1SUDOERS(5) BSD File Formats Manual SUDOERS(5)
2
4 sudoers — default sudo security policy plugin
5
7 The sudoers policy plugin determines a user's sudo privileges. It is the
8 default sudo policy plugin. The policy is driven by the /etc/sudoers
9 file or, optionally in LDAP. The policy format is described in detail in
10 the SUDOERS FILE FORMAT section. For information on storing sudoers pol‐
11 icy information in LDAP, please see sudoers.ldap(5).
12 Configuring sudo.conf for sudoers
14 sudo consults the sudo.conf(5) file to determine which policy and I/O
15 logging plugins to load. If no sudo.conf(5) file is present, or if it
16 contains no Plugin lines, sudoers will be used for policy decisions and
17 I/O logging. To explicitly configure sudo.conf(5) to use the sudoers
18 plugin, the following configuration can be used.
19 Plugin sudoers_policy sudoers.so
21 Plugin sudoers_io sudoers.so
22 Starting with sudo 1.8.5, it is possible to specify optional arguments to
24 the sudoers plugin in the sudo.conf(5) file. These arguments, if
25 present, should be listed after the path to the plugin (i.e., after
26 sudoers.so). Multiple arguments may be specified, separated by white
27 space. For example:
28 Plugin sudoers_policy sudoers.so sudoers_mode=0400
30 The following plugin arguments are supported:
32 ldap_conf=pathname
34 The ldap_conf argument can be used to override the default path
35 to the ldap.conf file.
36 ldap_secret=pathname
38 The ldap_secret argument can be used to override the default
39 path to the ldap.secret file.
40 sudoers_file=pathname
42 The sudoers_file argument can be used to override the default
43 path to the sudoers file.
44 sudoers_uid=uid
46 The sudoers_uid argument can be used to override the default
47 owner of the sudoers file. It should be specified as a numeric
48 user-ID.
49 sudoers_gid=gid
51 The sudoers_gid argument can be used to override the default
52 group of the sudoers file. It must be specified as a numeric
53 group-ID (not a group name).
54 sudoers_mode=mode
56 The sudoers_mode argument can be used to override the default
57 file mode for the sudoers file. It should be specified as an
58 octal value.
59 For more information on configuring sudo.conf(5), please refer to its
61 manual.
62 User Authentication
64 The sudoers security policy requires that most users authenticate them‐
65 selves before they can use sudo. A password is not required if the
66 invoking user is root, if the target user is the same as the invoking
67 user, or if the policy has disabled authentication for the user or com‐
68 mand. Unlike su(1), when sudoers requires authentication, it validates
69 the invoking user's credentials, not the target user's (or root's) cre‐
70 dentials. This can be changed via the rootpw, targetpw and runaspw
71 flags, described later.
72 If a user who is not listed in the policy tries to run a command via
74 sudo, mail is sent to the proper authorities. The address used for such
75 mail is configurable via the mailto Defaults entry (described later) and
76 defaults to root.
77 Note that no mail will be sent if an unauthorized user tries to run sudo
79 with the -l or -v option unless there is an authentication error and
80 either the mail_always or mail_badpass flags are enabled. This allows
81 users to determine for themselves whether or not they are allowed to use
82 sudo. By default, all attempts to run sudo (successful or not) are
83 logged, regardless of whether or not mail is sent.
84 If sudo is run by root and the SUDO_USER environment variable is set, the
86 sudoers policy will use this value to determine who the actual user is.
87 This can be used by a user to log commands through sudo even when a root
88 shell has been invoked. It also allows the -e option to remain useful
89 even when invoked via a sudo-run script or program. Note, however, that
90 the sudoers file lookup is still done for root, not the user specified by
91 SUDO_USER.
92 sudoers uses per-user time stamp files for credential caching. Once a
94 user has been authenticated, a record is written containing the user-ID
95 that was used to authenticate, the terminal session ID, the start time of
96 the session leader (or parent process) and a time stamp (using a mono‐
97 tonic clock if one is available). The user may then use sudo without a
98 password for a short period of time (5 minutes unless overridden by the
99 timestamp_timeout option). By default, sudoers uses a separate record
100 for each terminal, which means that a user's login sessions are authenti‐
101 cated separately. The timestamp_type option can be used to select the
102 type of time stamp record sudoers will use.
103 Logging
105 By default, sudoers logs both successful and unsuccessful attempts (as
106 well as errors). The log_allowed and log_denied flags can be used to
107 control this behavior. Messages can be logged to syslog(3), a log file,
108 or both. The default is to log to syslog(3) but this is configurable via
109 the syslog and logfile settings. See LOG FORMAT for a description of the
110 log file format.
111 sudoers is also capable of running a command in a pseudo-terminal and
113 logging all input and/or output. The standard input, standard output and
114 standard error can be logged even when not associated with a terminal.
115 I/O logging is not on by default but can be enabled using the log_input
116 and log_output options as well as the LOG_INPUT and LOG_OUTPUT command
117 tags. See I/O LOG FILES for details on how I/O log files are stored.
118 Command environment
120 Since environment variables can influence program behavior, sudoers pro‐
121 vides a means to restrict which variables from the user's environment are
122 inherited by the command to be run. There are two distinct ways sudoers
123 can deal with environment variables.
124 By default, the env_reset flag is enabled. This causes commands to be
126 executed with a new, minimal environment. On AIX (and Linux systems
127 without PAM), the environment is initialized with the contents of the
128 /etc/environment file. The HOME, MAIL, SHELL, LOGNAME and USER environ‐
129 ment variables are initialized based on the target user and the SUDO_*
130 variables are set based on the invoking user. Additional variables, such
131 as DISPLAY, PATH and TERM, are preserved from the invoking user's envi‐
132 ronment if permitted by the env_check or env_keep options. This is
133 effectively a whitelist for environment variables. A few environment
134 variables are treated specially. If the PATH and TERM variables are not
135 preserved from the user's environment, they will be set to default val‐
136 ues. The LOGNAME and USER are handled as a single entity. If one of
137 them is preserved (or removed) from the user's environment, the other
138 will be as well. If LOGNAME and USER are to be preserved but only one of
139 them is present in the user's environment, the other will be set to the
140 same value. This avoids an inconsistent environment where one of the
141 variables describing the user name is set to the invoking user and one is
142 set to the target user. Environment variables with a value beginning
143 with () are removed unless both the name and value parts are matched by
144 env_keep or env_check, as they may be interpreted as functions by the
145 bash shell. Prior to version 1.8.11, such variables were always removed.
146 If, however, the env_reset flag is disabled, any variables not explicitly
148 denied by the env_check and env_delete options are inherited from the
149 invoking process. In this case, env_check and env_delete behave like a
150 blacklist. Prior to version 1.8.21, environment variables with a value
151 beginning with () were always removed. Beginning with version 1.8.21, a
152 pattern in env_delete is used to match bash shell functions instead.
153 Since it is not possible to blacklist all potentially dangerous environ‐
154 ment variables, use of the default env_reset behavior is encouraged.
155 Environment variables specified by env_check, env_delete, or env_keep may
157 include one or more ‘*’ characters which will match zero or more charac‐
158 ters. No other wildcard characters are supported.
159 By default, environment variables are matched by name. However, if the
161 pattern includes an equal sign (‘=’), both the variables name and value
162 must match. For example, a bash shell function could be matched as fol‐
163 lows:
164 env_keep += "BASH_FUNC_my_func%%=()*"
166 Without the “=()*” suffix, this would not match, as bash shell functions
168 are not preserved by default.
169 The complete list of environment variables that are preserved or removed,
171 as modified by global Defaults parameters in sudoers, is displayed when
172 sudo is run by root with the -V option. Please note that the list of
173 environment variables to remove varies based on the operating system sudo
174 is running on.
175 Other sudoers options may influence the command environment, such as
177 always_set_home, secure_path, set_logname, and set_home.
178 On systems that support PAM where the pam_env module is enabled for sudo,
180 variables in the PAM environment may be merged in to the environment. If
181 a variable in the PAM environment is already present in the user's envi‐
182 ronment, the value will only be overridden if the variable was not pre‐
183 served by sudoers. When env_reset is enabled, variables preserved from
184 the invoking user's environment by the env_keep list take precedence over
185 those in the PAM environment. When env_reset is disabled, variables
186 present the invoking user's environment take precedence over those in the
187 PAM environment unless they match a pattern in the env_delete list.
188 Note that the dynamic linker on most operating systems will remove vari‐
190 ables that can control dynamic linking from the environment of set-user-
191 ID executables, including sudo. Depending on the operating system this
192 may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
193 These type of variables are removed from the environment before sudo even
194 begins execution and, as such, it is not possible for sudo to preserve
195 them.
196 As a special case, if the -i option (initial login) is specified, sudoers
198 will initialize the environment regardless of the value of env_reset.
199 The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL,
200 USER, and LOGNAME are set based on the target user. On AIX (and Linux
201 systems without PAM), the contents of /etc/environment are also included.
202 All other environment variables are removed unless permitted by env_keep
203 or env_check, described above.
204 Finally, the restricted_env_file and env_file files are applied, if
206 present. The variables in restricted_env_file are applied first and are
207 subject to the same restrictions as the invoking user's environment, as
208 detailed above. The variables in env_file are applied last and are not
209 subject to these restrictions. In both cases, variables present in the
210 files will only be set to their specified values if they would not con‐
211 flict with an existing environment variable.
212
214 The sudoers file is composed of two types of entries: aliases (basically
215 variables) and user specifications (which specify who may run what).
216 When multiple entries match for a user, they are applied in order. Where
218 there are multiple matches, the last match is used (which is not neces‐
219 sarily the most specific match).
220 The sudoers file grammar will be described below in Extended Backus-Naur
222 Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
223 simple, and the definitions below are annotated.
224 Quick guide to EBNF
226 EBNF is a concise and exact way of describing the grammar of a language.
227 Each EBNF definition is made up of production rules. E.g.,
228 symbol ::= definition | alternate1 | alternate2 ...
230 Each production rule references others and thus makes up a grammar for
232 the language. EBNF also contains the following operators, which many
233 readers will recognize from regular expressions. Do not, however, con‐
234 fuse them with “wildcard” characters, which have different meanings.
235 ? Means that the preceding symbol (or group of symbols) is optional.
237 That is, it may appear once or not at all.
238 * Means that the preceding symbol (or group of symbols) may appear
240 zero or more times.
241 + Means that the preceding symbol (or group of symbols) may appear
243 one or more times.
244 Parentheses may be used to group symbols together. For clarity, we will
246 use single quotes ('') to designate what is a verbatim character string
247 (as opposed to a symbol name).
248 Aliases
250 There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
251 Cmnd_Alias.
252 Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
254 'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
255 'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
256 'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*
257 User_Alias ::= NAME
259 User_Alias_Spec ::= User_Alias '=' User_List
261 Runas_Alias ::= NAME
263 Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
265 Host_Alias ::= NAME
267 Host_Alias_Spec ::= Host_Alias '=' Host_List
269 Cmnd_Alias ::= NAME
271 Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
273 NAME ::= [A-Z]([A-Z][0-9]_)*
275 Each alias definition is of the form
277 Alias_Type NAME = item1, item2, ...
279 where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
281 Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and under‐
282 score characters (‘_’). A NAME must start with an uppercase letter. It
283 is possible to put several alias definitions of the same type on a single
284 line, joined by a colon (‘:’). E.g.,
285 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
287 It is a syntax error to redefine an existing alias. It is possible to
289 use the same name for aliases of different types, but this is not recom‐
290 mended.
291 The definitions of what constitutes a valid alias member follow.
293 User_List ::= User |
295 User ',' User_List
296 User ::= '!'* user name |
298 '!'* #uid |
299 '!'* %group |
300 '!'* %#gid |
301 '!'* +netgroup |
302 '!'* %:nonunix_group |
303 '!'* %:#nonunix_gid |
304 '!'* User_Alias
305 A User_List is made up of one or more user names, user-IDs (prefixed with
307 ‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’ respec‐
308 tively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
309 (prefixed with ‘%:’ and ‘%:#’ respectively) and User_Aliases. Each list
310 item may be prefixed with zero or more ‘!’ operators. An odd number of
311 ‘!’ operators negate the value of the item; an even number just cancel
312 each other out. User netgroups are matched using the user and domain
313 members only; the host member is not used when matching.
314 A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
316 be enclosed in double quotes to avoid the need for escaping special char‐
317 acters. Alternately, special characters may be specified in escaped hex
318 mode, e.g., \x20 for space. When using double quotes, any prefix charac‐
319 ters must be included inside the quotes.
320 The actual nonunix_group and nonunix_gid syntax depends on the underlying
322 group provider plugin. For instance, the QAS AD plugin supports the fol‐
323 lowing formats:
324 · Group in the same domain: "%:Group Name"
326 · Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
328 · Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
330 See GROUP PROVIDER PLUGINS for more information.
332 Note that quotes around group names are optional. Unquoted strings must
334 use a backslash (‘\’) to escape spaces and special characters. See Other
335 special characters and reserved words for a list of characters that need
336 to be escaped.
337 Runas_List ::= Runas_Member |
339 Runas_Member ',' Runas_List
340 Runas_Member ::= '!'* user name |
342 '!'* #uid |
343 '!'* %group |
344 '!'* %#gid |
345 '!'* %:nonunix_group |
346 '!'* %:#nonunix_gid |
347 '!'* +netgroup |
348 '!'* Runas_Alias
349 A Runas_List is similar to a User_List except that instead of
351 User_Aliases it can contain Runas_Aliases. Note that user names and
352 groups are matched as strings. In other words, two users (groups) with
353 the same user (group) ID are considered to be distinct. If you wish to
354 match all user names with the same user-ID (e.g., root and toor), you can
355 use a user-ID instead of a name (#0 in the example given). Note that the
356 user-ID or group-ID specified in a Runas_Member need not be listed in the
357 password or group database.
