1SUDOERS(5) BSD File Formats Manual SUDOERS(5)
2
4 sudoers — default sudo security policy plugin
5
7 The sudoers policy plugin determines a user's sudo privileges. It is the
8 default sudo policy plugin. The policy is driven by the /etc/sudoers
9 file or, optionally in LDAP. The policy format is described in detail in
10 the SUDOERS FILE FORMAT section. For information on storing sudoers pol‐
11 icy information in LDAP, please see sudoers.ldap(5).
12 Configuring sudo.conf for sudoers
14 sudo consults the sudo.conf(5) file to determine which policy and I/O
15 logging plugins to load. If no sudo.conf(5) file is present, or if it
16 contains no Plugin lines, sudoers will be used for policy decisions and
17 I/O logging. To explicitly configure sudo.conf(5) to use the sudoers
18 plugin, the following configuration can be used.
19 Plugin sudoers_audit sudoers.so
21 Plugin sudoers_policy sudoers.so
22 Plugin sudoers_io sudoers.so
23 Starting with sudo 1.8.5, it is possible to specify optional arguments to
25 the sudoers plugin in the sudo.conf(5) file. Plugin arguments, if any,
26 should be listed after the path to the plugin (i.e., after sudoers.so).
27 The arguments are only effective for the plugin that opens (and parses)
28 the sudoers file.
29 For sudo version 1.9.1 and higher, this is the sudoers_audit plugin. For
31 older versions, it is the sudoers_policy plugin. Multiple arguments may
32 be specified, separated by white space. For example:
33 Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false
35 The following plugin arguments are supported:
37 error_recovery=bool
39 The error_recovery argument can be used to control whether
40 sudoers should attempt to recover from syntax errors in the
41 sudoers file. If set to true (the default), sudoers will try
42 to recover from a syntax error by discarding the portion of the
43 line that contains the error until the end of the line. A
44 value of false will disable error recovery. Prior to version
45 1.9.3, no error recovery was performed.
46 ldap_conf=pathname
48 The ldap_conf argument can be used to override the default path
49 to the ldap.conf file.
50 ldap_secret=pathname
52 The ldap_secret argument can be used to override the default
53 path to the ldap.secret file.
54 sudoers_file=pathname
56 The sudoers_file argument can be used to override the default
57 path to the sudoers file.
58 sudoers_uid=uid
60 The sudoers_uid argument can be used to override the default
61 owner of the sudoers file. It should be specified as a numeric
62 user-ID.
63 sudoers_gid=gid
65 The sudoers_gid argument can be used to override the default
66 group of the sudoers file. It must be specified as a numeric
67 group-ID (not a group name).
68 sudoers_mode=mode
70 The sudoers_mode argument can be used to override the default
71 file mode for the sudoers file. It should be specified as an
72 octal value.
73 For more information on configuring sudo.conf(5), please refer to its
75 manual.
76 User Authentication
78 The sudoers security policy requires that most users authenticate them‐
79 selves before they can use sudo. A password is not required if the
80 invoking user is root, if the target user is the same as the invoking
81 user, or if the policy has disabled authentication for the user or com‐
82 mand. Unlike su(1), when sudoers requires authentication, it validates
83 the invoking user's credentials, not the target user's (or root's) cre‐
84 dentials. This can be changed via the rootpw, targetpw and runaspw
85 flags, described later.
86 If a user who is not listed in the policy tries to run a command via
88 sudo, mail is sent to the proper authorities. The address used for such
89 mail is configurable via the mailto Defaults entry (described later) and
90 defaults to root.
91 Note that no mail will be sent if an unauthorized user tries to run sudo
93 with the -l or -v option unless there is an authentication error and
94 either the mail_always or mail_badpass flags are enabled. This allows
95 users to determine for themselves whether or not they are allowed to use
96 sudo. By default, all attempts to run sudo (successful or not) are
97 logged, regardless of whether or not mail is sent.
98 If sudo is run by root and the SUDO_USER environment variable is set, the
100 sudoers policy will use this value to determine who the actual user is.
101 This can be used by a user to log commands through sudo even when a root
102 shell has been invoked. It also allows the -e option to remain useful
103 even when invoked via a sudo-run script or program. Note, however, that
104 the sudoers file lookup is still done for root, not the user specified by
105 SUDO_USER.
106 sudoers uses per-user time stamp files for credential caching. Once a
108 user has been authenticated, a record is written containing the user-ID
109 that was used to authenticate, the terminal session ID, the start time of
110 the session leader (or parent process) and a time stamp (using a mono‐
111 tonic clock if one is available). The user may then use sudo without a
112 password for a short period of time (5 minutes unless overridden by the
113 timestamp_timeout option). By default, sudoers uses a separate record
114 for each terminal, which means that a user's login sessions are authenti‐
115 cated separately. The timestamp_type option can be used to select the
116 type of time stamp record sudoers will use.
117 Logging
119 By default, sudoers logs both successful and unsuccessful attempts (as
120 well as errors). The log_allowed and log_denied flags can be used to
121 control this behavior. Messages can be logged to syslog(3), a log file,
122 or both. The default is to log to syslog(3) but this is configurable via
123 the syslog and logfile settings. See LOG FORMAT for a description of the
124 log file format.
125 sudoers is also capable of running a command in a pseudo-terminal and
127 logging all input and/or output. The standard input, standard output and
128 standard error can be logged even when not associated with a terminal.
129 I/O logging is not on by default but can be enabled using the log_input
130 and log_output options as well as the LOG_INPUT and LOG_OUTPUT command
131 tags. See I/O LOG FILES for details on how I/O log files are stored.
132 Starting with version 1.9, the log_servers setting may be used to send
134 event and I/O log data to a remote server running sudo_logsrvd or another
135 service that implements the protocol described by sudo_logsrv.proto(5).
136 Command environment
138 Since environment variables can influence program behavior, sudoers pro‐
139 vides a means to restrict which variables from the user's environment are
140 inherited by the command to be run. There are two distinct ways sudoers
141 can deal with environment variables.
142 By default, the env_reset flag is enabled. This causes commands to be
144 executed with a new, minimal environment. On AIX (and Linux systems
145 without PAM), the environment is initialized with the contents of the
146 /etc/environment file. The HOME, MAIL, SHELL, LOGNAME and USER environ‐
147 ment variables are initialized based on the target user and the SUDO_*
148 variables are set based on the invoking user. Additional variables, such
149 as DISPLAY, PATH and TERM, are preserved from the invoking user's envi‐
150 ronment if permitted by the env_check or env_keep options. A few envi‐
151 ronment variables are treated specially. If the PATH and TERM variables
152 are not preserved from the user's environment, they will be set to
153 default values. The LOGNAME and USER are handled as a single entity. If
154 one of them is preserved (or removed) from the user's environment, the
155 other will be as well. If LOGNAME and USER are to be preserved but only
156 one of them is present in the user's environment, the other will be set
157 to the same value. This avoids an inconsistent environment where one of
158 the variables describing the user name is set to the invoking user and
159 one is set to the target user. Environment variables with a value begin‐
160 ning with () are removed unless both the name and value parts are matched
161 by env_keep or env_check, as they may be interpreted as functions by the
162 bash shell. Prior to version 1.8.11, such variables were always removed.
163 If, however, the env_reset flag is disabled, any variables not explicitly
165 denied by the env_check and env_delete options are allowed and their val‐
166 ues are inherited from the invoking process. Prior to version 1.8.21,
167 environment variables with a value beginning with () were always removed.
168 Beginning with version 1.8.21, a pattern in env_delete is used to match
169 bash shell functions instead. Since it is not possible to block all
170 potentially dangerous environment variables, use of the default env_reset
171 behavior is encouraged.
172 Environment variables specified by env_check, env_delete, or env_keep may
174 include one or more ‘*’ characters which will match zero or more charac‐
175 ters. No other wildcard characters are supported.
176 By default, environment variables are matched by name. However, if the
178 pattern includes an equal sign (‘=’), both the variables name and value
179 must match. For example, a bash shell function could be matched as fol‐
180 lows:
181 env_keep += "BASH_FUNC_my_func%%=()*"
183 Without the “=()*” suffix, this would not match, as bash shell functions
185 are not preserved by default.
186 The complete list of environment variables that are preserved or removed,
188 as modified by global Defaults parameters in sudoers, is displayed when
189 sudo is run by root with the -V option. Please note that the list of
190 environment variables to remove varies based on the operating system sudo
191 is running on.
192 Other sudoers options may influence the command environment, such as
194 always_set_home, secure_path, set_logname, and set_home.
195 On systems that support PAM where the pam_env module is enabled for sudo,
197 variables in the PAM environment may be merged in to the environment. If
198 a variable in the PAM environment is already present in the user's envi‐
199 ronment, the value will only be overridden if the variable was not pre‐
200 served by sudoers. When env_reset is enabled, variables preserved from
201 the invoking user's environment by the env_keep list take precedence over
202 those in the PAM environment. When env_reset is disabled, variables
203 present the invoking user's environment take precedence over those in the
204 PAM environment unless they match a pattern in the env_delete list.
205 Note that the dynamic linker on most operating systems will remove vari‐
207 ables that can control dynamic linking from the environment of set-user-
208 ID executables, including sudo. Depending on the operating system this
209 may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
210 These type of variables are removed from the environment before sudo even
211 begins execution and, as such, it is not possible for sudo to preserve
212 them.
213 As a special case, if the -i option (initial login) is specified, sudoers
215 will initialize the environment regardless of the value of env_reset.
216 The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL,
217 USER, and LOGNAME are set based on the target user. On AIX (and Linux
218 systems without PAM), the contents of /etc/environment are also included.
219 All other environment variables are removed unless permitted by env_keep
220 or env_check, described above.
221 Finally, the restricted_env_file and env_file files are applied, if
223 present. The variables in restricted_env_file are applied first and are
224 subject to the same restrictions as the invoking user's environment, as
225 detailed above. The variables in env_file are applied last and are not
226 subject to these restrictions. In both cases, variables present in the
227 files will only be set to their specified values if they would not con‐
228 flict with an existing environment variable.
229
231 The sudoers file is composed of two types of entries: aliases (basically
232 variables) and user specifications (which specify who may run what).
233 When multiple entries match for a user, they are applied in order. Where
235 there are multiple matches, the last match is used (which is not neces‐
236 sarily the most specific match).
237 The sudoers file grammar will be described below in Extended Backus-Naur
239 Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
240 simple, and the definitions below are annotated.
241 Quick guide to EBNF
243 EBNF is a concise and exact way of describing the grammar of a language.
244 Each EBNF definition is made up of production rules. E.g.,
245 symbol ::= definition | alternate1 | alternate2 ...
247 Each production rule references others and thus makes up a grammar for
249 the language. EBNF also contains the following operators, which many
250 readers will recognize from regular expressions. Do not, however, con‐
251 fuse them with “wildcard” characters, which have different meanings.
252 ? Means that the preceding symbol (or group of symbols) is optional.
254 That is, it may appear once or not at all.
255 * Means that the preceding symbol (or group of symbols) may appear
257 zero or more times.
258 + Means that the preceding symbol (or group of symbols) may appear
260 one or more times.
261 Parentheses may be used to group symbols together. For clarity, we will
263 use single quotes ('') to designate what is a verbatim character string
264 (as opposed to a symbol name).
265 Aliases
267 There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
268 Cmnd_Alias. Beginning with sudo 1.9.0, Cmd_Alias may be used in place of
269 Cmnd_Alias if desired.
270 Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
272 'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
273 'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
274 'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)* |
275 'Cmd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*
276 User_Alias ::= NAME
278 User_Alias_Spec ::= User_Alias '=' User_List
280 Runas_Alias ::= NAME
282 Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
284 Host_Alias ::= NAME
286 Host_Alias_Spec ::= Host_Alias '=' Host_List
288 Cmnd_Alias ::= NAME
290 Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
292 NAME ::= [A-Z]([A-Z][0-9]_)*
294 Each alias definition is of the form
296 Alias_Type NAME = item1, item2, ...
298 where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
300 Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and under‐
301 score characters (‘_’). A NAME must start with an uppercase letter. It
302 is possible to put several alias definitions of the same type on a single
303 line, joined by a colon (‘:’). E.g.,
304 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
306 It is a syntax error to redefine an existing alias. It is possible to
308 use the same name for aliases of different types, but this is not recom‐
309 mended.
310 The definitions of what constitutes a valid alias member follow.
312 User_List ::= User |
314 User ',' User_List
315 User ::= '!'* user name |
317 '!'* #uid |
318 '!'* %group |
319 '!'* %#gid |
320 '!'* +netgroup |
321 '!'* %:nonunix_group |
322 '!'* %:#nonunix_gid |
323 '!'* User_Alias
324 A User_List is made up of one or more user names, user-IDs (prefixed with
326 ‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’ respec‐
327 tively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
328 (prefixed with ‘%:’ and ‘%:#’ respectively) and User_Aliases. Each list
329 item may be prefixed with zero or more ‘!’ operators. An odd number of
330 ‘!’ operators negate the value of the item; an even number just cancel
331 each other out. User netgroups are matched using the user and domain
332 members only; the host member is not used when matching.
333 A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
335 be enclosed in double quotes to avoid the need for escaping special char‐
336 acters. Alternately, special characters may be specified in escaped hex
337 mode, e.g., \x20 for space. When using double quotes, any prefix charac‐
338 ters must be included inside the quotes.
339 The actual nonunix_group and nonunix_gid syntax depends on the underlying
341 group provider plugin. For instance, the QAS AD plugin supports the fol‐
342 lowing formats:
343 · Group in the same domain: "%:Group Name"
345 · Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
347 · Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
349 See GROUP PROVIDER PLUGINS for more information.
351 Note that quotes around group names are optional. Unquoted strings must
353 use a backslash (‘\’) to escape spaces and special characters. See Other
354 special characters and reserved words for a list of characters that need
355 to be escaped.
356 Runas_List ::= Runas_Member |
358 Runas_Member ',' Runas_List
359 Runas_Member ::= '!'* user name |
361 '!'* #uid |
362 '!'* %group |
363 '!'* %#gid |
364 '!'* %:nonunix_group |
365 '!'* %:#nonunix_gid |
366 '!'* +netgroup |
367 '!'* Runas_Alias
368 A Runas_List is similar to a User_List except that instead of
370 User_Aliases it can contain Runas_Aliases. Note that user names and
371 groups are matched as strings. In other words, two users (groups) with
372 the same user (group) ID are considered to be distinct. If you wish to
373 match all user names with the same user-ID (e.g., root and toor), you can
374 use a user-ID instead of a name (#0 in the example given). Note that the
375 user-ID or group-ID specified in a Runas_Member need not be listed in the
376 password or group database.
377 Host_List ::= Host |
379 Host ',' Host_List
380 Host ::= '!'* host name |
382 '!'* ip_addr |
383 '!'* network(/netmask)? |
384 '!'* +netgroup |
385 '!'* Host_Alias
386 A Host_List is made up of one or more host names, IP addresses, network
388 numbers, netgroups (prefixed with ‘+’) and other aliases. Again, the
389 value of an item may be negated with the ‘!’ operator. Host netgroups
390 are matched using the host (both qualified and unqualified) and domain
391 members only; the user member is not used when matching. If you specify
392 a network number without a netmask, sudo will query each of the local
393 host's network interfaces and, if the network number corresponds to one
394 of the hosts's network interfaces, will use the netmask of that inter‐
395 face. The netmask may be specified either in standard IP address nota‐
396 tion (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
397 (number of bits, e.g., 24 or 64). A host name may include shell-style
398 wildcards (see the Wildcards section below), but unless the host name
399 command on your machine returns the fully qualified host name, you'll
400 need to use the fqdn flag for wildcards to be useful. Note that sudo
401 only inspects actual network interfaces; this means that IP address
402 127.0.0.1 (localhost) will never match. Also, the host name “localhost”
403 will only match if that is the actual host name, which is usually only
404 the case for non-networked systems.
