1SUDOERS(5)                  BSD File Formats Manual                 SUDOERS(5)
2

NAME

4     sudoers — default sudo security policy plugin
5

DESCRIPTION

7     The sudoers policy plugin determines a user's sudo privileges.  It is the
8     default sudo policy plugin.  The policy is driven by the /etc/sudoers
9     file or, optionally in LDAP.  The policy format is described in detail in
10     the SUDOERS FILE FORMAT section.  For information on storing sudoers pol‐
11     icy information in LDAP, please see sudoers.ldap(5).
12
13   Configuring sudo.conf for sudoers
14     sudo consults the sudo.conf(5) file to determine which policy and I/O
15     logging plugins to load.  If no sudo.conf(5) file is present, or if it
16     contains no Plugin lines, sudoers will be used for policy decisions and
17     I/O logging.  To explicitly configure sudo.conf(5) to use the sudoers
18     plugin, the following configuration can be used.
19
20           Plugin sudoers_audit sudoers.so
21           Plugin sudoers_policy sudoers.so
22           Plugin sudoers_io sudoers.so
23
24     Starting with sudo 1.8.5, it is possible to specify optional arguments to
25     the sudoers plugin in the sudo.conf(5) file.  Plugin arguments, if any,
26     should be listed after the path to the plugin (i.e., after sudoers.so).
27     The arguments are only effective for the plugin that opens (and parses)
28     the sudoers file.
29
30     For sudo version 1.9.1 and higher, this is the sudoers_audit plugin.  For
31     older versions, it is the sudoers_policy plugin.  Multiple arguments may
32     be specified, separated by white space.  For example:
33
34           Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false
35
36     The following plugin arguments are supported:
37
38     error_recovery=bool
39               The error_recovery argument can be used to control whether
40               sudoers should attempt to recover from syntax errors in the
41               sudoers file.  If set to true (the default), sudoers will try
42               to recover from a syntax error by discarding the portion of the
43               line that contains the error until the end of the line.  A
44               value of false will disable error recovery.  Prior to version
45               1.9.3, no error recovery was performed.
46
47     ldap_conf=pathname
48               The ldap_conf argument can be used to override the default path
49               to the ldap.conf file.
50
51     ldap_secret=pathname
52               The ldap_secret argument can be used to override the default
53               path to the ldap.secret file.
54
55     sudoers_file=pathname
56               The sudoers_file argument can be used to override the default
57               path to the sudoers file.
58
59     sudoers_uid=uid
60               The sudoers_uid argument can be used to override the default
61               owner of the sudoers file.  It should be specified as a numeric
62               user-ID.
63
64     sudoers_gid=gid
65               The sudoers_gid argument can be used to override the default
66               group of the sudoers file.  It must be specified as a numeric
67               group-ID (not a group name).
68
69     sudoers_mode=mode
70               The sudoers_mode argument can be used to override the default
71               file mode for the sudoers file.  It should be specified as an
72               octal value.
73
74     For more information on configuring sudo.conf(5), please refer to its
75     manual.
76
77   User Authentication
78     The sudoers security policy requires that most users authenticate them‐
79     selves before they can use sudo.  A password is not required if the
80     invoking user is root, if the target user is the same as the invoking
81     user, or if the policy has disabled authentication for the user or com‐
82     mand.  Unlike su(1), when sudoers requires authentication, it validates
83     the invoking user's credentials, not the target user's (or root's) cre‐
84     dentials.  This can be changed via the rootpw, targetpw and runaspw
85     flags, described later.
86
87     If a user who is not listed in the policy tries to run a command via
88     sudo, mail is sent to the proper authorities.  The address used for such
89     mail is configurable via the mailto Defaults entry (described later) and
90     defaults to root.
91
92     Note that no mail will be sent if an unauthorized user tries to run sudo
93     with the -l or -v option unless there is an authentication error and
94     either the mail_always or mail_badpass flags are enabled.  This allows
95     users to determine for themselves whether or not they are allowed to use
96     sudo.  By default, all attempts to run sudo (successful or not) are
97     logged, regardless of whether or not mail is sent.
98
99     If sudo is run by root and the SUDO_USER environment variable is set, the
100     sudoers policy will use this value to determine who the actual user is.
101     This can be used by a user to log commands through sudo even when a root
102     shell has been invoked.  It also allows the -e option to remain useful
103     even when invoked via a sudo-run script or program.  Note, however, that
104     the sudoers file lookup is still done for root, not the user specified by
105     SUDO_USER.
106
107     sudoers uses per-user time stamp files for credential caching.  Once a
108     user has been authenticated, a record is written containing the user-ID
109     that was used to authenticate, the terminal session ID, the start time of
110     the session leader (or parent process) and a time stamp (using a mono‐
111     tonic clock if one is available).  The user may then use sudo without a
112     password for a short period of time (5 minutes unless overridden by the
113     timestamp_timeout option).  By default, sudoers uses a separate record
114     for each terminal, which means that a user's login sessions are authenti‐
115     cated separately.  The timestamp_type option can be used to select the
116     type of time stamp record sudoers will use.
117
118   Logging
119     By default, sudoers logs both successful and unsuccessful attempts (as
120     well as errors).  The log_allowed and log_denied flags can be used to
121     control this behavior.  Messages can be logged to syslog(3), a log file,
122     or both.  The default is to log to syslog(3) but this is configurable via
123     the syslog and logfile settings.  See LOG FORMAT for a description of the
124     log file format.
125
126     sudoers is also capable of running a command in a pseudo-terminal and
127     logging all input and/or output.  The standard input, standard output and
128     standard error can be logged even when not associated with a terminal.
129     I/O logging is not on by default but can be enabled using the log_input
130     and log_output options as well as the LOG_INPUT and LOG_OUTPUT command
131     tags.  See I/O LOG FILES for details on how I/O log files are stored.
132
133     Starting with version 1.9, the log_servers setting may be used to send
134     event and I/O log data to a remote server running sudo_logsrvd or another
135     service that implements the protocol described by sudo_logsrv.proto(5).
136
137   Command environment
138     Since environment variables can influence program behavior, sudoers pro‐
139     vides a means to restrict which variables from the user's environment are
140     inherited by the command to be run.  There are two distinct ways sudoers
141     can deal with environment variables.
142
143     By default, the env_reset flag is enabled.  This causes commands to be
144     executed with a new, minimal environment.  On AIX (and Linux systems
145     without PAM), the environment is initialized with the contents of the
146     /etc/environment file.  The HOME, MAIL, SHELL, LOGNAME and USER environ‐
147     ment variables are initialized based on the target user and the SUDO_*
148     variables are set based on the invoking user.  Additional variables, such
149     as DISPLAY, PATH and TERM, are preserved from the invoking user's envi‐
150     ronment if permitted by the env_check or env_keep options.  A few envi‐
151     ronment variables are treated specially.  If the PATH and TERM variables
152     are not preserved from the user's environment, they will be set to
153     default values.  The LOGNAME and USER are handled as a single entity.  If
154     one of them is preserved (or removed) from the user's environment, the
155     other will be as well.  If LOGNAME and USER are to be preserved but only
156     one of them is present in the user's environment, the other will be set
157     to the same value.  This avoids an inconsistent environment where one of
158     the variables describing the user name is set to the invoking user and
159     one is set to the target user.  Environment variables with a value begin‐
160     ning with () are removed unless both the name and value parts are matched
161     by env_keep or env_check, as they may be interpreted as functions by the
162     bash shell.  Prior to version 1.8.11, such variables were always removed.
163
164     If, however, the env_reset flag is disabled, any variables not explicitly
165     denied by the env_check and env_delete options are allowed and their val‐
166     ues are inherited from the invoking process.  Prior to version 1.8.21,
167     environment variables with a value beginning with () were always removed.
168     Beginning with version 1.8.21, a pattern in env_delete is used to match
169     bash shell functions instead.  Since it is not possible to block all
170     potentially dangerous environment variables, use of the default env_reset
171     behavior is encouraged.
172
173     Environment variables specified by env_check, env_delete, or env_keep may
174     include one or more ‘*’ characters which will match zero or more charac‐
175     ters.  No other wildcard characters are supported.
176
177     By default, environment variables are matched by name.  However, if the
178     pattern includes an equal sign (‘=’), both the variables name and value
179     must match.  For example, a bash shell function could be matched as fol‐
180     lows:
181
182         env_keep += "BASH_FUNC_my_func%%=()*"
183
184     Without the “=()*” suffix, this would not match, as bash shell functions
185     are not preserved by default.
186
187     The complete list of environment variables that are preserved or removed,
188     as modified by global Defaults parameters in sudoers, is displayed when
189     sudo is run by root with the -V option.  Please note that the list of
190     environment variables to remove varies based on the operating system sudo
191     is running on.
192
193     Other sudoers options may influence the command environment, such as
194     always_set_home, secure_path, set_logname, and set_home.
195
196     On systems that support PAM where the pam_env module is enabled for sudo,
197     variables in the PAM environment may be merged in to the environment.  If
198     a variable in the PAM environment is already present in the user's envi‐
199     ronment, the value will only be overridden if the variable was not pre‐
200     served by sudoers.  When env_reset is enabled, variables preserved from
201     the invoking user's environment by the env_keep list take precedence over
202     those in the PAM environment.  When env_reset is disabled, variables
203     present the invoking user's environment take precedence over those in the
204     PAM environment unless they match a pattern in the env_delete list.
205
206     Note that the dynamic linker on most operating systems will remove vari‐
207     ables that can control dynamic linking from the environment of set-user-
208     ID executables, including sudo.  Depending on the operating system this
209     may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
210     These type of variables are removed from the environment before sudo even
211     begins execution and, as such, it is not possible for sudo to preserve
212     them.
213
214     As a special case, if the -i option (initial login) is specified, sudoers
215     will initialize the environment regardless of the value of env_reset.
216     The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL,
217     USER, and LOGNAME are set based on the target user.  On AIX (and Linux
218     systems without PAM), the contents of /etc/environment are also included.