358 Host_List ::= Host |
360 Host ',' Host_List
361 Host ::= '!'* host name |
363 '!'* ip_addr |
364 '!'* network(/netmask)? |
365 '!'* +netgroup |
366 '!'* Host_Alias
367 A Host_List is made up of one or more host names, IP addresses, network
369 numbers, netgroups (prefixed with ‘+’) and other aliases. Again, the
370 value of an item may be negated with the ‘!’ operator. Host netgroups
371 are matched using the host (both qualified and unqualified) and domain
372 members only; the user member is not used when matching. If you specify
373 a network number without a netmask, sudo will query each of the local
374 host's network interfaces and, if the network number corresponds to one
375 of the hosts's network interfaces, will use the netmask of that inter‐
376 face. The netmask may be specified either in standard IP address nota‐
377 tion (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
378 (number of bits, e.g., 24 or 64). A host name may include shell-style
379 wildcards (see the Wildcards section below), but unless the host name
380 command on your machine returns the fully qualified host name, you'll
381 need to use the fqdn flag for wildcards to be useful. Note that sudo
382 only inspects actual network interfaces; this means that IP address
383 127.0.0.1 (localhost) will never match. Also, the host name “localhost”
384 will only match if that is the actual host name, which is usually only
385 the case for non-networked systems.
386 digest ::= [A-Fa-f0-9]+ |
388 [A-Za-z0-9\+/=]+
389 Digest_Spec ::= "sha224" ':' digest |
391 "sha256" ':' digest |
392 "sha384" ':' digest |
393 "sha512" ':' digest
394 Cmnd_List ::= Cmnd |
396 Cmnd ',' Cmnd_List
397 command name ::= file name |
399 file name args |
400 file name '""'
401 Cmnd ::= Digest_Spec? '!'* command name |
403 '!'* directory |
404 '!'* "sudoedit" |
405 '!'* Cmnd_Alias
406 A Cmnd_List is a list of one or more command names, directories, and
408 other aliases. A command name is a fully qualified file name which may
409 include shell-style wildcards (see the Wildcards section below). A sim‐
410 ple file name allows the user to run the command with any arguments they
411 wish. However, you may also specify command line arguments (including
412 wildcards). Alternately, you can specify "" to indicate that the command
413 may only be run without command line arguments. A directory is a fully
414 qualified path name ending in a ‘/’. When you specify a directory in a
415 Cmnd_List, the user will be able to run any file within that directory
416 (but not in any sub-directories therein).
417 If a Cmnd has associated command line arguments, then the arguments in
419 the Cmnd must match exactly those given by the user on the command line
420 (or match the wildcards if there are any). Note that the following char‐
421 acters must be escaped with a ‘\’ if they are used in command arguments:
422 ‘,’, ‘:’, ‘=’, ‘\’. The built-in command “sudoedit” is used to permit a
423 user to run sudo with the -e option (or as sudoedit). It may take com‐
424 mand line arguments just as a normal command does. Note that “sudoedit”
425 is a command built into sudo itself and must be specified in the sudoers
426 file without a leading path.
427 If a command name is prefixed with a Digest_Spec, the command will only
429 match successfully if it can be verified using the specified SHA-2
430 digest. The following digest formats are supported: sha224, sha256,
431 sha384 and sha512. The string may be specified in either hex or base64
432 format (base64 is more compact). There are several utilities capable of
433 generating SHA-2 digests in hex format such as openssl, shasum,
434 sha224sum, sha256sum, sha384sum, sha512sum.
435 For example, using openssl:
437 $ openssl dgst -sha224 /bin/ls
439 SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
440 It is also possible to use openssl to generate base64 output:
442 $ openssl dgst -binary -sha224 /bin/ls | openssl base64
444 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
445 Warning, if the user has write access to the command itself (directly or
447 via a sudo command), it may be possible for the user to replace the com‐
448 mand after the digest check has been performed but before the command is
449 executed. A similar race condition exists on systems that lack the
450 fexecve(2) system call when the directory in which the command is located
451 is writable by the user. See the description of the fdexec setting for
452 more information on how sudo executes commands that have an associated
453 digest.
454 Command digests are only supported by version 1.8.7 or higher.
456 Defaults
458 Certain configuration options may be changed from their default values at
459 run-time via one or more Default_Entry lines. These may affect all users
460 on any host, all users on a specific host, a specific user, a specific
461 command, or commands being run as a specific user. Note that per-command
462 entries may not include command line arguments. If you need to specify
463 arguments, define a Cmnd_Alias and reference that instead.
464 Default_Type ::= 'Defaults' |
466 'Defaults' '@' Host_List |
467 'Defaults' ':' User_List |
468 'Defaults' '!' Cmnd_List |
469 'Defaults' '>' Runas_List
470 Default_Entry ::= Default_Type Parameter_List
472 Parameter_List ::= Parameter |
474 Parameter ',' Parameter_List
475 Parameter ::= Parameter '=' Value |
477 Parameter '+=' Value |
478 Parameter '-=' Value |
479 '!'* Parameter
480 Parameters may be flags, integer values, strings, or lists. Flags are
482 implicitly boolean and can be turned off via the ‘!’ operator. Some
483 integer, string and list parameters may also be used in a boolean context
484 to disable them. Values may be enclosed in double quotes ("") when they
485 contain multiple words. Special characters may be escaped with a back‐
486 slash (‘\’).
487 Lists have two additional assignment operators, += and -=. These opera‐
489 tors are used to add to and delete from a list respectively. It is not
490 an error to use the -= operator to remove an element that does not exist
491 in a list.
492 Defaults entries are parsed in the following order: generic, host, user
494 and runas Defaults first, then command defaults. If there are multiple
495 Defaults settings of the same type, the last matching setting is used.
496 The following Defaults settings are parsed before all others since they
497 may affect subsequent entries: fqdn, group_plugin, runas_default,
498 sudoers_locale.
499 See SUDOERS OPTIONS for a list of supported Defaults parameters.
501 User specification
503 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
504 (':' Host_List '=' Cmnd_Spec_List)*
505 Cmnd_Spec_List ::= Cmnd_Spec |
507 Cmnd_Spec ',' Cmnd_Spec_List
508 Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
510 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
512 Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
514 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
516 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
518 Timeout_Spec ::= 'TIMEOUT=timeout'
520 Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
522 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
523 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
524 'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
525 A user specification determines which commands a user may run (and as
527 what user) on specified hosts. By default, commands are run as root, but
528 this can be changed on a per-command basis.
529 The basic structure of a user specification is “who where = (as_whom)
531 what”. Let's break that down into its constituent parts:
532 Runas_Spec
534 A Runas_Spec determines the user and/or the group that a command may be
535 run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
536 defined above) separated by a colon (‘:’) and enclosed in a set of paren‐
537 theses. The first Runas_List indicates which users the command may be
538 run as via the -u option. The second defines a list of groups that can
539 be specified via the -g option in addition to any of the target user's
540 groups. If both Runas_Lists are specified, the command may be run with
541 any combination of users and groups listed in their respective
542 Runas_Lists. If only the first is specified, the command may be run as
543 any user in the list but no -g option may be specified. If the first
544 Runas_List is empty but the second is specified, the command may be run
545 as the invoking user with the group set to any listed in the Runas_List.
546 If both Runas_Lists are empty, the command may only be run as the invok‐
547 ing user. If no Runas_Spec is specified the command may be run as root
548 and no group may be specified.
549 A Runas_Spec sets the default for the commands that follow it. What this
551 means is that for the entry:
552 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
554 The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
556 boulder—but only as operator. E.g.,
557 $ sudo -u operator /bin/ls
559 It is also possible to override a Runas_Spec later on in an entry. If we
561 modify the entry like so:
562 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
564 Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
566 and /usr/bin/lprm as root.
567 We can extend this to allow dgb to run /bin/ls with either the user or
569 group set to operator:
570 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
572 /usr/bin/lprm
573 Note that while the group portion of the Runas_Spec permits the user to
575 run as command with that group, it does not force the user to do so. If
576 no group is specified on the command line, the command will run with the
577 group listed in the target user's password database entry. The following
578 would all be permitted by the sudoers entry above:
579 $ sudo -u operator /bin/ls
581 $ sudo -u operator -g operator /bin/ls
582 $ sudo -g operator /bin/ls
583 In the following example, user tcm may run commands that access a modem
585 device file with the dialer group.
586 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
588 /usr/local/bin/minicom
589 Note that in this example only the group will be set, the command still
591 runs as user tcm. E.g.
592 $ sudo -g dialer /usr/bin/cu
594 Multiple users and groups may be present in a Runas_Spec, in which case
596 the user may select any combination of users and groups via the -u and -g
597 options. In this example:
598 alan ALL = (root, bin : operator, system) ALL
600 user alan may run any command as either user root or bin, optionally set‐
602 ting the group to operator or system.
603 Option_Spec
605 A Cmnd may have zero or more options associated with it. Options may
606 consist of SELinux roles and/or types, start and/or end dates and command
607 timeouts. Once an option is set for a Cmnd, subsequent Cmnds in the
608 Cmnd_Spec_List, inherit that option unless it is overridden by another
609 option.
610 SELinux_Spec
612 On systems with SELinux support, sudoers file entries may optionally have
613 an SELinux role and/or type associated with a command. If a role or type
614 is specified with the command it will override any default values speci‐
615 fied in sudoers. A role or type specified on the command line, however,
616 will supersede the values in sudoers.
617 Date_Spec
619 sudoers rules can be specified with a start and end date via the
620 NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
621 Generalized Time as defined by RFC 4517. The format is effectively
622 yyyymmddHHMMSSZ where the minutes and seconds are optional. The ‘Z’ suf‐
623 fix indicates that the time stamp is in Coordinated Universal Time (UTC).
624 It is also possible to specify a timezone offset from UTC in hours and
625 minutes instead of a ‘Z’. For example, ‘-0500’ would correspond to East‐
626 ern Standard time in the US. As an extension, if no ‘Z’ or timezone off‐
627 set is specified, local time will be used.
628 The following are all valid time stamps:
630 20170214083000Z
632 2017021408Z
633 20160315220000-0500
634 20151201235900
635 Timeout_Spec
637 A command may have a timeout associated with it. If the timeout expires
638 before the command has exited, the command will be terminated. The time‐
639 out may be specified in combinations of days, hours, minutes and seconds
640 with a single-letter case-insensitive suffix that indicates the unit of
641 time. For example, a timeout of 7 days, 8 hours, 30 minutes and 10 sec‐
642 onds would be written as 7d8h30m10s. If a number is specified without a
643 unit, seconds are assumed. Any of the days, minutes, hours or seconds
644 may be omitted. The order must be from largest to smallest unit and a
645 unit may not be specified more than once.
646 The following are all valid timeout values: 7d8h30m10s, 14d, 8h30m, 600s,
648 3600. The following are invalid timeout values: 12m2w1d, 30s10m4h,
649 1d2d3h.
650 This setting is only supported by version 1.8.20 or higher.
652 Tag_Spec
654 A command may have zero or more tags associated with it. The following
655 tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
656 NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD,
657 SETENV, and NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in
658 the Cmnd_Spec_List, inherit the tag unless it is overridden by the oppo‐
659 site tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides
660 EXEC).
661 EXEC and NOEXEC
663 If sudo has been compiled with noexec support and the underlying oper‐
665 ating system supports it, the NOEXEC tag can be used to prevent a
666 dynamically-linked executable from running further commands itself.
667 In the following example, user aaron may run /usr/bin/more and
669 /usr/bin/vi but shell escapes will be disabled.
670 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
672 See the Preventing shell escapes section below for more details on how
674 NOEXEC works and whether or not it will work on your system.
675 FOLLOW and NOFOLLOW Starting with version 1.8.15, sudoedit will not open
677 a file that is a symbolic link unless the sudoedit_follow flag is
678 enabled. The FOLLOW and NOFOLLOW tags override the value of
679 sudoedit_follow and can be used to permit (or deny) the editing of sym‐
680 bolic links on a per-command basis. These tags are only effective for
681 the sudoedit command and are ignored for all other commands.
682 LOG_INPUT and NOLOG_INPUT
684 These tags override the value of the log_input flag on a per-command
686 basis. For more information, see the description of log_input in the
687 SUDOERS OPTIONS section below.
688 LOG_OUTPUT and NOLOG_OUTPUT
690 These tags override the value of the log_output flag on a per-command
692 basis. For more information, see the description of log_output in the
693 SUDOERS OPTIONS section below.
694 MAIL and NOMAIL
696 These tags provide fine-grained control over whether mail will be sent
698 when a user runs a command by overriding the value of the
699 mail_all_cmnds flag on a per-command basis. They have no effect when
700 sudo is run with the -l or -v options. A NOMAIL tag will also override
701 the mail_always and mail_no_perms options. For more information, see
702 the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
703 the SUDOERS OPTIONS section below.
704 PASSWD and NOPASSWD
706 By default, sudo requires that a user authenticate him or herself
708 before running a command. This behavior can be modified via the
709 NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
710 the commands that follow it in the Cmnd_Spec_List. Conversely, the
711 PASSWD tag can be used to reverse things. For example:
712 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
714 would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
716 as root on the machine rushmore without authenticating himself. If we
717 only want ray to be able to run /bin/kill without a password the entry
718 would be:
719 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
721 Note, however, that the PASSWD tag has no effect on users who are in
723 the group specified by the exempt_group setting.
724 By default, if the NOPASSWD tag is applied to any of a user's entries
726 for the current host, the user will be able to run “sudo -l” without a
727 password. Additionally, a user may only run “sudo -v” without a pass‐
728 word if all of the user's entries for the current host have the
729 NOPASSWD tag. This behavior may be overridden via the verifypw and
730 listpw options.
731 SETENV and NOSETENV
733 These tags override the value of the setenv flag on a per-command
735 basis. Note that if SETENV has been set for a command, the user may
736 disable the env_reset flag from the command line via the -E option.