405 digest ::= [A-Fa-f0-9]+ |
407 [A-Za-z0-9\+/=]+
408 Digest_Spec ::= "sha224" ':' digest |
410 "sha256" ':' digest |
411 "sha384" ':' digest |
412 "sha512" ':' digest
413 Digest_List ::= Digest_Spec |
415 Digest_Spec ',' Digest_List
416 Cmnd_List ::= Cmnd |
418 Cmnd ',' Cmnd_List
419 command name ::= file name |
421 file name args |
422 file name '""'
423 Edit_Spec ::= "sudoedit" file name+
425 Cmnd ::= Digest_List? '!'* command name |
427 '!'* directory |
428 '!'* Edit_Spec |
429 '!'* Cmnd_Alias
430 A Cmnd_List is a list of one or more command names, directories, and
432 other aliases. A command name is a fully qualified file name which may
433 include shell-style wildcards (see the Wildcards section below). A sim‐
434 ple file name allows the user to run the command with any arguments they
435 wish. However, you may also specify command line arguments (including
436 wildcards). Alternately, you can specify "" to indicate that the command
437 may only be run without command line arguments. A directory is a fully
438 qualified path name ending in a ‘/’. When you specify a directory in a
439 Cmnd_List, the user will be able to run any file within that directory
440 (but not in any sub-directories therein).
441 If a Cmnd has associated command line arguments, then the arguments in
443 the Cmnd must match exactly those given by the user on the command line
444 (or match the wildcards if there are any). Note that the following char‐
445 acters must be escaped with a ‘\’ if they are used in command arguments:
446 ‘,’, ‘:’, ‘=’, ‘\’. The built-in command “sudoedit” is used to permit a
447 user to run sudo with the -e option (or as sudoedit). It may take com‐
448 mand line arguments just as a normal command does. Note that “sudoedit”
449 is a command built into sudo itself and must be specified in the sudoers
450 file without a leading path. If a leading path is present, for example
451 /usr/bin/sudoedit, the path name will be silently converted to
452 “sudoedit”. A fully-qualified path for sudoedit is treated as an error
453 by visudo.
454 A command name may be preceded by a Digest_List, a comma-separated list
456 of one or more Digest_Spec entries. If a Digest_List is present, the
457 command will only match successfully if it can be verified using one of
458 the SHA-2 digests in the list. Starting with version 1.9.0, the ALL
459 reserved word can be used in conjunction with a Digest_List. The follow‐
460 ing digest formats are supported: sha224, sha256, sha384 and sha512. The
461 string may be specified in either hex or base64 format (base64 is more
462 compact). There are several utilities capable of generating SHA-2
463 digests in hex format such as openssl, shasum, sha224sum, sha256sum,
464 sha384sum, sha512sum.
465 For example, using openssl:
467 $ openssl dgst -sha224 /bin/ls
469 SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
470 It is also possible to use openssl to generate base64 output:
472 $ openssl dgst -binary -sha224 /bin/ls | openssl base64
474 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
475 Warning, if the user has write access to the command itself (directly or
477 via a sudo command), it may be possible for the user to replace the com‐
478 mand after the digest check has been performed but before the command is
479 executed. A similar race condition exists on systems that lack the
480 fexecve(2) system call when the directory in which the command is located
481 is writable by the user. See the description of the fdexec setting for
482 more information on how sudo executes commands that have an associated
483 digest.
484 Command digests are only supported by version 1.8.7 or higher.
486 Defaults
488 Certain configuration options may be changed from their default values at
489 run-time via one or more Default_Entry lines. These may affect all users
490 on any host, all users on a specific host, a specific user, a specific
491 command, or commands being run as a specific user. Note that per-command
492 entries may not include command line arguments. If you need to specify
493 arguments, define a Cmnd_Alias and reference that instead.
494 Default_Type ::= 'Defaults' |
496 'Defaults' '@' Host_List |
497 'Defaults' ':' User_List |
498 'Defaults' '!' Cmnd_List |
499 'Defaults' '>' Runas_List
500 Default_Entry ::= Default_Type Parameter_List
502 Parameter_List ::= Parameter |
504 Parameter ',' Parameter_List
505 Parameter ::= Parameter '=' Value |
507 Parameter '+=' Value |
508 Parameter '-=' Value |
509 '!'* Parameter
510 Parameters may be flags, integer values, strings, or lists. Flags are
512 implicitly boolean and can be turned off via the ‘!’ operator. Some
513 integer, string and list parameters may also be used in a boolean context
514 to disable them. Values may be enclosed in double quotes ("") when they
515 contain multiple words. Special characters may be escaped with a back‐
516 slash (‘\’).
517 Lists have two additional assignment operators, += and -=. These opera‐
519 tors are used to add to and delete from a list respectively. It is not
520 an error to use the -= operator to remove an element that does not exist
521 in a list.
522 Defaults entries are parsed in the following order: generic, host, user
524 and runas Defaults first, then command defaults. If there are multiple
525 Defaults settings of the same type, the last matching setting is used.
526 The following Defaults settings are parsed before all others since they
527 may affect subsequent entries: fqdn, group_plugin, runas_default,
528 sudoers_locale.
529 See SUDOERS OPTIONS for a list of supported Defaults parameters.
531 User specification
533 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
534 (':' Host_List '=' Cmnd_Spec_List)*
535 Cmnd_Spec_List ::= Cmnd_Spec |
537 Cmnd_Spec ',' Cmnd_Spec_List
538 Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
540 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
542 Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
544 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
546 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
548 Timeout_Spec ::= 'TIMEOUT=timeout'
550 Chdir_Spec ::= 'CWD=directory'
552 Chroot_Spec ::= 'CHROOT=directory'
554 Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
556 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
557 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
558 'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
559 A user specification determines which commands a user may run (and as
561 what user) on specified hosts. By default, commands are run as root, but
562 this can be changed on a per-command basis.
563 The basic structure of a user specification is “who where = (as_whom)
565 what”. Let's break that down into its constituent parts:
566 Runas_Spec
568 A Runas_Spec determines the user and/or the group that a command may be
569 run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
570 defined above) separated by a colon (‘:’) and enclosed in a set of paren‐
571 theses. The first Runas_List indicates which users the command may be
572 run as via the -u option. The second defines a list of groups that can
573 be specified via the -g option in addition to any of the target user's
574 groups. If both Runas_Lists are specified, the command may be run with
575 any combination of users and groups listed in their respective
576 Runas_Lists. If only the first is specified, the command may be run as
577 any user in the list but no -g option may be specified. If the first
578 Runas_List is empty but the second is specified, the command may be run
579 as the invoking user with the group set to any listed in the Runas_List.
580 If both Runas_Lists are empty, the command may only be run as the invok‐
581 ing user. If no Runas_Spec is specified the command may be run as root
582 and no group may be specified.
583 A Runas_Spec sets the default for the commands that follow it. What this
585 means is that for the entry:
586 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
588 The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
590 boulder—but only as operator. E.g.,
591 $ sudo -u operator /bin/ls
593 It is also possible to override a Runas_Spec later on in an entry. If we
595 modify the entry like so:
596 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
598 Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
600 and /usr/bin/lprm as root.
601 We can extend this to allow dgb to run /bin/ls with either the user or
603 group set to operator:
604 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
606 /usr/bin/lprm
607 Note that while the group portion of the Runas_Spec permits the user to
609 run as command with that group, it does not force the user to do so. If
610 no group is specified on the command line, the command will run with the
611 group listed in the target user's password database entry. The following
612 would all be permitted by the sudoers entry above:
613 $ sudo -u operator /bin/ls
615 $ sudo -u operator -g operator /bin/ls
616 $ sudo -g operator /bin/ls
617 In the following example, user tcm may run commands that access a modem
619 device file with the dialer group.
620 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
622 /usr/local/bin/minicom
623 Note that in this example only the group will be set, the command still
625 runs as user tcm. E.g.
626 $ sudo -g dialer /usr/bin/cu
628 Multiple users and groups may be present in a Runas_Spec, in which case
630 the user may select any combination of users and groups via the -u and -g
631 options. In this example:
632 alan ALL = (root, bin : operator, system) ALL
634 user alan may run any command as either user root or bin, optionally set‐
636 ting the group to operator or system.
637 Option_Spec
639 A Cmnd may have zero or more options associated with it. Options may
640 consist of SELinux roles and/or types, start and/or end dates and command
641 timeouts. Once an option is set for a Cmnd, subsequent Cmnds in the
642 Cmnd_Spec_List, inherit that option unless it is overridden by another
643 option. Note that the option names are reserved words in sudoers. This
644 means that none of the valid option names (see below) can be used when
645 declaring an alias.
646 SELinux_Spec
648 On systems with SELinux support, sudoers file entries may optionally have
649 an SELinux role and/or type associated with a command. If a role or type
650 is specified with the command it will override any default values speci‐
651 fied in sudoers. A role or type specified on the command line, however,
652 will supersede the values in sudoers.
653 Date_Spec
655 sudoers rules can be specified with a start and end date via the
656 NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
657 Generalized Time as defined by RFC 4517. The format is effectively
658 yyyymmddHHMMSSZ where the minutes and seconds are optional. The ‘Z’ suf‐
659 fix indicates that the time stamp is in Coordinated Universal Time (UTC).
660 It is also possible to specify a timezone offset from UTC in hours and
661 minutes instead of a ‘Z’. For example, ‘-0500’ would correspond to East‐
662 ern Standard time in the US. As an extension, if no ‘Z’ or timezone off‐
663 set is specified, local time will be used.
664 The following are all valid time stamps:
666 20170214083000Z
668 2017021408Z
669 20160315220000-0500
670 20151201235900
671 Timeout_Spec
673 A command may have a timeout associated with it. If the timeout expires
674 before the command has exited, the command will be terminated. The time‐
675 out may be specified in combinations of days, hours, minutes and seconds
676 with a single-letter case-insensitive suffix that indicates the unit of
677 time. For example, a timeout of 7 days, 8 hours, 30 minutes and 10 sec‐
678 onds would be written as 7d8h30m10s. If a number is specified without a
679 unit, seconds are assumed. Any of the days, minutes, hours or seconds
680 may be omitted. The order must be from largest to smallest unit and a
681 unit may not be specified more than once.
682 The following are all valid timeout values: 7d8h30m10s, 14d, 8h30m, 600s,
684 3600. The following are invalid timeout values: 12m2w1d, 30s10m4h,
685 1d2d3h.
686 This setting is only supported by version 1.8.20 or higher.
688 Chdir_Spec
690 The working directory that the command will be run in can be specified
691 using the CWD setting. The directory must be a fully-qualified path name
692 beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
693 of “*” indicates that the user may specify the working directory by run‐
694 ning sudo with the -D option. By default, commands are run from the
695 invoking user's current working directory, unless the -i option is given.
696 Path names of the form ~user/path/name are interpreted as being relative
697 to the named user's home directory. If the user name is omitted, the
698 path will be relative to the runas user's home directory.
699 This setting is only supported by version 1.9.3 or higher.
701 Chroot_Spec
703 The root directory that the command will be run in can be specified using
704 the CHROOT setting. The directory must be a fully-qualified path name
705 beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
706 of “*” indicates that the user may specify the root directory by running
707 sudo with the -R option. This setting can be used to run the command in
708 a chroot(2) “sandbox” similar to the chroot(8) utility. Path names of
709 the form ~user/path/name are interpreted as being relative to the named
710 user's home directory. If the user name is omitted, the path will be
711 relative to the runas user's home directory.
712 This setting is only supported by version 1.9.3 or higher.
714 Tag_Spec
716 A command may have zero or more tags associated with it. The following
717 tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
718 NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD,
719 SETENV, and NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in
720 the Cmnd_Spec_List, inherit the tag unless it is overridden by the oppo‐
721 site tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides
722 EXEC).
723 EXEC and NOEXEC
725 If sudo has been compiled with noexec support and the underlying oper‐
727 ating system supports it, the NOEXEC tag can be used to prevent a
728 dynamically-linked executable from running further commands itself.
729 In the following example, user aaron may run /usr/bin/more and
731 /usr/bin/vi but shell escapes will be disabled.
732 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
734 See the Preventing shell escapes section below for more details on how
736 NOEXEC works and whether or not it will work on your system.
737 FOLLOW and NOFOLLOW Starting with version 1.8.15, sudoedit will not open
739 a file that is a symbolic link unless the sudoedit_follow flag is
740 enabled. The FOLLOW and NOFOLLOW tags override the value of
741 sudoedit_follow and can be used to permit (or deny) the editing of sym‐
742 bolic links on a per-command basis. These tags are only effective for
743 the sudoedit command and are ignored for all other commands.
744 LOG_INPUT and NOLOG_INPUT
746 These tags override the value of the log_input flag on a per-command
748 basis. For more information, see the description of log_input in the
749 SUDOERS OPTIONS section below.
750 LOG_OUTPUT and NOLOG_OUTPUT
752 These tags override the value of the log_output flag on a per-command
754 basis. For more information, see the description of log_output in the
755 SUDOERS OPTIONS section below.
756 MAIL and NOMAIL
758 These tags provide fine-grained control over whether mail will be sent
760 when a user runs a command by overriding the value of the
761 mail_all_cmnds flag on a per-command basis. They have no effect when
762 sudo is run with the -l or -v options. A NOMAIL tag will also override
763 the mail_always and mail_no_perms options. For more information, see
764 the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
765 the SUDOERS OPTIONS section below.
766 PASSWD and NOPASSWD
768 By default, sudo requires that a user authenticate him or herself
770 before running a command. This behavior can be modified via the
771 NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
772 the commands that follow it in the Cmnd_Spec_List. Conversely, the
773 PASSWD tag can be used to reverse things. For example:
774 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
776 would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
778 as root on the machine rushmore without authenticating himself. If we
779 only want ray to be able to run /bin/kill without a password the entry
780 would be:
781 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
783 Note, however, that the PASSWD tag has no effect on users who are in
785 the group specified by the exempt_group setting.
786 By default, if the NOPASSWD tag is applied to any of a user's entries
788 for the current host, the user will be able to run “sudo -l” without a
789 password. Additionally, a user may only run “sudo -v” without a pass‐
790 word if all of the user's entries for the current host have the
791 NOPASSWD tag. This behavior may be overridden via the verifypw and
792 listpw options.
793 SETENV and NOSETENV
795 These tags override the value of the setenv flag on a per-command
797 basis. Note that if SETENV has been set for a command, the user may
798 disable the env_reset flag from the command line via the -E option.
799 Additionally, environment variables set on the command line are not
800 subject to the restrictions imposed by env_check, env_delete, or
801 env_keep. As such, only trusted users should be allowed to set vari‐
802 ables in this manner. If the command matched is ALL, the SETENV tag is
803 implied for that command; this default may be overridden by use of the
804 NOSETENV tag.
805 Wildcards
807 sudo allows shell-style wildcards (aka meta or glob characters) to be
808 used in host names, path names and command line arguments in the sudoers
809 file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
810 as specified by IEEE Std 1003.1 (“POSIX.1”).
811 * Matches any set of zero or more characters (including white
813 space).
814 ? Matches any single character (including white space).
816 [...] Matches any character in the specified range.