219     All other environment variables are removed unless permitted by env_keep
220     or env_check, described above.
221
222     Finally, the restricted_env_file and env_file files are applied, if
223     present.  The variables in restricted_env_file are applied first and are
224     subject to the same restrictions as the invoking user's environment, as
225     detailed above.  The variables in env_file are applied last and are not
226     subject to these restrictions.  In both cases, variables present in the
227     files will only be set to their specified values if they would not con‐
228     flict with an existing environment variable.
229

SUDOERS FILE FORMAT

231     The sudoers file is composed of two types of entries: aliases (basically
232     variables) and user specifications (which specify who may run what).
233
234     When multiple entries match for a user, they are applied in order.  Where
235     there are multiple matches, the last match is used (which is not neces‐
236     sarily the most specific match).
237
238     The sudoers file grammar will be described below in Extended Backus-Naur
239     Form (EBNF).  Don't despair if you are unfamiliar with EBNF; it is fairly
240     simple, and the definitions below are annotated.
241
242   Quick guide to EBNF
243     EBNF is a concise and exact way of describing the grammar of a language.
244     Each EBNF definition is made up of production rules.  E.g.,
245
246     symbol ::= definition | alternate1 | alternate2 ...
247
248     Each production rule references others and thus makes up a grammar for
249     the language.  EBNF also contains the following operators, which many
250     readers will recognize from regular expressions.  Do not, however, con‐
251     fuse them with “wildcard” characters, which have different meanings.
252
253     ?     Means that the preceding symbol (or group of symbols) is optional.
254           That is, it may appear once or not at all.
255
256     *     Means that the preceding symbol (or group of symbols) may appear
257           zero or more times.
258
259     +     Means that the preceding symbol (or group of symbols) may appear
260           one or more times.
261
262     Parentheses may be used to group symbols together.  For clarity, we will
263     use single quotes ('') to designate what is a verbatim character string
264     (as opposed to a symbol name).
265
266   Aliases
267     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
268     Cmnd_Alias.  Beginning with sudo 1.9.0, Cmd_Alias may be used in place of
269     Cmnd_Alias if desired.
270
271     Alias ::= 'User_Alias'  User_Alias_Spec (':' User_Alias_Spec)* |
272               'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
273               'Host_Alias'  Host_Alias_Spec (':' Host_Alias_Spec)* |
274               'Cmnd_Alias'  Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)* |
275               'Cmd_Alias'   Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*
276
277     User_Alias ::= NAME
278
279     User_Alias_Spec ::= User_Alias '=' User_List
280
281     Runas_Alias ::= NAME
282
283     Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
284
285     Host_Alias ::= NAME
286
287     Host_Alias_Spec ::= Host_Alias '=' Host_List
288
289     Cmnd_Alias ::= NAME
290
291     Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
292
293     NAME ::= [A-Z]([A-Z][0-9]_)*
294
295     Each alias definition is of the form
296
297     Alias_Type NAME = item1, item2, ...
298
299     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
300     Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and under‐
301     score characters (‘_’).  A NAME must start with an uppercase letter.  It
302     is possible to put several alias definitions of the same type on a single
303     line, joined by a colon (‘:’).  E.g.,
304
305     Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
306
307     It is a syntax error to redefine an existing alias.  It is possible to
308     use the same name for aliases of different types, but this is not recom‐
309     mended.
310
311     The definitions of what constitutes a valid alias member follow.
312
313     User_List ::= User |
314                   User ',' User_List
315
316     User ::= '!'* user name |
317              '!'* #uid |
318              '!'* %group |
319              '!'* %#gid |
320              '!'* +netgroup |
321              '!'* %:nonunix_group |
322              '!'* %:#nonunix_gid |
323              '!'* User_Alias
324
325     A User_List is made up of one or more user names, user-IDs (prefixed with
326     ‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’ respec‐
327     tively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
328     (prefixed with ‘%:’ and ‘%:#’ respectively) and User_Aliases. Each list
329     item may be prefixed with zero or more ‘!’ operators.  An odd number of
330     ‘!’ operators negate the value of the item; an even number just cancel
331     each other out.  User netgroups are matched using the user and domain
332     members only; the host member is not used when matching.
333
334     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
335     be enclosed in double quotes to avoid the need for escaping special char‐
336     acters.  Alternately, special characters may be specified in escaped hex
337     mode, e.g., \x20 for space.  When using double quotes, any prefix charac‐
338     ters must be included inside the quotes.
339
340     The actual nonunix_group and nonunix_gid syntax depends on the underlying
341     group provider plugin.  For instance, the QAS AD plugin supports the fol‐
342     lowing formats:
343
344     ·  Group in the same domain: "%:Group Name"
345
346     ·  Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
347
348     ·  Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
349
350     See GROUP PROVIDER PLUGINS for more information.
351
352     Note that quotes around group names are optional.  Unquoted strings must
353     use a backslash (‘\’) to escape spaces and special characters.  See Other
354     special characters and reserved words for a list of characters that need
355     to be escaped.
356
357     Runas_List ::= Runas_Member |
358                    Runas_Member ',' Runas_List
359
360     Runas_Member ::= '!'* user name |
361                      '!'* #uid |
362                      '!'* %group |
363                      '!'* %#gid |
364                      '!'* %:nonunix_group |
365                      '!'* %:#nonunix_gid |
366                      '!'* +netgroup |
367                      '!'* Runas_Alias
368
369     A Runas_List is similar to a User_List except that instead of
370     User_Aliases it can contain Runas_Aliases.  Note that user names and
371     groups are matched as strings.  In other words, two users (groups) with
372     the same user (group) ID are considered to be distinct.  If you wish to
373     match all user names with the same user-ID (e.g., root and toor), you can
374     use a user-ID instead of a name (#0 in the example given).  Note that the
375     user-ID or group-ID specified in a Runas_Member need not be listed in the
376     password or group database.
377
378     Host_List ::= Host |
379                   Host ',' Host_List
380
381     Host ::= '!'* host name |
382              '!'* ip_addr |
383              '!'* network(/netmask)? |
384              '!'* +netgroup |
385              '!'* Host_Alias
386
387     A Host_List is made up of one or more host names, IP addresses, network
388     numbers, netgroups (prefixed with ‘+’) and other aliases.  Again, the
389     value of an item may be negated with the ‘!’ operator.  Host netgroups
390     are matched using the host (both qualified and unqualified) and domain
391     members only; the user member is not used when matching.  If you specify
392     a network number without a netmask, sudo will query each of the local
393     host's network interfaces and, if the network number corresponds to one
394     of the hosts's network interfaces, will use the netmask of that inter‐
395     face.  The netmask may be specified either in standard IP address nota‐
396     tion (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
397     (number of bits, e.g., 24 or 64).  A host name may include shell-style
398     wildcards (see the Wildcards section below), but unless the host name
399     command on your machine returns the fully qualified host name, you'll
400     need to use the fqdn flag for wildcards to be useful.  Note that sudo
401     only inspects actual network interfaces; this means that IP address
402     127.0.0.1 (localhost) will never match.  Also, the host name “localhost”
403     will only match if that is the actual host name, which is usually only
404     the case for non-networked systems.
405
406     digest ::= [A-Fa-f0-9]+ |
407                [A-Za-z0-9\+/=]+
408
409     Digest_Spec ::= "sha224" ':' digest |
410                     "sha256" ':' digest |
411                     "sha384" ':' digest |
412                     "sha512" ':' digest
413
414     Digest_List ::= Digest_Spec |
415                     Digest_Spec ',' Digest_List
416
417     Cmnd_List ::= Cmnd |
418                   Cmnd ',' Cmnd_List
419
420     command name ::= file name |
421                      file name args |
422                      file name '""'
423
424     Edit_Spec ::= "sudoedit" file name+
425
426     Cmnd ::= Digest_List? '!'* command name |
427              '!'* directory |
428              '!'* Edit_Spec |
429              '!'* Cmnd_Alias
430
431     A Cmnd_List is a list of one or more command names, directories, and
432     other aliases.  A command name is a fully qualified file name which may
433     include shell-style wildcards (see the Wildcards section below).  A sim‐
434     ple file name allows the user to run the command with any arguments they
435     wish.  However, you may also specify command line arguments (including
436     wildcards).  Alternately, you can specify "" to indicate that the command
437     may only be run without command line arguments.  A directory is a fully
438     qualified path name ending in a ‘/’.  When you specify a directory in a
439     Cmnd_List, the user will be able to run any file within that directory
440     (but not in any sub-directories therein).
441
442     If a Cmnd has associated command line arguments, then the arguments in
443     the Cmnd must match exactly those given by the user on the command line
444     (or match the wildcards if there are any).  Note that the following char‐
445     acters must be escaped with a ‘\’ if they are used in command arguments:
446     ‘,’, ‘:’, ‘=’, ‘\’.  The built-in command “sudoedit” is used to permit a
447     user to run sudo with the -e option (or as sudoedit).  It may take com‐
448     mand line arguments just as a normal command does.  Note that “sudoedit”
449     is a command built into sudo itself and must be specified in the sudoers
450     file without a leading path.  If a leading path is present, for example
451     /usr/bin/sudoedit, the path name will be silently converted to
452     “sudoedit”.  A fully-qualified path for sudoedit is treated as an error
453     by visudo.
454
455     A command name may be preceded by a Digest_List, a comma-separated list
456     of one or more Digest_Spec entries.  If a Digest_List is present, the
457     command will only match successfully if it can be verified using one of
458     the SHA-2 digests in the list.  Starting with version 1.9.0, the ALL
459     reserved word can be used in conjunction with a Digest_List.  The follow‐
460     ing digest formats are supported: sha224, sha256, sha384 and sha512.  The
461     string may be specified in either hex or base64 format (base64 is more
462     compact).  There are several utilities capable of generating SHA-2
463     digests in hex format such as openssl, shasum, sha224sum, sha256sum,
464     sha384sum, sha512sum.