737 Additionally, environment variables set on the command line are not
738 subject to the restrictions imposed by env_check, env_delete, or
739 env_keep. As such, only trusted users should be allowed to set vari‐
740 ables in this manner. If the command matched is ALL, the SETENV tag is
741 implied for that command; this default may be overridden by use of the
742 NOSETENV tag.
743 Wildcards
745 sudo allows shell-style wildcards (aka meta or glob characters) to be
746 used in host names, path names and command line arguments in the sudoers
747 file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
748 as specified by IEEE Std 1003.1 (“POSIX.1”).
749 * Matches any set of zero or more characters (including white
751 space).
752 ? Matches any single character (including white space).
754 [...] Matches any character in the specified range.
756 [!...] Matches any character not in the specified range.
758 \x For any character ‘x’, evaluates to ‘x’. This is used to
760 escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
761 Note that these are not regular expressions. Unlike a regular expression
763 there is no way to match one or more characters within a range.
764 Character classes may be used if your system's glob(3) and fnmatch(3)
766 functions support them. However, because the ‘:’ character has special
767 meaning in sudoers, it must be escaped. For example:
768 /bin/ls [[\:alpha\:]]*
770 Would match any file name beginning with a letter.
772 Note that a forward slash (‘/’) will not be matched by wildcards used in
774 the file name portion of the command. This is to make a path like:
775 /usr/bin/*
777 match /usr/bin/who but not /usr/bin/X11/xterm.
779 When matching the command line arguments, however, a slash does get
781 matched by wildcards since command line arguments may contain arbitrary
782 strings and not just path names.
783 Wildcards in command line arguments should be used with care.
785 Command line arguments are matched as a single, concatenated string.
786 This mean a wildcard character such as ‘?’ or ‘*’ will match across word
787 boundaries, which may be unexpected. For example, while a sudoers entry
788 like:
789 %operator ALL = /bin/cat /var/log/messages*
791 will allow command like:
793 $ sudo cat /var/log/messages.1
795 It will also allow:
797 $ sudo cat /var/log/messages /etc/shadow
799 which is probably not what was intended. In most cases it is better to
801 do command line processing outside of the sudoers file in a scripting
802 language.
803 Exceptions to wildcard rules
805 The following exceptions apply to the above rules:
806 "" If the empty string "" is the only command line argument in the
808 sudoers file entry it means that command is not allowed to be
809 run with any arguments.
810 sudoedit Command line arguments to the sudoedit built-in command should
812 always be path names, so a forward slash (‘/’) will not be
813 matched by a wildcard.
814 Including other files from within sudoers
816 It is possible to include other sudoers files from within the sudoers
817 file currently being parsed using the #include and #includedir direc‐
818 tives.
819 This can be used, for example, to keep a site-wide sudoers file in addi‐
821 tion to a local, per-machine file. For the sake of this example the
822 site-wide sudoers file will be /etc/sudoers and the per-machine one will
823 be /etc/sudoers.local. To include /etc/sudoers.local from within
824 /etc/sudoers we would use the following line in /etc/sudoers:
825 #include /etc/sudoers.local
827 When sudo reaches this line it will suspend processing of the current
829 file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
830 end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
831 Files that are included may themselves include other files. A hard limit
832 of 128 nested include files is enforced to prevent include file loops.
833 If the path to the include file is not fully-qualified (does not begin
835 with a ‘/’), it must be located in the same directory as the sudoers file
836 it was included from. For example, if /etc/sudoers contains the line:
837 #include sudoers.local
839 the file that will be included is /etc/sudoers.local.
841 The file name may also include the %h escape, signifying the short form
843 of the host name. In other words, if the machine's host name is
844 “xerxes”, then
845 #include /etc/sudoers.%h
847 will cause sudo to include the file /etc/sudoers.xerxes.
849 The #includedir directive can be used to create a sudoers.d directory
851 that the system package manager can drop sudoers file rules into as part
852 of package installation. For example, given:
853 #includedir /etc/sudoers.d
855 sudo will suspend processing of the current file and read each file in
857 /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
858 character to avoid causing problems with package manager or editor tempo‐
859 rary/backup files. Files are parsed in sorted lexical order. That is,
860 /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
861 Be aware that because the sorting is lexical, not numeric,
862 /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
863 Using a consistent number of leading zeroes in the file names can be used
864 to avoid such problems. After parsing the files in the directory, con‐
865 trol returns to the file that contained the #includedir directive.
866 Note that unlike files included via #include, visudo will not edit the
868 files in a #includedir directory unless one of them contains a syntax
869 error. It is still possible to run visudo with the -f flag to edit the
870 files directly, but this will not catch the redefinition of an alias that
871 is also present in a different file.
872 Other special characters and reserved words
874 The pound sign (‘#’) is used to indicate a comment (unless it is part of
875 a #include directive or unless it occurs in the context of a user name
876 and is followed by one or more digits, in which case it is treated as a
877 user-ID). Both the comment character and any text after it, up to the
878 end of the line, are ignored.
879 The reserved word ALL is a built-in alias that always causes a match to
881 succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
882 User_Alias, Runas_Alias, or Host_Alias. You should not try to define
883 your own alias called ALL as the built-in alias will be used in prefer‐
884 ence to your own. Please note that using ALL can be dangerous since in a
885 command context, it allows the user to run any command on the system.
886 An exclamation point (‘!’) can be used as a logical not operator in a
888 list or alias as well as in front of a Cmnd. This allows one to exclude
889 certain values. For the ‘!’ operator to be effective, there must be
890 something for it to exclude. For example, to match all users except for
891 root one would use:
892 ALL,!root
894 If the ALL, is omitted, as in:
896 !root
898 it would explicitly deny root but not match any other users. This is
900 different from a true “negation” operator.
901 Note, however, that using a ‘!’ in conjunction with the built-in ALL
903 alias to allow a user to run “all but a few” commands rarely works as
904 intended (see SECURITY NOTES below).
905 Long lines can be continued with a backslash (‘\’) as the last character
907 on the line.
908 White space between elements in a list as well as special syntactic char‐
910 acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
911 The following characters must be escaped with a backslash (‘\’) when used
913 as part of a word (e.g., a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
914 ‘(’, ‘)’, ‘\’.
915
917 sudo's behavior can be modified by Default_Entry lines, as explained ear‐
918 lier. A list of all supported Defaults parameters, grouped by type, are
919 listed below.
920 Boolean Flags:
922 always_query_group_plugin
924 If a group_plugin is configured, use it to resolve
925 groups of the form %group as long as there is not also
926 a system group of the same name. Normally, only groups
927 of the form %:group are passed to the group_plugin.
928 This flag is off by default.
929 always_set_home If enabled, sudo will set the HOME environment variable
931 to the home directory of the target user (which is the
932 root user unless the -u option is used). This flag is
933 largely obsolete and has no effect unless the env_reset
934 flag has been disabled or HOME is present in the
935 env_keep list, both of which are strongly discouraged.
936 This flag is off by default.
937 authenticate If set, users must authenticate themselves via a pass‐
939 word (or other means of authentication) before they may
940 run commands. This default may be overridden via the
941 PASSWD and NOPASSWD tags. This flag is on by default.
942 case_insensitive_group
944 If enabled, group names in sudoers will be matched in a
945 case insensitive manner. This may be necessary when
946 users are stored in LDAP or AD. This flag is on by
947 default.
948 case_insensitive_user
950 If enabled, user names in sudoers will be matched in a
951 case insensitive manner. This may be necessary when
952 groups are stored in LDAP or AD. This flag is on by
953 default.
954 closefrom_override
956 If set, the user may use the -C option which overrides
957 the default starting point at which sudo begins closing
958 open file descriptors. This flag is off by default.
959 compress_io If set, and sudo is configured to log a command's input
961 or output, the I/O logs will be compressed using zlib.
962 This flag is on by default when sudo is compiled with
963 zlib support.
964 exec_background By default, sudo runs a command as the foreground
966 process as long as sudo itself is running in the fore‐
967 ground. When the exec_background flag is enabled and
968 the command is being run in a pseudo-terminal (due to
969 I/O logging or the use_pty flag), the command will be
970 run as a background process. Attempts to read from the
971 controlling terminal (or to change terminal settings)
972 will result in the command being suspended with the
973 SIGTTIN signal (or SIGTTOU in the case of terminal set‐
974 tings). If this happens when sudo is a foreground
975 process, the command will be granted the controlling
976 terminal and resumed in the foreground with no user
977 intervention required. The advantage of initially run‐
978 ning the command in the background is that sudo need
979 not read from the terminal unless the command explic‐
980 itly requests it. Otherwise, any terminal input must
981 be passed to the command, whether it has required it or
982 not (the kernel buffers terminals so it is not possible
983 to tell whether the command really wants the input).
984 This is different from historic sudo behavior or when
985 the command is not being run in a pseudo-terminal.
986 For this to work seamlessly, the operating system must
988 support the automatic restarting of system calls.
989 Unfortunately, not all operating systems do this by
990 default, and even those that do may have bugs. For
991 example, macOS fails to restart the tcgetattr() and
992 tcsetattr() system calls (this is a bug in macOS).
993 Furthermore, because this behavior depends on the com‐
994 mand stopping with the SIGTTIN or SIGTTOU signals, pro‐
995 grams that catch these signals and suspend themselves
996 with a different signal (usually SIGTOP) will not be
997 automatically foregrounded. Some versions of the linux
998 su(1) command behave this way. This flag is off by
999 default.
1000 This setting is only supported by version 1.8.7 or
1002 higher. It has no effect unless I/O logging is enabled
1003 or the use_pty flag is enabled.
1004 env_editor If set, visudo will use the value of the SUDO_EDITOR,
1006 VISUAL or EDITOR environment variables before falling
1007 back on the default editor list. Note that visudo is
1008 typically run as root so this flag may allow a user
1009 with visudo privileges to run arbitrary commands as
1010 root without logging. An alternative is to place a
1011 colon-separated list of “safe” editors int the editor
1012 variable. visudo will then only use SUDO_EDITOR,
1013 VISUAL or EDITOR if they match a value specified in
1014 editor. If the env_reset flag is enabled, the
1015 SUDO_EDITOR, VISUAL and/or EDITOR environment variables
1016 must be present in the env_keep list for the env_editor
1017 flag to function when visudo is invoked via sudo. This
1018 flag is on by default.
1019 env_reset If set, sudo will run the command in a minimal environ‐
1021 ment containing the TERM, PATH, HOME, MAIL, SHELL,
1022 LOGNAME, USER and SUDO_* variables. Any variables in
1023 the caller's environment or in the file specified by
1024 the restricted_env_file setting that match the env_keep
1025 and env_check lists are then added, followed by any
1026 variables present in the file specified by the env_file
1027 setting (if any). The contents of the env_keep and
1028 env_check lists, as modified by global Defaults parame‐
1029 ters in sudoers, are displayed when sudo is run by root
1030 with the -V option. If the secure_path setting is
1031 enabled, its value will be used for the PATH environ‐
1032 ment variable. This flag is on by default.
1033 fast_glob Normally, sudo uses the glob(3) function to do shell-
1035 style globbing when matching path names. However,
1036 since it accesses the file system, glob(3) can take a
1037 long time to complete for some patterns, especially
1038 when the pattern references a network file system that
1039 is mounted on demand (auto mounted). The fast_glob
1040 flag causes sudo to use the fnmatch(3) function, which
1041 does not access the file system to do its matching.
1042 The disadvantage of fast_glob is that it is unable to
1043 match relative path names such as ./ls or ../bin/ls.
1044 This has security implications when path names that
1045 include globbing characters are used with the negation
1046 operator, ‘!’, as such rules can be trivially bypassed.
1047 As such, this flag should not be used when the sudoers
1048 file contains rules that contain negated path names
1049 which include globbing characters. This flag is off by
1050 default.
1051 fqdn Set this flag if you want to put fully qualified host
1053 names in the sudoers file when the local host name (as
1054 returned by the hostname command) does not contain the
1055 domain name. In other words, instead of myhost you
1056 would use myhost.mydomain.edu. You may still use the
1057 short form if you wish (and even mix the two). This
1058 flag is only effective when the “canonical” host name,
1059 as returned by the getaddrinfo() or gethostbyname()
1060 function, is a fully-qualified domain name. This is
1061 usually the case when the system is configured to use
1062 DNS for host name resolution.
1063 If the system is configured to use the /etc/hosts file
1065 in preference to DNS, the “canonical” host name may not
1066 be fully-qualified. The order that sources are queried
1067 for host name resolution is usually specified in the
1068 /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
1069 or, in some cases, /etc/resolv.conf file. In the
1070 /etc/hosts file, the first host name of the entry is
1071 considered to be the “canonical” name; subsequent names
1072 are aliases that are not used by sudoers. For example,
1073 the following hosts file line for the machine “xyzzy”
1074 has the fully-qualified domain name as the “canonical”
1075 host name, and the short version as an alias.
1076 192.168.1.1 xyzzy.sudo.ws xyzzy
1078 If the machine's hosts file entry is not formatted
1080 properly, the fqdn flag will not be effective if it is
1081 queried before DNS.
1082 Beware that when using DNS for host name resolution,
1084 turning on fqdn requires sudoers to make DNS lookups
1085 which renders sudo unusable if DNS stops working (for
1086 example if the machine is disconnected from the net‐
1087 work). Also note that just like with the hosts file,
1088 you must use the “canonical” name as DNS knows it.
1089 That is, you may not use a host alias (CNAME entry) due
1090 to performance issues and the fact that there is no way
1091 to get all aliases from DNS.
1092 This flag is off by default.
1094 ignore_audit_errors
1096 Allow commands to be run even if sudoers cannot write
1097 to the audit log. If enabled, an audit log write fail‐
1098 ure is not treated as a fatal error. If disabled, a
1099 command may only be run after the audit event is suc‐
1100 cessfully written. This flag is only effective on sys‐
1101 tems for which sudoers supports audit logging, includ‐
1102 ing FreeBSD, Linux, macOS and Solaris. This flag is on
1103 by default.
1104 ignore_dot If set, sudo will ignore "." or "" (both denoting cur‐
1106 rent directory) in the PATH environment variable; the
1107 PATH itself is not modified. This flag is on by
1108 default.
