1SUDOERS(5) BSD File Formats Manual SUDOERS(5)
2
4 sudoers — default sudo security policy plugin
5
7 The sudoers policy plugin determines a user's sudo privileges. It is the
8 default sudo policy plugin. The policy is driven by the /etc/sudoers
9 file or, optionally in LDAP. The policy format is described in detail in
10 the SUDOERS FILE FORMAT section. For information on storing sudoers pol‐
11 icy information in LDAP, please see sudoers.ldap(5).
12 Configuring sudo.conf for sudoers
14 sudo consults the sudo.conf(5) file to determine which policy and and I/O
15 logging plugins to load. If no sudo.conf(5) file is present, or if it
16 contains no Plugin lines, sudoers will be used for policy decisions and
17 I/O logging. To explicitly configure sudo.conf(5) to use the sudoers
18 plugin, the following configuration can be used.
19 Plugin sudoers_policy sudoers.so
21 Plugin sudoers_io sudoers.so
22 Starting with sudo 1.8.5, it is possible to specify optional arguments to
24 the sudoers plugin in the sudo.conf(5) file. These arguments, if
25 present, should be listed after the path to the plugin (i.e. after
26 sudoers.so). Multiple arguments may be specified, separated by white
27 space. For example:
28 Plugin sudoers_policy sudoers.so sudoers_mode=0400
30 The following plugin arguments are supported:
32 ldap_conf=pathname
34 The ldap_conf argument can be used to override the default path
35 to the ldap.conf file.
36 ldap_secret=pathname
38 The ldap_secret argument can be used to override the default
39 path to the ldap.secret file.
40 sudoers_file=pathname
42 The sudoers_file argument can be used to override the default
43 path to the sudoers file.
44 sudoers_uid=uid
46 The sudoers_uid argument can be used to override the default
47 owner of the sudoers file. It should be specified as a numeric
48 user ID.
49 sudoers_gid=gid
51 The sudoers_gid argument can be used to override the default
52 group of the sudoers file. It must be specified as a numeric
53 group ID (not a group name).
54 sudoers_mode=mode
56 The sudoers_mode argument can be used to override the default
57 file mode for the sudoers file. It should be specified as an
58 octal value.
59 For more information on configuring sudo.conf(5), please refer to its
61 manual.
62 User Authentication
64 The sudoers security policy requires that most users authenticate them‐
65 selves before they can use sudo. A password is not required if the
66 invoking user is root, if the target user is the same as the invoking
67 user, or if the policy has disabled authentication for the user or com‐
68 mand. Unlike su(1), when sudoers requires authentication, it validates
69 the invoking user's credentials, not the target user's (or root's) cre‐
70 dentials. This can be changed via the rootpw, targetpw and runaspw
71 flags, described later.
72 If a user who is not listed in the policy tries to run a command via
74 sudo, mail is sent to the proper authorities. The address used for such
75 mail is configurable via the mailto Defaults entry (described later) and
76 defaults to root.
77 Note that no mail will be sent if an unauthorized user tries to run sudo
79 with the -l or -v option unless there is an authentication error and
80 either the mail_always or mail_badpass flags are enabled. This allows
81 users to determine for themselves whether or not they are allowed to use
82 sudo. All attempts to run sudo (successful or not) will be logged,
83 regardless of whether or not mail is sent.
84 If sudo is run by root and the SUDO_USER environment variable is set, the
86 sudoers policy will use this value to determine who the actual user is.
87 This can be used by a user to log commands through sudo even when a root
88 shell has been invoked. It also allows the -e option to remain useful
89 even when invoked via a sudo-run script or program. Note, however, that
90 the sudoers file lookup is still done for root, not the user specified by
91 SUDO_USER.
92 sudoers uses per-user time stamp files for credential caching. Once a
94 user has been authenticated, a record is written containing the user ID
95 that was used to authenticate, the terminal session ID, the start time of
96 the session leader (or parent process) and a time stamp (using a mono‐
97 tonic clock if one is available). The user may then use sudo without a
98 password for a short period of time (5 minutes unless overridden by the
99 timestamp_timeout option). By default, sudoers uses a separate record
100 for each terminal, which means that a user's login sessions are authenti‐
101 cated separately. The timestamp_type option can be used to select the
102 type of time stamp record sudoers will use.
103 Logging
105 sudoers can log both successful and unsuccessful attempts (as well as
106 errors) to syslog(3), a log file, or both. By default, sudoers will log
107 via syslog(3) but this is changeable via the syslog and logfile Defaults
108 settings. See LOG FORMAT for a description of the log file format.
109 sudoers is also capable of running a command in a pseudo-tty and logging
111 all input and/or output. The standard input, standard output and stan‐
112 dard error can be logged even when not associated with a terminal. I/O
113 logging is not on by default but can be enabled using the log_input and
114 log_output options as well as the LOG_INPUT and LOG_OUTPUT command tags.
115 See I/O LOG FILES for details on how I/O log files are stored.
116 Command environment
118 Since environment variables can influence program behavior, sudoers pro‐
119 vides a means to restrict which variables from the user's environment are
120 inherited by the command to be run. There are two distinct ways sudoers
121 can deal with environment variables.
122 By default, the env_reset option is enabled. This causes commands to be
124 executed with a new, minimal environment. On AIX (and Linux systems
125 without PAM), the environment is initialized with the contents of the
126 /etc/environment file. The new environment contains the TERM, PATH,
127 HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addi‐
128 tion to variables from the invoking process permitted by the env_check
129 and env_keep options. This is effectively a whitelist for environment
130 variables. The environment variables LOGNAME, USER and USERNAME are
131 treated specially. If one or more variables are preserved from the
132 invoking process, any of the three remaining variables (that were not
133 explicitly preserved) will be set to the same value as the first one in
134 the list that was preserved. This avoids an inconsistent environment
135 where some of the variables describing the user name are set to the
136 invoking user and some are set to the target user. () are removed unless
137 both the name and value parts are matched by env_keep or env_check, as
138 they may be interpreted as functions by the bash shell. Prior to version
139 1.8.11, such variables were always removed.
140 If, however, the env_reset option is disabled, any variables not explic‐
142 itly denied by the env_check and env_delete options are inherited from
143 the invoking process. In this case, env_check and env_delete behave like
144 a blacklist. Prior to version 1.8.21, environment variables with a value
145 beginning with () were always removed. Beginning with version 1.8.21, a
146 pattern in env_delete is used to match bash shell functions instead.
147 Since it is not possible to blacklist all potentially dangerous environ‐
148 ment variables, use of the default env_reset behavior is encouraged.
149 Environment variables specified by env_check, env_delete, or env_keep may
151 include one or more ‘*’ characters which will match zero or more charac‐
152 ters. No other wildcard characters are supported.
153 By default, environment variables are matched by name. However, if the
155 pattern includes an equal sign (‘=’), both the variables name and value
156 must match. For example, a bash shell function could be matched as fol‐
157 lows:
158 env_keep += "BASH_FUNC_my_func%%=()*"
160 Without the “=()*” suffix, this would not match, as bash shell functions
162 are not preserved by default.
163 The complete list of environment variables that sudo allows or denies is
165 contained in the output of “sudo -V” when run as root. Please note that
166 this list varies based on the operating system sudo is running on.
167 On systems that support PAM where the pam_env module is enabled for sudo,
169 variables in the PAM environment may be merged in to the environment. If
170 a variable in the PAM environment is already present in the user's envi‐
171 ronment, the value will only be overridden if the variable was not pre‐
172 served by sudoers. When env_reset is enabled, variables preserved from
173 the invoking user's environment by the env_keep list take precedence over
174 those in the PAM environment. When env_reset is disabled, variables
175 present the invoking user's environment take precedence over those in the
176 PAM environment unless they match a pattern in the env_delete list.
177 Note that the dynamic linker on most operating systems will remove vari‐
179 ables that can control dynamic linking from the environment of setuid
180 executables, including sudo. Depending on the operating system this may
181 include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
182 These type of variables are removed from the environment before sudo even
183 begins execution and, as such, it is not possible for sudo to preserve
184 them.
185 As a special case, if sudo's -i option (initial login) is specified,
187 sudoers will initialize the environment regardless of the value of
188 env_reset. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
189 MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
190 (and Linux systems without PAM), the contents of /etc/environment are
191 also included. All other environment variables are removed unless per‐
192 mitted by env_keep or env_check, described above.
193 Finally, the restricted_env_file and env_file files are applied, if
195 present. The variables in restricted_env_file are applied first and are
196 subject to the same restrictions as the invoking user's environment, as
197 detailed above. The variables in env_file are applied last and are not
198 subject to these restrictions. In both cases, variables present in the
199 files will only be set to their specified values if they would not con‐
200 flict with an existing environment variable.
201
203 The sudoers file is composed of two types of entries: aliases (basically
204 variables) and user specifications (which specify who may run what).
205 When multiple entries match for a user, they are applied in order. Where
207 there are multiple matches, the last match is used (which is not neces‐
208 sarily the most specific match).
209 The sudoers file grammar will be described below in Extended Backus-Naur
211 Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
212 simple, and the definitions below are annotated.
213 Quick guide to EBNF
215 EBNF is a concise and exact way of describing the grammar of a language.
216 Each EBNF definition is made up of production rules. E.g.,
217 symbol ::= definition | alternate1 | alternate2 ...
219 Each production rule references others and thus makes up a grammar for
221 the language. EBNF also contains the following operators, which many
222 readers will recognize from regular expressions. Do not, however, con‐
223 fuse them with “wildcard” characters, which have different meanings.
224 ? Means that the preceding symbol (or group of symbols) is optional.
226 That is, it may appear once or not at all.
227 * Means that the preceding symbol (or group of symbols) may appear
229 zero or more times.
230 + Means that the preceding symbol (or group of symbols) may appear
232 one or more times.
233 Parentheses may be used to group symbols together. For clarity, we will
235 use single quotes ('') to designate what is a verbatim character string
236 (as opposed to a symbol name).
237 Aliases
239 There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
240 Cmnd_Alias.
241 Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
243 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
244 'Host_Alias' Host_Alias (':' Host_Alias)* |
245 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
246 User_Alias ::= NAME '=' User_List
248 Runas_Alias ::= NAME '=' Runas_List
250 Host_Alias ::= NAME '=' Host_List
252 Cmnd_Alias ::= NAME '=' Cmnd_List
254 NAME ::= [A-Z]([A-Z][0-9]_)*
256 Each alias definition is of the form
258 Alias_Type NAME = item1, item2, ...
260 where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
262 Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and under‐
263 score characters (‘_’). A NAME must start with an uppercase letter. It
264 is possible to put several alias definitions of the same type on a single
265 line, joined by a colon (‘:’). E.g.,
266 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
268 It is a syntax error to redefine an existing alias. It is possible to
270 use the same name for aliases of different types, but this is not recom‐
271 mended.
272 The definitions of what constitutes a valid alias member follow.
274 User_List ::= User |
276 User ',' User_List
277 User ::= '!'* user name |
279 '!'* #uid |
280 '!'* %group |
281 '!'* %#gid |
282 '!'* +netgroup |
283 '!'* %:nonunix_group |
284 '!'* %:#nonunix_gid |
285 '!'* User_Alias
286 A User_List is made up of one or more user names, user IDs (prefixed with
288 ‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’ respec‐
289 tively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
290 (prefixed with ‘%:’ and ‘%:#’ respectively) and User_Aliases. Each list
291 item may be prefixed with zero or more ‘!’ operators. An odd number of
292 ‘!’ operators negate the value of the item; an even number just cancel
293 each other out. User netgroups are matched using the user and domain
294 members only; the host member is not used when matching.
295 A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
297 be enclosed in double quotes to avoid the need for escaping special char‐
298 acters. Alternately, special characters may be specified in escaped hex
299 mode, e.g. \x20 for space. When using double quotes, any prefix charac‐
300 ters must be included inside the quotes.
301 The actual nonunix_group and nonunix_gid syntax depends on the underlying
303 group provider plugin. For instance, the QAS AD plugin supports the fol‐
304 lowing formats:
305 · Group in the same domain: "%:Group Name"
307 · Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
309 · Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
311 See GROUP PROVIDER PLUGINS for more information.
313 Note that quotes around group names are optional. Unquoted strings must
315 use a backslash (‘\’) to escape spaces and special characters. See Other
316 special characters and reserved words for a list of characters that need
317 to be escaped.
318 Runas_List ::= Runas_Member |
320 Runas_Member ',' Runas_List
321 Runas_Member ::= '!'* user name |
323 '!'* #uid |
324 '!'* %group |
325 '!'* %#gid |
326 '!'* %:nonunix_group |
327 '!'* %:#nonunix_gid |
328 '!'* +netgroup |
329 '!'* Runas_Alias
330 A Runas_List is similar to a User_List except that instead of
332 User_Aliases it can contain Runas_Aliases. Note that user names and
333 groups are matched as strings. In other words, two users (groups) with
334 the same uid (gid) are considered to be distinct. If you wish to match
335 all user names with the same uid (e.g. root and toor), you can use a uid
336 instead (#0 in the example given).