818 [!...] Matches any character not in the specified range.
820 \x For any character ‘x’, evaluates to ‘x’. This is used to
822 escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
823 Note that these are not regular expressions. Unlike a regular expression
825 there is no way to match one or more characters within a range.
826 Character classes may be used if your system's glob(3) and fnmatch(3)
828 functions support them. However, because the ‘:’ character has special
829 meaning in sudoers, it must be escaped. For example:
830 /bin/ls [[\:alpha\:]]*
832 Would match any file name beginning with a letter.
834 Note that a forward slash (‘/’) will not be matched by wildcards used in
836 the file name portion of the command. This is to make a path like:
837 /usr/bin/*
839 match /usr/bin/who but not /usr/bin/X11/xterm.
841 When matching the command line arguments, however, a slash does get
843 matched by wildcards since command line arguments may contain arbitrary
844 strings and not just path names.
845 Wildcards in command line arguments should be used with care.
847 Command line arguments are matched as a single, concatenated string.
848 This mean a wildcard character such as ‘?’ or ‘*’ will match across word
849 boundaries, which may be unexpected. For example, while a sudoers entry
850 like:
851 %operator ALL = /bin/cat /var/log/messages*
853 will allow command like:
855 $ sudo cat /var/log/messages.1
857 It will also allow:
859 $ sudo cat /var/log/messages /etc/shadow
861 which is probably not what was intended. In most cases it is better to
863 do command line processing outside of the sudoers file in a scripting
864 language.
865 Exceptions to wildcard rules
867 The following exceptions apply to the above rules:
868 "" If the empty string "" is the only command line argument in the
870 sudoers file entry it means that command is not allowed to be
871 run with any arguments.
872 sudoedit Command line arguments to the sudoedit built-in command should
874 always be path names, so a forward slash (‘/’) will not be
875 matched by a wildcard.
876 Including other files from within sudoers
878 It is possible to include other sudoers files from within the sudoers
879 file currently being parsed using the @include and @includedir direc‐
880 tives. For compatibility with sudo versions prior to 1.9.1, #include and
881 #includedir are also accepted.
882 An include file can be used, for example, to keep a site-wide sudoers
884 file in addition to a local, per-machine file. For the sake of this
885 example the site-wide sudoers file will be /etc/sudoers and the per-
886 machine one will be /etc/sudoers.local. To include /etc/sudoers.local
887 from within /etc/sudoers one would use the following line in
888 /etc/sudoers:
889 @include /etc/sudoers.local
891 When sudo reaches this line it will suspend processing of the current
893 file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
894 end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
895 Files that are included may themselves include other files. A hard limit
896 of 128 nested include files is enforced to prevent include file loops.
897 The path to the include file may contain white space if it is escaped
899 with a backslash (‘\’). Alternately, the entire path may be enclosed in
900 double quotes (""), in which case no escaping is necessary. To include a
901 literal backslash in the path, ‘\\’ should be used.
902 If the path to the include file is not fully-qualified (does not begin
904 with a ‘/’), it must be located in the same directory as the sudoers file
905 it was included from. For example, if /etc/sudoers contains the line:
906 @include sudoers.local
908 the file that will be included is /etc/sudoers.local.
910 The file name may also include the %h escape, signifying the short form
912 of the host name. In other words, if the machine's host name is
913 “xerxes”, then
914 @include /etc/sudoers.%h
916 will cause sudo to include the file /etc/sudoers.xerxes.
918 The @includedir directive can be used to create a sudoers.d directory
920 that the system package manager can drop sudoers file rules into as part
921 of package installation. For example, given:
922 @includedir /etc/sudoers.d
924 sudo will suspend processing of the current file and read each file in
926 /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
927 character to avoid causing problems with package manager or editor tempo‐
928 rary/backup files. Files are parsed in sorted lexical order. That is,
929 /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
930 Be aware that because the sorting is lexical, not numeric,
931 /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
932 Using a consistent number of leading zeroes in the file names can be used
933 to avoid such problems. After parsing the files in the directory, con‐
934 trol returns to the file that contained the @includedir directive.
935 Note that unlike files included via @include, visudo will not edit the
937 files in a @includedir directory unless one of them contains a syntax
938 error. It is still possible to run visudo with the -f flag to edit the
939 files directly, but this will not catch the redefinition of an alias that
940 is also present in a different file.
941 Other special characters and reserved words
943 The pound sign (‘#’) is used to indicate a comment (unless it is part of
944 a #include directive or unless it occurs in the context of a user name
945 and is followed by one or more digits, in which case it is treated as a
946 user-ID). Both the comment character and any text after it, up to the
947 end of the line, are ignored.
948 The reserved word ALL is a built-in alias that always causes a match to
950 succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
951 User_Alias, Runas_Alias, or Host_Alias. Attempting to define an alias
952 named ALL will result in a syntax error. Please note that using ALL can
953 be dangerous since in a command context, it allows the user to run any
954 command on the system.
955 The following option names permitted in an Option_Spec are also consid‐
957 ered reserved words: CHROOT, ROLE, TYPE, TIMEOUT, CWD, NOTBEFORE and
958 NOTAFTER. Attempting to define an alias with the same name as one of the
959 options will result in a syntax error.
960 An exclamation point (‘!’) can be used as a logical not operator in a
962 list or alias as well as in front of a Cmnd. This allows one to exclude
963 certain values. For the ‘!’ operator to be effective, there must be
964 something for it to exclude. For example, to match all users except for
965 root one would use:
966 ALL,!root
968 If the ALL, is omitted, as in:
970 !root
972 it would explicitly deny root but not match any other users. This is
974 different from a true “negation” operator.
975 Note, however, that using a ‘!’ in conjunction with the built-in ALL
977 alias to allow a user to run “all but a few” commands rarely works as
978 intended (see SECURITY NOTES below).
979 Long lines can be continued with a backslash (‘\’) as the last character
981 on the line.
982 White space between elements in a list as well as special syntactic char‐
984 acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
985 The following characters must be escaped with a backslash (‘\’) when used
987 as part of a word (e.g., a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
988 ‘(’, ‘)’, ‘\’.
989
991 sudo's behavior can be modified by Default_Entry lines, as explained ear‐
992 lier. A list of all supported Defaults parameters, grouped by type, are
993 listed below.
994 Boolean Flags:
996 always_query_group_plugin
998 If a group_plugin is configured, use it to resolve
999 groups of the form %group as long as there is not also
1000 a system group of the same name. Normally, only groups
1001 of the form %:group are passed to the group_plugin.
1002 This flag is off by default.
1003 always_set_home If enabled, sudo will set the HOME environment variable
1005 to the home directory of the target user (which is the
1006 root user unless the -u option is used). This flag is
1007 largely obsolete and has no effect unless the env_reset
1008 flag has been disabled or HOME is present in the
1009 env_keep list, both of which are strongly discouraged.
1010 This flag is off by default.
1011 authenticate If set, users must authenticate themselves via a pass‐
1013 word (or other means of authentication) before they may
1014 run commands. This default may be overridden via the
1015 PASSWD and NOPASSWD tags. This flag is on by default.
1016 case_insensitive_group
1018 If enabled, group names in sudoers will be matched in a
1019 case insensitive manner. This may be necessary when
1020 users are stored in LDAP or AD. This flag is on by
1021 default.
1022 case_insensitive_user
1024 If enabled, user names in sudoers will be matched in a
1025 case insensitive manner. This may be necessary when
1026 groups are stored in LDAP or AD. This flag is on by
1027 default.
1028 closefrom_override
1030 If set, the user may use the -C option which overrides
1031 the default starting point at which sudo begins closing
1032 open file descriptors. This flag is off by default.
1033 compress_io If set, and sudo is configured to log a command's input
1035 or output, the I/O logs will be compressed using zlib.
1036 This flag is on by default when sudo is compiled with
1037 zlib support.
1038 exec_background By default, sudo runs a command as the foreground
1040 process as long as sudo itself is running in the fore‐
1041 ground. When the exec_background flag is enabled and
1042 the command is being run in a pseudo-terminal (due to
1043 I/O logging or the use_pty flag), the command will be
1044 run as a background process. Attempts to read from the
1045 controlling terminal (or to change terminal settings)
1046 will result in the command being suspended with the
1047 SIGTTIN signal (or SIGTTOU in the case of terminal set‐
1048 tings). If this happens when sudo is a foreground
1049 process, the command will be granted the controlling
1050 terminal and resumed in the foreground with no user
1051 intervention required. The advantage of initially run‐
1052 ning the command in the background is that sudo need
1053 not read from the terminal unless the command explic‐
1054 itly requests it. Otherwise, any terminal input must
1055 be passed to the command, whether it has required it or
1056 not (the kernel buffers terminals so it is not possible
1057 to tell whether the command really wants the input).
1058 This is different from historic sudo behavior or when
1059 the command is not being run in a pseudo-terminal.
1060 For this to work seamlessly, the operating system must
1062 support the automatic restarting of system calls.
1063 Unfortunately, not all operating systems do this by
1064 default, and even those that do may have bugs. For
1065 example, macOS fails to restart the tcgetattr() and
1066 tcsetattr() system calls (this is a bug in macOS).
1067 Furthermore, because this behavior depends on the com‐
1068 mand stopping with the SIGTTIN or SIGTTOU signals, pro‐
1069 grams that catch these signals and suspend themselves
1070 with a different signal (usually SIGTOP) will not be
1071 automatically foregrounded. Some versions of the linux
1072 su(1) command behave this way. This flag is off by
1073 default.
1074 This setting is only supported by version 1.8.7 or
1076 higher. It has no effect unless I/O logging is enabled
1077 or the use_pty flag is enabled.
1078 env_editor If set, visudo will use the value of the SUDO_EDITOR,
1080 VISUAL or EDITOR environment variables before falling
1081 back on the default editor list. Note that visudo is
1082 typically run as root so this flag may allow a user
1083 with visudo privileges to run arbitrary commands as
1084 root without logging. An alternative is to place a
1085 colon-separated list of “safe” editors int the editor
1086 variable. visudo will then only use SUDO_EDITOR,
1087 VISUAL or EDITOR if they match a value specified in
1088 editor. If the env_reset flag is enabled, the
1089 SUDO_EDITOR, VISUAL and/or EDITOR environment variables
1090 must be present in the env_keep list for the env_editor
1091 flag to function when visudo is invoked via sudo. This
1092 flag is on by default.
1093 env_reset If set, sudo will run the command in a minimal environ‐
1095 ment containing the TERM, PATH, HOME, MAIL, SHELL,
1096 LOGNAME, USER and SUDO_* variables. Any variables in
1097 the caller's environment or in the file specified by
1098 the restricted_env_file setting that match the env_keep
1099 and env_check lists are then added, followed by any
1100 variables present in the file specified by the env_file
1101 setting (if any). The contents of the env_keep and
1102 env_check lists, as modified by global Defaults parame‐
1103 ters in sudoers, are displayed when sudo is run by root
1104 with the -V option. If the secure_path setting is
1105 enabled, its value will be used for the PATH environ‐
1106 ment variable. This flag is on by default.
1107 fast_glob Normally, sudo uses the glob(3) function to do shell-
1109 style globbing when matching path names. However,
1110 since it accesses the file system, glob(3) can take a
1111 long time to complete for some patterns, especially
1112 when the pattern references a network file system that
1113 is mounted on demand (auto mounted). The fast_glob
1114 flag causes sudo to use the fnmatch(3) function, which
1115 does not access the file system to do its matching.
1116 The disadvantage of fast_glob is that it is unable to
1117 match relative path names such as ./ls or ../bin/ls.
1118 This has security implications when path names that
1119 include globbing characters are used with the negation
1120 operator, ‘!’, as such rules can be trivially bypassed.
1121 As such, this flag should not be used when the sudoers
1122 file contains rules that contain negated path names
1123 which include globbing characters. This flag is off by
1124 default.
1125 fqdn Set this flag if you want to put fully qualified host
1127 names in the sudoers file when the local host name (as
1128 returned by the hostname command) does not contain the
1129 domain name. In other words, instead of myhost you
1130 would use myhost.mydomain.edu. You may still use the
1131 short form if you wish (and even mix the two). This
1132 flag is only effective when the “canonical” host name,
1133 as returned by the getaddrinfo() or gethostbyname()
1134 function, is a fully-qualified domain name. This is
1135 usually the case when the system is configured to use
1136 DNS for host name resolution.
1137 If the system is configured to use the /etc/hosts file
1139 in preference to DNS, the “canonical” host name may not
1140 be fully-qualified. The order that sources are queried
1141 for host name resolution is usually specified in the
1142 /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
1143 or, in some cases, /etc/resolv.conf file. In the
1144 /etc/hosts file, the first host name of the entry is
1145 considered to be the “canonical” name; subsequent names
1146 are aliases that are not used by sudoers. For example,
1147 the following hosts file line for the machine “xyzzy”
1148 has the fully-qualified domain name as the “canonical”
1149 host name, and the short version as an alias.
1150 192.168.1.1 xyzzy.sudo.ws xyzzy
1152 If the machine's hosts file entry is not formatted
1154 properly, the fqdn flag will not be effective if it is
1155 queried before DNS.
1156 Beware that when using DNS for host name resolution,
1158 turning on fqdn requires sudoers to make DNS lookups
1159 which renders sudo unusable if DNS stops working (for
1160 example if the machine is disconnected from the net‐
1161 work). Also note that just like with the hosts file,
1162 you must use the “canonical” name as DNS knows it.
1163 That is, you may not use a host alias (CNAME entry) due
1164 to performance issues and the fact that there is no way
1165 to get all aliases from DNS.
1166 This flag is off by default.
1168 ignore_audit_errors
1170 Allow commands to be run even if sudoers cannot write
1171 to the audit log. If enabled, an audit log write fail‐
1172 ure is not treated as a fatal error. If disabled, a
1173 command may only be run after the audit event is suc‐
1174 cessfully written. This flag is only effective on sys‐
1175 tems for which sudoers supports audit logging, includ‐
1176 ing FreeBSD, Linux, macOS and Solaris. This flag is on
1177 by default.
1178 ignore_dot If set, sudo will ignore "." or "" (both denoting cur‐
1180 rent directory) in the PATH environment variable; the
1181 PATH itself is not modified. This flag is on by
1182 default.
1183 ignore_iolog_errors
1185 Allow commands to be run even if sudoers cannot write
1186 to the I/O log (local or remote). If enabled, an I/O
1187 log write failure is not treated as a fatal error. If
1188 disabled, the command will be terminated if the I/O log
1189 cannot be written to. This flag is off by default.
1190 ignore_logfile_errors
1192 Allow commands to be run even if sudoers cannot write
1193 to the log file. If enabled, a log file write failure
1194 is not treated as a fatal error. If disabled, a com‐
1195 mand may only be run after the log file entry is suc‐
1196 cessfully written. This flag only has an effect when
1197 sudoers is configured to use file-based logging via the
1198 logfile setting. This flag is on by default.
1199 ignore_local_sudoers
1201 If set via LDAP, parsing of /etc/sudoers will be
1202 skipped. This is intended for Enterprises that wish to
1203 prevent the usage of local sudoers files so that only
1204 LDAP is used. This thwarts the efforts of rogue opera‐
1205 tors who would attempt to add roles to /etc/sudoers.
1206 When this flag is enabled, /etc/sudoers does not even
1207 need to exist. Since this flag tells sudo how to
1208 behave when no specific LDAP entries have been matched,
1209 this sudoOption is only meaningful for the cn=defaults
1210 section. This flag is off by default.
