related code

     rbtree     redblack tree internals

     sssd       SSSD-based sudoers

     util       utility functions

     For example:

           Debug sudoers.so /var/log/sudoers_debug match@info,nss@info

     For more information, see the sudo.conf(5) manual.
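
As an added example, not sudo's own code, the shell function below decodes a
Debug flag list of the subsystem@priority form described above and answers
whether a message from a given subsystem at a given priority would be
written. It applies the two rules stated in this section: a flag at some
priority also includes every more severe priority, and the all subsystem
matches every subsystem. The function names and the sample messages are
constructed for this example.

```shell
#!/bin/sh
# Added example, not sudo's code: decode "subsystem@priority" flag lists.

# Numeric rank of a priority; lower means more severe. Fails on unknown names.
prio_rank() {
  case "$1" in
    crit) echo 0 ;; err) echo 1 ;; warn) echo 2 ;; notice) echo 3 ;;
    diag) echo 4 ;; info) echo 5 ;; trace) echo 6 ;; debug) echo 7 ;;
    *) return 1 ;;
  esac
}

# debug_enabled FLAGS SUBSYSTEM PRIORITY
# FLAGS is a comma-separated list such as "match@info,nss@info".
# Returns 0 if a message from SUBSYSTEM at PRIORITY would be written,
# 1 if it would be dropped, 2 if PRIORITY is not a known priority.
debug_enabled() {
  flags=$1; want_sub=$2; want_prio=$3
  want_rank=$(prio_rank "$want_prio") || return 2
  rest=$flags
  while [ -n "$rest" ]; do
    case "$rest" in
      *,*) flag=${rest%%,*}; rest=${rest#*,} ;;
      *)   flag=$rest; rest= ;;
    esac
    sub=${flag%@*}; prio=${flag#*@}
    [ "$sub" = "$want_sub" ] || [ "$sub" = all ] || continue
    rank=$(prio_rank "$prio") || continue      # malformed flag: skip it
    # a flag at priority P includes every priority at least as severe as P
    [ "$want_rank" -le "$rank" ] && return 0
  done
  return 1
}

# Demonstration with the Debug line from the example above.
demo() {
  if debug_enabled 'match@info,nss@info' "$1" "$2"; then
    echo "logged : $1@$2"
  else
    echo "dropped: $1@$2"
  fi
}
demo match warn; demo match debug; demo nss info; demo parser err
```

The all@... form is what makes a broad Debug line expensive: a single
all@debug flag enables every subsystem at every priority, which is useful
for a one-off investigation but should not be left in sudo.conf(5) on a
production host.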

SEE ALSO
     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(5),
     sudo_plugin(5), sudoers.ldap(5), sudoers_timestamp(5), sudo(8), visudo(8)

AUTHORS
     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS.md file in the sudo distribution
     (https://www.sudo.ws/about/contributors/) for an exhaustive list of
     people who have contributed to sudo.

CAVEATS
     The sudoers file should always be edited by the visudo utility which
     locks the file and checks for syntax errors. If sudoers contains syntax
     errors, sudo may refuse to run, which is a serious problem if sudo is
     your only method of obtaining superuser privileges. Recent versions of
     sudoers will attempt to recover after a syntax error by ignoring the rest
     of the line after encountering an error. Older versions of sudo will not
     run if sudoers contains a syntax error.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

BUGS
     If you believe you have found a bug in sudo, you can submit a bug report
     at https://bugzilla.sudo.ws/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.

DISCLAIMER
     sudo is provided “AS IS” and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed. See the LICENSE.md
     file distributed with sudo or https://www.sudo.ws/about/license/ for
     complete details.

Sudo 1.9.13p2                   January 16, 2023                   Sudo 1.9.13p2