337 Host_List ::= Host |
339 Host ',' Host_List
340 Host ::= '!'* host name |
342 '!'* ip_addr |
343 '!'* network(/netmask)? |
344 '!'* +netgroup |
345 '!'* Host_Alias
346 A Host_List is made up of one or more host names, IP addresses, network
348 numbers, netgroups (prefixed with ‘+’) and other aliases. Again, the
349 value of an item may be negated with the ‘!’ operator. Host netgroups
350 are matched using the host (both qualified and unqualified) and domain
351 members only; the user member is not used when matching. If you specify
352 a network number without a netmask, sudo will query each of the local
353 host's network interfaces and, if the network number corresponds to one
354 of the hosts's network interfaces, will use the netmask of that inter‐
355 face. The netmask may be specified either in standard IP address nota‐
356 tion (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
357 (number of bits, e.g. 24 or 64). A host name may include shell-style
358 wildcards (see the Wildcards section below), but unless the host name
359 command on your machine returns the fully qualified host name, you'll
360 need to use the fqdn option for wildcards to be useful. Note that sudo
361 only inspects actual network interfaces; this means that IP address
362 127.0.0.1 (localhost) will never match. Also, the host name “localhost”
363 will only match if that is the actual host name, which is usually only
364 the case for non-networked systems.
365 digest ::= [A-Fa-f0-9]+ |
367 [[A-Za-z0-9+/=]+
368 Digest_Spec ::= "sha224" ':' digest |
370 "sha256" ':' digest |
371 "sha384" ':' digest |
372 "sha512" ':' digest
373 Cmnd_List ::= Cmnd |
375 Cmnd ',' Cmnd_List
376 command name ::= file name |
378 file name args |
379 file name '""'
380 Cmnd ::= Digest_Spec? '!'* command name |
382 '!'* directory |
383 '!'* "sudoedit" |
384 '!'* Cmnd_Alias
385 A Cmnd_List is a list of one or more command names, directories, and
387 other aliases. A command name is a fully qualified file name which may
388 include shell-style wildcards (see the Wildcards section below). A sim‐
389 ple file name allows the user to run the command with any arguments
390 he/she wishes. However, you may also specify command line arguments
391 (including wildcards). Alternately, you can specify "" to indicate that
392 the command may only be run without command line arguments. A directory
393 is a fully qualified path name ending in a ‘/’. When you specify a
394 directory in a Cmnd_List, the user will be able to run any file within
395 that directory (but not in any sub-directories therein).
396 If a Cmnd has associated command line arguments, then the arguments in
398 the Cmnd must match exactly those given by the user on the command line
399 (or match the wildcards if there are any). Note that the following char‐
400 acters must be escaped with a ‘\’ if they are used in command arguments:
401 ‘,’, ‘:’, ‘=’, ‘\’. The built-in command “sudoedit” is used to permit a
402 user to run sudo with the -e option (or as sudoedit). It may take com‐
403 mand line arguments just as a normal command does. Note that “sudoedit”
404 is a command built into sudo itself and must be specified in the sudoers
405 file without a leading path.
406 If a command name is prefixed with a Digest_Spec, the command will only
408 match successfully if it can be verified using the specified SHA-2
409 digest. The following digest formats are supported: sha224, sha256,
410 sha384 and sha512. The string may be specified in either hex or base64
411 format (base64 is more compact). There are several utilities capable of
412 generating SHA-2 digests in hex format such as openssl, shasum,
413 sha224sum, sha256sum, sha384sum, sha512sum.
414 For example, using openssl:
416 $ openssl dgst -sha224 /bin/ls
418 SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
419 It is also possible to use openssl to generate base64 output:
421 $ openssl dgst -binary -sha224 /bin/ls | openssl base64
423 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
424 Warning, if the user has write access to the command itself (directly or
426 via a sudo command), it may be possible for the user to replace the com‐
427 mand after the digest check has been performed but before the command is
428 executed. A similar race condition exists on systems that lack the
429 fexecve(2) system call when the directory in which the command is located
430 is writable by the user. See the description of the fdexec setting for
431 more information on how sudo executes commands that have an associated
432 digest.
433 Command digests are only supported by version 1.8.7 or higher.
435 Defaults
437 Certain configuration options may be changed from their default values at
438 run-time via one or more Default_Entry lines. These may affect all users
439 on any host, all users on a specific host, a specific user, a specific
440 command, or commands being run as a specific user. Note that per-command
441 entries may not include command line arguments. If you need to specify
442 arguments, define a Cmnd_Alias and reference that instead.
443 Default_Type ::= 'Defaults' |
445 'Defaults' '@' Host_List |
446 'Defaults' ':' User_List |
447 'Defaults' '!' Cmnd_List |
448 'Defaults' '>' Runas_List
449 Default_Entry ::= Default_Type Parameter_List
451 Parameter_List ::= Parameter |
453 Parameter ',' Parameter_List
454 Parameter ::= Parameter '=' Value |
456 Parameter '+=' Value |
457 Parameter '-=' Value |
458 '!'* Parameter
459 Parameters may be flags, integer values, strings, or lists. Flags are
461 implicitly boolean and can be turned off via the ‘!’ operator. Some
462 integer, string and list parameters may also be used in a boolean context
463 to disable them. Values may be enclosed in double quotes ("") when they
464 contain multiple words. Special characters may be escaped with a back‐
465 slash (‘\’).
466 Lists have two additional assignment operators, += and -=. These opera‐
468 tors are used to add to and delete from a list respectively. It is not
469 an error to use the -= operator to remove an element that does not exist
470 in a list.
471 Defaults entries are parsed in the following order: generic, host, user
473 and runas Defaults first, then command defaults. If there are multiple
474 Defaults settings of the same type, the last matching setting is used.
475 The following Defaults settings are parsed before all others since they
476 may affect subsequent entries: fqdn, group_plugin, runas_default,
477 sudoers_locale.
478 See SUDOERS OPTIONS for a list of supported Defaults parameters.
480 User specification
482 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
483 (':' Host_List '=' Cmnd_Spec_List)*
484 Cmnd_Spec_List ::= Cmnd_Spec |
486 Cmnd_Spec ',' Cmnd_Spec_List
487 Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
489 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
491 Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
493 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
495 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
497 Timeout_Spec ::= 'TIMEOUT=timeout'
499 Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
501 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
502 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
503 'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
504 A user specification determines which commands a user may run (and as
506 what user) on specified hosts. By default, commands are run as root, but
507 this can be changed on a per-command basis.
508 The basic structure of a user specification is “who where = (as_whom)
510 what”. Let's break that down into its constituent parts:
511 Runas_Spec
513 A Runas_Spec determines the user and/or the group that a command may be
514 run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
515 defined above) separated by a colon (‘:’) and enclosed in a set of paren‐
516 theses. The first Runas_List indicates which users the command may be
517 run as via sudo's -u option. The second defines a list of groups that
518 can be specified via sudo's -g option. If both Runas_Lists are speci‐
519 fied, the command may be run with any combination of users and groups
520 listed in their respective Runas_Lists. If only the first is specified,
521 the command may be run as any user in the list but no -g option may be
522 specified. If the first Runas_List is empty but the second is specified,
523 the command may be run as the invoking user with the group set to any
524 listed in the Runas_List. If both Runas_Lists are empty, the command may
525 only be run as the invoking user. If no Runas_Spec is specified the com‐
526 mand may be run as root and no group may be specified.
527 A Runas_Spec sets the default for the commands that follow it. What this
529 means is that for the entry:
530 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
532 The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
534 boulder—but only as operator. E.g.,
535 $ sudo -u operator /bin/ls
537 It is also possible to override a Runas_Spec later on in an entry. If we
539 modify the entry like so:
540 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
542 Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
544 and /usr/bin/lprm as root.
545 We can extend this to allow dgb to run /bin/ls with either the user or
547 group set to operator:
548 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
550 /usr/bin/lprm
551 Note that while the group portion of the Runas_Spec permits the user to
553 run as command with that group, it does not force the user to do so. If
554 no group is specified on the command line, the command will run with the
555 group listed in the target user's password database entry. The following
556 would all be permitted by the sudoers entry above:
557 $ sudo -u operator /bin/ls
559 $ sudo -u operator -g operator /bin/ls
560 $ sudo -g operator /bin/ls
561 In the following example, user tcm may run commands that access a modem
563 device file with the dialer group.
564 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
566 /usr/local/bin/minicom
567 Note that in this example only the group will be set, the command still
569 runs as user tcm. E.g.
570 $ sudo -g dialer /usr/bin/cu
572 Multiple users and groups may be present in a Runas_Spec, in which case
574 the user may select any combination of users and groups via the -u and -g
575 options. In this example:
576 alan ALL = (root, bin : operator, system) ALL
578 user alan may run any command as either user root or bin, optionally set‐
580 ting the group to operator or system.
581 Option_Spec
583 A Cmnd may have zero or more options associated with it. Depending on
584 the system, options may consist of SELinux roles and/or types, Solaris
585 privileges sets, and command timeouts. Once an option is set for a Cmnd,
586 subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is
587 overridden by another option.
588 SELinux_Spec
590 On systems with SELinux support, sudoers file entries may optionally have
591 an SELinux role and/or type associated with a command. If a role or type
592 is specified with the command it will override any default values speci‐
593 fied in sudoers. A role or type specified on the command line, however,
594 will supersede the values in sudoers.
595 Date_Spec
597 sudoers rules can be specified with a start and end date via the
598 NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
599 Generalized Time as defined by RFC 4517. The format is effectively
600 yyyymmddHHMMSSZ where the minutes and seconds are optional. The ‘Z’ suf‐
601 fix indicates that the time stamp is in Coordinated Universal Time (UTC).
602 It is also possible to specify a timezone offset from UTC in hours and
603 minutes instead of a ‘Z’. For example, ‘-0500’ would correspond to East‐
604 ern Standard time in the US. As an extension, if no ‘Z’ or timezone off‐
605 set is specified, local time will be used.
606 The following are all valid time stamps:
608 20170214083000Z
610 2017021408Z
611 20160315220000-0500
612 20151201235900
613 Timeout_Spec
615 A command may have a timeout associated with it. If the timeout expires
616 before the command has exited, the command will be terminated. The time‐
617 out may be specified in combinations of days, hours, minutes and seconds
618 with a single-letter case-insensitive suffix that indicates the unit of
619 time. For example, a timeout of 7 days, 8 hours, 30 minutes and 10 sec‐
620 onds would be written as 7d8h30m10s. If a number is specified without a
621 unit, seconds are assumed. Any of the days, minutes, hours or seconds
622 may be omitted. The order must be from largest to smallest unit and a
623 unit may not be specified more than once.
624 The following are all valid timeout values: 7d8h30m10s, 14d, 8h30m, 600s,
626 3600. The following are invalid timeout values: 12m2w1d, 30s10m4h,
627 1d2d3h.
628 This option is only supported by version 1.8.20 or higher.
630 Tag_Spec
632 A command may have zero or more tags associated with it. The following
633 tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
634 NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD,
635 SETENV, and NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in
636 the Cmnd_Spec_List, inherit the tag unless it is overridden by the oppo‐
637 site tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides
638 EXEC).
639 EXEC and NOEXEC
641 If sudo has been compiled with noexec support and the underlying oper‐
643 ating system supports it, the NOEXEC tag can be used to prevent a
644 dynamically-linked executable from running further commands itself.
645 In the following example, user aaron may run /usr/bin/more and
647 /usr/bin/vi but shell escapes will be disabled.
648 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
650 See the Preventing shell escapes section below for more details on how
652 NOEXEC works and whether or not it will work on your system.
653 FOLLOW and NOFOLLOW Starting with version 1.8.15, sudoedit will not open
655 a file that is a symbolic link unless the sudoedit_follow option is
656 enabled. The FOLLOW and NOFOLLOW tags override the value of
657 sudoedit_follow and can be used to permit (or deny) the editing of sym‐
658 bolic links on a per-command basis. These tags are only effective for
659 the sudoedit command and are ignored for all other commands.
660 LOG_INPUT and NOLOG_INPUT
662 These tags override the value of the log_input option on a per-command
664 basis. For more information, see the description of log_input in the
665 SUDOERS OPTIONS section below.
666 LOG_OUTPUT and NOLOG_OUTPUT
668 These tags override the value of the log_output option on a per-command
670 basis. For more information, see the description of log_output in the
671 SUDOERS OPTIONS section below.
672 MAIL and NOMAIL
674 These tags provide fine-grained control over whether mail will be sent
676 when a user runs a command by overriding the value of the
677 mail_all_cmnds option on a per-command basis. They have no effect when
678 sudo is run with the -l or -v options. A NOMAIL tag will also override
679 the mail_always and mail_no_perms options. For more information, see
680 the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
681 the SUDOERS OPTIONS section below.
682 PASSWD and NOPASSWD
684 By default, sudo requires that a user authenticate him or herself
686 before running a command. This behavior can be modified via the
687 NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
688 the commands that follow it in the Cmnd_Spec_List. Conversely, the
689 PASSWD tag can be used to reverse things. For example:
690 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
692 would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
694 as root on the machine rushmore without authenticating himself. If we
695 only want ray to be able to run /bin/kill without a password the entry
696 would be:
697 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
699 Note, however, that the PASSWD tag has no effect on users who are in
701 the group specified by the exempt_group option.
702 By default, if the NOPASSWD tag is applied to any of the entries for a
704 user on the current host, he or she will be able to run “sudo -l” with‐
705 out a password. Additionally, a user may only run “sudo -v” without a
706 password if the NOPASSWD tag is present for all a user's entries that
707 pertain to the current host. This behavior may be overridden via the
708 verifypw and listpw options.
709 SETENV and NOSETENV
711 These tags override the value of the setenv option on a per-command
713 basis. Note that if SETENV has been set for a command, the user may
714 disable the env_reset option from the command line via the -E option.
