SUDOERS(5)                  BSD File Formats Manual                 SUDOERS(5)

NAME
     sudoers — default sudo security policy module

DESCRIPTION
     The sudoers policy module determines a user's sudo privileges.  It is the
     default sudo policy plugin.  The policy is driven by the /etc/sudoers
     file or, optionally, in LDAP.  The policy format is described in detail
     in the SUDOERS FILE FORMAT section.  For information on storing sudoers
     policy information in LDAP, please see sudoers.ldap(5).

   Authentication and logging
     The sudoers security policy requires that most users authenticate them‐
     selves before they can use sudo.  A password is not required if the
     invoking user is root, if the target user is the same as the invoking
     user, or if the policy has disabled authentication for the user or com‐
     mand.  Unlike su(1), when sudoers requires authentication, it validates
     the invoking user's credentials, not the target user's (or root's) cre‐
     dentials.  This can be changed via the rootpw, targetpw and runaspw
     flags, described later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities.  The address used for such
     mail is configurable via the mailto Defaults entry (described later) and
     defaults to root.

     Note that mail will not be sent if an unauthorized user tries to run sudo
     with the -l or -v option.  This allows users to determine for themselves
     whether or not they are allowed to use sudo.

     If sudo is run by root and the SUDO_USER environment variable is set, the
     sudoers policy will use this value to determine who the actual user is.
     This can be used by a user to log commands through sudo even when a root
     shell has been invoked.  It also allows the -e option to remain useful
     even when invoked via a sudo-run script or program.  Note, however, that
     the sudoers lookup is still done for root, not the user specified by
     SUDO_USER.

     sudoers uses time stamp files for credential caching.  Once a user has
     been authenticated, the time stamp is updated and the user may then use
     sudo without a password for a short period of time (5 minutes unless
     overridden by the timeout option).  By default, sudoers uses a tty-based
     time stamp which means that there is a separate time stamp for each of a
     user's login sessions.  The tty_tickets option can be disabled to force
     the use of a single time stamp for all of a user's sessions.

     sudoers can log both successful and unsuccessful attempts (as well as
     errors) to syslog(3), a log file, or both.  By default, sudoers will log
     via syslog(3) but this is changeable via the syslog and logfile Defaults
     settings.

     sudoers also supports logging a command's input and output streams.  I/O
     logging is not on by default but can be enabled using the log_input and
     log_output Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
     tags.

   Command environment
     Since environment variables can influence program behavior, sudoers pro‐
     vides a means to restrict which variables from the user's environment are
     inherited by the command to be run.  There are two distinct ways sudoers
     can deal with environment variables.

     By default, the env_reset option is enabled.  This causes commands to be
     executed with a new, minimal environment.  On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file.  The new environment contains the TERM, PATH,
     HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addi‐
     tion to variables from the invoking process permitted by the env_check
     and env_keep options.  This is effectively a whitelist for environment
     variables.

     If, however, the env_reset option is disabled, any variables not explic‐
     itly denied by the env_check and env_delete options are inherited from
     the invoking process.  In this case, env_check and env_delete behave like
     a blacklist.  Since it is not possible to blacklist all potentially dan‐
     gerous environment variables, use of the default env_reset behavior is
     encouraged.

     In all cases, environment variables with a value beginning with () are
     removed as they could be interpreted as bash functions.  The list of
     environment variables that sudo allows or denies is contained in the out‐
     put of “sudo -V” when run as root.

     Note that the dynamic linker on most operating systems will remove vari‐
     ables that can control dynamic linking from the environment of setuid
     executables, including sudo.  Depending on the operating system this may
     include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
     These types of variables are removed from the environment before sudo
     even begins execution and, as such, it is not possible for sudo to pre‐
     serve them.

     As a special case, if sudo's -i option (initial login) is specified,
     sudoers will initialize the environment regardless of the value of
     env_reset.  The DISPLAY, PATH and TERM variables remain unchanged; HOME,
     MAIL, SHELL, USER, and LOGNAME are set based on the target user.  On AIX
     (and Linux systems without PAM), the contents of /etc/environment are
     also included.  All other environment variables are removed.

     Finally, if the env_file option is defined, any variables present in that
     file will be set to their specified values as long as they would not con‐
     flict with an existing environment variable.

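     The following is an added example, not sudo's own code, that models the
     two modes described above on a constructed invoking environment.  The
     env_keep, env_check and env_delete lists are hypothetical Defaults.  The
     "safe value" rule used for env_check (a value containing no ‘/’ or ‘%’)
     follows the env_check option description, with sudo's special handling of
     TZ left out.  It shows why a blacklist cannot catch a variable nobody
     thought to list, while env_reset drops it by default.

```python
"""Model of the env_reset whitelist and of the blacklist used when it is
disabled.  Added example, not sudo's code.  The env_* lists are hypothetical
Defaults and the invoking environment is constructed."""
import fnmatch

# Variables sudoers always provides under env_reset (sudo fills them from the
# target user's passwd entry; here they are taken from the constructed input).
RESET_BASE = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}


def _listed(name, patterns):
    """True if NAME matches an entry of an env_* list (entries may be globs)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def _safe_value(value):
    """env_check keeps a variable only if its value contains no '/' or '%'
    (generic rule from the env_check option; TZ's special rule is omitted)."""
    return "/" not in value and "%" not in value


def filter_env(env, env_reset, env_keep=(), env_check=(), env_delete=()):
    """Return the environment a command would inherit through sudoers."""
    out = {}
    for name, value in env.items():
        if value.startswith("()"):          # looks like an exported bash function
            continue
        if name.startswith("SUDO_"):        # set by sudo itself; passed through here
            out[name] = value
        elif env_reset:
            # Whitelist: base set, env_keep, or env_check with a safe value.
            if name in RESET_BASE or _listed(name, env_keep):
                out[name] = value
            elif _listed(name, env_check) and _safe_value(value):
                out[name] = value
        else:
            # Blacklist: everything survives unless env_delete names it, or
            # env_check names it and the value is unsafe.
            if _listed(name, env_delete):
                continue
            if _listed(name, env_check) and not _safe_value(value):
                continue
            out[name] = value
    return out


# Constructed invoking environment containing a few hostile entries.
USER_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "EDITOR": "vim",
    "LANG": "en_US.UTF-8",                   # env_check variable, safe value
    "TZ": "/etc/../tmp/evil",                # env_check variable, unsafe value
    "PYTHONPATH": "/tmp/evil",               # library-injection knob nobody listed
    "BASH_FUNC_ls%%": "() { echo pwned; }",  # exported function body
    "SUDO_COMMAND": "/usr/bin/id",
}

if __name__ == "__main__":
    strict = filter_env(USER_ENV, env_reset=True,
                        env_keep=["EDITOR"], env_check=["TZ", "LANG"])
    loose = filter_env(USER_ENV, env_reset=False,
                       env_check=["TZ", "LANG"], env_delete=["PERL5OPT"])
    print("env_reset on :", sorted(strict))
    print("env_reset off:", sorted(loose))
```

     With env_reset on, PYTHONPATH is gone because nothing permitted it; with
     env_reset off it survives because the hypothetical env_delete list only
     names PERL5OPT.  The bash function export is removed in both modes.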
SUDOERS FILE FORMAT
     The sudoers file is composed of two types of entries: aliases (basically
     variables) and user specifications (which specify who may run what).

     When multiple entries match for a user, they are applied in order.  Where
     there are multiple matches, the last match is used (which is not neces‐
     sarily the most specific match).

     The sudoers grammar will be described below in Extended Backus-Naur Form
     (EBNF).  Don't despair if you are unfamiliar with EBNF; it is fairly sim‐
     ple, and the definitions below are annotated.

   Quick guide to EBNF
     EBNF is a concise and exact way of describing the grammar of a language.
     Each EBNF definition is made up of production rules.  E.g.,

     symbol ::= definition | alternate1 | alternate2 ...

     Each production rule references others and thus makes up a grammar for
     the language.  EBNF also contains the following operators, which many
     readers will recognize from regular expressions.  Do not, however, con‐
     fuse them with “wildcard” characters, which have different meanings.

     ?     Means that the preceding symbol (or group of symbols) is optional.
           That is, it may appear once or not at all.

     *     Means that the preceding symbol (or group of symbols) may appear
           zero or more times.

     +     Means that the preceding symbol (or group of symbols) may appear
           one or more times.

     Parentheses may be used to group symbols together.  For clarity, we will
     use single quotes ('') to designate what is a verbatim character string
     (as opposed to a symbol name).

   Aliases
     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
     Cmnd_Alias.

     Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
               'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
               'Host_Alias'  Host_Alias (':' Host_Alias)* |
               'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

     User_Alias ::= NAME '=' User_List

     Runas_Alias ::= NAME '=' Runas_List

     Host_Alias ::= NAME '=' Host_List

     Cmnd_Alias ::= NAME '=' Cmnd_List

     NAME ::= [A-Z]([A-Z] | [0-9] | '_')*

     Each alias definition is of the form

     Alias_Type NAME = item1, item2, ...

     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
     Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and under‐
     score characters (‘_’).  A NAME must start with an uppercase letter.  It
     is possible to put several alias definitions of the same type on a single
     line, joined by a colon (‘:’).  E.g.,

     Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

     The definitions of what constitutes a valid alias member follow.

     User_List ::= User |
                   User ',' User_List

     User ::= '!'* user name |
              '!'* #uid |
              '!'* %group |
              '!'* %#gid |
              '!'* +netgroup |
              '!'* %:nonunix_group |
              '!'* %:#nonunix_gid |
              '!'* User_Alias

     A User_List is made up of one or more user names, user ids (prefixed with
     ‘#’), system group names and ids (prefixed with ‘%’ and ‘%#’ respec‐
     tively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
     (prefixed with ‘%:’ and ‘%:#’ respectively) and User_Aliases.  Each list
     item may be prefixed with zero or more ‘!’ operators.  An odd number of
     ‘!’ operators negate the value of the item; an even number just cancel
     each other out.

     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
     be enclosed in double quotes to avoid the need for escaping special char‐
     acters.  Alternately, special characters may be specified in escaped hex
     mode, e.g. \x20 for space.  When using double quotes, any prefix charac‐
     ters must be included inside the quotes.

     The actual nonunix_group and nonunix_gid syntax depends on the underlying
     group provider plugin (see the group_plugin description below).  For
     instance, the QAS AD plugin supports the following formats:

     ·     Group in the same domain: "%:Group Name"

     ·     Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

     ·     Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

     Note that quotes around group names are optional.  Unquoted strings must
     use a backslash (‘\’) to escape spaces and special characters.  See Other
     special characters and reserved words for a list of characters that need
     to be escaped.

     Runas_List ::= Runas_Member |
                    Runas_Member ',' Runas_List

     Runas_Member ::= '!'* user name |
                      '!'* #uid |
                      '!'* %group |
                      '!'* %#gid |
                      '!'* %:nonunix_group |
                      '!'* %:#nonunix_gid |
                      '!'* +netgroup |
                      '!'* Runas_Alias

     A Runas_List is similar to a User_List except that instead of
     User_Aliases it can contain Runas_Aliases.  Note that user names and
     groups are matched as strings.  In other words, two users (groups) with
     the same uid (gid) are considered to be distinct.  If you wish to match
     all user names with the same uid (e.g. root and toor), you can use a uid
     instead (#0 in the example given).

     Host_List ::= Host |
                   Host ',' Host_List

     Host ::= '!'* host name |
              '!'* ip_addr |
              '!'* network(/netmask)? |
              '!'* +netgroup |
              '!'* Host_Alias

     A Host_List is made up of one or more host names, IP addresses, network
     numbers, netgroups (prefixed with ‘+’) and other aliases.  Again, the
     value of an item may be negated with the ‘!’ operator.  If you do not
     specify a netmask along with the network number, sudo will query each of
     the local host's network interfaces and, if the network number corre‐
     sponds to one of the host's network interfaces, the corresponding net‐
     mask will be used.  The netmask may be specified either in standard IP
     address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
     notation (number of bits, e.g. 24 or 64).  A host name may include shell-
     style wildcards (see the Wildcards section below), but unless the host
     name command on your machine returns the fully qualified host name,
     you'll need to use the fqdn option for wildcards to be useful.  Note that
     sudo only inspects actual network interfaces; this means that IP address
     127.0.0.1 (localhost) will never match.  Also, the host name “localhost”
     will only match if that is the actual host name, which is usually only
     the case for non-networked systems.

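     The following is an added example, not sudo's code, showing how the
     ip_addr and network(/netmask) forms above are matched against the local
     host's interface addresses.  The interface list is constructed; the loop‐
     back address is deliberately absent from it, which is why 127.0.0.1 never
     matches.  Both netmask spellings (address-style and CIDR bits) are han‐
     dled, and a network number without a mask takes its mask from the inter‐
     face whose network it names.

```python
"""Host_List address matching for the local host.  Added example, not sudo's
code; INTERFACES is a constructed stand-in for the host's real interfaces."""
import ipaddress

INTERFACES = [ipaddress.ip_interface("10.1.2.3/24"),
              ipaddress.ip_interface("fd00:1::5/64")]


def _prefixlen(mask):
    """Accept CIDR bits ('24') or an address-style mask ('255.255.255.0',
    'ffff:ffff:ffff:ffff::').  ipaddress only parses the former for IPv6,
    so contiguous address-style masks are converted by counting set bits."""
    if mask.isdigit():
        return int(mask)
    return bin(int(ipaddress.ip_address(mask))).count("1")


def local_host_matches(item, interfaces=INTERFACES):
    """Does a Host_List ip_addr or network(/netmask) item match this host?"""
    net_text, _, mask = item.partition("/")
    addr = ipaddress.ip_address(net_text)
    same_family = [i for i in interfaces if i.version == addr.version]
    if mask:
        network = ipaddress.ip_network(f"{addr}/{_prefixlen(mask)}", strict=False)
        return any(i.ip in network for i in same_family)
    # No mask: either an interface address itself, or the network number of
    # an interface (whose own netmask is then implied).
    return any(i.ip == addr or i.network.network_address == addr
               for i in same_family)


if __name__ == "__main__":
    for item in ("10.1.2.3", "10.1.2.0/255.255.255.0", "10.1.2.0/24",
                 "10.1.2.0", "10.1.0.0", "fd00:1::/ffff:ffff:ffff:ffff::",
                 "127.0.0.1"):
        print(f"{item:35} {local_host_matches(item)}")
```

     The 10.1.0.0 entry does not match: no interface has that network number,
     so there is no netmask to borrow and the bare address is not an interface
     address either.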
     Cmnd_List ::= Cmnd |
                   Cmnd ',' Cmnd_List

     command name ::= file name |
                      file name args |
                      file name '""'

     Cmnd ::= '!'* command name |
              '!'* directory |
              '!'* "sudoedit" |
              '!'* Cmnd_Alias

     A Cmnd_List is a list of one or more command names, directories, and
     other aliases.  A command name is a fully qualified file name which may
     include shell-style wildcards (see the Wildcards section below).  A sim‐
     ple file name allows the user to run the command with any arguments
     he/she wishes.  However, you may also specify command line arguments
     (including wildcards).  Alternately, you can specify "" to indicate that
     the command may only be run without command line arguments.  A directory
     is a fully qualified path name ending in a ‘/’.  When you specify a
     directory in a Cmnd_List, the user will be able to run any file within
     that directory (but not in any sub-directories therein).

     If a Cmnd has associated command line arguments, then the arguments in
     the Cmnd must match exactly those given by the user on the command line
     (or match the wildcards if there are any).  Note that the following char‐
     acters must be escaped with a ‘\’ if they are used in command arguments:
     ‘,’, ‘:’, ‘=’, ‘\’.  The special command “sudoedit” is used to permit a
     user to run sudo with the -e option (or as sudoedit).  It may take com‐
     mand line arguments just as a normal command does.

   Defaults
     Certain configuration options may be changed from their default values at
     run-time via one or more Default_Entry lines.  These may affect all users
     on any host, all users on a specific host, a specific user, a specific
     command, or commands being run as a specific user.  Note that per-command
     entries may not include command line arguments.  If you need to specify
     arguments, define a Cmnd_Alias and reference that instead.

     Default_Type ::= 'Defaults' |
                      'Defaults' '@' Host_List |
                      'Defaults' ':' User_List |
                      'Defaults' '!' Cmnd_List |
                      'Defaults' '>' Runas_List

     Default_Entry ::= Default_Type Parameter_List

     Parameter_List ::= Parameter |
                        Parameter ',' Parameter_List

     Parameter ::= Parameter '=' Value |
                   Parameter '+=' Value |
                   Parameter '-=' Value |
                   '!'* Parameter

     Parameters may be flags, integer values, strings, or lists.  Flags are
     implicitly boolean and can be turned off via the ‘!’ operator.  Some
     integer, string and list parameters may also be used in a boolean context
     to disable them.  Values may be enclosed in double quotes ("") when they
     contain multiple words.  Special characters may be escaped with a back‐
     slash (‘\’).

     Lists have two additional assignment operators, += and -=.  These opera‐
     tors are used to add to and delete from a list respectively.  It is not
     an error to use the -= operator to remove an element that does not exist
     in a list.

     Defaults entries are parsed in the following order: generic, host and
     user Defaults first, then runas Defaults and finally command defaults.

     See SUDOERS OPTIONS for a list of supported Defaults parameters.

   User specification
     User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                   (':' Host_List '=' Cmnd_Spec_List)*

     Cmnd_Spec_List ::= Cmnd_Spec |
                        Cmnd_Spec ',' Cmnd_Spec_List

     Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

     Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

     SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

     Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                   'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                   'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

     A user specification determines which commands a user may run (and as
     what user) on specified hosts.  By default, commands are run as root, but
     this can be changed on a per-command basis.

     The basic structure of a user specification is “who where = (as_whom)
     what”.  Let's break that down into its constituent parts:

   Runas_Spec
     A Runas_Spec determines the user and/or the group that a command may be
     run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
     defined above) separated by a colon (‘:’) and enclosed in a set of paren‐
     theses.  The first Runas_List indicates which users the command may be
     run as via sudo's -u option.  The second defines a list of groups that
     can be specified via sudo's -g option.  If both Runas_Lists are speci‐
     fied, the command may be run with any combination of users and groups
     listed in their respective Runas_Lists.  If only the first is specified,
     the command may be run as any user in the list but no -g option may be
     specified.  If the first Runas_List is empty but the second is specified,
     the command may be run as the invoking user with the group set to any
     listed in the Runas_List.  If both Runas_Lists are empty, the command may
     only be run as the invoking user.  If no Runas_Spec is specified the com‐
     mand may be run as root and no group may be specified.

     A Runas_Spec sets the default for the commands that follow it.  What this
     means is that for the entry:

     dgb     boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm—but only as
     operator.  E.g.,

     $ sudo -u operator /bin/ls

     It is also possible to override a Runas_Spec later on in an entry.  If we
     modify the entry like so:

     dgb     boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
     and /usr/bin/lprm as root.

     We can extend this to allow dgb to run /bin/ls with either the user or
     group set to operator:

     dgb     boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
             /usr/bin/lprm

     Note that while the group portion of the Runas_Spec permits the user to
     run a command with that group, it does not force the user to do so.  If
     no group is specified on the command line, the command will run with the
     group listed in the target user's password database entry.  The following
     would all be permitted by the sudoers entry above:

     $ sudo -u operator /bin/ls
     $ sudo -u operator -g operator /bin/ls
     $ sudo -g operator /bin/ls

     In the following example, user tcm may run commands that access a modem
     device file with the dialer group.

     tcm     boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
             /usr/local/bin/minicom

     Note that in this example only the group will be set, the command still
     runs as user tcm.  E.g.

     $ sudo -g dialer /usr/bin/cu

     Multiple users and groups may be present in a Runas_Spec, in which case
     the user may select any combination of users and groups via the -u and -g
     options.  In this example:

     alan    ALL = (root, bin : operator, system) ALL

     user alan may run any command as either user root or bin, optionally set‐
     ting the group to operator or system.

   SELinux_Spec
     On systems with SELinux support, sudoers entries may optionally have an
     SELinux role and/or type associated with a command.  If a role or type is
     specified with the command it will override any default values specified
     in sudoers.  A role or type specified on the command line, however, will
     supersede the values in sudoers.

   Tag_Spec
     A command may have zero or more tags associated with it.  There are ten
     possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
     LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a tag is set
     on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
     it is overridden by the opposite tag (in other words, PASSWD overrides
     NOPASSWD and NOEXEC overrides EXEC).

     NOPASSWD and PASSWD

     By default, sudo requires that a user authenticate him or herself before
     running a command.  This behavior can be modified via the NOPASSWD tag.
     Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
     follow it in the Cmnd_Spec_List.  Conversely, the PASSWD tag can be used
     to reverse things.  For example:

     ray     rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

     would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as
     root on the machine rushmore without authenticating himself.  If we only
     want ray to be able to run /bin/kill without a password the entry would
     be:

     ray     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

     Note, however, that the PASSWD tag has no effect on users who are in the
     group specified by the exempt_group option.

     By default, if the NOPASSWD tag is applied to any of the entries for a
     user on the current host, he or she will be able to run “sudo -l” without
     a password.  Additionally, a user may only run “sudo -v” without a pass‐
     word if the NOPASSWD tag is present for all a user's entries that pertain
     to the current host.  This behavior may be overridden via the verifypw
     and listpw options.

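     The following is an added example, not sudo's parser, that models how a
     Cmnd_Spec_List is read so that the Runas_Spec and Tag_Spec rules above
     can be checked against the entries quoted in both sections: a Runas_Spec
     and a tag each set the default for the Cmnds that follow, a tag is
     cleared by its opposite, SETENV is implied for ALL, and an invocation is
     then tested for its -u/-g combination.  It relies on sudo's documented
     behavior that -g without -u runs the command as the invoking user.  Com‐
     mands are compared literally (no wildcards), and negated Cmnds, aliases
     and escaped commas are not handled.

```python
"""Model of Cmnd_Spec_List parsing and of the resulting runas/tag checks.
Added example, not sudo's parser; the Cmnd_Spec_Lists below are the ones
quoted in the text."""
import re
from dataclasses import dataclass

TAG_PAIRS = [("NOPASSWD", "PASSWD"), ("NOEXEC", "EXEC"), ("SETENV", "NOSETENV"),
             ("LOG_INPUT", "NOLOG_INPUT"), ("LOG_OUTPUT", "NOLOG_OUTPUT")]
OPPOSITE = {a: b for x, y in TAG_PAIRS for a, b in ((x, y), (y, x))}


@dataclass(frozen=True)
class CmndSpec:
    cmnd: str
    users: tuple       # () means "the invoking user only"
    groups: tuple      # () means "no -g permitted"
    tags: frozenset


def _split_top_level(text):
    """Split on ',' outside parentheses so '(root, bin : operator)' stays whole."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def _parse_runas(inner):
    """'users : groups' -> (users, groups); either side may be empty."""
    users, _, groups = inner.partition(":")
    as_tuple = lambda s: tuple(x.strip() for x in s.split(",") if x.strip())
    return as_tuple(users), as_tuple(groups)


def parse_cmnd_spec_list(text):
    specs, users, groups, tags = [], ("root",), (), frozenset()
    for spec in _split_top_level(text):
        if m := re.match(r"\(([^)]*)\)\s*", spec):        # Runas_Spec: new default
            users, groups = _parse_runas(m.group(1))
            spec = spec[m.end():]
        while (m := re.match(r"([A-Z_]+):\s*", spec)) and m.group(1) in OPPOSITE:
            tags = (tags - {OPPOSITE[m.group(1)]}) | {m.group(1)}  # tag replaces its opposite
            spec = spec[m.end():]
        entry_tags = tags | {"SETENV"} if spec == "ALL" and "NOSETENV" not in tags else tags
        specs.append(CmndSpec(spec, users, groups, entry_tags))
    return specs


def permitted(specs, invoker, cmnd, run_user=None, run_group=None):
    """Tags of the last matching Cmnd_Spec, or None if the run is not allowed.
    With -g but no -u, sudo runs the command as the invoking user; with
    neither, the target is root."""
    if run_user is None:
        run_user = invoker if run_group is not None else "root"
    result = None
    for s in specs:
        if s.cmnd not in (cmnd, "ALL"):
            continue
        allowed_users = s.users or (invoker,)
        user_ok = (run_user in allowed_users or "ALL" in allowed_users
                   or (run_group is not None and run_user == invoker))  # only the gid changes
        group_ok = run_group is None or run_group in s.groups or "ALL" in s.groups
        if user_ok and group_ok:
            result = s.tags
    return result


# Cmnd_Spec_Lists from the entries quoted in the text.
DGB = parse_cmnd_spec_list("(operator : operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm")
TCM = parse_cmnd_spec_list("(:dialer) /usr/bin/tip, /usr/bin/cu, /usr/local/bin/minicom")
RAY = parse_cmnd_spec_list("NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm")
ALAN = parse_cmnd_spec_list("(root, bin : operator, system) ALL")

if __name__ == "__main__":
    print(permitted(DGB, "dgb", "/bin/ls", run_group="operator"))  # frozenset(): allowed
    print(permitted(DGB, "dgb", "/bin/kill", "operator"))          # None: kill is root-only
    print(permitted(RAY, "ray", "/bin/kill"))                      # frozenset({'NOPASSWD'})
    print(permitted(RAY, "ray", "/usr/bin/lprm"))                  # frozenset({'PASSWD'})
```

     Note how /usr/bin/lprm in the dgb entry inherits (root) from the preced‐
     ing Cmnd and in the ray entry inherits PASSWD, exactly the carry-forward
     behavior the two sections describe.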
     NOEXEC and EXEC

     If sudo has been compiled with noexec support and the underlying operat‐
     ing system supports it, the NOEXEC tag can be used to prevent a dynami‐
     cally-linked executable from running further commands itself.

     In the following example, user aaron may run /usr/bin/more and
     /usr/bin/vi but shell escapes will be disabled.

     aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

     See the Preventing shell escapes section below for more details on how
     NOEXEC works and whether or not it will work on your system.

     SETENV and NOSETENV

     These tags override the value of the setenv option on a per-command
     basis.  Note that if SETENV has been set for a command, the user may dis‐
     able the env_reset option from the command line via the -E option.  Addi‐
     tionally, environment variables set on the command line are not subject
     to the restrictions imposed by env_check, env_delete, or env_keep.  As
     such, only trusted users should be allowed to set variables in this man‐
     ner.  If the command matched is ALL, the SETENV tag is implied for that
     command; this default may be overridden by use of the NOSETENV tag.

     LOG_INPUT and NOLOG_INPUT

     These tags override the value of the log_input option on a per-command
     basis.  For more information, see the description of log_input in the
     SUDOERS OPTIONS section below.

     LOG_OUTPUT and NOLOG_OUTPUT

     These tags override the value of the log_output option on a per-command
     basis.  For more information, see the description of log_output in the
     SUDOERS OPTIONS section below.

   Wildcards
     sudo allows shell-style wildcards (aka meta or glob characters) to be
     used in host names, path names and command line arguments in the sudoers
     file.  Wildcard matching is done via the POSIX glob(3) and fnmatch(3)
     routines.  Note that these are not regular expressions.

     *         Matches any set of zero or more characters.

     ?         Matches any single character.

     [...]     Matches any character in the specified range.

     [!...]    Matches any character not in the specified range.

     \x        For any character ‘x’, evaluates to ‘x’.  This is used to
               escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.

     POSIX character classes may also be used if your system's glob(3) and
     fnmatch(3) functions support them.  However, because the ‘:’ character
     has special meaning in sudoers, it must be escaped.  For example:

         /bin/ls [[\:alpha\:]]*

     Would match any file name beginning with a letter.

     Note that a forward slash (‘/’) will not be matched by wildcards used in
     the path name.  This is to make a path like:

         /usr/bin/*

     match /usr/bin/who but not /usr/bin/X11/xterm.

     When matching the command line arguments, however, a slash does get
     matched by wildcards since command line arguments may contain arbitrary
     strings and not just path names.

     Wildcards in command line arguments should be used with care.  Because
     command line arguments are matched as a single, concatenated string, a
     wildcard such as ‘?’ or ‘*’ can match multiple words.  For example, while
     a sudoers entry like:

         %operator ALL = /bin/cat /var/log/messages*

     will allow a command like:

         $ sudo cat /var/log/messages.1

     It will also allow:

         $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended.

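     The following is an added example, not sudo's code, that reproduces the
     two matching rules above with Python's fnmatch module (fnmatch(3) seman‐
     tics): path names are compared component by component so a wildcard
     never crosses a ‘/’, while arguments are joined with single spaces and
     matched as one string.  It runs the over-broad /var/log/messages* rule
     from the text beside a constructed pair of rules that enumerate the
     rotated log names instead.  It compares strings only (sudo also expands
     the path pattern against the filesystem with glob(3)), and POSIX charac‐
     ter classes are not handled by Python's fnmatch.

```python
"""Wildcard matching as sudoers applies it to paths and to arguments.
Added example, not sudo's code; the rules and invocations are constructed."""
import fnmatch


def parse_cmnd(text):
    """Split a Cmnd into (path pattern, argument patterns).

    None means any arguments are allowed; [] stands for "" (no arguments)."""
    path, *args = text.split()
    if not args:
        return path, None
    if args == ['""']:
        return path, []
    return path, args


def path_matches(pattern, path):
    """Wildcards in the path do not match '/', so compare per component."""
    pp, cc = pattern.split("/"), path.split("/")
    return len(pp) == len(cc) and all(fnmatch.fnmatchcase(c, p) for p, c in zip(pp, cc))


def args_match(arg_patterns, user_args):
    """Arguments are compared as one space-joined string, so '*' can span
    words (and slashes)."""
    return fnmatch.fnmatchcase(" ".join(user_args), " ".join(arg_patterns))


def command_allowed(rule, command, user_args):
    """Does a parsed Cmnd permit running COMMAND with USER_ARGS?"""
    path_pat, arg_pats = rule
    if not path_matches(path_pat, command):
        return False
    if arg_pats is None:
        return True
    if arg_pats == []:
        return not user_args
    return args_match(arg_pats, user_args)


def any_allowed(rules, command, user_args):
    return any(command_allowed(r, command, user_args) for r in rules)


# The over-broad rule from the text, and a tighter constructed pair that
# names the current log and the rotated ones explicitly.
LOOSE = [parse_cmnd("/bin/cat /var/log/messages*")]
TIGHT = [parse_cmnd("/bin/cat /var/log/messages"),
         parse_cmnd("/bin/cat /var/log/messages.[0-9]")]

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE), ("tight", TIGHT)):
        for args in (["/var/log/messages.1"], ["/var/log/messages", "/etc/shadow"]):
            print(label, args, any_allowed(rules, "/bin/cat", args))
```

     The tight rules still cover messages.1 through messages.9 but cannot
     match a second argument, because neither a literal nor a one-character
     range can absorb the space that separates it.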
   Exceptions to wildcard rules
     The following exceptions apply to the above rules:

     ""        If the empty string "" is the only command line argument in the
               sudoers entry it means that command is not allowed to be run
               with any arguments.

     sudoedit  Command line arguments to the sudoedit built-in command should
               always be path names, so a forward slash (‘/’) will not be
               matched by a wildcard.

   Including other files from within sudoers
     It is possible to include other sudoers files from within the sudoers
     file currently being parsed using the #include and #includedir direc‐
     tives.

     This can be used, for example, to keep a site-wide sudoers file in addi‐
     tion to a local, per-machine file.  For the sake of this example the
     site-wide sudoers will be /etc/sudoers and the per-machine one will be
     /etc/sudoers.local.  To include /etc/sudoers.local from within
     /etc/sudoers we would use the following line in /etc/sudoers:

         #include /etc/sudoers.local

     When sudo reaches this line it will suspend processing of the current
     file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching the
     end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
     Files that are included may themselves include other files.  A hard limit
     of 128 nested include files is enforced to prevent include file loops.

     If the path to the include file is not fully-qualified (does not begin
     with a ‘/’), it must be located in the same directory as the sudoers file
     it was included from.  For example, if /etc/sudoers contains the line:

         #include sudoers.local

     the file that will be included is /etc/sudoers.local.

     The file name may also include the %h escape, signifying the short form
     of the host name.  In other words, if the machine's host name is
     “xerxes”, then

         #include /etc/sudoers.%h

     will cause sudo to include the file /etc/sudoers.xerxes.

     The #includedir directive can be used to create a sudo.d directory that
     the system package manager can drop sudoers rules into as part of package
     installation.  For example, given:

         #includedir /etc/sudoers.d

     sudo will read each file in /etc/sudoers.d, skipping file names that end
     in ‘~’ or contain a ‘.’ character to avoid causing problems with package
     manager or editor temporary/backup files.  Files are parsed in sorted
     lexical order.  That is, /etc/sudoers.d/01_first will be parsed before
     /etc/sudoers.d/10_second.  Be aware that because the sorting is lexical,
     not numeric, /etc/sudoers.d/1_whoops would be loaded after
     /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes in
     the file names avoids such problems.

     Note that unlike files included via #include, visudo will not edit the
     files in a #includedir directory unless one of them contains a syntax
     error.  It is still possible to run visudo with the -f flag to edit the
     files directly.

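     The following is an added example, not sudo's code, that applies the
     include rules above to a constructed directory listing and host name:
     relative #include paths resolve against the including file's directory,
     %h expands to the short host name, and #includedir skips names contain‐
     ing ‘.’ or ending in ‘~’ and parses the rest in lexical order.  The pre‐
     fix-width check at the end is an added sanity test for the 1_whoops
     versus 10_second ordering trap; it is not something sudo performs.

```python
"""#include / #includedir resolution and ordering.  Added example, not sudo's
code; LISTING is a constructed stand-in for /etc/sudoers.d."""
import posixpath
import re


def resolve_include(including_file, target, hostname):
    """Path for '#include TARGET' found inside INCLUDING_FILE."""
    target = target.replace("%h", hostname.split(".")[0])   # short host name
    if not target.startswith("/"):
        target = posixpath.join(posixpath.dirname(including_file), target)
    return target


def includedir_order(names):
    """Files sudo would parse from a #includedir directory, in parse order."""
    return sorted(n for n in names if "." not in n and not n.endswith("~"))


def inconsistent_prefixes(names):
    """Names whose leading digit run is narrower than the widest one.  Lexical
    order compares character by character, so such names do not sort where
    their numeric value suggests (1_whoops loads after 10_second).  Added
    check, not a sudo behaviour."""
    widths = {}
    for n in names:
        m = re.match(r"\d+", n)
        if m:
            widths[n] = len(m.group(0))
    if not widths:
        return []
    widest = max(widths.values())
    return sorted(n for n, w in widths.items() if w < widest)


# Constructed listing of /etc/sudoers.d, including editor and package residue.
LISTING = ["10_second", "1_whoops", "01_first", "README.md", "webadmin~",
           "90-cloud-init-users", ".#tmp"]

if __name__ == "__main__":
    print(resolve_include("/etc/sudoers", "sudoers.local", "xerxes.example.org"))
    print(resolve_include("/etc/sudoers", "/etc/sudoers.%h", "xerxes.example.org"))
    order = includedir_order(LISTING)
    print(order)
    print("suspicious prefix widths:", inconsistent_prefixes(order))
```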
   Other special characters and reserved words
     The pound sign (‘#’) is used to indicate a comment (unless it is part of
     a #include directive or unless it occurs in the context of a user name
     and is followed by one or more digits, in which case it is treated as a
     uid).  Both the comment character and any text after it, up to the end of
     the line, are ignored.

     The reserved word ALL is a built-in alias that always causes a match to
     succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
     User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
     your own alias called ALL as the built-in alias will be used in prefer‐
     ence to your own.  Please note that using ALL can be dangerous since in a
     command context, it allows the user to run any command on the system.

     An exclamation point (‘!’) can be used as a logical not operator in a
     list or alias as well as in front of a Cmnd.  This allows one to exclude
     certain values.  For the ‘!’ operator to be effective, there must be
     something for it to exclude.  For example, to match all users except for
     root one would use:

         ALL,!root

     If the ALL, is omitted, as in:

         !root

     it would explicitly deny root but not match any other users.  This is
     different from a true “negation” operator.

     Note, however, that using a ‘!’ in conjunction with the built-in ALL
     alias to allow a user to run “all but a few” commands rarely works as
     intended (see SECURITY NOTES below).

656     Long lines can be continued with a backslash (‘\’) as the last character
657     on the line.
658
659     White space between elements in a list as well as special syntactic char‐
660     acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
661
662     The following characters must be escaped with a backslash (‘\’) when used
663     as part of a word (e.g. a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
664     ‘(’, ‘)’, ‘\’.
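As an added illustration, constructed here and not part of the manual, a sudoers fragment that uses the list syntax described above: the ALL alias with ‘!’, line continuation with a trailing backslash, and backslash escaping inside a word. The alias names, commands and the CORP\admins group are hypothetical.

```sudoers
# Constructed example, not taken from sudoers(5).

# "ALL, !root" matches every user except root.  On its own, "!root" would
# explicitly deny root but match nobody else, so it grants nothing.
User_Alias  NOT_ROOT = ALL, !root

# A long command list continued across lines with a trailing backslash.
Cmnd_Alias  WEBSVC = /usr/bin/systemctl restart nginx, \
                     /usr/bin/systemctl reload nginx, \
                     /usr/bin/systemctl status nginx

# Grant explicit commands rather than subtracting from ALL: "ALL, !SHELLS"
# style lists rarely work as intended (see SECURITY NOTES).
NOT_ROOT    ALL = (root) WEBSVC

# Characters that are part of a word must be escaped with a backslash:
# the group name CORP\admins is written with "\\", and the comma inside
# the mount options is written as "\,".
%CORP\\admins ALL = (root) /usr/bin/mount -o ro\,noexec /dev/sdb1 /mnt
```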
665

SUDOERS OPTIONS

667     sudo's behavior can be modified by Default_Entry lines, as explained ear‐
668     lier.  A list of all supported Defaults parameters, grouped by type, are
669     listed below.
670
671     Boolean Flags:
672
673     always_set_home   If enabled, sudo will set the HOME environment variable
674                       to the home directory of the target user (which is root
675                       unless the -u option is used).  This effectively means
676                       that the -H option is always implied.  Note that HOME
677                       is already set when the env_reset option is
678                       enabled, so always_set_home is only effective for con‐
679                       figurations where either env_reset is disabled or HOME
680                       is present in the env_keep list.  This flag is off by
681                       default.
682
683     authenticate      If set, users must authenticate themselves via a pass‐
684                       word (or other means of authentication) before they may
685                       run commands.  This default may be overridden via the
686                       PASSWD and NOPASSWD tags.  This flag is on by default.
687
688     closefrom_override
689                       If set, the user may use sudo's -C option which over‐
690                       rides the default starting point at which sudo begins
691                       closing open file descriptors.  This flag is off by
692                       default.
693
694     compress_io       If set, and sudo is configured to log a command's input
695                       or output, the I/O logs will be compressed using zlib.
696                       This flag is on by default when sudo is compiled with
697                       zlib support.
698
699     env_editor        If set, visudo will use the value of the EDITOR or
700                       VISUAL environment variables before falling back on the
701                       default editor list.  Note that this may create a secu‐
702                       rity hole as it allows the user to run any arbitrary
703                       command as root without logging.  A safer alternative
704                       is to place a colon-separated list of editors in the
705                       editor variable.  visudo will then only use the EDITOR
706                       or VISUAL if they match a value specified in editor.
707                       This flag is on by default.
708
709     env_reset         If set, sudo will run the command in a minimal environ‐
710                       ment containing the TERM, PATH, HOME, MAIL, SHELL,
711                       LOGNAME, USER, USERNAME and SUDO_* variables.  Any
712                       variables in the caller's environment that match the
713                       env_keep and env_check lists are then added, followed
714                       by any variables present in the file specified by the
715                       env_file option (if any).  The default contents of the
716                       env_keep and env_check lists are displayed when sudo is
717                       run by root with the -V option.  If the secure_path
718                       option is set, its value will be used for the PATH
719                       environment variable.  This flag is on by default.
720
721     fast_glob         Normally, sudo uses the glob(3) function to do shell-
722                       style globbing when matching path names.  However,
723                       since it accesses the file system, glob(3) can take a
724                       long time to complete for some patterns, especially
725                       when the pattern references a network file system that
726                       is mounted on demand (auto mounted).  The fast_glob
727                       option causes sudo to use the fnmatch(3) function,
728                       which does not access the file system to do its match‐
729                       ing.  The disadvantage of fast_glob is that it is
730                       unable to match relative path names such as ./ls or
731                       ../bin/ls.  This has security implications when path
732                       names that include globbing characters are used with
733                       the negation operator, ‘!’, as such rules can be triv‐
734                       ially bypassed.  As such, this option should not be
735                       used when sudoers contains rules that contain negated
736                       path names which include globbing characters.  This
737                       flag is off by default.
738
739     fqdn              Set this flag if you want to put fully qualified host
740                       names in the sudoers file when the local host name (as
741                       returned by the hostname command) does not contain the
742                       domain name.  In other words, instead of myhost you
743                       would use myhost.mydomain.edu.  You may still use the
744                       short form if you wish (and even mix the two).  This
745                       option is only effective when the “canonical” host
746                       name, as returned by the getaddrinfo() or
747                       gethostbyname() function, is a fully-qualified domain
748                       name.  This is usually the case when the system is con‐
749                       figured to use DNS for host name resolution.
750
751                       If the system is configured to use the /etc/hosts file
752                       in preference to DNS, the “canonical” host name may not
753                       be fully-qualified.  The order that sources are queried
754                       for host name resolution is usually specified in the
755                       /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
756                       or, in some cases, /etc/resolv.conf file.  In the
757                       /etc/hosts file, the first host name of the entry is
758                       considered to be the “canonical” name; subsequent names
759                       are aliases that are not used by sudoers.  For example,
760                       the following hosts file line for the machine “xyzzy”
761                       has the fully-qualified domain name as the “canonical”
762                       host name, and the short version as an alias.
763
764                             192.168.1.1    xyzzy.sudo.ws xyzzy
765
766                       If the machine's hosts file entry is not formatted
767                       properly, the fqdn option will not be effective if it
768                       is queried before DNS.
769
770                       Beware that when using DNS for host name resolution,
771                       turning on fqdn requires sudoers to make DNS lookups
772                       which renders sudo unusable if DNS stops working (for
773                       example if the machine is disconnected from the net‐
774                       work).  Also note that just like with the hosts file,
775                       you must use the “canonical” name as DNS knows it.
776                       That is, you may not use a host alias (CNAME entry) due
777                       to performance issues and the fact that there is no way
778                       to get all aliases from DNS.
779
780                       This flag is off by default.
781
782     ignore_dot        If set, sudo will ignore "." or "" (both denoting cur‐
783                       rent directory) in the PATH environment variable; the
784                       PATH itself is not modified.  This flag is on by
785                       default.
786
787     ignore_local_sudoers
788                       If set via LDAP, parsing of /etc/sudoers will be
789                       skipped.  This is intended for Enterprises that wish to
790                       prevent the usage of local sudoers files so that only
791                       LDAP is used.  This thwarts the efforts of rogue opera‐
792                       tors who would attempt to add roles to /etc/sudoers.
793                       When this option is present, /etc/sudoers does not even
794                       need to exist.  Since this option tells sudo how to
795                       behave when no specific LDAP entries have been matched,
796                       this sudoOption is only meaningful for the cn=defaults
797                       section.  This flag is off by default.
798
799     insults           If set, sudo will insult users when they enter an
800                       incorrect password.  This flag is off by default.
801
802     log_host          If set, the host name will be logged in the (non-sys‐
803                       log) sudo log file.  This flag is off by default.
804
805     log_input         If set, sudo will run the command in a pseudo tty and
806                       log all user input.  If the standard input is not con‐
807                       nected to the user's tty, due to I/O redirection or
808                       because the command is part of a pipeline, that input
809                       is also captured and stored in a separate log file.
810
811                       Input is logged to the directory specified by the
812                       iolog_dir option (/var/log/sudo-io by default) using a
813                       unique session ID that is included in the normal sudo
814                       log line, prefixed with “TSID=”.  The iolog_file option
815                       may be used to control the format of the session ID.
816
817                       Note that user input may contain sensitive information
818                       such as passwords (even if they are not echoed to the
819                       screen), which will be stored in the log file unen‐
820                       crypted.  In most cases, logging the command output via
821                       log_output is all that is required.
822
823     log_output        If set, sudo will run the command in a pseudo tty and
824                       log all output that is sent to the screen, similar to
825                       the script(1) command.  If the standard output or stan‐
826                       dard error is not connected to the user's tty, due to
827                       I/O redirection or because the command is part of a
828                       pipeline, that output is also captured and stored in
829                       separate log files.
830
831                       Output is logged to the directory specified by the
832                       iolog_dir option (/var/log/sudo-io by default) using a
833                       unique session ID that is included in the normal sudo
834                       log line, prefixed with “TSID=”.  The iolog_file option
835                       may be used to control the format of the session ID.
836
837                       Output logs may be viewed with the sudoreplay(8) util‐
838                       ity, which can also be used to list or search the
839                       available logs.
840
841     log_year          If set, the four-digit year will be logged in the (non-
842                       syslog) sudo log file.  This flag is off by default.
843
844     long_otp_prompt   When validating with a One Time Password (OTP) scheme
845                       such as S/Key or OPIE, a two-line prompt is used to
846                       make it easier to cut and paste the challenge to a
847                       local window.  It's not as pretty as the default but
848                       some people find it more convenient.  This flag is off
849                       by default.
850
851     mail_always       Send mail to the mailto user every time a user runs
852                       sudo.  This flag is off by default.
853
854     mail_badpass      Send mail to the mailto user if the user running sudo
855                       does not enter the correct password.  If the command
856                       the user is attempting to run is not permitted by
857                       sudoers and one of the mail_always, mail_no_host,
858                       mail_no_perms or mail_no_user flags is set, this flag
859                       will have no effect.  This flag is off by default.
860
861     mail_no_host      If set, mail will be sent to the mailto user if the
862                       invoking user exists in the sudoers file, but is not
863                       allowed to run commands on the current host.  This flag
864                       is off by default.
865
866     mail_no_perms     If set, mail will be sent to the mailto user if the
867                       invoking user is allowed to use sudo but the command
868                       they are trying is not listed in their sudoers file
869                       entry or is explicitly denied.  This flag is off by
870                       default.
871
872     mail_no_user      If set, mail will be sent to the mailto user if the
873                       invoking user is not in the sudoers file.  This flag is
874                       on by default.
875
876     noexec            If set, all commands run via sudo will behave as if the
877                       NOEXEC tag has been set, unless overridden by an EXEC
878                       tag.  See the description of NOEXEC and EXEC below as
879                       well as the Preventing shell escapes section at the end
880                       of this manual.  This flag is off by default.
881
882     path_info         Normally, sudo will tell the user when a command could
883                       not be found in their PATH environment variable.  Some
884                       sites may wish to disable this as it could be used to
885                       gather information on the location of executables that
886                       the normal user does not have access to.  The disadvan‐
887                       tage is that if the executable is simply not in the
888                       user's PATH, sudo will tell the user that they are not
889                       allowed to run it, which can be confusing.  This flag
890                       is on by default.
891
892     passprompt_override
893                       The password prompt specified by passprompt will nor‐
894                       mally only be used if the password prompt provided by
895                       systems such as PAM matches the string “Password:”.  If
896                       passprompt_override is set, passprompt will always be
897                       used.  This flag is off by default.
898
899     preserve_groups   By default, sudo will initialize the group vector to
900                       the list of groups the target user is in.  When
901                       preserve_groups is set, the user's existing group vec‐
902                       tor is left unaltered.  The real and effective group
903                       IDs, however, are still set to match the target user.
904                       This flag is off by default.
905
906     pwfeedback        By default, sudo reads the password like most other
907                       Unix programs, by turning off echo until the user hits
908                       the return (or enter) key.  Some users become confused
909                       by this as it appears to them that sudo has hung at
910                       this point.  When pwfeedback is set, sudo will provide
911                       visual feedback when the user presses a key.  Note that
912                       this does have a security impact as an onlooker may be
913                       able to determine the length of the password being
914                       entered.  This flag is off by default.
915
916     requiretty        If set, sudo will only run when the user is logged in
917                       to a real tty.  When this flag is set, sudo can only be
918                       run from a login session and not via other means such
919                       as cron(8) or cgi-bin scripts.  This flag is off by
920                       default.
921
922     root_sudo         If set, root is allowed to run sudo too.  Disabling
923                       this prevents users from “chaining” sudo commands to
924                       get a root shell by doing something like “sudo sudo
925                       /bin/sh”.  Note, however, that turning off root_sudo
926                       will also prevent root from running sudoedit.  Dis‐
927                       abling root_sudo provides no real additional security;
928                       it exists purely for historical reasons.  This flag is
929                       on by default.
930
931     rootpw            If set, sudo will prompt for the root password instead
932                       of the password of the invoking user.  This flag is off
933                       by default.
934
935     runaspw           If set, sudo will prompt for the password of the user
936                       defined by the runas_default option (defaults to root)
937                       instead of the password of the invoking user.  This
938                       flag is off by default.
939
940     set_home          If enabled and sudo is invoked with the -s option the
941                       HOME environment variable will be set to the home
942                       directory of the target user (which is root unless the
943                       -u option is used).  This effectively makes the -s
944                       option imply -H.  Note that HOME is already set when
945                       the env_reset option is enabled, so set_home is
946                       only effective for configurations where either
947                       env_reset is disabled or HOME is present in the
948                       env_keep list.  This flag is off by default.
949
950     set_logname       Normally, sudo will set the LOGNAME, USER and USERNAME
951                       environment variables to the name of the target user
952                       (usually root unless the -u option is given).  However,
953                       since some programs (including the RCS revision control
954                       system) use LOGNAME to determine the real identity of
955                       the user, it may be desirable to change this behavior.
956                       This can be done by negating the set_logname option.
957                       Note that if the env_reset option has not been dis‐
958                       abled, entries in the env_keep list will override the
959                       value of set_logname.  This flag is on by default.
960
961     set_utmp          When enabled, sudo will create an entry in the utmp (or
962                       utmpx) file when a pseudo-tty is allocated.  A pseudo-
963                       tty is allocated by sudo when the log_input, log_output
964                       or use_pty flags are enabled.  By default, the new
965                       entry will be a copy of the user's existing utmp entry
966                       (if any), with the tty, time, type and pid fields
967                       updated.  This flag is on by default.
968
969     setenv            Allow the user to disable the env_reset option from the
970                       command line via the -E option.  Additionally, environ‐
971                       ment variables set via the command line are not subject
972                       to the restrictions imposed by env_check, env_delete,
973                       or env_keep.  As such, only trusted users should be
974                       allowed to set variables in this manner.  This flag is
975                       off by default.
976
977     shell_noargs      If set and sudo is invoked with no arguments it acts as
978                       if the -s option had been given.  That is, it runs a
979                       shell as root (the shell is determined by the SHELL
980                       environment variable if it is set, falling back on the
981                       shell listed in the invoking user's /etc/passwd entry
982                       if not).  This flag is off by default.
983
984     stay_setuid       Normally, when sudo executes a command the real and
985                       effective UIDs are set to the target user (root by
986                       default).  This option changes that behavior such that
987                       the real UID is left as the invoking user's UID.  In
988                       other words, this makes sudo act as a setuid wrapper.
989                       This can be useful on systems that disable some poten‐
990                       tially dangerous functionality when a program is run
991                       setuid.  This option is only effective on systems that
992                       support either the setreuid(2) or setresuid(2) system
993                       call.  This flag is off by default.
994
995     targetpw          If set, sudo will prompt for the password of the user
996                       specified by the -u option (defaults to root) instead
997                       of the password of the invoking user.  In addition, the
998                       time stamp file name will include the target user's
999                       name.  Note that this flag precludes the use of a uid
1000                       not listed in the passwd database as an argument to the
1001                       -u option.  This flag is off by default.
1002
1003     tty_tickets       If set, users must authenticate on a per-tty basis.
1004                       With this flag enabled, sudo will use a file named for
1005                       the tty the user is logged in on in the user's time
1006                       stamp directory.  If disabled, the time stamp of the
1007                       directory is used instead.  This flag is on by default.
1008
1009     umask_override    If set, sudo will set the umask as specified by sudoers
1010                       without modification.  This makes it possible to spec‐
1011                       ify a more permissive umask in sudoers than the user's
1012                       own umask and matches historical behavior.  If
1013                       umask_override is not set, sudo will set the umask to
1014                       be the union of the user's umask and what is specified
1015                       in sudoers.  This flag is off by default.
1016
1017     use_pty           If set, sudo will run the command in a pseudo-pty even
1018                       if no I/O logging is being done.  A malicious program
1019                       run under sudo could conceivably fork a background
1020                       process that retains access to the user's terminal
1021                       device after the main program has finished executing.
1022                       Use of this option will make that impossible.  This
1023                       flag is off by default.

1024     utmp_runas        If set, sudo will store the name of the runas user when
1025                       updating the utmp (or utmpx) file.  By default, sudo
1026                       stores the name of the invoking user.  This flag is off
1027                       by default.
1028
1029     visiblepw         By default, sudo will refuse to run if the user must
1030                       enter a password but it is not possible to disable echo
1031                       on the terminal.  If the visiblepw flag is set, sudo
1032                       will prompt for a password even when it would be visi‐
1033                       ble on the screen.  This makes it possible to run
1034                       things like “ssh somehost sudo ls” since by default,
1035                       ssh(1) does not allocate a tty when running a command.
1036                       This flag is off by default.
1037
1038     Integers:
1039
1040     closefrom         Before it executes a command, sudo will close all open
1041                       file descriptors other than standard input, standard
1042                       output and standard error (i.e., file descriptors 0-2).
1043                       The closefrom option can be used to specify a different
1044                       file descriptor at which to start closing.  The default
1045                       is 3.
1046
1047     passwd_tries      The number of tries a user gets to enter his/her pass‐
1048                       word before sudo logs the failure and exits.  The
1049                       default is 3.
1050
1051     Integers that can be used in a boolean context:
1052
1053     loglinelen        Number of characters per line for the file log.  This
1054                       value is used to decide when to wrap lines for nicer
1055                       log files.  This has no effect on the syslog log file,
1056                       only the file log.  The default is 80 (use 0 or negate
1057                       the option to disable word wrap).
1058
1059     passwd_timeout    Number of minutes before the sudo password prompt times
1060                       out, or 0 for no timeout.  The timeout may include a
1061                       fractional component if minute granularity is insuffi‐
1062                       cient, for example 2.5.  The default is 5.
1063
1064     timestamp_timeout
1065                       Number of minutes that can elapse before sudo will ask
1066                       for a passwd again.  The timeout may include a frac‐
1067                       tional component if minute granularity is insufficient,
1068                       for example 2.5.  The default is 5.  Set this to 0 to
1069                       always prompt for a password.  If set to a value less
1070                       than 0 the user's time stamp will never expire.  This
1071                       can be used to allow users to create or delete their
1072                       own time stamps via “sudo -v” and “sudo -k” respec‐
1073                       tively.
1074
1075     umask             Umask to use when running the command.  Negate this
1076                       option or set it to 0777 to preserve the user's umask.
1077                       The actual umask that is used will be the union of the
1078                       user's umask and the value of the umask option, which
1079                       defaults to 0022.  This guarantees that sudo never low‐
1080                       ers the umask when running a command.  Note: on systems
1081                       that use PAM, the default PAM configuration may specify
1082                       its own umask which will override the value set in
1083                       sudoers.
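As an added example, constructed here and not taken from the manual, a Defaults block that applies the boolean and integer options above in a conservative configuration. The values are illustrative; each comment restates what the option description says it does, and the settings should follow local policy.

```sudoers
# Constructed example, not part of sudoers(5).

# Minimal environment; visudo honours EDITOR/VISUAL only when they match an
# entry in the fixed editor list (env_editor off).
Defaults env_reset, !env_editor

# Never prompt when the password would be echoed, and give no keystroke
# feedback that reveals its length.
Defaults !visiblepw, !pwfeedback

# Require a real tty and run every command in a pseudo-tty so that a
# backgrounded process cannot keep hold of the user's terminal.
# (Drop requiretty if sudo must legitimately run from cron or scripts.)
Defaults requiretty, use_pty

# Mail the mailto address on bad passwords and on attempts that sudoers does
# not permit; mail_no_user is already on by default and is listed for clarity.
Defaults mail_badpass, mail_no_user, mail_no_perms, mail_no_host

# Record command output for sudoreplay(8); leave input logging off because
# keystrokes can include passwords that would be stored unencrypted.
Defaults log_output, !log_input, log_host, log_year

# Keep glob(3) matching: fast_glob cannot match relative paths, which makes
# negated rules containing glob characters trivially bypassable.
Defaults !fast_glob

# Three password attempts, a one-minute prompt timeout and a five-minute
# credential cache (0 would force a password on every run; a negative value
# would never expire the time stamp).
Defaults passwd_tries=3, passwd_timeout=1, timestamp_timeout=5

# Close descriptors from 3 upward and do not let users change that with -C.
Defaults closefrom=3, !closefrom_override

# sudo uses the union of this umask and the user's, so it never loosens it.
Defaults umask=0022, !umask_override

# Per-tty time stamps, and no environment overrides from the command line.
Defaults tty_tickets, !setenv
```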
1084
1085     Strings:
1086
1087     badpass_message   Message that is displayed if a user enters an incorrect
1088                       password.  The default is “Sorry, try again.” unless
1089                       insults are enabled.
1090
1091     editor            A colon (‘:’) separated list of editors allowed to be
1092                       used with visudo.  visudo will choose the editor that
1093                       matches the user's EDITOR environment variable if pos‐
1094                       sible, or the first editor in the list that exists and
1095                       is executable.  The default is /usr/local/bin/vi.
1096
1097     iolog_dir         The top-level directory to use when constructing the
1098                       path name for the input/output log directory.  Only
1099                       used if the log_input or log_output options are enabled
1100                       or when the LOG_INPUT or LOG_OUTPUT tags are present
1101                       for a command.  The session sequence number, if any, is
1102                       stored in the directory.  The default is
1103                       /var/log/sudo-io.
1104
1105                       The following percent (‘%’) escape sequences are sup‐
1106                       ported:
1107
1108                       %{seq}
1109                             expanded to a monotonically increasing base-36
1110                             sequence number, such as 0100A5, where every two
1111                             digits are used to form a new directory, e.g.
1112                             01/00/A5
1113
1114                       %{user}
1115                             expanded to the invoking user's login name
1116
1117                       %{group}
1118                             expanded to the name of the invoking user's real
1119                             group ID
1120
1121                       %{runas_user}
1122                             expanded to the login name of the user the com‐
1123                             mand will be run as (e.g. root)
1124
1125                       %{runas_group}
1126                             expanded to the group name of the user the com‐
1127                             mand will be run as (e.g. wheel)
1128
1129                       %{hostname}
1130                             expanded to the local host name without the
1131                             domain name
1132
1133                       %{command}
1134                             expanded to the base name of the command being
1135                             run
1136
1137                       In addition, any escape sequences supported by the sys‐
1138                       tem's strftime(3) function will be expanded.
1139
1140                       To include a literal ‘%’ character, the string ‘%%’
1141                       should be used.
1142
1143     iolog_file        The path name, relative to iolog_dir, in which to store
1144                       input/output logs when the log_input or log_output
1145                       options are enabled or when the LOG_INPUT or LOG_OUTPUT
1146                       tags are present for a command.  Note that iolog_file
1147                       may contain directory components.  The default is
1148                       “%{seq}”.
1149
1150                       See the iolog_dir option above for a list of supported
1151                       percent (‘%’) escape sequences.
1152
1153                       In addition to the escape sequences, path names that
1154                       end in six or more Xs will have the Xs replaced with a
1155                       unique combination of digits and letters, similar to
1156                       the mktemp(3) function.
1157
1158     mailsub           Subject of the mail sent to the mailto user.  The
1159                       escape %h will expand to the host name of the machine.
1160                       Default is “*** SECURITY information for %h ***”.
1161
1162     noexec_file       This option is no longer supported.  The path to the
1163                       noexec file should now be set in the /etc/sudo.conf
1164                       file.
1165
1166     pam_login_service
1167                       On systems that use PAM for authentication, this is the
1168                       service name used when the -i option is specified.  The
1169                       default value is “sudo-i”.  See the description of
1170                       pam_service for more information.
1171
1172     pam_service       On systems that use PAM for authentication, the service
1173                       name specifies the PAM policy to apply.  This usually
1174                       corresponds to an entry in the pam.conf file or a file
1175                       in the /etc/pam.d directory.  The default value is
1176                       “sudo”.
1177
1178     passprompt        The default prompt to use when asking for a password;
1179                       can be overridden via the -p option or the SUDO_PROMPT
1180                       environment variable.  The following percent (‘%’)
1181                       escape sequences are supported:
1182
1183                       %H    expanded to the local host name including the
1184                             domain name (only if the machine's host name is
1185                             fully qualified or the fqdn option is set)
1186
1187                       %h    expanded to the local host name without the
1188                             domain name
1189
1190                       %p    expanded to the user whose password is being
1191                             asked for (respects the rootpw, targetpw and
1192                             runaspw flags in sudoers)
1193
1194                       %U    expanded to the login name of the user the com‐
1195                             mand will be run as (defaults to root)
1196
1197                       %u    expanded to the invoking user's login name
1198
1199                       %%    two consecutive % characters are collapsed into a
1200                             single % character
1201
                       The default value is “[sudo] password for %p:”.

     role              The default SELinux role to use when constructing a new
                       security context to run the command.  The default role
                       may be overridden on a per-command basis in sudoers or
                       via command line options.  This option is only avail‐
                       able when sudo is built with SELinux support.
1208
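     A model of the passprompt expansion described above, added here as an
     example (it is not sudo's own code).  The selection order for %p when more
     than one of rootpw, runaspw and targetpw is set, and the literal handling
     of unknown escapes, are assumptions the page does not spell out.

```python
def password_prompt_user(invoking_user, runas_user, runas_default="root",
                         rootpw=False, targetpw=False, runaspw=False):
    """Return the user whose password %p names, honouring the sudoers flags.
    Precedence when several flags are set is an assumption of this example."""
    if rootpw:              # rootpw: always ask for root's password
        return "root"
    if runaspw:             # runaspw: ask for the runas_default user's password
        return runas_default
    if targetpw:            # targetpw: ask for the target (-u) user's password
        return runas_user
    return invoking_user    # default: the invoking user's own password


def expand_passprompt(template, *, hostname, invoking_user, runas_user="root",
                      fqdn=False, domain=None, **flags):
    """Expand the percent escapes documented for passprompt (%H %h %p %U %u %%)."""
    short_host = hostname.split(".", 1)[0]
    # %H carries the domain only if the host name is already fully qualified
    # or the fqdn option is set (domain is then assumed to be known).
    if "." in hostname:
        long_host = hostname
    elif fqdn and domain:
        long_host = f"{hostname}.{domain}"
    else:
        long_host = short_host
    table = {
        "H": long_host,
        "h": short_host,
        "p": password_prompt_user(invoking_user, runas_user, **flags),
        "U": runas_user,
        "u": invoking_user,
        "%": "%",           # '%%' collapses to a single '%'
    }
    out, i = [], 0
    while i < len(template):
        c = template[i]
        if c == "%" and i + 1 < len(template) and template[i + 1] in table:
            out.append(table[template[i + 1]])
            i += 2
        else:
            out.append(c)   # unknown escape or trailing '%': kept literally (assumption)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    print(expand_passprompt("[sudo] password for %p:", hostname="moet",
                            invoking_user="millert", runas_user="operator",
                            targetpw=True))
```
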
1209     runas_default     The default user to run commands as if the -u option is
1210                       not specified on the command line.  This defaults to
1211                       root.
1212
1213     syslog_badpri     Syslog priority to use when user authenticates unsuc‐
1214                       cessfully.  Defaults to alert.
1215
1216                       The following syslog priorities are supported: alert,
1217                       crit, debug, emerg, err, info, notice, and warning.
1218
1219     syslog_goodpri    Syslog priority to use when user authenticates success‐
1220                       fully.  Defaults to notice.
1221
1222                       See syslog_badpri for the list of supported syslog pri‐
1223                       orities.
1224
1225     sudoers_locale    Locale to use when parsing the sudoers file, logging
1226                       commands, and sending email.  Note that changing the
1227                       locale may affect how sudoers is interpreted.  Defaults
1228                       to “C”.
1229
1230     timestampdir      The directory in which sudo stores its time stamp
1231                       files.  The default is /var/db/sudo.
1232
1233     timestampowner    The owner of the time stamp directory and the time
1234                       stamps stored therein.  The default is root.
1235
1236     type              The default SELinux type to use when constructing a new
1237                       security context to run the command.  The default type
1238                       may be overridden on a per-command basis in sudoers or
1239                       via command line options.  This option is only avail‐
1240                       able when sudo is built with SELinux support.
1241
1242     Strings that can be used in a boolean context:
1243
1244     env_file      The env_file option specifies the fully qualified path to a
1245                   file containing variables to be set in the environment of
1246                   the program being run.  Entries in this file should either
1247                   be of the form “VARIABLE=value” or “export VARIABLE=value”.
1248                   The value may optionally be surrounded by single or double
1249                   quotes.  Variables in this file are subject to other sudo
1250                   environment settings such as env_keep and env_check.
1251
1252     exempt_group  Users in this group are exempt from password and PATH
1253                   requirements.  The group name specified should not include
1254                   a % prefix.  This is not set by default.
1255
1256     group_plugin  A string containing a sudoers group plugin with optional
1257                   arguments.  This can be used to implement support for the
1258                   nonunix_group syntax described earlier.  The string should
1259                   consist of the plugin path, either fully-qualified or rela‐
1260                   tive to the /usr/libexec directory, followed by any config‐
1261                   uration arguments the plugin requires.  These arguments (if
1262                   any) will be passed to the plugin's initialization func‐
1263                   tion.  If arguments are present, the string must be
1264                   enclosed in double quotes ("").
1265
1266                   For example, given /etc/sudo-group, a group file in Unix
1267                   group format, the sample group plugin can be used:
1268
1269                   Defaults group_plugin="sample_group.so /etc/sudo-group"
1270
1271                   For more information see sudo_plugin(5).
1272
1273     lecture       This option controls when a short lecture will be printed
1274                   along with the password prompt.  It has the following pos‐
1275                   sible values:
1276
1277                   always  Always lecture the user.
1278
1279                   never   Never lecture the user.
1280
1281                   once    Only lecture the user the first time they run sudo.
1282
1283                   If no value is specified, a value of once is implied.
1284                   Negating the option results in a value of never being used.
1285                   The default value is once.
1286
1287     lecture_file  Path to a file containing an alternate sudo lecture that
1288                   will be used in place of the standard lecture if the named
1289                   file exists.  By default, sudo uses a built-in lecture.
1290
1291     listpw        This option controls when a password will be required when
1292                   a user runs sudo with the -l option.  It has the following
1293                   possible values:
1294
1295                   all       All the user's sudoers entries for the current
1296                             host must have the NOPASSWD flag set to avoid
1297                             entering a password.
1298
1299                   always    The user must always enter a password to use the
1300                             -l option.
1301
1302                   any       At least one of the user's sudoers entries for
1303                             the current host must have the NOPASSWD flag set
1304                             to avoid entering a password.
1305
1306                   never     The user need never enter a password to use the
1307                             -l option.
1308
1309                   If no value is specified, a value of any is implied.
1310                   Negating the option results in a value of never being used.
1311                   The default value is any.
1312
1313     logfile       Path to the sudo log file (not the syslog log file).  Set‐
1314                   ting a path turns on logging to a file; negating this
1315                   option turns it off.  By default, sudo logs via syslog.
1316
1317     mailerflags   Flags to use when invoking the mailer.  Defaults to -t.
1318
1319     mailerpath    Path to mail program used to send warning mail.  Defaults
1320                   to the path to sendmail found at configure time.
1321
1322     mailfrom      Address to use for the “from” address when sending warning
1323                   and error mail.  The address should be enclosed in double
1324                   quotes ("") to protect against sudo interpreting the @
1325                   sign.  Defaults to the name of the user running sudo.
1326
1327     mailto        Address to send warning and error mail to.  The address
1328                   should be enclosed in double quotes ("") to protect against
1329                   sudo interpreting the @ sign.  Defaults to root.
1330
1331     secure_path   Path used for every command run from sudo.  If you don't
1332                   trust the people running sudo to have a sane PATH environ‐
1333                   ment variable you may want to use this.  Another use is if
1334                   you want to have the “root path” be separate from the “user
1335                   path”.  Users in the group specified by the exempt_group
1336                   option are not affected by secure_path.  This option is not
1337                   set by default.
1338
1339     syslog        Syslog facility if syslog is being used for logging (negate
1340                   to disable syslog logging).  Defaults to authpriv.
1341
1342                   The following syslog facilities are supported: authpriv (if
1343                   your OS supports it), auth, daemon, user, local0, local1,
1344                   local2, local3, local4, local5, local6, and local7.
1345
1346     verifypw      This option controls when a password will be required when
1347                   a user runs sudo with the -v option.  It has the following
1348                   possible values:
1349
1350                   all     All the user's sudoers entries for the current host
1351                           must have the NOPASSWD flag set to avoid entering a
1352                           password.
1353
1354                   always  The user must always enter a password to use the -v
1355                           option.
1356
1357                   any     At least one of the user's sudoers entries for the
1358                           current host must have the NOPASSWD flag set to
1359                           avoid entering a password.
1360
1361                   never   The user need never enter a password to use the -v
1362                           option.
1363
1364                   If no value is specified, a value of all is implied.
1365                   Negating the option results in a value of never being used.
1366                   The default value is all.
1367
1368     Lists that can be used in a boolean context:
1369
1370     env_check         Environment variables to be removed from the user's
1371                       environment unless they are considered “safe”.  For
1372                       all variables except TZ, “safe” means that the vari‐
1373                       able's value does not contain any ‘%’ or ‘/’ charac‐
1374                       ters.  This can be used to guard against printf-style
1375                       format vulnerabilities in poorly-written programs.  The
1376                       TZ variable is considered unsafe if any of the following
1377                       are true:
1378
1379                       ·   It consists of a fully-qualified path name, option‐
1380                           ally prefixed with a colon (‘:’), that does not
1381                           match the location of the zoneinfo directory.
1382
1383                       ·   It contains a .. path element.
1384
1385                       ·   It contains white space or non-printable charac‐
1386                           ters.
1387
1388                       ·   It is longer than the value of PATH_MAX.
1389
1390                       The argument may be a double-quoted, space-separated
1391                       list or a single value without double-quotes.  The list
1392                       can be replaced, added to, deleted from, or disabled by
1393                       using the =, +=, -=, and ! operators respectively.
1394                       Regardless of whether the env_reset option is enabled
1395                       or disabled, variables specified by env_check will be
1396                       preserved in the environment if they pass the aforemen‐
1397                       tioned check.  The default list of environment vari‐
1398                       ables to check is displayed when sudo is run by root
1399                       with the -V option.
1400
1401     env_delete        Environment variables to be removed from the user's
1402                       environment when the env_reset option is not in effect.
1403                       The argument may be a double-quoted, space-separated
1404                       list or a single value without double-quotes.  The list
1405                       can be replaced, added to, deleted from, or disabled by
1406                       using the =, +=, -=, and ! operators respectively.  The
1407                       default list of environment variables to remove is dis‐
1408                       played when sudo is run by root with the -V option.
1409                       Note that many operating systems will remove poten‐
1410                       tially dangerous variables from the environment of any
1411                       setuid process (such as sudo).
1412
1413     env_keep          Environment variables to be preserved in the user's
1414                       environment when the env_reset option is in effect.
1415                       This allows fine-grained control over the environment
1416                       sudo-spawned processes will receive.  The argument may
1417                       be a double-quoted, space-separated list or a single
1418                       value without double-quotes.  The list can be replaced,
1419                       added to, deleted from, or disabled by using the =, +=,
1420                       -=, and ! operators respectively.  The default list of
1421                       variables to keep is displayed when sudo is run by root
1422                       with the -V option.
1423
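     An added example, written for this page rather than taken from sudo,
     that models the env_check “safe” test (including the four TZ rules) and
     how env_reset, env_keep, env_check and env_delete combine.  The zoneinfo
     directory and PATH_MAX are build- and OS-specific, so both are
     assumptions here.

```python
ZONEINFO_DIR = "/usr/share/zoneinfo"   # assumption: common zoneinfo location
PATH_MAX = 4096                         # assumption: typical Linux value


def tz_is_safe(value, zoneinfo_dir=ZONEINFO_DIR, path_max=PATH_MAX):
    """Apply the four TZ rules listed under env_check."""
    if len(value) > path_max:                               # longer than PATH_MAX
        return False
    if any(not 0x21 <= ord(c) <= 0x7e for c in value):     # white space / non-printable
        return False
    path = value[1:] if value.startswith(":") else value    # optional ':' prefix
    if path.startswith("/"):                                # fully-qualified path name
        if not path.startswith(zoneinfo_dir.rstrip("/") + "/"):
            return False                                    # outside the zoneinfo dir
    if ".." in path.split("/"):                             # a '..' path element
        return False
    return True


def env_value_is_safe(name, value):
    """A variable named in env_check survives only if its value is "safe"."""
    if name == "TZ":
        return tz_is_safe(value)
    return "%" not in value and "/" not in value            # guards printf-style bugs


def filter_environment(env, *, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return (kept, removed) for an environment dict under the given lists."""
    kept, removed = {}, {}
    for name, value in env.items():
        if name in env_check:
            keep = env_value_is_safe(name, value)   # checked regardless of env_reset
        elif env_reset:
            keep = name in env_keep                 # env_reset: only env_keep survives
        else:
            keep = name not in env_delete           # no env_reset: env_delete is removed
        (kept if keep else removed)[name] = value
    return kept, removed


# Constructed sample environment, not captured from a real system.
SAMPLE_ENV = {
    "HOME": "/home/millert",
    "DISPLAY": ":0",
    "TZ": "/usr/share/zoneinfo/Europe/Amsterdam",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "../../etc/localtime",     # contains '/': fails the check
    "COLORTERM": "%s%s%s",               # contains '%': fails the check
    "EDITOR": "/usr/bin/vi",             # neither kept nor checked
}

if __name__ == "__main__":
    kept, removed = filter_environment(
        SAMPLE_ENV, env_reset=True,
        env_keep={"DISPLAY", "HOME"},     # as in: Defaults env_keep += "DISPLAY HOME"
        env_check={"COLORTERM", "LANG", "LC_ALL", "TZ"})
    print("kept:   ", sorted(kept))
    print("removed:", sorted(removed))
```
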

LOG FORMAT

1425     sudoers can log events using either syslog(3) or a simple log file.  In
1426     each case the log format is almost identical.
1427
1428   Accepted command log entries
1429     Commands that sudo runs are logged using the following format (split into
1430     multiple lines for readability):
1431
1432         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
1433             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
1434             ENV=env_vars COMMAND=command
1435
1436     Where the fields are as follows:
1437
1438     date          The date the command was run.  Typically, this is in the
1439                   format “MMM, DD, HH:MM:SS”.  If logging via syslog(3), the
1440                   actual date format is controlled by the syslog daemon.  If
1441                   logging to a file and the log_year option is enabled, the
1442                   date will also include the year.
1443
1444     hostname      The name of the host sudo was run on.  This field is only
1445                   present when logging via syslog(3).
1446
1447     progname      The name of the program, usually sudo or sudoedit.  This
1448                   field is only present when logging via syslog(3).
1449
1450     username      The login name of the user who ran sudo.
1451
1452     ttyname       The short name of the terminal (e.g. “console”, “tty01”, or
1453                   “pts/0”) sudo was run on, or “unknown” if there was no ter‐
1454                   minal present.
1455
1456     cwd           The current working directory that sudo was run in.
1457
1458     runasuser     The user the command was run as.
1459
1460     runasgroup    The group the command was run as if one was specified on
1461                   the command line.
1462
1463     logid         An I/O log identifier that can be used to replay the com‐
1464                   mand's output.  This is only present when the log_input or
1465                   log_output option is enabled.
1466
1467     env_vars      A list of environment variables specified on the command
1468                   line, if specified.
1469
1470     command       The actual command that was executed.
1471
1472     Messages are logged using the locale specified by sudoers_locale, which
1473     defaults to the “C” locale.
1474
1475   Denied command log entries
1476     If the user is not allowed to run the command, the reason for the denial
1477     will follow the user name.  Possible reasons include:
1478
1479     user NOT in sudoers
1480       The user is not listed in the sudoers file.
1481
1482     user NOT authorized on host
1483       The user is listed in the sudoers file but is not allowed to run com‐
1484       mands on the host.
1485
1486     command not allowed
1487       The user is listed in the sudoers file for the host but they are not
1488       allowed to run the specified command.
1489
1490     3 incorrect password attempts
1491       The user failed to enter their password after 3 tries.  The actual num‐
1492       ber of tries will vary based on the number of failed attempts and the
1493       value of the passwd_tries option.
1494
1495     a password is required
1496       sudo's -n option was specified but a password was required.
1497
1498     sorry, you are not allowed to set the following environment variables
1499       The user specified environment variables on the command line that were
1500       not allowed by sudoers.
1501
1502   Error log entries
1503     If an error occurs, sudoers will log a message and, in most cases, send a
1504     message to the administrator via email.  Possible errors include:
1505
1506     parse error in /etc/sudoers near line N
1507       sudoers encountered an error when parsing the specified file.  In some
1508       cases, the actual error may be one line above or below the line number
1509       listed, depending on the type of error.
1510
1511     problem with defaults entries
1512       The sudoers file contains one or more unknown Defaults settings.  This
1513       does not prevent sudo from running, but the sudoers file should be
1514       checked using visudo.
1515
1516     timestamp owner (username): No such user
1517       The time stamp directory owner, as specified by the timestampowner set‐
1518       ting, could not be found in the password database.
1519
1520     unable to open/read /etc/sudoers
1521       The sudoers file could not be opened for reading.  This can happen when
1522       the sudoers file is located on a remote file system that maps user ID 0
1523       to a different value.  Normally, sudoers tries to open sudoers using
1524       group permissions to avoid this problem.  Consider changing the owner‐
1525       ship of /etc/sudoers by adding an option like “sudoers_uid=N” (where
1526       ‘N’ is the user ID that owns the sudoers file) to the sudoers plugin
1527       line in the /etc/sudo.conf file.
1528
1529     unable to stat /etc/sudoers
1530       The /etc/sudoers file is missing.
1531
1532     /etc/sudoers is not a regular file
1533       The /etc/sudoers file exists but is not a regular file or symbolic
1534       link.
1535
1536     /etc/sudoers is owned by uid N, should be 0
1537       The sudoers file has the wrong owner.  If you wish to change the
1538       sudoers file owner, please add “sudoers_uid=N” (where ‘N’ is the user
1539       ID that owns the sudoers file) to the sudoers plugin line in the
1540       /etc/sudo.conf file.
1541
1542     /etc/sudoers is world writable
1543       The permissions on the sudoers file allow all users to write to it.
1544       The sudoers file must not be world-writable; the default file mode is
1545       0440 (readable by owner and group, writable by none).  The default mode
1546       may be changed via the “sudoers_mode” option to the sudoers plugin line
1547       in the /etc/sudo.conf file.
1548
1549     /etc/sudoers is owned by gid N, should be 1
1550       The sudoers file has the wrong group ownership.  If you wish to change
1551       the sudoers file group ownership, please add “sudoers_gid=N” (where ‘N’
1552       is the group ID that owns the sudoers file) to the sudoers plugin line
1553       in the /etc/sudo.conf file.
1554
1555     unable to open /var/db/sudo/username/ttyname
1556       sudoers was unable to read or create the user's time stamp file.
1557
1558     unable to write to /var/db/sudo/username/ttyname
1559       sudoers was unable to write to the user's time stamp file.
1560
1561     unable to mkdir to /var/db/sudo/username
1562       sudoers was unable to create the user's time stamp directory.
1563
1564   Notes on logging via syslog
1565     By default, sudoers logs messages via syslog(3).  The date, hostname, and
1566     progname fields are added by the syslog daemon, not sudoers itself.  As
1567     such, they may vary in format on different systems.
1568
1569     On most systems, syslog(3) has a relatively small log buffer.  To prevent
1570     the command line arguments from being truncated, sudoers will split up
1571     log messages that are larger than 960 characters (not including the date,
1572     hostname, and the string “sudo”).  When a message is split, additional
1573     parts will include the string “(command continued)” after the user name
1574     and before the continued command line arguments.
1575
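     A parser for the accepted and denied entry formats above, and for the
     “(command continued)” parts produced when a syslog message is split,
     added as an example for this page (not sudo's own code).  The sample
     lines are constructed; that a split happens at a space, so that parts are
     rejoined with one, is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# A syslog(3)-style sudoers entry:  date hostname progname: username : <rest>
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<progname>[^:\s]+):\s+"
    r"(?P<username>\S+) : (?P<rest>.*)$"
)
CONTINUED = "(command continued) "      # marker inserted when a message is split


@dataclass
class SudoLogEntry:
    date: str
    hostname: str
    progname: str
    username: str
    reason: Optional[str]               # None for an accepted command
    fields: dict = field(default_factory=dict)   # TTY, PWD, USER, GROUP, TSID, ENV, COMMAND

    @property
    def accepted(self):
        return self.reason is None


def _parse_fields(text):
    """Split 'KEY=value ; KEY=value ; ENV=vars COMMAND=cmd' into a dict."""
    fields = {}
    for part in text.split(" ; "):
        if part.startswith("ENV=") and " COMMAND=" in part:
            env, cmd = part.split(" COMMAND=", 1)   # ENV and COMMAND share one field
            fields["ENV"], fields["COMMAND"] = env[len("ENV="):], cmd
        elif "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def parse_sudo_syslog(lines):
    """Parse sudoers syslog lines, rejoin split commands, skip other messages."""
    entries = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue                                # not a sudoers entry
        user, host, rest = m.group("username"), m.group("hostname"), m.group("rest")
        if rest.startswith(CONTINUED):
            # Continuation of the latest entry by the same user on the same host.
            for prev in reversed(entries):
                if prev.username == user and prev.hostname == host:
                    prev.fields["COMMAND"] = prev.fields.get("COMMAND", "") + " " + rest[len(CONTINUED):]
                    break
            continue
        reason = None
        if not rest.startswith("TTY="):
            reason, _, rest = rest.partition(" ; ")  # denial reason follows the user name
        entries.append(SudoLogEntry(m.group("date"), host, m.group("progname"),
                                    user, reason, _parse_fields(rest)))
    return entries


def denial_counts(entries):
    """Count denied entries by reason, a quick triage view for an analyst."""
    counts = {}
    for e in entries:
        if not e.accepted:
            counts[e.reason] = counts.get(e.reason, 0) + 1
    return counts


# Constructed sample lines, not captured from a real host.
SAMPLE_SYSLOG = [
    "Jul  1 10:15:02 bigtime sudo:  millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/sbin/dump 0uf /dev/nrst0 /dev/sd0a",
    "Jul  1 10:16:40 bigtime sudo:    jwfox : TTY=pts/1 ; PWD=/home/jwfox ; USER=root ; GROUP=adm ; TSID=00000A ; COMMAND=/usr/bin/kill -HUP 1234",
    "Jul  1 10:17:05 bigtime sudo:    crawl : command not allowed ; TTY=pts/2 ; PWD=/home/crawl ; USER=root ; COMMAND=/usr/bin/su -",
    "Jul  1 10:18:00 bigtime sudo:    guest : user NOT in sudoers ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id",
    "Jul  1 10:19:30 bigtime sudo:  millert : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/bin/passwd lisa",
    "Jul  1 10:20:00 www sudo:    wendy : TTY=pts/4 ; PWD=/var/www ; USER=root ; ENV=LANG=C COMMAND=/usr/bin/lprm -",
    "Jul  1 10:20:30 bigtime sshd[4321]: Accepted publickey for millert",
    "Jul  1 10:21:12 bigtime sudo:  millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/sbin/restore -rf",
    "Jul  1 10:21:12 bigtime sudo:  millert : (command continued) /dev/nrst0",
]

if __name__ == "__main__":
    parsed = parse_sudo_syslog(SAMPLE_SYSLOG)
    for e in parsed:
        print("ALLOW" if e.accepted else "DENY ", e.username, e.reason or "", e.fields.get("COMMAND"))
    print(denial_counts(parsed))
```
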
1576   Notes on logging to a file
1577     If the logfile option is set, sudoers will log to a local file, such as
1578     /var/log/sudo.  When logging to a file, sudoers uses a format similar to
1579     syslog(3), with a few important differences:
1580
1581     1.   The progname and hostname fields are not present.
1582
1583     2.   If the log_year option is enabled, the date will also include the
1584          year.
1585
1586     3.   Lines that are longer than loglinelen characters (80 by default) are
1587          word-wrapped and continued on the next line with a four character
1588          indent.  This makes entries easier to read for a human being, but
1589          makes it more difficult to use grep(1) on the log files.  If the
1590          loglinelen option is set to 0 (or negated with a ‘!’), word wrap
1591          will be disabled.
1592

SUDO.CONF

1594     The /etc/sudo.conf file determines which plugins the sudo front end will
1595     load.  If no /etc/sudo.conf file is present, or it contains no Plugin
1596     lines, sudo will use the sudoers security policy and I/O logging, which
1597     corresponds to the following /etc/sudo.conf file.
1598
1599     #
1600     # Default /etc/sudo.conf file
1601     #
1602     # Format:
1603     #   Plugin plugin_name plugin_path plugin_options ...
1604     #   Path askpass /path/to/askpass
1605     #   Path noexec /path/to/sudo_noexec.so
1606     #   Debug sudo /var/log/sudo_debug all@warn
1607     #   Set disable_coredump true
1608     #
1609     # The plugin_path is relative to /usr/libexec unless
1610     #   fully qualified.
1611     # The plugin_name corresponds to a global symbol in the plugin
1612     #   that contains the plugin interface structure.
1613     # The plugin_options are optional.
1614     #
1615     Plugin policy_plugin sudoers.so
1616     Plugin io_plugin sudoers.so
1617
1618   Plugin options
1619     Starting with sudo 1.8.5, it is possible to pass options to the sudoers
1620     plugin.  Options may be listed after the path to the plugin (i.e. after
1621     sudoers.so); multiple options should be space-separated.  For example:
1622
1623     Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
1624
1625     The following plugin options are supported:
1626
1627     sudoers_file=pathname
1628               The sudoers_file option can be used to override the default
1629               path to the sudoers file.
1630
1631     sudoers_uid=uid
1632               The sudoers_uid option can be used to override the default
1633               owner of the sudoers file.  It should be specified as a numeric
1634               user ID.
1635
1636     sudoers_gid=gid
1637               The sudoers_gid option can be used to override the default
1638               group of the sudoers file.  It should be specified as a numeric
1639               group ID.
1640
1641     sudoers_mode=mode
1642               The sudoers_mode option can be used to override the default
1643               file mode for the sudoers file.  It should be specified as an
1644               octal value.
1645
1646   Debug flags
1647     Versions 1.8.4 and higher of the sudoers plugin support a debugging
1648     framework that can help track down what the plugin is doing internally if
1649     there is a problem.  This can be configured in the /etc/sudo.conf file as
1650     described in sudo(8).
1651
1652     The sudoers plugin uses the same debug flag format as the sudo front-end:
1653     subsystem@priority.
1654
1655     The priorities used by sudoers, in order of decreasing severity, are:
1656     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
1657     when specified, also includes all priorities higher than it.  For exam‐
1658     ple, a priority of notice would include debug messages logged at notice
1659     and higher.
1660
1661     The following subsystems are used by sudoers:
1662
1663     alias     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
1664
1665     all       matches every subsystem
1666
1667     audit     BSM and Linux audit code
1668
1669     auth      user authentication
1670
1671     defaults  sudoers Defaults settings
1672
1673     env       environment handling
1674
1675     ldap      LDAP-based sudoers
1676
1677     logging   logging support
1678
1679     match     matching of users, groups, hosts and netgroups in sudoers
1680
1681     netif     network interface handling
1682
1683     nss       network service switch handling in sudoers
1684
1685     parser    sudoers file parsing
1686
1687     perms     permission setting
1688
1689     plugin    The equivalent of main for the plugin.
1690
1691     pty       pseudo-tty related code
1692
1693     rbtree    red-black tree internals
1694
1695     util      utility functions
1696

FILES

1698     /etc/sudo.conf            Sudo front end configuration
1699
1700     /etc/sudoers              List of who can run what
1701
1702     /etc/group                Local groups file
1703
1704     /etc/netgroup             List of network groups
1705
1706     /var/log/sudo-io          I/O log files
1707
1708     /var/db/sudo              Directory containing time stamps for the
1709                               sudoers security policy
1710
1711     /etc/environment          Initial environment for -i mode on AIX and
1712                               Linux systems
1713

EXAMPLES

1715     Below are example sudoers entries.  Admittedly, some of these are a bit
1716     contrived.  First, we allow a few environment variables to pass and then
1717     define our aliases:
1718
1719     # Run X applications through sudo; HOME is used to find the
1720     # .Xauthority file.  Note that other programs use HOME to find
1721     # configuration files and this may lead to privilege escalation!
1722     Defaults env_keep += "DISPLAY HOME"
1723
1724     # User alias specification
1725     User_Alias      FULLTIMERS = millert, mikef, dowdy
1726     User_Alias      PARTTIMERS = bostley, jwfox, crawl
1727     User_Alias      WEBMASTERS = will, wendy, wim
1728
1729     # Runas alias specification
1730     Runas_Alias     OP = root, operator
1731     Runas_Alias     DB = oracle, sybase
1732     Runas_Alias     ADMINGRP = adm, oper
1733
1734     # Host alias specification
1735     Host_Alias      SPARC = bigtime, eclipse, moet, anchor :\
1736                     SGI = grolsch, dandelion, black :\
1737                     ALPHA = widget, thalamus, foobar :\
1738                     HPPA = boa, nag, python
1739     Host_Alias      CUNETS = 128.138.0.0/255.255.0.0
1740     Host_Alias      CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1741     Host_Alias      SERVERS = master, mail, www, ns
1742     Host_Alias      CDROM = orion, perseus, hercules
1743
1744     # Cmnd alias specification
1745     Cmnd_Alias      DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1746                             /usr/sbin/restore, /usr/sbin/rrestore
1747     Cmnd_Alias      KILL = /usr/bin/kill
1748     Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1749     Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
1750     Cmnd_Alias      HALT = /usr/sbin/halt
1751     Cmnd_Alias      REBOOT = /usr/sbin/reboot
1752     Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
1753                              /usr/local/bin/tcsh, /usr/bin/rsh,\
1754                              /usr/local/bin/zsh
1755     Cmnd_Alias      SU = /usr/bin/su
1756     Cmnd_Alias      PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1757
1758     Here we override some of the compiled in default values.  We want sudo to
1759     log via syslog(3) using the auth facility in all cases.  We don't want to
1760     subject the full time staff to the sudo lecture, user millert need not
1761     give a password, and we don't want to reset the LOGNAME, USER or USERNAME
1762     environment variables when running commands as root.  Additionally, on
1763     the machines in the SERVERS Host_Alias, we keep an additional local log
1764     file and make sure we log the year in each log line since the log entries
1765     will be kept around for several years.  Lastly, we disable shell escapes
1766     for the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
1767     /usr/bin/less).
1768
1769     # Override built-in defaults
1770     Defaults                syslog=auth
1771     Defaults>root           !set_logname
1772     Defaults:FULLTIMERS     !lecture
1773     Defaults:millert        !authenticate
1774     Defaults@SERVERS        log_year, logfile=/var/log/sudo.log
1775     Defaults!PAGERS         noexec
1776
1777     The User specification is the part that actually determines who may run
1778     what.
1779
1780     root            ALL = (ALL) ALL
1781     %wheel          ALL = (ALL) ALL
1782
1783     We let root and any user in group wheel run any command on any host as
1784     any user.
1785
1786     FULLTIMERS      ALL = NOPASSWD: ALL
1787
1788     Full time sysadmins (millert, mikef, and dowdy) may run any command on
1789     any host without authenticating themselves.
1790
1791     PARTTIMERS      ALL = ALL
1792
1793     Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
1794     host but they must authenticate themselves first (since the entry lacks
1795     the NOPASSWD tag).
1796
1797     jack            CSNETS = ALL
1798
1799     The user jack may run any command on the machines in the CSNETS alias
1800     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
1801     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
1802     indicating it is a class C network.  For the other networks in CSNETS,
1803     the local machine's netmask will be used during matching.
1804
1805     lisa            CUNETS = ALL
1806
1807     The user lisa may run any command on any host in the CUNETS alias (the
1808     class B network 128.138.0.0).
1809
1810     operator        ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1811                     sudoedit /etc/printcap, /usr/oper/bin/
1812
1813     The operator user may run commands limited to simple maintenance.  Here,
1814     those are commands related to backups, killing processes, the printing
1815     system, shutting down the system, and any commands in the directory
1816     /usr/oper/bin/.
1817
1818     joe             ALL = /usr/bin/su operator
1819
1820     The user joe may only su(1) to operator.
1821
     pete            HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.

     %opers          ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

     bob             SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

     jim             +biglab = ALL

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.

     +secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands
     on all machines.

     fred            ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias (oracle
     or sybase) without giving a password.

     john            ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

     jen             ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

     jill            SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU and
     SHELLS Cmnd_Aliases.

     steve           CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

     matt            valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill hung
     processes.

     WEBMASTERS      www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
     wim), may run any command as user www (which owns the web pages) or
     simply su(1) to www.

     ALL             CDROM = NOPASSWD: /sbin/umount /CDROM,\
                     /sbin/mount -o nosuidnodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.  This
     is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.

SECURITY NOTES

   Limitations of the ‘!’ operator
     It is generally not effective to “subtract” commands from ALL using the
     ‘!’ operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For
     example:

     bill    ALL = ALL, !SU, !SHELLS

     Doesn't really prevent bill from running the commands listed in SU or
     SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program.  Therefore, these
     kinds of restrictions should be considered advisory at best (and
     reinforced by policy).

     In general, if a user has sudo ALL there is nothing to prevent them from
     creating their own program that gives them a root shell (or making their
     own copy of a shell) regardless of any ‘!’ elements in the user
     specification.

   Security implications of fast_glob
     If the fast_glob option is in use, it is not possible to reliably negate
     commands where the path name includes globbing (aka wildcard) characters.
     This is because the C library's fnmatch(3) function cannot resolve
     relative paths.  While this is typically only an inconvenience for rules
     that grant privileges, it can result in a security issue for rules that
     subtract or revoke privileges.

     For example, given the following sudoers entry:

     john    ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
                   /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.
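
     Both weaknesses described in the two subsections above (commands subtracted
     from ALL, and negated patterns while fast_glob is enabled) can be flagged
     before a policy is installed.  The audit script below is an added example,
     not part of sudo or of this manual; it parses the simplified user
     specification syntax used in this manual's examples (continuation lines,
     runas lists, tags) and, as an assumption, treats any Defaults line that
     enables fast_glob as global rather than honouring its scope.

```python
import re

GLOB_CHARS = set("*?[")

# Constructed sudoers fragment; the bill and john rules are the two from SECURITY NOTES.
SAMPLE = """\
Defaults    fast_glob
bill    ALL = ALL, !SU, !SHELLS
john    ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
              /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
jill    SERVERS = /usr/bin/, !SU, !SHELLS
aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and '#' comments."""
    joined = re.sub(r"\\\n", "", text)            # backslash-newline continuation
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def command_lists(spec):
    """Yield each Cmnd list of a user specification with runas and tags removed."""
    for part in spec.split("=", 1)[1].split(" : "):
        if "=" in part:                           # 'Host = Cmnds' after a ' : ' separator
            part = part.split("=", 1)[1]
        part = re.sub(r"\([^)]*\)", "", part)     # drop (runas_user : runas_group)
        part = re.sub(r"\b[A-Z_]+:\s*", "", part) # drop NOPASSWD:, NOEXEC:, ... tags
        yield [c.strip() for c in part.split(",") if c.strip()]

def audit(text):
    """Return (spec, reason) pairs for negations that sudoers(5) warns are weak."""
    lines = logical_lines(text)
    # Assumption: a Defaults line enabling fast_glob counts as global, whatever its scope.
    defaults = [ln.split(None, 1)[-1] for ln in lines if ln.startswith("Defaults")]
    fast_glob = any("fast_glob" in [p.strip() for p in d.split(",")] for d in defaults)
    findings = []
    for ln in lines:
        if ln.startswith("Defaults") or "_Alias" in ln.split("=", 1)[0]:
            continue                              # aliases are not checked by this example
        for cmnds in command_lists(ln):
            negated = [c for c in cmnds if c.startswith("!")]
            if "ALL" in cmnds and negated:
                findings.append((ln, "'!' subtracted from ALL is advisory only"))
            if fast_glob and any(GLOB_CHARS & set(c) for c in negated):
                findings.append((ln, "negated glob is unreliable with fast_glob"))
    return findings

if __name__ == "__main__":
    for spec, reason in audit(SAMPLE):
        print(f"{reason}: {spec}")
```

     The jill rule (a directory grant with negations) and the aaron rule are
     left alone; only the two patterns this section warns about are reported.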

   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including running other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which lets
     a user bypass sudo's access control and logging.  Common programs that
     permit shell escapes include shells (obviously), editors, paginators,
     mail and terminal programs.

     There are two basic approaches to this problem:

     restrict  Avoid giving users access to commands that allow the user to
               run arbitrary commands.  Many editors have a restricted mode
               where shell escapes are disabled, though sudoedit is a better
               solution to running editors via sudo.  Due to the large number
               of programs that offer shell escapes, restricting users to the
               set of programs that do not is often unworkable.

     noexec    Many systems that support shared libraries have the ability to
               override default library functions by pointing an environment
               variable (usually LD_PRELOAD) to an alternate shared library.
               On such systems, sudo's noexec functionality can be used to
               prevent a program run by sudo from executing any other
               programs.  Note, however, that this applies only to native
               dynamically-linked executables.  Statically-linked executables
               and foreign executables running under binary emulation are not
               affected.

               The noexec feature is known to work on SunOS, Solaris, *BSD,
               Linux, IRIX, Tru64 UNIX, Mac OS X, HP-UX 11.x and AIX 5.3 and
               above.  It should be supported on most operating systems that
               support the LD_PRELOAD environment variable.  Check your
               operating system's manual pages for the dynamic linker (usually
               ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
               LD_PRELOAD is supported.

               To enable noexec for a command, use the NOEXEC tag as
               documented in the User Specification section above.  Here is
               that example again:

               aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

               This allows user aaron to run /usr/bin/more and /usr/bin/vi
               with noexec enabled.  This will prevent those two commands from
               executing other commands (such as a shell).  If you are unsure
               whether or not your system is capable of supporting noexec you
               can always just try it out and check whether shell escapes work
               when noexec is enabled.

     Note that restricting shell escapes is not a panacea.  Programs running
     as root are still capable of many potentially hazardous operations (such
     as changing or overwriting files) that could lead to unintended privilege
     escalation.  In the specific case of an editor, a safer approach is to
     give the user permission to run sudoedit.
   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/var/db/sudo by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.  On
     systems that allow non-root users to give away files via chown(2), if the
     time stamp directory is located in a world-writable directory (e.g.,
     /tmp), it is possible for a user to create the time stamp directory
     before sudo is run.  However, because sudoers checks the ownership and
     mode of the directory and its contents, the only damage that can be done
     is to “hide” files by putting them in the time stamp dir.  This is
     unlikely to happen since once the time stamp dir is owned by root and
     inaccessible by any other user, the user placing files there would be
     unable to get them back out.

     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored and
     sudo will log and complain.  This is done to keep a user from creating
     his/her own time stamp with a bogus date on systems that allow users to
     give away files if the time stamp directory is located in a world-
     writable directory.

     On systems where the boot time is available, sudoers will ignore time
     stamps that date from before the machine booted.

     Since time stamp files live in the file system, they can outlive a user's
     login session.  As a result, a user may be able to log in, run a command
     with sudo after authenticating, log out, log in again, and run sudo
     without authenticating so long as the time stamp file's modification
     time is within 5 minutes (or whatever the timeout is set to in sudoers).
     When the tty_tickets option is enabled, the time stamp has per-tty
     granularity but still may outlive the user's session.  On Linux systems
     where the devpts filesystem is used, Solaris systems with the devices
     filesystem, as well as other systems that utilize a devfs filesystem
     that monotonically increase the inode number of devices as they are
     created (such as Mac OS X), sudoers is able to determine when a
     tty-based time stamp file is stale and will ignore it.  Administrators
     should not rely on this feature as it is not universally available.
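
     The checks described in this subsection, modelled as an added example
     that is not sudo's own code: the ownership and mode test on the time
     stamp directory, then the future, pre-boot and timeout tests on a file's
     modification time.  The 5 minute default and the 2 * TIMEOUT bound come
     from the text above; the order of the checks and the strict inequalities
     at the boundaries are this example's assumptions.

```python
import os
import stat

DEFAULT_TIMEOUT = 5 * 60   # sudoers' default time stamp timeout of 5 minutes, in seconds

def timestamp_dir_trusted(st_uid, st_mode):
    """True only if the time stamp directory is owned by root and not writable
    by group or other; sudoers(5) says it ignores the directory's contents
    otherwise."""
    return st_uid == 0 and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def timestamp_state(mtime, now, timeout=DEFAULT_TIMEOUT, boot_time=None):
    """Classify one time stamp file's modification time (seconds since the
    epoch).  'future': beyond now + 2 * TIMEOUT, which sudoers logs and
    ignores; 'pre-boot': older than the boot time, when one is known;
    'expired': older than the timeout; otherwise 'valid'.  The check order
    and the strict comparisons are assumptions made by this example."""
    if mtime > now + 2 * timeout:
        return "future"
    if boot_time is not None and mtime < boot_time:
        return "pre-boot"
    if now - mtime > timeout:
        return "expired"
    return "valid"

def scan_timestamp_dir(path, now, timeout=DEFAULT_TIMEOUT, boot_time=None):
    """Return {file name: state} for every file under path, or None when the
    directory itself fails the ownership/mode check."""
    st = os.stat(path)
    if not timestamp_dir_trusted(st.st_uid, st.st_mode):
        return None
    return {e.name: timestamp_state(e.stat().st_mtime, now, timeout, boot_time)
            for e in os.scandir(path) if e.is_file()}

if __name__ == "__main__":
    import time
    try:   # /var/db/sudo is the default directory named in sudoers(5); reading it needs root
        print(scan_timestamp_dir("/var/db/sudo", time.time()))
    except OSError as exc:
        print(f"cannot read time stamp directory: {exc}")
```

     A result of None from scan_timestamp_dir corresponds to the case where
     sudoers discards every stamp because the directory is not root-owned or
     is writable by others.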

SEE ALSO

     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
     sudoers.ldap(5), sudo_plugin(8), sudo(8), visudo(8)


CAVEATS

     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking.  It is imperative that
     sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case), you
     either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.


BUGS

     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/


SUPPORT

     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.


DISCLAIMER

     sudo is provided “AS IS” and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.8.6p3                     July 16, 2012                    Sudo 1.8.6p3