465
466     For example, using openssl:
467
468     $ openssl dgst -sha224 /bin/ls
469     SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
470
471     It is also possible to use openssl to generate base64 output:
472
473     $ openssl dgst -binary -sha224 /bin/ls | openssl base64
474     EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
475
476     Warning, if the user has write access to the command itself (directly or
477     via a sudo command), it may be possible for the user to replace the com‐
478     mand after the digest check has been performed but before the command is
479     executed.  A similar race condition exists on systems that lack the
480     fexecve(2) system call when the directory in which the command is located
481     is writable by the user.  See the description of the fdexec setting for
482     more information on how sudo executes commands that have an associated
483     digest.
484
485     Command digests are only supported by version 1.8.7 or higher.
486
487   Defaults
488     Certain configuration options may be changed from their default values at
489     run-time via one or more Default_Entry lines.  These may affect all users
490     on any host, all users on a specific host, a specific user, a specific
491     command, or commands being run as a specific user.  Note that per-command
492     entries may not include command line arguments.  If you need to specify
493     arguments, define a Cmnd_Alias and reference that instead.
494
495     Default_Type ::= 'Defaults' |
496                      'Defaults' '@' Host_List |
497                      'Defaults' ':' User_List |
498                      'Defaults' '!' Cmnd_List |
499                      'Defaults' '>' Runas_List
500
501     Default_Entry ::= Default_Type Parameter_List
502
503     Parameter_List ::= Parameter |
504                        Parameter ',' Parameter_List
505
506     Parameter ::= Parameter '=' Value |
507                   Parameter '+=' Value |
508                   Parameter '-=' Value |
509                   '!'* Parameter
510
511     Parameters may be flags, integer values, strings, or lists.  Flags are
512     implicitly boolean and can be turned off via the ‘!’ operator.  Some
513     integer, string and list parameters may also be used in a boolean context
514     to disable them.  Values may be enclosed in double quotes ("") when they
515     contain multiple words.  Special characters may be escaped with a back‐
516     slash (‘\’).
517
518     Lists have two additional assignment operators, += and -=.  These opera‐
519     tors are used to add to and delete from a list respectively.  It is not
520     an error to use the -= operator to remove an element that does not exist
521     in a list.
522
523     Defaults entries are parsed in the following order: generic, host, user
524     and runas Defaults first, then command defaults.  If there are multiple
525     Defaults settings of the same type, the last matching setting is used.
526     The following Defaults settings are parsed before all others since they
527     may affect subsequent entries: fqdn, group_plugin, runas_default,
528     sudoers_locale.
529
530     See SUDOERS OPTIONS for a list of supported Defaults parameters.
531
532   User specification
533     User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
534                   (':' Host_List '=' Cmnd_Spec_List)*
535
536     Cmnd_Spec_List ::= Cmnd_Spec |
537                        Cmnd_Spec ',' Cmnd_Spec_List
538
539     Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
540
541     Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
542
543     Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
544
545     SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
546
547     Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
548
549     Timeout_Spec ::= 'TIMEOUT=timeout'
550
551     Chdir_Spec ::= 'CWD=directory'
552
553     Chroot_Spec ::= 'CHROOT=directory'
554
555     Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
556                   'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
557                   'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
558                   'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
559
560     A user specification determines which commands a user may run (and as
561     what user) on specified hosts.  By default, commands are run as root, but
562     this can be changed on a per-command basis.
563
564     The basic structure of a user specification is “who where = (as_whom)
565     what”.  Let's break that down into its constituent parts:
566
567   Runas_Spec
568     A Runas_Spec determines the user and/or the group that a command may be
569     run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
570     defined above) separated by a colon (‘:’) and enclosed in a set of paren‐
571     theses.  The first Runas_List indicates which users the command may be
572     run as via the -u option.  The second defines a list of groups that can
573     be specified via the -g option in addition to any of the target user's
574     groups.  If both Runas_Lists are specified, the command may be run with
575     any combination of users and groups listed in their respective
576     Runas_Lists. If only the first is specified, the command may be run as
577     any user in the list but no -g option may be specified.  If the first
578     Runas_List is empty but the second is specified, the command may be run
579     as the invoking user with the group set to any listed in the Runas_List.
580     If both Runas_Lists are empty, the command may only be run as the invok‐
581     ing user.  If no Runas_Spec is specified the command may be run as root
582     and no group may be specified.
583
584     A Runas_Spec sets the default for the commands that follow it.  What this
585     means is that for the entry:
586
587     dgb     boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
588
589     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
590     boulder—but only as operator.  E.g.,
591
592     $ sudo -u operator /bin/ls
593
594     It is also possible to override a Runas_Spec later on in an entry.  If we
595     modify the entry like so:
596
597     dgb     boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
598
599     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
600     and /usr/bin/lprm as root.
601
602     We can extend this to allow dgb to run /bin/ls with either the user or
603     group set to operator:
604
605     dgb     boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
606             /usr/bin/lprm
607
608     Note that while the group portion of the Runas_Spec permits the user to
609     run as command with that group, it does not force the user to do so.  If
610     no group is specified on the command line, the command will run with the
611     group listed in the target user's password database entry.  The following
612     would all be permitted by the sudoers entry above:
613
614     $ sudo -u operator /bin/ls
615     $ sudo -u operator -g operator /bin/ls
616     $ sudo -g operator /bin/ls
617
618     In the following example, user tcm may run commands that access a modem
619     device file with the dialer group.
620
621     tcm     boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
622             /usr/local/bin/minicom
623
624     Note that in this example only the group will be set, the command still
625     runs as user tcm.  E.g.
626
627     $ sudo -g dialer /usr/bin/cu
628
629     Multiple users and groups may be present in a Runas_Spec, in which case
630     the user may select any combination of users and groups via the -u and -g
631     options.  In this example:
632
633     alan    ALL = (root, bin : operator, system) ALL
634
635     user alan may run any command as either user root or bin, optionally set‐
636     ting the group to operator or system.
637
638   Option_Spec
639     A Cmnd may have zero or more options associated with it.  Options may
640     consist of SELinux roles and/or types, start and/or end dates and command
641     timeouts.  Once an option is set for a Cmnd, subsequent Cmnds in the
642     Cmnd_Spec_List, inherit that option unless it is overridden by another
643     option.  Note that the option names are reserved words in sudoers.  This
644     means that none of the valid option names (see below) can be used when
645     declaring an alias.
646
647   SELinux_Spec
648     On systems with SELinux support, sudoers file entries may optionally have
649     an SELinux role and/or type associated with a command.  If a role or type
650     is specified with the command it will override any default values speci‐
651     fied in sudoers.  A role or type specified on the command line, however,
652     will supersede the values in sudoers.
653
654   Date_Spec
655     sudoers rules can be specified with a start and end date via the
656     NOTBEFORE and NOTAFTER settings.  The time stamp must be specified in
657     Generalized Time as defined by RFC 4517.  The format is effectively
658     yyyymmddHHMMSSZ where the minutes and seconds are optional.  The ‘Z’ suf‐
659     fix indicates that the time stamp is in Coordinated Universal Time (UTC).
660     It is also possible to specify a timezone offset from UTC in hours and
661     minutes instead of a ‘Z’.  For example, ‘-0500’ would correspond to East‐
662     ern Standard time in the US.  As an extension, if no ‘Z’ or timezone off‐
663     set is specified, local time will be used.
664
665     The following are all valid time stamps:
666
667         20170214083000Z
668         2017021408Z
669         20160315220000-0500
670         20151201235900
671
672   Timeout_Spec
673     A command may have a timeout associated with it.  If the timeout expires
674     before the command has exited, the command will be terminated.  The time‐
675     out may be specified in combinations of days, hours, minutes and seconds
676     with a single-letter case-insensitive suffix that indicates the unit of
677     time.  For example, a timeout of 7 days, 8 hours, 30 minutes and 10 sec‐
678     onds would be written as 7d8h30m10s.  If a number is specified without a
679     unit, seconds are assumed.  Any of the days, minutes, hours or seconds
680     may be omitted.  The order must be from largest to smallest unit and a
681     unit may not be specified more than once.
682
683     The following are all valid timeout values: 7d8h30m10s, 14d, 8h30m, 600s,
684     3600.  The following are invalid timeout values: 12m2w1d, 30s10m4h,
685     1d2d3h.
686
687     This setting is only supported by version 1.8.20 or higher.
688
689   Chdir_Spec
690     The working directory that the command will be run in can be specified
691     using the CWD setting.  The directory must be a fully-qualified path name
692     beginning with a ‘/’ or ‘~’ character, or the special value “*”.  A value
693     of “*” indicates that the user may specify the working directory by run‐
694     ning sudo with the -D option.  By default, commands are run from the
695     invoking user's current working directory, unless the -i option is given.
696     Path names of the form ~user/path/name are interpreted as being relative
697     to the named user's home directory.  If the user name is omitted, the
698     path will be relative to the runas user's home directory.
699
700     This setting is only supported by version 1.9.3 or higher.
701
702   Chroot_Spec
703     The root directory that the command will be run in can be specified using
704     the CHROOT setting.  The directory must be a fully-qualified path name
705     beginning with a ‘/’ or ‘~’ character, or the special value “*”.  A value
706     of “*” indicates that the user may specify the root directory by running
707     sudo with the -R option.  This setting can be used to run the command in
708     a chroot(2) “sandbox” similar to the chroot(8) utility.  Path names of
709     the form ~user/path/name are interpreted as being relative to the named
710     user's home directory.  If the user name is omitted, the path will be
711     relative to the runas user's home directory.
712
713     This setting is only supported by version 1.9.3 or higher.
714
715   Tag_Spec
716     A command may have zero or more tags associated with it.  The following
717     tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
718     NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD,
719     SETENV, and NOSETENV.  Once a tag is set on a Cmnd, subsequent Cmnds in
720     the Cmnd_Spec_List, inherit the tag unless it is overridden by the oppo‐
721     site tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides
722     EXEC).
723
724     EXEC and NOEXEC
725
726       If sudo has been compiled with noexec support and the underlying oper‐
727       ating system supports it, the NOEXEC tag can be used to prevent a
728       dynamically-linked executable from running further commands itself.