715 Additionally, environment variables set on the command line are not
716 subject to the restrictions imposed by env_check, env_delete, or
717 env_keep. As such, only trusted users should be allowed to set vari‐
718 ables in this manner. If the command matched is ALL, the SETENV tag is
719 implied for that command; this default may be overridden by use of the
720 NOSETENV tag.
721 Wildcards
723 sudo allows shell-style wildcards (aka meta or glob characters) to be
724 used in host names, path names and command line arguments in the sudoers
725 file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
726 as specified by IEEE Std 1003.1 (“POSIX.1”).
727 * Matches any set of zero or more characters (including white
729 space).
730 ? Matches any single character (including white space).
732 [...] Matches any character in the specified range.
734 [!...] Matches any character not in the specified range.
736 \x For any character ‘x’, evaluates to ‘x’. This is used to
738 escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
739 Note that these are not regular expressions. Unlike a regular expression
741 there is no way to match one or more characters within a range.
742 Character classes may be used if your system's glob(3) and fnmatch(3)
744 functions support them. However, because the ‘:’ character has special
745 meaning in sudoers, it must be escaped. For example:
746 /bin/ls [[\:alpha\:]]*
748 Would match any file name beginning with a letter.
750 Note that a forward slash (‘/’) will not be matched by wildcards used in
752 the file name portion of the command. This is to make a path like:
753 /usr/bin/*
755 match /usr/bin/who but not /usr/bin/X11/xterm.
757 When matching the command line arguments, however, a slash does get
759 matched by wildcards since command line arguments may contain arbitrary
760 strings and not just path names.
761 Wildcards in command line arguments should be used with care.
763 Command line arguments are matched as a single, concatenated string.
764 This mean a wildcard character such as ‘?’ or ‘*’ will match across word
765 boundaries, which may be unexpected. For example, while a sudoers entry
766 like:
767 %operator ALL = /bin/cat /var/log/messages*
769 will allow command like:
771 $ sudo cat /var/log/messages.1
773 It will also allow:
775 $ sudo cat /var/log/messages /etc/shadow
777 which is probably not what was intended. In most cases it is better to
779 do command line processing outside of the sudoers file in a scripting
780 language.
781 Exceptions to wildcard rules
783 The following exceptions apply to the above rules:
784 "" If the empty string "" is the only command line argument in the
786 sudoers file entry it means that command is not allowed to be
787 run with any arguments.
788 sudoedit Command line arguments to the sudoedit built-in command should
790 always be path names, so a forward slash (‘/’) will not be
791 matched by a wildcard.
792 Including other files from within sudoers
794 It is possible to include other sudoers files from within the sudoers
795 file currently being parsed using the #include and #includedir direc‐
796 tives.
797 This can be used, for example, to keep a site-wide sudoers file in addi‐
799 tion to a local, per-machine file. For the sake of this example the
800 site-wide sudoers file will be /etc/sudoers and the per-machine one will
801 be /etc/sudoers.local. To include /etc/sudoers.local from within
802 /etc/sudoers we would use the following line in /etc/sudoers:
803 #include /etc/sudoers.local
805 When sudo reaches this line it will suspend processing of the current
807 file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
808 end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
809 Files that are included may themselves include other files. A hard limit
810 of 128 nested include files is enforced to prevent include file loops.
811 If the path to the include file is not fully-qualified (does not begin
813 with a ‘/’), it must be located in the same directory as the sudoers file
814 it was included from. For example, if /etc/sudoers contains the line:
815 #include sudoers.local
817 the file that will be included is /etc/sudoers.local.
819 The file name may also include the %h escape, signifying the short form
821 of the host name. In other words, if the machine's host name is
822 “xerxes”, then
823 #include /etc/sudoers.%h
825 will cause sudo to include the file /etc/sudoers.xerxes.
827 The #includedir directive can be used to create a sudoers.d directory
829 that the system package manager can drop sudoers file rules into as part
830 of package installation. For example, given:
831 #includedir /etc/sudoers.d
833 sudo will suspend processing of the current file and read each file in
835 /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
836 character to avoid causing problems with package manager or editor tempo‐
837 rary/backup files. Files are parsed in sorted lexical order. That is,
838 /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
839 Be aware that because the sorting is lexical, not numeric,
840 /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
841 Using a consistent number of leading zeroes in the file names can be used
842 to avoid such problems. After parsing the files in the directory, con‐
843 trol returns to the file that contained the #includedir directive.
844 Note that unlike files included via #include, visudo will not edit the
846 files in a #includedir directory unless one of them contains a syntax
847 error. It is still possible to run visudo with the -f flag to edit the
848 files directly, but this will not catch the redefinition of an alias that
849 is also present in a different file.
850 Other special characters and reserved words
852 The pound sign (‘#’) is used to indicate a comment (unless it is part of
853 a #include directive or unless it occurs in the context of a user name
854 and is followed by one or more digits, in which case it is treated as a
855 uid). Both the comment character and any text after it, up to the end of
856 the line, are ignored.
857 The reserved word ALL is a built-in alias that always causes a match to
859 succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
860 User_Alias, Runas_Alias, or Host_Alias. You should not try to define
861 your own alias called ALL as the built-in alias will be used in prefer‐
862 ence to your own. Please note that using ALL can be dangerous since in a
863 command context, it allows the user to run any command on the system.
864 An exclamation point (‘!’) can be used as a logical not operator in a
866 list or alias as well as in front of a Cmnd. This allows one to exclude
867 certain values. For the ‘!’ operator to be effective, there must be
868 something for it to exclude. For example, to match all users except for
869 root one would use:
870 ALL,!root
872 If the ALL, is omitted, as in:
874 !root
876 it would explicitly deny root but not match any other users. This is
878 different from a true “negation” operator.
879 Note, however, that using a ‘!’ in conjunction with the built-in ALL
881 alias to allow a user to run “all but a few” commands rarely works as
882 intended (see SECURITY NOTES below).
883 Long lines can be continued with a backslash (‘\’) as the last character
885 on the line.
886 White space between elements in a list as well as special syntactic char‐
888 acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
889 The following characters must be escaped with a backslash (‘\’) when used
891 as part of a word (e.g. a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
892 ‘(’, ‘)’, ‘\’.
893
895 sudo's behavior can be modified by Default_Entry lines, as explained ear‐
896 lier. A list of all supported Defaults parameters, grouped by type, are
897 listed below.
898 Boolean Flags:
900 always_query_group_plugin
902 If a group_plugin is configured, use it to resolve
903 groups of the form %group as long as there is not also
904 a system group of the same name. Normally, only groups
905 of the form %:group are passed to the group_plugin.
906 This flag is off by default.
907 always_set_home If enabled, sudo will set the HOME environment variable
909 to the home directory of the target user (which is root
910 unless the -u option is used). This effectively means
911 that the -H option is always implied. Note that by
912 default, HOME will be set to the home directory of the
913 target user when the env_reset option is enabled, so
914 always_set_home only has an effect for configurations
915 where either env_reset is disabled or HOME is present
916 in the env_keep list. This flag is off by default.
917 authenticate If set, users must authenticate themselves via a pass‐
919 word (or other means of authentication) before they may
920 run commands. This default may be overridden via the
921 PASSWD and NOPASSWD tags. This flag is on by default.
922 case_insensitive_group
924 If enabled, group names in sudoers will be matched in a
925 case insensitive manner. This may be necessary when
926 users are stored in LDAP or AD. This flag is on by
927 default.
928 case_insensitive_user
930 If enabled, user names in sudoers will be matched in a
931 case insensitive manner. This may be necessary when
932 groups are stored in LDAP or AD. This flag is on by
933 default.
934 closefrom_override
936 If set, the user may use sudo's -C option which over‐
937 rides the default starting point at which sudo begins
938 closing open file descriptors. This flag is off by
939 default.
940 compress_io If set, and sudo is configured to log a command's input
942 or output, the I/O logs will be compressed using zlib.
943 This flag is on by default when sudo is compiled with
944 zlib support.
945 exec_background By default, sudo runs a command as the foreground
947 process as long as sudo itself is running in the fore‐
948 ground. When the exec_background flag is enabled and
949 the command is being run in a pty (due to I/O logging
950 or the use_pty flag), the command will be run as a
951 background process. Attempts to read from the control‐
952 ling terminal (or to change terminal settings) will
953 result in the command being suspended with the SIGTTIN
954 signal (or SIGTTOU in the case of terminal settings).
955 If this happens when sudo is a foreground process, the
956 command will be granted the controlling terminal and
957 resumed in the foreground with no user intervention
958 required. The advantage of initially running the com‐
959 mand in the background is that sudo need not read from
960 the terminal unless the command explicitly requests it.
961 Otherwise, any terminal input must be passed to the
962 command, whether it has required it or not (the kernel
963 buffers terminals so it is not possible to tell whether
964 the command really wants the input). This is different
965 from historic sudo behavior or when the command is not
966 being run in a pty.
967 For this to work seamlessly, the operating system must
969 support the automatic restarting of system calls.
970 Unfortunately, not all operating systems do this by
971 default, and even those that do may have bugs. For
972 example, macOS fails to restart the tcgetattr() and
973 tcsetattr() system calls (this is a bug in macOS).
974 Furthermore, because this behavior depends on the com‐
975 mand stopping with the SIGTTIN or SIGTTOU signals, pro‐
976 grams that catch these signals and suspend themselves
977 with a different signal (usually SIGTOP) will not be
978 automatically foregrounded. Some versions of the linux
979 su(1) command behave this way. This flag is off by
980 default.
981 This setting is only supported by version 1.8.7 or
983 higher. It has no effect unless I/O logging is enabled
984 or the use_pty flag is enabled.
985 env_editor If set, visudo will use the value of the SUDO_EDITOR,
987 VISUAL or EDITOR environment variables before falling
988 back on the default editor list. Note that this may
989 create a security hole as it allows the user to run any
990 arbitrary command as root without logging. A safer
991 alternative is to place a colon-separated list of edi‐
992 tors in the editor variable. visudo will then only use
993 SUDO_EDITOR, VISUAL or EDITOR if they match a value
994 specified in editor. If the env_reset flag is enabled,
995 the SUDO_EDITOR, VISUAL and/or EDITOR environment vari‐
996 ables must be present in the env_keep list for the
997 env_editor flag to function when visudo is invoked via
998 sudo. This flag is on by default.
999 env_reset If set, sudo will run the command in a minimal environ‐
1001 ment containing the TERM, PATH, HOME, MAIL, SHELL,
1002 LOGNAME, USER, USERNAME and SUDO_* variables. Any
1003 variables in the caller's environment or in the file
1004 specified by the restricted_env_file option that match
1005 the env_keep and env_check lists are then added, fol‐
1006 lowed by any variables present in the file specified by
1007 the env_file option (if any). The contents of the
1008 env_keep and env_check lists, as modified by global
1009 Defaults parameters in sudoers, are displayed when sudo
1010 is run by root with the -V option. If the secure_path
1011 option is set, its value will be used for the PATH
1012 environment variable. This flag is on by default.
1013 fast_glob Normally, sudo uses the glob(3) function to do shell-
1015 style globbing when matching path names. However,
1016 since it accesses the file system, glob(3) can take a
1017 long time to complete for some patterns, especially
1018 when the pattern references a network file system that
1019 is mounted on demand (auto mounted). The fast_glob
1020 option causes sudo to use the fnmatch(3) function,
1021 which does not access the file system to do its match‐
1022 ing. The disadvantage of fast_glob is that it is
1023 unable to match relative path names such as ./ls or
1024 ../bin/ls. This has security implications when path
1025 names that include globbing characters are used with
1026 the negation operator, ‘!’, as such rules can be triv‐
1027 ially bypassed. As such, this option should not be
1028 used when the sudoers file contains rules that contain
1029 negated path names which include globbing characters.
1030 This flag is off by default.
1031 fqdn Set this flag if you want to put fully qualified host
1033 names in the sudoers file when the local host name (as
1034 returned by the hostname command) does not contain the
1035 domain name. In other words, instead of myhost you
1036 would use myhost.mydomain.edu. You may still use the
1037 short form if you wish (and even mix the two). This
1038 option is only effective when the “canonical” host
1039 name, as returned by the getaddrinfo() or
1040 gethostbyname() function, is a fully-qualified domain
1041 name. This is usually the case when the system is con‐
1042 figured to use DNS for host name resolution.
1043 If the system is configured to use the /etc/hosts file
1045 in preference to DNS, the “canonical” host name may not
1046 be fully-qualified. The order that sources are queried
1047 for host name resolution is usually specified in the
1048 /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
1049 or, in some cases, /etc/resolv.conf file. In the
1050 /etc/hosts file, the first host name of the entry is
1051 considered to be the “canonical” name; subsequent names
1052 are aliases that are not used by sudoers. For example,
1053 the following hosts file line for the machine “xyzzy”
1054 has the fully-qualified domain name as the “canonical”
1055 host name, and the short version as an alias.
1056 192.168.1.1 xyzzy.sudo.ws xyzzy
1058 If the machine's hosts file entry is not formatted
1060 properly, the fqdn option will not be effective if it
1061 is queried before DNS.
1062 Beware that when using DNS for host name resolution,
1064 turning on fqdn requires sudoers to make DNS lookups
1065 which renders sudo unusable if DNS stops working (for
1066 example if the machine is disconnected from the net‐
1067 work). Also note that just like with the hosts file,
1068 you must use the “canonical” name as DNS knows it.
1069 That is, you may not use a host alias (CNAME entry) due
1070 to performance issues and the fact that there is no way
1071 to get all aliases from DNS.