1109 ignore_iolog_errors
1111 Allow commands to be run even if sudoers cannot write
1112 to the I/O log. If enabled, an I/O log write failure
1113 is not treated as a fatal error. If disabled, the com‐
1114 mand will be terminated if the I/O log cannot be writ‐
1115 ten to. This flag is off by default.
1116 ignore_logfile_errors
1118 Allow commands to be run even if sudoers cannot write
1119 to the log file. If enabled, a log file write failure
1120 is not treated as a fatal error. If disabled, a com‐
1121 mand may only be run after the log file entry is suc‐
1122 cessfully written. This flag only has an effect when
1123 sudoers is configured to use file-based logging via the
1124 logfile setting. This flag is on by default.
1125 ignore_local_sudoers
1127 If set via LDAP, parsing of /etc/sudoers will be
1128 skipped. This is intended for Enterprises that wish to
1129 prevent the usage of local sudoers files so that only
1130 LDAP is used. This thwarts the efforts of rogue opera‐
1131 tors who would attempt to add roles to /etc/sudoers.
1132 When this flag is enabled, /etc/sudoers does not even
1133 need to exist. Since this flag tells sudo how to
1134 behave when no specific LDAP entries have been matched,
1135 this sudoOption is only meaningful for the cn=defaults
1136 section. This flag is off by default.
1137 ignore_unknown_defaults
1139 If set, sudo will not produce a warning if it encoun‐
1140 ters an unknown Defaults entry in the sudoers file or
1141 an unknown sudoOption in LDAP. This flag is off by
1142 default.
1143 insults If set, sudo will insult users when they enter an
1145 incorrect password. This flag is off by default.
1146 log_allowed If set, sudoers will log commands allowed by the policy
1148 to the system audit log (where supported) as well as to
1149 syslog and/or a log file. This flag is on by default.
1150 This setting is only supported by version 1.8.29 or
1152 higher.
1153 log_denied If set, sudoers will log commands denied by the policy
1155 to the system audit log (where supported) as well as to
1156 syslog and/or a log file. This flag is on by default.
1157 This setting is only supported by version 1.8.29 or
1159 higher.
1160 log_host If set, the host name will be included in log entries
1162 written to the file configured by the logfile setting.
1163 This flag is off by default.
1164 log_input If set, sudo will run the command in a pseudo-terminal
1166 and log all user input. If the standard input is not
1167 connected to the user's tty, due to I/O redirection or
1168 because the command is part of a pipeline, that input
1169 is also captured and stored in a separate log file.
1170 Anything sent to the standard input will be consumed,
1171 regardless of whether or not the command run via sudo
1172 is actually reading the standard input. This may have
1173 unexpected results when using sudo in a shell script
1174 that expects to process the standard input. For more
1175 information about I/O logging, see the I/O LOG FILES
1176 section. This flag is off by default.
1177 log_output If set, sudo will run the command in a pseudo-terminal
1179 and log all output that is sent to the screen, similar
1180 to the script(1) command. For more information about
1181 I/O logging, see the I/O LOG FILES section. This flag
1182 is off by default.
1183 log_year If set, the four-digit year will be logged in the (non-
1185 syslog) sudo log file. This flag is off by default.
1186 long_otp_prompt When validating with a One Time Password (OTP) scheme
1188 such as S/Key or OPIE, a two-line prompt is used to
1189 make it easier to cut and paste the challenge to a
1190 local window. It's not as pretty as the default but
1191 some people find it more convenient. This flag is off
1192 by default.
1193 mail_all_cmnds Send mail to the mailto user every time a user attempts
1195 to run a command via sudo (this includes sudoedit). No
1196 mail will be sent if the user runs sudo with the -l or
1197 -v option unless there is an authentication error and
1198 the mail_badpass flag is also set. This flag is off by
1199 default.
1200 mail_always Send mail to the mailto user every time a user runs
1202 sudo. This flag is off by default.
1203 mail_badpass Send mail to the mailto user if the user running sudo
1205 does not enter the correct password. If the command
1206 the user is attempting to run is not permitted by
1207 sudoers and one of the mail_all_cmnds, mail_always,
1208 mail_no_host, mail_no_perms or mail_no_user flags are
1209 set, this flag will have no effect. This flag is off
1210 by default.
1211 mail_no_host If set, mail will be sent to the mailto user if the
1213 invoking user exists in the sudoers file, but is not
1214 allowed to run commands on the current host. This flag
1215 is off by default.
1216 mail_no_perms If set, mail will be sent to the mailto user if the
1218 invoking user is allowed to use sudo but the command
1219 they are trying is not listed in their sudoers file
1220 entry or is explicitly denied. This flag is off by
1221 default.
1222 mail_no_user If set, mail will be sent to the mailto user if the
1224 invoking user is not in the sudoers file. This flag is
1225 on by default.
1226 match_group_by_gid
1228 By default, sudoers will look up each group the user is
1229 a member of by group-ID to determine the group name
1230 (this is only done once). The resulting list of the
1231 user's group names is used when matching groups listed
1232 in the sudoers file. This works well on systems where
1233 the number of groups listed in the sudoers file is
1234 larger than the number of groups a typical user belongs
1235 to. On systems where group lookups are slow, where
1236 users may belong to a large number of groups, and where
1237 the number of groups listed in the sudoers file is rel‐
1238 atively small, it may be prohibitively expensive and
1239 running commands via sudo may take longer than normal.
1240 On such systems it may be faster to use the
1241 match_group_by_gid flag to avoid resolving the user's
1242 group-IDs to group names. In this case, sudoers must
1243 look up any group name listed in the sudoers file and
1244 use the group-ID instead of the group name when deter‐
1245 mining whether the user is a member of the group.
1246 Note that if match_group_by_gid is enabled, group data‐
1248 base lookups performed by sudoers will be keyed by
1249 group name as opposed to group-ID. On systems where
1250 there are multiple sources for the group database, it
1251 is possible to have conflicting group names or group-
1252 IDs in the local /etc/group file and the remote group
1253 database. On such systems, enabling or disabling
1254 match_group_by_gid can be used to choose whether group
1255 database queries are performed by name (enabled) or ID
1256 (disabled), which may aid in working around group entry
1257 conflicts.
1258 The match_group_by_gid flag has no effect when sudoers
1260 data is stored in LDAP. This flag is off by default.
1261 This setting is only supported by version 1.8.18 or
1263 higher.
1264 netgroup_tuple If set, netgroup lookups will be performed using the
1266 full netgroup tuple: host name, user name and domain
1267 (if one is set). Historically, sudo only matched the
1268 user name and domain for netgroups used in a User_List
1269 and only matched the host name and domain for netgroups
1270 used in a Host_List. This flag is off by default.
1271 noexec If set, all commands run via sudo will behave as if the
1273 NOEXEC tag has been set, unless overridden by an EXEC
1274 tag. See the description of EXEC and NOEXEC above as
1275 well as the Preventing shell escapes section at the end
1276 of this manual. This flag is off by default.
1277 pam_acct_mgmt On systems that use PAM for authentication, sudo will
1279 perform PAM account validation for the invoking user by
1280 default. The actual checks performed depend on which
1281 PAM modules are configured. If enabled, account vali‐
1282 dation will be performed regardless of whether or not a
1283 password is required. This flag is on by default.
1284 This setting is only supported by version 1.8.28 or
1286 higher.
1287 pam_session On systems that use PAM for authentication, sudo will
1289 create a new PAM session for the command to be run in.
1290 Unless sudo is given the -i or -s options, PAM session
1291 modules are run with the “silent” flag enabled. This
1292 prevents last login information from being displayed
1293 for every command on some systems. Disabling
1294 pam_session may be needed on older PAM implementations
1295 or on operating systems where opening a PAM session
1296 changes the utmp or wtmp files. If PAM session support
1297 is disabled, resource limits may not be updated for the
1298 command being run. If pam_session, pam_setcred, and
1299 use_pty are disabled and I/O logging has not been con‐
1300 figured, sudo will execute the command directly instead
1301 of running it as a child process. This flag is on by
1302 default.
1303 This setting is only supported by version 1.8.7 or
1305 higher.
1306 pam_setcred On systems that use PAM for authentication, sudo will
1308 attempt to establish credentials for the target user by
1309 default, if supported by the underlying authentication
1310 system. One example of a credential is a Kerberos
1311 ticket. If pam_session, pam_setcred, and use_pty are
1312 disabled and I/O logging has not been configured, sudo
1313 will execute the command directly instead of running it
1314 as a child process. This flag is on by default.
1315 This setting is only supported by version 1.8.8 or
1317 higher.
1318 passprompt_override
1320 If set, the prompt specified by passprompt or the
1321 SUDO_PROMPT environment variable will always be used
1322 and will replace the prompt provided by a PAM module or
1323 other authentication method. This flag is off by
1324 default.
1325 path_info Normally, sudo will tell the user when a command could
1327 not be found in their PATH environment variable. Some
1328 sites may wish to disable this as it could be used to
1329 gather information on the location of executables that
1330 the normal user does not have access to. The disadvan‐
1331 tage is that if the executable is simply not in the
1332 user's PATH, sudo will tell the user that they are not
1333 allowed to run it, which can be confusing. This flag
1334 is on by default.
1335 preserve_groups By default, sudo will initialize the group vector to
1337 the list of groups the target user is in. When
1338 preserve_groups is set, the user's existing group vec‐
1339 tor is left unaltered. The real and effective group-
1340 IDs, however, are still set to match the target user.
1341 This flag is off by default.
1342 pwfeedback By default, sudo reads the password like most other
1344 Unix programs, by turning off echo until the user hits
1345 the return (or enter) key. Some users become confused
1346 by this as it appears to them that sudo has hung at
1347 this point. When pwfeedback is set, sudo will provide
1348 visual feedback when the user presses a key. Note that
1349 this does have a security impact as an onlooker may be
1350 able to determine the length of the password being
1351 entered. This flag is off by default.
1352 requiretty If set, sudo will only run when the user is logged in
1354 to a real tty. When this flag is set, sudo can only be
1355 run from a login session and not via other means such
1356 as cron(8) or cgi-bin scripts. This flag is off by
1357 default.
1358 root_sudo If set, root is allowed to run sudo too. Disabling
1360 this prevents users from “chaining” sudo commands to
1361 get a root shell by doing something like “sudo sudo
1362 /bin/sh”. Note, however, that turning off root_sudo
1363 will also prevent root from running sudoedit. Dis‐
1364 abling root_sudo provides no real additional security;
1365 it exists purely for historical reasons. This flag is
1366 on by default.
1367 rootpw If set, sudo will prompt for the root password instead
1369 of the password of the invoking user when running a
1370 command or editing a file. This flag is off by
1371 default.
1372 runaspw If set, sudo will prompt for the password of the user
1374 defined by the runas_default option (defaults to root)
1375 instead of the password of the invoking user when run‐
1376 ning a command or editing a file. This flag is off by
1377 default.
1378 set_home If enabled and sudo is invoked with the -s option, the
1380 HOME environment variable will be set to the home
1381 directory of the target user (which is the root user
1382 unless the -u option is used). This flag is largely
1383 obsolete and has no effect unless the env_reset flag
1384 has been disabled or HOME is present in the env_keep
1385 list, both of which are strongly discouraged. This
1386 flag is off by default.
1387 set_logname Normally, sudo will set the LOGNAME and USER environ‐
1389 ment variables to the name of the target user (usually
1390 root unless the -u option is given). However, since
1391 some programs (including the RCS revision control sys‐
1392 tem) use LOGNAME to determine the real identity of the
1393 user, it may be desirable to change this behavior.
1394 This can be done by negating the set_logname option.
1395 Note that set_logname will have no effect if the
1396 env_reset option has not been disabled and the env_keep
1397 list contains LOGNAME or USER. This flag is on by
1398 default.
1399 set_utmp When enabled, sudo will create an entry in the utmp (or
1401 utmpx) file when a pseudo-terminal is allocated. A
1402 pseudo-terminal is allocated by sudo when it is running
1403 in a terminal and one or more of the log_input,
1404 log_output or use_pty flags is enabled. By default,
1405 the new entry will be a copy of the user's existing
1406 utmp entry (if any), with the tty, time, type and pid
1407 fields updated. This flag is on by default.
1408 setenv Allow the user to disable the env_reset option from the
1410 command line via the -E option. Additionally, environ‐
1411 ment variables set via the command line are not subject
1412 to the restrictions imposed by env_check, env_delete,
1413 or env_keep. As such, only trusted users should be
1414 allowed to set variables in this manner. This flag is
1415 off by default.
1416 shell_noargs If set and sudo is invoked with no arguments it acts as
1418 if the -s option had been given. That is, it runs a
1419 shell as root (the shell is determined by the SHELL
1420 environment variable if it is set, falling back on the
1421 shell listed in the invoking user's /etc/passwd entry
1422 if not). This flag is off by default.
1423 stay_setuid Normally, when sudo executes a command the real and
1425 effective UIDs are set to the target user (root by
1426 default). This option changes that behavior such that
1427 the real UID is left as the invoking user's UID. In
1428 other words, this makes sudo act as a set-user-ID wrap‐
1429 per. This can be useful on systems that disable some
1430 potentially dangerous functionality when a program is
1431 run set-user-ID. This option is only effective on sys‐
1432 tems that support either the setreuid(2) or
1433 setresuid(2) system call. This flag is off by default.
1434 sudoedit_checkdir
1436 If set, sudoedit will check all directory components of
1437 the path to be edited for writability by the invoking
1438 user. Symbolic links will not be followed in writable
1439 directories and sudoedit will refuse to edit a file
1440 located in a writable directory. These restrictions
1441 are not enforced when sudoedit is run by root. On some
1442 systems, if all directory components of the path to be
1443 edited are not readable by the target user, sudoedit
1444 will be unable to edit the file. This flag is on by
1445 default.