1211 ignore_unknown_defaults
1213 If set, sudo will not produce a warning if it encoun‐
1214 ters an unknown Defaults entry in the sudoers file or
1215 an unknown sudoOption in LDAP. This flag is off by
1216 default.
1217 insults If set, sudo will insult users when they enter an
1219 incorrect password. This flag is off by default.
1220 log_allowed If set, sudoers will log commands allowed by the policy
1222 to the system audit log (where supported) as well as to
1223 syslog and/or a log file. This flag is on by default.
1224 This setting is only supported by version 1.8.29 or
1226 higher.
1227 log_denied If set, sudoers will log commands denied by the policy
1229 to the system audit log (where supported) as well as to
1230 syslog and/or a log file. This flag is on by default.
1231 This setting is only supported by version 1.8.29 or
1233 higher.
1234 log_host If set, the host name will be included in log entries
1236 written to the file configured by the logfile setting.
1237 This flag is off by default.
1238 log_input If set, sudo will run the command in a pseudo-terminal
1240 and log all user input. If the standard input is not
1241 connected to the user's tty, due to I/O redirection or
1242 because the command is part of a pipeline, that input
1243 is also captured and stored in a separate log file.
1244 Anything sent to the standard input will be consumed,
1245 regardless of whether or not the command run via sudo
1246 is actually reading the standard input. This may have
1247 unexpected results when using sudo in a shell script
1248 that expects to process the standard input. For more
1249 information about I/O logging, see the I/O LOG FILES
1250 section. This flag is off by default.
1251 log_output If set, sudo will run the command in a pseudo-terminal
1253 and log all output that is sent to the screen, similar
1254 to the script(1) command. For more information about
1255 I/O logging, see the I/O LOG FILES section. This flag
1256 is off by default.
1257 log_server_keepalive
1259 If set, sudo will enable the TCP keepalive socket
1260 option on the connection to the log server. This
1261 enables the periodic transmission of keepalive messages
1262 to the server. If the server does not respond to a
1263 message, the connection will be closed and the running
1264 command will be terminated unless the
1265 ignore_iolog_errors flag (I/O logging enabled) or the
1266 ignore_log_errors flag (I/O logging disabled) is set.
1267 This flag is on by default.
1268 This setting is only supported by version 1.9.0 or
1270 higher.
1271 log_server_verify
1273 If set, the server certificate received during the TLS
1274 handshake must be valid and it must contain either the
1275 server name (from log_servers) or its IP address. If
1276 either of these conditions is not met, the TLS hand‐
1277 shake will fail. This flag is on by default.
1278 This setting is only supported by version 1.9.0 or
1280 higher.
1281 log_year If set, the four-digit year will be logged in the (non-
1283 syslog) sudo log file. This flag is off by default.
1284 long_otp_prompt When validating with a One Time Password (OTP) scheme
1286 such as S/Key or OPIE, a two-line prompt is used to
1287 make it easier to cut and paste the challenge to a
1288 local window. It's not as pretty as the default but
1289 some people find it more convenient. This flag is off
1290 by default.
1291 mail_all_cmnds Send mail to the mailto user every time a user attempts
1293 to run a command via sudo (this includes sudoedit). No
1294 mail will be sent if the user runs sudo with the -l or
1295 -v option unless there is an authentication error and
1296 the mail_badpass flag is also set. This flag is off by
1297 default.
1298 mail_always Send mail to the mailto user every time a user runs
1300 sudo. This flag is off by default.
1301 mail_badpass Send mail to the mailto user if the user running sudo
1303 does not enter the correct password. If the command
1304 the user is attempting to run is not permitted by
1305 sudoers and one of the mail_all_cmnds, mail_always,
1306 mail_no_host, mail_no_perms or mail_no_user flags are
1307 set, this flag will have no effect. This flag is off
1308 by default.
1309 mail_no_host If set, mail will be sent to the mailto user if the
1311 invoking user exists in the sudoers file, but is not
1312 allowed to run commands on the current host. This flag
1313 is off by default.
1314 mail_no_perms If set, mail will be sent to the mailto user if the
1316 invoking user is allowed to use sudo but the command
1317 they are trying is not listed in their sudoers file
1318 entry or is explicitly denied. This flag is off by
1319 default.
1320 mail_no_user If set, mail will be sent to the mailto user if the
1322 invoking user is not in the sudoers file. This flag is
1323 on by default.
1324 match_group_by_gid
1326 By default, sudoers will look up each group the user is
1327 a member of by group-ID to determine the group name
1328 (this is only done once). The resulting list of the
1329 user's group names is used when matching groups listed
1330 in the sudoers file. This works well on systems where
1331 the number of groups listed in the sudoers file is
1332 larger than the number of groups a typical user belongs
1333 to. On systems where group lookups are slow, where
1334 users may belong to a large number of groups, and where
1335 the number of groups listed in the sudoers file is rel‐
1336 atively small, it may be prohibitively expensive and
1337 running commands via sudo may take longer than normal.
1338 On such systems it may be faster to use the
1339 match_group_by_gid flag to avoid resolving the user's
1340 group-IDs to group names. In this case, sudoers must
1341 look up any group name listed in the sudoers file and
1342 use the group-ID instead of the group name when deter‐
1343 mining whether the user is a member of the group.
1344 Note that if match_group_by_gid is enabled, group data‐
1346 base lookups performed by sudoers will be keyed by
1347 group name as opposed to group-ID. On systems where
1348 there are multiple sources for the group database, it
1349 is possible to have conflicting group names or group-
1350 IDs in the local /etc/group file and the remote group
1351 database. On such systems, enabling or disabling
1352 match_group_by_gid can be used to choose whether group
1353 database queries are performed by name (enabled) or ID
1354 (disabled), which may aid in working around group entry
1355 conflicts.
1356 The match_group_by_gid flag has no effect when sudoers
1358 data is stored in LDAP. This flag is off by default.
1359 This setting is only supported by version 1.8.18 or
1361 higher.
1362 netgroup_tuple If set, netgroup lookups will be performed using the
1364 full netgroup tuple: host name, user name and domain
1365 (if one is set). Historically, sudo only matched the
1366 user name and domain for netgroups used in a User_List
1367 and only matched the host name and domain for netgroups
1368 used in a Host_List. This flag is off by default.
1369 noexec If set, all commands run via sudo will behave as if the
1371 NOEXEC tag has been set, unless overridden by an EXEC
1372 tag. See the description of EXEC and NOEXEC above as
1373 well as the Preventing shell escapes section at the end
1374 of this manual. This flag is off by default.
1375 pam_acct_mgmt On systems that use PAM for authentication, sudo will
1377 perform PAM account validation for the invoking user by
1378 default. The actual checks performed depend on which
1379 PAM modules are configured. If enabled, account vali‐
1380 dation will be performed regardless of whether or not a
1381 password is required. This flag is on by default.
1382 This setting is only supported by version 1.8.28 or
1384 higher.
1385 pam_rhost On systems that use PAM for authentication, sudo will
1387 set the PAM remote host value to the name of the local
1388 host when the pam_rhost flag is enabled. On Linux sys‐
1389 tems, enabling pam_rhost may result in DNS lookups of
1390 the local host name when PAM is initialized. On
1391 Solaris versions prior to Solaris 8, pam_rhost must be
1392 enabled if pam_ruser is also enabled to avoid a crash
1393 in the Solaris PAM implementation.
1394 This flag is off by default on systems other than
1396 Solaris.
1397 This setting is only supported by version 1.9.0 or
1399 higher.
1400 pam_ruser On systems that use PAM for authentication, sudo will
1402 set the PAM remote user value to the name of the user
1403 that invoked sudo when the pam_ruser flag is enabled.
1404 This flag is on by default.
1405 This setting is only supported by version 1.9.0 or
1407 higher.
1408 pam_session On systems that use PAM for authentication, sudo will
1410 create a new PAM session for the command to be run in.
1411 Unless sudo is given the -i or -s options, PAM session
1412 modules are run with the “silent” flag enabled. This
1413 prevents last login information from being displayed
1414 for every command on some systems. Disabling
1415 pam_session may be needed on older PAM implementations
1416 or on operating systems where opening a PAM session
1417 changes the utmp or wtmp files. If PAM session support
1418 is disabled, resource limits may not be updated for the
1419 command being run. If pam_session, pam_setcred, and
1420 use_pty are disabled, log_servers has not been set and
1421 I/O logging has not been configured, sudo will execute
1422 the command directly instead of running it as a child
1423 process. This flag is on by default.
1424 This setting is only supported by version 1.8.7 or
1426 higher.
1427 pam_setcred On systems that use PAM for authentication, sudo will
1429 attempt to establish credentials for the target user by
1430 default, if supported by the underlying authentication
1431 system. One example of a credential is a Kerberos
1432 ticket. If pam_session, pam_setcred, and use_pty are
1433 disabled, log_servers has not been set and I/O logging
1434 has not been configured, sudo will execute the command
1435 directly instead of running it as a child process.
1436 This flag is on by default.
1437 This setting is only supported by version 1.8.8 or
1439 higher.
1440 passprompt_override
1442 If set, the prompt specified by passprompt or the
1443 SUDO_PROMPT environment variable will always be used
1444 and will replace the prompt provided by a PAM module or
1445 other authentication method. This flag is off by
1446 default.
1447 path_info Normally, sudo will tell the user when a command could
1449 not be found in their PATH environment variable. Some
1450 sites may wish to disable this as it could be used to
1451 gather information on the location of executables that
1452 the normal user does not have access to. The disadvan‐
1453 tage is that if the executable is simply not in the
1454 user's PATH, sudo will tell the user that they are not
1455 allowed to run it, which can be confusing. This flag
1456 is on by default.
1457 preserve_groups By default, sudo will initialize the group vector to
1459 the list of groups the target user is in. When
1460 preserve_groups is set, the user's existing group vec‐
1461 tor is left unaltered. The real and effective group-
1462 IDs, however, are still set to match the target user.
1463 This flag is off by default.
1464 pwfeedback By default, sudo reads the password like most other
1466 Unix programs, by turning off echo until the user hits
1467 the return (or enter) key. Some users become confused
1468 by this as it appears to them that sudo has hung at
1469 this point. When pwfeedback is set, sudo will provide
1470 visual feedback when the user presses a key. Note that
1471 this does have a security impact as an onlooker may be
1472 able to determine the length of the password being
1473 entered. This flag is off by default.
1474 requiretty If set, sudo will only run when the user is logged in
1476 to a real tty. When this flag is set, sudo can only be
1477 run from a login session and not via other means such
1478 as cron(8) or cgi-bin scripts. This flag is off by
1479 default.
1480 root_sudo If set, root is allowed to run sudo too. Disabling
1482 this prevents users from “chaining” sudo commands to
1483 get a root shell by doing something like “sudo sudo
1484 /bin/sh”. Note, however, that turning off root_sudo
1485 will also prevent root from running sudoedit. Dis‐
1486 abling root_sudo provides no real additional security;
1487 it exists purely for historical reasons. This flag is
1488 on by default.
1489 rootpw If set, sudo will prompt for the root password instead
1491 of the password of the invoking user when running a
1492 command or editing a file. This flag is off by
1493 default.
1494 runas_allow_unknown_id
1496 If enabled, allow matching of runas user and group IDs
1497 that are not present in the password or group data‐
1498 bases. In addition to explicitly matching unknown user
1499 or group IDs in a Runas_List, this option also allows
1500 the ALL alias to match unknown IDs. This flag is off
1501 by default.
1502 This setting is only supported by version 1.8.30 or
1504 higher. Older versions of sudo always allowed matching
1505 of unknown user and group IDs.
1506 runas_check_shell
1508 If enabled, sudo will only run commands as a user whose
1509 shell appears in the /etc/shells file, even if the
1510 invoking user's Runas_List would otherwise permit it.
1511 If no /etc/shells file is present, a system-dependent
1512 list of built-in default shells is used. On many oper‐
1513 ating systems, system users such as “bin”, do not have
1514 a valid shell and this flag can be used to prevent com‐
1515 mands from being run as those users. This flag is off
1516 by default.
1517 This setting is only supported by version 1.8.30 or
1519 higher.
1520 runaspw If set, sudo will prompt for the password of the user
1522 defined by the runas_default option (defaults to root)
1523 instead of the password of the invoking user when run‐
1524 ning a command or editing a file. This flag is off by
1525 default.
1526 selinux If enabled, the user may specify an SELinux role and/or
1528 type to use when running the command, as permitted by
1529 the SELinux policy. If SELinux is disabled on the sys‐
1530 tem, this flag has no effect. This flag is on by
1531 default.
1532 set_home If enabled and sudo is invoked with the -s option, the
1534 HOME environment variable will be set to the home
1535 directory of the target user (which is the root user
1536 unless the -u option is used). This flag is largely
1537 obsolete and has no effect unless the env_reset flag
1538 has been disabled or HOME is present in the env_keep
1539 list, both of which are strongly discouraged. This
1540 flag is off by default.
1541 set_logname Normally, sudo will set the LOGNAME and USER environ‐
1543 ment variables to the name of the target user (usually
1544 root unless the -u option is given). However, since
1545 some programs (including the RCS revision control sys‐
1546 tem) use LOGNAME to determine the real identity of the
1547 user, it may be desirable to change this behavior.
1548 This can be done by negating the set_logname option.
1549 Note that set_logname will have no effect if the
1550 env_reset option has not been disabled and the env_keep
1551 list contains LOGNAME or USER. This flag is on by
1552 default.
1553 set_utmp When enabled, sudo will create an entry in the utmp (or
1555 utmpx) file when a pseudo-terminal is allocated. A
1556 pseudo-terminal is allocated by sudo when it is running
1557 in a terminal and one or more of the log_input,
1558 log_output or use_pty flags is enabled. By default,
1559 the new entry will be a copy of the user's existing
1560 utmp entry (if any), with the tty, time, type and pid
1561 fields updated. This flag is on by default.
1562 setenv Allow the user to disable the env_reset option from the
1564 command line via the -E option. Additionally, environ‐
1565 ment variables set via the command line are not subject
1566 to the restrictions imposed by env_check, env_delete,
1567 or env_keep. As such, only trusted users should be
1568 allowed to set variables in this manner. This flag is
1569 off by default.
1570 shell_noargs If set and sudo is invoked with no arguments it acts as
1572 if the -s option had been given. That is, it runs a
1573 shell as root (the shell is determined by the SHELL
1574 environment variable if it is set, falling back on the
1575 shell listed in the invoking user's /etc/passwd entry
1576 if not). This flag is off by default.
1577 stay_setuid Normally, when sudo executes a command the real and
1579 effective UIDs are set to the target user (root by
1580 default). This option changes that behavior such that
1581 the real UID is left as the invoking user's UID. In
1582 other words, this makes sudo act as a set-user-ID wrap‐
1583 per. This can be useful on systems that disable some
1584 potentially dangerous functionality when a program is
1585 run set-user-ID. This option is only effective on sys‐
1586 tems that support either the setreuid(2) or
1587 setresuid(2) system call. This flag is off by default.
1588 sudoedit_checkdir
1590 If set, sudoedit will check all directory components of
1591 the path to be edited for writability by the invoking
1592 user. Symbolic links will not be followed in writable
1593 directories and sudoedit will refuse to edit a file
1594 located in a writable directory. These restrictions
1595 are not enforced when sudoedit is run by root. On some
1596 systems, if all directory components of the path to be
1597 edited are not readable by the target user, sudoedit
1598 will be unable to edit the file. This flag is on by
1599 default.