1072 This flag is off by default.
1074 ignore_audit_errors
1076 Allow commands to be run even if sudoers cannot write
1077 to the audit log. If enabled, an audit log write fail‐
1078 ure is not treated as a fatal error. If disabled, a
1079 command may only be run after the audit event is suc‐
1080 cessfully written. This flag is only effective on sys‐
1081 tems for which sudoers supports audit logging, includ‐
1082 ing FreeBSD, Linux, macOS and Solaris. This flag is on
1083 by default.
1084 ignore_dot If set, sudo will ignore "." or "" (both denoting cur‐
1086 rent directory) in the PATH environment variable; the
1087 PATH itself is not modified. This flag is on by
1088 default.
1089 ignore_iolog_errors
1091 Allow commands to be run even if sudoers cannot write
1092 to the I/O log. If enabled, an I/O log write failure
1093 is not treated as a fatal error. If disabled, the com‐
1094 mand will be terminated if the I/O log cannot be writ‐
1095 ten to. This flag is off by default.
1096 ignore_logfile_errors
1098 Allow commands to be run even if sudoers cannot write
1099 to the log file. If enabled, a log file write failure
1100 is not treated as a fatal error. If disabled, a com‐
1101 mand may only be run after the log file entry is suc‐
1102 cessfully written. This flag only has an effect when
1103 sudoers is configured to use file-based logging via the
1104 logfile option. This flag is on by default.
1105 ignore_local_sudoers
1107 If set via LDAP, parsing of /etc/sudoers will be
1108 skipped. This is intended for Enterprises that wish to
1109 prevent the usage of local sudoers files so that only
1110 LDAP is used. This thwarts the efforts of rogue opera‐
1111 tors who would attempt to add roles to /etc/sudoers.
1112 When this option is present, /etc/sudoers does not even
1113 need to exist. Since this option tells sudo how to
1114 behave when no specific LDAP entries have been matched,
1115 this sudoOption is only meaningful for the cn=defaults
1116 section. This flag is off by default.
1117 ignore_unknown_defaults
1119 If set, sudo will not produce a warning if it encoun‐
1120 ters an unknown Defaults entry in the sudoers file or
1121 an unknown sudoOption in LDAP. This flag is off by
1122 default.
1123 insults If set, sudo will insult users when they enter an
1125 incorrect password. This flag is off by default.
1126 log_host If set, the host name will be logged in the (non-sys‐
1128 log) sudo log file. This flag is off by default.
1129 log_input If set, sudo will run the command in a pseudo-tty and
1131 log all user input. If the standard input is not con‐
1132 nected to the user's tty, due to I/O redirection or
1133 because the command is part of a pipeline, that input
1134 is also captured and stored in a separate log file.
1135 Anything sent to the standard input will be consumed,
1136 regardless of whether or not the command run via sudo
1137 is actually reading the standard input. This may have
1138 unexpected results when using sudo in a shell script
1139 that expects to process the standard input. For more
1140 information about I/O logging, see the I/O LOG FILES
1141 section. This flag is off by default.
1142 log_output If set, sudo will run the command in a pseudo-tty and
1144 log all output that is sent to the screen, similar to
1145 the script(1) command. For more information about I/O
1146 logging, see the I/O LOG FILES section. This flag is
1147 off by default.
1148 log_year If set, the four-digit year will be logged in the (non-
1150 syslog) sudo log file. This flag is off by default.
1151 long_otp_prompt When validating with a One Time Password (OTP) scheme
1153 such as S/Key or OPIE, a two-line prompt is used to
1154 make it easier to cut and paste the challenge to a
1155 local window. It's not as pretty as the default but
1156 some people find it more convenient. This flag is off
1157 by default.
1158 mail_all_cmnds Send mail to the mailto user every time a user attempts
1160 to run a command via sudo (this includes sudoedit). No
1161 mail will be sent if the user runs sudo with the -l or
1162 -v option unless there is an authentication error and
1163 the mail_badpass flag is also set. This flag is off by
1164 default.
1165 mail_always Send mail to the mailto user every time a user runs
1167 sudo. This flag is off by default.
1168 mail_badpass Send mail to the mailto user if the user running sudo
1170 does not enter the correct password. If the command
1171 the user is attempting to run is not permitted by
1172 sudoers and one of the mail_all_cmnds, mail_always,
1173 mail_no_host, mail_no_perms or mail_no_user flags are
1174 set, this flag will have no effect. This flag is off
1175 by default.
1176 mail_no_host If set, mail will be sent to the mailto user if the
1178 invoking user exists in the sudoers file, but is not
1179 allowed to run commands on the current host. This flag
1180 is off by default.
1181 mail_no_perms If set, mail will be sent to the mailto user if the
1183 invoking user is allowed to use sudo but the command
1184 they are trying is not listed in their sudoers file
1185 entry or is explicitly denied. This flag is off by
1186 default.
1187 mail_no_user If set, mail will be sent to the mailto user if the
1189 invoking user is not in the sudoers file. This flag is
1190 on by default.
1191 match_group_by_gid
1193 By default, sudoers will look up each group the user is
1194 a member of by group ID to determine the group name
1195 (this is only done once). The resulting list of the
1196 user's group names is used when matching groups listed
1197 in the sudoers file. This works well on systems where
1198 the number of groups listed in the sudoers file is
1199 larger than the number of groups a typical user belongs
1200 to. On systems where group lookups are slow, where
1201 users may belong to a large number of groups, and where
1202 the number of groups listed in the sudoers file is rel‐
1203 atively small, it may be prohibitively expensive and
1204 running commands via sudo may take longer than normal.
1205 On such systems it may be faster to use the
1206 match_group_by_gid flag to avoid resolving the user's
1207 group IDs to group names. In this case, sudoers must
1208 look up any group name listed in the sudoers file and
1209 use the group ID instead of the group name when deter‐
1210 mining whether the user is a member of the group.
1211 Note that if match_group_by_gid is enabled, group data‐
1213 base lookups performed by sudoers will be keyed by
1214 group name as opposed to group ID. On systems where
1215 there are multiple sources for the group database, it
1216 is possible to have conflicting group names or group
1217 IDs in the local /etc/group file and the remote group
1218 database. On such systems, enabling or disabling
1219 match_group_by_gid can be used to choose whether group
1220 database queries are performed by name (enabled) or ID
1221 (disabled), which may aid in working around group entry
1222 conflicts.
1223 The match_group_by_gid flag has no effect when sudoers
1225 data is stored in LDAP. This flag is off by default.
1226 This setting is only supported by version 1.8.18 or
1228 higher.
1229 netgroup_tuple If set, netgroup lookups will be performed using the
1231 full netgroup tuple: host name, user name and domain
1232 (if one is set). Historically, sudo only matched the
1233 user name and domain for netgroups used in a User_List
1234 and only matched the host name and domain for netgroups
1235 used in a Host_List. This flag is off by default.
1236 noexec If set, all commands run via sudo will behave as if the
1238 NOEXEC tag has been set, unless overridden by an EXEC
1239 tag. See the description of EXEC and NOEXEC above as
1240 well as the Preventing shell escapes section at the end
1241 of this manual. This flag is off by default.
1242 pam_session On systems that use PAM for authentication, sudo will
1244 create a new PAM session for the command to be run in.
1245 Disabling pam_session may be needed on older PAM imple‐
1246 mentations or on operating systems where opening a PAM
1247 session changes the utmp or wtmp files. If PAM session
1248 support is disabled, resource limits may not be updated
1249 for the command being run. If pam_session,
1250 pam_setcred, and use_pty are disabled and I/O logging
1251 has not been configured, sudo will execute the command
1252 directly instead of running it as a child process.
1253 This flag is on by default.
1254 This setting is only supported by version 1.8.7 or
1256 higher.
1257 pam_setcred On systems that use PAM for authentication, sudo will
1259 attempt to establish credentials for the target user by
1260 default, if supported by the underlying authentication
1261 system. One example of a credential is a Kerberos
1262 ticket. If pam_session, pam_setcred, and use_pty are
1263 disabled and I/O logging has not been configured, sudo
1264 will execute the command directly instead of running it
1265 as a child process. This flag is on by default.
1266 This setting is only supported by version 1.8.8 or
1268 higher.
1269 passprompt_override
1271 If set, the prompt specified by passprompt or the
1272 SUDO_PROMPT environment variable will always be used
1273 and will replace the prompt provided by a PAM module or
1274 other authentication method. This flag is off by
1275 default.
1276 path_info Normally, sudo will tell the user when a command could
1278 not be found in their PATH environment variable. Some
1279 sites may wish to disable this as it could be used to
1280 gather information on the location of executables that
1281 the normal user does not have access to. The disadvan‐
1282 tage is that if the executable is simply not in the
1283 user's PATH, sudo will tell the user that they are not
1284 allowed to run it, which can be confusing. This flag
1285 is on by default.
1286 preserve_groups By default, sudo will initialize the group vector to
1288 the list of groups the target user is in. When
1289 preserve_groups is set, the user's existing group vec‐
1290 tor is left unaltered. The real and effective group
1291 IDs, however, are still set to match the target user.
1292 This flag is off by default.
1293 pwfeedback By default, sudo reads the password like most other
1295 Unix programs, by turning off echo until the user hits
1296 the return (or enter) key. Some users become confused
1297 by this as it appears to them that sudo has hung at
1298 this point. When pwfeedback is set, sudo will provide
1299 visual feedback when the user presses a key. Note that
1300 this does have a security impact as an onlooker may be
1301 able to determine the length of the password being
1302 entered. This flag is off by default.
1303 requiretty If set, sudo will only run when the user is logged in
1305 to a real tty. When this flag is set, sudo can only be
1306 run from a login session and not via other means such
1307 as cron(8) or cgi-bin scripts. This flag is off by
1308 default.
1309 root_sudo If set, root is allowed to run sudo too. Disabling
1311 this prevents users from “chaining” sudo commands to
1312 get a root shell by doing something like “sudo sudo
1313 /bin/sh”. Note, however, that turning off root_sudo
1314 will also prevent root from running sudoedit. Dis‐
1315 abling root_sudo provides no real additional security;
1316 it exists purely for historical reasons. This flag is
1317 on by default.
1318 rootpw If set, sudo will prompt for the root password instead
1320 of the password of the invoking user when running a
1321 command or editing a file. This flag is off by
1322 default.
1323 runaspw If set, sudo will prompt for the password of the user
1325 defined by the runas_default option (defaults to root)
1326 instead of the password of the invoking user when run‐
1327 ning a command or editing a file. This flag is off by
1328 default.
1329 set_home If enabled and sudo is invoked with the -s option the
1331 HOME environment variable will be set to the home
1332 directory of the target user (which is root unless the
1333 -u option is used). This effectively makes the -s
1334 option imply -H. Note that HOME is already set when
1335 the env_reset option is enabled, so set_home is only
1336 effective for configurations where either env_reset is
1337 disabled or HOME is present in the env_keep list. This
1338 flag is off by default.
1339 set_logname Normally, sudo will set the LOGNAME, USER and USERNAME
1341 environment variables to the name of the target user
1342 (usually root unless the -u option is given). However,
1343 since some programs (including the RCS revision control
1344 system) use LOGNAME to determine the real identity of
1345 the user, it may be desirable to change this behavior.
1346 This can be done by negating the set_logname option.
1347 Note that set_logname will have no effect if the
1348 env_reset option has not been disabled and the env_keep
1349 list contains LOGNAME, USER or USERNAME. This flag is
1350 on by default.
1351 set_utmp When enabled, sudo will create an entry in the utmp (or
1353 utmpx) file when a pseudo-tty is allocated. A pseudo-
1354 tty is allocated by sudo when the log_input, log_output
1355 or use_pty flags are enabled. By default, the new
1356 entry will be a copy of the user's existing utmp entry
1357 (if any), with the tty, time, type and pid fields
1358 updated. This flag is on by default.
1359 setenv Allow the user to disable the env_reset option from the
1361 command line via the -E option. Additionally, environ‐
1362 ment variables set via the command line are not subject
1363 to the restrictions imposed by env_check, env_delete,
1364 or env_keep. As such, only trusted users should be
1365 allowed to set variables in this manner. This flag is
1366 off by default.
1367 shell_noargs If set and sudo is invoked with no arguments it acts as
1369 if the -s option had been given. That is, it runs a
1370 shell as root (the shell is determined by the SHELL
1371 environment variable if it is set, falling back on the
1372 shell listed in the invoking user's /etc/passwd entry
1373 if not). This flag is off by default.
1374 stay_setuid Normally, when sudo executes a command the real and
1376 effective UIDs are set to the target user (root by
1377 default). This option changes that behavior such that
1378 the real UID is left as the invoking user's UID. In
1379 other words, this makes sudo act as a setuid wrapper.
1380 This can be useful on systems that disable some poten‐
1381 tially dangerous functionality when a program is run
1382 setuid. This option is only effective on systems that
1383 support either the setreuid(2) or setresuid(2) system
1384 call. This flag is off by default.
1385 sudoedit_checkdir
1387 If set, sudoedit will check all directory components of
1388 the path to be edited for writability by the invoking
1389 user. Symbolic links will not be followed in writable
1390 directories and sudoedit will refuse to edit a file
1391 located in a writable directory. These restrictions
1392 are not enforced when sudoedit is run by root. On some
1393 systems, if all directory components of the path to be
1394 edited are not readable by the target user, sudoedit
1395 will be unable to edit the file. This flag is on by
1396 default.