729
730       In the following example, user aaron may run /usr/bin/more and
731       /usr/bin/vi but shell escapes will be disabled.
732
733       aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
734
735       See the Preventing shell escapes section below for more details on how
736       NOEXEC works and whether or not it will work on your system.
737
738     FOLLOW and NOFOLLOW Starting with version 1.8.15, sudoedit will not open
739       a file that is a symbolic link unless the sudoedit_follow flag is
740       enabled.  The FOLLOW and NOFOLLOW tags override the value of
741       sudoedit_follow and can be used to permit (or deny) the editing of sym‐
742       bolic links on a per-command basis.  These tags are only effective for
743       the sudoedit command and are ignored for all other commands.
744
745     LOG_INPUT and NOLOG_INPUT
746
747       These tags override the value of the log_input flag on a per-command
748       basis.  For more information, see the description of log_input in the
749       SUDOERS OPTIONS section below.
750
751     LOG_OUTPUT and NOLOG_OUTPUT
752
753       These tags override the value of the log_output flag on a per-command
754       basis.  For more information, see the description of log_output in the
755       SUDOERS OPTIONS section below.
756
757     MAIL and NOMAIL
758
759       These tags provide fine-grained control over whether mail will be sent
760       when a user runs a command by overriding the value of the
761       mail_all_cmnds flag on a per-command basis.  They have no effect when
762       sudo is run with the -l or -v options.  A NOMAIL tag will also override
763       the mail_always and mail_no_perms options.  For more information, see
764       the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
765       the SUDOERS OPTIONS section below.
766
767     PASSWD and NOPASSWD
768
769       By default, sudo requires that a user authenticate him or herself
770       before running a command.  This behavior can be modified via the
771       NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
772       the commands that follow it in the Cmnd_Spec_List.  Conversely, the
773       PASSWD tag can be used to reverse things.  For example:
774
775       ray     rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
776
777       would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
778       as root on the machine rushmore without authenticating himself.  If we
779       only want ray to be able to run /bin/kill without a password the entry
780       would be:
781
782       ray     rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
783
784       Note, however, that the PASSWD tag has no effect on users who are in
785       the group specified by the exempt_group setting.
786
787       By default, if the NOPASSWD tag is applied to any of a user's entries
788       for the current host, the user will be able to run “sudo -l” without a
789       password.  Additionally, a user may only run “sudo -v” without a pass‐
790       word if all of the user's entries for the current host have the
791       NOPASSWD tag.  This behavior may be overridden via the verifypw and
792       listpw options.
793
794     SETENV and NOSETENV
795
796       These tags override the value of the setenv flag on a per-command
797       basis.  Note that if SETENV has been set for a command, the user may
798       disable the env_reset flag from the command line via the -E option.
799       Additionally, environment variables set on the command line are not
800       subject to the restrictions imposed by env_check, env_delete, or
801       env_keep.  As such, only trusted users should be allowed to set vari‐
802       ables in this manner.  If the command matched is ALL, the SETENV tag is
803       implied for that command; this default may be overridden by use of the
804       NOSETENV tag.
805
806   Wildcards
807     sudo allows shell-style wildcards (aka meta or glob characters) to be
808     used in host names, path names and command line arguments in the sudoers
809     file.  Wildcard matching is done via the glob(3) and fnmatch(3) functions
810     as specified by IEEE Std 1003.1 (“POSIX.1”).
811
812     *         Matches any set of zero or more characters (including white
813               space).
814
815     ?         Matches any single character (including white space).
816
817     [...]     Matches any character in the specified range.
818
819     [!...]    Matches any character not in the specified range.
820
821     \x        For any character ‘x’, evaluates to ‘x’.  This is used to
822               escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
823
824     Note that these are not regular expressions.  Unlike a regular expression
825     there is no way to match one or more characters within a range.
826
827     Character classes may be used if your system's glob(3) and fnmatch(3)
828     functions support them.  However, because the ‘:’ character has special
829     meaning in sudoers, it must be escaped.  For example:
830
831         /bin/ls [[\:alpha\:]]*
832
833     Would match any file name beginning with a letter.
834
835     Note that a forward slash (‘/’) will not be matched by wildcards used in
836     the file name portion of the command.  This is to make a path like:
837
838         /usr/bin/*
839
840     match /usr/bin/who but not /usr/bin/X11/xterm.
841
842     When matching the command line arguments, however, a slash does get
843     matched by wildcards since command line arguments may contain arbitrary
844     strings and not just path names.
845
846     Wildcards in command line arguments should be used with care.
847     Command line arguments are matched as a single, concatenated string.
848     This mean a wildcard character such as ‘?’ or ‘*’ will match across word
849     boundaries, which may be unexpected.  For example, while a sudoers entry
850     like:
851
852         %operator ALL = /bin/cat /var/log/messages*
853
854     will allow command like:
855
856         $ sudo cat /var/log/messages.1
857
858     It will also allow:
859
860         $ sudo cat /var/log/messages /etc/shadow
861
862     which is probably not what was intended.  In most cases it is better to
863     do command line processing outside of the sudoers file in a scripting
864     language.
865
866   Exceptions to wildcard rules
867     The following exceptions apply to the above rules:
868
869     ""        If the empty string "" is the only command line argument in the
870               sudoers file entry it means that command is not allowed to be
871               run with any arguments.
872
873     sudoedit  Command line arguments to the sudoedit built-in command should
874               always be path names, so a forward slash (‘/’) will not be
875               matched by a wildcard.
876
877   Including other files from within sudoers
878     It is possible to include other sudoers files from within the sudoers
879     file currently being parsed using the @include and @includedir direc‐
880     tives.  For compatibility with sudo versions prior to 1.9.1, #include and
881     #includedir are also accepted.
882
883     An include file can be used, for example, to keep a site-wide sudoers
884     file in addition to a local, per-machine file.  For the sake of this
885     example the site-wide sudoers file will be /etc/sudoers and the per-
886     machine one will be /etc/sudoers.local.  To include /etc/sudoers.local
887     from within /etc/sudoers one would use the following line in
888     /etc/sudoers:
889
890         @include /etc/sudoers.local
891
892     When sudo reaches this line it will suspend processing of the current
893     file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching the
894     end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
895     Files that are included may themselves include other files.  A hard limit
896     of 128 nested include files is enforced to prevent include file loops.
897
898     The path to the include file may contain white space if it is escaped
899     with a backslash (‘\’).  Alternately, the entire path may be enclosed in
900     double quotes (""), in which case no escaping is necessary.  To include a
901     literal backslash in the path, ‘\\’ should be used.
902
903     If the path to the include file is not fully-qualified (does not begin
904     with a ‘/’), it must be located in the same directory as the sudoers file
905     it was included from.  For example, if /etc/sudoers contains the line:
906
907         @include sudoers.local
908
909     the file that will be included is /etc/sudoers.local.
910
911     The file name may also include the %h escape, signifying the short form
912     of the host name.  In other words, if the machine's host name is
913     “xerxes”, then
914
915         @include /etc/sudoers.%h
916
917     will cause sudo to include the file /etc/sudoers.xerxes.
918
919     The @includedir directive can be used to create a sudoers.d directory
920     that the system package manager can drop sudoers file rules into as part
921     of package installation.  For example, given:
922
923         @includedir /etc/sudoers.d
924
925     sudo will suspend processing of the current file and read each file in
926     /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
927     character to avoid causing problems with package manager or editor tempo‐
928     rary/backup files.  Files are parsed in sorted lexical order.  That is,
929     /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
930     Be aware that because the sorting is lexical, not numeric,
931     /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
932     Using a consistent number of leading zeroes in the file names can be used
933     to avoid such problems.  After parsing the files in the directory, con‐
934     trol returns to the file that contained the @includedir directive.
935
936     Note that unlike files included via @include, visudo will not edit the
937     files in a @includedir directory unless one of them contains a syntax
938     error.  It is still possible to run visudo with the -f flag to edit the
939     files directly, but this will not catch the redefinition of an alias that
940     is also present in a different file.
941
942   Other special characters and reserved words
943     The pound sign (‘#’) is used to indicate a comment (unless it is part of
944     a #include directive or unless it occurs in the context of a user name
945     and is followed by one or more digits, in which case it is treated as a
946     user-ID).  Both the comment character and any text after it, up to the
947     end of the line, are ignored.
948
949     The reserved word ALL is a built-in alias that always causes a match to
950     succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
951     User_Alias, Runas_Alias, or Host_Alias.  Attempting to define an alias
952     named ALL will result in a syntax error.  Please note that using ALL can
953     be dangerous since in a command context, it allows the user to run any
954     command on the system.
955
956     The following option names permitted in an Option_Spec are also consid‐
957     ered reserved words: CHROOT, ROLE, TYPE, TIMEOUT, CWD, NOTBEFORE and
958     NOTAFTER.  Attempting to define an alias with the same name as one of the
959     options will result in a syntax error.
960
961     An exclamation point (‘!’) can be used as a logical not operator in a
962     list or alias as well as in front of a Cmnd.  This allows one to exclude
963     certain values.  For the ‘!’ operator to be effective, there must be
964     something for it to exclude.  For example, to match all users except for
965     root one would use:
966
967         ALL,!root
968
969     If the ALL, is omitted, as in:
970
971         !root
972
973     it would explicitly deny root but not match any other users.  This is
974     different from a true “negation” operator.
975
976     Note, however, that using a ‘!’ in conjunction with the built-in ALL
977     alias to allow a user to run “all but a few” commands rarely works as
978     intended (see SECURITY NOTES below).
979
980     Long lines can be continued with a backslash (‘\’) as the last character
981     on the line.
982
983     White space between elements in a list as well as special syntactic char‐
984     acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
985
986     The following characters must be escaped with a backslash (‘\’) when used
987     as part of a word (e.g., a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
988     ‘(’, ‘)’, ‘\’.