1600 This setting was first introduced in version 1.8.15 but
1602 initially suffered from a race condition. The check
1603 for symbolic links in writable intermediate directories
1604 was added in version 1.8.16.
1605 sudoedit_follow By default, sudoedit will not follow symbolic links
1607 when opening files. The sudoedit_follow option can be
1608 enabled to allow sudoedit to open symbolic links. It
1609 may be overridden on a per-command basis by the FOLLOW
1610 and NOFOLLOW tags. This flag is off by default.
1611 This setting is only supported by version 1.8.15 or
1613 higher.
1614 syslog_pid When logging via syslog(3), include the process ID in
1616 the log entry. This flag is off by default.
1617 This setting is only supported by version 1.8.21 or
1619 higher.
1620 targetpw If set, sudo will prompt for the password of the user
1622 specified by the -u option (defaults to root) instead
1623 of the password of the invoking user when running a
1624 command or editing a file. Note that this flag pre‐
1625 cludes the use of a user-ID not listed in the passwd
1626 database as an argument to the -u option. This flag is
1627 off by default.
1628 tty_tickets If set, users must authenticate on a per-tty basis.
1630 With this flag enabled, sudo will use a separate record
1631 in the time stamp file for each terminal. If disabled,
1632 a single record is used for all login sessions.
1633 This option has been superseded by the timestamp_type
1635 option.
1636 umask_override If set, sudo will set the umask as specified in the
1638 sudoers file without modification. This makes it pos‐
1639 sible to specify a umask in the sudoers file that is
1640 more permissive than the user's own umask and matches
1641 historical behavior. If umask_override is not set,
1642 sudo will set the umask to be the union of the user's
1643 umask and what is specified in sudoers. This flag is
1644 off by default.
1645 use_netgroups If set, netgroups (prefixed with ‘+’), may be used in
1647 place of a user or host. For LDAP-based sudoers, net‐
1648 group support requires an expensive sub-string match on
1649 the server unless the NETGROUP_BASE directive is
1650 present in the /etc/ldap.conf file. If netgroups are
1651 not needed, this option can be disabled to reduce the
1652 load on the LDAP server. This flag is on by default.
1653 use_pty If set, and sudo is running in a terminal, the command
1655 will be run in a pseudo-terminal (even if no I/O log‐
1656 ging is being done). If the sudo process is not
1657 attached to a terminal, use_pty has no effect.
1658 A malicious program run under sudo may be capable of
1660 injecting commands into the user's terminal or running
1661 a background process that retains access to the user's
1662 terminal device even after the main program has fin‐
1663 ished executing. By running the command in a separate
1664 pseudo-terminal, this attack is no longer possible.
1665 This flag is off by default.
1666 user_command_timeouts
1668 If set, the user may specify a timeout on the command
1669 line. If the timeout expires before the command has
1670 exited, the command will be terminated. If a timeout
1671 is specified both in the sudoers file and on the com‐
1672 mand line, the smaller of the two timeouts will be
1673 used. See the Timeout_Spec section for a description
1674 of the timeout syntax. This flag is off by default.
1675 This setting is only supported by version 1.8.20 or
1677 higher.
1678 utmp_runas If set, sudo will store the name of the runas user when
1680 updating the utmp (or utmpx) file. By default, sudo
1681 stores the name of the invoking user. This flag is off
1682 by default.
1683 visiblepw By default, sudo will refuse to run if the user must
1685 enter a password but it is not possible to disable echo
1686 on the terminal. If the visiblepw flag is set, sudo
1687 will prompt for a password even when it would be visi‐
1688 ble on the screen. This makes it possible to run
1689 things like “ssh somehost sudo ls” since by default,
1690 ssh(1) does not allocate a tty when running a command.
1691 This flag is off by default.
1692 Integers:
1694 closefrom Before it executes a command, sudo will close all open
1696 file descriptors other than standard input, standard
1697 output and standard error (ie: file descriptors 0-2).
1698 The closefrom option can be used to specify a different
1699 file descriptor at which to start closing. The default
1700 is 3.
1701 command_timeout The maximum amount of time a command is allowed to run
1703 before it is terminated. See the Timeout_Spec section
1704 for a description of the timeout syntax.
1705 This setting is only supported by version 1.8.20 or
1707 higher.
1708 log_server_timeout
1710 The maximum amount of time to wait when connecting to a
1711 log server or waiting for a server response. See the
1712 Timeout_Spec section for a description of the timeout
1713 syntax. The default value is 30 seconds.
1714 This setting is only supported by version 1.9.0 or
1716 higher.
1717 maxseq The maximum sequence number that will be substituted
1719 for the “%{seq}” escape in the I/O log file (see the
1720 iolog_dir description below for more information).
1721 While the value substituted for “%{seq}” is in base 36,
1722 maxseq itself should be expressed in decimal. Values
1723 larger than 2176782336 (which corresponds to the base
1724 36 sequence number “ZZZZZZ”) will be silently truncated
1725 to 2176782336. The default value is 2176782336.
1726 Once the local sequence number reaches the value of
1728 maxseq, it will “roll over” to zero, after which
1729 sudoers will truncate and re-use any existing I/O log
1730 path names.
1731 This setting is only supported by version 1.8.7 or
1733 higher.
1734 passwd_tries The number of tries a user gets to enter his/her pass‐
1736 word before sudo logs the failure and exits. The
1737 default is 3.
1738 syslog_maxlen On many systems, syslog(3) has a relatively small log
1740 buffer. IETF RFC 5424 states that syslog servers must
1741 support messages of at least 480 bytes and should sup‐
1742 port messages up to 2048 bytes. By default, sudoers
1743 creates log messages up to 980 bytes which corresponds
1744 to the historic BSD syslog implementation which used a
1745 1024 byte buffer to store the message, date, hostname
1746 and program name. To prevent syslog messages from
1747 being truncated, sudoers will split up log messages
1748 that are larger than syslog_maxlen bytes. When a mes‐
1749 sage is split, additional parts will include the string
1750 “(command continued)” after the user name and before
1751 the continued command line arguments.
1752 This setting is only supported by version 1.8.19 or
1754 higher.
1755 Integers that can be used in a boolean context:
1757 loglinelen Number of characters per line for the file log. This
1759 value is used to decide when to wrap lines for nicer
1760 log files. This has no effect on the syslog log file,
1761 only the file log. The default is 80 (use 0 or negate
1762 the option to disable word wrap).
1763 passwd_timeout Number of minutes before the sudo password prompt times
1765 out, or 0 for no timeout. The timeout may include a
1766 fractional component if minute granularity is insuffi‐
1767 cient, for example 2.5. The default is 5.
1768 timestamp_timeout
1770 Number of minutes that can elapse before sudo will ask
1771 for a passwd again. The timeout may include a frac‐
1772 tional component if minute granularity is insufficient,
1773 for example 2.5. The default is 5. Set this to 0 to
1774 always prompt for a password. If set to a value less
1775 than 0 the user's time stamp will not expire until the
1776 system is rebooted. This can be used to allow users to
1777 create or delete their own time stamps via “sudo -v”
1778 and “sudo -k” respectively.
1779 umask File mode creation mask to use when running the com‐
1781 mand. Negate this option or set it to 0777 to prevent
1782 sudoers from changing the umask. Unless the
1783 umask_override flag is set, the actual umask will be
1784 the union of the user's umask and the value of the
1785 umask setting, which defaults to 0022. This guarantees
1786 that sudo never lowers the umask when running a com‐
1787 mand.
1788 If umask is explicitly set in sudoers, it will override
1790 any umask setting in PAM or login.conf. If umask is
1791 not set in sudoers, the umask specified by PAM or
1792 login.conf will take precedence. The umask setting in
1793 PAM is not used for sudoedit, which does not create a
1794 new PAM session.
1795 Strings:
1797 authfail_message Message that is displayed after a user fails to authen‐
1799 ticate. The message may include the ‘%d’ escape which
1800 will expand to the number of failed password attempts.
1801 If set, it overrides the default message, %d incorrect
1802 password attempt(s).
1803 badpass_message Message that is displayed if a user enters an incorrect
1805 password. The default is Sorry, try again. unless
1806 insults are enabled.
1807 editor A colon (‘:’) separated list of editors path names used
1809 by sudoedit and visudo. For sudoedit, this list is
1810 used to find an editor when none of the SUDO_EDITOR,
1811 VISUAL or EDITOR environment variables are set to an
1812 editor that exists and is executable. For visudo, it
1813 is used as a white list of allowed editors; visudo will
1814 choose the editor that matches the user's SUDO_EDITOR,
1815 VISUAL or EDITOR environment variable if possible, or
1816 the first editor in the list that exists and is exe‐
1817 cutable if not. Unless invoked as sudoedit, sudo does
1818 not preserve the SUDO_EDITOR, VISUAL or EDITOR environ‐
1819 ment variables unless they are present in the env_keep
1820 list or the env_reset option is disabled. The default
1821 is /bin/vi.
1822 iolog_dir The top-level directory to use when constructing the
1824 path name for the input/output log directory. Only
1825 used if the log_input or log_output options are enabled
1826 or when the LOG_INPUT or LOG_OUTPUT tags are present
1827 for a command. The session sequence number, if any, is
1828 stored in the directory. The default is
1829 /var/log/sudo-io.
1830 The following percent (‘%’) escape sequences are sup‐
1832 ported:
1833 %{seq}
1835 expanded to a monotonically increasing base-36
1836 sequence number, such as 0100A5, where every two
1837 digits are used to form a new directory, e.g.,
1838 01/00/A5
1839 %{user}
1841 expanded to the invoking user's login name
1842 %{group}
1844 expanded to the name of the invoking user's real
1845 group-ID
1846 %{runas_user}
1848 expanded to the login name of the user the com‐
1849 mand will be run as (e.g., root)
1850 %{runas_group}
1852 expanded to the group name of the user the com‐
1853 mand will be run as (e.g., wheel)
1854 %{hostname}
1856 expanded to the local host name without the
1857 domain name
1858 %{command}
1860 expanded to the base name of the command being
1861 run
1862 In addition, any escape sequences supported by the sys‐
1864 tem's strftime(3) function will be expanded.
1865 To include a literal ‘%’ character, the string ‘%%’
1867 should be used.
1868 iolog_file The path name, relative to iolog_dir, in which to store
1870 input/output logs when the log_input or log_output
1871 options are enabled or when the LOG_INPUT or LOG_OUTPUT
1872 tags are present for a command. Note that iolog_file
1873 may contain directory components. The default is
1874 “%{seq}”.
1875 See the iolog_dir option above for a list of supported
1877 percent (‘%’) escape sequences.
1878 In addition to the escape sequences, path names that
1880 end in six or more Xs will have the Xs replaced with a
1881 unique combination of digits and letters, similar to
1882 the mktemp(3) function.
1883 If the path created by concatenating iolog_dir and
1885 iolog_file already exists, the existing I/O log file
1886 will be truncated and overwritten unless iolog_file
1887 ends in six or more Xs.
1888 iolog_flush If set, sudo will flush I/O log data to disk after each
1890 write instead of buffering it. This makes it possible
1891 to view the logs in real-time as the program is execut‐
1892 ing but may significantly reduce the effectiveness of
1893 I/O log compression. This flag is off by default.
1894 This setting is only supported by version 1.8.20 or
1896 higher.
1897 iolog_group The group name to look up when setting the group-ID on
1899 new I/O log files and directories. If iolog_group is
1900 not set, the primary group-ID of the user specified by
1901 iolog_user is used. If neither iolog_group nor
1902 iolog_user are set, I/O log files and directories are
1903 created with group-ID 0.
1904 This setting is only supported by version 1.8.19 or
1906 higher.
1907 iolog_mode The file mode to use when creating I/O log files. Mode
1909 bits for read and write permissions for owner, group or
1910 other are honored, everything else is ignored. The
1911 file permissions will always include the owner read and
1912 write bits, even if they are not present in the speci‐
1913 fied mode. When creating I/O log directories, search
1914 (execute) bits are added to match the read and write
1915 bits specified by iolog_mode. Defaults to 0600 (read
1916 and write by user only).
1917 This setting is only supported by version 1.8.19 or
1919 higher.
1920 iolog_user The user name to look up when setting the user and
1922 group-IDs on new I/O log files and directories. If
1923 iolog_group is set, it will be used instead of the
1924 user's primary group-ID. By default, I/O log files and
1925 directories are created with user and group-ID 0.
1926 This setting can be useful when the I/O logs are stored
1928 on a Network File System (NFS) share. Having a dedi‐
1929 cated user own the I/O log files means that sudoers
1930 does not write to the log files as user-ID 0, which is
1931 usually not permitted by NFS.
1932 This setting is only supported by version 1.8.19 or
1934 higher.
1935 lecture_status_dir
1937 The directory in which sudo stores per-user lecture
1938 status files. Once a user has received the lecture, a
1939 zero-length file is created in this directory so that
1940 sudo will not lecture the user again. This directory
1941 should not be cleared when the system reboots. The
1942 default is /var/db/sudo/lectured.
1943 log_server_cabundle
1945 The path to a certificate authority bundle file, in PEM
1946 format, to use instead of the system's default certifi‐
1947 cate authority database when authenticating the log
1948 server. The default is to use the system's default
1949 certificate authority database. This setting has no
1950 effect unless log_servers is set and the remote log
1951 server is secured with TLS.
1952 This setting is only supported by version 1.9.0 or
1954 higher.
1955 log_server_peer_cert
1957 The path to the client's certificate file, in PEM for‐
1958 mat. This setting is required when log_servers is set
1959 and the remote log server is secured with TLS.
1960 This setting is only supported by version 1.9.0 or
1962 higher.
1963 log_server_peer_key
1965 The path to the client's private key file, in PEM for‐
1966 mat. This setting is required when log_servers is set
1967 and the remote log server is secured with TLS.
1968 This setting is only supported by version 1.9.0 or
1970 higher.
1971 mailsub Subject of the mail sent to the mailto user. The
1973 escape %h will expand to the host name of the machine.
1974 Default is “*** SECURITY information for %h ***”.
1975 noexec_file As of sudo version 1.8.1 this option is no longer sup‐
1977 ported. The path to the noexec file should now be set
1978 in the sudo.conf(5) file.
1979 pam_login_service
1981 On systems that use PAM for authentication, this is the
1982 service name used when the -i option is specified. The
1983 default value is “sudo-i”. See the description of
1984 pam_service for more information.
1985 This setting is only supported by version 1.8.8 or
1987 higher.
1988 pam_service On systems that use PAM for authentication, the service
1990 name specifies the PAM policy to apply. This usually
1991 corresponds to an entry in the pam.conf file or a file
1992 in the /etc/pam.d directory. The default value is
1993 “sudo”.
1994 This setting is only supported by version 1.8.8 or
1996 higher.
1997 passprompt The default prompt to use when asking for a password;
1999 can be overridden via the -p option or the SUDO_PROMPT
2000 environment variable. The following percent (‘%’)
2001 escape sequences are supported:
2002 %H expanded to the local host name including the
2004 domain name (only if the machine's host name is
2005 fully qualified or the fqdn option is set)
2006 %h expanded to the local host name without the
2008 domain name
2009 %p expanded to the user whose password is being
2011 asked for (respects the rootpw, targetpw and
2012 runaspw flags in sudoers)
2013 %U expanded to the login name of the user the com‐
2015 mand will be run as (defaults to root)
2016 %u expanded to the invoking user's login name
2018 %% two consecutive % characters are collapsed into a
2020 single % character
2021 On systems that use PAM for authentication, passprompt
2023 will only be used if the prompt provided by the PAM
2024 module matches the string “Password: ” or “username's
2025 Password: ”. This ensures that the passprompt setting
2026 does not interfere with challenge-response style
2027 authentication. The passprompt_override flag can be
2028 used to change this behavior.