1397 This setting was first introduced in version 1.8.15 but
1399 initially suffered from a race condition. The check
1400 for symbolic links in writable intermediate directories
1401 was added in version 1.8.16.
1402 sudoedit_follow By default, sudoedit will not follow symbolic links
1404 when opening files. The sudoedit_follow option can be
1405 enabled to allow sudoedit to open symbolic links. It
1406 may be overridden on a per-command basis by the FOLLOW
1407 and NOFOLLOW tags. This flag is off by default.
1408 This setting is only supported by version 1.8.15 or
1410 higher.
1411 syslog_pid When logging via syslog(3), include the process ID in
1413 the log entry. This flag is off by default.
1414 This setting is only supported by version 1.8.21 or
1416 higher.
1417 targetpw If set, sudo will prompt for the password of the user
1419 specified by the -u option (defaults to root) instead
1420 of the password of the invoking user when running a
1421 command or editing a file. Note that this flag pre‐
1422 cludes the use of a uid not listed in the passwd data‐
1423 base as an argument to the -u option. This flag is off
1424 by default.
1425 tty_tickets If set, users must authenticate on a per-tty basis.
1427 With this flag enabled, sudo will use a separate record
1428 in the time stamp file for each terminal. If disabled,
1429 a single record is used for all login sessions.
1430 This option has been superseded by the timestamp_type
1432 option.
1433 umask_override If set, sudo will set the umask as specified in the
1435 sudoers file without modification. This makes it pos‐
1436 sible to specify a umask in the sudoers file that is
1437 more permissive than the user's own umask and matches
1438 historical behavior. If umask_override is not set,
1439 sudo will set the umask to be the union of the user's
1440 umask and what is specified in sudoers. This flag is
1441 off by default.
1442 use_netgroups If set, netgroups (prefixed with ‘+’), may be used in
1444 place of a user or host. For LDAP-based sudoers, net‐
1445 group support requires an expensive sub-string match on
1446 the server unless the NETGROUP_BASE directive is
1447 present in the /etc/sudo-ldap.conf file. If netgroups
1448 are not needed, this option can be disabled to reduce
1449 the load on the LDAP server. This flag is on by
1450 default.
1451 use_pty If set, and sudo is running in a terminal, the command
1453 will be run in a pseudo-pty (even if no I/O logging is
1454 being done). If the sudo process is not attached to a
1455 terminal, use_pty has no effect.
1456 A malicious program run under sudo may be capable of
1458 injecting injecting commands into the user's terminal
1459 or running a background process that retains access to
1460 the user's terminal device even after the main program
1461 has finished executing. By running the command in a
1462 separate pseudo-pty, this attack is no longer possible.
1463 This flag is off by default.
1464 user_command_timeouts
1466 If set, the user may specify a timeout on the command
1467 line. If the timeout expires before the command has
1468 exited, the command will be terminated. If a timeout
1469 is specified both in the sudoers file and on the com‐
1470 mand line, the smaller of the two timeouts will be
1471 used. See the Timeout_Spec section for a description
1472 of the timeout syntax. This flag is off by default.
1473 This setting is only supported by version 1.8.20 or
1475 higher.
1476 utmp_runas If set, sudo will store the name of the runas user when
1478 updating the utmp (or utmpx) file. By default, sudo
1479 stores the name of the invoking user. This flag is off
1480 by default.
1481 visiblepw By default, sudo will refuse to run if the user must
1483 enter a password but it is not possible to disable echo
1484 on the terminal. If the visiblepw flag is set, sudo
1485 will prompt for a password even when it would be visi‐
1486 ble on the screen. This makes it possible to run
1487 things like “ssh somehost sudo ls” since by default,
1488 ssh(1) does not allocate a tty when running a command.
1489 This flag is off by default.
1490 Integers:
1492 closefrom Before it executes a command, sudo will close all open
1494 file descriptors other than standard input, standard
1495 output and standard error (ie: file descriptors 0-2).
1496 The closefrom option can be used to specify a different
1497 file descriptor at which to start closing. The default
1498 is 3.
1499 command_timeout The maximum amount of time a command is allowed to run
1501 before it is terminated. See the Timeout_Spec section
1502 for a description of the timeout syntax.
1503 This setting is only supported by version 1.8.20 or
1505 higher.
1506 maxseq The maximum sequence number that will be substituted
1508 for the “%{seq}” escape in the I/O log file (see the
1509 iolog_dir description above for more information).
1510 While the value substituted for “%{seq}” is in base 36,
1511 maxseq itself should be expressed in decimal. Values
1512 larger than 2176782336 (which corresponds to the base
1513 36 sequence number “ZZZZZZ”) will be silently truncated
1514 to 2176782336. The default value is 2176782336.
1515 Once the local sequence number reaches the value of
1517 maxseq, it will “roll over” to zero, after which
1518 sudoers will truncate and re-use any existing I/O log
1519 path names.
1520 This setting is only supported by version 1.8.7 or
1522 higher.
1523 passwd_tries The number of tries a user gets to enter his/her pass‐
1525 word before sudo logs the failure and exits. The
1526 default is 3.
1527 syslog_maxlen On many systems, syslog(3) has a relatively small log
1529 buffer. IETF RFC 5424 states that syslog servers must
1530 support messages of at least 480 bytes and should sup‐
1531 port messages up to 2048 bytes. By default, sudoers
1532 creates log messages up to 980 bytes which corresponds
1533 to the historic BSD syslog implementation which used a
1534 1024 byte buffer to store the message, date, hostname
1535 and program name. To prevent syslog messages from
1536 being truncated, sudoers will split up log messages
1537 that are larger than syslog_maxlen bytes. When a mes‐
1538 sage is split, additional parts will include the string
1539 “(command continued)” after the user name and before
1540 the continued command line arguments.
1541 This setting is only supported by version 1.8.19 or
1543 higher.
1544 Integers that can be used in a boolean context:
1546 loglinelen Number of characters per line for the file log. This
1548 value is used to decide when to wrap lines for nicer
1549 log files. This has no effect on the syslog log file,
1550 only the file log. The default is 80 (use 0 or negate
1551 the option to disable word wrap).
1552 passwd_timeout Number of minutes before the sudo password prompt times
1554 out, or 0 for no timeout. The timeout may include a
1555 fractional component if minute granularity is insuffi‐
1556 cient, for example 2.5. The default is 5.
1557 timestamp_timeout
1559 Number of minutes that can elapse before sudo will ask
1560 for a passwd again. The timeout may include a frac‐
1561 tional component if minute granularity is insufficient,
1562 for example 2.5. The default is 5. Set this to 0 to
1563 always prompt for a password. If set to a value less
1564 than 0 the user's time stamp will not expire until the
1565 system is rebooted. This can be used to allow users to
1566 create or delete their own time stamps via “sudo -v”
1567 and “sudo -k” respectively.
1568 umask Umask to use when running the command. Negate this
1570 option or set it to 0777 to preserve the user's umask.
1571 The actual umask that is used will be the union of the
1572 user's umask and the value of the umask option, which
1573 defaults to 0022. This guarantees that sudo never low‐
1574 ers the umask when running a command. Note: on systems
1575 that use PAM, the default PAM configuration may specify
1576 its own umask which will override the value set in
1577 sudoers.
1578 Strings:
1580 authfail_message Message that is displayed after a user fails to authen‐
1582 ticate. The message may include the ‘%d’ escape which
1583 will expand to the number of failed password attempts.
1584 If set, it overrides the default message, %d incorrect
1585 password attempt(s).
1586 badpass_message Message that is displayed if a user enters an incorrect
1588 password. The default is Sorry, try again. unless
1589 insults are enabled.
1590 editor A colon (‘:’) separated list of editors path names used
1592 by sudoedit and visudo. For sudoedit, this list is
1593 used to find an editor when none of the SUDO_EDITOR,
1594 VISUAL or EDITOR environment variables are set to an
1595 editor that exists and is executable. For visudo, it
1596 is used as a white list of allowed editors; visudo will
1597 choose the editor that matches the user's SUDO_EDITOR,
1598 VISUAL or EDITOR environment variable if possible, or
1599 the first editor in the list that exists and is exe‐
1600 cutable if not. Unless invoked as sudoedit, sudo does
1601 not preserve the SUDO_EDITOR, VISUAL and EDITOR envi‐
1602 ronment variables by default, even when the env_reset
1603 option is enabled. The default is /usr/bin/vi.
1604 iolog_dir The top-level directory to use when constructing the
1606 path name for the input/output log directory. Only
1607 used if the log_input or log_output options are enabled
1608 or when the LOG_INPUT or LOG_OUTPUT tags are present
1609 for a command. The session sequence number, if any, is
1610 stored in the directory. The default is
1611 /var/log/sudo-io.
1612 The following percent (‘%’) escape sequences are sup‐
1614 ported:
1615 %{seq}
1617 expanded to a monotonically increasing base-36
1618 sequence number, such as 0100A5, where every two
1619 digits are used to form a new directory, e.g.
1620 01/00/A5
1621 %{user}
1623 expanded to the invoking user's login name
1624 %{group}
1626 expanded to the name of the invoking user's real
1627 group ID
1628 %{runas_user}
1630 expanded to the login name of the user the com‐
1631 mand will be run as (e.g. root)
1632 %{runas_group}
1634 expanded to the group name of the user the com‐
1635 mand will be run as (e.g. wheel)
1636 %{hostname}
1638 expanded to the local host name without the
1639 domain name
1640 %{command}
1642 expanded to the base name of the command being
1643 run
1644 In addition, any escape sequences supported by the sys‐
1646 tem's strftime(3) function will be expanded.
1647 To include a literal ‘%’ character, the string ‘%%’
1649 should be used.
1650 iolog_file The path name, relative to iolog_dir, in which to store
1652 input/output logs when the log_input or log_output
1653 options are enabled or when the LOG_INPUT or LOG_OUTPUT
1654 tags are present for a command. Note that iolog_file
1655 may contain directory components. The default is
1656 “%{seq}”.
1657 See the iolog_dir option above for a list of supported
1659 percent (‘%’) escape sequences.
1660 In addition to the escape sequences, path names that
1662 end in six or more Xs will have the Xs replaced with a
1663 unique combination of digits and letters, similar to
1664 the mktemp(3) function.
1665 If the path created by concatenating iolog_dir and
1667 iolog_file already exists, the existing I/O log file
1668 will be truncated and overwritten unless iolog_file
1669 ends in six or more Xs.
1670 iolog_flush If set, sudo will flush I/O log data to disk after each
1672 write instead of buffering it. This makes it possible
1673 to view the logs in real-time as the program is execut‐
1674 ing but may significantly reduce the effectiveness of
1675 I/O log compression. This flag is off by default.
1676 This setting is only supported by version 1.8.20 or
1678 higher.
1679 iolog_group The group name to look up when setting the group ID on
1681 new I/O log files and directories. If iolog_group is
1682 not set, the primary group ID of the user specified by
1683 iolog_user is used. If neither iolog_group nor
1684 iolog_user are set, I/O log files and directories are
1685 created with group ID 0.
1686 This setting is only supported by version 1.8.19 or
1688 higher.
1689 iolog_mode The file mode to use when creating I/O log files. Mode
1691 bits for read and write permissions for owner, group or
1692 other are honored, everything else is ignored. The
1693 file permissions will always include the owner read and
1694 write bits, even if they are not present in the speci‐
1695 fied mode. When creating I/O log directories, search
1696 (execute) bits are added to to match the read and write
1697 bits specified by iolog_mode. Defaults to 0600 (read
1698 and write by user only).
1699 This setting is only supported by version 1.8.19 or
1701 higher.
1702 iolog_user The user name to look up when setting the user and
1704 group IDs on new I/O log files and directories. If
1705 iolog_group is set, it will be used instead of the
1706 user's primary group ID. By default, I/O log files and
1707 directories are created with user and group ID 0.
1708 This setting can be useful when the I/O logs are stored
1710 on a Network File System (NFS) share. Having a dedi‐
1711 cated user own the I/O log files means that sudoers
1712 does not write to the log files as user ID 0, which is
1713 usually not permitted by NFS.
1714 This setting is only supported by version 1.8.19 or
1716 higher.
1717 lecture_status_dir
1719 The directory in which sudo stores per-user lecture
1720 status files. Once a user has received the lecture, a
1721 zero-length file is created in this directory so that
1722 sudo will not lecture the user again. This directory
1723 should not be cleared when the system reboots. The
1724 default is /var/db/sudo/lectured.
1725 mailsub Subject of the mail sent to the mailto user. The
1727 escape %h will expand to the host name of the machine.
1728 Default is “*** SECURITY information for %h ***”.
1729 noexec_file As of sudo version 1.8.1 this option is no longer sup‐
1731 ported. The path to the noexec file should now be set
1732 in the sudo.conf(5) file.
1733 pam_login_service
1735 On systems that use PAM for authentication, this is the
1736 service name used when the -i option is specified. The
1737 default value is “sudo-i”. See the description of
1738 pam_service for more information.
1739 This setting is only supported by version 1.8.8 or
1741 higher.
1742 pam_service On systems that use PAM for authentication, the service
1744 name specifies the PAM policy to apply. This usually
1745 corresponds to an entry in the pam.conf file or a file
1746 in the /etc/pam.d directory. The default value is
1747 “sudo”.
1748 This setting is only supported by version 1.8.8 or
1750 higher.