989

SUDOERS OPTIONS

991     sudo's behavior can be modified by Default_Entry lines, as explained ear‐
992     lier.  A list of all supported Defaults parameters, grouped by type, are
993     listed below.
994
995     Boolean Flags:
996
997     always_query_group_plugin
998                       If a group_plugin is configured, use it to resolve
999                       groups of the form %group as long as there is not also
1000                       a system group of the same name.  Normally, only groups
1001                       of the form %:group are passed to the group_plugin.
1002                       This flag is off by default.
1003
1004     always_set_home   If enabled, sudo will set the HOME environment variable
1005                       to the home directory of the target user (which is the
1006                       root user unless the -u option is used).  This flag is
1007                       largely obsolete and has no effect unless the env_reset
1008                       flag has been disabled or HOME is present in the
1009                       env_keep list, both of which are strongly discouraged.
1010                       This flag is off by default.
1011
1012     authenticate      If set, users must authenticate themselves via a pass‐
1013                       word (or other means of authentication) before they may
1014                       run commands.  This default may be overridden via the
1015                       PASSWD and NOPASSWD tags.  This flag is on by default.
1016
1017     case_insensitive_group
1018                       If enabled, group names in sudoers will be matched in a
1019                       case insensitive manner.  This may be necessary when
1020                       users are stored in LDAP or AD.  This flag is on by
1021                       default.
1022
1023     case_insensitive_user
1024                       If enabled, user names in sudoers will be matched in a
1025                       case insensitive manner.  This may be necessary when
1026                       groups are stored in LDAP or AD.  This flag is on by
1027                       default.
1028
1029     closefrom_override
1030                       If set, the user may use the -C option which overrides
1031                       the default starting point at which sudo begins closing
1032                       open file descriptors.  This flag is off by default.
1033
1034     compress_io       If set, and sudo is configured to log a command's input
1035                       or output, the I/O logs will be compressed using zlib.
1036                       This flag is on by default when sudo is compiled with
1037                       zlib support.
1038
1039     exec_background   By default, sudo runs a command as the foreground
1040                       process as long as sudo itself is running in the fore‐
1041                       ground.  When the exec_background flag is enabled and
1042                       the command is being run in a pseudo-terminal (due to
1043                       I/O logging or the use_pty flag), the command will be
1044                       run as a background process.  Attempts to read from the
1045                       controlling terminal (or to change terminal settings)
1046                       will result in the command being suspended with the
1047                       SIGTTIN signal (or SIGTTOU in the case of terminal set‐
1048                       tings).  If this happens when sudo is a foreground
1049                       process, the command will be granted the controlling
1050                       terminal and resumed in the foreground with no user
1051                       intervention required.  The advantage of initially run‐
1052                       ning the command in the background is that sudo need
1053                       not read from the terminal unless the command explic‐
1054                       itly requests it.  Otherwise, any terminal input must
1055                       be passed to the command, whether it has required it or
1056                       not (the kernel buffers terminals so it is not possible
1057                       to tell whether the command really wants the input).
1058                       This is different from historic sudo behavior or when
1059                       the command is not being run in a pseudo-terminal.
1060
1061                       For this to work seamlessly, the operating system must
1062                       support the automatic restarting of system calls.
1063                       Unfortunately, not all operating systems do this by
1064                       default, and even those that do may have bugs.  For
1065                       example, macOS fails to restart the tcgetattr() and
1066                       tcsetattr() system calls (this is a bug in macOS).
1067                       Furthermore, because this behavior depends on the com‐
1068                       mand stopping with the SIGTTIN or SIGTTOU signals, pro‐
1069                       grams that catch these signals and suspend themselves
1070                       with a different signal (usually SIGTOP) will not be
1071                       automatically foregrounded.  Some versions of the linux
1072                       su(1) command behave this way.  This flag is off by
1073                       default.
1074
1075                       This setting is only supported by version 1.8.7 or
1076                       higher.  It has no effect unless I/O logging is enabled
1077                       or the use_pty flag is enabled.
1078
1079     env_editor        If set, visudo will use the value of the SUDO_EDITOR,
1080                       VISUAL or EDITOR environment variables before falling
1081                       back on the default editor list.  Note that visudo is
1082                       typically run as root so this flag may allow a user
1083                       with visudo privileges to run arbitrary commands as
1084                       root without logging.  An alternative is to place a
1085                       colon-separated list of “safe” editors int the editor
1086                       variable.  visudo will then only use SUDO_EDITOR,
1087                       VISUAL or EDITOR if they match a value specified in
1088                       editor.  If the env_reset flag is enabled, the
1089                       SUDO_EDITOR, VISUAL and/or EDITOR environment variables
1090                       must be present in the env_keep list for the env_editor
1091                       flag to function when visudo is invoked via sudo.  This
1092                       flag is on by default.
1093
1094     env_reset         If set, sudo will run the command in a minimal environ‐
1095                       ment containing the TERM, PATH, HOME, MAIL, SHELL,
1096                       LOGNAME, USER and SUDO_* variables.  Any variables in
1097                       the caller's environment or in the file specified by
1098                       the restricted_env_file setting that match the env_keep
1099                       and env_check lists are then added, followed by any
1100                       variables present in the file specified by the env_file
1101                       setting (if any).  The contents of the env_keep and
1102                       env_check lists, as modified by global Defaults parame‐
1103                       ters in sudoers, are displayed when sudo is run by root
1104                       with the -V option.  If the secure_path setting is
1105                       enabled, its value will be used for the PATH environ‐
1106                       ment variable.  This flag is on by default.
1107
1108     fast_glob         Normally, sudo uses the glob(3) function to do shell-
1109                       style globbing when matching path names.  However,
1110                       since it accesses the file system, glob(3) can take a
1111                       long time to complete for some patterns, especially
1112                       when the pattern references a network file system that
1113                       is mounted on demand (auto mounted).  The fast_glob
1114                       flag causes sudo to use the fnmatch(3) function, which
1115                       does not access the file system to do its matching.
1116                       The disadvantage of fast_glob is that it is unable to
1117                       match relative path names such as ./ls or ../bin/ls.
1118                       This has security implications when path names that
1119                       include globbing characters are used with the negation
1120                       operator, ‘!’, as such rules can be trivially bypassed.
1121                       As such, this flag should not be used when the sudoers
1122                       file contains rules that contain negated path names
1123                       which include globbing characters.  This flag is off by
1124                       default.
1125
1126     fqdn              Set this flag if you want to put fully qualified host
1127                       names in the sudoers file when the local host name (as
1128                       returned by the hostname command) does not contain the
1129                       domain name.  In other words, instead of myhost you
1130                       would use myhost.mydomain.edu.  You may still use the
1131                       short form if you wish (and even mix the two).  This
1132                       flag is only effective when the “canonical” host name,
1133                       as returned by the getaddrinfo() or gethostbyname()
1134                       function, is a fully-qualified domain name.  This is
1135                       usually the case when the system is configured to use
1136                       DNS for host name resolution.
1137
1138                       If the system is configured to use the /etc/hosts file
1139                       in preference to DNS, the “canonical” host name may not
1140                       be fully-qualified.  The order that sources are queried
1141                       for host name resolution is usually specified in the
1142                       /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
1143                       or, in some cases, /etc/resolv.conf file.  In the
1144                       /etc/hosts file, the first host name of the entry is
1145                       considered to be the “canonical” name; subsequent names
1146                       are aliases that are not used by sudoers.  For example,
1147                       the following hosts file line for the machine “xyzzy”
1148                       has the fully-qualified domain name as the “canonical”
1149                       host name, and the short version as an alias.
1150
1151                             192.168.1.1 xyzzy.sudo.ws xyzzy
1152
1153                       If the machine's hosts file entry is not formatted
1154                       properly, the fqdn flag will not be effective if it is
1155                       queried before DNS.
1156
1157                       Beware that when using DNS for host name resolution,
1158                       turning on fqdn requires sudoers to make DNS lookups
1159                       which renders sudo unusable if DNS stops working (for
1160                       example if the machine is disconnected from the net‐
1161                       work).  Also note that just like with the hosts file,
1162                       you must use the “canonical” name as DNS knows it.
1163                       That is, you may not use a host alias (CNAME entry) due
1164                       to performance issues and the fact that there is no way
1165                       to get all aliases from DNS.
1166
1167                       This flag is off by default.
1168
1169     ignore_audit_errors
1170                       Allow commands to be run even if sudoers cannot write
1171                       to the audit log.  If enabled, an audit log write fail‐
1172                       ure is not treated as a fatal error.  If disabled, a
1173                       command may only be run after the audit event is suc‐
1174                       cessfully written.  This flag is only effective on sys‐
1175                       tems for which sudoers supports audit logging, includ‐
1176                       ing FreeBSD, Linux, macOS and Solaris.  This flag is on
1177                       by default.
1178
1179     ignore_dot        If set, sudo will ignore "." or "" (both denoting cur‐
1180                       rent directory) in the PATH environment variable; the
1181                       PATH itself is not modified.  This flag is on by
1182                       default.
1183
1184     ignore_iolog_errors
1185                       Allow commands to be run even if sudoers cannot write
1186                       to the I/O log (local or remote).  If enabled, an I/O
1187                       log write failure is not treated as a fatal error.  If
1188                       disabled, the command will be terminated if the I/O log
1189                       cannot be written to.  This flag is off by default.
1190
1191     ignore_logfile_errors
1192                       Allow commands to be run even if sudoers cannot write
1193                       to the log file.  If enabled, a log file write failure
1194                       is not treated as a fatal error.  If disabled, a com‐
1195                       mand may only be run after the log file entry is suc‐
1196                       cessfully written.  This flag only has an effect when
1197                       sudoers is configured to use file-based logging via the
1198                       logfile setting.  This flag is on by default.