2029 The default value is “[sudo] password for %p: ”.
2031 role The default SELinux role to use when constructing a new
2033 security context to run the command. The default role
2034 may be overridden on a per-command basis in the sudoers
2035 file or via command line options. This option is only
2036 available when sudo is built with SELinux support.
2037 runas_default The default user to run commands as if the -u option is
2039 not specified on the command line. This defaults to
2040 root.
2041 sudoers_locale Locale to use when parsing the sudoers file, logging
2043 commands, and sending email. Note that changing the
2044 locale may affect how sudoers is interpreted. Defaults
2045 to “C”.
2046 timestamp_type sudoers uses per-user time stamp files for credential
2048 caching. The timestamp_type option can be used to
2049 specify the type of time stamp record used. It has the
2050 following possible values:
2051 global A single time stamp record is used for all of a
2053 user's login sessions, regardless of the termi‐
2054 nal or parent process ID. An additional record
2055 is used to serialize password prompts when sudo
2056 is used multiple times in a pipeline, but this
2057 does not affect authentication.
2058 ppid A single time stamp record is used for all pro‐
2060 cesses with the same parent process ID (usually
2061 the shell). Commands run from the same shell
2062 (or other common parent process) will not
2063 require a password for timestamp_timeout min‐
2064 utes (5 by default). Commands run via sudo
2065 with a different parent process ID, for example
2066 from a shell script, will be authenticated sep‐
2067 arately.
2068 tty One time stamp record is used for each termi‐
2070 nal, which means that a user's login sessions
2071 are authenticated separately. If no terminal
2072 is present, the behavior is the same as ppid.
2073 Commands run from the same terminal will not
2074 require a password for timestamp_timeout min‐
2075 utes (5 by default).
2076 kernel The time stamp is stored in the kernel as an
2078 attribute of the terminal device. If no termi‐
2079 nal is present, the behavior is the same as
2080 ppid. Negative timestamp_timeout values are
2081 not supported and positive values are limited
2082 to a maximum of 60 minutes. This is currently
2083 only supported on OpenBSD.
2084 The default value is tty.
2086 This setting is only supported by version 1.8.21 or
2088 higher.
2089 timestampdir The directory in which sudo stores its time stamp
2091 files. This directory should be cleared when the sys‐
2092 tem reboots. The default is /run/sudo/ts.
2093 timestampowner The owner of the lecture status directory, time stamp
2095 directory and all files stored therein. The default is
2096 root.
2097 type The default SELinux type to use when constructing a new
2099 security context to run the command. The default type
2100 may be overridden on a per-command basis in the sudoers
2101 file or via command line options. This option is only
2102 available when sudo is built with SELinux support.
2103 Strings that can be used in a boolean context:
2105 env_file The env_file option specifies the fully qualified path to a
2107 file containing variables to be set in the environment of
2108 the program being run. Entries in this file should either
2109 be of the form “VARIABLE=value” or “export VARIABLE=value”.
2110 The value may optionally be enclosed in single or double
2111 quotes. Variables in this file are only added if the vari‐
2112 able does not already exist in the environment. This file
2113 is considered to be part of the security policy, its con‐
2114 tents are not subject to other sudo environment restric‐
2115 tions such as env_keep and env_check.
2116 exempt_group Users in this group are exempt from password and PATH
2118 requirements. The group name specified should not include
2119 a % prefix. This is not set by default.
2120 fdexec Determines whether sudo will execute a command by its path
2122 or by an open file descriptor. It has the following possi‐
2123 ble values:
2124 always Always execute by file descriptor.
2126 never Never execute by file descriptor.
2128 digest_only
2130 Only execute by file descriptor if the command has
2131 an associated digest in the sudoers file.
2132 The default value is digest_only. This avoids a time of
2134 check versus time of use race condition when the command is
2135 located in a directory writable by the invoking user.
2136 Note that fdexec will change the first element of the argu‐
2138 ment vector for scripts ($0 in the shell) due to the way
2139 the kernel runs script interpreters. Instead of being a
2140 normal path, it will refer to a file descriptor. For exam‐
2141 ple, /dev/fd/4 on Solaris and /proc/self/fd/4 on Linux. A
2142 workaround is to use the SUDO_COMMAND environment variable
2143 instead.
2144 The fdexec setting is only used when the command is matched
2146 by path name. It has no effect if the command is matched
2147 by the built-in ALL alias.
2148 This setting is only supported by version 1.8.20 or higher.
2150 If the operating system does not support the fexecve(2)
2151 system call, this setting has no effect.
2152 group_plugin A string containing a sudoers group plugin with optional
2154 arguments. The string should consist of the plugin path,
2155 either fully-qualified or relative to the /usr/libexec/sudo
2156 directory, followed by any configuration arguments the
2157 plugin requires. These arguments (if any) will be passed
2158 to the plugin's initialization function. If arguments are
2159 present, the string must be enclosed in double quotes ("").
2160 For more information see GROUP PROVIDER PLUGINS.
2162 lecture This option controls when a short lecture will be printed
2164 along with the password prompt. It has the following pos‐
2165 sible values:
2166 always Always lecture the user.
2168 never Never lecture the user.
2170 once Only lecture the user the first time they run sudo.
2172 If no value is specified, a value of once is implied.
2174 Negating the option results in a value of never being used.
2175 The default value is once.
2176 lecture_file Path to a file containing an alternate sudo lecture that
2178 will be used in place of the standard lecture if the named
2179 file exists. By default, sudo uses a built-in lecture.
2180 listpw This option controls when a password will be required when
2182 a user runs sudo with the -l option. It has the following
2183 possible values:
2184 all All the user's sudoers file entries for the cur‐
2186 rent host must have the NOPASSWD flag set to
2187 avoid entering a password.
2188 always The user must always enter a password to use the
2190 -l option.
2191 any At least one of the user's sudoers file entries
2193 for the current host must have the NOPASSWD flag
2194 set to avoid entering a password.
2195 never The user need never enter a password to use the
2197 -l option.
2198 If no value is specified, a value of any is implied.
2200 Negating the option results in a value of never being used.
2201 The default value is any.
2202 log_format The event log format. Supported log formats are:
2204 json Logs in JSON format. JSON log entries contain
2206 the full user details as well as the execution
2207 environment if the command was allowed. Due to
2208 limitations of the protocol, JSON events sent via
2209 syslog may be truncated.
2210 sudo Traditional sudo-style logs, see LOG FORMAT for a
2212 description of the log file format.
2213 This setting affects logs sent via syslog(3) as well as the
2215 file specified by the logfile setting, if any. The default
2216 value is sudo.
2217 logfile Path to the sudo log file (not the syslog log file). Set‐
2219 ting a path turns on logging to a file; negating this
2220 option turns it off. By default, sudo logs via syslog.
2221 mailerflags Flags to use when invoking mailer. Defaults to -t.
2223 mailerpath Path to mail program used to send warning mail. Defaults
2225 to the path to sendmail found at configure time.
2226 mailfrom Address to use for the “from” address when sending warning
2228 and error mail. The address should be enclosed in double
2229 quotes ("") to protect against sudo interpreting the @
2230 sign. Defaults to the name of the user running sudo.
2231 mailto Address to send warning and error mail to. The address
2233 should be enclosed in double quotes ("") to protect against
2234 sudo interpreting the @ sign. Defaults to root.
2235 restricted_env_file
2237 The restricted_env_file option specifies the fully quali‐
2238 fied path to a file containing variables to be set in the
2239 environment of the program being run. Entries in this file
2240 should either be of the form “VARIABLE=value” or “export
2241 VARIABLE=value”. The value may optionally be enclosed in
2242 single or double quotes. Variables in this file are only
2243 added if the variable does not already exist in the envi‐
2244 ronment. Unlike env_file, the file's contents are not
2245 trusted and are processed in a manner similar to that of
2246 the invoking user's environment. If env_reset is enabled,
2247 variables in the file will only be added if they are
2248 matched by either the env_check or env_keep list. If
2249 env_reset is disabled, variables in the file are added as
2250 long as they are not matched by the env_delete list. In
2251 either case, the contents of restricted_env_file are pro‐
2252 cessed before the contents of env_file.
2253 runchroot If set, sudo will use this value for the root directory
2255 when running a command. The special value “*” will allow
2256 the user to specify the root directory via sudo's -R
2257 option. See the Chroot_Spec section for more details.
2258 It is only possible to use runchroot as a command-specific
2260 Defaults setting if the command exists with the same path
2261 both inside and outside the chroot jail. This restriction
2262 does not apply to generic, host or user-based Defaults set‐
2263 tings or to a Cmnd_Spec that includes a Chroot_Spec.
2264 This setting is only supported by version 1.9.3 or higher.
2266 runcwd If set, sudo will use this value for the working directory
2268 when running a command. The special value “*” will allow
2269 the user to specify the working directory via sudo's -D
2270 option. See the Chdir_Spec section for more details.
2271 This setting is only supported by version 1.9.3 or higher.
2273 secure_path If set, sudo will use this value in place of the user's
2275 PATH environment variable. This option can be used to
2276 reset the PATH to a known good value that contains directo‐
2277 ries for system administrator commands such as /usr/sbin.
2278 Users in the group specified by the exempt_group option are
2280 not affected by secure_path. This option is not set by
2281 default.
2282 syslog Syslog facility if syslog is being used for logging (negate
2284 to disable syslog logging). Defaults to authpriv.
2285 The following syslog facilities are supported: authpriv (if
2287 your OS supports it), auth, daemon, user, local0, local1,
2288 local2, local3, local4, local5, local6, and local7.
2289 syslog_badpri
2291 Syslog priority to use when the user is not allowed to run
2292 a command or when authentication is unsuccessful. Defaults
2293 to alert.
2294 The following syslog priorities are supported: alert, crit,
2296 debug, emerg, err, info, notice, warning, and none. Negat‐
2297 ing the option or setting it to a value of none will dis‐
2298 able logging of unsuccessful commands.
2299 syslog_goodpri
2301 Syslog priority to use when the user is allowed to run a
2302 command and authentication is successful. Defaults to
2303 notice.
2304 See syslog_badpri for the list of supported syslog priori‐
2306 ties. Negating the option or setting it to a value of none
2307 will disable logging of successful commands.
2308 verifypw This option controls when a password will be required when
2310 a user runs sudo with the -v option. It has the following
2311 possible values:
2312 all All the user's sudoers file entries for the current
2314 host must have the NOPASSWD flag set to avoid
2315 entering a password.
2316 always The user must always enter a password to use the -v
2318 option.
2319 any At least one of the user's sudoers file entries for
2321 the current host must have the NOPASSWD flag set to
2322 avoid entering a password.
2323 never The user need never enter a password to use the -v
2325 option.
2326 If no value is specified, a value of all is implied.
2328 Negating the option results in a value of never being used.
2329 The default value is all.
2330 Lists that can be used in a boolean context:
2332 env_check Environment variables to be removed from the user's
2334 environment unless they are considered “safe”. For all
2335 variables except TZ, “safe” means that the variable's
2336 value does not contain any ‘%’ or ‘/’ characters. This
2337 can be used to guard against printf-style format vul‐
2338 nerabilities in poorly-written programs. The TZ vari‐
2339 able is considered unsafe if any of the following are
2340 true:
2341 · It consists of a fully-qualified path name, option‐
2343 ally prefixed with a colon (‘:’), that does not
2344 match the location of the zoneinfo directory.
2345 · It contains a .. path element.
2347 · It contains white space or non-printable characters.
2349 · It is longer than the value of PATH_MAX.
2351 The argument may be a double-quoted, space-separated
2353 list or a single value without double-quotes. The list
2354 can be replaced, added to, deleted from, or disabled by
2355 using the =, +=, -=, and ! operators respectively.
2356 Regardless of whether the env_reset option is enabled
2357 or disabled, variables specified by env_check will be
2358 preserved in the environment if they pass the aforemen‐
2359 tioned check. The global list of environment variables
2360 to check is displayed when sudo is run by root with the
2361 -V option.
2362 env_delete Environment variables to be removed from the user's
2364 environment when the env_reset option is not in effect.
2365 The argument may be a double-quoted, space-separated
2366 list or a single value without double-quotes. The list
2367 can be replaced, added to, deleted from, or disabled by
2368 using the =, +=, -=, and ! operators respectively. The
2369 global list of environment variables to remove is dis‐
2370 played when sudo is run by root with the -V option.
2371 Note that many operating systems will remove poten‐
2372 tially dangerous variables from the environment of any
2373 set-user-ID process (such as sudo).
2374 env_keep Environment variables to be preserved in the user's
2376 environment when the env_reset option is in effect.
2377 This allows fine-grained control over the environment
2378 sudo-spawned processes will receive. The argument may
2379 be a double-quoted, space-separated list or a single
2380 value without double-quotes. The list can be replaced,
2381 added to, deleted from, or disabled by using the =, +=,
2382 -=, and ! operators respectively. The global list of
2383 variables to keep is displayed when sudo is run by root
2384 with the -V option.
2385 Preserving the HOME environment variable has security
2387 implications since many programs use it when searching
2388 for configuration or data files. Adding HOME to
2389 env_keep may enable a user to run unrestricted commands
2390 via sudo and is strongly discouraged. Users wishing to
2391 edit files with sudo should run sudoedit (or sudo -e)
2392 to get their accustomed editor configuration instead of
2393 invoking the editor directly.
2394 log_servers A list of one or more servers to use for remote event
2396 and I/O log storage, separated by white space. Log
2397 servers must be running sudo_logsrvd or another service
2398 that implements the protocol described by
2399 sudo_logsrv.proto(5).
2400 Server addresses should be of the form
2402 “host[:port][(tls)]”. The host portion may be a host
2403 name, an IPv4 address, or an IPv6 address in square
2404 brackets.
2405 If the optional tls flag is present, the connection
2407 will be secured with Transport Layer Security (TLS)
2408 version 1.2 or 1.3. Versions of TLS prior to 1.2 are
2409 not supported.
2410 If a port is specified, it may either be a port number
2412 or a well-known service name as defined by the system
2413 service name database. If no port is specified, port
2414 30343 will be used for plaintext connections and port
2415 30344 will be used for TLS connections.
2416 When log_servers is set, event log data will be logged
2418 both locally (see the syslog and log_file settings) as
2419 well as remotely, but I/O log data will only be logged
2420 remotely. If multiple hosts are specified, they will
2421 be attempted in reverse order. If no log servers are
2422 available, the user will not be able to run a command
2423 unless either the ignore_iolog_errors flag (I/O logging
2424 enabled) or the ignore_log_errors flag (I/O logging
2425 disabled) is set. Likewise, if the connection to the
2426 log server is interrupted while sudo is running, the
2427 command will be terminated unless the
2428 ignore_iolog_errors flag (I/O logging enabled) or the
2429 ignore_log_errors flag (I/O logging disabled) is set.
2430 This setting is only supported by version 1.9.0 or
2432 higher.
2433
2435 The sudoers plugin supports its own plugin interface to allow non-Unix
2436 group lookups which can query a group source other than the standard Unix
2437 group database. This can be used to implement support for the
2438 nonunix_group syntax described earlier.
2439 Group provider plugins are specified via the group_plugin setting. The
2441 argument to group_plugin should consist of the plugin path, either fully-
2442 qualified or relative to the /usr/libexec/sudo directory, followed by any
2443 configuration options the plugin requires. These options (if specified)
2444 will be passed to the plugin's initialization function. If options are
2445 present, the string must be enclosed in double quotes ("").