1446 This setting was first introduced in version 1.8.15 but
1448 initially suffered from a race condition. The check
1449 for symbolic links in writable intermediate directories
1450 was added in version 1.8.16.
1451 sudoedit_follow By default, sudoedit will not follow symbolic links
1453 when opening files. The sudoedit_follow option can be
1454 enabled to allow sudoedit to open symbolic links. It
1455 may be overridden on a per-command basis by the FOLLOW
1456 and NOFOLLOW tags. This flag is off by default.
1457 This setting is only supported by version 1.8.15 or
1459 higher.
1460 syslog_pid When logging via syslog(3), include the process ID in
1462 the log entry. This flag is off by default.
1463 This setting is only supported by version 1.8.21 or
1465 higher.
1466 targetpw If set, sudo will prompt for the password of the user
1468 specified by the -u option (defaults to root) instead
1469 of the password of the invoking user when running a
1470 command or editing a file. Note that this flag pre‐
1471 cludes the use of a user-ID not listed in the passwd
1472 database as an argument to the -u option. This flag is
1473 off by default.
1474 tty_tickets If set, users must authenticate on a per-tty basis.
1476 With this flag enabled, sudo will use a separate record
1477 in the time stamp file for each terminal. If disabled,
1478 a single record is used for all login sessions.
1479 This option has been superseded by the timestamp_type
1481 option.
1482 umask_override If set, sudo will set the umask as specified in the
1484 sudoers file without modification. This makes it pos‐
1485 sible to specify a umask in the sudoers file that is
1486 more permissive than the user's own umask and matches
1487 historical behavior. If umask_override is not set,
1488 sudo will set the umask to be the union of the user's
1489 umask and what is specified in sudoers. This flag is
1490 off by default.
1491 use_netgroups If set, netgroups (prefixed with ‘+’), may be used in
1493 place of a user or host. For LDAP-based sudoers, net‐
1494 group support requires an expensive sub-string match on
1495 the server unless the NETGROUP_BASE directive is
1496 present in the /etc/ldap.conf file. If netgroups are
1497 not needed, this option can be disabled to reduce the
1498 load on the LDAP server. This flag is on by default.
1499 use_pty If set, and sudo is running in a terminal, the command
1501 will be run in a pseudo-terminal (even if no I/O log‐
1502 ging is being done). If the sudo process is not
1503 attached to a terminal, use_pty has no effect.
1504 A malicious program run under sudo may be capable of
1506 injecting commands into the user's terminal or running
1507 a background process that retains access to the user's
1508 terminal device even after the main program has fin‐
1509 ished executing. By running the command in a separate
1510 pseudo-terminal, this attack is no longer possible.
1511 This flag is off by default.
1512 user_command_timeouts
1514 If set, the user may specify a timeout on the command
1515 line. If the timeout expires before the command has
1516 exited, the command will be terminated. If a timeout
1517 is specified both in the sudoers file and on the com‐
1518 mand line, the smaller of the two timeouts will be
1519 used. See the Timeout_Spec section for a description
1520 of the timeout syntax. This flag is off by default.
1521 This setting is only supported by version 1.8.20 or
1523 higher.
1524 utmp_runas If set, sudo will store the name of the runas user when
1526 updating the utmp (or utmpx) file. By default, sudo
1527 stores the name of the invoking user. This flag is off
1528 by default.
1529 visiblepw By default, sudo will refuse to run if the user must
1531 enter a password but it is not possible to disable echo
1532 on the terminal. If the visiblepw flag is set, sudo
1533 will prompt for a password even when it would be visi‐
1534 ble on the screen. This makes it possible to run
1535 things like “ssh somehost sudo ls” since by default,
1536 ssh(1) does not allocate a tty when running a command.
1537 This flag is off by default.
1538 Integers:
1540 closefrom Before it executes a command, sudo will close all open
1542 file descriptors other than standard input, standard
1543 output and standard error (ie: file descriptors 0-2).
1544 The closefrom option can be used to specify a different
1545 file descriptor at which to start closing. The default
1546 is 3.
1547 command_timeout The maximum amount of time a command is allowed to run
1549 before it is terminated. See the Timeout_Spec section
1550 for a description of the timeout syntax.
1551 This setting is only supported by version 1.8.20 or
1553 higher.
1554 maxseq The maximum sequence number that will be substituted
1556 for the “%{seq}” escape in the I/O log file (see the
1557 iolog_dir description below for more information).
1558 While the value substituted for “%{seq}” is in base 36,
1559 maxseq itself should be expressed in decimal. Values
1560 larger than 2176782336 (which corresponds to the base
1561 36 sequence number “ZZZZZZ”) will be silently truncated
1562 to 2176782336. The default value is 2176782336.
1563 Once the local sequence number reaches the value of
1565 maxseq, it will “roll over” to zero, after which
1566 sudoers will truncate and re-use any existing I/O log
1567 path names.
1568 This setting is only supported by version 1.8.7 or
1570 higher.
1571 passwd_tries The number of tries a user gets to enter his/her pass‐
1573 word before sudo logs the failure and exits. The
1574 default is 3.
1575 syslog_maxlen On many systems, syslog(3) has a relatively small log
1577 buffer. IETF RFC 5424 states that syslog servers must
1578 support messages of at least 480 bytes and should sup‐
1579 port messages up to 2048 bytes. By default, sudoers
1580 creates log messages up to 980 bytes which corresponds
1581 to the historic BSD syslog implementation which used a
1582 1024 byte buffer to store the message, date, hostname
1583 and program name. To prevent syslog messages from
1584 being truncated, sudoers will split up log messages
1585 that are larger than syslog_maxlen bytes. When a mes‐
1586 sage is split, additional parts will include the string
1587 “(command continued)” after the user name and before
1588 the continued command line arguments.
1589 This setting is only supported by version 1.8.19 or
1591 higher.
1592 Integers that can be used in a boolean context:
1594 loglinelen Number of characters per line for the file log. This
1596 value is used to decide when to wrap lines for nicer
1597 log files. This has no effect on the syslog log file,
1598 only the file log. The default is 80 (use 0 or negate
1599 the option to disable word wrap).
1600 passwd_timeout Number of minutes before the sudo password prompt times
1602 out, or 0 for no timeout. The timeout may include a
1603 fractional component if minute granularity is insuffi‐
1604 cient, for example 2.5. The default is 5.
1605 timestamp_timeout
1607 Number of minutes that can elapse before sudo will ask
1608 for a passwd again. The timeout may include a frac‐
1609 tional component if minute granularity is insufficient,
1610 for example 2.5. The default is 5. Set this to 0 to
1611 always prompt for a password. If set to a value less
1612 than 0 the user's time stamp will not expire until the
1613 system is rebooted. This can be used to allow users to
1614 create or delete their own time stamps via “sudo -v”
1615 and “sudo -k” respectively.
1616 umask File mode creation mask to use when running the com‐
1618 mand. Negate this option or set it to 0777 to prevent
1619 sudoers from changing the umask. Unless the
1620 umask_override flag is set, the actual umask will be
1621 the union of the user's umask and the value of the
1622 umask setting, which defaults to 0022. This guarantees
1623 that sudo never lowers the umask when running a com‐
1624 mand.
1625 If umask is explicitly set in sudoers, it will override
1627 any umask setting in PAM or login.conf. If umask is
1628 not set in sudoers, the umask specified by PAM or
1629 login.conf will take precedence. The umask setting in
1630 PAM is not used for sudoedit, which does not create a
1631 new PAM session.
1632 Strings:
1634 authfail_message Message that is displayed after a user fails to authen‐
1636 ticate. The message may include the ‘%d’ escape which
1637 will expand to the number of failed password attempts.
1638 If set, it overrides the default message, %d incorrect
1639 password attempt(s).
1640 badpass_message Message that is displayed if a user enters an incorrect
1642 password. The default is Sorry, try again. unless
1643 insults are enabled.
1644 editor A colon (‘:’) separated list of editors path names used
1646 by sudoedit and visudo. For sudoedit, this list is
1647 used to find an editor when none of the SUDO_EDITOR,
1648 VISUAL or EDITOR environment variables are set to an
1649 editor that exists and is executable. For visudo, it
1650 is used as a white list of allowed editors; visudo will
1651 choose the editor that matches the user's SUDO_EDITOR,
1652 VISUAL or EDITOR environment variable if possible, or
1653 the first editor in the list that exists and is exe‐
1654 cutable if not. Unless invoked as sudoedit, sudo does
1655 not preserve the SUDO_EDITOR, VISUAL or EDITOR environ‐
1656 ment variables unless they are present in the env_keep
1657 list or the env_reset option is disabled. The default
1658 is /bin/vi.
1659 iolog_dir The top-level directory to use when constructing the
1661 path name for the input/output log directory. Only
1662 used if the log_input or log_output options are enabled
1663 or when the LOG_INPUT or LOG_OUTPUT tags are present
1664 for a command. The session sequence number, if any, is
1665 stored in the directory. The default is
1666 /var/log/sudo-io.
1667 The following percent (‘%’) escape sequences are sup‐
1669 ported:
1670 %{seq}
1672 expanded to a monotonically increasing base-36
1673 sequence number, such as 0100A5, where every two
1674 digits are used to form a new directory, e.g.,
1675 01/00/A5
1676 %{user}
1678 expanded to the invoking user's login name
1679 %{group}
1681 expanded to the name of the invoking user's real
1682 group-ID
1683 %{runas_user}
1685 expanded to the login name of the user the com‐
1686 mand will be run as (e.g., root)
1687 %{runas_group}
1689 expanded to the group name of the user the com‐
1690 mand will be run as (e.g., wheel)
1691 %{hostname}
1693 expanded to the local host name without the
1694 domain name
1695 %{command}
1697 expanded to the base name of the command being
1698 run
1699 In addition, any escape sequences supported by the sys‐
1701 tem's strftime(3) function will be expanded.
1702 To include a literal ‘%’ character, the string ‘%%’
1704 should be used.
1705 iolog_file The path name, relative to iolog_dir, in which to store
1707 input/output logs when the log_input or log_output
1708 options are enabled or when the LOG_INPUT or LOG_OUTPUT
1709 tags are present for a command. Note that iolog_file
1710 may contain directory components. The default is
1711 “%{seq}”.
1712 See the iolog_dir option above for a list of supported
1714 percent (‘%’) escape sequences.
1715 In addition to the escape sequences, path names that
1717 end in six or more Xs will have the Xs replaced with a
1718 unique combination of digits and letters, similar to
1719 the mktemp(3) function.
1720 If the path created by concatenating iolog_dir and
1722 iolog_file already exists, the existing I/O log file
1723 will be truncated and overwritten unless iolog_file
1724 ends in six or more Xs.
1725 iolog_flush If set, sudo will flush I/O log data to disk after each
1727 write instead of buffering it. This makes it possible
1728 to view the logs in real-time as the program is execut‐
1729 ing but may significantly reduce the effectiveness of
1730 I/O log compression. This flag is off by default.
1731 This setting is only supported by version 1.8.20 or
1733 higher.
1734 iolog_group The group name to look up when setting the group-ID on
1736 new I/O log files and directories. If iolog_group is
1737 not set, the primary group-ID of the user specified by
1738 iolog_user is used. If neither iolog_group nor
1739 iolog_user are set, I/O log files and directories are
1740 created with group-ID 0.
1741 This setting is only supported by version 1.8.19 or
1743 higher.
1744 iolog_mode The file mode to use when creating I/O log files. Mode
1746 bits for read and write permissions for owner, group or
1747 other are honored, everything else is ignored. The
1748 file permissions will always include the owner read and
1749 write bits, even if they are not present in the speci‐
1750 fied mode. When creating I/O log directories, search
1751 (execute) bits are added to match the read and write
1752 bits specified by iolog_mode. Defaults to 0600 (read
1753 and write by user only).
1754 This setting is only supported by version 1.8.19 or
1756 higher.
1757 iolog_user The user name to look up when setting the user and
1759 group-IDs on new I/O log files and directories. If
1760 iolog_group is set, it will be used instead of the
1761 user's primary group-ID. By default, I/O log files and
1762 directories are created with user and group-ID 0.
1763 This setting can be useful when the I/O logs are stored
1765 on a Network File System (NFS) share. Having a dedi‐
1766 cated user own the I/O log files means that sudoers
1767 does not write to the log files as user-ID 0, which is
1768 usually not permitted by NFS.
1769 This setting is only supported by version 1.8.19 or
1771 higher.
1772 lecture_status_dir
1774 The directory in which sudo stores per-user lecture
1775 status files. Once a user has received the lecture, a
1776 zero-length file is created in this directory so that
1777 sudo will not lecture the user again. This directory
1778 should not be cleared when the system reboots. The
1779 default is /var/db/sudo/lectured.
1780 mailsub Subject of the mail sent to the mailto user. The
1782 escape %h will expand to the host name of the machine.
1783 Default is “*** SECURITY information for %h ***”.
1784 noexec_file As of sudo version 1.8.1 this option is no longer sup‐
1786 ported. The path to the noexec file should now be set
1787 in the sudo.conf(5) file.
1788 pam_login_service
1790 On systems that use PAM for authentication, this is the
1791 service name used when the -i option is specified. The
1792 default value is “sudo-i”. See the description of
1793 pam_service for more information.
1794 This setting is only supported by version 1.8.8 or
1796 higher.
1797 pam_service On systems that use PAM for authentication, the service
1799 name specifies the PAM policy to apply. This usually
1800 corresponds to an entry in the pam.conf file or a file
1801 in the /etc/pam.d directory. The default value is
1802 “sudo”.
1803 This setting is only supported by version 1.8.8 or
1805 higher.