1199
1200     ignore_local_sudoers
1201                       If set via LDAP, parsing of /etc/sudoers will be
1202                       skipped.  This is intended for Enterprises that wish to
1203                       prevent the usage of local sudoers files so that only
1204                       LDAP is used.  This thwarts the efforts of rogue opera‐
1205                       tors who would attempt to add roles to /etc/sudoers.
1206                       When this flag is enabled, /etc/sudoers does not even
1207                       need to exist.  Since this flag tells sudo how to
1208                       behave when no specific LDAP entries have been matched,
1209                       this sudoOption is only meaningful for the cn=defaults
1210                       section.  This flag is off by default.
1211
1212     ignore_unknown_defaults
1213                       If set, sudo will not produce a warning if it encoun‐
1214                       ters an unknown Defaults entry in the sudoers file or
1215                       an unknown sudoOption in LDAP.  This flag is off by
1216                       default.
1217
1218     insults           If set, sudo will insult users when they enter an
1219                       incorrect password.  This flag is off by default.
1220
1221     log_allowed       If set, sudoers will log commands allowed by the policy
1222                       to the system audit log (where supported) as well as to
1223                       syslog and/or a log file.  This flag is on by default.
1224
1225                       This setting is only supported by version 1.8.29 or
1226                       higher.
1227
1228     log_denied        If set, sudoers will log commands denied by the policy
1229                       to the system audit log (where supported) as well as to
1230                       syslog and/or a log file.  This flag is on by default.
1231
1232                       This setting is only supported by version 1.8.29 or
1233                       higher.
1234
1235     log_host          If set, the host name will be included in log entries
1236                       written to the file configured by the logfile setting.
1237                       This flag is off by default.
1238
1239     log_input         If set, sudo will run the command in a pseudo-terminal
1240                       and log all user input.  If the standard input is not
1241                       connected to the user's tty, due to I/O redirection or
1242                       because the command is part of a pipeline, that input
1243                       is also captured and stored in a separate log file.
1244                       Anything sent to the standard input will be consumed,
1245                       regardless of whether or not the command run via sudo
1246                       is actually reading the standard input.  This may have
1247                       unexpected results when using sudo in a shell script
1248                       that expects to process the standard input.  For more
1249                       information about I/O logging, see the I/O LOG FILES
1250                       section.  This flag is off by default.
1251
1252     log_output        If set, sudo will run the command in a pseudo-terminal
1253                       and log all output that is sent to the screen, similar
1254                       to the script(1) command.  For more information about
1255                       I/O logging, see the I/O LOG FILES section.  This flag
1256                       is off by default.
1257
1258     log_server_keepalive
1259                       If set, sudo will enable the TCP keepalive socket
1260                       option on the connection to the log server.  This
1261                       enables the periodic transmission of keepalive messages
1262                       to the server.  If the server does not respond to a
1263                       message, the connection will be closed and the running
1264                       command will be terminated unless the
1265                       ignore_iolog_errors flag (I/O logging enabled) or the
1266                       ignore_log_errors flag (I/O logging disabled) is set.
1267                       This flag is on by default.
1268
1269                       This setting is only supported by version 1.9.0 or
1270                       higher.
1271
1272     log_server_verify
1273                       If set, the server certificate received during the TLS
1274                       handshake must be valid and it must contain either the
1275                       server name (from log_servers) or its IP address.  If
1276                       either of these conditions is not met, the TLS hand‐
1277                       shake will fail.  This flag is on by default.
1278
1279                       This setting is only supported by version 1.9.0 or
1280                       higher.
1281
1282     log_year          If set, the four-digit year will be logged in the (non-
1283                       syslog) sudo log file.  This flag is off by default.
1284
1285     long_otp_prompt   When validating with a One Time Password (OTP) scheme
1286                       such as S/Key or OPIE, a two-line prompt is used to
1287                       make it easier to cut and paste the challenge to a
1288                       local window.  It's not as pretty as the default but
1289                       some people find it more convenient.  This flag is off
1290                       by default.
1291
1292     mail_all_cmnds    Send mail to the mailto user every time a user attempts
1293                       to run a command via sudo (this includes sudoedit).  No
1294                       mail will be sent if the user runs sudo with the -l or
1295                       -v option unless there is an authentication error and
1296                       the mail_badpass flag is also set.  This flag is off by
1297                       default.
1298
1299     mail_always       Send mail to the mailto user every time a user runs
1300                       sudo.  This flag is off by default.
1301
1302     mail_badpass      Send mail to the mailto user if the user running sudo
1303                       does not enter the correct password.  If the command
1304                       the user is attempting to run is not permitted by
1305                       sudoers and one of the mail_all_cmnds, mail_always,
1306                       mail_no_host, mail_no_perms or mail_no_user flags are
1307                       set, this flag will have no effect.  This flag is off
1308                       by default.
1309
1310     mail_no_host      If set, mail will be sent to the mailto user if the
1311                       invoking user exists in the sudoers file, but is not
1312                       allowed to run commands on the current host.  This flag
1313                       is off by default.
1314
1315     mail_no_perms     If set, mail will be sent to the mailto user if the
1316                       invoking user is allowed to use sudo but the command
1317                       they are trying is not listed in their sudoers file
1318                       entry or is explicitly denied.  This flag is off by
1319                       default.
1320
1321     mail_no_user      If set, mail will be sent to the mailto user if the
1322                       invoking user is not in the sudoers file.  This flag is
1323                       on by default.
1324
1325     match_group_by_gid
1326                       By default, sudoers will look up each group the user is
1327                       a member of by group-ID to determine the group name
1328                       (this is only done once).  The resulting list of the
1329                       user's group names is used when matching groups listed
1330                       in the sudoers file.  This works well on systems where
1331                       the number of groups listed in the sudoers file is
1332                       larger than the number of groups a typical user belongs
1333                       to.  On systems where group lookups are slow, where
1334                       users may belong to a large number of groups, and where
1335                       the number of groups listed in the sudoers file is rel‐
1336                       atively small, it may be prohibitively expensive and
1337                       running commands via sudo may take longer than normal.
1338                       On such systems it may be faster to use the
1339                       match_group_by_gid flag to avoid resolving the user's
1340                       group-IDs to group names.  In this case, sudoers must
1341                       look up any group name listed in the sudoers file and
1342                       use the group-ID instead of the group name when deter‐
1343                       mining whether the user is a member of the group.
1344
1345                       Note that if match_group_by_gid is enabled, group data‐
1346                       base lookups performed by sudoers will be keyed by
1347                       group name as opposed to group-ID.  On systems where
1348                       there are multiple sources for the group database, it
1349                       is possible to have conflicting group names or group-
1350                       IDs in the local /etc/group file and the remote group
1351                       database.  On such systems, enabling or disabling
1352                       match_group_by_gid can be used to choose whether group
1353                       database queries are performed by name (enabled) or ID
1354                       (disabled), which may aid in working around group entry
1355                       conflicts.
1356
1357                       The match_group_by_gid flag has no effect when sudoers
1358                       data is stored in LDAP.  This flag is off by default.
1359
1360                       This setting is only supported by version 1.8.18 or
1361                       higher.
1362
1363     netgroup_tuple    If set, netgroup lookups will be performed using the
1364                       full netgroup tuple: host name, user name and domain
1365                       (if one is set).  Historically, sudo only matched the
1366                       user name and domain for netgroups used in a User_List
1367                       and only matched the host name and domain for netgroups
1368                       used in a Host_List.  This flag is off by default.
1369
1370     noexec            If set, all commands run via sudo will behave as if the
1371                       NOEXEC tag has been set, unless overridden by an EXEC
1372                       tag.  See the description of EXEC and NOEXEC above as
1373                       well as the Preventing shell escapes section at the end
1374                       of this manual.  This flag is off by default.
1375
1376     pam_acct_mgmt     On systems that use PAM for authentication, sudo will
1377                       perform PAM account validation for the invoking user by
1378                       default.  The actual checks performed depend on which
1379                       PAM modules are configured.  If enabled, account vali‐
1380                       dation will be performed regardless of whether or not a
1381                       password is required.  This flag is on by default.
1382
1383                       This setting is only supported by version 1.8.28 or
1384                       higher.
1385
1386     pam_rhost         On systems that use PAM for authentication, sudo will
1387                       set the PAM remote host value to the name of the local
1388                       host when the pam_rhost flag is enabled.  On Linux sys‐
1389                       tems, enabling pam_rhost may result in DNS lookups of
1390                       the local host name when PAM is initialized.  On
1391                       Solaris versions prior to Solaris 8, pam_rhost must be
1392                       enabled if pam_ruser is also enabled to avoid a crash
1393                       in the Solaris PAM implementation.
1394
1395                       This flag is off by default on systems other than
1396                       Solaris.
1397
1398                       This setting is only supported by version 1.9.0 or
1399                       higher.
1400
1401     pam_ruser         On systems that use PAM for authentication, sudo will
1402                       set the PAM remote user value to the name of the user
1403                       that invoked sudo when the pam_ruser flag is enabled.
1404                       This flag is on by default.
1405
1406                       This setting is only supported by version 1.9.0 or
1407                       higher.
1408
1409     pam_session       On systems that use PAM for authentication, sudo will
1410                       create a new PAM session for the command to be run in.
1411                       Unless sudo is given the -i or -s options, PAM session
1412                       modules are run with the “silent” flag enabled.  This
1413                       prevents last login information from being displayed
1414                       for every command on some systems.  Disabling
1415                       pam_session may be needed on older PAM implementations
1416                       or on operating systems where opening a PAM session
1417                       changes the utmp or wtmp files.  If PAM session support
1418                       is disabled, resource limits may not be updated for the
1419                       command being run.  If pam_session, pam_setcred, and
1420                       use_pty are disabled, log_servers has not been set and
1421                       I/O logging has not been configured, sudo will execute
1422                       the command directly instead of running it as a child
1423                       process.  This flag is on by default.
1424
1425                       This setting is only supported by version 1.8.7 or
1426                       higher.