1751 passprompt The default prompt to use when asking for a password;
1753 can be overridden via the -p option or the SUDO_PROMPT
1754 environment variable. The following percent (‘%’)
1755 escape sequences are supported:
1756 %H expanded to the local host name including the
1758 domain name (only if the machine's host name is
1759 fully qualified or the fqdn option is set)
1760 %h expanded to the local host name without the
1762 domain name
1763 %p expanded to the user whose password is being
1765 asked for (respects the rootpw, targetpw and
1766 runaspw flags in sudoers)
1767 %U expanded to the login name of the user the com‐
1769 mand will be run as (defaults to root)
1770 %u expanded to the invoking user's login name
1772 %% two consecutive % characters are collapsed into a
1774 single % character
1775 On systems that use PAM for authentication, passprompt
1777 will only be used if the prompt provided by the PAM
1778 module matches the string “Password: ” or “username's
1779 Password: ”. This ensures that the passprompt setting
1780 does not interfere with challenge-response style
1781 authentication. The passprompt_override flag can be
1782 used to change this behavior.
1783 The default value is “[sudo] password for %p: ”.
1785 role The default SELinux role to use when constructing a new
1787 security context to run the command. The default role
1788 may be overridden on a per-command basis in the sudoers
1789 file or via command line options. This option is only
1790 available when sudo is built with SELinux support.
1791 runas_default The default user to run commands as if the -u option is
1793 not specified on the command line. This defaults to
1794 root.
1795 sudoers_locale Locale to use when parsing the sudoers file, logging
1797 commands, and sending email. Note that changing the
1798 locale may affect how sudoers is interpreted. Defaults
1799 to “C”.
1800 timestamp_type sudoers uses per-user time stamp files for credential
1802 caching. The timestamp_type option can be used to
1803 specify the type of time stamp record used. It has the
1804 following possible values:
1805 global A single time stamp record is used for all of a
1807 user's login sessions, regardless of the termi‐
1808 nal or parent process ID. An additional record
1809 is used to serialize password prompts when sudo
1810 is used multiple times in a pipeline, but this
1811 does not affect authentication.
1812 ppid A single time stamp record is used for all pro‐
1814 cesses with the same parent process ID (usually
1815 the shell). Commands run from the same shell
1816 (or other common parent process) will not
1817 require a password for timestamp_timeout min‐
1818 utes (5 by default). Commands run via sudo
1819 with a different parent process ID, for example
1820 from a shell script, will be authenticated sep‐
1821 arately.
1822 tty One time stamp record is used for each termi‐
1824 nal, which means that a user's login sessions
1825 are authenticated separately. If no terminal
1826 is present, the behavior is the same as ppid.
1827 Commands run from the same terminal will not
1828 require a password for timestamp_timeout min‐
1829 utes (5 by default).
1830 kernel The time stamp is stored in the kernel as an
1832 attribute of the terminal device. If no termi‐
1833 nal is present, the behavior is the same as
1834 ppid. Negative timestamp_timeout values are
1835 not supported and positive values are limited
1836 to a maximum of 60 minutes. This is currently
1837 only supported on OpenBSD.
1838 The default value is tty.
1840 This setting is only supported by version 1.8.21 or
1842 higher.
1843 timestampdir The directory in which sudo stores its time stamp
1845 files. This directory should be cleared when the sys‐
1846 tem reboots. The default is /run/sudo/ts.
1847 timestampowner The owner of the lecture status directory, time stamp
1849 directory and all files stored therein. The default is
1850 root.
1851 type The default SELinux type to use when constructing a new
1853 security context to run the command. The default type
1854 may be overridden on a per-command basis in the sudoers
1855 file or via command line options. This option is only
1856 available when sudo is built with SELinux support.
1857 Strings that can be used in a boolean context:
1859 env_file The env_file option specifies the fully qualified path to a
1861 file containing variables to be set in the environment of
1862 the program being run. Entries in this file should either
1863 be of the form “VARIABLE=value” or “export VARIABLE=value”.
1864 The value may optionally be surrounded by single or double
1865 quotes. Variables in this file are only added if the vari‐
1866 able does not already exist in the environment. This file
1867 is considered to be part of the security policy, its con‐
1868 tents are not subject to other sudo environment restric‐
1869 tions such as env_keep and env_check.
1870 exempt_group Users in this group are exempt from password and PATH
1872 requirements. The group name specified should not include
1873 a % prefix. This is not set by default.
1874 fdexec Determines whether sudo will execute a command by its path
1876 or by an open file descriptor. It has the following possi‐
1877 ble values:
1878 always Always execute by file descriptor.
1880 never Never execute by file descriptor.
1882 digest_only
1884 Only execute by file descriptor if the command has
1885 an associated digest in the sudoers file.
1886 The default value is digest_only. This avoids a time of
1888 check versus time of use race condition when the command is
1889 located in a directory writable by the invoking user.
1890 Note that fdexec will change the first element of the argu‐
1892 ment vector for scripts ($0 in the shell) due to the way
1893 the kernel runs script interpreters. Instead of being a
1894 normal path, it will refer to a file descriptor. For exam‐
1895 ple, /dev/fd/4 on Solaris and /proc/self/fd/4 on Linux. A
1896 workaround is to use the SUDO_COMMAND environment variable
1897 instead.
1898 The fdexec setting is only used when the command is matched
1900 by path name. It has no effect if the command is matched
1901 by the built-in ALL alias.
1902 This setting is only supported by version 1.8.20 or higher.
1904 If the operating system does not support the fexecve(2)
1905 system call, this setting has no effect.
1906 group_plugin A string containing a sudoers group plugin with optional
1908 arguments. The string should consist of the plugin path,
1909 either fully-qualified or relative to the /usr/libexec/sudo
1910 directory, followed by any configuration arguments the
1911 plugin requires. These arguments (if any) will be passed
1912 to the plugin's initialization function. If arguments are
1913 present, the string must be enclosed in double quotes ("").
1914 For more information see GROUP PROVIDER PLUGINS.
1916 lecture This option controls when a short lecture will be printed
1918 along with the password prompt. It has the following pos‐
1919 sible values:
1920 always Always lecture the user.
1922 never Never lecture the user.
1924 once Only lecture the user the first time they run sudo.
1926 If no value is specified, a value of once is implied.
1928 Negating the option results in a value of never being used.
1929 The default value is once.
1930 lecture_file Path to a file containing an alternate sudo lecture that
1932 will be used in place of the standard lecture if the named
1933 file exists. By default, sudo uses a built-in lecture.
1934 listpw This option controls when a password will be required when
1936 a user runs sudo with the -l option. It has the following
1937 possible values:
1938 all All the user's sudoers file entries for the cur‐
1940 rent host must have the NOPASSWD flag set to
1941 avoid entering a password.
1942 always The user must always enter a password to use the
1944 -l option.
1945 any At least one of the user's sudoers file entries
1947 for the current host must have the NOPASSWD flag
1948 set to avoid entering a password.
1949 never The user need never enter a password to use the
1951 -l option.
1952 If no value is specified, a value of any is implied.
1954 Negating the option results in a value of never being used.
1955 The default value is any.
1956 logfile Path to the sudo log file (not the syslog log file). Set‐
1958 ting a path turns on logging to a file; negating this
1959 option turns it off. By default, sudo logs via syslog.
1960 mailerflags Flags to use when invoking mailer. Defaults to -t.
1962 mailerpath Path to mail program used to send warning mail. Defaults
1964 to the path to sendmail found at configure time.
1965 mailfrom Address to use for the “from” address when sending warning
1967 and error mail. The address should be enclosed in double
1968 quotes ("") to protect against sudo interpreting the @
1969 sign. Defaults to the name of the user running sudo.
1970 mailto Address to send warning and error mail to. The address
1972 should be enclosed in double quotes ("") to protect against
1973 sudo interpreting the @ sign. Defaults to root.
1974 restricted_env_file
1976 The restricted_env_file option specifies the fully quali‐
1977 fied path to a file containing variables to be set in the
1978 environment of the program being run. Entries in this file
1979 should either be of the form “VARIABLE=value” or “export
1980 VARIABLE=value”. The value may optionally be surrounded by
1981 single or double quotes. Variables in this file are only
1982 added if the variable does not already exist in the envi‐
1983 ronment. Unlike env_file, the file's contents are not
1984 trusted and are processed in a manner similar to that of
1985 the invoking user's environment. If env_reset is enabled,
1986 variables in the file will only be added if they are
1987 matched by either the env_check or env_keep list. If
1988 env_reset is disabled, variables in the file are added as
1989 long as they are not matched by the env_delete list. In
1990 either case, the contents of restricted_env_file are pro‐
1991 cessed before the contents of env_file.
1992 secure_path Path used for every command run from sudo. If you don't
1994 trust the people running sudo to have a sane PATH environ‐
1995 ment variable you may want to use this. Another use is if
1996 you want to have the “root path” be separate from the “user
1997 path”. Users in the group specified by the exempt_group
1998 option are not affected by secure_path. This option is not
1999 set by default.
2000 syslog Syslog facility if syslog is being used for logging (negate
2002 to disable syslog logging). Defaults to authpriv.
2003 The following syslog facilities are supported: authpriv (if
2005 your OS supports it), auth, daemon, user, local0, local1,
2006 local2, local3, local4, local5, local6, and local7.
2007 syslog_badpri
2009 Syslog priority to use when the user is not allowed to run
2010 a command or when authentication is unsuccessful. Defaults
2011 to alert.
2012 The following syslog priorities are supported: alert, crit,
2014 debug, emerg, err, info, notice, warning, and none. Negat‐
2015 ing the option or setting it to a value of none will dis‐
2016 able logging of unsuccessful commands.
2017 syslog_goodpri
2019 Syslog priority to use when the user is allowed to run a
2020 command and authentication is successful. Defaults to
2021 notice.
2022 See syslog_badpri for the list of supported syslog priori‐
2024 ties. Negating the option or setting it to a value of none
2025 will disable logging of successful commands.
2026 verifypw This option controls when a password will be required when
2028 a user runs sudo with the -v option. It has the following
2029 possible values:
2030 all All the user's sudoers file entries for the current
2032 host must have the NOPASSWD flag set to avoid
2033 entering a password.
2034 always The user must always enter a password to use the -v
2036 option.
2037 any At least one of the user's sudoers file entries for
2039 the current host must have the NOPASSWD flag set to
2040 avoid entering a password.
2041 never The user need never enter a password to use the -v
2043 option.
2044 If no value is specified, a value of all is implied.
2046 Negating the option results in a value of never being used.
2047 The default value is all.
2048 Lists that can be used in a boolean context:
2050 env_check Environment variables to be removed from the user's
2052 environment unless they are considered “safe”. For all
2053 variables except TZ, “safe” means that the variable's
2054 value does not contain any ‘%’ or ‘/’ characters. This
2055 can be used to guard against printf-style format vul‐
2056 nerabilities in poorly-written programs. The TZ vari‐
2057 able is considered unsafe if any of the following are
2058 true:
2059 · It consists of a fully-qualified path name, option‐
2061 ally prefixed with a colon (‘:’), that does not
2062 match the location of the zoneinfo directory.
2063 · It contains a .. path element.
2065 · It contains white space or non-printable characters.
2067 · It is longer than the value of PATH_MAX.
2069 The argument may be a double-quoted, space-separated
2071 list or a single value without double-quotes. The list
2072 can be replaced, added to, deleted from, or disabled by
2073 using the =, +=, -=, and ! operators respectively.
2074 Regardless of whether the env_reset option is enabled
2075 or disabled, variables specified by env_check will be
2076 preserved in the environment if they pass the aforemen‐
2077 tioned check. The global list of environment variables
2078 to check is displayed when sudo is run by root with the
2079 -V option.
2080 env_delete Environment variables to be removed from the user's
2082 environment when the env_reset option is not in effect.
2083 The argument may be a double-quoted, space-separated
2084 list or a single value without double-quotes. The list
2085 can be replaced, added to, deleted from, or disabled by
2086 using the =, +=, -=, and ! operators respectively. The
2087 global list of environment variables to remove is dis‐
2088 played when sudo is run by root with the -V option.
2089 Note that many operating systems will remove poten‐
2090 tially dangerous variables from the environment of any
2091 setuid process (such as sudo).
2092 env_keep Environment variables to be preserved in the user's
2094 environment when the env_reset option is in effect.
2095 This allows fine-grained control over the environment
2096 sudo-spawned processes will receive. The argument may
2097 be a double-quoted, space-separated list or a single
2098 value without double-quotes. The list can be replaced,
2099 added to, deleted from, or disabled by using the =, +=,
2100 -=, and ! operators respectively. The global list of
2101 variables to keep is displayed when sudo is run by root
2102 with the -V option.
2103
2105 The sudoers plugin supports its own plugin interface to allow non-Unix
2106 group lookups which can query a group source other than the standard Unix
2107 group database. This can be used to implement support for the
2108 nonunix_group syntax described earlier.
2109 Group provider plugins are specified via the group_plugin Defaults set‐
2111 ting. The argument to group_plugin should consist of the plugin path,
2112 either fully-qualified or relative to the /usr/libexec/sudo directory,
2113 followed by any configuration options the plugin requires. These options
2114 (if specified) will be passed to the plugin's initialization function.
2115 If options are present, the string must be enclosed in double quotes
2116 ("").