2446 The following group provider plugins are installed by default:
2448 group_file
2450 The group_file plugin supports an alternate group file that
2451 uses the same syntax as the /etc/group file. The path to the
2452 group file should be specified as an option to the plugin. For
2453 example, if the group file to be used is /etc/sudo-group:
2454 Defaults group_plugin="group_file.so /etc/sudo-group"
2456 system_group
2458 The system_group plugin supports group lookups via the standard
2459 C library functions getgrnam() and getgrid(). This plugin can
2460 be used in instances where the user belongs to groups not
2461 present in the user's supplemental group vector. This plugin
2462 takes no options:
2463 Defaults group_plugin=system_group.so
2465 The group provider plugin API is described in detail in sudo_plugin(5).
2467
2469 sudoers can log events in either JSON or sudo format, this section
2470 describes the sudo log format. Depending on sudoers configuration,
2471 sudoers can log events via syslog(3), to a local log file, or both. The
2472 log format is almost identical in both cases.
2473 Accepted command log entries
2475 Commands that sudo runs are logged using the following format (split into
2476 multiple lines for readability):
2477 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
2479 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2480 ENV=env_vars COMMAND=command
2481 Where the fields are as follows:
2483 date The date the command was run. Typically, this is in the
2485 format “MMM, DD, HH:MM:SS”. If logging via syslog(3), the
2486 actual date format is controlled by the syslog daemon. If
2487 logging to a file and the log_year option is enabled, the
2488 date will also include the year.
2489 hostname The name of the host sudo was run on. This field is only
2491 present when logging via syslog(3).
2492 progname The name of the program, usually sudo or sudoedit. This
2494 field is only present when logging via syslog(3).
2495 username The login name of the user who ran sudo.
2497 ttyname The short name of the terminal (e.g., “console”, “tty01”,
2499 or “pts/0”) sudo was run on, or “unknown” if there was no
2500 terminal present.
2501 cwd The current working directory that sudo was run in.
2503 runasuser The user the command was run as.
2505 runasgroup The group the command was run as if one was specified on
2507 the command line.
2508 logid An I/O log identifier that can be used to replay the com‐
2510 mand's output. This is only present when the log_input or
2511 log_output option is enabled.
2512 env_vars A list of environment variables specified on the command
2514 line, if specified.
2515 command The actual command that was executed.
2517 Messages are logged using the locale specified by sudoers_locale, which
2519 defaults to the “C” locale.
2520 Denied command log entries
2522 If the user is not allowed to run the command, the reason for the denial
2523 will follow the user name. Possible reasons include:
2524 user NOT in sudoers
2526 The user is not listed in the sudoers file.
2527 user NOT authorized on host
2529 The user is listed in the sudoers file but is not allowed to run com‐
2530 mands on the host.
2531 command not allowed
2533 The user is listed in the sudoers file for the host but they are not
2534 allowed to run the specified command.
2535 3 incorrect password attempts
2537 The user failed to enter their password after 3 tries. The actual num‐
2538 ber of tries will vary based on the number of failed attempts and the
2539 value of the passwd_tries option.
2540 a password is required
2542 The -n option was specified but a password was required.
2543 sorry, you are not allowed to set the following environment variables
2545 The user specified environment variables on the command line that were
2546 not allowed by sudoers.
2547 Error log entries
2549 If an error occurs, sudoers will log a message and, in most cases, send a
2550 message to the administrator via email. Possible errors include:
2551 parse error in /etc/sudoers near line N
2553 sudoers encountered an error when parsing the specified file. In some
2554 cases, the actual error may be one line above or below the line number
2555 listed, depending on the type of error.
2556 problem with defaults entries
2558 The sudoers file contains one or more unknown Defaults settings. This
2559 does not prevent sudo from running, but the sudoers file should be
2560 checked using visudo.
2561 timestamp owner (username): No such user
2563 The time stamp directory owner, as specified by the timestampowner set‐
2564 ting, could not be found in the password database.
2565 unable to open/read /etc/sudoers
2567 The sudoers file could not be opened for reading. This can happen when
2568 the sudoers file is located on a remote file system that maps user-ID 0
2569 to a different value. Normally, sudoers tries to open the sudoers file
2570 using group permissions to avoid this problem. Consider either chang‐
2571 ing the ownership of /etc/sudoers or adding an argument like
2572 “sudoers_uid=N” (where ‘N’ is the user-ID that owns the sudoers file)
2573 to the end of the sudoers Plugin line in the sudo.conf(5) file.
2574 unable to stat /etc/sudoers
2576 The /etc/sudoers file is missing.
2577 /etc/sudoers is not a regular file
2579 The /etc/sudoers file exists but is not a regular file or symbolic
2580 link.
2581 /etc/sudoers is owned by uid N, should be 0
2583 The sudoers file has the wrong owner. If you wish to change the
2584 sudoers file owner, please add “sudoers_uid=N” (where ‘N’ is the user-
2585 ID that owns the sudoers file) to the sudoers Plugin line in the
2586 sudo.conf(5) file.
2587 /etc/sudoers is world writable
2589 The permissions on the sudoers file allow all users to write to it.
2590 The sudoers file must not be world-writable, the default file mode is
2591 0440 (readable by owner and group, writable by none). The default mode
2592 may be changed via the “sudoers_mode” option to the sudoers Plugin line
2593 in the sudo.conf(5) file.
2594 /etc/sudoers is owned by gid N, should be 1
2596 The sudoers file has the wrong group ownership. If you wish to change
2597 the sudoers file group ownership, please add “sudoers_gid=N” (where ‘N’
2598 is the group-ID that owns the sudoers file) to the sudoers Plugin line
2599 in the sudo.conf(5) file.
2600 unable to open /run/sudo/ts/username
2602 sudoers was unable to read or create the user's time stamp file. This
2603 can happen when timestampowner is set to a user other than root and the
2604 mode on /run/sudo is not searchable by group or other. The default
2605 mode for /run/sudo is 0711.
2606 unable to write to /run/sudo/ts/username
2608 sudoers was unable to write to the user's time stamp file.
2609 /run/sudo/ts is owned by uid X, should be Y
2611 The time stamp directory is owned by a user other than timestampowner.
2612 This can occur when the value of timestampowner has been changed.
2613 sudoers will ignore the time stamp directory until the owner is cor‐
2614 rected.
2615 /run/sudo/ts is group writable
2617 The time stamp directory is group-writable; it should be writable only
2618 by timestampowner. The default mode for the time stamp directory is
2619 0700. sudoers will ignore the time stamp directory until the mode is
2620 corrected.
2621 Notes on logging via syslog
2623 By default, sudoers logs messages via syslog(3). The date, hostname, and
2624 progname fields are added by the system's syslog() function, not sudoers
2625 itself. As such, they may vary in format on different systems.
2626 The maximum size of syslog messages varies from system to system. The
2628 syslog_maxlen setting can be used to change the maximum syslog message
2629 size from the default value of 980 bytes. For more information, see the
2630 description of syslog_maxlen.
2631 Notes on logging to a file
2633 If the logfile option is set, sudoers will log to a local file, such as
2634 /var/log/sudo. When logging to a file, sudoers uses a format similar to
2635 syslog(3), with a few important differences:
2636 1. The progname and hostname fields are not present.
2638 2. If the log_year option is enabled, the date will also include the
2640 year.
2641 3. Lines that are longer than loglinelen characters (80 by default) are
2643 word-wrapped and continued on the next line with a four character
2644 indent. This makes entries easier to read for a human being, but
2645 makes it more difficult to use grep(1) on the log files. If the
2646 loglinelen option is set to 0 (or negated with a ‘!’), word wrap
2647 will be disabled.
2648
2650 When I/O logging is enabled, sudo will run the command in a pseudo-termi‐
2651 nal and log all user input and/or output, depending on which options are
2652 enabled. I/O can be logged either to the local machine or to a remote
2653 log server. For local logs, I/O is logged to the directory specified by
2654 the iolog_dir option (/var/log/sudo-io by default) using a unique session
2655 ID that is included in the sudo log line, prefixed with “TSID=”. The
2656 iolog_file option may be used to control the format of the session ID.
2657 For remote logs, the log_servers setting is used to specify one or more
2658 log servers running sudo_logsrvd or another server that implements the
2659 protocol described by sudo_logsrv.proto(5).
2660 For both local and remote I/O logs, each log is stored in a separate
2662 directory that contains the following files:
2663 log A text file containing information about the command. The
2665 first line consists of the following colon-delimited fields:
2666 the time the command was run, the name of the user who ran
2667 sudo, the name of the target user, the name of the target group
2668 (optional), the terminal that sudo was run from, and the number
2669 of lines and columns of the terminal. The second and third
2670 lines contain the working directory the command was run from
2671 and the path name of the command itself (with arguments if
2672 present).
2673 log.json A JSON-formatted file containing information about the command.
2675 This is similar to the log file but contains additional infor‐
2676 mation and is easily extensible. The log.json file will be
2677 used by sudoreplay(8) in preference to the log file if it
2678 exists. The file may contain the following elements:
2679 timestamp
2681 A JSON object containing time the command was run.
2682 It consists of two values, seconds and nanoseconds.
2683 columns The number of columns of the terminal the command ran
2685 on, or zero if no terminal was present.
2686 command The fully-qualified path of the command that was run.
2688 lines The number of lines of the terminal the command ran
2690 on, or zero if no terminal was present.
2691 runargv A JSON array representing the command's argument vec‐
2693 tor as passed to the execve(2) system call.
2694 runenv A JSON array representing the command's environment
2696 as passed to the execve(2) system call.
2697 rungid The group ID the command ran as. This element is
2699 only present when the user specifies a group on the
2700 command line.
2701 rungroup The name of the group the command ran as. This ele‐
2703 ment is only present when the user specifies a group
2704 on the command line.
2705 runuid The user ID the command ran as.
2707 runuser The name of the user the command ran as.
2709 submitcwd
2711 The current working directory at the time sudo was
2712 run.
2713 submithost
2715 The name of the host the command was run on.
2716 submituser
2718 The name of the user who ran the command via sudo.
2719 ttyname The path name of the terminal the user invoked sudo
2721 from. If the command was run in a pseudo-terminal,
2722 ttyname will be different from the terminal the com‐
2723 mand actually ran in.
2724 timing Timing information used to replay the session. Each line con‐
2726 sists of the I/O log entry type and amount of time since the
2727 last entry, followed by type-specific data. The I/O log entry
2728 types and their corresponding type-specific data are:
2729 0 standard input, number of bytes in the entry
2731 1 standard output, number of bytes in the entry
2732 2 standard error, number of bytes in the entry
2733 3 terminal input, number of bytes in the entry
2734 4 terminal output, number of bytes in the entry
2735 5 window change, new number lines and columns
2736 6 bug compatibility for sudo 1.8.7 terminal output
2737 7 command suspend or resume, signal received
2738 ttyin Raw input from the user's terminal, exactly as it was received.
2740 No post-processing is performed. For manual viewing, you may
2741 wish to convert carriage return characters in the log to line
2742 feeds. For example: ‘gunzip -c ttyin | tr "\r" "\n"’
2743 stdin The standard input when no terminal is present, or input redi‐
2745 rected from a pipe or file.
2746 ttyout Output from the pseudo-terminal (what the command writes to the
2748 screen). Note that terminal-specific post-processing is per‐
2749 formed before the data is logged. This means that, for exam‐
2750 ple, line feeds are usually converted to line feed/carriage
2751 return pairs and tabs may be expanded to spaces.
2752 stdout The standard output when no terminal is present, or output
2754 redirected to a pipe or file.
2755 stderr The standard error redirected to a pipe or file.
2757 All files other than log are compressed in gzip format unless the
2759 compress_io flag has been disabled. Due to buffering, it is not normally
2760 possible to display the I/O logs in real-time as the program is execut‐
2761 ing. The I/O log data will not be complete until the program run by sudo
2762 has exited or has been terminated by a signal. The iolog_flush flag can
2763 be used to disable buffering, in which case I/O log data is written to
2764 disk as soon as it is available. The output portion of an I/O log file
2765 can be viewed with the sudoreplay(8) utility, which can also be used to
2766 list or search the available logs.
2767 Note that user input may contain sensitive information such as passwords
2769 (even if they are not echoed to the screen), which will be stored in the
2770 log file unencrypted. In most cases, logging the command output via
2771 log_output or LOG_OUTPUT is all that is required.
2772 Since each session's I/O logs are stored in a separate directory, tradi‐
2774 tional log rotation utilities cannot be used to limit the number of I/O
2775 logs. The simplest way to limit the number of I/O is by setting the
2776 maxseq option to the maximum number of logs you wish to store. Once the
2777 I/O log sequence number reaches maxseq, it will be reset to zero and
2778 sudoers will truncate and re-use any existing I/O logs.
2779
2781 /etc/sudo.conf Sudo front end configuration
2782 /etc/sudoers List of who can run what
2784 /etc/group Local groups file
2786 /etc/netgroup List of network groups
2788 /var/log/sudo-io I/O log files
2790 /run/sudo/ts Directory containing time stamps for the
2792 sudoers security policy
2793 /var/db/sudo/lectured Directory containing lecture status files for
2795 the sudoers security policy
2796 /etc/environment Initial environment for -i mode on AIX and
2798 Linux systems
2799
2801 Below are example sudoers file entries. Admittedly, some of these are a
2802 bit contrived. First, we allow a few environment variables to pass and
2803 then define our aliases:
2804 # Run X applications through sudo; HOME is used to find the
2806 # .Xauthority file. Note that other programs use HOME to find
2807 # configuration files and this may lead to privilege escalation!
2808 Defaults env_keep += "DISPLAY HOME"
2809 # User alias specification
2811 User_Alias FULLTIMERS = millert, mikef, dowdy
2812 User_Alias PARTTIMERS = bostley, jwfox, crawl
2813 User_Alias WEBADMIN = will, wendy, wim
2814 # Runas alias specification
2816 Runas_Alias OP = root, operator
2817 Runas_Alias DB = oracle, sybase
2818 Runas_Alias ADMINGRP = adm, oper
2819 # Host alias specification
2821 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
2822 SGI = grolsch, dandelion, black :\
2823 ALPHA = widget, thalamus, foobar :\
2824 HPPA = boa, nag, python
2825 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
2826 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
2827 Host_Alias SERVERS = primary, mail, www, ns
2828 Host_Alias CDROM = orion, perseus, hercules
2829 # Cmnd alias specification
2831 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
2832 /usr/sbin/restore, /usr/sbin/rrestore,\
2833 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
2834 /home/operator/bin/start_backups
2835 Cmnd_Alias KILL = /usr/bin/kill
2836 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
2837 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
2838 Cmnd_Alias HALT = /usr/sbin/halt
2839 Cmnd_Alias REBOOT = /usr/sbin/reboot
2840 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
2841 /usr/local/bin/tcsh, /usr/bin/rsh,\
2842 /usr/local/bin/zsh
2843 Cmnd_Alias SU = /usr/bin/su
2844 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
2845 Here we override some of the compiled in default values. We want sudo to
2847 log via syslog(3) using the auth facility in all cases and for commands
2848 to be run with the target user's home directory as the working directory.
2849 We don't want to subject the full time staff to the sudo lecture and we
2850 want to allow them to run commands in a chroot(2) “sandbox” via the -R
2851 option. User millert need not provide a password and we don't want to
2852 reset the LOGNAME or USER environment variables when running commands as
2853 root. Additionally, on the machines in the SERVERS Host_Alias, we keep
2854 an additional local log file and make sure we log the year in each log
2855 line since the log entries will be kept around for several years.