1806 passprompt The default prompt to use when asking for a password;
1808 can be overridden via the -p option or the SUDO_PROMPT
1809 environment variable. The following percent (‘%’)
1810 escape sequences are supported:
1811 %H expanded to the local host name including the
1813 domain name (only if the machine's host name is
1814 fully qualified or the fqdn option is set)
1815 %h expanded to the local host name without the
1817 domain name
1818 %p expanded to the user whose password is being
1820 asked for (respects the rootpw, targetpw and
1821 runaspw flags in sudoers)
1822 %U expanded to the login name of the user the com‐
1824 mand will be run as (defaults to root)
1825 %u expanded to the invoking user's login name
1827 %% two consecutive % characters are collapsed into a
1829 single % character
1830 On systems that use PAM for authentication, passprompt
1832 will only be used if the prompt provided by the PAM
1833 module matches the string “Password: ” or “username's
1834 Password: ”. This ensures that the passprompt setting
1835 does not interfere with challenge-response style
1836 authentication. The passprompt_override flag can be
1837 used to change this behavior.
1838 The default value is “[sudo] password for %p: ”.
1840 role The default SELinux role to use when constructing a new
1842 security context to run the command. The default role
1843 may be overridden on a per-command basis in the sudoers
1844 file or via command line options. This option is only
1845 available when sudo is built with SELinux support.
1846 runas_default The default user to run commands as if the -u option is
1848 not specified on the command line. This defaults to
1849 root.
1850 sudoers_locale Locale to use when parsing the sudoers file, logging
1852 commands, and sending email. Note that changing the
1853 locale may affect how sudoers is interpreted. Defaults
1854 to “C”.
1855 timestamp_type sudoers uses per-user time stamp files for credential
1857 caching. The timestamp_type option can be used to
1858 specify the type of time stamp record used. It has the
1859 following possible values:
1860 global A single time stamp record is used for all of a
1862 user's login sessions, regardless of the termi‐
1863 nal or parent process ID. An additional record
1864 is used to serialize password prompts when sudo
1865 is used multiple times in a pipeline, but this
1866 does not affect authentication.
1867 ppid A single time stamp record is used for all pro‐
1869 cesses with the same parent process ID (usually
1870 the shell). Commands run from the same shell
1871 (or other common parent process) will not
1872 require a password for timestamp_timeout min‐
1873 utes (5 by default). Commands run via sudo
1874 with a different parent process ID, for example
1875 from a shell script, will be authenticated sep‐
1876 arately.
1877 tty One time stamp record is used for each termi‐
1879 nal, which means that a user's login sessions
1880 are authenticated separately. If no terminal
1881 is present, the behavior is the same as ppid.
1882 Commands run from the same terminal will not
1883 require a password for timestamp_timeout min‐
1884 utes (5 by default).
1885 kernel The time stamp is stored in the kernel as an
1887 attribute of the terminal device. If no termi‐
1888 nal is present, the behavior is the same as
1889 ppid. Negative timestamp_timeout values are
1890 not supported and positive values are limited
1891 to a maximum of 60 minutes. This is currently
1892 only supported on OpenBSD.
1893 The default value is tty.
1895 This setting is only supported by version 1.8.21 or
1897 higher.
1898 timestampdir The directory in which sudo stores its time stamp
1900 files. This directory should be cleared when the sys‐
1901 tem reboots. The default is /run/sudo/ts.
1902 timestampowner The owner of the lecture status directory, time stamp
1904 directory and all files stored therein. The default is
1905 root.
1906 type The default SELinux type to use when constructing a new
1908 security context to run the command. The default type
1909 may be overridden on a per-command basis in the sudoers
1910 file or via command line options. This option is only
1911 available when sudo is built with SELinux support.
1912 Strings that can be used in a boolean context:
1914 env_file The env_file option specifies the fully qualified path to a
1916 file containing variables to be set in the environment of
1917 the program being run. Entries in this file should either
1918 be of the form “VARIABLE=value” or “export VARIABLE=value”.
1919 The value may optionally be surrounded by single or double
1920 quotes. Variables in this file are only added if the vari‐
1921 able does not already exist in the environment. This file
1922 is considered to be part of the security policy, its con‐
1923 tents are not subject to other sudo environment restric‐
1924 tions such as env_keep and env_check.
1925 exempt_group Users in this group are exempt from password and PATH
1927 requirements. The group name specified should not include
1928 a % prefix. This is not set by default.
1929 fdexec Determines whether sudo will execute a command by its path
1931 or by an open file descriptor. It has the following possi‐
1932 ble values:
1933 always Always execute by file descriptor.
1935 never Never execute by file descriptor.
1937 digest_only
1939 Only execute by file descriptor if the command has
1940 an associated digest in the sudoers file.
1941 The default value is digest_only. This avoids a time of
1943 check versus time of use race condition when the command is
1944 located in a directory writable by the invoking user.
1945 Note that fdexec will change the first element of the argu‐
1947 ment vector for scripts ($0 in the shell) due to the way
1948 the kernel runs script interpreters. Instead of being a
1949 normal path, it will refer to a file descriptor. For exam‐
1950 ple, /dev/fd/4 on Solaris and /proc/self/fd/4 on Linux. A
1951 workaround is to use the SUDO_COMMAND environment variable
1952 instead.
1953 The fdexec setting is only used when the command is matched
1955 by path name. It has no effect if the command is matched
1956 by the built-in ALL alias.
1957 This setting is only supported by version 1.8.20 or higher.
1959 If the operating system does not support the fexecve(2)
1960 system call, this setting has no effect.
1961 group_plugin A string containing a sudoers group plugin with optional
1963 arguments. The string should consist of the plugin path,
1964 either fully-qualified or relative to the /usr/libexec/sudo
1965 directory, followed by any configuration arguments the
1966 plugin requires. These arguments (if any) will be passed
1967 to the plugin's initialization function. If arguments are
1968 present, the string must be enclosed in double quotes ("").
1969 For more information see GROUP PROVIDER PLUGINS.
1971 lecture This option controls when a short lecture will be printed
1973 along with the password prompt. It has the following pos‐
1974 sible values:
1975 always Always lecture the user.
1977 never Never lecture the user.
1979 once Only lecture the user the first time they run sudo.
1981 If no value is specified, a value of once is implied.
1983 Negating the option results in a value of never being used.
1984 The default value is once.
1985 lecture_file Path to a file containing an alternate sudo lecture that
1987 will be used in place of the standard lecture if the named
1988 file exists. By default, sudo uses a built-in lecture.
1989 listpw This option controls when a password will be required when
1991 a user runs sudo with the -l option. It has the following
1992 possible values:
1993 all All the user's sudoers file entries for the cur‐
1995 rent host must have the NOPASSWD flag set to
1996 avoid entering a password.
1997 always The user must always enter a password to use the
1999 -l option.
2000 any At least one of the user's sudoers file entries
2002 for the current host must have the NOPASSWD flag
2003 set to avoid entering a password.
2004 never The user need never enter a password to use the
2006 -l option.
2007 If no value is specified, a value of any is implied.
2009 Negating the option results in a value of never being used.
2010 The default value is any.
2011 logfile Path to the sudo log file (not the syslog log file). Set‐
2013 ting a path turns on logging to a file; negating this
2014 option turns it off. By default, sudo logs via syslog.
2015 mailerflags Flags to use when invoking mailer. Defaults to -t.
2017 mailerpath Path to mail program used to send warning mail. Defaults
2019 to the path to sendmail found at configure time.
2020 mailfrom Address to use for the “from” address when sending warning
2022 and error mail. The address should be enclosed in double
2023 quotes ("") to protect against sudo interpreting the @
2024 sign. Defaults to the name of the user running sudo.
2025 mailto Address to send warning and error mail to. The address
2027 should be enclosed in double quotes ("") to protect against
2028 sudo interpreting the @ sign. Defaults to root.
2029 restricted_env_file
2031 The restricted_env_file option specifies the fully quali‐
2032 fied path to a file containing variables to be set in the
2033 environment of the program being run. Entries in this file
2034 should either be of the form “VARIABLE=value” or “export
2035 VARIABLE=value”. The value may optionally be surrounded by
2036 single or double quotes. Variables in this file are only
2037 added if the variable does not already exist in the envi‐
2038 ronment. Unlike env_file, the file's contents are not
2039 trusted and are processed in a manner similar to that of
2040 the invoking user's environment. If env_reset is enabled,
2041 variables in the file will only be added if they are
2042 matched by either the env_check or env_keep list. If
2043 env_reset is disabled, variables in the file are added as
2044 long as they are not matched by the env_delete list. In
2045 either case, the contents of restricted_env_file are pro‐
2046 cessed before the contents of env_file.
2047 secure_path If set, sudo will use this value in place of the user's
2049 PATH environment variable. This option can be used to
2050 reset the PATH to a known good value that contains directo‐
2051 ries for system administrator commands such as /usr/sbin.
2052 Users in the group specified by the exempt_group option are
2054 not affected by secure_path. This option is not set by
2055 default.
2056 syslog Syslog facility if syslog is being used for logging (negate
2058 to disable syslog logging). Defaults to authpriv.
2059 The following syslog facilities are supported: authpriv (if
2061 your OS supports it), auth, daemon, user, local0, local1,
2062 local2, local3, local4, local5, local6, and local7.
2063 syslog_badpri
2065 Syslog priority to use when the user is not allowed to run
2066 a command or when authentication is unsuccessful. Defaults
2067 to alert.
2068 The following syslog priorities are supported: alert, crit,
2070 debug, emerg, err, info, notice, warning, and none. Negat‐
2071 ing the option or setting it to a value of none will dis‐
2072 able logging of unsuccessful commands.
2073 syslog_goodpri
2075 Syslog priority to use when the user is allowed to run a
2076 command and authentication is successful. Defaults to
2077 notice.
2078 See syslog_badpri for the list of supported syslog priori‐
2080 ties. Negating the option or setting it to a value of none
2081 will disable logging of successful commands.
2082 verifypw This option controls when a password will be required when
2084 a user runs sudo with the -v option. It has the following
2085 possible values:
2086 all All the user's sudoers file entries for the current
2088 host must have the NOPASSWD flag set to avoid
2089 entering a password.
2090 always The user must always enter a password to use the -v
2092 option.
2093 any At least one of the user's sudoers file entries for
2095 the current host must have the NOPASSWD flag set to
2096 avoid entering a password.
2097 never The user need never enter a password to use the -v
2099 option.
2100 If no value is specified, a value of all is implied.
2102 Negating the option results in a value of never being used.
2103 The default value is all.
2104 Lists that can be used in a boolean context:
2106 env_check Environment variables to be removed from the user's
2108 environment unless they are considered “safe”. For all
2109 variables except TZ, “safe” means that the variable's
2110 value does not contain any ‘%’ or ‘/’ characters. This
2111 can be used to guard against printf-style format vul‐
2112 nerabilities in poorly-written programs. The TZ vari‐
2113 able is considered unsafe if any of the following are
2114 true:
2115 · It consists of a fully-qualified path name, option‐
2117 ally prefixed with a colon (‘:’), that does not
2118 match the location of the zoneinfo directory.
2119 · It contains a .. path element.
2121 · It contains white space or non-printable characters.
2123 · It is longer than the value of PATH_MAX.
2125 The argument may be a double-quoted, space-separated
2127 list or a single value without double-quotes. The list
2128 can be replaced, added to, deleted from, or disabled by
2129 using the =, +=, -=, and ! operators respectively.
2130 Regardless of whether the env_reset option is enabled
2131 or disabled, variables specified by env_check will be
2132 preserved in the environment if they pass the aforemen‐
2133 tioned check. The global list of environment variables
2134 to check is displayed when sudo is run by root with the
2135 -V option.
2136 env_delete Environment variables to be removed from the user's
2138 environment when the env_reset option is not in effect.
2139 The argument may be a double-quoted, space-separated
2140 list or a single value without double-quotes. The list
2141 can be replaced, added to, deleted from, or disabled by
2142 using the =, +=, -=, and ! operators respectively. The
2143 global list of environment variables to remove is dis‐
2144 played when sudo is run by root with the -V option.
2145 Note that many operating systems will remove poten‐
2146 tially dangerous variables from the environment of any
2147 set-user-ID process (such as sudo).
2148 env_keep Environment variables to be preserved in the user's
2150 environment when the env_reset option is in effect.
2151 This allows fine-grained control over the environment
2152 sudo-spawned processes will receive. The argument may
2153 be a double-quoted, space-separated list or a single
2154 value without double-quotes. The list can be replaced,
2155 added to, deleted from, or disabled by using the =, +=,
2156 -=, and ! operators respectively. The global list of
2157 variables to keep is displayed when sudo is run by root
2158 with the -V option.
2159 Preserving the HOME environment variable has security
2161 implications since many programs use it when searching
2162 for configuration or data files. Adding HOME to
2163 env_keep may enable a user to run unrestricted commands
2164 via sudo and is strongly discouraged. Users wishing to
2165 edit files with sudo should run sudoedit (or sudo -e)
2166 to get their accustomed editor configuration instead of
2167 invoking the editor directly.
2168
2170 The sudoers plugin supports its own plugin interface to allow non-Unix
2171 group lookups which can query a group source other than the standard Unix
2172 group database. This can be used to implement support for the
2173 nonunix_group syntax described earlier.
2174 Group provider plugins are specified via the group_plugin setting. The
2176 argument to group_plugin should consist of the plugin path, either fully-
2177 qualified or relative to the /usr/libexec/sudo directory, followed by any
2178 configuration options the plugin requires. These options (if specified)
2179 will be passed to the plugin's initialization function. If options are
2180 present, the string must be enclosed in double quotes ("").
2181 The following group provider plugins are installed by default:
2183 group_file
2185 The group_file plugin supports an alternate group file that
2186 uses the same syntax as the /etc/group file. The path to the
2187 group file should be specified as an option to the plugin. For
2188 example, if the group file to be used is /etc/sudo-group:
2189 Defaults group_plugin="group_file.so /etc/sudo-group"
2191 system_group
2193 The system_group plugin supports group lookups via the standard
2194 C library functions getgrnam() and getgrid(). This plugin can
2195 be used in instances where the user belongs to groups not
2196 present in the user's supplemental group vector. This plugin
2197 takes no options:
2198 Defaults group_plugin=system_group.so
2200 The group provider plugin API is described in detail in sudo_plugin(5).
2202
2204 sudoers can log events using either syslog(3) or a simple log file. The
2205 log format is almost identical in both cases.