1427
1428     pam_setcred       On systems that use PAM for authentication, sudo will
1429                       attempt to establish credentials for the target user by
1430                       default, if supported by the underlying authentication
1431                       system.  One example of a credential is a Kerberos
1432                       ticket.  If pam_session, pam_setcred, and use_pty are
1433                       disabled, log_servers has not been set and I/O logging
1434                       has not been configured, sudo will execute the command
1435                       directly instead of running it as a child process.
1436                       This flag is on by default.
1437
1438                       This setting is only supported by version 1.8.8 or
1439                       higher.
1440
1441     passprompt_override
1442                       If set, the prompt specified by passprompt or the
1443                       SUDO_PROMPT environment variable will always be used
1444                       and will replace the prompt provided by a PAM module or
1445                       other authentication method.  This flag is off by
1446                       default.
1447
1448     path_info         Normally, sudo will tell the user when a command could
1449                       not be found in their PATH environment variable.  Some
1450                       sites may wish to disable this as it could be used to
1451                       gather information on the location of executables that
1452                       the normal user does not have access to.  The disadvan‐
1453                       tage is that if the executable is simply not in the
1454                       user's PATH, sudo will tell the user that they are not
1455                       allowed to run it, which can be confusing.  This flag
1456                       is on by default.
1457
1458     preserve_groups   By default, sudo will initialize the group vector to
1459                       the list of groups the target user is in.  When
1460                       preserve_groups is set, the user's existing group vec‐
1461                       tor is left unaltered.  The real and effective group-
1462                       IDs, however, are still set to match the target user.
1463                       This flag is off by default.
1464
1465     pwfeedback        By default, sudo reads the password like most other
1466                       Unix programs, by turning off echo until the user hits
1467                       the return (or enter) key.  Some users become confused
1468                       by this as it appears to them that sudo has hung at
1469                       this point.  When pwfeedback is set, sudo will provide
1470                       visual feedback when the user presses a key.  Note that
1471                       this does have a security impact as an onlooker may be
1472                       able to determine the length of the password being
1473                       entered.  This flag is off by default.
1474
1475     requiretty        If set, sudo will only run when the user is logged in
1476                       to a real tty.  When this flag is set, sudo can only be
1477                       run from a login session and not via other means such
1478                       as cron(8) or cgi-bin scripts.  This flag is off by
1479                       default.
1480
1481     root_sudo         If set, root is allowed to run sudo too.  Disabling
1482                       this prevents users from “chaining” sudo commands to
1483                       get a root shell by doing something like “sudo sudo
1484                       /bin/sh”.  Note, however, that turning off root_sudo
1485                       will also prevent root from running sudoedit.  Dis‐
1486                       abling root_sudo provides no real additional security;
1487                       it exists purely for historical reasons.  This flag is
1488                       on by default.
1489
1490     rootpw            If set, sudo will prompt for the root password instead
1491                       of the password of the invoking user when running a
1492                       command or editing a file.  This flag is off by
1493                       default.
1494
1495     runas_allow_unknown_id
1496                       If enabled, allow matching of runas user and group IDs
1497                       that are not present in the password or group data‐
1498                       bases.  In addition to explicitly matching unknown user
1499                       or group IDs in a Runas_List, this option also allows
1500                       the ALL alias to match unknown IDs.  This flag is off
1501                       by default.
1502
1503                       This setting is only supported by version 1.8.30 or
1504                       higher.  Older versions of sudo always allowed matching
1505                       of unknown user and group IDs.
1506
1507     runas_check_shell
1508                       If enabled, sudo will only run commands as a user whose
1509                       shell appears in the /etc/shells file, even if the
1510                       invoking user's Runas_List would otherwise permit it.
1511                       If no /etc/shells file is present, a system-dependent
1512                       list of built-in default shells is used.  On many oper‐
1513                       ating systems, system users such as “bin”, do not have
1514                       a valid shell and this flag can be used to prevent com‐
1515                       mands from being run as those users.  This flag is off
1516                       by default.
1517
1518                       This setting is only supported by version 1.8.30 or
1519                       higher.
1520
1521     runaspw           If set, sudo will prompt for the password of the user
1522                       defined by the runas_default option (defaults to root)
1523                       instead of the password of the invoking user when run‐
1524                       ning a command or editing a file.  This flag is off by
1525                       default.
1526
1527     selinux           If enabled, the user may specify an SELinux role and/or
1528                       type to use when running the command, as permitted by
1529                       the SELinux policy.  If SELinux is disabled on the sys‐
1530                       tem, this flag has no effect.  This flag is on by
1531                       default.
1532
1533     set_home          If enabled and sudo is invoked with the -s option, the
1534                       HOME environment variable will be set to the home
1535                       directory of the target user (which is the root user
1536                       unless the -u option is used).  This flag is largely
1537                       obsolete and has no effect unless the env_reset flag
1538                       has been disabled or HOME is present in the env_keep
1539                       list, both of which are strongly discouraged.  This
1540                       flag is off by default.
1541
1542     set_logname       Normally, sudo will set the LOGNAME and USER environ‐
1543                       ment variables to the name of the target user (usually
1544                       root unless the -u option is given).  However, since
1545                       some programs (including the RCS revision control sys‐
1546                       tem) use LOGNAME to determine the real identity of the
1547                       user, it may be desirable to change this behavior.
1548                       This can be done by negating the set_logname option.
1549                       Note that set_logname will have no effect if the
1550                       env_reset option has not been disabled and the env_keep
1551                       list contains LOGNAME or USER.  This flag is on by
1552                       default.
1553
1554     set_utmp          When enabled, sudo will create an entry in the utmp (or
1555                       utmpx) file when a pseudo-terminal is allocated.  A
1556                       pseudo-terminal is allocated by sudo when it is running
1557                       in a terminal and one or more of the log_input,
1558                       log_output or use_pty flags is enabled.  By default,
1559                       the new entry will be a copy of the user's existing
1560                       utmp entry (if any), with the tty, time, type and pid
1561                       fields updated.  This flag is on by default.
1562
1563     setenv            Allow the user to disable the env_reset option from the
1564                       command line via the -E option.  Additionally, environ‐
1565                       ment variables set via the command line are not subject
1566                       to the restrictions imposed by env_check, env_delete,
1567                       or env_keep.  As such, only trusted users should be
1568                       allowed to set variables in this manner.  This flag is
1569                       off by default.
1570
1571     shell_noargs      If set and sudo is invoked with no arguments it acts as
1572                       if the -s option had been given.  That is, it runs a
1573                       shell as root (the shell is determined by the SHELL
1574                       environment variable if it is set, falling back on the
1575                       shell listed in the invoking user's /etc/passwd entry
1576                       if not).  This flag is off by default.
1577
1578     stay_setuid       Normally, when sudo executes a command the real and
1579                       effective UIDs are set to the target user (root by
1580                       default).  This option changes that behavior such that
1581                       the real UID is left as the invoking user's UID.  In
1582                       other words, this makes sudo act as a set-user-ID wrap‐
1583                       per.  This can be useful on systems that disable some
1584                       potentially dangerous functionality when a program is
1585                       run set-user-ID.  This option is only effective on sys‐
1586                       tems that support either the setreuid(2) or
1587                       setresuid(2) system call.  This flag is off by default.
1588
1589     sudoedit_checkdir
1590                       If set, sudoedit will check all directory components of
1591                       the path to be edited for writability by the invoking
1592                       user.  Symbolic links will not be followed in writable
1593                       directories and sudoedit will refuse to edit a file
1594                       located in a writable directory.  These restrictions
1595                       are not enforced when sudoedit is run by root.  On some
1596                       systems, if all directory components of the path to be
1597                       edited are not readable by the target user, sudoedit
1598                       will be unable to edit the file.  This flag is on by
1599                       default.
1600
1601                       This setting was first introduced in version 1.8.15 but
1602                       initially suffered from a race condition.  The check
1603                       for symbolic links in writable intermediate directories
1604                       was added in version 1.8.16.
1605
1606     sudoedit_follow   By default, sudoedit will not follow symbolic links
1607                       when opening files.  The sudoedit_follow option can be
1608                       enabled to allow sudoedit to open symbolic links.  It
1609                       may be overridden on a per-command basis by the FOLLOW
1610                       and NOFOLLOW tags.  This flag is off by default.
1611
1612                       This setting is only supported by version 1.8.15 or
1613                       higher.
1614
1615     syslog_pid        When logging via syslog(3), include the process ID in
1616                       the log entry.  This flag is off by default.
1617
1618                       This setting is only supported by version 1.8.21 or
1619                       higher.
1620
1621     targetpw          If set, sudo will prompt for the password of the user
1622                       specified by the -u option (defaults to root) instead
1623                       of the password of the invoking user when running a
1624                       command or editing a file.  Note that this flag pre‐
1625                       cludes the use of a user-ID not listed in the passwd
1626                       database as an argument to the -u option.  This flag is
1627                       off by default.
1628
1629     tty_tickets       If set, users must authenticate on a per-tty basis.
1630                       With this flag enabled, sudo will use a separate record
1631                       in the time stamp file for each terminal.  If disabled,
1632                       a single record is used for all login sessions.
1633
1634                       This option has been superseded by the timestamp_type
1635                       option.
1636
1637     umask_override    If set, sudo will set the umask as specified in the
1638                       sudoers file without modification.  This makes it pos‐
1639                       sible to specify a umask in the sudoers file that is
1640                       more permissive than the user's own umask and matches
1641                       historical behavior.  If umask_override is not set,
1642                       sudo will set the umask to be the union of the user's
1643                       umask and what is specified in sudoers.  This flag is
1644                       off by default.
1645
1646     use_netgroups     If set, netgroups (prefixed with ‘+’), may be used in
1647                       place of a user or host.  For LDAP-based sudoers, net‐
1648                       group support requires an expensive sub-string match on
1649                       the server unless the NETGROUP_BASE directive is
1650                       present in the /etc/ldap.conf file.  If netgroups are
1651                       not needed, this option can be disabled to reduce the
1652                       load on the LDAP server.  This flag is on by default.