2856 Lastly, we disable shell escapes for the commands in the PAGERS
2857 Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). Note that
2858 this will not effectively constrain users with sudo ALL privileges.
2859 # Override built-in defaults
2861 Defaults syslog=auth,runcwd=~
2862 Defaults>root !set_logname
2863 Defaults:FULLTIMERS !lecture,runchroot=*
2864 Defaults:millert !authenticate
2865 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
2866 Defaults!PAGERS noexec
2867 The User specification is the part that actually determines who may run
2869 what.
2870 root ALL = (ALL) ALL
2872 %wheel ALL = (ALL) ALL
2873 We let root and any user in group wheel run any command on any host as
2875 any user.
2876 FULLTIMERS ALL = NOPASSWD: ALL
2878 Full time sysadmins (millert, mikef, and dowdy) may run any command on
2880 any host without authenticating themselves.
2881 PARTTIMERS ALL = ALL
2883 Part time sysadmins bostley, jwfox, and crawl) may run any command on any
2885 host but they must authenticate themselves first (since the entry lacks
2886 the NOPASSWD tag).
2887 jack CSNETS = ALL
2889 The user jack may run any command on the machines in the CSNETS alias
2891 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
2892 networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
2893 indicating it is a class C network. For the other networks in CSNETS,
2894 the local machine's netmask will be used during matching.
2895 lisa CUNETS = ALL
2897 The user lisa may run any command on any host in the CUNETS alias (the
2899 class B network 128.138.0.0).
2900 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
2902 sudoedit /etc/printcap, /usr/oper/bin/
2903 The operator user may run commands limited to simple maintenance. Here,
2905 those are commands related to backups, killing processes, the printing
2906 system, shutting down the system, and any commands in the directory
2907 /usr/oper/bin/. Note that one command in the DUMPS Cmnd_Alias includes a
2908 sha224 digest, /home/operator/bin/start_backups. This is because the
2909 directory containing the script is writable by the operator user. If the
2910 script is modified (resulting in a digest mismatch) it will no longer be
2911 possible to run it via sudo.
2912 joe ALL = /usr/bin/su operator
2914 The user joe may only su(1) to operator.
2916 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
2918 %opers ALL = (: ADMINGRP) /usr/sbin/
2920 Users in the opers group may run commands in /usr/sbin/ as themselves
2922 with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
2923 The user pete is allowed to change anyone's password except for root on
2925 the HPPA machines. Because command line arguments are matched as a sin‐
2926 gle, concatenated string, the ‘*’ wildcard will match multiple words.
2927 This example assumes that passwd(1) does not take multiple user names on
2928 the command line. Note that on GNU systems, options to passwd(1) may be
2929 specified after the user argument. As a result, this rule will also
2930 allow:
2931 passwd username --expire
2933 which may not be desirable.
2935 bob SPARC = (OP) ALL : SGI = (OP) ALL
2937 The user bob may run anything on the SPARC and SGI machines as any user
2939 listed in the OP Runas_Alias (root and operator.)
2940 jim +biglab = ALL
2942 The user jim may run any command on machines in the biglab netgroup.
2944 sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
2945 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
2947 Users in the secretaries netgroup need to help manage the printers as
2949 well as add and remove users, so they are allowed to run those commands
2950 on all machines.
2951 fred ALL = (DB) NOPASSWD: ALL
2953 The user fred can run commands as any user in the DB Runas_Alias (oracle
2955 or sybase) without giving a password.
2956 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
2958 On the ALPHA machines, user john may su to anyone except root but he is
2960 not allowed to specify any options to the su(1) command.
2961 jen ALL, !SERVERS = ALL
2963 The user jen may run any command on any machine except for those in the
2965 SERVERS Host_Alias (primary, mail, www and ns).
2966 jill SERVERS = /usr/bin/, !SU, !SHELLS
2968 For any machine in the SERVERS Host_Alias, jill may run any commands in
2970 the directory /usr/bin/ except for those commands belonging to the SU and
2971 SHELLS Cmnd_Aliases. While not specifically mentioned in the rule, the
2972 commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
2973 noexec option set.
2974 steve CSNETS = (operator) /usr/local/op_commands/
2976 The user steve may run any command in the directory /usr/local/op_com‐
2978 mands/ but only as user operator.
2979 matt valkyrie = KILL
2981 On his personal workstation, valkyrie, matt needs to be able to kill hung
2983 processes.
2984 WEBADMIN www = (www) ALL, (root) /usr/bin/su www
2986 On the host www, any user in the WEBADMIN User_Alias (will, wendy, and
2988 wim), may run any command as user www (which owns the web pages) or sim‐
2989 ply su(1) to www.
2990 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
2992 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
2993 Any user may mount or unmount a CD-ROM on the machines in the CDROM
2995 Host_Alias (orion, perseus, hercules) without entering a password. This
2996 is a bit tedious for users to type, so it is a prime candidate for encap‐
2997 sulating in a shell script.
2998
3000 Limitations of the ‘!’ operator
3001 It is generally not effective to “subtract” commands from ALL using the
3002 ‘!’ operator. A user can trivially circumvent this by copying the
3003 desired command to a different name and then executing that. For exam‐
3004 ple:
3005 bill ALL = ALL, !SU, !SHELLS
3007 Doesn't really prevent bill from running the commands listed in SU or
3009 SHELLS since he can simply copy those commands to a different name, or
3010 use a shell escape from an editor or other program. Therefore, these
3011 kind of restrictions should be considered advisory at best (and rein‐
3012 forced by policy).
3013 In general, if a user has sudo ALL there is nothing to prevent them from
3015 creating their own program that gives them a root shell (or making their
3016 own copy of a shell) regardless of any ‘!’ elements in the user specifi‐
3017 cation.
3018 Security implications of fast_glob
3020 If the fast_glob option is in use, it is not possible to reliably negate
3021 commands where the path name includes globbing (aka wildcard) characters.
3022 This is because the C library's fnmatch(3) function cannot resolve rela‐
3023 tive paths. While this is typically only an inconvenience for rules that
3024 grant privileges, it can result in a security issue for rules that sub‐
3025 tract or revoke privileges.
3026 For example, given the following sudoers file entry:
3028 john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
3030 /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3031 User john can still run /usr/bin/passwd root if fast_glob is enabled by
3033 changing to /usr/bin and running ./passwd root instead.
3034 Preventing shell escapes
3036 Once sudo executes a program, that program is free to do whatever it
3037 pleases, including run other programs. This can be a security issue
3038 since it is not uncommon for a program to allow shell escapes, which lets
3039 a user bypass sudo's access control and logging. Common programs that
3040 permit shell escapes include shells (obviously), editors, paginators,
3041 mail and terminal programs.
3042 There are two basic approaches to this problem:
3044 restrict Avoid giving users access to commands that allow the user to
3046 run arbitrary commands. Many editors have a restricted mode
3047 where shell escapes are disabled, though sudoedit is a better
3048 solution to running editors via sudo. Due to the large number
3049 of programs that offer shell escapes, restricting users to the
3050 set of programs that do not is often unworkable.
3051 noexec Many systems that support shared libraries have the ability to
3053 override default library functions by pointing an environment
3054 variable (usually LD_PRELOAD) to an alternate shared library.
3055 On such systems, sudo's noexec functionality can be used to
3056 prevent a program run by sudo from executing any other pro‐
3057 grams. Note, however, that this applies only to dynamically-
3058 linked executables. Statically-linked executables and executa‐
3059 bles running under binary emulation are not affected.
3060 The noexec feature is known to work on SunOS, Solaris, *BSD,
3062 Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and
3063 above. It should be supported on most operating systems that
3064 support the LD_PRELOAD environment variable. Check your oper‐
3065 ating system's manual pages for the dynamic linker (usually
3066 ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
3067 LD_PRELOAD is supported.
3068 On Solaris 10 and higher, noexec uses Solaris privileges
3070 instead of the LD_PRELOAD environment variable.
3071 To enable noexec for a command, use the NOEXEC tag as docu‐
3073 mented in the User Specification section above. Here is that
3074 example again:
3075 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
3077 This allows user aaron to run /usr/bin/more and /usr/bin/vi
3079 with noexec enabled. This will prevent those two commands from
3080 executing other commands (such as a shell). If you are unsure
3081 whether or not your system is capable of supporting noexec you
3082 can always just try it out and check whether shell escapes work
3083 when noexec is enabled.
3084 Note that restricting shell escapes is not a panacea. Programs running
3086 as root are still capable of many potentially hazardous operations (such
3087 as changing or overwriting files) that could lead to unintended privilege
3088 escalation. In the specific case of an editor, a safer approach is to
3089 give the user permission to run sudoedit (see below).
3090 Secure editing
3092 The sudoers plugin includes sudoedit support which allows users to
3093 securely edit files with the editor of their choice. As sudoedit is a
3094 built-in command, it must be specified in the sudoers file without a
3095 leading path. However, it may take command line arguments just as a nor‐
3096 mal command does. Wildcards used in sudoedit command line arguments are
3097 expected to be path names, so a forward slash (‘/’) will not be matched
3098 by a wildcard.
3099 Unlike other sudo commands, the editor is run with the permissions of the
3101 invoking user and with the environment unmodified. More information may
3102 be found in the description of the -e option in sudo(8).
3103 For example, to allow user operator to edit the “message of the day”
3105 file:
3106 operator sudoedit /etc/motd
3108 The operator user then runs sudoedit as follows:
3110 $ sudoedit /etc/motd
3112 The editor will run as the operator user, not root, on a temporary copy
3114 of /etc/motd. After the file has been edited, /etc/motd will be updated
3115 with the contents of the temporary copy.
3116 Users should never be granted sudoedit permission to edit a file that
3118 resides in a directory the user has write access to, either directly or
3119 via a wildcard. If the user has write access to the directory it is pos‐
3120 sible to replace the legitimate file with a link to another file, allow‐
3121 ing the editing of arbitrary files. To prevent this, starting with ver‐
3122 sion 1.8.16, symbolic links will not be followed in writable directories
3123 and sudoedit will refuse to edit a file located in a writable directory
3124 unless the sudoedit_checkdir option has been disabled or the invoking
3125 user is root. Additionally, in version 1.8.15 and higher, sudoedit will
3126 refuse to open a symbolic link unless either the sudoedit_follow option
3127 is enabled or the sudoedit command is prefixed with the FOLLOW tag in the
3128 sudoers file.
3129 Time stamp file checks
3131 sudoers will check the ownership of its time stamp directory
3132 (/run/sudo/ts by default) and ignore the directory's contents if it is
3133 not owned by root or if it is writable by a user other than root. Older
3134 versions of sudo stored time stamp files in /tmp; this is no longer rec‐
3135 ommended as it may be possible for a user to create the time stamp them‐
3136 selves on systems that allow unprivileged users to change the ownership
3137 of files they create.
3138 While the time stamp directory should be cleared at reboot time, not all
3140 systems contain a /run or /var/run directory. To avoid potential prob‐
3141 lems, sudoers will ignore time stamp files that date from before the
3142 machine booted on systems where the boot time is available.
3143 Some systems with graphical desktop environments allow unprivileged users
3145 to change the system clock. Since sudoers relies on the system clock for
3146 time stamp validation, it may be possible on such systems for a user to
3147 run sudo for longer than timestamp_timeout by setting the clock back. To
3148 combat this, sudoers uses a monotonic clock (which never moves backwards)
3149 for its time stamps if the system supports it.
3150 sudoers will not honor time stamps set far in the future. Time stamps
3152 with a date greater than current_time + 2 * TIMEOUT will be ignored and
3153 sudoers will log and complain.
3154 If the timestamp_type option is set to “tty”, the time stamp record
3156 includes the device number of the terminal the user authenticated with.
3157 This provides per-terminal granularity but time stamp records may still
3158 outlive the user's session.
3159 Unless the timestamp_type option is set to “global”, the time stamp
3161 record also includes the session ID of the process that last authenti‐
3162 cated. This prevents processes in different terminal sessions from using
3163 the same time stamp record. On systems where a process's start time can
3164 be queried, the start time of the session leader is recorded in the time
3165 stamp record. If no terminal is present or the timestamp_type option is
3166 set to “ppid”, the start time of the parent process is used instead. In
3167 most cases this will prevent a time stamp record from being re-used with‐
3168 out the user entering a password when logging out and back in again.
3169
3171 Versions 1.8.4 and higher of the sudoers plugin support a flexible debug‐
3172 ging framework that can help track down what the plugin is doing inter‐
3173 nally if there is a problem. This can be configured in the sudo.conf(5)
3174 file.
3175 The sudoers plugin uses the same debug flag format as the sudo front-end:
3177 subsystem@priority.
3178 The priorities used by sudoers, in order of decreasing severity, are:
3180 crit, err, warn, notice, diag, info, trace and debug. Each priority,
3181 when specified, also includes all priorities higher than it. For exam‐
3182 ple, a priority of notice would include debug messages logged at notice
3183 and higher.
3184 The following subsystems are used by the sudoers plugin:
3186 alias User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
3188 all matches every subsystem
3190 audit BSM and Linux audit code
3192 auth user authentication
3194 defaults sudoers file Defaults settings
3196 env environment handling
3198 ldap LDAP-based sudoers
3200 logging logging support
3202 match matching of users, groups, hosts and netgroups in the sudoers
3204 file
3205 netif network interface handling
3207 nss network service switch handling in sudoers
3209 parser sudoers file parsing
3211 perms permission setting
3213 plugin The equivalent of main for the plugin.
3215 pty pseudo-terminal related code
3217 rbtree redblack tree internals
3219 sssd SSSD-based sudoers
3221 util utility functions
3223 For example:
3224 Debug sudo /var/log/sudo_debug match@info,nss@info
3226 For more information, see the sudo.conf(5) manual.
3228
3230 ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(5),
3231 sudo_plugin(5), sudoers.ldap(5), sudoers_timestamp(5), sudo(8), visudo(8)
3232
3234 Many people have worked on sudo over the years; this version consists of
3235 code written primarily by:
3236 Todd C. Miller
3238 See the CONTRIBUTORS file in the sudo distribution
3240 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
3241 who have contributed to sudo.
3242
3244 The sudoers file should always be edited by the visudo utility which
3245 locks the file and checks for syntax errors. If sudoers contains syntax
3246 errors, sudo may refuse to run, which is a serious problem if sudo is
3247 your only method of obtaining superuser privileges. Recent versions of
3248 sudoers will attempt to recover after a syntax error by ignoring the rest
3249 of the line after encountering an error. Older versions of sudo will not
3250 run if sudoers contains a syntax error.
3251 When using netgroups of machines (as opposed to users), if you store
3253 fully qualified host name in the netgroup (as is usually the case), you
3254 either need to have the machine's host name be fully qualified as
3255 returned by the hostname command or use the fqdn option in sudoers.
3256
3258 If you feel you have found a bug in sudo, please submit a bug report at
3259 https://bugzilla.sudo.ws/
3260
3262 Limited free support is available via the sudo-users mailing list, see
3263 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
3264 the archives.
3265
3267 sudo is provided “AS IS” and any express or implied warranties, includ‐
3268 ing, but not limited to, the implied warranties of merchantability and
3269 fitness for a particular purpose are disclaimed. See the LICENSE file
3270 distributed with sudo or https://www.sudo.ws/license.html for complete
3271 details.
3272Sudo 1.9.5p2 January 8, 2020 Sudo 1.9.5p2