2117 The following group provider plugins are installed by default:
2119 group_file
2121 The group_file plugin supports an alternate group file that
2122 uses the same syntax as the /etc/group file. The path to the
2123 group file should be specified as an option to the plugin. For
2124 example, if the group file to be used is /etc/sudo-group:
2125 Defaults group_plugin="group_file.so /etc/sudo-group"
2127 system_group
2129 The system_group plugin supports group lookups via the standard
2130 C library functions getgrnam() and getgrid(). This plugin can
2131 be used in instances where the user belongs to groups not
2132 present in the user's supplemental group vector. This plugin
2133 takes no options:
2134 Defaults group_plugin=system_group.so
2136 The group provider plugin API is described in detail in sudo_plugin(5).
2138
2140 sudoers can log events using either syslog(3) or a simple log file. The
2141 log format is almost identical in both cases.
2142 Accepted command log entries
2144 Commands that sudo runs are logged using the following format (split into
2145 multiple lines for readability):
2146 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
2148 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2149 ENV=env_vars COMMAND=command
2150 Where the fields are as follows:
2152 date The date the command was run. Typically, this is in the
2154 format “MMM, DD, HH:MM:SS”. If logging via syslog(3), the
2155 actual date format is controlled by the syslog daemon. If
2156 logging to a file and the log_year option is enabled, the
2157 date will also include the year.
2158 hostname The name of the host sudo was run on. This field is only
2160 present when logging via syslog(3).
2161 progname The name of the program, usually sudo or sudoedit. This
2163 field is only present when logging via syslog(3).
2164 username The login name of the user who ran sudo.
2166 ttyname The short name of the terminal (e.g. “console”, “tty01”, or
2168 “pts/0”) sudo was run on, or “unknown” if there was no ter‐
2169 minal present.
2170 cwd The current working directory that sudo was run in.
2172 runasuser The user the command was run as.
2174 runasgroup The group the command was run as if one was specified on
2176 the command line.
2177 logid An I/O log identifier that can be used to replay the com‐
2179 mand's output. This is only present when the log_input or
2180 log_output option is enabled.
2181 env_vars A list of environment variables specified on the command
2183 line, if specified.
2184 command The actual command that was executed.
2186 Messages are logged using the locale specified by sudoers_locale, which
2188 defaults to the “C” locale.
2189 Denied command log entries
2191 If the user is not allowed to run the command, the reason for the denial
2192 will follow the user name. Possible reasons include:
2193 user NOT in sudoers
2195 The user is not listed in the sudoers file.
2196 user NOT authorized on host
2198 The user is listed in the sudoers file but is not allowed to run com‐
2199 mands on the host.
2200 command not allowed
2202 The user is listed in the sudoers file for the host but they are not
2203 allowed to run the specified command.
2204 3 incorrect password attempts
2206 The user failed to enter their password after 3 tries. The actual num‐
2207 ber of tries will vary based on the number of failed attempts and the
2208 value of the passwd_tries option.
2209 a password is required
2211 sudo's -n option was specified but a password was required.
2212 sorry, you are not allowed to set the following environment variables
2214 The user specified environment variables on the command line that were
2215 not allowed by sudoers.
2216 Error log entries
2218 If an error occurs, sudoers will log a message and, in most cases, send a
2219 message to the administrator via email. Possible errors include:
2220 parse error in /etc/sudoers near line N
2222 sudoers encountered an error when parsing the specified file. In some
2223 cases, the actual error may be one line above or below the line number
2224 listed, depending on the type of error.
2225 problem with defaults entries
2227 The sudoers file contains one or more unknown Defaults settings. This
2228 does not prevent sudo from running, but the sudoers file should be
2229 checked using visudo.
2230 timestamp owner (username): No such user
2232 The time stamp directory owner, as specified by the timestampowner set‐
2233 ting, could not be found in the password database.
2234 unable to open/read /etc/sudoers
2236 The sudoers file could not be opened for reading. This can happen when
2237 the sudoers file is located on a remote file system that maps user ID 0
2238 to a different value. Normally, sudoers tries to open the sudoers file
2239 using group permissions to avoid this problem. Consider either chang‐
2240 ing the ownership of /etc/sudoers or adding an argument like
2241 “sudoers_uid=N” (where ‘N’ is the user ID that owns the sudoers file)
2242 to the end of the sudoers Plugin line in the sudo.conf(5) file.
2243 unable to stat /etc/sudoers
2245 The /etc/sudoers file is missing.
2246 /etc/sudoers is not a regular file
2248 The /etc/sudoers file exists but is not a regular file or symbolic
2249 link.
2250 /etc/sudoers is owned by uid N, should be 0
2252 The sudoers file has the wrong owner. If you wish to change the
2253 sudoers file owner, please add “sudoers_uid=N” (where ‘N’ is the user
2254 ID that owns the sudoers file) to the sudoers Plugin line in the
2255 sudo.conf(5) file.
2256 /etc/sudoers is world writable
2258 The permissions on the sudoers file allow all users to write to it.
2259 The sudoers file must not be world-writable, the default file mode is
2260 0440 (readable by owner and group, writable by none). The default mode
2261 may be changed via the “sudoers_mode” option to the sudoers Plugin line
2262 in the sudo.conf(5) file.
2263 /etc/sudoers is owned by gid N, should be 1
2265 The sudoers file has the wrong group ownership. If you wish to change
2266 the sudoers file group ownership, please add “sudoers_gid=N” (where ‘N’
2267 is the group ID that owns the sudoers file) to the sudoers Plugin line
2268 in the sudo.conf(5) file.
2269 unable to open /run/sudo/ts/username
2271 sudoers was unable to read or create the user's time stamp file. This
2272 can happen when timestampowner is set to a user other than root and the
2273 mode on /run/sudo is not searchable by group or other. The default
2274 mode for /run/sudo is 0711.
2275 unable to write to /run/sudo/ts/username
2277 sudoers was unable to write to the user's time stamp file.
2278 /run/sudo/ts is owned by uid X, should be Y
2280 The time stamp directory is owned by a user other than timestampowner.
2281 This can occur when the value of timestampowner has been changed.
2282 sudoers will ignore the time stamp directory until the owner is cor‐
2283 rected.
2284 /run/sudo/ts is group writable
2286 The time stamp directory is group-writable; it should be writable only
2287 by timestampowner. The default mode for the time stamp directory is
2288 0700. sudoers will ignore the time stamp directory until the mode is
2289 corrected.
2290 Notes on logging via syslog
2292 By default, sudoers logs messages via syslog(3). The date, hostname, and
2293 progname fields are added by the system's syslog() function, not sudoers
2294 itself. As such, they may vary in format on different systems.
2295 The maximum size of syslog messages varies from system to system. The
2297 syslog_maxlen setting can be used to change the maximum syslog message
2298 size from the default value of 980 bytes. For more information, see the
2299 description of syslog_maxlen.
2300 Notes on logging to a file
2302 If the logfile option is set, sudoers will log to a local file, such as
2303 /var/log/sudo. When logging to a file, sudoers uses a format similar to
2304 syslog(3), with a few important differences:
2305 1. The progname and hostname fields are not present.
2307 2. If the log_year option is enabled, the date will also include the
2309 year.
2310 3. Lines that are longer than loglinelen characters (80 by default) are
2312 word-wrapped and continued on the next line with a four character
2313 indent. This makes entries easier to read for a human being, but
2314 makes it more difficult to use grep(1) on the log files. If the
2315 loglinelen option is set to 0 (or negated with a ‘!’), word wrap
2316 will be disabled.
2317
2319 When I/O logging is enabled, sudo will run the command in a pseudo-tty
2320 and log all user input and/or output, depending on which options are
2321 enabled. I/O is logged to the directory specified by the iolog_dir
2322 option (/var/log/sudo-io by default) using a unique session ID that is
2323 included in the sudo log line, prefixed with “TSID=”. The iolog_file
2324 option may be used to control the format of the session ID.
2325 Each I/O log is stored in a separate directory that contains the follow‐
2327 ing files:
2328 log a text file containing the time the command was run, the name
2330 of the user who ran sudo, the name of the target user, the name
2331 of the target group (optional), the terminal that sudo was run
2332 from, the number of rows and columns of the terminal, the work‐
2333 ing directory the command was run from and the path name of the
2334 command itself (with arguments if present)
2335 timing a log of the amount of time between, and the number of bytes
2337 in, each I/O log entry (used for session playback)
2338 ttyin input from the user's tty (what the user types)
2340 stdin input from a pipe or file
2342 ttyout output from the pseudo-tty (what the command writes to the
2344 screen)
2345 stdout standard output to a pipe or redirected to a file
2347 stderr standard error to a pipe or redirected to a file
2349 All files other than log are compressed in gzip format unless the
2351 compress_io flag has been disabled. Due to buffering, it is not normally
2352 possible to display the I/O logs in real-time as the program is executing
2353 The I/O log data will not be complete until the program run by sudo has
2354 exited or has been terminated by a signal. The iolog_flush flag can be
2355 used to disable buffering, in which case I/O log data is written to disk
2356 as soon as it is available. The output portion of an I/O log file can be
2357 viewed with the sudoreplay(8) utility, which can also be used to list or
2358 search the available logs.
2359 Note that user input may contain sensitive information such as passwords
2361 (even if they are not echoed to the screen), which will be stored in the
2362 log file unencrypted. In most cases, logging the command output via
2363 log_output or LOG_OUTPUT is all that is required.
2364 Since each session's I/O logs are stored in a separate directory, tradi‐
2366 tional log rotation utilities cannot be used to limit the number of I/O
2367 logs. The simplest way to limit the number of I/O is by setting the
2368 maxseq option to the maximum number of logs you wish to store. Once the
2369 I/O log sequence number reaches maxseq, it will be reset to zero and
2370 sudoers will truncate and re-use any existing I/O logs.
2371
2373 /etc/sudo.conf Sudo front end configuration
2374 /etc/sudoers List of who can run what
2376 /etc/group Local groups file
2378 /etc/netgroup List of network groups
2380 /var/log/sudo-io I/O log files
2382 /run/sudo/ts Directory containing time stamps for the
2384 sudoers security policy
2385 /var/db/sudo/lectured Directory containing lecture status files for
2387 the sudoers security policy
2388 /etc/environment Initial environment for -i mode on AIX and
2390 Linux systems
2391
2393 Below are example sudoers file entries. Admittedly, some of these are a
2394 bit contrived. First, we allow a few environment variables to pass and
2395 then define our aliases:
2396 # Run X applications through sudo; HOME is used to find the
2398 # .Xauthority file. Note that other programs use HOME to find
2399 # configuration files and this may lead to privilege escalation!
2400 Defaults env_keep += "DISPLAY HOME"
2401 # User alias specification
2403 User_Alias FULLTIMERS = millert, mikef, dowdy
2404 User_Alias PARTTIMERS = bostley, jwfox, crawl
2405 User_Alias WEBMASTERS = will, wendy, wim
2406 # Runas alias specification
2408 Runas_Alias OP = root, operator
2409 Runas_Alias DB = oracle, sybase
2410 Runas_Alias ADMINGRP = adm, oper
2411 # Host alias specification
2413 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
2414 SGI = grolsch, dandelion, black :\
2415 ALPHA = widget, thalamus, foobar :\
2416 HPPA = boa, nag, python
2417 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
2418 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
2419 Host_Alias SERVERS = master, mail, www, ns
2420 Host_Alias CDROM = orion, perseus, hercules
2421 # Cmnd alias specification
2423 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
2424 /usr/sbin/restore, /usr/sbin/rrestore,\
2425 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
2426 /home/operator/bin/start_backups
2427 Cmnd_Alias KILL = /usr/bin/kill
2428 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
2429 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
2430 Cmnd_Alias HALT = /usr/sbin/halt
2431 Cmnd_Alias REBOOT = /usr/sbin/reboot
2432 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
2433 /usr/local/bin/tcsh, /usr/bin/rsh,\
2434 /usr/local/bin/zsh
2435 Cmnd_Alias SU = /usr/bin/su
2436 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
2437 Here we override some of the compiled in default values. We want sudo to
2439 log via syslog(3) using the auth facility in all cases. We don't want to
2440 subject the full time staff to the sudo lecture, user millert need not
2441 give a password, and we don't want to reset the LOGNAME, USER or USERNAME
2442 environment variables when running commands as root. Additionally, on
2443 the machines in the SERVERS Host_Alias, we keep an additional local log
2444 file and make sure we log the year in each log line since the log entries
2445 will be kept around for several years. Lastly, we disable shell escapes
2446 for the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
2447 /usr/bin/less). Note that this will not effectively constrain users with
2448 sudo ALL privileges.
2449 # Override built-in defaults
2451 Defaults syslog=auth
2452 Defaults>root !set_logname
2453 Defaults:FULLTIMERS !lecture
2454 Defaults:millert !authenticate
2455 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
2456 Defaults!PAGERS noexec
2457 The User specification is the part that actually determines who may run
2459 what.
2460 root ALL = (ALL) ALL
2462 %wheel ALL = (ALL) ALL
2463 We let root and any user in group wheel run any command on any host as
2465 any user.
2466 FULLTIMERS ALL = NOPASSWD: ALL
2468 Full time sysadmins (millert, mikef, and dowdy) may run any command on
2470 any host without authenticating themselves.
2471 PARTTIMERS ALL = ALL
2473 Part time sysadmins bostley, jwfox, and crawl) may run any command on any
2475 host but they must authenticate themselves first (since the entry lacks
2476 the NOPASSWD tag).
2477 jack CSNETS = ALL
2479 The user jack may run any command on the machines in the CSNETS alias
2481 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
2482 networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
2483 indicating it is a class C network. For the other networks in CSNETS,
2484 the local machine's netmask will be used during matching.
2485 lisa CUNETS = ALL
2487 The user lisa may run any command on any host in the CUNETS alias (the
2489 class B network 128.138.0.0).