2206 Accepted command log entries
2208 Commands that sudo runs are logged using the following format (split into
2209 multiple lines for readability):
2210 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
2212 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2213 ENV=env_vars COMMAND=command
2214 Where the fields are as follows:
2216 date The date the command was run. Typically, this is in the
2218 format “MMM, DD, HH:MM:SS”. If logging via syslog(3), the
2219 actual date format is controlled by the syslog daemon. If
2220 logging to a file and the log_year option is enabled, the
2221 date will also include the year.
2222 hostname The name of the host sudo was run on. This field is only
2224 present when logging via syslog(3).
2225 progname The name of the program, usually sudo or sudoedit. This
2227 field is only present when logging via syslog(3).
2228 username The login name of the user who ran sudo.
2230 ttyname The short name of the terminal (e.g., “console”, “tty01”,
2232 or “pts/0”) sudo was run on, or “unknown” if there was no
2233 terminal present.
2234 cwd The current working directory that sudo was run in.
2236 runasuser The user the command was run as.
2238 runasgroup The group the command was run as if one was specified on
2240 the command line.
2241 logid An I/O log identifier that can be used to replay the com‐
2243 mand's output. This is only present when the log_input or
2244 log_output option is enabled.
2245 env_vars A list of environment variables specified on the command
2247 line, if specified.
2248 command The actual command that was executed.
2250 Messages are logged using the locale specified by sudoers_locale, which
2252 defaults to the “C” locale.
2253 Denied command log entries
2255 If the user is not allowed to run the command, the reason for the denial
2256 will follow the user name. Possible reasons include:
2257 user NOT in sudoers
2259 The user is not listed in the sudoers file.
2260 user NOT authorized on host
2262 The user is listed in the sudoers file but is not allowed to run com‐
2263 mands on the host.
2264 command not allowed
2266 The user is listed in the sudoers file for the host but they are not
2267 allowed to run the specified command.
2268 3 incorrect password attempts
2270 The user failed to enter their password after 3 tries. The actual num‐
2271 ber of tries will vary based on the number of failed attempts and the
2272 value of the passwd_tries option.
2273 a password is required
2275 The -n option was specified but a password was required.
2276 sorry, you are not allowed to set the following environment variables
2278 The user specified environment variables on the command line that were
2279 not allowed by sudoers.
2280 Error log entries
2282 If an error occurs, sudoers will log a message and, in most cases, send a
2283 message to the administrator via email. Possible errors include:
2284 parse error in /etc/sudoers near line N
2286 sudoers encountered an error when parsing the specified file. In some
2287 cases, the actual error may be one line above or below the line number
2288 listed, depending on the type of error.
2289 problem with defaults entries
2291 The sudoers file contains one or more unknown Defaults settings. This
2292 does not prevent sudo from running, but the sudoers file should be
2293 checked using visudo.
2294 timestamp owner (username): No such user
2296 The time stamp directory owner, as specified by the timestampowner set‐
2297 ting, could not be found in the password database.
2298 unable to open/read /etc/sudoers
2300 The sudoers file could not be opened for reading. This can happen when
2301 the sudoers file is located on a remote file system that maps user-ID 0
2302 to a different value. Normally, sudoers tries to open the sudoers file
2303 using group permissions to avoid this problem. Consider either chang‐
2304 ing the ownership of /etc/sudoers or adding an argument like
2305 “sudoers_uid=N” (where ‘N’ is the user-ID that owns the sudoers file)
2306 to the end of the sudoers Plugin line in the sudo.conf(5) file.
2307 unable to stat /etc/sudoers
2309 The /etc/sudoers file is missing.
2310 /etc/sudoers is not a regular file
2312 The /etc/sudoers file exists but is not a regular file or symbolic
2313 link.
2314 /etc/sudoers is owned by uid N, should be 0
2316 The sudoers file has the wrong owner. If you wish to change the
2317 sudoers file owner, please add “sudoers_uid=N” (where ‘N’ is the user-
2318 ID that owns the sudoers file) to the sudoers Plugin line in the
2319 sudo.conf(5) file.
2320 /etc/sudoers is world writable
2322 The permissions on the sudoers file allow all users to write to it.
2323 The sudoers file must not be world-writable, the default file mode is
2324 0440 (readable by owner and group, writable by none). The default mode
2325 may be changed via the “sudoers_mode” option to the sudoers Plugin line
2326 in the sudo.conf(5) file.
2327 /etc/sudoers is owned by gid N, should be 1
2329 The sudoers file has the wrong group ownership. If you wish to change
2330 the sudoers file group ownership, please add “sudoers_gid=N” (where ‘N’
2331 is the group-ID that owns the sudoers file) to the sudoers Plugin line
2332 in the sudo.conf(5) file.
2333 unable to open /run/sudo/ts/username
2335 sudoers was unable to read or create the user's time stamp file. This
2336 can happen when timestampowner is set to a user other than root and the
2337 mode on /run/sudo is not searchable by group or other. The default
2338 mode for /run/sudo is 0711.
2339 unable to write to /run/sudo/ts/username
2341 sudoers was unable to write to the user's time stamp file.
2342 /run/sudo/ts is owned by uid X, should be Y
2344 The time stamp directory is owned by a user other than timestampowner.
2345 This can occur when the value of timestampowner has been changed.
2346 sudoers will ignore the time stamp directory until the owner is cor‐
2347 rected.
2348 /run/sudo/ts is group writable
2350 The time stamp directory is group-writable; it should be writable only
2351 by timestampowner. The default mode for the time stamp directory is
2352 0700. sudoers will ignore the time stamp directory until the mode is
2353 corrected.
2354 Notes on logging via syslog
2356 By default, sudoers logs messages via syslog(3). The date, hostname, and
2357 progname fields are added by the system's syslog() function, not sudoers
2358 itself. As such, they may vary in format on different systems.
2359 The maximum size of syslog messages varies from system to system. The
2361 syslog_maxlen setting can be used to change the maximum syslog message
2362 size from the default value of 980 bytes. For more information, see the
2363 description of syslog_maxlen.
2364 Notes on logging to a file
2366 If the logfile option is set, sudoers will log to a local file, such as
2367 /var/log/sudo. When logging to a file, sudoers uses a format similar to
2368 syslog(3), with a few important differences:
2369 1. The progname and hostname fields are not present.
2371 2. If the log_year option is enabled, the date will also include the
2373 year.
2374 3. Lines that are longer than loglinelen characters (80 by default) are
2376 word-wrapped and continued on the next line with a four character
2377 indent. This makes entries easier to read for a human being, but
2378 makes it more difficult to use grep(1) on the log files. If the
2379 loglinelen option is set to 0 (or negated with a ‘!’), word wrap
2380 will be disabled.
2381
2383 When I/O logging is enabled, sudo will run the command in a pseudo-termi‐
2384 nal and log all user input and/or output, depending on which options are
2385 enabled. I/O is logged to the directory specified by the iolog_dir
2386 option (/var/log/sudo-io by default) using a unique session ID that is
2387 included in the sudo log line, prefixed with “TSID=”. The iolog_file
2388 option may be used to control the format of the session ID.
2389 Each I/O log is stored in a separate directory that contains the follow‐
2391 ing files:
2392 log A text file containing information about the command. The
2394 first line consists of the following colon-delimited fields:
2395 the time the command was run, the name of the user who ran
2396 sudo, the name of the target user, the name of the target group
2397 (optional), the terminal that sudo was run from, and the number
2398 of lines and columns of the terminal. The second and third
2399 lines contain the working directory the command was run from
2400 and the path name of the command itself (with arguments if
2401 present).
2402 timing Timing information used to replay the session. Each line con‐
2404 sists of the I/O log entry type and amount of time since the
2405 last entry, followed by type-specific data. The I/O log entry
2406 types and their corresponding type-specific data are:
2407 0 standard input, number of bytes in the entry
2409 1 standard output, number of bytes in the entry
2410 2 standard error, number of bytes in the entry
2411 3 terminal input, number of bytes in the entry
2412 4 terminal output, number of bytes in the entry
2413 5 window change, new number lines and columns
2414 6 bug compatibility for sudo 1.8.7 terminal output
2415 7 command suspend or resume, signal received
2416 ttyin Raw input from the user's terminal, exactly as it was received.
2418 No post-processing is performed. For manual viewing, you may
2419 wish to convert carriage return characters in the log to line
2420 feeds. For example: ‘gunzip -c ttyin | tr "\r" "\n"’
2421 stdin The standard input when no terminal is present, or input redi‐
2423 rected from a pipe or file.
2424 ttyout Output from the pseudo-terminal (what the command writes to the
2426 screen). Note that terminal-specific post-processing is per‐
2427 formed before the data is logged. This means that, for exam‐
2428 ple, line feeds are usually converted to line feed/carriage
2429 return pairs and tabs may be expanded to spaces.
2430 stdout The standard output when no terminal is present, or output
2432 redirected to a pipe or file.
2433 stderr The standard error redirected to a pipe or file.
2435 All files other than log are compressed in gzip format unless the
2437 compress_io flag has been disabled. Due to buffering, it is not normally
2438 possible to display the I/O logs in real-time as the program is execut‐
2439 ing. The I/O log data will not be complete until the program run by sudo
2440 has exited or has been terminated by a signal. The iolog_flush flag can
2441 be used to disable buffering, in which case I/O log data is written to
2442 disk as soon as it is available. The output portion of an I/O log file
2443 can be viewed with the sudoreplay(8) utility, which can also be used to
2444 list or search the available logs.
2445 Note that user input may contain sensitive information such as passwords
2447 (even if they are not echoed to the screen), which will be stored in the
2448 log file unencrypted. In most cases, logging the command output via
2449 log_output or LOG_OUTPUT is all that is required.
2450 Since each session's I/O logs are stored in a separate directory, tradi‐
2452 tional log rotation utilities cannot be used to limit the number of I/O
2453 logs. The simplest way to limit the number of I/O is by setting the
2454 maxseq option to the maximum number of logs you wish to store. Once the
2455 I/O log sequence number reaches maxseq, it will be reset to zero and
2456 sudoers will truncate and re-use any existing I/O logs.
2457
2459 /etc/sudo.conf Sudo front end configuration
2460 /etc/sudoers List of who can run what
2462 /etc/group Local groups file
2464 /etc/netgroup List of network groups
2466 /var/log/sudo-io I/O log files
2468 /run/sudo/ts Directory containing time stamps for the
2470 sudoers security policy
2471 /var/db/sudo/lectured Directory containing lecture status files for
2473 the sudoers security policy
2474 /etc/environment Initial environment for -i mode on AIX and
2476 Linux systems
2477
2479 Below are example sudoers file entries. Admittedly, some of these are a
2480 bit contrived. First, we allow a few environment variables to pass and
2481 then define our aliases:
2482 # Run X applications through sudo; HOME is used to find the
2484 # .Xauthority file. Note that other programs use HOME to find
2485 # configuration files and this may lead to privilege escalation!
2486 Defaults env_keep += "DISPLAY HOME"
2487 # User alias specification
2489 User_Alias FULLTIMERS = millert, mikef, dowdy
2490 User_Alias PARTTIMERS = bostley, jwfox, crawl
2491 User_Alias WEBMASTERS = will, wendy, wim
2492 # Runas alias specification
2494 Runas_Alias OP = root, operator
2495 Runas_Alias DB = oracle, sybase
2496 Runas_Alias ADMINGRP = adm, oper
2497 # Host alias specification
2499 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
2500 SGI = grolsch, dandelion, black :\
2501 ALPHA = widget, thalamus, foobar :\
2502 HPPA = boa, nag, python
2503 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
2504 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
2505 Host_Alias SERVERS = master, mail, www, ns
2506 Host_Alias CDROM = orion, perseus, hercules
2507 # Cmnd alias specification
2509 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
2510 /usr/sbin/restore, /usr/sbin/rrestore,\
2511 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
2512 /home/operator/bin/start_backups
2513 Cmnd_Alias KILL = /usr/bin/kill
2514 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
2515 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
2516 Cmnd_Alias HALT = /usr/sbin/halt
2517 Cmnd_Alias REBOOT = /usr/sbin/reboot
2518 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
2519 /usr/local/bin/tcsh, /usr/bin/rsh,\
2520 /usr/local/bin/zsh
2521 Cmnd_Alias SU = /usr/bin/su
2522 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
2523 Here we override some of the compiled in default values. We want sudo to
2525 log via syslog(3) using the auth facility in all cases. We don't want to
2526 subject the full time staff to the sudo lecture, user millert need not
2527 give a password, and we don't want to reset the LOGNAME or USER environ‐
2528 ment variables when running commands as root. Additionally, on the
2529 machines in the SERVERS Host_Alias, we keep an additional local log file
2530 and make sure we log the year in each log line since the log entries will
2531 be kept around for several years. Lastly, we disable shell escapes for
2532 the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and
2533 /usr/bin/less). Note that this will not effectively constrain users with
2534 sudo ALL privileges.
2535 # Override built-in defaults
2537 Defaults syslog=auth
2538 Defaults>root !set_logname
2539 Defaults:FULLTIMERS !lecture
2540 Defaults:millert !authenticate
2541 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
2542 Defaults!PAGERS noexec
2543 The User specification is the part that actually determines who may run
2545 what.
2546 root ALL = (ALL) ALL
2548 %wheel ALL = (ALL) ALL
2549 We let root and any user in group wheel run any command on any host as
2551 any user.
2552 FULLTIMERS ALL = NOPASSWD: ALL
2554 Full time sysadmins (millert, mikef, and dowdy) may run any command on
2556 any host without authenticating themselves.
2557 PARTTIMERS ALL = ALL
2559 Part time sysadmins bostley, jwfox, and crawl) may run any command on any
2561 host but they must authenticate themselves first (since the entry lacks
2562 the NOPASSWD tag).
