SUDOERS(5) BSD File Formats Manual SUDOERS(5)

NAME
sudoers — default sudo security policy plugin

DESCRIPTION
The sudoers policy plugin determines a user's sudo privileges. It is the
default sudo policy plugin. The policy is driven by the /etc/sudoers
file or, optionally, in LDAP. The policy format is described in detail
in the SUDOERS FILE FORMAT section. For information on storing sudoers
policy information in LDAP, see sudoers.ldap(5).
12
Configuring sudo.conf for sudoers
sudo consults the sudo.conf(5) file to determine which plugins to load.
If no sudo.conf(5) file is present, or if it contains no Plugin lines,
sudoers will be used for auditing, policy decisions and I/O logging. To
explicitly configure sudo.conf(5) to use the sudoers plugin, the following
configuration can be used.

Plugin sudoers_audit sudoers.so
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so

Starting with sudo 1.8.5, it is possible to specify optional arguments to
the sudoers plugin in the sudo.conf(5) file. Plugin arguments, if any,
should be listed after the path to the plugin (i.e., after sudoers.so).
The arguments are only effective for the plugin that opens (and parses)
the sudoers file.

For sudo version 1.9.1 and higher, this is the sudoers_audit plugin. For
older versions, it is the sudoers_policy plugin. Multiple arguments may
be specified, separated by white space. For example:

Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false

The following plugin arguments are supported:

error_recovery=bool
The error_recovery argument can be used to control whether sudoers
should attempt to recover from syntax errors in the sudoers file.
If set to true (the default), sudoers will try to recover from a
syntax error by discarding the portion of the line that contains
the error until the end of the line. A value of false will disable
error recovery. Prior to version 1.9.3, no error recovery was
performed.

ldap_conf=pathname
The ldap_conf argument can be used to override the default path to
the ldap.conf file.

ldap_secret=pathname
The ldap_secret argument can be used to override the default path
to the ldap.secret file.

sudoers_file=pathname
The sudoers_file argument can be used to override the default path
to the sudoers file.

sudoers_uid=user-ID
The sudoers_uid argument can be used to override the default owner
of the sudoers file. It should be specified as a numeric user-ID.

sudoers_gid=group-ID
The sudoers_gid argument can be used to override the default group
of the sudoers file. It must be specified as a numeric group-ID
(not a group name).

sudoers_mode=mode
The sudoers_mode argument can be used to override the default file
mode for the sudoers file. It should be specified as an octal
value.

For more information on configuring sudo.conf(5), refer to its manual.
74
User Authentication
The sudoers security policy requires that most users authenticate
themselves before they can use sudo. A password is not required if the
invoking user is root, if the target user is the same as the invoking user,
or if the policy has disabled authentication for the user or command.
Unlike su(1), when sudoers requires authentication, it validates the
invoking user's credentials, not the target user's (or root's) credentials.
This can be changed via the rootpw, targetpw and runaspw flags, described
later.

If a user who is not listed in the policy tries to run a command via
sudo, mail is sent to the proper authorities. The address used for such
mail is configurable via the mailto Defaults entry (described later) and
defaults to root.

No mail will be sent if an unauthorized user tries to run sudo with the
-l or -v option unless there is an authentication error and either the
mail_always or mail_badpass flags are enabled. This allows users to
determine for themselves whether or not they are allowed to use sudo. By
default, all attempts to run sudo (successful or not) are logged,
regardless of whether or not mail is sent.

If sudo is run by root and the SUDO_USER environment variable is set, the
sudoers policy will use this value to determine who the actual user is.
This can be used by a user to log commands through sudo even when a root
shell has been invoked. It also allows the -e option to remain useful
even when invoked via a sudo-run script or program. Note, however, that
the sudoers file lookup is still done for root, not the user specified by
SUDO_USER.

sudoers uses per-user time stamp files for credential caching. Once a
user has been authenticated, a record is written containing the user-ID
that was used to authenticate, the terminal session ID, the start time of
the session leader (or parent process) and a time stamp (using a
monotonic clock if one is available). The user may then use sudo without a
password for a short period of time (5 minutes unless overridden by the
timestamp_timeout option). By default, sudoers uses a separate record
for each terminal, which means that a user's login sessions are
authenticated separately. The timestamp_type option can be used to select the
type of time stamp record sudoers will use.
115
Logging
By default, sudoers logs both successful and unsuccessful attempts (as
well as errors). The log_allowed and log_denied flags can be used to
control this behavior. Messages can be logged to syslog(3), a log file,
or both. The default is to log to syslog(3) but this is configurable via
the syslog and logfile settings. See EVENT LOGGING for a description of
the log file format.

sudoers is also capable of running a command in a pseudo-terminal and
logging input and/or output. The standard input, standard output, and
standard error can be logged even when not associated with a terminal.
For more information about I/O logging, see the I/O LOGGING section.

Starting with version 1.9, the log_servers setting may be used to send
event and I/O log data to a remote server running sudo_logsrvd or another
service that implements the protocol described by sudo_logsrv.proto(5).
132
Command environment
Since environment variables can influence program behavior, sudoers
provides a means to restrict which variables from the user's environment are
inherited by the command to be run. There are two distinct ways sudoers
can deal with environment variables.

By default, the env_reset flag is enabled. This causes commands to be
executed with a new, minimal environment. On AIX (and Linux systems
without PAM), the environment is initialized with the contents of the
/etc/environment file. The HOME, MAIL, SHELL, LOGNAME and USER
environment variables are initialized based on the target user and the SUDO_*
variables are set based on the invoking user. Additional variables, such
as DISPLAY, PATH and TERM, are preserved from the invoking user's
environment if permitted by the env_check or env_keep options. A few
environment variables are treated specially. If the PATH and TERM variables
are not preserved from the user's environment, they will be set to
default values. The LOGNAME and USER variables are handled as a single entity. If
one of them is preserved (or removed) from the user's environment, the
other will be as well. If LOGNAME and USER are to be preserved but only
one of them is present in the user's environment, the other will be set
to the same value. This avoids an inconsistent environment where one of
the variables describing the user name is set to the invoking user and
one is set to the target user. Environment variables with a value
beginning with ‘()’ are removed unless both the name and value parts are
matched by env_keep or env_check, as they may be interpreted as functions
by the bash shell. Prior to version 1.8.11, such variables were always
removed.

If, however, the env_reset flag is disabled, any variables not explicitly
denied by the env_check and env_delete options are allowed and their
values are inherited from the invoking process. Prior to version 1.8.21,
environment variables with a value beginning with ‘()’ were always
removed. Beginning with version 1.8.21, a pattern in env_delete is used to
match bash shell functions instead. Since it is not possible to block
all potentially dangerous environment variables, use of the default
env_reset behavior is encouraged.

Environment variables specified by env_check, env_delete, or env_keep may
include one or more ‘*’ characters which will match zero or more
characters. No other wildcard characters are supported.

By default, environment variables are matched by name. However, if the
pattern includes an equal sign (‘=’), both the variable's name and value
must match. For example, a bash shell function could be matched as
follows:

env_keep += "BASH_FUNC_my_func%%=()*"

Without the ‘=()*’ suffix, this would not match, as bash shell functions
are not preserved by default.
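Added example (not part of sudoers or this manual): a small Python model of the matching rules just described, covering both env_reset modes, the ‘*’ wildcard, name=value patterns, the ‘()’ function check and the LOGNAME/USER pairing. The env_check "safe value" rule (no ‘%’ or ‘/’ in the value) comes from the env_check entry in SUDOERS OPTIONS rather than this excerpt; the default PATH/TERM values and the target-user record are constructed placeholders, and SUDO_* variables are left out.

```python
import re

# Constructed defaults for this example; sudo compiles its own in.
DEFAULT_PATH = "/usr/bin:/bin"
DEFAULT_TERM = "unknown"


def pattern_to_regex(pattern):
    """sudoers patterns support only '*' (zero or more characters);
    everything else is literal, so it is escaped."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches(pattern, name, value):
    """Return (matched, by_value). A pattern without '=' is matched against
    the name only; with '=' both the name and the value must match."""
    if "=" in pattern:
        pname, pvalue = pattern.split("=", 1)
        ok = bool(pattern_to_regex(pname).match(name)) and bool(pattern_to_regex(pvalue).match(value))
        return ok, True
    return bool(pattern_to_regex(pattern).match(name)), False


def matched_by(patterns, name, value):
    """First matching pattern decides: (True, by_value) or (False, False)."""
    for p in patterns:
        ok, by_value = matches(p, name, value)
        if ok:
            return True, by_value
    return False, False


def check_safe(value):
    # env_check rule from the SUDOERS OPTIONS section of sudoers(5), not from
    # the excerpt above: a value is "safe" if it contains no '%' or '/'.
    return "%" not in value and "/" not in value


def build_env(invoking, target, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Compute the command's environment from the invoking environment (dict),
    a constructed target-user record (name/home/shell/mail) and the policy."""
    if not env_reset:
        # Everything is inherited unless env_delete matches or env_check
        # matches and the value is unsafe.
        env = {}
        for name, value in invoking.items():
            if matched_by(env_delete, name, value)[0]:
                continue
            if matched_by(env_check, name, value)[0] and not check_safe(value):
                continue
            env[name] = value
        return env

    env = {"HOME": target["home"], "MAIL": target["mail"], "SHELL": target["shell"],
           "LOGNAME": target["name"], "USER": target["name"]}
    preserved = set()
    for name, value in invoking.items():
        kept, by_value = matched_by(env_keep, name, value)
        if not kept:
            kept, by_value = matched_by(env_check, name, value)
            kept = kept and check_safe(value)
        # An exported bash function ('()' value) survives only when a
        # name=value pattern matched both parts.
        if not kept or (value.startswith("()") and not by_value):
            continue
        env[name] = value
        preserved.add(name)
    # LOGNAME and USER are one entity: preserving either preserves both, and
    # a missing partner is set to the same value.
    if preserved & {"LOGNAME", "USER"}:
        login = invoking.get("LOGNAME", invoking.get("USER"))
        env["LOGNAME"] = env["USER"] = login
    # PATH and TERM fall back to defaults when not preserved.
    env.setdefault("PATH", DEFAULT_PATH)
    env.setdefault("TERM", DEFAULT_TERM)
    return env
```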
183
184 The complete list of environment variables that are preserved or removed,
185 as modified by global Defaults parameters in sudoers, is displayed when
186 sudo is run by root with the -V option. The list of environment vari‐
187 ables to remove varies based on the operating system sudo is running on.
188
189 Other settings may influence the command environment:
190
191 • sudoers options such as always_set_home, secure_path, set_logname,
192 set_home, and setenv.
193
194 • Command tags, such as SETENV and NOSETENV. Note that SETENV is im‐
195 plied if the command matched is ALL.
196
197 • sudo options, such as -E and -i.
198
199 On systems that support PAM where the pam_env module is enabled for sudo,
200 variables in the PAM environment may be merged in to the environment. If
201 a variable in the PAM environment is already present in the user's envi‐
202 ronment, the value will only be overridden if the variable was not pre‐
203 served by sudoers. When env_reset is enabled, variables preserved from
204 the invoking user's environment by the env_keep list take precedence over
205 those in the PAM environment. When env_reset is disabled, variables
206 present the invoking user's environment take precedence over those in the
207 PAM environment unless they match a pattern in the env_delete list.
208
209 The dynamic linker on most operating systems will remove variables that
210 can control dynamic linking from the environment of set-user-ID executa‐
211 bles, including sudo. Depending on the operating system this may include
212 _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These type
213 of variables are removed from the environment before sudo even begins ex‐
214 ecution and, as such, it is not possible for sudo to preserve them.
215
216 As a special case, if the -i option (initial login) is specified, sudoers
217 will initialize the environment regardless of the value of env_reset.
218 The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL,
219 USER, and LOGNAME are set based on the target user. On AIX (and Linux
220 systems without PAM), the contents of /etc/environment are also included.
221 All other environment variables are removed unless permitted by env_keep
222 or env_check, described above.
223
224 Finally, the restricted_env_file and env_file files are applied, if
225 present. The variables in restricted_env_file are applied first and are
226 subject to the same restrictions as the invoking user's environment, as
227 detailed above. The variables in env_file are applied last and are not
228 subject to these restrictions. In both cases, variables present in the
229 files will only be set to their specified values if they would not con‐
230 flict with an existing environment variable.
231
SUDOERS FILE FORMAT
The sudoers file is composed of two types of entries: aliases (basically
variables) and user specifications (which specify who may run what).

When multiple entries match for a user, they are applied in order. Where
there are multiple matches, the last match is used (which is not
necessarily the most specific match).

The sudoers file grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
simple, and the definitions below are annotated.
243
Resource limits
By default, sudoers uses the operating system's native method of setting
resource limits for the target user. On Linux systems, resource limits
are usually set by the pam_limits.so PAM module. On some BSD systems,
the /etc/login.conf file specifies resource limits for the user. On AIX
systems, resource limits are configured in the /etc/security/limits file.
If there is no system mechanism to set per-user resource limits, the
command will run with the same limits as the invoking user. The one
exception to this is the core dump file size, which is set by sudoers to 0 by
default. Disabling core dumps by default makes it possible to avoid
potential security problems where the core file is treated as trusted
input.

Resource limits may also be set in the sudoers file itself, in which case
they override those set by the system. See the rlimit_as, rlimit_core,
rlimit_cpu, rlimit_data, rlimit_fsize, rlimit_locks, rlimit_memlock,
rlimit_nofile, rlimit_nproc, rlimit_rss, rlimit_stack options described
below. Resource limits in sudoers may be specified in one of the
following formats:

“value”
Both the soft and hard resource limits are set to the same value.
The special value “infinity” can be used to indicate that the
value is unlimited.

“soft,hard”
Two comma-separated values. The soft limit is set to the first
value and the hard limit is set to the second. Both values must
either be enclosed in a set of double quotes, or the comma must
be escaped with a backslash (‘\’). The special value “infinity”
may be used in place of either value.

“default”
The default resource limit for the user will be used. This may
be a user-specific value (see above) or the value of the resource
limit when sudo was invoked for systems that don't support per-user
limits.

“user” The invoking user's resource limits will be preserved when
running the command.

For example, to restore the historic core dump file size behavior, a line
like the following may be used.

Defaults rlimit_core=default

Resource limits in sudoers are only supported by version 1.8.7 or higher.
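Added example (not sudo's own code): a Python parser for the four resource limit value formats listed above, resolving “default” and “user” against constructed (soft, hard) pairs standing in for the system's per-user limit and the invoking user's limit.

```python
import resource

INFINITY = resource.RLIM_INFINITY   # the value setrlimit(2) understands as "unlimited"
DEFAULT = "default"                 # keep the system's per-user limit
USER = "user"                       # keep the invoking user's limit


def _limit(text):
    text = text.strip()
    if text == "infinity":
        return INFINITY
    if not text.isdigit():
        raise ValueError(f"bad resource limit value: {text!r}")
    return int(text)


def parse_rlimit(value):
    """Parse the text after 'rlimit_xxx=' into (soft, hard), DEFAULT or USER.

    Accepts 'value', '"soft,hard"' (double-quoted) and 'soft\\,hard'
    (escaped comma); a bare unescaped comma is a syntax error, as in sudoers.
    """
    value = value.strip()
    if value in (DEFAULT, USER):
        return value
    if len(value) >= 2 and value[0] == value[-1] == '"':
        inner = value[1:-1]
    elif "\\," in value:
        inner = value.replace("\\,", ",")
    elif "," in value:
        raise ValueError("comma must be quoted or escaped: " + value)
    else:
        inner = value
    parts = inner.split(",")
    if len(parts) == 1:
        soft = hard = _limit(parts[0])
    elif len(parts) == 2:
        soft, hard = _limit(parts[0]), _limit(parts[1])
    else:
        raise ValueError("expected one or two values: " + value)
    # setrlimit(2) rejects a soft limit above the hard limit.
    if hard != INFINITY and (soft == INFINITY or soft > hard):
        raise ValueError("soft limit exceeds hard limit: " + value)
    return soft, hard


def resolve_rlimit(value, invoking, system_default=None):
    """Limits the command will run with. invoking = (soft, hard) in effect
    when sudo was invoked; system_default = the per-user limit from
    pam_limits/login.conf, or None on systems without per-user limits."""
    parsed = parse_rlimit(value)
    if parsed == USER:
        return invoking
    if parsed == DEFAULT:
        return invoking if system_default is None else system_default
    return parsed
```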
291
Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of production rules. For example:

symbol ::= definition | alternate1 | alternate2 ...

Each production rule references others and thus makes up a grammar for
the language. EBNF also contains the following operators, which many
readers will recognize from regular expressions. Do not, however,
confuse them with “wildcard” characters, which have different meanings.

? Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.

* Means that the preceding symbol (or group of symbols) may appear
zero or more times.

+ Means that the preceding symbol (or group of symbols) may appear
one or more times.

Parentheses may be used to group symbols together. For clarity, we will
use single quotes ('') to designate what is a verbatim character string
(as opposed to a symbol name).
315
Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
Cmnd_Alias. Beginning with sudo 1.9.0, Cmd_Alias may be used in place of
Cmnd_Alias if desired.

Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)* |
'Cmd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*

User_Alias ::= NAME

User_Alias_Spec ::= User_Alias '=' User_List

Runas_Alias ::= NAME

Runas_Alias_Spec ::= Runas_Alias '=' Runas_List

Host_Alias ::= NAME

Host_Alias_Spec ::= Host_Alias '=' Host_List

Cmnd_Alias ::= NAME

Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List

NAME ::= [A-Z]([A-Z][0-9]_)*

Each alias definition is of the form

Alias_Type NAME = item1, item2, ...

where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
underscore characters (‘_’). A NAME must start with an uppercase letter. It
is possible to put several alias definitions of the same type on a single
line, joined by a colon (‘:’). For example:

Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

It is a syntax error to redefine an existing alias. It is possible to
use the same name for aliases of different types, but this is not
recommended.

The definitions of what constitutes a valid alias member follow.

User_List ::= User |
User ',' User_List

User ::= '!'* user name |
'!'* #user-ID |
'!'* %group |
'!'* %#group-ID |
'!'* +netgroup |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
'!'* User_Alias

A User_List is made up of one or more user names, user-IDs (prefixed with
‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’
respectively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
(prefixed with ‘%:’ and ‘%:#’ respectively), and User_Aliases. Each list
item may be prefixed with zero or more ‘!’ operators. An odd number of
‘!’ operators negate the value of the item; an even number just cancel
each other out. User netgroups are matched using the user and domain
members only; the host member is not used when matching.

A user name, user-ID, group, group-ID, netgroup, nonunix_group or
nonunix_gid may be enclosed in double quotes to avoid the need for
escaping special characters. Alternately, special characters may be specified
in escaped hex mode, e.g., \x20 for space. When using double quotes, any
prefix characters must be included inside the quotes.

The actual nonunix_group and nonunix_gid syntax depends on the underlying
group provider plugin. For instance, the QAS AD plugin supports the
following formats:

• Group in the same domain: "%:Group Name"

• Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

• Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

See GROUP PROVIDER PLUGINS for more information.

Quotes around group names are optional. Unquoted strings must use a
backslash (‘\’) to escape spaces and special characters. See Other
special characters and reserved words for a list of characters that need
to be escaped.
406
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List

Runas_Member ::= '!'* user name |
'!'* #user-ID |
'!'* %group |
'!'* %#group-ID |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
'!'* +netgroup |
'!'* Runas_Alias |
'!'* ALL

A Runas_List is similar to a User_List except that instead of
User_Aliases it can contain Runas_Aliases. User names and groups are
matched as strings. In other words, two users (groups) with the same
user (group) ID are considered to be distinct. If you wish to match all
user names with the same user-ID (e.g., root and toor), you can use a
user-ID instead of a name (#0 in the example given). The user-ID or
group-ID specified in a Runas_Member need not be listed in the password
or group database.

Host_List ::= Host |
Host ',' Host_List

Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* +netgroup |
'!'* Host_Alias |
'!'* ALL

A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with ‘+’), and other aliases. Again, the
value of an item may be negated with the ‘!’ operator. Host netgroups
are matched using the host (both qualified and unqualified) and domain
members only; the user member is not used when matching. If you specify
a network number without a netmask, sudo will query each of the local
host's network interfaces and, if the network number corresponds to one
of the host's network interfaces, will use the netmask of that
interface. The netmask may be specified either in standard IP address
notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
(number of bits, e.g., 24 or 64). A host name may include shell-style
wildcards (see the Wildcards section below), but unless the hostname
command on your machine returns the fully qualified host name, you'll need
to use the fqdn flag for wildcards to be useful. sudo only inspects
actual network interfaces; this means that IP address 127.0.0.1 (localhost)
will never match. Also, the host name “localhost” will only match if
that is the actual host name, which is usually only the case for
non-networked systems.
457
digest ::= [A-Fa-f0-9]+ |
[A-Za-z0-9\+/=]+

Digest_Spec ::= "sha224" ':' digest |
"sha256" ':' digest |
"sha384" ':' digest |
"sha512" ':' digest

Digest_List ::= Digest_Spec |
Digest_Spec ',' Digest_List

Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List

command name ::= regex |
file name

command ::= command name |
command name args |
command name regex |
command name '""' |
ALL

Edit_Spec ::= "sudoedit" file name+ |
"sudoedit" regex |
"sudoedit"

List_Spec ::= "list"

Cmnd ::= Digest_List? '!'* command |
'!'* directory |
'!'* Edit_Spec |
'!'* List_Spec |
'!'* Cmnd_Alias

A Cmnd_List is a list of one or more commands, directories, or aliases.
A command is a fully qualified file name, which may include shell-style
wildcards (see the Wildcards section below), or a regular expression that
starts with ‘^’ and ends with ‘$’ (see the Regular expressions section
below). A directory is a fully qualified path name ending in a ‘/’.
When you specify a directory in a Cmnd_List, the user will be able to run
any file within that directory (but not in any sub-directories therein).
If no command line arguments are specified, the user may run the command
with any arguments they choose. Command line arguments can include
wildcards or be a regular expression that starts with ‘^’ and ends with ‘$’.
If the command line arguments consist of ‘""’, the command may only be
run with no arguments.

If a Cmnd has associated command line arguments, the arguments in the
Cmnd must match those given by the user on the command line. If the
arguments in a Cmnd begin with the ‘^’ character, they will be interpreted
as a regular expression and matched accordingly. Otherwise, shell-style
wildcards are used when matching. Unless a regular expression is
specified, the following characters must be escaped with a ‘\’ if they are
used in command arguments: ‘,’, ‘:’, ‘=’, ‘\’. To prevent arguments in a
Cmnd that begin with a ‘^’ character from being interpreted as a regular
expression, the ‘^’ must be escaped with a ‘\’.

There are two commands built into sudo itself: “list” and “sudoedit”.
Unlike other commands, these two must be specified in the sudoers file
without a leading path.

The “list” built-in can be used to permit a user to list another user's
privileges with sudo's -U option. For example, “sudo -l -U otheruser”.
A user with the “list” privilege is able to list another user's
privileges even if they don't have permission to run commands as that user.
By default, only root or a user with the ability to run any command as
either root or the specified user on the current host may use the -U
option. No command line arguments may be specified with the “list”
built-in.

The “sudoedit” built-in is used to permit a user to run sudo with the -e
option (or as sudoedit). It may take command line arguments just as a
normal command does. Unlike other commands, “sudoedit” is built into
sudo itself and must be specified in the sudoers file without a leading
path. If a leading path is present, for example /usr/bin/sudoedit, the
path name will be silently converted to “sudoedit”. A fully-qualified
path for sudoedit is treated as an error by visudo.

A command may be preceded by a Digest_List, a comma-separated list of one
or more Digest_Spec entries. If a Digest_List is present, the command
will only match successfully if it can be verified using one of the SHA-2
digests in the list. Starting with version 1.9.0, the ALL reserved word
can be used in conjunction with a Digest_List. The following digest
formats are supported: sha224, sha256, sha384, and sha512. The string may
be specified in either hex or base64 format (base64 is more compact).
There are several utilities capable of generating SHA-2 digests in hex
format such as openssl, shasum, sha224sum, sha256sum, sha384sum,
sha512sum.

For example, using openssl:

$ openssl dgst -sha224 /bin/ls
SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25

It is also possible to use openssl to generate base64 output:

$ openssl dgst -binary -sha224 /bin/ls | openssl base64
EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==

Warning: if the user has write access to the command itself (directly or
via a sudo command), it may be possible for the user to replace the
command after the digest check has been performed but before the command is
executed. A similar race condition exists on systems that lack the
fexecve(2) system call when the directory in which the command is located
is writable by the user. See the description of the fdexec setting for
more information on how sudo executes commands that have an associated
digest.

Command digests are only supported by version 1.8.7 or higher.
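Added example (not sudo's own code): a Python sketch of how a Digest_List is parsed and checked, using the two openssl outputs above as a test vector for hex/base64 equivalence. It hashes the bytes behind an already-open descriptor and executes that same descriptor with fexecve, which is the pattern that closes the replace-after-check race described in the warning; the sample script it hashes is constructed.

```python
import base64
import hashlib
import hmac
import os
import tempfile

# Digest sizes in bytes for the four supported SHA-2 algorithms.
DIGEST_BYTES = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def parse_digest_spec(spec):
    """'sha256:<hex or base64>' -> (algorithm, raw digest bytes)."""
    algo, sep, text = spec.strip().partition(":")
    if not sep or algo not in DIGEST_BYTES or not text:
        raise ValueError(f"bad Digest_Spec: {spec!r}")
    size = DIGEST_BYTES[algo]
    # Hex is exactly 2*size characters; base64 of the same digest is
    # shorter, so the two encodings can be told apart by length alone.
    if len(text) == 2 * size:
        return algo, bytes.fromhex(text)
    raw = base64.b64decode(text, validate=True)
    if len(raw) != size:
        raise ValueError(f"{algo} digest has wrong length in {spec!r}")
    return algo, raw


def parse_digest_list(text):
    """Comma-separated Digest_Spec entries, as written before a command."""
    return [parse_digest_spec(s) for s in text.split(",")]


def open_verified(path, digest_list):
    """Open the command once and hash the bytes behind that descriptor.

    Returns the open fd when one listed digest matches, else None. The
    caller must execute that same fd (os.fexecve) rather than the path:
    re-opening the path later is the time-of-check/time-of-use window the
    warning describes for a user-writable command or directory.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        for algo, expected in digest_list:
            h = hashlib.new(algo)
            os.lseek(fd, 0, os.SEEK_SET)
            while chunk := os.read(fd, 65536):
                h.update(chunk)
            if hmac.compare_digest(h.digest(), expected):
                return fd
    except BaseException:
        os.close(fd)
        raise
    os.close(fd)
    return None


def run_if_verified(path, argv, env, digest_list):
    """Policy decision a sudo-like front end would make: exec only on match."""
    fd = open_verified(path, digest_list)
    if fd is None:
        return False
    os.fexecve(fd, argv, env)  # does not return on success


def selfcheck():
    """Constructed sample: a temp file whose digest is listed both ways."""
    data = b"#!/bin/sh\necho hello\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        raw = hashlib.sha256(data).digest()
        spec_hex = "sha256:" + raw.hex()
        spec_b64 = "sha256:" + base64.b64encode(raw).decode()
        fd = open_verified(path, parse_digest_list(f"{spec_hex}, {spec_b64}"))
        ok = fd is not None
        if ok:
            os.close(fd)
        wrong = open_verified(path, parse_digest_list("sha256:" + "00" * 32))
        return {"hex_equals_b64": parse_digest_spec(spec_hex) == parse_digest_spec(spec_b64),
                "matches": ok, "rejects_wrong": wrong is None}
    finally:
        os.unlink(path)
```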
568
Defaults
Certain configuration options may be changed from their default values at
run-time via one or more Default_Entry lines. These may affect all users
on any host (‘Defaults’), all users on a specific host (‘Defaults@host’),
a specific user (‘Defaults:user’), a specific command (‘Defaults!cmnd’),
or commands being run as a specific user (‘Defaults>runasuser’).

White space is not permitted between ‘Defaults’ and the ‘@’, ‘:’, ‘!’, or
‘>’ characters. While a comma-separated list may be used in place of a
single value after the ‘@’, ‘:’, ‘!’, or ‘>’ character, using an alias
instead of a list often improves readability. Per-command entries may
not include command line arguments. If you need to specify arguments,
define a Cmnd_Alias and reference that instead.

Default_Type ::= 'Defaults' |
'Defaults@' Host_List |
'Defaults:' User_List |
'Defaults!' Cmnd_List |
'Defaults>' Runas_List

Default_Entry ::= Default_Type Parameter_List

Parameter_List ::= Parameter |
Parameter ',' Parameter_List

Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
'!'* Parameter

Parameters may be flags, integer values, strings, or lists. Flags are
implicitly boolean and can be turned off via the ‘!’ operator. Some
integer, string and list parameters may also be used in a boolean context
to disable them. Values may be enclosed in double quotes ("") when they
contain multiple words. Special characters may be escaped with a
backslash (‘\’).

To include a literal backslash character in a command line argument you
must escape the backslash twice. For example, to match ‘\n’ as part of a
command line argument, you must use ‘\\\\n’ in the sudoers file. This is
due to there being two levels of escaping, one in the sudoers parser
itself and another when command line arguments are matched by the
fnmatch(3) or regexec(3) function.

Lists have two additional assignment operators, ‘+=’ and ‘-=’. These
operators are used to add to and delete from a list respectively. It is
not an error to use the ‘-=’ operator to remove an element that does not
exist in a list.

Defaults entries are parsed in the following order: global, host, user,
and runas Defaults first, then command defaults. If there are multiple
Defaults settings of the same type, the last matching setting is used.
The following Defaults settings are parsed before all others since they
may affect subsequent entries: fqdn, group_plugin, runas_default,
sudoers_locale.

See SUDOERS OPTIONS for a list of supported Defaults parameters.
626
627 User specification
628 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
629 (':' Host_List '=' Cmnd_Spec_List)*
630
631 Cmnd_Spec_List ::= Cmnd_Spec |
632 Cmnd_Spec ',' Cmnd_Spec_List
633
634 Cmnd_Spec ::= Runas_Spec? Option_Spec* (Tag_Spec ':')* Cmnd
635
636 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
637
638 Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
639
640 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
641
642 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
643
644 Timeout_Spec ::= 'TIMEOUT=timeout'
645
646 Chdir_Spec ::= 'CWD=directory'
647
648 Chroot_Spec ::= 'CHROOT=directory'
649
650 Tag_Spec ::= ('EXEC' | 'NOEXEC' | 'FOLLOW' | 'NOFOLLOW' |
651 'LOG_INPUT' | 'NOLOG_INPUT' | 'LOG_OUTPUT' |
652 'NOLOG_OUTPUT' | 'MAIL' | 'NOMAIL' | 'INTERCEPT' |
653 'NOINTERCEPT' | 'PASSWD' | 'NOPASSWD' | 'SETENV' |
654 'NOSETENV')
655
656 A user specification determines which commands a user may run (and as
657 what user) on specified hosts. By default, commands are run as root (un‐
658 less runas_default has been set to a different value) but this can also
659 be changed on a per-command basis.
660
661 The basic structure of a user specification is “who where = (as_whom)
662 what”. Let's break that down into its constituent parts:
663
664 Runas_Spec
665 A Runas_Spec determines the user and/or the group that a command may be
666 run as. A fully-specified Runas_Spec consists of two Runas_Lists (as de‐
667 fined above) separated by a colon (‘:’) and enclosed in a set of paren‐
668 theses. The first Runas_List indicates which users the command may be
669 run as via the -u option. The second defines a list of groups that may
670 be specified via the -g option (in addition to any of the target user's
671 groups). If both Runas_Lists are specified, the command may be run with
672 any combination of users and groups listed in their respective
673 Runas_Lists. If only the first is specified, the command may be run as
674 any user in the list and, optionally, with any group the target user be‐
675 longs to. If the first Runas_List is empty but the second is specified,
676 the command may be run as the invoking user with the group set to any
677 listed in the Runas_List. If both Runas_Lists are empty, the command may
678 only be run as the invoking user and the group, if specified, must be one
679 that the invoking user is a member of. If no Runas_Spec is specified,
680 the command may only be run as the runas_default user (root by default)
681 and the group, if specified, must be one that the runas_default user is a
682 member of.
683
684 A Runas_Spec sets the default for the commands that follow it. What this
685 means is that for the entry:
686
687 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
688
689 The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
690 boulder—but only as operator. For example:
691
692 $ sudo -u operator /bin/ls
693
694 It is also possible to override a Runas_Spec later on in an entry. If we
695 modify the entry like so:
696
697 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
698
699 Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
700 and /usr/bin/lprm as root.
701
702 We can extend this to allow dgb to run /bin/ls with either the user or
703 group set to operator:
704
705 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
706 /usr/bin/lprm
707
708 While the group portion of the Runas_Spec permits the user to run a com‐
709 mand with that group, it does not force the user to do so. If no group
710 is specified on the command line, the command will run with the group
711 listed in the target user's password database entry. The following would
712 all be permitted by the sudoers entry above:
713
714 $ sudo -u operator /bin/ls
715 $ sudo -u operator -g operator /bin/ls
716 $ sudo -g operator /bin/ls
717
718 In the following example, user tcm may run commands that access a modem
719 device file with the dialer group.
720
721 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
722 /usr/local/bin/minicom
723
724 In this example only the group will be set, the command still runs as
725 user tcm. For example:
726
727 $ sudo -g dialer /usr/bin/cu
728
729 Multiple users and groups may be present in a Runas_Spec, in which case
730 the user may select any combination of users and groups via the -u and -g
731 options. In this example:
732
733 alan ALL = (root, bin : operator, system) ALL
734
735 user alan may run any command as either user root or bin, optionally set‐
736 ting the group to operator or system.
737
738 Option_Spec
739 A Cmnd may have zero or more options associated with it. Options may
740 consist of SELinux roles and/or types, start and/or end dates and command
741 timeouts. Once an option is set for a Cmnd, subsequent Cmnds in the
742 Cmnd_Spec_List inherit that option unless it is overridden by another
743 option. Option names are reserved words in sudoers. This means that
744 none of the valid option names (see below) can be used when declaring an
745 alias.
746
747 SELinux_Spec
748 On systems with SELinux support, sudoers file entries may optionally have
749 an SELinux role and/or type associated with a command. This can be used
750 to implement a form of role-based access control (RBAC). If a role or
751 type is specified with the command it will override any default values
752 specified in sudoers. A role or type specified on the command line, how‐
753 ever, will supersede the values in sudoers.
754
755 Date_Spec
756 sudoers rules can be specified with a start and end date via the
757 NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
758 “Generalized Time” as defined by RFC 4517. The format is effectively
759 ‘yyyymmddHHMMSSZ’ where the minutes and seconds are optional. The ‘Z’
760 suffix indicates that the time stamp is in Coordinated Universal Time
761 (UTC). It is also possible to specify a timezone offset from UTC in
762 hours and minutes instead of a ‘Z’. For example, ‘-0500’ would corre‐
763 spond to Eastern Standard time in the US. As an extension, if no ‘Z’ or
764 timezone offset is specified, local time will be used.
765
766 The following are all valid time stamps:
767
768 20170214083000Z
769 2017021408Z
770 20160315220000-0500
771 20151201235900
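As an added example (written for this page, not code from the sudo manual or from sudo's own parser), the following C routine checks a NOTBEFORE/NOTAFTER value against the rules above and extracts its date, time and zone; the struct gtime and parse_generalized_time names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* How the time stamp's zone was given: no suffix (local time, the sudoers
 * extension), a trailing 'Z' (UTC), or an explicit +hhmm/-hhmm offset. */
enum gt_zone { GT_LOCAL, GT_UTC, GT_OFFSET };

/* Parsed form of a sudoers Date_Spec time stamp (hypothetical struct). */
struct gtime {
    int year, mon, day, hour, min, sec;
    enum gt_zone zone;
    int offset_min;   /* signed minutes east of UTC when zone == GT_OFFSET */
};

/* Parse exactly n decimal digits from s into *out; return 0 on failure. */
static int parse_digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Parse a Date_Spec value of the form yyyymmddHH[MM[SS]][Z|+hhmm|-hhmm].
 * Returns 1 and fills *gt on success, 0 for a malformed time stamp.
 * Minutes and seconds are optional (as the manual states); with no
 * suffix the stamp is taken as local time. */
int parse_generalized_time(const char *s, struct gtime *gt)
{
    size_t len = strlen(s), ndigits = 0;
    const char *p;

    memset(gt, 0, sizeof(*gt));
    while (ndigits < len && isdigit((unsigned char)s[ndigits]))
        ndigits++;
    /* yyyymmddHH is mandatory; MM and SS add two digits each. */
    if (ndigits != 10 && ndigits != 12 && ndigits != 14)
        return 0;
    parse_digits(s, 4, &gt->year);
    parse_digits(s + 4, 2, &gt->mon);
    parse_digits(s + 6, 2, &gt->day);
    parse_digits(s + 8, 2, &gt->hour);
    if (ndigits >= 12)
        parse_digits(s + 10, 2, &gt->min);
    if (ndigits == 14)
        parse_digits(s + 12, 2, &gt->sec);
    /* Basic range checks; calendar validity (e.g. Feb 30) is not checked. */
    if (gt->mon < 1 || gt->mon > 12 || gt->day < 1 || gt->day > 31 ||
        gt->hour > 23 || gt->min > 59 || gt->sec > 60)
        return 0;

    p = s + ndigits;
    if (*p == '\0') {
        gt->zone = GT_LOCAL;               /* sudoers extension: local time */
    } else if (strcmp(p, "Z") == 0) {
        gt->zone = GT_UTC;
    } else if ((*p == '+' || *p == '-') && strlen(p) == 5) {
        int hh, mm;
        if (!parse_digits(p + 1, 2, &hh) || !parse_digits(p + 3, 2, &mm) ||
            hh > 23 || mm > 59)
            return 0;
        gt->zone = GT_OFFSET;
        gt->offset_min = (hh * 60 + mm) * (*p == '-' ? -1 : 1);
    } else {
        return 0;                          /* unknown suffix */
    }
    return 1;
}
```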
772
773 Timeout_Spec
774 A command may have a timeout associated with it. If the timeout expires
775 before the command has exited, the command will be terminated. The time‐
776 out may be specified in combinations of days, hours, minutes, and seconds
777 with a single-letter case-insensitive suffix that indicates the unit of
778 time. For example, a timeout of 7 days, 8 hours, 30 minutes, and 10 sec‐
779 onds would be written as ‘7d8h30m10s’. If a number is specified without
780 a unit, seconds are assumed. Any of the days, minutes, hours, or seconds
781 may be omitted. The order must be from largest to smallest unit and a
782 unit may not be specified more than once.
783
784 The following are all valid timeout values: ‘7d8h30m10s’, ‘14d’, ‘8h30m’,
785 ‘600s’, ‘3600’. The following are invalid timeout values: ‘12m2w1d’,
786 ‘30s10m4h’, ‘1d2d3h’.
787
788 This setting is only supported by version 1.8.20 or higher.
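An added example, written for this page rather than taken from sudo's source: a C parser that applies the rules above (units largest to smallest, none repeated, case-insensitive suffix) and returns the timeout in seconds, or -1 for malformed values such as the invalid ones listed. The parse_timeout_spec name is hypothetical, and it assumes a trailing number without a unit is treated exactly like a value with an ‘s’ suffix.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Parse a sudoers TIMEOUT value into seconds; -1 means malformed.
 * Hypothetical name, not sudo's own routine. */
long parse_timeout_spec(const char *s)
{
    static const char units[] = "dhms";            /* required order */
    static const long mult[] = { 86400, 3600, 60, 1 };
    long total = 0;
    int min_idx = 0;   /* the next unit must be at least this small */

    if (*s == '\0')
        return -1;
    while (*s != '\0') {
        char *end;
        long n;
        int idx;

        if (!isdigit((unsigned char)*s))
            return -1;                 /* each component starts with a number */
        n = strtol(s, &end, 10);
        if (*end == '\0') {
            idx = 3;                   /* no unit: seconds (assumption above) */
        } else {
            const char *u = strchr(units, tolower((unsigned char)*end));
            if (u == NULL)
                return -1;             /* e.g. 'w' in '12m2w1d' */
            idx = (int)(u - units);
            end++;
        }
        if (idx < min_idx)
            return -1;                 /* out of order ('30s10m4h') or repeated ('1d2d3h') */
        min_idx = idx + 1;
        total += n * mult[idx];
        s = end;
    }
    return total;
}
```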
789
790 Chdir_Spec
791 The working directory that the command will be run in can be specified
792 using the CWD setting. The directory must be a fully-qualified path name
793 beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
794 of “*” indicates that the user may specify the working directory by run‐
795 ning sudo with the -D option. By default, commands are run from the in‐
796 voking user's current working directory, unless the -i option is given.
797 Path names of the form ~user/path/name are interpreted as being relative
798 to the named user's home directory. If the user name is omitted, the
799 path will be relative to the runas user's home directory.
800
801 This setting is only supported by version 1.9.3 or higher.
802
803 Chroot_Spec
804 The root directory that the command will be run in can be specified using
805 the CHROOT setting. The directory must be a fully-qualified path name
806 beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
807 of “*” indicates that the user may specify the root directory by running
808 sudo with the -R option. This setting can be used to run the command in
809 a chroot(2) “sandbox” similar to the chroot(8) utility. Path names of
810 the form ~user/path/name are interpreted as being relative to the named
811 user's home directory. If the user name is omitted, the path will be
812 relative to the runas user's home directory.
813
814 This setting is only supported by version 1.9.3 or higher.
815
816 Tag_Spec
817 A command may have zero or more tags associated with it. The following
818 tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
819 NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, INTERCEPT,
820 NOINTERCEPT, PASSWD, NOPASSWD, SETENV, and NOSETENV. Once a tag is set
821 on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
822 it is overridden by the opposite tag (in other words, PASSWD overrides
823 NOPASSWD and NOEXEC overrides EXEC).
824
825 EXEC and NOEXEC
826
827 If sudo has been compiled with noexec support and the underlying oper‐
828 ating system supports it, the NOEXEC tag can be used to prevent a dy‐
829 namically-linked executable from running further commands itself.
830
831 In the following example, user aaron may run /usr/bin/more and
832 /usr/bin/vi but shell escapes will be disabled.
833
834 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
835
836 See the Preventing shell escapes section below for more details on how
837 NOEXEC works and whether or not it will work on your system.
838
839 FOLLOW and NOFOLLOW
840
841 Starting with version 1.8.15, sudoedit will not open a file that is a
842 symbolic link unless the sudoedit_follow flag is enabled. The FOLLOW
843 and NOFOLLOW tags override the value of sudoedit_follow and can be used
844 to permit (or deny) the editing of symbolic links on a per-command ba‐
845 sis. These tags are only effective for the sudoedit command and are
846 ignored for all other commands.
847
848 LOG_INPUT and NOLOG_INPUT
849
850 These tags override the value of the log_input flag on a per-command
851 basis. For more information, see I/O LOGGING.
852
853 LOG_OUTPUT and NOLOG_OUTPUT
854
855 These tags override the value of the log_output flag on a per-command
856 basis. For more information, see I/O LOGGING.
857
858 MAIL and NOMAIL
859
860 These tags provide fine-grained control over whether mail will be sent
861 when a user runs a command by overriding the value of the
862 mail_all_cmnds flag on a per-command basis. They have no effect when
863 sudo is run with the -l or -v options. A NOMAIL tag will also override
864 the mail_always and mail_no_perms options. For more information, see
865 the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
866 the SUDOERS OPTIONS section below.
867
868 PASSWD and NOPASSWD
869
870 By default, sudo requires that a user authenticate before running a
871 command. This behavior can be modified via the NOPASSWD tag. Like a
872 Runas_Spec, the NOPASSWD tag sets a default for the commands that fol‐
873 low it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
874 to reverse things. For example:
875
876 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
877
878 would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
879 as root on the machine “rushmore” without authenticating himself. If
880 we only want ray to be able to run /bin/kill without a password the en‐
881 try would be:
882
883 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
884
885 Note, however, that the PASSWD tag has no effect on users who are in
886 the group specified by the exempt_group setting.
887
888 By default, if the NOPASSWD tag is applied to any of a user's entries
889 for the current host, the user will be able to run ‘sudo -l’ without a
890 password. Additionally, a user may only run ‘sudo -v’ without a pass‐
891 word if all of the user's entries for the current host have the
892 NOPASSWD tag. This behavior may be overridden via the verifypw and
893 listpw options.
894
895 SETENV and NOSETENV
896
897 These tags override the value of the setenv flag on a per-command ba‐
898 sis. If SETENV has been set for a command, the user may disable the
899 env_reset flag from the command line via the -E option. Additionally,
900 environment variables set on the command line are not subject to the
901 restrictions imposed by env_check, env_delete, or env_keep. As such,
902 only trusted users should be allowed to set variables in this manner.
903 If the command matched is ALL, the SETENV tag is implied for that com‐
904 mand; this default may be overridden by use of the NOSETENV tag.
905
906 INTERCEPT and NOINTERCEPT
907
908 If sudo has been compiled with intercept support and the underlying op‐
909 erating system supports it, the INTERCEPT tag can be used to cause pro‐
910 grams spawned by a command to be validated against sudoers and logged
911 just like they would be if run through sudo directly. This is useful
912 in conjunction with commands that allow shell escapes such as editors,
913 shells, and paginators. There is additional overhead due to the policy
914 check that may add latency when running commands such as shell scripts
915 that execute a large number of sub-commands. For interactive commands,
916 such as a shell or editor, the overhead is not usually noticeable.
917
918 In the following example, user chuck may run any command on the machine
919 “research” in intercept mode.
920
921 chuck research = INTERCEPT: ALL
922
923 See the Preventing shell escapes section below for more details on how
924 INTERCEPT works and whether or not it will work on your system.
925
926 Wildcards
927 sudo allows shell-style wildcards (aka meta or glob characters) to be
928 used in host names, path names, and command line arguments in the sudoers
929 file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
930 as specified by IEEE Std 1003.1 (“POSIX.1”).
931
932 * Matches any set of zero or more characters (including white
933 space).
934
935 ? Matches any single character (including white space).
936
937 [...] Matches any character in the specified range.
938
939 [!...] Matches any character not in the specified range.
940
941 \x For any character ‘x’, evaluates to ‘x’. This is used to escape
942 special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
943
944 These are not regular expressions. Unlike a regular expression there is
945 no way to match one or more characters within a range.
946
947 Character classes may be used if your system's glob(3) and fnmatch(3)
948 functions support them. However, because the ‘:’ character has special
949 meaning in sudoers, it must be escaped. For example:
950
951 /bin/ls [[\:alpha\:]]*
952
953 Would match any file name beginning with a letter.
954
955 A forward slash (‘/’) will not be matched by wildcards used in the file
956 name portion of the command. This is to make a path like:
957
958 /usr/bin/*
959
960 match /usr/bin/who but not /usr/bin/X11/xterm.
961
962 When matching the command line arguments, however, a slash does get
963 matched by wildcards since command line arguments may contain arbitrary
964 strings and not just path names.
965
966 Wildcards in command line arguments should be used with care.
967 Wildcards can match any character, including white space. In most cases,
968 it is safer to use a regular expression to match command line arguments.
969 For more information, see Wildcards in command arguments below.
970
971 Exceptions to wildcard rules
972 The following exceptions apply to the above rules:
973
974 "" If the empty string ‘""’ is the only command line argument in
975 the sudoers file entry it means that command is not allowed to
976 be run with any arguments.
977
978 sudoedit Command line arguments to the sudoedit built-in command should
979 always be path names, so a forward slash (‘/’) will not be
980 matched by a wildcard.
981
982 Regular expressions
983 Starting with version 1.9.10, it is possible to use regular expressions
984 for path names and command line arguments. Regular expressions are more
985 expressive than shell-style wildcards and are usually safer because they
986 provide a greater degree of control when matching. The type of regular
987 expressions supported by sudoers are POSIX extended regular expressions,
988 similar to those used by the egrep(1) utility. They are usually docu‐
989 mented in the regex(7) or re_format(7) manual, depending on the system.
990 As an extension, if the regular expression begins with “(?i)”, it will be
991 matched in a case-insensitive manner.
992
993 In sudoers, regular expressions must start with a ‘^’ character and end
994 with a ‘$’. This makes it explicit what is, or is not, a regular expres‐
995 sion. Either the path name, the command line arguments or both may be
996 regular expressions. Because the path name and arguments are matched
997 separately, it is even possible to use wildcards for the path name and
998 regular expressions for the arguments. It is not possible to use a sin‐
999 gle regular expression to match both the command and its arguments. Reg‐
1000 ular expressions in sudoers are limited to 1024 characters.
1001
1002 There is no need to escape sudoers special characters in a regular ex‐
1003 pression other than the pound sign (‘#’).
1004
1005 In the following example, user john can run the passwd(1) command as root
1006 on any host but is not allowed to change root's password. This kind of
1007 rule is impossible to express safely using wildcards.
1008
1009 john ALL = /usr/bin/passwd ^[a-zA-Z0-9_]+$,\
1010 !/usr/bin/passwd root
1011
1012 It is also possible to use a regular expression in conjunction with
1013 sudoedit rules. The following rule would give user bob the ability to
1014 edit the /etc/motd, /etc/issue, and /etc/hosts files only.
1015
1016 bob ALL = sudoedit ^/etc/(motd|issue|hosts)$
1017
1018 Regular expressions may also be used to match the command itself. In
1019 this example, a regular expression is used to allow user sid to run the
1020 /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel,
1021 /usr/sbin/useradd, /usr/sbin/usermod, and /usr/sbin/userdel commands as
1022 root.
1023
1024 sid ALL = ^/usr/sbin/(group|user)(add|mod|del)$
1025
1026 One disadvantage of using a regular expression to match the command name
1027 is that it is not possible to match relative paths such as ./useradd or
1028 ../sbin/useradd. This has security implications when a regular expres‐
1029 sion is used for the command name in conjunction with the negation opera‐
1030 tor, ‘!’, as such rules can be trivially bypassed. Because of this, us‐
1031 ing a negated regular expression for the command name is strongly
1032 discouraged. This does not apply to negated commands that only use a
1033 regular expression to match the command arguments. See Regular
1034 expressions in command names below for more information.
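To show how the wildcard and regular expression rules above fit together, here is an added C example (written for this page, not sudo's own matching code). It uses fnmatch(3) with FNM_PATHNAME for command path names so wildcards never cross a ‘/’, plain fnmatch(3) for arguments, POSIX ERE via regcomp(3) for ‘^…$’ patterns with the “(?i)” extension, and then evaluates the john passwd rule with last-match-wins semantics; all function and struct names are hypothetical.

```c
#include <fnmatch.h>
#include <regex.h>
#include <stdbool.h>
#include <string.h>

/* True when pat is a sudoers regular expression: it starts with '^' and
 * ends with '$', optionally after the "(?i)" case-insensitive prefix. */
static bool is_sudoers_regex(const char *pat)
{
    size_t len;
    if (strncmp(pat, "(?i)", 4) == 0)
        pat += 4;
    len = strlen(pat);
    return len >= 2 && pat[0] == '^' && pat[len - 1] == '$';
}

/* Match str against a sudoers pattern. Regular expressions are POSIX ERE
 * (limited to 1024 characters as in sudoers); anything else goes through
 * fnmatch(3), with FNM_PATHNAME when slash_is_special so that wildcards do
 * not match '/' (command path names, and sudoedit arguments). */
static bool sudoers_match(const char *pat, const char *str, bool slash_is_special)
{
    if (is_sudoers_regex(pat)) {
        regex_t re;
        int cflags = REG_EXTENDED | REG_NOSUB;
        bool ok;
        if (strlen(pat) > 1024)
            return false;
        if (strncmp(pat, "(?i)", 4) == 0) {
            cflags |= REG_ICASE;
            pat += 4;
        }
        if (regcomp(&re, pat, cflags) != 0)
            return false;                  /* a bad pattern never matches */
        ok = regexec(&re, str, 0, NULL, 0) == 0;
        regfree(&re);
        return ok;
    }
    return fnmatch(pat, str, slash_is_special ? FNM_PATHNAME : 0) == 0;
}

/* Command path: /usr/bin/* matches /usr/bin/who but not /usr/bin/X11/xterm.
 * Arguments: a '/' is matched by wildcards. The sudoers-level "\:" escape
 * in classes like [[\:alpha\:]] is assumed already removed by the parser. */
bool match_cmnd_path(const char *pat, const char *path) { return sudoers_match(pat, path, true); }
bool match_cmnd_args(const char *pat, const char *args) { return sudoers_match(pat, args, false); }

/* One Cmnd in a Cmnd_Spec_List; negated is the '!' prefix (hypothetical). */
struct cmnd_rule {
    const char *path;   /* path name pattern or ^regex$ */
    const char *args;   /* NULL = any args, "" = no args allowed, else pattern */
    bool negated;
};

/* Evaluate a Cmnd list the way sudoers does: path and arguments are matched
 * separately, the last matching entry wins, no match means not allowed. */
bool cmnd_allowed(const struct cmnd_rule *rules, size_t n,
                  const char *path, const char *args)
{
    bool allowed = false;
    for (size_t i = 0; i < n; i++) {
        if (!match_cmnd_path(rules[i].path, path))
            continue;
        if (rules[i].args != NULL) {
            if (rules[i].args[0] == '\0') {
                if (args[0] != '\0')
                    continue;          /* "" means no arguments permitted */
            } else if (!match_cmnd_args(rules[i].args, args)) {
                continue;
            }
        }
        allowed = !rules[i].negated;
    }
    return allowed;
}

/* The john rule from the manual: passwd for any user name, except root. */
static const struct cmnd_rule john_rules[] = {
    { "/usr/bin/passwd", "^[a-zA-Z0-9_]+$", false },
    { "/usr/bin/passwd", "root", true },
};

bool john_may_run_passwd(const char *args)
{
    return cmnd_allowed(john_rules, 2, "/usr/bin/passwd", args);
}
```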
1035
1036 Including other files from within sudoers
1037 It is possible to include other sudoers files from within the sudoers
1038 file currently being parsed using the @include and @includedir direc‐
1039 tives. For compatibility with sudo versions prior to 1.9.1, #include and
1040 #includedir are also accepted.
1041
1042 An include file can be used, for example, to keep a site-wide sudoers
1043 file in addition to a local, per-machine file. For the sake of this ex‐
1044 ample the site-wide sudoers file will be /etc/sudoers and the per-machine
1045 one will be /etc/sudoers.local. To include /etc/sudoers.local from
1046 within /etc/sudoers one would use the following line in /etc/sudoers:
1047
1048 @include /etc/sudoers.local
1049
1050 When sudo reaches this line it will suspend processing of the current
1051 file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
1052 end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
1053 Files that are included may themselves include other files. A hard limit
1054 of 128 nested include files is enforced to prevent include file loops.
1055
1056 Starting with version 1.9.1, the path to the include file may contain
1057 white space if it is escaped with a backslash (‘\’). Alternately, the
1058 entire path may be enclosed in double quotes (""), in which case no es‐
1059 caping is necessary. To include a literal backslash in the path, ‘\\’
1060 should be used.
1061
1062 If the path to the include file is not fully-qualified (does not begin
1063 with a ‘/’), it must be located in the same directory as the sudoers file
1064 it was included from. For example, if /etc/sudoers contains the line:
1065
1066 @include sudoers.local
1067
1068 the file that will be included is /etc/sudoers.local.
1069
1070 The file name may also include the ‘%h’ escape, signifying the short form
1071 of the host name. In other words, if the machine's host name is
1072 “xerxes”, then
1073
1074 @include /etc/sudoers.%h
1075
1076 will cause sudo to include the file /etc/sudoers.xerxes.
1077
1078 The @includedir directive can be used to create a sudoers.d directory
1079 that the system package manager can drop sudoers file rules into as part
1080 of package installation. For example, given:
1081
1082 @includedir /etc/sudoers.d
1083
1084 sudo will suspend processing of the current file and read each file in
1085 /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
1086 character to avoid causing problems with package manager or editor tempo‐
1087 rary/backup files.
1088
1089 Files are parsed in sorted lexical order. That is,
1090 /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
1091 Be aware that because the sorting is lexical, not numeric,
1092 /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
1093 Using a consistent number of leading zeroes in the file names can be used
1094 to avoid such problems. After parsing the files in the directory, con‐
1095 trol returns to the file that contained the @includedir directive.
1096
1097 Unlike files included via @include, visudo will not edit the files in a
1098 @includedir directory unless one of them contains a syntax error. It is
1099 still possible to run visudo with the -f flag to edit the files directly,
1100 but this will not catch the redefinition of an alias that is also present
1101 in a different file.
1102
1103 Other special characters and reserved words
1104 The pound sign (‘#’) is used to indicate a comment (unless it is part of
1105 a #include directive or unless it occurs in the context of a user name
1106 and is followed by one or more digits, in which case it is treated as a
1107 user-ID). Both the comment character and any text after it, up to the
1108 end of the line, are ignored.
1109
1110 The reserved word ALL is a built-in alias that always causes a match to
1111 succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
1112 User_Alias, Runas_Alias, or Host_Alias. Attempting to define an alias
1113 named ALL will result in a syntax error. Using ALL can be dangerous
1114 since in a command context, it allows the user to run any command on the
1115 system.
1116
1117 The following option names permitted in an Option_Spec are also consid‐
1118 ered reserved words: CHROOT, ROLE, TYPE, TIMEOUT, CWD, NOTBEFORE and
1119 NOTAFTER. Attempting to define an alias with the same name as one of the
1120 options will result in a syntax error.
1121
1122 An exclamation point (‘!’) can be used as a logical not operator in a
1123 list or alias as well as in front of a Cmnd. This allows one to exclude
1124 certain values. For the ‘!’ operator to be effective, there must be
1125 something for it to exclude. For example, to match all users except for
1126 root one would use:
1127
1128 ALL, !root
1129
1130 If the ALL is omitted, as in:
1131
1132 !root
1133
1134 it would explicitly deny root but not match any other users. This is
1135 different from a true “negation” operator.
1136
1137 Note, however, that using a ‘!’ in conjunction with the built-in ALL
1138 alias to allow a user to run “all but a few” commands rarely works as in‐
1139 tended (see SECURITY NOTES below).
1140
1141 Long lines can be continued with a backslash (‘\’) as the last character
1142 on the line.
1143
1144 White space between elements in a list as well as special syntactic char‐
1145 acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
1146
1147 The following characters must be escaped with a backslash (‘\’) when used
1148 as part of a word (e.g., a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
1149 ‘(’, ‘)’, ‘\’.
1150
1151 SUDOERS OPTIONS
1152 sudo's behavior can be modified by Default_Entry lines, as explained ear‐
1153 lier. A list of all supported Defaults parameters, grouped by type, are
1154 listed below.
1155
1156 Boolean Flags:
1157
1158 always_query_group_plugin
1159 If a group_plugin is configured, use it to resolve
1160 groups of the form ‘%group’ as long as there is not
1161 also a system group of the same name. Normally, only
1162 groups of the form ‘%:group’ are passed to the
1163 group_plugin. This flag is off by default.
1164
1165 always_set_home If enabled, sudo will set the HOME environment variable
1166 to the home directory of the target user (which is the
1167 runas_default user unless the -u option is used). This
1168 flag is largely obsolete and has no effect unless the
1169 env_reset flag has been disabled or HOME is present in
1170 the env_keep list, both of which are strongly discour‐
1171 aged. This flag is off by default.
1172
1173 authenticate If set, users must authenticate themselves via a pass‐
1174 word (or other means of authentication) before they may
1175 run commands. This default may be overridden via the
1176 PASSWD and NOPASSWD tags. This flag is on by default.
1177
1178 case_insensitive_group
1179 If enabled, group names in sudoers will be matched in a
1180 case insensitive manner. This may be necessary when
1181 users are stored in LDAP or AD. This flag is on by de‐
1182 fault.
1183
1184 case_insensitive_user
1185 If enabled, user names in sudoers will be matched in a
1186 case insensitive manner. This may be necessary when
1187 groups are stored in LDAP or AD. This flag is on by
1188 default.
1189
1190 closefrom_override
1191 If set, the user may use the -C option which overrides
1192 the default starting point at which sudo begins closing
1193 open file descriptors. This flag is off by default.
1194
1195 compress_io If set, and sudo is configured to log a command's input
1196 or output, the I/O logs will be compressed using zlib.
1197 This flag is on by default when sudo is compiled with
1198 zlib support.
1199
1200 exec_background By default, sudo runs a command as the foreground
1201 process as long as sudo itself is running in the fore‐
1202 ground. When the exec_background flag is enabled and
1203 the command is being run in a pseudo-terminal (due to
1204 I/O logging or the use_pty flag), the command will be
1205 run as a background process. Attempts to read from the
1206 controlling terminal (or to change terminal settings)
1207 will result in the command being suspended with the
1208 SIGTTIN signal (or SIGTTOU in the case of terminal set‐
1209 tings). If this happens when sudo is a foreground
1210 process, the command will be granted the controlling
1211 terminal and resumed in the foreground with no user in‐
1212 tervention required. The advantage of initially run‐
1213 ning the command in the background is that sudo need
1214 not read from the terminal unless the command explic‐
1215 itly requests it. Otherwise, any terminal input must
1216 be passed to the command, whether it has required it or
1217 not (the kernel buffers terminals so it is not possible
1218 to tell whether the command really wants the input).
1219 This is different from historic sudo behavior or when
1220 the command is not being run in a pseudo-terminal.
1221
1222 For this to work seamlessly, the operating system must
1223 support the automatic restarting of system calls. Un‐
1224 fortunately, not all operating systems do this by de‐
1225 fault, and even those that do may have bugs. For exam‐
1226 ple, macOS fails to restart the tcgetattr(3) and
1227 tcsetattr(3) functions (this is a bug in macOS). Fur‐
1228 thermore, because this behavior depends on the command
1229 stopping with the SIGTTIN or SIGTTOU signals, programs
1230 that catch these signals and suspend themselves with a
1231 different signal (usually SIGSTOP) will not be automati‐
1232 cally foregrounded. Some versions of the Linux su(1)
1233 command behave this way. This flag is off by default.
1234
1235 This setting is only supported by version 1.8.7 or
1236 higher. It has no effect unless I/O logging is enabled
1237 or the use_pty flag is enabled.
1238
1239 env_editor If set, visudo will use the value of the SUDO_EDITOR,
1240 VISUAL or EDITOR environment variables before falling
1241 back on the default editor list. visudo is typically
1242 run as root so this flag may allow a user with visudo
1243 privileges to run arbitrary commands as root without
1244 logging. An alternative is to place a colon-separated
1245 list of “safe” editors in the editor setting. visudo
1246 will then only use SUDO_EDITOR, VISUAL or EDITOR if
1247 they match a value specified in editor. If the
1248 env_reset flag is enabled, the SUDO_EDITOR, VISUAL
1249 and/or EDITOR environment variables must be present in
1250 the env_keep list for the env_editor flag to function
1251 when visudo is invoked via sudo. This flag is on by
1252 default.
1253
1254 env_reset If set, sudo will run the command in a minimal environ‐
1255 ment containing the TERM, PATH, HOME, MAIL, SHELL,
1256 LOGNAME, USER and SUDO_* variables. Any variables in
1257 the caller's environment or in the file specified by
1258 the restricted_env_file setting that match the env_keep
1259 and env_check lists are then added, followed by any
1260 variables present in the file specified by the env_file
1261 setting (if any). The contents of the env_keep and
1262 env_check lists, as modified by global Defaults parame‐
1263 ters in sudoers, are displayed when sudo is run by root
1264 with the -V option. If the secure_path setting is en‐
1265 abled, its value will be used for the PATH environment
1266 variable. This flag is on by default.
1267
1268 fast_glob Normally, sudo uses the glob(3) function to do shell-
1269 style globbing when matching path names. However,
1270 since it accesses the file system, glob(3) can take a
1271 long time to complete for some patterns, especially
1272 when the pattern references a network file system that
1273 is mounted on demand (auto mounted). The fast_glob
1274 flag causes sudo to use the fnmatch(3) function, which
1275 does not access the file system to do its matching.
1276 The disadvantage of fast_glob is that it is unable to
1277 match relative paths such as ./ls or ../bin/ls. This
1278 has security implications when path names that include
1279 globbing characters are used with the negation opera‐
1280 tor, ‘!’, as such rules can be trivially bypassed. As
1281 such, this flag should not be used when the sudoers
1282 file contains rules that contain negated path names
1283 which include globbing characters. This flag is off by
1284 default.
1285
1286 log_passwords Most programs that require a user's password will dis‐
1287 able echo before reading the password to avoid display‐
1288 ing the plaintext password on the screen. However, if
1289 terminal input is being logged (see I/O LOGGING), the
1290 password will still be present in the I/O log. If the
1291 log_passwords option is disabled, sudoers will attempt
1292 to prevent passwords from being logged. It does this
1293 by using the regular expressions in passprompt_regex to
1294 match a password prompt in the terminal output buffer.
1295 When a match is found, input characters in the I/O log
1296 will be replaced with ‘*’ until either a line feed or
                carriage return is found in the terminal input or a new terminal output buffer is received. If, however, a program displays characters as the user types (such as sudo when pwfeedback is set), only the first character of the password will be replaced in the I/O log. This option has no effect unless log_input or log_ttyin are also set. This flag is on by default.

                This setting is only supported by version 1.9.10 or higher.

fqdn            Set this flag if you want to put fully qualified host names in the sudoers file when the local host name (as returned by the ‘hostname’ command) does not contain the domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). This flag is only effective when the “canonical” host name, as returned by the getaddrinfo(3) or gethostbyname(3) function, is a fully-qualified domain name. This is usually the case when the system is configured to use DNS for host name resolution.

                If the system is configured to use the /etc/hosts file in preference to DNS, the “canonical” host name may not be fully-qualified. The order that sources are queried for host name resolution is usually specified in the /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf, or, in some cases, /etc/resolv.conf file. In the /etc/hosts file, the first host name of the entry is considered to be the “canonical” name; subsequent names are aliases that are not used by sudoers. For example, the following hosts file line for the machine “xyzzy” has the fully-qualified domain name as the “canonical” host name, and the short version as an alias.

                    192.168.1.1 xyzzy.sudo.ws xyzzy

                If the machine's hosts file entry is not formatted properly, the fqdn flag will not be effective if it is queried before DNS.

                Beware that when using DNS for host name resolution, turning on fqdn requires sudoers to make DNS lookups which renders sudo unusable if DNS stops working (for example if the machine is disconnected from the network). Just like with the hosts file, you must use the “canonical” name as DNS knows it. That is, you may not use a host alias (CNAME entry) due to performance issues and the fact that there is no way to get all aliases from DNS.

                This flag is off by default.

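The /etc/hosts rule above, as an added illustration that is not part of the sudoers manual or sudo's code: the first name of an entry is the canonical name, later names are aliases sudoers ignores, and fqdn is only effective when that canonical name carries a domain. The hosts lines are constructed for the example; the second machine (plugh) shows the "not formatted properly" case.

```python
# Added example (not part of the sudoers manual or sudo's source): how the
# "canonical" host name is derived from an /etc/hosts entry and whether the
# fqdn flag would be effective for it.  The hosts lines are constructed.
import ipaddress

HOSTS_SAMPLE = """\
# constructed /etc/hosts for the example
127.0.0.1   localhost
192.168.1.1 xyzzy.sudo.ws xyzzy          # canonical name is fully qualified
192.168.1.2 plugh plugh.sudo.ws          # canonical name is the short form
"""

def parse_hosts(text):
    """Return a list of (address, canonical, [aliases]) tuples.

    Comments and blank lines are skipped; the first name after the address
    is the canonical name, later names are aliases (which sudoers ignores).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)      # raises ValueError on a malformed address
        if not names:
            raise ValueError(f"no host name in hosts entry: {raw!r}")
        entries.append((addr, names[0], names[1:]))
    return entries

def canonical_name(entries, name):
    """Canonical name of the entry whose canonical name or alias equals `name`."""
    for _addr, canon, aliases in entries:
        if name == canon or name in aliases:
            return canon
    return None

def is_fqdn(hostname):
    """True when the name carries a domain part (contains a dot)."""
    return "." in hostname.strip(".")

def fqdn_effective(entries, local_hostname):
    """Would a fully qualified name in sudoers match this host via /etc/hosts?"""
    canon = canonical_name(entries, local_hostname)
    return canon is not None and is_fqdn(canon)
```

For the plugh entry the alias is the fully qualified form, so a sudoers rule written for plugh.sudo.ws would not match while /etc/hosts is consulted before DNS.
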
ignore_audit_errors
                Allow commands to be run even if sudoers cannot write to the audit log. If enabled, an audit log write failure is not treated as a fatal error. If disabled, a command may only be run after the audit event is successfully written. This flag is only effective on systems for which sudoers supports audit logging, including FreeBSD, Linux, macOS, and Solaris. This flag is on by default.

ignore_dot      If set, sudo will ignore "." or "" (both denoting the current directory) in the PATH environment variable; the PATH itself is not modified. This flag is on by default.

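A PATH search that skips "." and "" the way ignore_dot describes, as an added example that is not from the sudoers manual or sudo's source. The file system is replaced by a constructed set of paths (the `EXISTING` set and the `exists` predicate are assumptions of the example) so it runs offline; a real lookup would test for an executable file instead.

```python
# Added example (not from the sudoers manual or sudo's source): a PATH search
# that skips "." and "" entries as the ignore_dot flag describes.  The file
# system is stubbed by a constructed set of paths so the example runs offline.
import posixpath

# Constructed: files that "exist" for this example.
EXISTING = {
    "/usr/bin/ls",
    "/home/alice/ls",      # a user-writable impostor in the working directory
}

def search_dirs(path_value, ignore_dot=True):
    """Directories searched for a command, in order.

    With ignore_dot, "." and the empty entry ("") are skipped; the PATH value
    itself is left unchanged for the command that eventually runs.
    """
    dirs = path_value.split(":")
    if ignore_dot:
        dirs = [d for d in dirs if d not in (".", "")]
    return dirs

def find_command(cmd, path_value, cwd, ignore_dot=True, exists=EXISTING.__contains__):
    """Resolve a bare command name against PATH.

    Relative PATH entries are interpreted from `cwd`, which is how "." and
    "" behave; a name containing a slash is never searched for.
    """
    if "/" in cmd:
        return cmd if exists(cmd) else None
    for d in search_dirs(path_value, ignore_dot):
        base = d if d else "."           # "" means the current directory
        candidate = posixpath.normpath(posixpath.join(cwd, base, cmd))
        if exists(candidate):
            return candidate
    return None
```

With ignore_dot off, a user who can write to the working directory gets their own `ls` run instead of /usr/bin/ls; with it on (the default) the impostor is never considered even though PATH still lists ".".
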
ignore_iolog_errors
                Allow commands to be run even if sudoers cannot write to the I/O log (local or remote). If enabled, an I/O log write failure is not treated as a fatal error. If disabled, the command will be terminated if the I/O log cannot be written to. This flag is off by default.

ignore_logfile_errors
                Allow commands to be run even if sudoers cannot write to the log file. If enabled, a log file write failure is not treated as a fatal error. If disabled, a command may only be run after the log file entry is successfully written. This flag only has an effect when sudoers is configured to use file-based logging via the logfile setting. This flag is on by default.

ignore_local_sudoers
                If set via LDAP, parsing of /etc/sudoers will be skipped. This is intended for sites that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to /etc/sudoers. When this flag is enabled, /etc/sudoers does not even need to exist. Since this flag tells sudo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the ‘cn=defaults’ section. This flag is off by default.

ignore_unknown_defaults
                If set, sudo will not produce a warning if it encounters an unknown Defaults entry in the sudoers file or an unknown sudoOption in LDAP. This flag is off by default.

insults         If set, sudo will insult users when they enter an incorrect password. This flag is off by default.

log_allowed     If set, sudoers will log commands allowed by the policy to the system audit log (where supported) as well as to syslog and/or a log file. This flag is on by default.

                This setting is only supported by version 1.8.29 or higher.

log_denied      If set, sudoers will log commands denied by the policy to the system audit log (where supported) as well as to syslog and/or a log file. This flag is on by default.

                This setting is only supported by version 1.8.29 or higher.

log_exit_status If set, sudoers will log the exit value of commands that are run to syslog and/or a log file. If a command was terminated by a signal, the signal name is logged as well. This flag is off by default.

                This setting is only supported by version 1.9.8 or higher.

log_host        If set, the host name will be included in log entries written to the file configured by the logfile setting. This flag is off by default.

log_input       If set, sudo will run the command in a pseudo-terminal (if sudo was run from a terminal) and log all user input. If the standard input is not connected to the user's terminal, due to I/O redirection or because the command is part of a pipeline, that input is also logged. For more information about I/O logging, see the I/O LOGGING section. This flag is off by default.

log_output      If set, sudo will run the command in a pseudo-terminal (if sudo was run from a terminal) and log all output that is sent to the user's terminal, the standard output or the standard error. If the standard output or standard error is not connected to the user's terminal, due to I/O redirection or because the command is part of a pipeline, that output is also logged. For more information about I/O logging, see the I/O LOGGING section. This flag is off by default.

log_server_keepalive
                If set, sudo will enable the TCP keepalive socket option on the connection to the log server. This enables the periodic transmission of keepalive messages to the server. If the server does not respond to a message, the connection will be closed and the running command will be terminated unless the ignore_iolog_errors flag (I/O logging enabled) or the ignore_log_errors flag (I/O logging disabled) is set. This flag is on by default.

                This setting is only supported by version 1.9.0 or higher.

log_server_verify
                If set, the server certificate received during the TLS handshake must be valid and it must contain either the server name (from log_servers) or its IP address. If either of these conditions is not met, the TLS handshake will fail. This flag is on by default.

                This setting is only supported by version 1.9.0 or higher.

log_stderr      If set, sudo will log the standard error if it is not connected to the user's terminal. This can be used to log output to a pipe or redirected to a file. This flag is off by default but is enabled when either the log_output flag or the LOG_OUTPUT command tag is set.

log_stdin       If set, sudo will log the standard input if it is not connected to the user's terminal. This can be used to log input from a pipe or redirected from a file. This flag is off by default but is enabled when either the log_input flag or the LOG_INPUT command tag is set.

log_stdout      If set, sudo will log the standard output if it is not connected to the user's terminal. This can be used to log output to a pipe or redirected to a file. This flag is off by default but is enabled when either the log_output flag or the LOG_OUTPUT command tag is set.

log_subcmds     If set, sudoers will log when a command spawns a child process and executes a program using the execve(2), execl(3), execle(3), execlp(3), execv(3), execvp(3), execvpe(3), or system(3) library functions. For example, if a shell is run by sudo, the individual commands run via the shell will be logged. This flag is off by default.

                The log_subcmds flag uses the same underlying mechanism as the intercept setting. See Preventing shell escapes for more information on what systems support this option and its limitations. This setting is only supported by version 1.9.8 or higher and is incompatible with SELinux RBAC support unless the system supports seccomp(2) filter mode.

log_ttyin       If set, sudo will run the command in a pseudo-terminal and log user keystrokes sent to the user's terminal, if one is present. This flag is off by default but is enabled when either the log_input flag or the LOG_INPUT command tag is set. If no terminal is present, for example when running a remote command using ssh(1), this flag will have no effect.

log_ttyout      If set, sudo will run the command in a pseudo-terminal and log all output displayed on the user's terminal, if one is present. This flag is off by default but is enabled when either the log_output flag or the LOG_OUTPUT command tag is set. If no terminal is present, for example when running a remote command using ssh(1), this flag will have no effect.

log_year        If set, the four-digit year will be logged in the (non-syslog) sudo log file. This flag is off by default.

long_otp_prompt When validating with a One Time Password (OTP) scheme such as S/Key or OPIE, a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is off by default.

mail_all_cmnds  Send mail to the mailto user every time a user attempts to run a command via sudo (this includes sudoedit). No mail will be sent if the user runs sudo with the -l or -v option unless there is an authentication error and the mail_badpass flag is also set. This flag is off by default.

mail_always     Send mail to the mailto user every time a user runs sudo. This flag is off by default.

mail_badpass    Send mail to the mailto user if the user running sudo does not enter the correct password. If the command the user is attempting to run is not permitted by sudoers and one of the mail_all_cmnds, mail_always, mail_no_host, mail_no_perms or mail_no_user flags is set, this flag will have no effect. This flag is off by default.

mail_no_host    If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.

mail_no_perms   If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.

mail_no_user    If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

match_group_by_gid
                By default, sudoers will look up each group the user is a member of by group-ID to determine the group name (this is only done once). The resulting list of the user's group names is used when matching groups listed in the sudoers file. This works well on systems where the number of groups listed in the sudoers file is larger than the number of groups a typical user belongs to. On systems where group lookups are slow, where users may belong to a large number of groups, or where the number of groups listed in the sudoers file is relatively small, it may be prohibitively expensive and running commands via sudo may take longer than normal. On such systems it may be faster to use the match_group_by_gid flag to avoid resolving the user's group-IDs to group names. In this case, sudoers must look up any group name listed in the sudoers file and use the group-ID instead of the group name when determining whether the user is a member of the group.

                If match_group_by_gid is enabled, group database lookups performed by sudoers will be keyed by group name as opposed to group-ID. On systems where there are multiple sources for the group database, it is possible to have conflicting group names or group-IDs in the local /etc/group file and the remote group database. On such systems, enabling or disabling match_group_by_gid can be used to choose whether group database queries are performed by name (enabled) or ID (disabled), which may aid in working around group entry conflicts.

                The match_group_by_gid flag has no effect when sudoers data is stored in LDAP. This flag is off by default.

                This setting is only supported by version 1.8.18 or higher.

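The two matching strategies described under match_group_by_gid, as an added example that is not from the sudoers manual or sudo's source. It runs both strategies against a constructed pair of group databases in which the local /etc/group and a remote directory disagree about the gid of "wheel"; the local-before-remote lookup order is an assumption of the example, not something the manual states.

```python
# Added example (not from the sudoers manual or sudo's source): the two group
# matching strategies selected by match_group_by_gid, run against constructed
# group databases in which the local file and a remote source conflict.
# Lookups consult the local file first, then the remote source (an assumed
# nsswitch ordering for this example).

# Constructed group databases: name -> gid.
LOCAL_GROUPS = {"wheel": 10, "staff": 50}
REMOTE_GROUPS = {"wheel": 1010, "admins": 2000, "staff": 2050}

def lookup_by_gid(gid):
    """getgrgid(3)-style lookup: local file before remote source."""
    for db in (LOCAL_GROUPS, REMOTE_GROUPS):
        for name, g in db.items():
            if g == gid:
                return name
    return None

def lookup_by_name(name):
    """getgrnam(3)-style lookup: local file before remote source."""
    for db in (LOCAL_GROUPS, REMOTE_GROUPS):
        if name in db:
            return db[name]
    return None

def user_in_group(user_gids, sudoers_group, match_group_by_gid):
    """Does a user whose group-IDs are `user_gids` match %sudoers_group?

    Disabled (the default): each of the user's gids is resolved to a name and
    the names are compared with the sudoers entry.
    Enabled: the sudoers group name is resolved to a gid once and compared
    with the user's gids.
    """
    if match_group_by_gid:
        gid = lookup_by_name(sudoers_group)
        return gid is not None and gid in user_gids
    names = {n for n in (lookup_by_gid(g) for g in user_gids) if n is not None}
    return sudoers_group in names
```

A directory user whose gids are {1010, 2000} is in "wheel" by name (gid 1010 resolves to the remote "wheel") but not by gid (the name "wheel" resolves to the local gid 10), which is the kind of conflict the manual says the flag can be used to work around; whichever way it is set, the decision should be checked against the intended group membership.
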
intercept       If set, all commands run via sudo will behave as if the INTERCEPT tag has been set, unless overridden by a NOINTERCEPT tag. See the description of INTERCEPT and NOINTERCEPT above as well as the Preventing shell escapes section at the end of this manual. This flag is off by default.

                This setting is only supported by version 1.9.8 or higher and is incompatible with SELinux RBAC support unless the system supports seccomp(2) filter mode.

intercept_allow_setid
                On most systems, the dynamic loader will ignore LD_PRELOAD (or the equivalent) when running set-user-ID and set-group-ID programs, effectively disabling intercept mode. To prevent this from happening, sudoers will not permit a set-user-ID or set-group-ID program to be run in intercept mode unless intercept_allow_setid is enabled. This flag has no effect unless the intercept flag is enabled or the INTERCEPT tag has been set for the command. This flag is on by default when the intercept_type option is set to trace, otherwise it defaults to off.

                This setting is only supported by version 1.9.8 or higher.

intercept_authenticate
                If set, commands run by an intercepted process must be authenticated when the user's time stamp is not current. For example, if a shell is run with intercept enabled, as soon as the invoking user's time stamp is out of date, subsequent commands will need to be authenticated. This flag has no effect unless the intercept flag is enabled or the INTERCEPT tag has been set for the command. This flag is off by default.

                This setting is only supported by version 1.9.8 or higher.

intercept_verify
                If set, sudo will attempt to verify that a command run in intercept mode has the expected path name, command line arguments and environment.

                The process will be stopped after execve(2) has completed but before the new command has had a chance to run. To verify the command, sudo will read the command's path from /proc/PID/exe, the command line arguments and environment from the process's memory, and compare them against the arguments that were passed to execve(2). In the event of a mismatch, the command will be sent a SIGKILL signal and terminated.

                This can help prevent a time of check versus time of use issue with intercept mode where the execve(2) arguments could be altered after the sudoers policy check. The checks can only be performed if the proc(5) file system is available. This flag has no effect unless the intercept flag is enabled or the INTERCEPT tag has been set for the command and the intercept_type option is set to trace. This flag is on by default.

                This setting is only supported by version 1.9.12 or higher.

netgroup_tuple  If set, netgroup lookups will be performed using the full netgroup tuple: host name, user name, and domain (if one is set). Historically, sudo only matched the user name and domain for netgroups used in a User_List and only matched the host name and domain for netgroups used in a Host_List. This flag is off by default.

noexec          If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden by an EXEC tag. See the description of EXEC and NOEXEC above as well as the Preventing shell escapes section at the end of this manual. This flag is off by default.

noninteractive_auth
                If set, authentication will be attempted even in non-interactive mode (when sudo's -n option is specified). This allows authentication methods that don't require user interaction to succeed. Authentication methods that require input from the user's terminal will still fail. If disabled, authentication will not be attempted in non-interactive mode. This flag is off by default.

                This setting is only supported by version 1.9.10 or higher.

pam_acct_mgmt   On systems that use PAM for authentication, sudo will perform PAM account validation for the invoking user by default. The actual checks performed depend on which PAM modules are configured. If enabled, account validation will be performed regardless of whether or not a password is required. This flag is on by default.

                This setting is only supported by version 1.8.28 or higher.

pam_rhost       On systems that use PAM for authentication, sudo will set the PAM remote host value to the name of the local host when the pam_rhost flag is enabled. On Linux systems, enabling pam_rhost may result in DNS lookups of the local host name when PAM is initialized. On Solaris versions prior to Solaris 8, pam_rhost must be enabled if pam_ruser is also enabled to avoid a crash in the Solaris PAM implementation.

                This flag is off by default on systems other than Solaris.

                This setting is only supported by version 1.9.0 or higher.

pam_ruser       On systems that use PAM for authentication, sudo will set the PAM remote user value to the name of the user that invoked sudo when the pam_ruser flag is enabled. This flag is on by default.

                This setting is only supported by version 1.9.0 or higher.

pam_session     On systems that use PAM for authentication, sudo will create a new PAM session for the command to be run in. Unless sudo is given the -i or -s options, PAM session modules are run with the “silent” flag enabled. This prevents last login information from being displayed for every command on some systems. Disabling pam_session may be needed on older PAM implementations or on operating systems where opening a PAM session changes the utmp or wtmp files. If PAM session support is disabled, resource limits may not be updated for the command being run. If pam_session, pam_setcred, and use_pty are disabled, log_servers has not been set and I/O logging has not been configured, sudo will execute the command directly instead of running it as a child process. This flag is on by default.

                This setting is only supported by version 1.8.7 or higher.

pam_setcred     On systems that use PAM for authentication, sudo will attempt to establish credentials for the target user by default, if supported by the underlying authentication system. One example of a credential is a Kerberos ticket. If pam_session, pam_setcred, and use_pty are disabled, log_servers has not been set and I/O logging has not been configured, sudo will execute the command directly instead of running it as a child process. This flag is on by default.

                This setting is only supported by version 1.8.8 or higher.

passprompt_override
                If set, the prompt specified by passprompt or the SUDO_PROMPT environment variable will always be used and will replace the prompt provided by a PAM module or other authentication method. This flag is off by default.

path_info       Normally, sudo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of executables that the normal user does not have access to. The disadvantage is that if the executable is simply not in the user's PATH, sudo will tell the user that they are not allowed to run it, which can be confusing. This flag is on by default.

preserve_groups By default, sudo will initialize the group vector to the list of groups the target user is in. When preserve_groups is set, the user's existing group vector is left unaltered. The real and effective group-IDs, however, are still set to match the target user. This flag is off by default.

pwfeedback      By default, sudo reads the password like most other Unix programs, by turning off echo until the user hits the return (or enter) key. Some users become confused by this as it appears to them that sudo has hung at this point. When pwfeedback is set, sudo will provide visual feedback when the user presses a key. This does have a security impact as an onlooker may be able to determine the length of the password being entered. This flag is off by default.

requiretty      If set, sudo will only run when the user is logged in to a real tty. When this flag is set, sudo can only be run from a login session and not via other means such as cron(8) or cgi-bin scripts. This flag is off by default.

root_sudo       If set, root is allowed to run sudo too. Disabling this prevents users from “chaining” sudo commands to get a root shell by doing something like ‘sudo sudo /bin/sh’. Note, however, that turning off root_sudo will also prevent root from running sudoedit. Disabling root_sudo provides no real additional security; it exists purely for historical reasons. This flag is on by default.

rootpw          If set, sudo will prompt for the root password instead of the password of the invoking user when running a command or editing a file. This flag is off by default.

runas_allow_unknown_id
                If enabled, allow matching of runas user and group IDs that are not present in the password or group databases. In addition to explicitly matching unknown user or group IDs in a Runas_List, this option also allows the ALL alias to match unknown IDs. This flag is off by default.

                This setting is only supported by version 1.8.30 or higher. Older versions of sudo always allowed matching of unknown user and group IDs.

runas_check_shell
                If enabled, sudo will only run commands as a user whose shell appears in the /etc/shells file, even if the invoking user's Runas_List would otherwise permit it. If no /etc/shells file is present, a system-dependent list of built-in default shells is used. On many operating systems, system users such as “bin” do not have a valid shell and this flag can be used to prevent commands from being run as those users. This flag is off by default.

                This setting is only supported by version 1.8.30 or higher.

runaspw         If set, sudo will prompt for the password of the user defined by the runas_default option (defaults to root) instead of the password of the invoking user when running a command or editing a file. This flag is off by default.

selinux         If enabled, the user may specify an SELinux role and/or type to use when running the command, as permitted by the SELinux policy. If SELinux is disabled on the system, this flag has no effect. This flag is on by default.

set_home        If enabled and sudo is invoked with the -s option, the HOME environment variable will be set to the home directory of the target user (which is the runas_default user unless the -u option is used). This flag is largely obsolete and has no effect unless the env_reset flag has been disabled or HOME is present in the env_keep list, both of which are strongly discouraged. This flag is off by default.

set_logname     Normally, sudo will set the LOGNAME and USER environment variables to the name of the target user (the user specified by runas_default unless the -u option is given). However, since some programs (including the RCS revision control system) use LOGNAME to determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option. The set_logname option will have no effect if the env_reset option has not been disabled and the env_keep list contains LOGNAME or USER. This flag is on by default.

set_utmp        When enabled, sudo will create an entry in the utmp (or utmpx) file when a pseudo-terminal is allocated. A pseudo-terminal is allocated by sudo when it is running in a terminal and one or more of the log_input, log_output, log_stdin, log_stdout, log_stderr, log_ttyin, log_ttyout, or use_pty flags is enabled. By default, the new entry will be a copy of the user's existing utmp entry (if any), with the tty, time, type, and pid fields updated. This flag is on by default.

setenv          Allow the user to disable the env_reset option from the command line via the -E option. Additionally, environment variables set via the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep. As such, only trusted users should be allowed to set variables in this manner. This flag is off by default.

shell_noargs    If set and sudo is invoked with no arguments it acts as if the -s option had been given. That is, it runs a shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). This flag is off by default.

stay_setuid     Normally, when sudo executes a command the real and effective user-IDs are set to the target user (root by default). This option changes that behavior such that the real user-ID is left as the invoking user's user-ID. In other words, this makes sudo act as a set-user-ID wrapper. This can be useful on systems that disable some potentially dangerous functionality when a program is run set-user-ID. This option is only effective on systems that support either the setreuid(2) or setresuid(2) system call. This flag is off by default.

sudoedit_checkdir
                If set, sudoedit will check all directory components of the path to be edited for writability by the invoking user. Symbolic links will not be followed in writable directories and sudoedit will refuse to edit a file located in a writable directory. These restrictions are not enforced when sudoedit is run by root. On some systems, if all directory components of the path to be edited are not readable by the target user, sudoedit will be unable to edit the file. This flag is on by default.

                This setting was first introduced in version 1.8.15 but initially suffered from a race condition. The check for symbolic links in writable intermediate directories was added in version 1.8.16.

sudoedit_follow By default, sudoedit will not follow symbolic links when opening files. The sudoedit_follow option can be enabled to allow sudoedit to open symbolic links. It may be overridden on a per-command basis by the FOLLOW and NOFOLLOW tags. This flag is off by default.

                This setting is only supported by version 1.8.15 or higher.

syslog_pid      When logging via syslog(3), include the process ID in the log entry. This flag is off by default.

                This setting is only supported by version 1.8.21 or higher.

targetpw        If set, sudo will prompt for the password of the user specified by the -u option (defaults to the value of runas_default) instead of the password of the invoking user when running a command or editing a file. This flag precludes the use of a user-ID not listed in the passwd database as an argument to the -u option. This flag is off by default.

tty_tickets     If set, users must authenticate on a per-tty basis. With this flag enabled, sudo will use a separate record in the time stamp file for each terminal. If disabled, a single record is used for all login sessions.

                This option has been superseded by the timestamp_type option.

umask_override  If set, sudo will set the umask as specified in the sudoers file without modification. This makes it possible to specify a umask in the sudoers file that is more permissive than the user's own umask and matches historical behavior. If umask_override is not set, sudo will set the umask to be the union of the user's umask and what is specified in sudoers. This flag is off by default.

use_netgroups   If set, netgroups (prefixed with ‘+’), may be used in place of a user or host. For LDAP-based sudoers, netgroup support requires an expensive sub-string match on the server unless the NETGROUP_BASE directive is present in the /etc/ldap.conf file. If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server. This flag is on by default.

use_pty         If set, and sudo is running in a terminal, the command will be run in a new pseudo-terminal. If the sudo process is not attached to a terminal, use_pty has no effect.

                A malicious program run under sudo may be capable of injecting commands into the user's terminal or running a background process that retains access to the user's terminal device even after the main program has finished executing. By running the command in a separate pseudo-terminal, this attack is no longer possible. This flag is on by default for sudo 1.9.14 and above.

user_command_timeouts
                If set, the user may specify a timeout on the command line. If the timeout expires before the command has exited, the command will be terminated. If a timeout is specified both in the sudoers file and on the command line, the smaller of the two timeouts will be used. See the Timeout_Spec section for a description of the timeout syntax. This flag is off by default.

                This setting is only supported by version 1.8.20 or higher.

utmp_runas      If set, sudo will store the name of the runas user when updating the utmp (or utmpx) file. By default, sudo stores the name of the invoking user. This flag is off by default.

visiblepw       By default, sudo will refuse to run if the user must enter a password but it is not possible to disable echo on the terminal. If the visiblepw flag is set, sudo will prompt for a password even when it would be visible on the screen. This makes it possible to run things like ‘ssh somehost sudo ls’ since by default, ssh(1) does not allocate a tty when running a command. This flag is off by default.

Integers:

closefrom       Before it executes a command, sudo will close all open file descriptors other than standard input, standard output, and standard error (file descriptors 0-2). The closefrom option can be used to specify a different file descriptor at which to start closing. The default is 3.

command_timeout The maximum amount of time a command is allowed to run before it is terminated. See the Timeout_Spec section for a description of the timeout syntax.

                This setting is only supported by version 1.8.20 or higher.

log_server_timeout
                The maximum amount of time to wait when connecting to a log server or waiting for a server response. See the Timeout_Spec section for a description of the timeout syntax. The default value is 30 seconds.

                This setting is only supported by version 1.9.0 or higher.

maxseq          The maximum sequence number that will be substituted for the ‘%{seq}’ escape in the I/O log file (see the iolog_dir description below for more information). While the value substituted for ‘%{seq}’ is in base 36, maxseq itself should be expressed in decimal. Values larger than 2176782336 (which corresponds to the base 36 sequence number “ZZZZZZ”) will be silently truncated to 2176782336. The default value is 2176782336.

                Once the local sequence number reaches the value of maxseq, it will “roll over” to zero, after which sudoers will truncate and re-use any existing I/O log path names.

                This setting is only supported by version 1.8.7 or higher.

2052 passwd_tries The number of tries a user gets to enter his/her pass‐
2053 word before sudo logs the failure and exits. The de‐
2054 fault is 3.
2055
2056 syslog_maxlen On many systems, syslog(3) has a relatively small log
2057 buffer. IETF RFC 5424 states that syslog servers must
2058 support messages of at least 480 bytes and should sup‐
2059 port messages up to 2048 bytes. By default, sudoers
2060 creates log messages up to 980 bytes which corresponds
2061 to the historic BSD syslog implementation which used a
2062 1024 byte buffer to store the message, date, hostname,
2063 and program name. To prevent syslog messages from be‐
2064 ing truncated, sudoers will split up log messages that
2065 are larger than syslog_maxlen bytes. When a message is
2066 split, additional parts will include the string
2067 “(command continued)” after the user name and before
2068 the continued command line arguments.
2069
2070 This setting is only supported by version 1.8.19 or
2071 higher.
2072
2073 Integers that can be used in a boolean context:
2074
2075 loglinelen Number of characters per line for the file log. This
2076 value is used to decide when to wrap lines for nicer
2077 log files. This has no effect on the syslog log file,
2078 only the file log. The default is 80 (use 0 or negate
2079 the option to disable word wrap).
2080
2081 passwd_timeout Number of minutes before the sudo password prompt times
2082 out, or 0 for no timeout. The timeout may include a
2083 fractional component if minute granularity is insuffi‐
2084 cient, for example 2.5. The default is 5.
2085
2086 timestamp_timeout
2087 Number of minutes that can elapse before sudo will ask
2088 for a password again. The timeout may include a frac‐
2089 tional component if minute granularity is insufficient,
2090 for example 2.5. The default is 5. Set this to 0 to
2091 always prompt for a password. If set to a value less
2092 than 0 the user's time stamp will not expire until the
2093 system is rebooted. This can be used to allow users to
2094 create or delete their own time stamps via ‘sudo -v’
2095 and ‘sudo -k’ respectively.
2096
2097 umask File mode creation mask to use when running the com‐
2098 mand. Negate this option or set it to 0777 to prevent
2099 sudoers from changing the umask. Unless the
2100 umask_override flag is set, the actual umask will be
2101 the union of the user's umask and the value of the
2102 umask setting, which defaults to 0022. This guarantees
2103 that sudo never lowers the umask when running a com‐
2104 mand.
2105
2106 If umask is explicitly set in sudoers, it will override
2107 any umask setting in PAM or login.conf. If umask is
2108 not set in sudoers, the umask specified by PAM or lo‐
2109 gin.conf will take precedence. The umask setting in
2110 PAM is not used for sudoedit, which does not create a
2111 new PAM session.
2112
2113 Strings:
2114
2115 authfail_message Message that is displayed after a user fails to authen‐
2116 ticate. The message may include the ‘%d’ escape which
2117 will expand to the number of failed password attempts.
2118 If set, it overrides the default message, “%d incorrect
2119 password attempt(s)”.
2120
2121 badpass_message Message that is displayed if a user enters an incorrect
2122 password. The default is “Sorry, try again.” unless
2123 insults are enabled.
2124
2125 editor A colon (‘:’) separated list of editor path names used
2126 by sudoedit and visudo. For sudoedit, this list is
2127 used to find an editor when none of the SUDO_EDITOR,
2128 VISUAL or EDITOR environment variables are set to an
2129 editor that exists and is executable. For visudo, it
2130 is used as a white list of allowed editors; visudo will
2131 choose the editor that matches the user's SUDO_EDITOR,
2132 VISUAL or EDITOR environment variable if possible, or
2133 the first editor in the list that exists and is exe‐
2134 cutable if not. Unless invoked as sudoedit, sudo does
2135 not preserve the SUDO_EDITOR, VISUAL or EDITOR environ‐
2136 ment variables unless they are present in the env_keep
2137 list or the env_reset option is disabled. The default
2138 is /usr/bin/nano:/usr/bin/vim:/usr/bin/vi.
2139
2140 intercept_type The underlying mechanism used by the intercept and
2141 log_subcmds options. It has the following possible
2142 values:
2143
2144 dso Preload a dynamic shared object (shared li‐
2145 brary) that intercepts the execve(2), execl(3),
2146 execle(3), execlp(3), execv(3), execvp(3),
2147 execvpe(3), and system(3) library functions. A
2148 value of dso is incompatible with sudo's
2149 SELinux RBAC support.
2150
2151 trace Use ptrace(2) to intercept the execve(2) system
2152 call. This is only supported on Linux systems
2153 where seccomp(2) filtering is enabled. If the
2154 /proc/sys/kernel/seccomp/actions_avail file is
2155 missing or does not contain a “trap” element,
2156 setting intercept_type to trace will have no
2157 effect and dso will be used instead.
2158
2159 The default is to use trace if it is supported by the
2160 system and dso if it is not.
2161
2162 iolog_dir The top-level directory to use when constructing the
2163 path name for the input/output log directory. Only
2164 used if the log_input or log_output options are enabled
2165 or when the LOG_INPUT or LOG_OUTPUT tags are present
2166 for a command. The session sequence number, if any, is
2167 stored in the directory. The default is
2168 /var/log/sudo-io.
2169
2170 The following percent (‘%’) escape sequences are sup‐
2171 ported:
2172
2173 %{seq}
2174 expanded to a monotonically increasing base-36
2175 sequence number, such as 0100A5, where every two
2176 digits are used to form a new directory, e.g.,
2177 01/00/A5
2178
2179 %{user}
2180 expanded to the invoking user's login name
2181
2182 %{group}
2183 expanded to the name of the invoking user's real
2184 group-ID
2185
2186 %{runas_user}
2187 expanded to the login name of the user the com‐
2188 mand will be run as (e.g., root)
2189
2190 %{runas_group}
2191 expanded to the group name of the user the com‐
2192 mand will be run as (e.g., wheel)
2193
2194 %{hostname}
2195 expanded to the local host name without the do‐
2196 main name
2197
2198 %{command}
2199 expanded to the base name of the command being
2200 run
2201
2202 In addition, any escape sequences supported by the sys‐
2203 tem's strftime(3) function will be expanded.
2204
2205 To include a literal ‘%’ character, the string ‘%%’
2206 should be used.
2207
2208 iolog_file The path name, relative to iolog_dir, in which to store
2209 input/output logs when the log_input or log_output op‐
2210 tions are enabled or when the LOG_INPUT or LOG_OUTPUT
2211 tags are present for a command. iolog_file may contain
2212 directory components. The default is ‘%{seq}’.
2213
2214 See the iolog_dir option above for a list of supported
2215 percent (‘%’) escape sequences.
2216
2217 In addition to the escape sequences, path names that
2218 end in six or more Xs will have the Xs replaced with a
2219 unique combination of digits and letters, similar to
2220 the mktemp(3) function.
2221
2222 If the path created by concatenating iolog_dir and
2223 iolog_file already exists, the existing I/O log file
2224 will be truncated and overwritten unless iolog_file
2225 ends in six or more Xs.
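The maxseq, iolog_dir and iolog_file descriptions above define how an I/O log path is built: a base-36 session sequence number split into two-character directories, the %{...} escapes, strftime(3) escapes and the %% literal, and the mktemp(3)-style trailing Xs. The Python below is an added illustration of those rules and is not sudo's own code. The rollover check and the doubling of '%' inside expanded values (so strftime cannot reinterpret a user or host name) are assumptions about the behaviour, and the user, group, host, command and time values are constructed.

```python
import os
import secrets
import string
import time

BASE36 = string.digits + string.ascii_uppercase
MAXSEQ_LIMIT = 36 ** 6          # 2176782336; "ZZZZZZ" is MAXSEQ_LIMIT - 1


def clamp_maxseq(maxseq: int) -> int:
    """maxseq values larger than 2176782336 are silently truncated."""
    return min(maxseq, MAXSEQ_LIMIT)


def next_seq(current: int, maxseq: int) -> int:
    """Advance the session sequence number; it rolls over to zero once it
    reaches maxseq, after which existing log paths are truncated and re-used."""
    nxt = current + 1
    return nxt if nxt < clamp_maxseq(maxseq) else 0


def seq_to_base36(seq: int, width: int = 6) -> str:
    """Render the sequence number in upper-case base 36, zero-padded."""
    digits = []
    while seq:
        seq, rem = divmod(seq, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits)).rjust(width, "0")


def seq_to_dirs(seq: int) -> str:
    """%{seq}: every two base-36 digits form a directory, 0100A5 -> 01/00/A5."""
    text = seq_to_base36(seq)
    return "/".join(text[i:i + 2] for i in range(0, len(text), 2))


def expand_iolog_template(template: str, ctx: dict, seq: int,
                          now: time.struct_time) -> str:
    """Expand %{name} escapes; %% and strftime(3) escapes are left for
    strftime. Expanded values get any '%' doubled so they stay literal
    (assumption about how sudoers treats them)."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            end = template.find("}", i)
            if end < 0:
                raise ValueError("unterminated %{ escape in " + template)
            name = template[i + 2:end]
            if name == "seq":
                value = seq_to_dirs(seq)
            elif name in ctx:
                value = ctx[name]
            else:
                raise ValueError("unknown escape %{" + name + "}")
            out.append(value.replace("%", "%%"))
            i = end + 1
        elif template.startswith("%%", i):
            out.append("%%")              # becomes a single '%' in strftime
            i += 2
        else:
            out.append(template[i])
            i += 1
    return time.strftime("".join(out), now)


def finalize_iolog_file(path: str) -> str:
    """A path ending in six or more Xs gets the Xs replaced mktemp(3)-style;
    fewer than six Xs are left alone (and such a path may be overwritten)."""
    stripped = path.rstrip("X")
    count = len(path) - len(stripped)
    if count < 6:
        return path
    alphabet = string.ascii_letters + string.digits
    return stripped + "".join(secrets.choice(alphabet) for _ in range(count))


def iolog_path(iolog_dir: str, iolog_file: str, ctx: dict, seq: int,
               now: time.struct_time) -> str:
    """Concatenate iolog_dir and iolog_file after expanding both."""
    directory = expand_iolog_template(iolog_dir, ctx, seq, now)
    filename = expand_iolog_template(iolog_file, ctx, seq, now)
    return finalize_iolog_file(os.path.join(directory, filename))


# Constructed sample values, not taken from any real system.
SAMPLE_CTX = {"user": "alice", "group": "staff", "runas_user": "root",
              "runas_group": "wheel", "hostname": "db1", "command": "ls"}
SAMPLE_TIME = time.strptime("2024-01-02 03:04:05", "%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    # The defaults: iolog_dir=/var/log/sudo-io, iolog_file=%{seq}
    print(iolog_path("/var/log/sudo-io", "%{seq}", SAMPLE_CTX, 1679981, SAMPLE_TIME))
    # Defaults iolog_dir="/var/log/sudo-io/%{user}/%Y%m%d" iolog_file="%{command}.XXXXXX"
    print(iolog_path("/var/log/sudo-io/%{user}/%Y%m%d", "%{command}.XXXXXX",
                     SAMPLE_CTX, 1679981, SAMPLE_TIME))
```

With the defaults, sequence 1679981 lands in /var/log/sudo-io/01/00/A5; the second layout keeps one directory per user and day and relies on the random suffix instead of the sequence number, which is what prevents a rolled-over counter from truncating an earlier session's log.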
2226
2227 iolog_flush If set, sudo will flush I/O log data to disk after each
2228 write instead of buffering it. This makes it possible
2229 to view the logs in real-time as the program is execut‐
2230 ing but may significantly reduce the effectiveness of
2231 I/O log compression. This flag is off by default.
2232
2233 This setting is only supported by version 1.8.20 or
2234 higher.
2235
2236 iolog_group The group name to look up when setting the group-ID on
2237 new I/O log files and directories. If iolog_group is
2238 not set, the primary group-ID of the user specified by
2239 iolog_user is used. If neither iolog_group nor
2240 iolog_user are set, I/O log files and directories are
2241 created with group-ID 0.
2242
2243 This setting is only supported by version 1.8.19 or
2244 higher.
2245
2246 iolog_mode The file mode to use when creating I/O log files. Mode
2247 bits for read and write permissions for owner, group,
2248 or other are honored, everything else is ignored. The
2249 file permissions will always include the owner read and
2250 write bits, even if they are not present in the speci‐
2251 fied mode. When creating I/O log directories, search
2252 (execute) bits are added to match the read and write
2253 bits specified by iolog_mode. Defaults to 0600 (read
2254 and write by user only).
2255
2256 This setting is only supported by version 1.8.19 or
2257 higher.
2258
2259 iolog_user The user name to look up when setting the user and
2260 group-IDs on new I/O log files and directories. If
2261 iolog_group is set, it will be used instead of the
2262 user's primary group-ID. By default, I/O log files and
2263 directories are created with user and group-ID 0.
2264
2265 This setting can be useful when the I/O logs are stored
2266 on a Network File System (NFS) share. Having a dedi‐
2267 cated user own the I/O log files means that sudoers
2268 does not write to the log files as user-ID 0, which is
2269 usually not permitted by NFS.
2270
2271 This setting is only supported by version 1.8.19 or
2272 higher.
2273
2274 lecture_status_dir
2275 The directory in which sudo stores per-user lecture
2276 status files. Once a user has received the lecture, a
2277 zero-length file is created in this directory so that
2278 sudo will not lecture the user again. This directory
2279 should not be cleared when the system reboots. The de‐
2280 fault is /var/db/sudo/lectured.
2281
2282 log_server_cabundle
2283 The path to a certificate authority bundle file, in PEM
2284 format, to use instead of the system's default certifi‐
2285 cate authority database when authenticating the log
2286 server. The default is to use the system's default
2287 certificate authority database. This setting has no
2288 effect unless log_servers is set and the remote log
2289 server is secured with TLS.
2290
2291 This setting is only supported by version 1.9.0 or
2292 higher.
2293
2294 log_server_peer_cert
2295 The path to the sudo client's certificate file, in PEM
2296 format. This setting is required when the remote log
2297 server is secured with TLS and client certificate vali‐
2298 dation is enabled. For sudo_logsrvd, client certifi‐
2299 cate validation is controlled by the tls_checkpeer op‐
2300 tion, which defaults to false.
2301
2302 This setting is only supported by version 1.9.0 or
2303 higher.
2304
2305 log_server_peer_key
2306 The path to the sudo client's private key file, in PEM
2307 format. This setting is required when the remote log
2308 server is secured with TLS and client certificate vali‐
2309 dation is enabled. For sudo_logsrvd, client certifi‐
2310 cate validation is controlled by the tls_checkpeer
2311 flag, which defaults to false.
2312
2313 This setting is only supported by version 1.9.0 or
2314 higher.
2315
2316 mailsub Subject of the mail sent to the mailto user. The es‐
2317 cape ‘%h’ will expand to the host name of the machine.
2318 Default is “*** SECURITY information for %h ***”.
2319
2320 noexec_file As of sudo version 1.8.1 this option is no longer sup‐
2321 ported. The path to the noexec file should now be set
2322 in the sudo.conf(5) file.
2323
2324 pam_askpass_service
2325 On systems that use PAM for authentication, this is the
2326 service name used when the -A option is specified. The
2327 default value is either ‘sudo’ or ‘sudo-i’, depending
2328 on whether or not the -i option is also specified. See
2329 the description of pam_service for more information.
2330
2331 This setting is only supported by version 1.9.9 or
2332 higher.
2333
2334 pam_login_service
2335 On systems that use PAM for authentication, this is the
2336 service name used when the -i option is specified. The
2337 default value is ‘sudo-i’. See the description of
2338 pam_service for more information.
2339
2340 This setting is only supported by version 1.8.8 or
2341 higher.
2342
2343 pam_service On systems that use PAM for authentication, the service
2344 name specifies the PAM policy to apply. This usually
2345 corresponds to an entry in the pam.conf file or a file
2346 in the /etc/pam.d directory. The default value is
2347 ‘sudo’.
2348
2349 This setting is only supported by version 1.8.8 or
2350 higher.
2351
2352 passprompt The default prompt to use when asking for a password;
2353 can be overridden via the -p option or the SUDO_PROMPT
2354 environment variable. The following percent (‘%’) es‐
2355 cape sequences are supported:
2356
2357 %H expanded to the local host name including the do‐
2358 main name (only if the machine's host name is
2359 fully qualified or the fqdn option is set)
2360
2361 %h expanded to the local host name without the do‐
2362 main name
2363
2364 %p expanded to the user whose password is being
2365 asked for (respects the rootpw, targetpw and
2366 runaspw flags in sudoers)
2367
2368 %U expanded to the login name of the user the com‐
2369 mand will be run as (defaults to root)
2370
2371 %u expanded to the invoking user's login name
2372
2373 %% two consecutive ‘%’ characters are collapsed into
2374 a single ‘%’ character
2375
2376 On systems that use PAM for authentication, passprompt
2377 will only be used if the prompt provided by the PAM
2378 module matches the string “Password: ” or “username's
2379 Password: ”. This ensures that the passprompt setting
2380 does not interfere with challenge-response style au‐
2381 thentication. The passprompt_override flag can be used
2382 to change this behavior.
2383
2384 The default value is ‘[sudo] password for %p: ’.
2385
2386 role The default SELinux role to use when constructing a new
2387 security context to run the command. The default role
2388 may be overridden on a per-command basis in the sudoers
2389 file or via command line options. This option is only
2390 available when sudo is built with SELinux support.
2391
2392 runas_default The default user to run commands as if the -u option is
2393 not specified on the command line. This defaults to
2394 root.
2395
2396 sudoers_locale Locale to use when parsing the sudoers file, logging
2397 commands, and sending email. Changing the locale may
2398 affect how sudoers is interpreted. Defaults to ‘C’.
2399
2400 timestamp_type sudoers uses per-user time stamp files for credential
2401 caching. The timestamp_type option can be used to
2402 specify the type of time stamp record used. It has the
2403 following possible values:
2404
2405 global A single time stamp record is used for all of a
2406 user's login sessions, regardless of the termi‐
2407 nal or parent process ID. An additional record
2408 is used to serialize password prompts when sudo
2409 is used multiple times in a pipeline, but this
2410 does not affect authentication.
2411
2412 ppid A single time stamp record is used for all pro‐
2413 cesses with the same parent process ID (usually
2414 the shell). Commands run from the same shell
2415 (or other common parent process) will not re‐
2416 quire a password for timestamp_timeout minutes
2417 (5 by default). Commands run via sudo with a
2418 different parent process ID, for example from a
2419 shell script, will be authenticated separately.
2420
2421 tty One time stamp record is used for each termi‐
2422 nal, which means that a user's login sessions
2423 are authenticated separately. If no terminal
2424 is present, the behavior is the same as ppid.
2425 Commands run from the same terminal will not
2426 require a password for timestamp_timeout min‐
2427 utes (5 by default).
2428
2429 kernel The time stamp is stored in the kernel as an
2430 attribute of the terminal device. If no termi‐
2431 nal is present, the behavior is the same as
2432 ppid. Negative timestamp_timeout values are
2433 not supported and positive values are limited
2434 to a maximum of 60 minutes. This is currently
2435 only supported on OpenBSD.
2436
2437 The default value is tty.
2438
2439 This setting is only supported by version 1.8.21 or
2440 higher.
2441
2442 timestampdir The directory in which sudo stores its time stamp
2443 files. This directory should be cleared when the sys‐
2444 tem reboots. The default is /run/sudo/ts.
2445
2446 timestampowner The owner of the lecture status directory, time stamp
2447 directory and all files stored therein. The default is
2448 root.
2449
2450 type The default SELinux type to use when constructing a new
2451 security context to run the command. The default type
2452 may be overridden on a per-command basis in the sudoers
2453 file or via command line options. This option is only
2454 available when sudo is built with SELinux support.
2455
2456 Strings that can be used in a boolean context:
2457
2458 admin_flag The admin_flag option specifies the path to a file that is
2459 created the first time a user that is a member of the sudo
2460 or admin groups runs sudo. Only available if sudo is con‐
2461 figured with the --enable-admin-flag option. The default
2462 value is ~/.sudo_as_admin_successful.
2463
2464 env_file The env_file option specifies the fully qualified path to a
2465 file containing variables to be set in the environment of
2466 the program being run. Entries in this file should either
2467 be of the form ‘VARIABLE=value’ or ‘export VARIABLE=value’.
2468 The value may optionally be enclosed in single or double
2469 quotes. Variables in this file are only added if the vari‐
2470 able does not already exist in the environment. This file
2471 is considered to be part of the security policy, its con‐
2472 tents are not subject to other sudo environment restric‐
2473 tions such as env_keep and env_check.
2474
2475 exempt_group Users in this group are exempt from password and PATH re‐
2476 quirements. The group name specified should not include a
2477 ‘%’ prefix. This is not set by default.
2478
2479 fdexec Determines whether sudo will execute a command by its path
2480 or by an open file descriptor. It has the following possi‐
2481 ble values:
2482
2483 always Always execute by file descriptor.
2484
2485 never Never execute by file descriptor.
2486
2487 digest_only
2488 Only execute by file descriptor if the command has
2489 an associated digest in the sudoers file.
2490
2491 The default value is digest_only. Executing the already-opened and
2492 digest-verified file avoids a time-of-check/time-of-use (TOCTOU)
2493 race when the command is located in a directory writable by the invoking user.
2494
2495 fdexec will change the first element of the argument vector
2496 for scripts ($0 in the shell) due to the way the kernel
2497 runs script interpreters. Instead of being a normal path,
2498 it will refer to a file descriptor. For example, /dev/fd/4
2499 on Solaris and /proc/self/fd/4 on Linux. A workaround is
2500 to use the SUDO_COMMAND environment variable instead.
2501
2502 The fdexec setting is only used when the command is matched
2503 by path name. It has no effect if the command is matched
2504 by the built-in ALL alias.
2505
2506 This setting is only supported by version 1.8.20 or higher.
2507 If the operating system does not support the fexecve(2)
2508 system call, this setting has no effect.
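The race that fdexec closes can be shown in a few lines. The Python below is an added illustration, not sudo's implementation: it opens the command once, checks a SHA-256 digest over the bytes behind that descriptor and then hands the same descriptor to fexecve(2), so replacing the file in a user-writable directory between the check and the exec changes nothing. The throw-away script and its digest are constructed inline; the sudoers line in the comment assumes the Digest_Spec form sha256:<hex> in front of the command path.

```python
import hashlib
import os
import stat
import tempfile


def open_verified(path: str, expected_sha256: str) -> int:
    """Open path once and return the descriptor only if the file's SHA-256
    matches. The descriptor is deliberately not close-on-exec: for a #!
    script the kernel re-opens it as /proc/self/fd/N (the reason $0 changes
    under fdexec), which fails if the fd is closed on exec."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path}: not a regular file")
        digest = hashlib.sha256()
        while True:
            chunk = os.read(fd, 1 << 16)
            if not chunk:
                break
            digest.update(chunk)
        os.lseek(fd, 0, os.SEEK_SET)
        if digest.hexdigest() != expected_sha256.lower():
            raise PermissionError(f"{path}: digest mismatch, refusing to execute")
        return fd
    except BaseException:
        os.close(fd)
        raise


def run_verified(path: str, argv: list, env: dict, expected_sha256: str) -> None:
    """Check-then-execute with no window: what runs is the open file, not
    whatever the path names by the time of the exec. Does not return on
    success."""
    fd = open_verified(path, expected_sha256)
    os.fexecve(fd, argv, env)


def selfcheck() -> list:
    """Constructed sample: a temporary script checked with its real digest
    and then with a wrong one."""
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as tmp:
        tmp.write(b"#!/bin/sh\necho running as $0\n")
        path = tmp.name
    os.chmod(path, 0o755)
    with open(path, "rb") as f:
        good = hashlib.sha256(f.read()).hexdigest()
    results = []
    fd = open_verified(path, good)
    results.append(fd >= 0)
    os.close(fd)
    try:
        open_verified(path, "0" * 64)
        results.append(False)
    except PermissionError:
        results.append(True)
    os.unlink(path)
    return results


if __name__ == "__main__":
    # The corresponding policy, executed by descriptor because fdexec
    # defaults to digest_only (assumed Digest_Spec form):
    #   alice ALL = sha256:<hex of the binary> /usr/local/bin/deploy
    print(selfcheck())
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as tmp:
        tmp.write(b"#!/bin/sh\necho running as $0\n")
        script = tmp.name
    os.chmod(script, 0o755)
    with open(script, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    # On Linux this prints "running as /proc/self/fd/N", the $0 change noted
    # above; under sudo, SUDO_COMMAND still carries the real path.
    run_verified(script, [script], dict(os.environ), digest)
```

Hashing the descriptor rather than the path is the whole point: a second os.open() of the same path before the exec would reintroduce the race the digest was meant to remove.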
2509
2510 group_plugin A string containing a sudoers group plugin with optional
2511 arguments. The string should consist of the plugin path,
2512 either fully-qualified or relative to the /usr/libexec/sudo
2513 directory, followed by any configuration arguments the
2514 plugin requires. These arguments (if any) will be passed
2515 to the plugin's initialization function. If arguments are
2516 present, the string must be enclosed in double quotes ("").
2517
2518 On 64-bit systems, if the plugin is present but cannot be
2519 loaded, sudoers will look for a 64-bit version and, if it
2520 exists, load that as a fallback. The exact rules for this
2521 vary by system. On Solaris, if the plugin is stored in a
2522 directory ending in “lib”, sudoers will create a fallback
2523 path by appending “/64” to the directory name;
2524 /usr/lib/group_plugin.so becomes
2525 /usr/lib/64/group_plugin.so. On Linux, a directory ending
2526 in “lib” will be transformed to “lib64” as the fallback
2527 path; /usr/lib/group_plugin.so becomes
2528 /usr/lib64/group_plugin.so. On all other systems, the
2529 fallback path is generated by adding a “64” before the file
2530 extension; group_plugin.so becomes group_plugin64.so.
2531
2532 For more information see GROUP PROVIDER PLUGINS.
2533
2534 lecture This option controls when a short lecture will be printed
2535 along with the password prompt. It has the following pos‐
2536 sible values:
2537
2538 always Always lecture the user.
2539
2540 never Never lecture the user.
2541
2542 once Only lecture the user the first time they run sudo.
2543
2544 If no value is specified, a value of once is implied.
2545 Negating the option results in a value of never being used.
2546 The default value is once.
2547
2548 lecture_file Path to a file containing an alternate sudo lecture that
2549 will be used in place of the standard lecture if the named
2550 file exists. By default, sudo uses a built-in lecture.
2551
2552 listpw This option controls when a password will be required when
2553 a user runs sudo with the -l option. It has the following
2554 possible values:
2555
2556 all All the user's sudoers file entries for the current
2557 host must have the NOPASSWD flag set to avoid enter‐
2558 ing a password.
2559
2560 always
2561 The user must always enter a password to use the -l
2562 option.
2563
2564 any At least one of the user's sudoers file entries for
2565 the current host must have the NOPASSWD flag set to
2566 avoid entering a password.
2567
2568 never
2569 The user need never enter a password to use the -l
2570 option.
2571
2572 If no value is specified, a value of any is implied.
2573 Negating the option results in a value of never being used.
2574 The default value is any.
2575
2576 log_format The event log format. Supported log formats are:
2577
2578 json Logs in JSON format. JSON log entries contain the
2579 full user details as well as the execution environ‐
2580 ment if the command was allowed. Due to limitations
2581 of the protocol, JSON events sent via syslog may be
2582 truncated.
2583
2584 sudo Traditional sudo-style logs, see EVENT LOGGING for a
2585 description of the log file format.
2586
2587 This setting affects logs sent via syslog(3) as well as the
2588 file specified by the logfile setting, if any. The default
2589 value is sudo.
2590
2591 logfile Path to the sudo log file (not the syslog log file). Set‐
2592 ting a path turns on logging to a file; negating this op‐
2593 tion turns it off. By default, sudo logs via syslog.
2594
2595 mailerflags Flags to use when invoking mailer. Defaults to -t.
2596
2597 mailerpath Path to mail program used to send warning mail (negate to
2598 prevent sudo from sending mail). Defaults to the path to
2599 sendmail found at configure time.
2600
2601 mailfrom Address to use for the “from” address when sending warning
2602 and error mail. The address should be enclosed in double
2603 quotes ("") to protect against sudo interpreting the ‘@’
2604 sign. Defaults to the name of the user running sudo.
2605
2606 mailto Address to send warning and error mail to (negate to pre‐
2607 vent sudo from sending mail). The address should be en‐
2608 closed in double quotes ("") to protect against sudo inter‐
2609 preting the ‘@’ sign. Defaults to root.
2610
2611 rlimit_as The maximum size to which the process's address space may
2612 grow (in bytes), if supported by the operating system. See
2613 Resource limits for more information.
2614
2615 rlimit_core The largest size core dump file that may be created (in
2616 bytes). See Resource limits for more information. De‐
2617 faults to 0 (no core dump created).
2618
2619 rlimit_cpu The maximum amount of CPU time that the process may use (in
2620 seconds). See Resource limits for more information.
2621
2622 rlimit_data The maximum size of the data segment for the process (in
2623 bytes). See Resource limits for more information.
2624
2625 rlimit_fsize The largest size file that the process may create (in
2626 bytes). See Resource limits for more information.
2627
2628 rlimit_locks The maximum number of locks that the process may establish,
2629 if supported by the operating system. See Resource limits
2630 for more information.
2631
2632 rlimit_memlock
2633 The maximum size that the process may lock in memory (in
2634 bytes), if supported by the operating system. See Resource
2635 limits for more information.
2636
2637 rlimit_nofile
2638 The maximum number of files that the process may have open.
2639 See Resource limits for more information.
2640
2641 rlimit_nproc The maximum number of processes that the user may run si‐
2642 multaneously. See Resource limits for more information.
2643
2644 rlimit_rss The maximum size to which the process's resident set size
2645 may grow (in bytes). See Resource limits for more informa‐
2646 tion.
2647
2648 rlimit_stack The maximum size to which the process's stack may grow (in
2649 bytes). See Resource limits for more information.
2650
2651 restricted_env_file
2652 The restricted_env_file option specifies the fully quali‐
2653 fied path to a file containing variables to be set in the
2654 environment of the program being run. Entries in this file
2655 should either be of the form ‘VARIABLE=value’ or ‘export
2656 VARIABLE=value’. The value may optionally be enclosed in
2657 single or double quotes. Variables in this file are only
2658 added if the variable does not already exist in the envi‐
2659 ronment. Unlike env_file, the file's contents are not
2660 trusted and are processed in a manner similar to that of
2661 the invoking user's environment. If env_reset is enabled,
2662 variables in the file will only be added if they are
2663 matched by either the env_check or env_keep list. If
2664 env_reset is disabled, variables in the file are added as
2665 long as they are not matched by the env_delete list. In
2666 either case, the contents of restricted_env_file are pro‐
2667 cessed before the contents of env_file.
2668
2669 runchroot If set, sudo will use this value for the root directory
2670 when running a command. The special value “*” will allow
2671 the user to specify the root directory via sudo's -R op‐
2672 tion. See the Chroot_Spec section for more details.
2673
2674 It is only possible to use runchroot as a command-specific
2675 Defaults setting if the command exists with the same path
2676 both inside and outside the chroot jail. This restriction
2677 does not apply to global, host, or user-based Defaults set‐
2678 tings or to a Cmnd_Spec that includes a Chroot_Spec.
2679
2680 This setting is only supported by version 1.9.3 or higher.
2681
2682 runcwd If set, sudo will use this value for the working directory
2683 when running a command. The special value “*” will allow
2684 the user to specify the working directory via sudo's -D op‐
2685 tion. See the Chdir_Spec section for more details.
2686
2687 This setting is only supported by version 1.9.3 or higher.
2688
2689 secure_path If set, sudo will use this value in place of the user's
2690 PATH environment variable. This option can be used to re‐
2691 set the PATH to a known good value that contains directo‐
2692 ries for system administrator commands such as /usr/sbin.
2693
2694 Users in the group specified by the exempt_group option are
2695 not affected by secure_path. This option is not set by de‐
2696 fault.
2697
2698 syslog Syslog facility if syslog is being used for logging (negate
2699 to disable syslog logging). Defaults to authpriv.
2700
2701 The following syslog facilities are supported: authpriv (if
2702 your OS supports it), auth, daemon, user, local0, local1,
2703 local2, local3, local4, local5, local6, and local7.
2704
2705 syslog_badpri
2706 Syslog priority to use when the user is not allowed to run
2707 a command or when authentication is unsuccessful. Defaults
2708 to alert.
2709
2710 The following syslog priorities are supported: alert, crit,
2711 debug, emerg, err, info, notice, warning, and none. Negat‐
2712 ing the option or setting it to a value of none will dis‐
2713 able logging of unsuccessful commands.
2714
2715 syslog_goodpri
2716 Syslog priority to use when the user is allowed to run a
2717 command and authentication is successful. Defaults to no‐
2718 tice.
2719
2720 See syslog_badpri for the list of supported syslog priori‐
2721 ties. Negating the option or setting it to a value of none
2722 will disable logging of successful commands.
2723
2724 verifypw This option controls when a password will be required when
2725 a user runs sudo with the -v option. It has the following
2726 possible values:
2727
2728 all All the user's sudoers file entries for the current
2729 host must have the NOPASSWD flag set to avoid en‐
2730 tering a password.
2731
2732 always The user must always enter a password to use the -v
2733 option.
2734
2735 any At least one of the user's sudoers file entries for
2736 the current host must have the NOPASSWD flag set to
2737 avoid entering a password.
2738
2739 never The user need never enter a password to use the -v
2740 option.
2741
2742 If no value is specified, a value of all is implied.
2743 Negating the option results in a value of never being used.
2744 The default value is all.
2745
2746 Lists that can be used in a boolean context:
2747
2748 env_check Environment variables to be removed from the user's en‐
2749 vironment unless they are considered “safe”. For all
2750 variables except TZ, “safe” means that the variable's
2751 value does not contain any ‘%’ or ‘/’ characters. This
2752 can be used to guard against printf-style format vul‐
2753 nerabilities in poorly-written programs. The TZ vari‐
2754 able is considered unsafe if any of the following are
2755 true:
2756
2757 • It consists of a fully-qualified path name, option‐
2758 ally prefixed with a colon (‘:’), that does not
2759 match the location of the zoneinfo directory.
2760
2761 • It contains a .. path element.
2762
2763 • It contains white space or non-printable characters.
2764
2765 • It is longer than the value of PATH_MAX.
2766
2767 The argument may be a double-quoted, space-separated
2768 list or a single value without double-quotes. The list
2769 can be replaced, added to, deleted from, or disabled by
2770 using the ‘=’, ‘+=’, ‘-=’, and ‘!’ operators respec‐
2771 tively. Regardless of whether the env_reset option is
2772 enabled or disabled, variables specified by env_check
2773 will be preserved in the environment if they pass the
2774 aforementioned check. The global list of environment
2775 variables to check is displayed when sudo is run by
2776 root with the -V option.
2777
2778 env_delete Environment variables to be removed from the user's en‐
2779 vironment when the env_reset option is not in effect.
2780 The argument may be a double-quoted, space-separated
2781 list or a single value without double-quotes. The list
2782 can be replaced, added to, deleted from, or disabled by
2783 using the ‘=’, ‘+=’, ‘-=’, and ‘!’ operators respec‐
2784 tively. The global list of environment variables to
2785 remove is displayed when sudo is run by root with the
2786 -V option. Many operating systems will remove poten‐
2787 tially dangerous variables from the environment of any
2788 set-user-ID process (such as sudo).
2789
2790 env_keep Environment variables to be preserved in the user's en‐
2791 vironment when the env_reset option is in effect. This
2792 allows fine-grained control over the environment
2793 sudo-spawned processes will receive. The argument may
2794 be a double-quoted, space-separated list or a single
2795 value without double-quotes. The list can be replaced,
2796 added to, deleted from, or disabled by using the ‘=’,
2797 ‘+=’, ‘-=’, and ‘!’ operators respectively. The global
2798 list of variables to keep is displayed when sudo is run
2799 by root with the -V option.
2800
2801 Preserving the HOME environment variable has security
2802 implications since many programs use it when searching
2803 for configuration or data files. Adding HOME to
2804 env_keep may enable a user to run unrestricted commands
2805 via sudo and is strongly discouraged. Users wishing to
2806 edit files with sudo should run sudoedit (or sudo -e)
2807 to get their accustomed editor configuration instead of
2808 invoking the editor directly.
2809
2810 log_servers A list of one or more servers to use for remote event
2811 and I/O log storage, separated by white space. Log
2812 servers must be running sudo_logsrvd or another service
2813 that implements the protocol described by
2814 sudo_logsrv.proto(5).
2815
2816 Server addresses should be of the form
2817 “host[:port][(tls)]”. The host portion may be a host
2818 name, an IPv4 address, or an IPv6 address in square
2819 brackets.
2820
2821 If the optional tls flag is present, the connection
2822 will be secured with Transport Layer Security (TLS)
2823 version 1.2 or 1.3. Versions of TLS prior to 1.2 are
2824 not supported.
2825
2826 If a port is specified, it may either be a port number
2827 or a well-known service name as defined by the system
2828 service name database. If no port is specified, port
2829 30343 will be used for plaintext connections and port
2830 30344 will be used for TLS connections.
2831
2832 When log_servers is set, event log data will be logged
2833 both locally (see the syslog and log_file settings) as
2834 well as remotely, but I/O log data will only be logged
2835 remotely. If multiple hosts are specified, they will
2836 be attempted in reverse order. If no log servers are
2837 available, the user will not be able to run a command
2838 unless either the ignore_iolog_errors flag (I/O logging
2839 enabled) or the ignore_log_errors flag (I/O logging
2840 disabled) is set. Likewise, if the connection to the
2841 log server is interrupted while sudo is running, the
2842 command will be terminated unless the
2843 ignore_iolog_errors flag (I/O logging enabled) or the
2844 ignore_log_errors flag (I/O logging disabled) is set.
2845
2846 This setting is only supported by version 1.9.0 or
2847 higher.
2848
2849 passprompt_regex A list of POSIX extended regular expressions used to
2850 match password prompts in the terminal output. As an
2851 extension, if the regular expression begins with
2852 “(?i)”, it will be matched in a case-insensitive man‐
2853 ner. Each regular expression is limited to 1024 char‐
2854 acters. This option is only used when log_passwords
2855 has been disabled. The default value is “[Pp]assword[:
2856 ]*”
2857
2858 This setting is only supported by version 1.9.10 or
2859 higher.
2860
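The env_check rule above is easy to misread, so here is the "safe" test written out as an added example (not sudo's own code). ZONEINFO and PATH_MAX are assumed host values; sudo uses the ones compiled into it, and its real check list is the one printed by sudo -V as root. The sample environment and check list are constructed.

```python
"""Emulate the env_check "safe" test applied to variables in sudoers' env_check list.

Added example, not sudo's own code. ZONEINFO and PATH_MAX are assumed host values
(sudo uses the ones compiled into it); the sample environment and check list are constructed.
"""
from typing import Dict, Iterable

ZONEINFO = "/usr/share/zoneinfo"   # assumed zoneinfo directory
PATH_MAX = 4096                    # assumed; the real limit is the system's PATH_MAX


def tz_is_safe(value: str) -> bool:
    """TZ is unsafe if it is an absolute path (optionally ':'-prefixed) outside ZONEINFO,
    has a '..' path element, holds white space or non-printable characters, or is too long."""
    if len(value) > PATH_MAX:
        return False
    if any(ch.isspace() or not ch.isprintable() for ch in value):
        return False
    path = value[1:] if value.startswith(":") else value
    if path.startswith("/") and not (path == ZONEINFO or path.startswith(ZONEINFO + "/")):
        return False
    return ".." not in path.split("/")


def is_safe(name: str, value: str) -> bool:
    """For every variable but TZ, 'safe' means the value contains no '%' and no '/'."""
    if name == "TZ":
        return tz_is_safe(value)
    return "%" not in value and "/" not in value


def checked_env(env: Dict[str, str], env_check: Iterable[str]) -> Dict[str, str]:
    """Variables in env_check that pass, i.e. the ones sudo preserves whether or not
    env_reset is in effect; the rest of env is left to env_reset/env_keep/env_delete."""
    wanted = set(env_check)
    return {k: v for k, v in env.items() if k in wanted and is_safe(k, v)}


# Constructed sample: a caller's environment and the variables we choose to check.
SAMPLE_ENV = {
    "TERM": "xterm-256color",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "%n%n%n%n",                  # printf-style payload: dropped
    "COLORTERM": "truecolor",
    "LINGUAS": "en/../../etc",             # contains '/': dropped
    "TZ": ":/usr/share/zoneinfo/Europe/Zurich",
    "HOME": "/home/alice",                 # not in the check list: ignored here
}
CHECK_LIST = ["TERM", "LANG", "LC_ALL", "COLORTERM", "LINGUAS", "TZ"]

if __name__ == "__main__":
    for k, v in checked_env(SAMPLE_ENV, CHECK_LIST).items():
        print(f"kept {k}={v}")
```

Note that a value failing the check is simply dropped from the command's environment; it is not an error, so a user who sets LC_ALL to a format string sees the command run with the variable silently removed.
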
2861 GROUP PROVIDER PLUGINS
2862 The sudoers plugin supports its own plugin interface to allow non-Unix
2863 group lookups which can query a group source other than the standard Unix
2864 group database. This can be used to implement support for the
2865 nonunix_group syntax described earlier.
2866
2867 Group provider plugins are specified via the group_plugin setting. The
2868 argument to group_plugin should consist of the plugin path, either fully-
2869 qualified or relative to the /usr/libexec/sudo directory, followed by any
2870 configuration options the plugin requires. These options (if specified)
2871 will be passed to the plugin's initialization function. If options are
2872 present, the string must be enclosed in double quotes ("").
2873
2874 The following group provider plugins are installed by default:
2875
2876 group_file
2877 The group_file plugin supports an alternate group file that uses
2878 the same syntax as the /etc/group file. The path to the group file
2879 should be specified as an option to the plugin. For example, if
2880 the group file to be used is /etc/sudo-group:
2881
2882 Defaults group_plugin="group_file.so /etc/sudo-group"
2883
2884 system_group
2885 The system_group plugin supports group lookups via the standard C
2886 library functions getgrnam(3) and getgrgid(3). This plugin can be
2887 used in instances where the user belongs to groups not present in
2888 the user's supplemental group vector. This plugin takes no op‐
2889 tions:
2890
2891 Defaults group_plugin=system_group.so
2892
2893 The group provider plugin API is described in detail in sudo_plugin(5).
2894
2895 LOG FORMAT
2896 sudoers can log events in either JSON or sudo format; this section
2897 describes the sudo log format. Depending on sudoers configuration, sudoers
2898 can log events via syslog(3), to a local log file, or both. The log for‐
2899 mat is almost identical in both cases. Any control characters present in
2900 the log data are formatted in octal with a leading ‘#’ character. For
2901 example, a horizontal tab is stored as ‘#011’ and an embedded carriage
2902 return is stored as ‘#015’. In addition, space characters in the command
2903 path are stored as ‘#040’. Command line arguments that contain spaces
2904 are enclosed in single quotes (''). This makes it possible to distin‐
2905 guish multiple command line arguments from a single argument that con‐
2906 tains spaces. Literal single quotes and backslash characters (‘\’) in
2907 command line arguments are escaped with a backslash.
2908
2909 Accepted command log entries
2910 Commands that sudo runs are logged using the following format (split into
2911 multiple lines for readability):
2912
2913 date hostname progname: username : TTY=ttyname ; CHROOT=chroot ; \
2914 PWD=cwd ; USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2915 ENV=env_vars COMMAND=command
2916
2917 Where the fields are as follows:
2918
2919 date The date the command was run. Typically, this is in the
2920 format “MMM, DD, HH:MM:SS”. If logging via syslog(3), the
2921 actual date format is controlled by the syslog daemon. If
2922 logging to a file and the log_year option is enabled, the
2923 date will also include the year.
2924
2925 hostname The name of the host sudo was run on. This field is only
2926 present when logging via syslog(3).
2927
2928 progname The name of the program, usually sudo or sudoedit. This
2929 field is only present when logging via syslog(3).
2930
2931 username The login name of the user who ran sudo.
2932
2933 ttyname The short name of the terminal (e.g., “console”, “tty01”,
2934 or “pts/0”) sudo was run on, or “unknown” if there was no
2935 terminal present.
2936
2937 chroot The root directory that the command was run in, if one was
2938 specified.
2939
2940 cwd The current working directory that sudo was run in.
2941
2942 runasuser The user the command was run as.
2943
2944 runasgroup The group the command was run as if one was specified on
2945 the command line.
2946
2947 logid An I/O log identifier that can be used to replay the com‐
2948 mand's output. This is only present when the log_input or
2949 log_output option is enabled.
2950
2951 env_vars A list of environment variables specified on the command
2952 line, if specified.
2953
2954 command The actual command that was executed, including any command
2955 line arguments.
2956
2957 Messages are logged using the locale specified by sudoers_locale, which
2958 defaults to the ‘C’ locale.
2959
2960 Denied command log entries
2961 If the user is not allowed to run the command, the reason for the denial
2962 will follow the user name. Possible reasons include:
2963
2964 user NOT in sudoers
2965 The user is not listed in the sudoers file.
2966
2967 user NOT authorized on host
2968 The user is listed in the sudoers file but is not allowed to run com‐
2969 mands on the host.
2970
2971 command not allowed
2972 The user is listed in the sudoers file for the host but they are not
2973 allowed to run the specified command.
2974
2975 3 incorrect password attempts
2976 The user failed to enter their password after 3 tries. The actual num‐
2977 ber of tries will vary based on the number of failed attempts and the
2978 value of the passwd_tries option.
2979
2980 a password is required
2981 The -n option was specified but a password was required.
2982
2983 sorry, you are not allowed to set the following environment variables
2984 The user specified environment variables on the command line that were
2985 not allowed by sudoers.
2986
2987 Error log entries
2988 If an error occurs, sudoers will log a message and, in most cases, send a
2989 message to the administrator via email. Possible errors include:
2990
2991 parse error in /etc/sudoers near line N
2992 sudoers encountered an error when parsing the specified file. In some
2993 cases, the actual error may be one line above or below the line number
2994 listed, depending on the type of error.
2995
2996 problem with defaults entries
2997 The sudoers file contains one or more unknown Defaults settings. This
2998 does not prevent sudo from running, but the sudoers file should be
2999 checked using visudo.
3000
3001 timestamp owner (username): No such user
3002 The time stamp directory owner, as specified by the timestampowner set‐
3003 ting, could not be found in the password database.
3004
3005 unable to open/read /etc/sudoers
3006 The sudoers file could not be opened for reading. This can happen when
3007 the sudoers file is located on a remote file system that maps user-ID 0
3008 to a different value. Normally, sudoers tries to open the sudoers file
3009 using group permissions to avoid this problem. Consider either chang‐
3010 ing the ownership of /etc/sudoers or adding an argument like
3011 “sudoers_uid=N” (where ‘N’ is the user-ID that owns the sudoers file)
3012 to the end of the sudoers Plugin line in the sudo.conf(5) file.
3013
3014 unable to open /etc/sudoers
3015 The /etc/sudoers file is missing.
3016
3017 /etc/sudoers is not a regular file
3018 The /etc/sudoers file exists but is not a regular file or symbolic
3019 link.
3020
3021 /etc/sudoers is owned by uid N, should be 0
3022 The sudoers file has the wrong owner. If you wish to change the
3023 sudoers file owner, add “sudoers_uid=N” (where ‘N’ is the user-ID that
3024 owns the sudoers file) to the sudoers Plugin line in the sudo.conf(5)
3025 file.
3026
3027 /etc/sudoers is world writable
3028 The permissions on the sudoers file allow all users to write to it.
3029 The sudoers file must not be world-writable, the default file mode is
3030 0440 (readable by owner and group, writable by none). The default mode
3031 may be changed via the “sudoers_mode” option to the sudoers Plugin line
3032 in the sudo.conf(5) file.
3033
3034 /etc/sudoers is owned by gid N, should be 1
3035 The sudoers file has the wrong group ownership. If you wish to change
3036 the sudoers file group ownership, add “sudoers_gid=N” (where ‘N’ is the
3037 group-ID that owns the sudoers file) to the sudoers Plugin line in the
3038 sudo.conf(5) file.
3039
3040 unable to open /run/sudo/ts/username
3041 sudoers was unable to read or create the user's time stamp file. This
3042 can happen when timestampowner is set to a user other than root and the
3043 mode on /run/sudo is not searchable by group or other. The default
3044 mode for /run/sudo is 0711.
3045
3046 unable to write to /run/sudo/ts/username
3047 sudoers was unable to write to the user's time stamp file.
3048
3049 /run/sudo/ts is owned by uid X, should be Y
3050 The time stamp directory is owned by a user other than timestampowner.
3051 This can occur when the value of timestampowner has been changed.
3052 sudoers will ignore the time stamp directory until the owner is cor‐
3053 rected.
3054
3055 /run/sudo/ts is group writable
3056 The time stamp directory is group-writable; it should be writable only
3057 by timestampowner. The default mode for the time stamp directory is
3058 0700. sudoers will ignore the time stamp directory until the mode is
3059 corrected.
3060
3061 Notes on logging via syslog
3062 By default, sudoers logs messages via syslog(3). The date, hostname, and
3063 progname fields are added by the system's syslog(3) function, not sudoers
3064 itself. As such, they may vary in format on different systems.
3065
3066 The maximum size of syslog messages varies from system to system. The
3067 syslog_maxlen setting can be used to change the maximum syslog message
3068 size from the default value of 980 bytes. For more information, see the
3069 description of syslog_maxlen.
3070
3071 Notes on logging to a file
3072 If the logfile option is set, sudoers will log to a local file, such as
3073 /var/log/sudo. When logging to a file, sudoers uses a format similar to
3074 syslog(3), with a few important differences:
3075
3076 1. The progname field is not present.
3077
3078 2. The hostname is only logged if the log_host option is enabled.
3079
3080 3. The date does not include the year unless the log_year option is en‐
3081 abled.
3082
3083 4. Lines that are longer than loglinelen characters (80 by default) are
3084 word-wrapped and continued on the next line with a four character
3085 indent. This makes entries easier to read for a human being, but
3086 makes it more difficult to use grep(1) on the log files. If the
3087 loglinelen option is set to 0 (or negated with a ‘!’), word wrap
3088 will be disabled.
3089
3090 I/O LOG FILES
3091 When I/O logging is enabled, sudo runs the command in a pseudo-terminal,
3092 logging user input and/or output, depending on which sudoers flags
3093 are enabled. There are five distinct types of I/O that can be logged,
3094 each with a corresponding sudoers flag.
3095
3096 Type Flag Description
3097 terminal input log_ttyin keystrokes entered by the user
3098 terminal output log_ttyout command output displayed to the screen
3099 standard input log_stdin input from a pipe or a file
3100 standard output log_stdout output to a pipe or a file
3101 standard error log_stderr output to a pipe or a file
3102
3103 In addition to the flags described above, the log_input flag and
3104 LOG_INPUT command tag set both log_ttyin and log_stdin. The log_output
3105 flag and LOG_OUTPUT command tag set log_ttyout, log_stdout, and
3106 log_stderr.
3107
3108 To capture terminal input and output, sudo runs the command in a pseudo-
3109 terminal, logging the input and output before passing it on to the user.
3110 To capture the standard input, standard output or standard error, sudo
3111 uses a pipe to interpose itself between the input or output stream, log‐
3112 ging the I/O before passing it to the other end of the pipe.
3113
3114 I/O can be logged either to the local machine or to a remote log server.
3115 For local logs, I/O is logged to the directory specified by the iolog_dir
3116 option (/var/log/sudo-io by default) using a unique session ID that is
3117 included in the sudo log line, prefixed with ‘TSID=’. The iolog_file op‐
3118 tion may be used to control the format of the session ID. For remote
3119 logs, the log_servers setting is used to specify one or more log servers
3120 running sudo_logsrvd or another server that implements the protocol de‐
3121 scribed by sudo_logsrv.proto(5).
3122
3123 I/O logging pitfalls
3124 When logging standard input, anything sent to the standard input will be
3125 consumed, regardless of whether or not the command run via sudo is ac‐
3126 tively reading the standard input. This may have unexpected results when
3127 using sudo in a shell script that expects to process the standard input.
3128 For example, given the following shell script:
3129
3130 #!/bin/sh
3131 sudo echo testing
3132 echo done
3133
3134 It will behave as expected when the script is passed to the shell as an
3135 argument:
3136
3137 $ sh test.sh
3138 testing
3139 done
3140
3141 However, if the script is passed to the shell on the standard input, the
3142 ‘sudo echo testing’ command will consume the rest of the script. This
3143 means that the ‘echo done’ statement is never executed.
3144
3145 $ sh -s < test.sh
3146 testing
3147
3148 There are several ways to work around this problem:
3149
3150 1. Redirect the standard input from /dev/null when running a command
3151 via sudo that does not need to read the standard input.
3152
3153 sudo echo testing < /dev/null
3154
3155 2. Pass the script to the shell by path name instead of via the stan‐
3156 dard input.
3157
3158 sh test.sh
3159
3160 3. Disable logging the standard input for commands that do not need to
3161 read the standard input.
3162
3163 Defaults!/bin/echo !log_stdin
3164
3165 Depending on the command, it may not be desirable to log the standard in‐
3166 put or standard output. For example, I/O logging of commands that send
3167 or receive large amounts of data via the standard output or standard input
3168 such as rsync(1) and tar(1) could fill up the log file system with super‐
3169 fluous data. It is possible to disable logging of the standard input and
3170 standard output for such commands as follows:
3171
3172 Cmnd_Alias COPY_CMDS = /usr/bin/tar, /usr/bin/cpio, /usr/bin/rsync
3173
3174 # Log input and output but omit stdin and stdout when copying files.
3175 Defaults log_input, log_output
3176 Defaults!COPY_CMDS !log_stdin, !log_stdout
3177
3178 However, be aware that using the log_input flag or the LOG_INPUT command
3179 tag will also enable log_stdin. Likewise, the log_output flag or the
3180 LOG_OUTPUT command tag will enable log_stdout and log_stderr. Careful or‐
3181 dering of rules may be necessary to achieve the results that you expect.
3182
3183 I/O log format
3184 For both local and remote I/O logs, each log is stored in a separate di‐
3185 rectory that contains the following files:
3186
3187 log A text file containing information about the command. The
3188 first line consists of the following colon-delimited fields:
3189 the time the command was run, the name of the user who ran
3190 sudo, the name of the target user, the name of the target group
3191 (optional), the terminal that sudo was run from, and the number
3192 of lines and columns of the terminal. The second and third
3193 lines contain the working directory the command was run from
3194 and the path name of the command itself (with arguments if
3195 present).
3196
3197 log.json A JSON-formatted file containing information about the command.
3198 This is similar to the log file but contains additional infor‐
3199 mation and is easily extensible. The log.json file will be
3200 used by sudoreplay(8) in preference to the log file if it ex‐
3201 ists. The file may contain the following elements:
3202
3203 timestamp
3204 A JSON object containing the time the command was run. It
3205 consists of two values, seconds and nanoseconds.
3206
3207 columns
3208 The number of columns of the terminal the command ran on,
3209 or zero if no terminal was present.
3210
3211 command
3212 The fully-qualified path of the command that was run.
3213
3214 lines
3215 The number of lines of the terminal the command ran on,
3216 or zero if no terminal was present.
3217
3218 runargv
3219 A JSON array representing the command's argument vector
3220 as passed to the execve(2) system call.
3221
3222 runenv
3223 A JSON array representing the command's environment as
3224 passed to the execve(2) system call.
3225
3226 rungid
3227 The group ID the command ran as. This element is only
3228 present when the user specifies a group on the command
3229 line.
3230
3231 rungroup
3232 The name of the group the command ran as. This element
3233 is only present when the user specifies a group on the
3234 command line.
3235
3236 runuid
3237 The user ID the command ran as.
3238
3239 runuser
3240 The name of the user the command ran as.
3241
3242 submitcwd
3243 The current working directory at the time sudo was run.
3244
3245 submithost
3246 The name of the host the command was run on.
3247
3248 submituser
3249 The name of the user who ran the command via sudo.
3250
3251 ttyname
3252 The path name of the terminal the user invoked sudo from.
3253 If the command was run in a pseudo-terminal, ttyname will
3254 be different from the terminal the command actually ran
3255 in.
3256
3257 timing Timing information used to replay the session. Each line con‐
3258 sists of the I/O log entry type and amount of time since the
3259 last entry, followed by type-specific data. The I/O log entry
3260 types and their corresponding type-specific data are:
3261
3262 0 standard input, number of bytes in the entry
3263 1 standard output, number of bytes in the entry
3264 2 standard error, number of bytes in the entry
3265 3 terminal input, number of bytes in the entry
3266 4 terminal output, number of bytes in the entry
3267 5 window change, new number of lines and columns
3268 6 bug compatibility for sudo 1.8.7 terminal output
3269 7 command suspend or resume, signal received
3270
3271 ttyin Raw input from the user's terminal, exactly as it was received.
3272 This file is only present if the log_input or log_ttyin flags
3273 are set and sudo was run from a terminal. No post-processing
3274 is performed. For manual viewing, you may wish to convert car‐
3275 riage return characters in the log to line feeds. For example:
3276 ‘gunzip -c ttyin | tr "\r" "\n"’
3277
3278 stdin The standard input when no terminal is present, or input redi‐
3279 rected from a pipe or file. This file is only present if the
3280 log_input or log_stdin flags are set and the standard input is
3281 not connected to a terminal.
3282
3283 ttyout Output from the pseudo-terminal (what the command writes to the
3284 screen). Terminal-specific post-processing is performed before
3285 the data is logged. This means that, for example, line feeds
3286 are usually converted to line feed/carriage return pairs and
3287 tabs may be expanded to spaces. This file is only present if
3288 the log_output or log_ttyout flags are set and sudo was run
3289 from a terminal.
3290
3291 stdout The standard output when no terminal is present, or output
3292 redirected to a pipe or file. This file is only present if the
3293 log_output or log_stdout flags are set and the standard output
3294 is not connected to a terminal.
3295
3296 stderr The standard error when no terminal is present, or output redi‐
3297 rected to a pipe or file. This file is only present if the
3298 log_output or log_stderr flags are set and the standard error
3299 is not connected to a terminal.
3300
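The file layout above is all that sudoreplay(8) needs, and it is enough to audit a session without it. The following reader is an added example (not sudo's own code): it opens the log and timing files, decompresses the per-stream files when compress_io was on, slices the output streams into the chunks a replay would emit, and reports whether any keystrokes were captured. The sample session is constructed, and the payload formats assumed for window-change ("LINESxCOLS") and suspend (a signal name) entries are this example's assumptions; the page only says they carry type-specific data.

```python
"""Read a local sudoers I/O log directory (log, timing, ttyin, ttyout, ...) the way
sudoreplay does, and summarise what it holds.

Added example, not sudo's own code. The sample session is constructed; the payloads
assumed for window-size (LINESxCOLS) and suspend (signal name) entries are assumptions.
"""
import gzip
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Timing-file entry types from the I/O log format description (type 6 is not handled).
STDIN, STDOUT, STDERR, TTYIN, TTYOUT, WINSIZE, COMPAT, SUSPEND = range(8)
STREAM_FILE = {STDIN: "stdin", STDOUT: "stdout", STDERR: "stderr",
               TTYIN: "ttyin", TTYOUT: "ttyout"}
INPUT_TYPES = {STDIN, TTYIN}


@dataclass
class TimingEntry:
    kind: int
    delay: float   # seconds since the previous entry
    nbytes: int    # bytes in this I/O entry (0 for non-I/O entries)
    data: str      # raw type-specific data (byte count, window size, signal)


def parse_timing(text: str) -> List[TimingEntry]:
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        kind, delay = int(parts[0]), float(parts[1])
        data = parts[2] if len(parts) > 2 else ""
        entries.append(TimingEntry(kind, delay, int(data) if kind in STREAM_FILE else 0, data))
    return entries


def parse_log_header(text: str) -> dict:
    """First line: time:submituser:runuser:rungroup:tty:lines:cols; then cwd and command."""
    lines = text.splitlines()
    when, submituser, runuser, rungroup, tty, rows, cols = lines[0].split(":")
    return {"time": int(when), "submituser": submituser, "runuser": runuser,
            "rungroup": rungroup or None, "tty": tty, "lines": int(rows),
            "columns": int(cols), "cwd": lines[1], "command": lines[2]}


def read_iolog_file(logdir: str, name: str) -> bytes:
    """Files other than 'log' are gzip-compressed unless compress_io is off; sniff the magic."""
    with open(os.path.join(logdir, name), "rb") as f:
        raw = f.read()
    return gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw


def replay(entries: List[TimingEntry], streams: Dict[str, bytes],
           kinds=(TTYOUT, STDOUT, STDERR)) -> List[Tuple[float, str, bytes]]:
    """Slice each stream into the chunks sudoreplay would emit, paired with the delay
    before each. Every I/O entry advances its stream's offset, so a short file is detected."""
    offsets = {name: 0 for name in STREAM_FILE.values()}
    chunks = []
    for e in entries:
        name = STREAM_FILE.get(e.kind)
        if name is None:
            continue
        start = offsets[name]
        chunk = streams.get(name, b"")[start:start + e.nbytes]
        if len(chunk) != e.nbytes:
            raise ValueError(f"{name}: timing expects {e.nbytes} bytes at offset {start}")
        offsets[name] = start + e.nbytes
        if e.kind in kinds:
            chunks.append((e.delay, name, chunk))
    return chunks


def summarize(logdir: str) -> dict:
    info = parse_log_header(read_iolog_file(logdir, "log").decode())
    entries = parse_timing(read_iolog_file(logdir, "timing").decode())
    streams = {n: read_iolog_file(logdir, n) for n in STREAM_FILE.values()
               if os.path.exists(os.path.join(logdir, n))}
    per_stream: Dict[str, int] = {}
    for e in entries:
        if e.kind in STREAM_FILE:
            per_stream[STREAM_FILE[e.kind]] = per_stream.get(STREAM_FILE[e.kind], 0) + e.nbytes
    info.update(
        duration=round(sum(e.delay for e in entries), 6),
        bytes=per_stream,
        # Logged keystrokes may hold passwords in the clear (see log_passwords).
        input_captured=any(e.kind in INPUT_TYPES and e.nbytes for e in entries),
        signals=[e.data for e in entries if e.kind == SUSPEND],
        output=replay(entries, streams),
    )
    return info


def build_sample_session() -> str:
    """Write a constructed session: the user typed 'id', the command printed '0'."""
    d = tempfile.mkdtemp(prefix="sudo-io-")

    def put(name, data, compress=True):
        with open(os.path.join(d, name), "wb") as f:
            f.write(gzip.compress(data) if compress else data)

    put("log", b"1700000000:alice:root::/dev/pts/0:24:80\n/home/alice\n/usr/bin/sh -i\n",
        compress=False)
    put("timing", b"3 0.000000 3\n4 0.004000 4\n4 0.530000 3\n5 1.200000 40x120\n"
                  b"7 0.300000 TSTP\n7 2.000000 CONT\n")
    put("ttyin", b"id\r")
    put("ttyout", b"id\r\n0\r\n")
    return d


if __name__ == "__main__":
    print(summarize(build_sample_session()))
```

The input_captured flag is the one to watch when reviewing a policy that sets log_input: if it is true for sessions where a password prompt was answered, the stored ttyin holds that password unless log_passwords was disabled.
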
3301 All files other than log are compressed in gzip format unless the
3302 compress_io flag has been disabled. Due to buffering, it is not normally
3303 possible to display the I/O logs in real-time as the program is execut‐
3304 ing. The I/O log data will not be complete until the program run by sudo
3305 has exited or has been terminated by a signal. The iolog_flush flag can
3306 be used to disable buffering, in which case I/O log data is written to
3307 disk as soon as it is available. The output portion of an I/O log file
3308 can be viewed with the sudoreplay(8) utility, which can also be used to
3309 list or search the available logs.
3310
3311 User input may contain sensitive information such as passwords (even if
3312 they are not echoed to the screen), which will be stored in the log file
3313 unencrypted. In most cases, logging the command output via log_output or
3314 LOG_OUTPUT is all that is required. When logging input, consider dis‐
3315 abling the log_passwords flag.
3316
3317 Since each session's I/O logs are stored in a separate directory, tradi‐
3318 tional log rotation utilities cannot be used to limit the number of I/O
3319 logs. The simplest way to limit the number of I/O logs is by setting the
3320 maxseq option to the maximum number of logs you wish to store. Once the
3321 I/O log sequence number reaches maxseq, it will be reset to zero and
3322 sudoers will truncate and re-use any existing I/O logs.
3323
3324 FILES
3325 /etc/sudo.conf Sudo front-end configuration
3326
3327 /etc/sudoers List of who can run what
3328
3329 /etc/group Local groups file
3330
3331 /etc/netgroup List of network groups
3332
3333 /var/log/sudo-io I/O log files
3334
3335 /run/sudo/ts Directory containing time stamps for the
3336 sudoers security policy
3337
3338 /var/db/sudo/lectured Directory containing lecture status files for
3339 the sudoers security policy
3340
3341 /etc/environment Initial environment for -i mode on AIX and
3342 Linux systems
3343
3344 EXAMPLES
3345 Below are example sudoers file entries. Admittedly, some of these are a
3346 bit contrived. First, we allow a few environment variables to pass and
3347 then define our aliases:
3348
3349 # Run X applications through sudo; HOME is used to find the
3350 # .Xauthority file. Other programs use HOME to locate configuration
3351 # files and this may lead to privilege escalation!
3352 Defaults env_keep += "DISPLAY HOME"
3353
3354 # User alias specification
3355 User_Alias FULLTIMERS = millert, mikef, dowdy
3356 User_Alias PARTTIMERS = bostley, jwfox, crawl
3357 User_Alias WEBADMIN = will, wendy, wim
3358
3359 # Runas alias specification
3360 Runas_Alias OP = root, operator
3361 Runas_Alias DB = oracle, sybase
3362 Runas_Alias ADMINGRP = adm, oper
3363
3364 # Host alias specification
3365 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
3366 SGI = grolsch, dandelion, black :\
3367 ALPHA = widget, thalamus, foobar :\
3368 HPPA = boa, nag, python
3369 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3370 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3371 Host_Alias SERVERS = primary, mail, www, ns
3372 Host_Alias CDROM = orion, perseus, hercules
3373
3374 # Cmnd alias specification
3375 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
3376 /usr/sbin/restore, /usr/sbin/rrestore,\
3377 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
3378 /home/operator/bin/start_backups
3379 Cmnd_Alias KILL = /usr/bin/kill
3380 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3381 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3382 Cmnd_Alias HALT = /usr/sbin/halt
3383 Cmnd_Alias REBOOT = /usr/sbin/reboot
3384 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
3385 /usr/local/bin/tcsh, /usr/bin/rsh,\
3386 /usr/local/bin/zsh
3387 Cmnd_Alias SU = /usr/bin/su
3388 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3389
3390 Here we override some of the compiled in default values. We want sudo to
3391 log via syslog(3) using the auth facility in all cases and for commands
3392 to be run with the target user's home directory as the working directory.
3393 We don't want to subject the full time staff to the sudo lecture and we
3394 want to allow them to run commands in a chroot(2) “sandbox” via the -R
3395 option. User millert need not provide a password and we don't want to
3396 reset the LOGNAME or USER environment variables when running commands as
3397 root. Additionally, on the machines in the SERVERS Host_Alias, we keep
3398 an additional local log file and make sure we log the year in each log
3399 line since the log entries will be kept around for several years.
3400 Lastly, we disable shell escapes for the commands in the PAGERS
3401 Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). This will not
3402 effectively constrain users with sudo ALL privileges.
3403
3404 # Override built-in defaults
3405 Defaults syslog=auth,runcwd=~
3406 Defaults>root !set_logname
3407 Defaults:FULLTIMERS !lecture,runchroot=*
3408 Defaults:millert !authenticate
3409 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3410 Defaults!PAGERS noexec
3411
3412 The User specification is the part that actually determines who may run
3413 what.
3414
3415 root ALL = (ALL) ALL
3416 %wheel ALL = (ALL) ALL
3417
3418 We let root and any user in group wheel run any command on any host as
3419 any user.
3420
3421 FULLTIMERS ALL = NOPASSWD: ALL
3422
3423 Full time sysadmins (millert, mikef, and dowdy) may run any command on
3424 any host without authenticating themselves.
3425
3426 PARTTIMERS ALL = ALL
3427
3428 Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
3429 host but they must authenticate themselves first (since the entry lacks
3430 the NOPASSWD tag).
3431
3432 jack CSNETS = ALL
3433
3434 The user jack may run any command on the machines in the CSNETS alias
3435 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
3436 networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
3437 indicating it is a class C network. For the other networks in CSNETS,
3438 the local machine's netmask will be used during matching.
3439
3440 lisa CUNETS = ALL
3441
3442 The user lisa may run any command on any host in the CUNETS alias (the
3443 class B network 128.138.0.0).
3444
3445 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
3446 sudoedit /etc/printcap, /usr/oper/bin/
3447
3448 The operator user may run commands limited to simple maintenance. Here,
3449 those are commands related to backups, killing processes, the printing
3450 system, shutting down the system, and any commands in the directory
3451 /usr/oper/bin/. One command in the DUMPS Cmnd_Alias includes a sha224
3452 digest, /home/operator/bin/start_backups. This is because the directory
3453 containing the script is writable by the operator user. If the script is
3454 modified (resulting in a digest mismatch) it will no longer be possible
3455 to run it via sudo.
3456
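Pinning a script by digest is the one way to safely list a command that lives in a directory its own user can write to, so here is how the spec in the DUMPS alias is produced and checked, as an added example (not sudo's own code). It emits the "sha224:<base64>" form used in the example above; sudoers also accepts the digest as hex, and the sha256, sha384 and sha512 types. The temporary script it builds is constructed.

```python
"""Produce and verify the Digest_Spec form used in the DUMPS Cmnd_Alias above.

Added example, not sudo's own code. It emits the "sha224:<base64>" spec shown in the
example (sudoers also accepts hex); the temporary script it builds is constructed.
"""
import base64
import hashlib
import hmac
import os
import tempfile
from typing import Dict

ALGORITHMS = ("sha224", "sha256", "sha384", "sha512")


def file_digest(path: str, algo: str) -> bytes:
    if algo not in ALGORITHMS:
        raise ValueError(f"sudoers does not support digest type {algo!r}")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def digest_spec(path: str, algo: str = "sha224", encoding: str = "base64") -> str:
    """'algo:digest' for the file at path, digest in base64 (as in the example) or hex."""
    digest = file_digest(path, algo)
    value = base64.b64encode(digest).decode("ascii") if encoding == "base64" else digest.hex()
    return f"{algo}:{value}"


def digest_matches(spec: str, path: str) -> bool:
    """Compare the file against a spec the way sudoers does before running the command."""
    algo, _, value = spec.partition(":")
    expected = file_digest(path, algo)
    try:
        if len(value) == 2 * len(expected):
            given = bytes.fromhex(value)
        else:
            given = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(given, expected)


def cmnd_entry(path: str, algo: str = "sha224") -> str:
    """A Cmnd_Alias element that pins path to its current content."""
    return f"{digest_spec(path, algo)} {path}"


def demo() -> Dict[str, object]:
    """Pin a script, then modify it: the pinned rule stops matching (constructed file)."""
    d = tempfile.mkdtemp(prefix="sudoers-digest-")
    script = os.path.join(d, "start_backups")
    with open(script, "w") as f:
        f.write("#!/bin/sh\n/usr/sbin/dump -0u /dev/sda1\n")
    spec = digest_spec(script)
    before = digest_matches(spec, script)
    with open(script, "a") as f:
        f.write("/bin/sh -i\n")           # a later edit by the directory's owner
    return {"path": script, "spec": spec, "before": before,
            "after": digest_matches(spec, script)}


if __name__ == "__main__":
    r = demo()
    print(cmnd_entry(r["path"]))
    print("matched before edit:", r["before"], "after edit:", r["after"])
```

The digest pins the file's content, not its interpreter: a pinned shell script still runs under /bin/sh and still reads whatever it sources, so the same care applies to anything the script itself executes from a writable location.
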
3457 joe ALL = /usr/bin/su operator
3458
3459 The user joe may only su(1) to operator.
3460
3461 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
3462
3463 The user pete is allowed to change anyone's password except for root on
3464 the HPPA machines. Because command line arguments are matched as a sin‐
3465 gle, concatenated string, the ‘*’ wildcard will match multiple words.
3466 This example assumes that passwd(1) does not take multiple user names on
3467 the command line. On systems with GNU getopt(3), options to passwd(1)
3468 may be specified after the user argument. As a result, this rule will
3469 also allow:
3470
3471 passwd username --expire
3472
3473 which may not be desirable.
3474
3475 %opers ALL = (: ADMINGRP) /usr/sbin/
3476
3477 Users in the opers group may run commands in /usr/sbin/ as themselves
3478 with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
3479
3480 bob SPARC = (OP) ALL : SGI = (OP) ALL
3481
3482 The user bob may run anything on the SPARC and SGI machines as any user
3483 listed in the OP Runas_Alias (root and operator.)
3484
3485 jim +biglab = ALL
3486
3487 The user jim may run any command on machines in the biglab netgroup.
3488 sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
3489
3490 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3491
3492 Users in the secretaries netgroup need to help manage the printers as
3493 well as add and remove users, so they are allowed to run those commands
3494 on all machines.
3495
3496 fred ALL = (DB) NOPASSWD: ALL
3497
3498 The user fred can run commands as any user in the DB Runas_Alias (oracle
3499 or sybase) without giving a password.
3500
3501 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3502
3503 On the ALPHA machines, user john may su to anyone except root but he is
3504 not allowed to specify any options to the su(1) command.
3505
3506 jen ALL, !SERVERS = ALL
3507
3508 The user jen may run any command on any machine except for those in the
3509 SERVERS Host_Alias (primary, mail, www, and ns).
3510
3511 jill SERVERS = /usr/bin/, !SU, !SHELLS
3512
3513 For any machine in the SERVERS Host_Alias, jill may run any commands in
3514 the directory /usr/bin/ except for those commands belonging to the SU and
3515 SHELLS Cmnd_Aliases. While not specifically mentioned in the rule, the
3516 commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
3517 noexec option set.
3518
3519 steve CSNETS = (operator) /usr/local/op_commands/
3520
3521 The user steve may run any command in the directory /usr/local/op_com‐
3522 mands/ but only as user operator.
3523
3524 matt valkyrie = KILL
3525
3526 On his personal workstation, valkyrie, matt needs to be able to kill hung
3527 processes.
3528
3529 WEBADMIN www = (www) ALL, (root) /usr/bin/su www
3530
3531 On the host www, any user in the WEBADMIN User_Alias (will, wendy, and
3532 wim), may run any command as user www (which owns the web pages) or sim‐
3533 ply su(1) to www.
3534
3535 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
3536 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3537
3538 Any user may mount or unmount a CD-ROM on the machines in the CDROM
3539 Host_Alias (orion, perseus, hercules) without entering a password. This
3540 is a bit tedious for users to type, so it is a prime candidate for encap‐
3541 sulating in a shell script.
3542
SECURITY NOTES
   Limitations of the ‘!’ operator
     It is generally not effective to “subtract” commands from ALL using the
     ‘!’ operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For
     example:

          bill     ALL = ALL, !SU, !SHELLS

     This does not really prevent bill from running the commands listed in SU
     or SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program.  Therefore, this
     kind of restriction should be considered advisory at best (and
     reinforced by policy).

     In general, if a user has sudo ALL there is nothing to prevent them from
     creating their own program that gives them a root shell (or making their
     own copy of a shell) regardless of any ‘!’ elements in the user
     specification.

   Security implications of fast_glob
     If the fast_glob option is in use, it is not possible to reliably negate
     commands where the path name includes globbing (aka wildcard) characters.
     This is because the C library's fnmatch(3) function cannot resolve
     relative paths.  While this is typically only an inconvenience for rules
     that grant privileges, it can result in a security issue for rules that
     subtract or revoke privileges.

     For example, given the following sudoers file entry:

          john     ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
                   /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run ‘/usr/bin/passwd root’ if fast_glob is enabled by
     changing to /usr/bin and running ‘./passwd root’ instead.

     Another potential issue is that when sudo executes the command, it must
     use the command or path specified by the user instead of a path listed in
     the sudoers file.  This may lead to a time of check versus time of use
     race condition.

   Wildcards in command arguments
     Command line arguments are matched as a single, concatenated string.
     This means a wildcard character such as ‘?’ or ‘*’ will match across word
     boundaries, which may be unexpected.  For example, while a sudoers entry
     like:

          %operator ALL = /bin/cat /var/log/messages*

     will allow a command like:

          $ sudo cat /var/log/messages.1

     It will also allow:

          $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended.  A safer alternative is to use a
     regular expression for matching command line arguments.  The above
     example can be rewritten as a regular expression:

          %operator ALL = /bin/cat ^/var/log/messages[^[:space:]]*$

     The regular expression will only match a single file with a name that
     begins with /var/log/messages and does not include any white space in the
     name.  It is often better to do command line processing outside of the
     sudoers file in a scripting language for anything non-trivial.
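     The following is an added example, not code from sudo itself: a small
     model of how sudoers compares an argument vector, used to show why the
     ‘/var/log/messages*’ glob above also admits ‘/var/log/messages
     /etc/shadow’ while the anchored regular expression does not, and why
     pete's passwd rule from the EXAMPLES section admits ‘username --expire’.
     It assumes Python's fnmatch and re modules stand in for fnmatch(3) and
     POSIX regcomp(3), writes [^[:space:]] as [^\s], and applies the sudoers
     rule that the last matching entry wins.

```python
import fnmatch
import re


def join_args(args):
    # sudoers compares the whole argument vector as one space-joined string
    return " ".join(args)


def glob_args_match(pattern, args):
    # fnmatch(3)-style: '*' and '?' are not stopped by spaces, so a single
    # wildcard can swallow additional words (extra file names, options, ...)
    return fnmatch.fnmatchcase(join_args(args), pattern)


def regex_args_match(pattern, args):
    # sudoers treats an argument pattern written as ^...$ as a regular
    # expression and requires that anchoring; Python's re has no [[:space:]],
    # so the rules below use \s instead (an assumption of this example)
    if not (pattern.startswith("^") and pattern.endswith("$")):
        raise ValueError("sudoers regular expressions must start with ^ and end with $")
    return re.match(pattern, join_args(args)) is not None


def args_match(pattern, args):
    if pattern.startswith("^") and pattern.endswith("$"):
        return regex_args_match(pattern, args)
    return glob_args_match(pattern, args)


def evaluate(rules, command, args):
    """rules: list of (negated, command path, argument pattern) in sudoers
    order.  Every matching entry is applied in turn and the last match wins;
    with no match at all the command is denied."""
    decision = False
    for negated, cmd, pattern in rules:
        if cmd == command and args_match(pattern, args):
            decision = not negated
    return decision


# Constructed rule sets mirroring the entries discussed on this page.
OPERATOR_GLOB = [(False, "/bin/cat", "/var/log/messages*")]
OPERATOR_REGEX = [(False, "/bin/cat", r"^/var/log/messages[^\s]*$")]
PETE = [(False, "/usr/bin/passwd", "[A-Za-z]*"),
        (True, "/usr/bin/passwd", "*root*")]

if __name__ == "__main__":
    for rules, argv in ((OPERATOR_GLOB, ["/var/log/messages", "/etc/shadow"]),
                        (OPERATOR_REGEX, ["/var/log/messages", "/etc/shadow"]),
                        (PETE, ["username", "--expire"]),
                        (PETE, ["root"])):
        cmd = rules[0][1]
        print(cmd, *argv, "->", "allowed" if evaluate(rules, cmd, argv) else "denied")
```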
3609
   Regular expressions in command names
     Using a regular expression to match a command name has the same security
     implications as using the fast_glob option:

     •  It is not possible to reliably negate commands when the path name is a
        regular expression.

     •  When sudo executes the command, it must use the command or path
        specified by the user instead of a path listed in the sudoers file.
        This may lead to a time of check versus time of use race condition.

     These issues do not apply to rules where only the command line options
     are matched using a regular expression.

   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which lets
     a user bypass sudo's access control and logging.  Common programs that
     permit shell escapes include shells (obviously), editors, paginators,
     mail, and terminal programs.

     There are four basic approaches to this problem:

     restrict   Avoid giving users access to commands that allow the user to
                run arbitrary commands.  Many editors have a restricted mode
                where shell escapes are disabled, though sudoedit is a better
                solution to running editors via sudo.  Due to the large number
                of programs that offer shell escapes, restricting users to the
                set of programs that do not is often unworkable.

     intercept  On most systems, sudo's intercept functionality can be used to
                transparently intercept an attempt to run a new command, allow
                or deny it based on sudoers rules, and log the result.  For
                example, this can be used to restrict the commands run from
                within a privileged shell or editor.

                There are two underlying mechanisms that may be used to
                implement intercept mode: dso and trace.  The intercept_type
                setting can be used to select between them.

                The first mechanism, dso, overrides the standard C library
                functions that are used to execute a command.  It does this by
                setting an environment variable (usually LD_PRELOAD) to the
                path of a dynamic shared object, or shared library, containing
                custom versions of the execve(2), execl(3), execle(3),
                execlp(3), execv(3), execvp(3), execvpe(3), and system(3)
                library functions that connect back to sudo for a policy
                decision.  Note, however, that this applies only to
                dynamically-linked executables.  It is not possible to
                intercept commands for statically-linked executables or
                executables that run under binary emulation this way.  Because
                most dynamic loaders ignore LD_PRELOAD (or the equivalent) when
                running set-user-ID and set-group-ID programs, sudoers will
                not permit such programs to be run in intercept mode by
                default.  The dso mechanism is incompatible with sudo's SELinux
                RBAC support (but see below).  SELinux disables LD_PRELOAD by
                default and interferes with file descriptor inheritance, which
                sudo relies on.

                The second mechanism, trace, is available on Linux systems
                that support seccomp(2) filtering.  It uses ptrace(2) and
                seccomp(2) to intercept the execve(2) system call instead of
                pre-loading a dynamic shared object.  Both static and dynamic
                executables are supported and it is compatible with sudo's
                SELinux RBAC mode.  Functions utilizing the execveat(2) system
                call, such as fexecve(3), are not currently intercepted.

                The intercept feature is known to work on Solaris, *BSD,
                Linux, macOS, HP-UX 11.x and AIX 5.3 and above.  It should be
                supported on most operating systems that support the
                LD_PRELOAD environment variable or an equivalent.  It is not
                possible to intercept shell built-in commands or restrict the
                ability to read or write sensitive files from within a shell.

                To enable intercept mode on a per-command basis, use the
                INTERCEPT tag as documented in the User Specification section
                above.  Here is that example again:

                     chuck    research = INTERCEPT: ALL

                This allows user chuck to run any command on the machine
                “research” in intercept mode.  Any commands run via shell
                escapes will be validated and logged by sudo.  If you are
                unsure whether or not your system is capable of supporting
                intercept, you can always just try it out and check whether or
                not external commands run via a shell are logged when
                intercept is enabled.

                There is an inherent race condition between when a command is
                checked against sudoers rules and when it is actually
                executed.  If a user is allowed to run arbitrary commands, they
                may be able to change the execve(2) arguments in the program
                after the sudoers policy check has completed but before the
                new command is executed.  Starting with version 1.9.12, the
                trace method will verify that the command and its arguments
                have not changed after execve(2) has completed but before
                execution of the new program has had a chance to run.  This is
                not the case with the dso method.  See the description of the
                intercept_verify setting for more information.

     log        There are two separate but related ways to log additional
                commands.  The first is to enable I/O logging using the
                log_output flag.  This will log the command's output but will
                not create an event log entry when the additional command is
                run.  The second is to enable the log_subcmds flag in sudoers
                which will create an event log entry every time a new command
                is run.  If I/O logging is also enabled, the log entry will
                include a time offset into the I/O log to indicate when the
                command was run.  This offset can be passed to the
                sudoreplay(8) utility to replay the I/O log at the exact
                moment when the command was run.  The log_subcmds flag uses
                the same mechanism as intercept (see above) and has the same
                limitations.

     noexec     sudo's noexec functionality can be used to prevent a program
                run by sudo from executing any other programs.  On most
                systems, it uses the same LD_PRELOAD mechanism as intercept
                (see above) and thus the same caveats apply.  The noexec
                functionality is capable of blocking execution of commands run
                via the execve(2), execl(3), execle(3), execlp(3), exect(3),
                execv(3), execveat(3), execvP(3), execvp(3), execvpe(3),
                fexecve(3), popen(3), posix_spawn(3), posix_spawnp(3),
                system(3), and wordexp(3) functions.  On Linux, a seccomp(2)
                filter is used to implement noexec.  On Solaris 10 and higher,
                noexec uses Solaris privileges instead of the LD_PRELOAD
                environment variable.

                To enable noexec for a command, use the NOEXEC tag as
                documented in the User Specification section above.  Here is
                that example again:

                     aaron    shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                This allows user aaron to run /usr/bin/more and /usr/bin/vi
                with noexec enabled.  This will prevent those two commands
                from executing other commands (such as a shell).  If you are
                unsure whether or not your system is capable of supporting
                noexec you can always just try it out and check whether shell
                escapes work when noexec is enabled.

     Restricting shell escapes is not a panacea.  Programs running as root are
     still capable of many potentially hazardous operations (such as changing
     or overwriting files) that could lead to unintended privilege escalation.
     In the specific case of an editor, a safer approach is to give the user
     permission to run sudoedit (see below).

   Secure editing
     The sudoers plugin includes sudoedit support which allows users to
     securely edit files with the editor of their choice.  As sudoedit is a
     built-in command, it must be specified in the sudoers file without a
     leading path.  However, it may take command line arguments just as a
     normal command does.  Wildcards used in sudoedit command line arguments
     are expected to be path names, so a forward slash (‘/’) will not be
     matched by a wildcard.

     Unlike other sudo commands, the editor is run with the permissions of the
     invoking user and with the environment unmodified.  More information may
     be found in the description of the -e option in sudo(8).

     For example, to allow user operator to edit the “message of the day” file
     on any machine:

          operator ALL = sudoedit /etc/motd

     The operator user then runs sudoedit as follows:

          $ sudoedit /etc/motd

     The editor will run as the operator user, not root, on a temporary copy
     of /etc/motd.  After the file has been edited, /etc/motd will be updated
     with the contents of the temporary copy.

     Users should never be granted sudoedit permission to edit a file that
     resides in a directory the user has write access to, either directly or
     via a wildcard.  If the user has write access to the directory it is
     possible to replace the legitimate file with a link to another file,
     allowing the editing of arbitrary files.  To prevent this, starting with
     version 1.8.16, symbolic links will not be followed in writable
     directories and sudoedit will refuse to edit a file located in a
     writable directory unless the sudoedit_checkdir option has been disabled
     or the invoking user is root.  Additionally, in version 1.8.15 and
     higher, sudoedit will refuse to open a symbolic link unless either the
     sudoedit_follow option is enabled or the sudoedit command is prefixed
     with the FOLLOW tag in the sudoers file.

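     The following is an added example, not sudo's own code: a simplified
     model of the writable-directory and symbolic-link checks described above,
     run against a constructed file and symlink in a temporary directory.  It
     assumes permission bits alone decide writability (no ACLs), that uid 0 is
     root, and that the checkdir and follow parameters stand in for the
     sudoedit_checkdir option and the sudoedit_follow option or FOLLOW tag.

```python
import os
import stat
import tempfile


def dir_is_writable(st, uid, gids):
    """Permission-bit model of 'can uid write to this directory' (no ACLs)."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_component(path, uid, gids):
    """Walk every directory leading to path (directory part resolved to its
    real location) and return the first one the user could write to, or None."""
    d = os.path.realpath(os.path.dirname(os.path.abspath(path)))
    comps = [os.sep]
    for part in d.split(os.sep)[1:]:
        if part:
            comps.append(os.path.join(comps[-1], part))
    for c in comps:
        if dir_is_writable(os.stat(c), uid, gids):
            return c
    return None


def sudoedit_check(path, uid, gids, checkdir=True, follow=False):
    """Return (True, None) if the model lets uid edit path, else (False, why).
    Root (uid 0) skips the writable-directory check, as the text states."""
    st = os.lstat(path)
    if uid != 0 and checkdir:
        bad = writable_component(path, uid, gids)
        if bad is not None:
            return False, f"{bad} is writable by the invoking user"
    if stat.S_ISLNK(st.st_mode) and not follow:
        return False, "symbolic link and neither sudoedit_follow nor FOLLOW is set"
    return True, None


def demo():
    """Constructed layout: a regular file plus a symlink to it inside a
    temporary directory that the (possibly constructed) test user owns."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "motd")
        link = os.path.join(d, "motd.lnk")
        with open(target, "w") as f:
            f.write("constructed sample\n")
        os.symlink(target, link)
        user = os.lstat(d).st_uid
        if user == 0:  # running as root: hand the directory to a constructed uid
            user = 1000
            os.chown(d, user, user)
        gids = {os.lstat(d).st_gid}
        return {
            "file_as_user": sudoedit_check(target, user, gids),
            "file_as_root": sudoedit_check(target, 0, gids),
            "file_checkdir_off": sudoedit_check(target, user, gids, checkdir=False),
            "link_no_follow": sudoedit_check(link, user, gids, checkdir=False),
            "link_follow": sudoedit_check(link, user, gids, checkdir=False, follow=True),
        }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'allowed' if ok else 'refused: ' + why}")
```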
   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/run/sudo/ts by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.  Older
     versions of sudo stored time stamp files in /tmp; this is no longer
     recommended as it may be possible for a user to create the time stamp
     themselves on systems that allow unprivileged users to change the
     ownership of files they create.

     While the time stamp directory should be cleared at reboot time, not all
     systems contain a /run or /var/run directory.  To avoid potential
     problems, sudoers will ignore time stamp files that date from before the
     machine booted on systems where the boot time is available.

     Some systems with graphical desktop environments allow unprivileged users
     to change the system clock.  Since sudoers relies on the system clock for
     time stamp validation, it may be possible on such systems for a user to
     run sudo for longer than timestamp_timeout by setting the clock back.  To
     combat this, sudoers uses a monotonic clock (which never moves backwards)
     for its time stamps if the system supports it.

     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudoers will log and complain.

     If the timestamp_type option is set to “tty”, the time stamp record
     includes the device number of the terminal the user authenticated with.
     This provides per-terminal granularity but time stamp records may still
     outlive the user's session.

     Unless the timestamp_type option is set to “global”, the time stamp
     record also includes the session ID of the process that last
     authenticated.  This prevents processes in different terminal sessions
     from using the same time stamp record.  On systems where a process's
     start time can be queried, the start time of the session leader is
     recorded in the time stamp record.  If no terminal is present or the
     timestamp_type option is set to “ppid”, the start time of the parent
     process is used instead.  In most cases this will prevent a time stamp
     record from being re-used without the user entering a password when
     logging out and back in again.

DEBUGGING
     Versions 1.8.4 and higher of the sudoers plugin support a flexible
     debugging framework that can help track down what the plugin is doing
     internally if there is a problem.  This can be configured in the
     sudo.conf(5) file.

     The sudoers plugin uses the same debug flag format as the sudo front-end:
     subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace, and debug.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by the sudoers plugin:

     alias       User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing

     all         matches every subsystem

     audit       BSM and Linux audit code

     auth        user authentication

     defaults    sudoers file Defaults settings

     env         environment handling

     ldap        LDAP-based sudoers

     logging     logging support

     match       matching of users, groups, hosts, and netgroups in the sudoers
                 file

     netif       network interface handling

     nss         network service switch handling in sudoers

     parser      sudoers file parsing

     perms       permission setting

     plugin      the equivalent of main for the plugin

     pty         pseudo-terminal related code

     rbtree      red-black tree internals

     sssd        SSSD-based sudoers

     util        utility functions

     For example:

          Debug sudoers.so /var/log/sudoers_debug match@info,nss@info

     For more information, see the sudo.conf(5) manual.

SEE ALSO
     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(5),
     sudo_plugin(5), sudoers.ldap(5), sudoers_timestamp(5), sudo(8), visudo(8)

AUTHORS
     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS.md file in the sudo distribution
     (https://www.sudo.ws/about/contributors/) for an exhaustive list of
     people who have contributed to sudo.

CAVEATS
     The sudoers file should always be edited by the visudo utility which
     locks the file and checks for syntax errors.  If sudoers contains syntax
     errors, sudo may refuse to run, which is a serious problem if sudo is
     your only method of obtaining superuser privileges.  Recent versions of
     sudoers will attempt to recover after a syntax error by ignoring the rest
     of the line after encountering an error.  Older versions of sudo will not
     run if sudoers contains a syntax error.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

BUGS
     If you believe you have found a bug in sudo, you can submit a bug report
     at https://bugzilla.sudo.ws/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.

DISCLAIMER
     sudo is provided “AS IS” and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE.md
     file distributed with sudo or https://www.sudo.ws/about/license/ for
     complete details.

Sudo 1.9.14p3                    June 20, 2023                    Sudo 1.9.14p3