2490 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
2492 sudoedit /etc/printcap, /usr/oper/bin/
2493 The operator user may run commands limited to simple maintenance. Here,
2495 those are commands related to backups, killing processes, the printing
2496 system, shutting down the system, and any commands in the directory
2497 /usr/oper/bin/. Note that one command in the DUMPS Cmnd_Alias includes a
2498 sha224 digest, /home/operator/bin/start_backups. This is because the
2499 directory containing the script is writable by the operator user. If the
2500 script is modified (resulting in a digest mismatch) it will no longer be
2501 possible to run it via sudo.
2502 joe ALL = /usr/bin/su operator
2504 The user joe may only su(1) to operator.
2506 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
2508 %opers ALL = (: ADMINGRP) /usr/sbin/
2510 Users in the opers group may run commands in /usr/sbin/ as themselves
2512 with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
2513 The user pete is allowed to change anyone's password except for root on
2515 the HPPA machines. Because command line arguments are matched as a sin‐
2516 gle, concatenated string, the ‘*’ wildcard will match multiple words.
2517 This example assumes that passwd(1) does not take multiple user names on
2518 the command line. Note that on GNU systems, options to passwd(1) may be
2519 specified after the user argument. As a result, this rule will also
2520 allow:
2521 passwd username --expire
2523 which may not be desirable.
2525 bob SPARC = (OP) ALL : SGI = (OP) ALL
2527 The user bob may run anything on the SPARC and SGI machines as any user
2529 listed in the OP Runas_Alias (root and operator.)
2530 jim +biglab = ALL
2532 The user jim may run any command on machines in the biglab netgroup.
2534 sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
2535 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
2537 Users in the secretaries netgroup need to help manage the printers as
2539 well as add and remove users, so they are allowed to run those commands
2540 on all machines.
2541 fred ALL = (DB) NOPASSWD: ALL
2543 The user fred can run commands as any user in the DB Runas_Alias (oracle
2545 or sybase) without giving a password.
2546 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
2548 On the ALPHA machines, user john may su to anyone except root but he is
2550 not allowed to specify any options to the su(1) command.
2551 jen ALL, !SERVERS = ALL
2553 The user jen may run any command on any machine except for those in the
2555 SERVERS Host_Alias (master, mail, www and ns).
2556 jill SERVERS = /usr/bin/, !SU, !SHELLS
2558 For any machine in the SERVERS Host_Alias, jill may run any commands in
2560 the directory /usr/bin/ except for those commands belonging to the SU and
2561 SHELLS Cmnd_Aliases. While not specifically mentioned in the rule, the
2562 commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
2563 noexec option set.
2564 steve CSNETS = (operator) /usr/local/op_commands/
2566 The user steve may run any command in the directory /usr/local/op_com‐
2568 mands/ but only as user operator.
2569 matt valkyrie = KILL
2571 On his personal workstation, valkyrie, matt needs to be able to kill hung
2573 processes.
2574 WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
2576 On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
2578 wim), may run any command as user www (which owns the web pages) or sim‐
2579 ply su(1) to www.
2580 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
2582 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
2583 Any user may mount or unmount a CD-ROM on the machines in the CDROM
2585 Host_Alias (orion, perseus, hercules) without entering a password. This
2586 is a bit tedious for users to type, so it is a prime candidate for encap‐
2587 sulating in a shell script.
2588
2590 Limitations of the ‘!’ operator
2591 It is generally not effective to “subtract” commands from ALL using the
2592 ‘!’ operator. A user can trivially circumvent this by copying the
2593 desired command to a different name and then executing that. For exam‐
2594 ple:
2595 bill ALL = ALL, !SU, !SHELLS
2597 Doesn't really prevent bill from running the commands listed in SU or
2599 SHELLS since he can simply copy those commands to a different name, or
2600 use a shell escape from an editor or other program. Therefore, these
2601 kind of restrictions should be considered advisory at best (and rein‐
2602 forced by policy).
2603 In general, if a user has sudo ALL there is nothing to prevent them from
2605 creating their own program that gives them a root shell (or making their
2606 own copy of a shell) regardless of any ‘!’ elements in the user specifi‐
2607 cation.
2608 Security implications of fast_glob
2610 If the fast_glob option is in use, it is not possible to reliably negate
2611 commands where the path name includes globbing (aka wildcard) characters.
2612 This is because the C library's fnmatch(3) function cannot resolve rela‐
2613 tive paths. While this is typically only an inconvenience for rules that
2614 grant privileges, it can result in a security issue for rules that sub‐
2615 tract or revoke privileges.
2616 For example, given the following sudoers file entry:
2618 john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
2620 /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
2621 User john can still run /usr/bin/passwd root if fast_glob is enabled by
2623 changing to /usr/bin and running ./passwd root instead.
2624 Preventing shell escapes
2626 Once sudo executes a program, that program is free to do whatever it
2627 pleases, including run other programs. This can be a security issue
2628 since it is not uncommon for a program to allow shell escapes, which lets
2629 a user bypass sudo's access control and logging. Common programs that
2630 permit shell escapes include shells (obviously), editors, paginators,
2631 mail and terminal programs.
2632 There are two basic approaches to this problem:
2634 restrict Avoid giving users access to commands that allow the user to
2636 run arbitrary commands. Many editors have a restricted mode
2637 where shell escapes are disabled, though sudoedit is a better
2638 solution to running editors via sudo. Due to the large number
2639 of programs that offer shell escapes, restricting users to the
2640 set of programs that do not is often unworkable.
2641 noexec Many systems that support shared libraries have the ability to
2643 override default library functions by pointing an environment
2644 variable (usually LD_PRELOAD) to an alternate shared library.
2645 On such systems, sudo's noexec functionality can be used to
2646 prevent a program run by sudo from executing any other pro‐
2647 grams. Note, however, that this applies only to native dynami‐
2648 cally-linked executables. Statically-linked executables and
2649 foreign executables running under binary emulation are not
2650 affected.
2651 The noexec feature is known to work on SunOS, Solaris, *BSD,
2653 Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and
2654 above. It should be supported on most operating systems that
2655 support the LD_PRELOAD environment variable. Check your oper‐
2656 ating system's manual pages for the dynamic linker (usually
2657 ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
2658 LD_PRELOAD is supported.
2659 To enable noexec for a command, use the NOEXEC tag as docu‐
2661 mented in the User Specification section above. Here is that
2662 example again:
2663 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
2665 This allows user aaron to run /usr/bin/more and /usr/bin/vi
2667 with noexec enabled. This will prevent those two commands from
2668 executing other commands (such as a shell). If you are unsure
2669 whether or not your system is capable of supporting noexec you
2670 can always just try it out and check whether shell escapes work
2671 when noexec is enabled.
2672 Note that restricting shell escapes is not a panacea. Programs running
2674 as root are still capable of many potentially hazardous operations (such
2675 as changing or overwriting files) that could lead to unintended privilege
2676 escalation. In the specific case of an editor, a safer approach is to
2677 give the user permission to run sudoedit (see below).
2678 Secure editing
2680 The sudoers plugin includes sudoedit support which allows users to
2681 securely edit files with the editor of their choice. As sudoedit is a
2682 built-in command, it must be specified in the sudoers file without a
2683 leading path. However, it may take command line arguments just as a nor‐
2684 mal command does. Wildcards used in sudoedit command line arguments are
2685 expected to be path names, so a forward slash (‘/’) will not be matched
2686 by a wildcard.
2687 Unlike other sudo commands, the editor is run with the permissions of the
2689 invoking user and with the environment unmodified. More information may
2690 be found in the description of the -e option in sudo(8).
2691 For example, to allow user operator to edit the “message of the day”
2693 file:
2694 operator sudoedit /etc/motd
2696 The operator user then runs sudoedit as follows:
2698 $ sudoedit /etc/motd
2700 The editor will run as the operator user, not root, on a temporary copy
2702 of /etc/motd. After the file has been edited, /etc/motd will be updated
2703 with the contents of the temporary copy.
2704 Users should never be granted sudoedit permission to edit a file that
2706 resides in a directory the user has write access to, either directly or
2707 via a wildcard. If the user has write access to the directory it is pos‐
2708 sible to replace the legitimate file with a link to another file, allow‐
2709 ing the editing of arbitrary files. To prevent this, starting with ver‐
2710 sion 1.8.16, symbolic links will not be followed in writable directories
2711 and sudoedit will refuse to edit a file located in a writable directory
2712 unless the sudoedit_checkdir option has been disabled or the invoking
2713 user is root. Additionally, in version 1.8.15 and higher, sudoedit will
2714 refuse to open a symbolic link unless either the sudoedit_follow option
2715 is enabled or the sudoedit command is prefixed with the FOLLOW tag in the
2716 sudoers file.
2717 Time stamp file checks
2719 sudoers will check the ownership of its time stamp directory
2720 (/run/sudo/ts by default) and ignore the directory's contents if it is
2721 not owned by root or if it is writable by a user other than root. Older
2722 versions of sudo stored time stamp files in /tmp; this is no longer rec‐
2723 ommended as it may be possible for a user to create the time stamp them‐
2724 selves on systems that allow unprivileged users to change the ownership
2725 of files they create.
2726 While the time stamp directory should be cleared at reboot time, not all
2728 systems contain a /run or /var/run directory. To avoid potential prob‐
2729 lems, sudoers will ignore time stamp files that date from before the
2730 machine booted on systems where the boot time is available.
2731 Some systems with graphical desktop environments allow unprivileged users
2733 to change the system clock. Since sudoers relies on the system clock for
2734 time stamp validation, it may be possible on such systems for a user to
2735 run sudo for longer than timestamp_timeout by setting the clock back. To
2736 combat this, sudoers uses a monotonic clock (which never moves backwards)
2737 for its time stamps if the system supports it.
2738 sudoers will not honor time stamps set far in the future. Time stamps
2740 with a date greater than current_time + 2 * TIMEOUT will be ignored and
2741 sudoers will log and complain.
2742 If the timestamp_type option is set to “tty”, the time stamp record
2744 includes the device number of the terminal the user authenticated with.
2745 This provides per-terminal granularity but time stamp records may still
2746 outlive the user's session.
2747 Unless the timestamp_type option is set to “global”, the time stamp
2749 record also includes the session ID of the process that last authenti‐
2750 cated. This prevents processes in different terminal sessions from using
2751 the same time stamp record. On systems where a process's start time can
2752 be queried, the start time of the session leader is recorded in the time
2753 stamp record. If no terminal is present or the timestamp_type option is
2754 set to “ppid”, the start time of the parent process is used instead. In
2755 most cases this will prevent a time stamp record from being re-used with‐
2756 out the user entering a password when logging out and back in again.
2757
2759 Versions 1.8.4 and higher of the sudoers plugin support a flexible debug‐
2760 ging framework that can help track down what the plugin is doing inter‐
2761 nally if there is a problem. This can be configured in the sudo.conf(5)
2762 file.
2763 The sudoers plugin uses the same debug flag format as the sudo front-end:
2765 subsystem@priority.
2766 The priorities used by sudoers, in order of decreasing severity, are:
2768 crit, err, warn, notice, diag, info, trace and debug. Each priority,
2769 when specified, also includes all priorities higher than it. For exam‐
2770 ple, a priority of notice would include debug messages logged at notice
2771 and higher.
2772 The following subsystems are used by the sudoers plugin:
2774 alias User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
2776 all matches every subsystem
2778 audit BSM and Linux audit code
2780 auth user authentication
2782 defaults sudoers file Defaults settings
2784 env environment handling
2786 ldap LDAP-based sudoers
2788 logging logging support
2790 match matching of users, groups, hosts and netgroups in the sudoers
2792 file
2793 netif network interface handling
2795 nss network service switch handling in sudoers
2797 parser sudoers file parsing
2799 perms permission setting
2801 plugin The equivalent of main for the plugin.
2803 pty pseudo-tty related code
2805 rbtree redblack tree internals
2807 sssd SSSD-based sudoers
2809 util utility functions
2811 For example:
2812 Debug sudo /var/log/sudo_debug match@info,nss@info
2814 For more information, see the sudo.conf(5) manual.
2816
2818 ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(5),
2819 sudoers.ldap(5), sudo(8), sudo_plugin(5), sudoers_timestamp(5), visudo(8)
2820
2822 Many people have worked on sudo over the years; this version consists of
2823 code written primarily by:
2824 Todd C. Miller
2826 See the CONTRIBUTORS file in the sudo distribution
2828 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
2829 who have contributed to sudo.
2830
2832 The sudoers file should always be edited by the visudo command which
2833 locks the file and does grammatical checking. It is imperative that the
2834 sudoers file be free of syntax errors since sudo will not run with a syn‐
2835 tactically incorrect sudoers file.
2836 When using netgroups of machines (as opposed to users), if you store
2838 fully qualified host name in the netgroup (as is usually the case), you
2839 either need to have the machine's host name be fully qualified as
2840 returned by the hostname command or use the fqdn option in sudoers.
2841
2843 If you feel you have found a bug in sudo, please submit a bug report at
2844 https://bugzilla.sudo.ws/
2845
2847 Limited free support is available via the sudo-users mailing list, see
2848 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
2849 the archives.
2850
2852 sudo is provided “AS IS” and any express or implied warranties, includ‐
2853 ing, but not limited to, the implied warranties of merchantability and
2854 fitness for a particular purpose are disclaimed. See the LICENSE file
2855 distributed with sudo or https://www.sudo.ws/license.html for complete
2856 details.
2857Sudo 1.8.23 April 18, 2018 Sudo 1.8.23