2563 jack CSNETS = ALL
2565 The user jack may run any command on the machines in the CSNETS alias
2567 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
2568 networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
2569 indicating it is a class C network. For the other networks in CSNETS,
2570 the local machine's netmask will be used during matching.
2571 lisa CUNETS = ALL
2573 The user lisa may run any command on any host in the CUNETS alias (the
2575 class B network 128.138.0.0).
2576 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
2578 sudoedit /etc/printcap, /usr/oper/bin/
2579 The operator user may run commands limited to simple maintenance. Here,
2581 those are commands related to backups, killing processes, the printing
2582 system, shutting down the system, and any commands in the directory
2583 /usr/oper/bin/. Note that one command in the DUMPS Cmnd_Alias includes a
2584 sha224 digest, /home/operator/bin/start_backups. This is because the
2585 directory containing the script is writable by the operator user. If the
2586 script is modified (resulting in a digest mismatch) it will no longer be
2587 possible to run it via sudo.
2588 joe ALL = /usr/bin/su operator
2590 The user joe may only su(1) to operator.
2592 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
2594 %opers ALL = (: ADMINGRP) /usr/sbin/
2596 Users in the opers group may run commands in /usr/sbin/ as themselves
2598 with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
2599 The user pete is allowed to change anyone's password except for root on
2601 the HPPA machines. Because command line arguments are matched as a sin‐
2602 gle, concatenated string, the ‘*’ wildcard will match multiple words.
2603 This example assumes that passwd(1) does not take multiple user names on
2604 the command line. Note that on GNU systems, options to passwd(1) may be
2605 specified after the user argument. As a result, this rule will also
2606 allow:
2607 passwd username --expire
2609 which may not be desirable.
2611 bob SPARC = (OP) ALL : SGI = (OP) ALL
2613 The user bob may run anything on the SPARC and SGI machines as any user
2615 listed in the OP Runas_Alias (root and operator.)
2616 jim +biglab = ALL
2618 The user jim may run any command on machines in the biglab netgroup.
2620 sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
2621 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
2623 Users in the secretaries netgroup need to help manage the printers as
2625 well as add and remove users, so they are allowed to run those commands
2626 on all machines.
2627 fred ALL = (DB) NOPASSWD: ALL
2629 The user fred can run commands as any user in the DB Runas_Alias (oracle
2631 or sybase) without giving a password.
2632 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
2634 On the ALPHA machines, user john may su to anyone except root but he is
2636 not allowed to specify any options to the su(1) command.
2637 jen ALL, !SERVERS = ALL
2639 The user jen may run any command on any machine except for those in the
2641 SERVERS Host_Alias (master, mail, www and ns).
2642 jill SERVERS = /usr/bin/, !SU, !SHELLS
2644 For any machine in the SERVERS Host_Alias, jill may run any commands in
2646 the directory /usr/bin/ except for those commands belonging to the SU and
2647 SHELLS Cmnd_Aliases. While not specifically mentioned in the rule, the
2648 commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
2649 noexec option set.
2650 steve CSNETS = (operator) /usr/local/op_commands/
2652 The user steve may run any command in the directory /usr/local/op_com‐
2654 mands/ but only as user operator.
2655 matt valkyrie = KILL
2657 On his personal workstation, valkyrie, matt needs to be able to kill hung
2659 processes.
2660 WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
2662 On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and
2664 wim), may run any command as user www (which owns the web pages) or sim‐
2665 ply su(1) to www.
2666 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
2668 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
2669 Any user may mount or unmount a CD-ROM on the machines in the CDROM
2671 Host_Alias (orion, perseus, hercules) without entering a password. This
2672 is a bit tedious for users to type, so it is a prime candidate for encap‐
2673 sulating in a shell script.
2674
2676 Limitations of the ‘!’ operator
2677 It is generally not effective to “subtract” commands from ALL using the
2678 ‘!’ operator. A user can trivially circumvent this by copying the
2679 desired command to a different name and then executing that. For exam‐
2680 ple:
2681 bill ALL = ALL, !SU, !SHELLS
2683 Doesn't really prevent bill from running the commands listed in SU or
2685 SHELLS since he can simply copy those commands to a different name, or
2686 use a shell escape from an editor or other program. Therefore, these
2687 kind of restrictions should be considered advisory at best (and rein‐
2688 forced by policy).
2689 In general, if a user has sudo ALL there is nothing to prevent them from
2691 creating their own program that gives them a root shell (or making their
2692 own copy of a shell) regardless of any ‘!’ elements in the user specifi‐
2693 cation.
2694 Security implications of fast_glob
2696 If the fast_glob option is in use, it is not possible to reliably negate
2697 commands where the path name includes globbing (aka wildcard) characters.
2698 This is because the C library's fnmatch(3) function cannot resolve rela‐
2699 tive paths. While this is typically only an inconvenience for rules that
2700 grant privileges, it can result in a security issue for rules that sub‐
2701 tract or revoke privileges.
2702 For example, given the following sudoers file entry:
2704 john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
2706 /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
2707 User john can still run /usr/bin/passwd root if fast_glob is enabled by
2709 changing to /usr/bin and running ./passwd root instead.
2710 Preventing shell escapes
2712 Once sudo executes a program, that program is free to do whatever it
2713 pleases, including run other programs. This can be a security issue
2714 since it is not uncommon for a program to allow shell escapes, which lets
2715 a user bypass sudo's access control and logging. Common programs that
2716 permit shell escapes include shells (obviously), editors, paginators,
2717 mail and terminal programs.
2718 There are two basic approaches to this problem:
2720 restrict Avoid giving users access to commands that allow the user to
2722 run arbitrary commands. Many editors have a restricted mode
2723 where shell escapes are disabled, though sudoedit is a better
2724 solution to running editors via sudo. Due to the large number
2725 of programs that offer shell escapes, restricting users to the
2726 set of programs that do not is often unworkable.
2727 noexec Many systems that support shared libraries have the ability to
2729 override default library functions by pointing an environment
2730 variable (usually LD_PRELOAD) to an alternate shared library.
2731 On such systems, sudo's noexec functionality can be used to
2732 prevent a program run by sudo from executing any other pro‐
2733 grams. Note, however, that this applies only to native dynami‐
2734 cally-linked executables. Statically-linked executables and
2735 foreign executables running under binary emulation are not
2736 affected.
2737 The noexec feature is known to work on SunOS, Solaris, *BSD,
2739 Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and
2740 above. It should be supported on most operating systems that
2741 support the LD_PRELOAD environment variable. Check your oper‐
2742 ating system's manual pages for the dynamic linker (usually
2743 ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
2744 LD_PRELOAD is supported.
2745 On Solaris 10 and higher, noexec uses Solaris privileges
2747 instead of the LD_PRELOAD environment variable.
2748 To enable noexec for a command, use the NOEXEC tag as docu‐
2750 mented in the User Specification section above. Here is that
2751 example again:
2752 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
2754 This allows user aaron to run /usr/bin/more and /usr/bin/vi
2756 with noexec enabled. This will prevent those two commands from
2757 executing other commands (such as a shell). If you are unsure
2758 whether or not your system is capable of supporting noexec you
2759 can always just try it out and check whether shell escapes work
2760 when noexec is enabled.
2761 Note that restricting shell escapes is not a panacea. Programs running
2763 as root are still capable of many potentially hazardous operations (such
2764 as changing or overwriting files) that could lead to unintended privilege
2765 escalation. In the specific case of an editor, a safer approach is to
2766 give the user permission to run sudoedit (see below).
2767 Secure editing
2769 The sudoers plugin includes sudoedit support which allows users to
2770 securely edit files with the editor of their choice. As sudoedit is a
2771 built-in command, it must be specified in the sudoers file without a
2772 leading path. However, it may take command line arguments just as a nor‐
2773 mal command does. Wildcards used in sudoedit command line arguments are
2774 expected to be path names, so a forward slash (‘/’) will not be matched
2775 by a wildcard.
2776 Unlike other sudo commands, the editor is run with the permissions of the
2778 invoking user and with the environment unmodified. More information may
2779 be found in the description of the -e option in sudo(8).
2780 For example, to allow user operator to edit the “message of the day”
2782 file:
2783 operator sudoedit /etc/motd
2785 The operator user then runs sudoedit as follows:
2787 $ sudoedit /etc/motd
2789 The editor will run as the operator user, not root, on a temporary copy
2791 of /etc/motd. After the file has been edited, /etc/motd will be updated
2792 with the contents of the temporary copy.
2793 Users should never be granted sudoedit permission to edit a file that
2795 resides in a directory the user has write access to, either directly or
2796 via a wildcard. If the user has write access to the directory it is pos‐
2797 sible to replace the legitimate file with a link to another file, allow‐
2798 ing the editing of arbitrary files. To prevent this, starting with ver‐
2799 sion 1.8.16, symbolic links will not be followed in writable directories
2800 and sudoedit will refuse to edit a file located in a writable directory
2801 unless the sudoedit_checkdir option has been disabled or the invoking
2802 user is root. Additionally, in version 1.8.15 and higher, sudoedit will
2803 refuse to open a symbolic link unless either the sudoedit_follow option
2804 is enabled or the sudoedit command is prefixed with the FOLLOW tag in the
2805 sudoers file.
2806 Time stamp file checks
2808 sudoers will check the ownership of its time stamp directory
2809 (/run/sudo/ts by default) and ignore the directory's contents if it is
2810 not owned by root or if it is writable by a user other than root. Older
2811 versions of sudo stored time stamp files in /tmp; this is no longer rec‐
2812 ommended as it may be possible for a user to create the time stamp them‐
2813 selves on systems that allow unprivileged users to change the ownership
2814 of files they create.
2815 While the time stamp directory should be cleared at reboot time, not all
2817 systems contain a /run or /var/run directory. To avoid potential prob‐
2818 lems, sudoers will ignore time stamp files that date from before the
2819 machine booted on systems where the boot time is available.
2820 Some systems with graphical desktop environments allow unprivileged users
2822 to change the system clock. Since sudoers relies on the system clock for
2823 time stamp validation, it may be possible on such systems for a user to
2824 run sudo for longer than timestamp_timeout by setting the clock back. To
2825 combat this, sudoers uses a monotonic clock (which never moves backwards)
2826 for its time stamps if the system supports it.
2827 sudoers will not honor time stamps set far in the future. Time stamps
2829 with a date greater than current_time + 2 * TIMEOUT will be ignored and
2830 sudoers will log and complain.
2831 If the timestamp_type option is set to “tty”, the time stamp record
2833 includes the device number of the terminal the user authenticated with.
2834 This provides per-terminal granularity but time stamp records may still
2835 outlive the user's session.
2836 Unless the timestamp_type option is set to “global”, the time stamp
2838 record also includes the session ID of the process that last authenti‐
2839 cated. This prevents processes in different terminal sessions from using
2840 the same time stamp record. On systems where a process's start time can
2841 be queried, the start time of the session leader is recorded in the time
2842 stamp record. If no terminal is present or the timestamp_type option is
2843 set to “ppid”, the start time of the parent process is used instead. In
2844 most cases this will prevent a time stamp record from being re-used with‐
2845 out the user entering a password when logging out and back in again.
2846
2848 Versions 1.8.4 and higher of the sudoers plugin support a flexible debug‐
2849 ging framework that can help track down what the plugin is doing inter‐
2850 nally if there is a problem. This can be configured in the sudo.conf(5)
2851 file.
2852 The sudoers plugin uses the same debug flag format as the sudo front-end:
2854 subsystem@priority.
2855 The priorities used by sudoers, in order of decreasing severity, are:
2857 crit, err, warn, notice, diag, info, trace and debug. Each priority,
2858 when specified, also includes all priorities higher than it. For exam‐
2859 ple, a priority of notice would include debug messages logged at notice
2860 and higher.
2861 The following subsystems are used by the sudoers plugin:
2863 alias User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
2865 all matches every subsystem
2867 audit BSM and Linux audit code
2869 auth user authentication
2871 defaults sudoers file Defaults settings
2873 env environment handling
2875 ldap LDAP-based sudoers
2877 logging logging support
2879 match matching of users, groups, hosts and netgroups in the sudoers
2881 file
2882 netif network interface handling
2884 nss network service switch handling in sudoers
2886 parser sudoers file parsing
2888 perms permission setting
2890 plugin The equivalent of main for the plugin.
2892 pty pseudo-terminal related code
2894 rbtree redblack tree internals
2896 sssd SSSD-based sudoers
2898 util utility functions
2900 For example:
2901 Debug sudo /var/log/sudo_debug match@info,nss@info
2903 For more information, see the sudo.conf(5) manual.
2905
2907 ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(5),
2908 sudo_plugin(5), sudoers.ldap(5), sudoers_timestamp(5), sudo(8), visudo(8)
2909
2911 Many people have worked on sudo over the years; this version consists of
2912 code written primarily by:
2913 Todd C. Miller
2915 See the CONTRIBUTORS file in the sudo distribution
2917 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
2918 who have contributed to sudo.
2919
2921 The sudoers file should always be edited by the visudo command which
2922 locks the file and does grammatical checking. It is imperative that the
2923 sudoers file be free of syntax errors since sudo will not run with a syn‐
2924 tactically incorrect sudoers file.
2925 When using netgroups of machines (as opposed to users), if you store
2927 fully qualified host name in the netgroup (as is usually the case), you
2928 either need to have the machine's host name be fully qualified as
2929 returned by the hostname command or use the fqdn option in sudoers.
2930
2932 If you feel you have found a bug in sudo, please submit a bug report at
2933 https://bugzilla.sudo.ws/
2934
2936 Limited free support is available via the sudo-users mailing list, see
2937 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
2938 the archives.
2939
2941 sudo is provided “AS IS” and any express or implied warranties, includ‐
2942 ing, but not limited to, the implied warranties of merchantability and
2943 fitness for a particular purpose are disclaimed. See the LICENSE file
2944 distributed with sudo or https://www.sudo.ws/license.html for complete
2945 details.
2946Sudo 1.8.29 October 20, 2019 Sudo 1.8.29