1653
1654     use_pty           If set, and sudo is running in a terminal, the command
1655                       will be run in a pseudo-terminal (even if no I/O log‐
1656                       ging is being done).  If the sudo process is not
1657                       attached to a terminal, use_pty has no effect.
1658
1659                       A malicious program run under sudo may be capable of
1660                       injecting commands into the user's terminal or running
1661                       a background process that retains access to the user's
1662                       terminal device even after the main program has fin‐
1663                       ished executing.  By running the command in a separate
1664                       pseudo-terminal, this attack is no longer possible.
1665                       This flag is off by default.
1666
1667     user_command_timeouts
1668                       If set, the user may specify a timeout on the command
1669                       line.  If the timeout expires before the command has
1670                       exited, the command will be terminated.  If a timeout
1671                       is specified both in the sudoers file and on the com‐
1672                       mand line, the smaller of the two timeouts will be
1673                       used.  See the Timeout_Spec section for a description
1674                       of the timeout syntax.  This flag is off by default.
1675
1676                       This setting is only supported by version 1.8.20 or
1677                       higher.
1678
1679     utmp_runas        If set, sudo will store the name of the runas user when
1680                       updating the utmp (or utmpx) file.  By default, sudo
1681                       stores the name of the invoking user.  This flag is off
1682                       by default.
1683
1684     visiblepw         By default, sudo will refuse to run if the user must
1685                       enter a password but it is not possible to disable echo
1686                       on the terminal.  If the visiblepw flag is set, sudo
1687                       will prompt for a password even when it would be visi‐
1688                       ble on the screen.  This makes it possible to run
1689                       things like “ssh somehost sudo ls” since by default,
1690                       ssh(1) does not allocate a tty when running a command.
1691                       This flag is off by default.
1692
1693     Integers:
1694
1695     closefrom         Before it executes a command, sudo will close all open
1696                       file descriptors other than standard input, standard
1697                       output and standard error (ie: file descriptors 0-2).
1698                       The closefrom option can be used to specify a different
1699                       file descriptor at which to start closing.  The default
1700                       is 3.
1701
1702     command_timeout   The maximum amount of time a command is allowed to run
1703                       before it is terminated.  See the Timeout_Spec section
1704                       for a description of the timeout syntax.
1705
1706                       This setting is only supported by version 1.8.20 or
1707                       higher.
1708
1709     log_server_timeout
1710                       The maximum amount of time to wait when connecting to a
1711                       log server or waiting for a server response.  See the
1712                       Timeout_Spec section for a description of the timeout
1713                       syntax.  The default value is 30 seconds.
1714
1715                       This setting is only supported by version 1.9.0 or
1716                       higher.
1717
1718     maxseq            The maximum sequence number that will be substituted
1719                       for the “%{seq}” escape in the I/O log file (see the
1720                       iolog_dir description below for more information).
1721                       While the value substituted for “%{seq}” is in base 36,
1722                       maxseq itself should be expressed in decimal.  Values
1723                       larger than 2176782336 (which corresponds to the base
1724                       36 sequence number “ZZZZZZ”) will be silently truncated
1725                       to 2176782336.  The default value is 2176782336.
1726
1727                       Once the local sequence number reaches the value of
1728                       maxseq, it will “roll over” to zero, after which
1729                       sudoers will truncate and re-use any existing I/O log
1730                       path names.
1731
1732                       This setting is only supported by version 1.8.7 or
1733                       higher.
1734
1735     passwd_tries      The number of tries a user gets to enter his/her pass‐
1736                       word before sudo logs the failure and exits.  The
1737                       default is 3.
1738
1739     syslog_maxlen     On many systems, syslog(3) has a relatively small log
1740                       buffer.  IETF RFC 5424 states that syslog servers must
1741                       support messages of at least 480 bytes and should sup‐
1742                       port messages up to 2048 bytes.  By default, sudoers
1743                       creates log messages up to 980 bytes which corresponds
1744                       to the historic BSD syslog implementation which used a
1745                       1024 byte buffer to store the message, date, hostname
1746                       and program name.  To prevent syslog messages from
1747                       being truncated, sudoers will split up log messages
1748                       that are larger than syslog_maxlen bytes.  When a mes‐
1749                       sage is split, additional parts will include the string
1750                       “(command continued)” after the user name and before
1751                       the continued command line arguments.
1752
1753                       This setting is only supported by version 1.8.19 or
1754                       higher.
1755
1756     Integers that can be used in a boolean context:
1757
1758     loglinelen        Number of characters per line for the file log.  This
1759                       value is used to decide when to wrap lines for nicer
1760                       log files.  This has no effect on the syslog log file,
1761                       only the file log.  The default is 80 (use 0 or negate
1762                       the option to disable word wrap).
1763
1764     passwd_timeout    Number of minutes before the sudo password prompt times
1765                       out, or 0 for no timeout.  The timeout may include a
1766                       fractional component if minute granularity is insuffi‐
1767                       cient, for example 2.5.  The default is 5.
1768
1769     timestamp_timeout
1770                       Number of minutes that can elapse before sudo will ask
1771                       for a passwd again.  The timeout may include a frac‐
1772                       tional component if minute granularity is insufficient,
1773                       for example 2.5.  The default is 5.  Set this to 0 to
1774                       always prompt for a password.  If set to a value less
1775                       than 0 the user's time stamp will not expire until the
1776                       system is rebooted.  This can be used to allow users to
1777                       create or delete their own time stamps via “sudo -v”
1778                       and “sudo -k” respectively.
1779
1780     umask             File mode creation mask to use when running the com‐
1781                       mand.  Negate this option or set it to 0777 to prevent
1782                       sudoers from changing the umask.  Unless the
1783                       umask_override flag is set, the actual umask will be
1784                       the union of the user's umask and the value of the
1785                       umask setting, which defaults to 0022.  This guarantees
1786                       that sudo never lowers the umask when running a com‐
1787                       mand.
1788
1789                       If umask is explicitly set in sudoers, it will override
1790                       any umask setting in PAM or login.conf.  If umask is
1791                       not set in sudoers, the umask specified by PAM or
1792                       login.conf will take precedence.  The umask setting in
1793                       PAM is not used for sudoedit, which does not create a
1794                       new PAM session.
1795
1796     Strings:
1797
1798     authfail_message  Message that is displayed after a user fails to authen‐
1799                       ticate.  The message may include the ‘%d’ escape which
1800                       will expand to the number of failed password attempts.
1801                       If set, it overrides the default message, %d incorrect
1802                       password attempt(s).
1803
1804     badpass_message   Message that is displayed if a user enters an incorrect
1805                       password.  The default is Sorry, try again. unless
1806                       insults are enabled.
1807
1808     editor            A colon (‘:’) separated list of editors path names used
1809                       by sudoedit and visudo.  For sudoedit, this list is
1810                       used to find an editor when none of the SUDO_EDITOR,
1811                       VISUAL or EDITOR environment variables are set to an
1812                       editor that exists and is executable.  For visudo, it
1813                       is used as a white list of allowed editors; visudo will
1814                       choose the editor that matches the user's SUDO_EDITOR,
1815                       VISUAL or EDITOR environment variable if possible, or
1816                       the first editor in the list that exists and is exe‐
1817                       cutable if not.  Unless invoked as sudoedit, sudo does
1818                       not preserve the SUDO_EDITOR, VISUAL or EDITOR environ‐
1819                       ment variables unless they are present in the env_keep
1820                       list or the env_reset option is disabled.  The default
1821                       is /bin/vi.
1822
1823     iolog_dir         The top-level directory to use when constructing the
1824                       path name for the input/output log directory.  Only
1825                       used if the log_input or log_output options are enabled
1826                       or when the LOG_INPUT or LOG_OUTPUT tags are present
1827                       for a command.  The session sequence number, if any, is
1828                       stored in the directory.  The default is
1829                       /var/log/sudo-io.
1830
1831                       The following percent (‘%’) escape sequences are sup‐
1832                       ported:
1833
1834                       %{seq}
1835                             expanded to a monotonically increasing base-36
1836                             sequence number, such as 0100A5, where every two
1837                             digits are used to form a new directory, e.g.,
1838                             01/00/A5
1839
1840                       %{user}
1841                             expanded to the invoking user's login name
1842
1843                       %{group}
1844                             expanded to the name of the invoking user's real
1845                             group-ID
1846
1847                       %{runas_user}
1848                             expanded to the login name of the user the com‐
1849                             mand will be run as (e.g., root)
1850
1851                       %{runas_group}
1852                             expanded to the group name of the user the com‐
1853                             mand will be run as (e.g., wheel)
1854
1855                       %{hostname}
1856                             expanded to the local host name without the
1857                             domain name
1858
1859                       %{command}
1860                             expanded to the base name of the command being
1861                             run
1862
1863                       In addition, any escape sequences supported by the sys‐
1864                       tem's strftime(3) function will be expanded.
1865
1866                       To include a literal ‘%’ character, the string ‘%%’
1867                       should be used.
1868
1869     iolog_file        The path name, relative to iolog_dir, in which to store
1870                       input/output logs when the log_input or log_output
1871                       options are enabled or when the LOG_INPUT or LOG_OUTPUT
1872                       tags are present for a command.  Note that iolog_file
1873                       may contain directory components.  The default is
1874                       “%{seq}”.
1875
1876                       See the iolog_dir option above for a list of supported
1877                       percent (‘%’) escape sequences.
1878
1879                       In addition to the escape sequences, path names that
1880                       end in six or more Xs will have the Xs replaced with a
1881                       unique combination of digits and letters, similar to
1882                       the mktemp(3) function.
1883
1884                       If the path created by concatenating iolog_dir and
1885                       iolog_file already exists, the existing I/O log file
1886                       will be truncated and overwritten unless iolog_file
1887                       ends in six or more Xs.
1888
1889     iolog_flush       If set, sudo will flush I/O log data to disk after each
1890                       write instead of buffering it.  This makes it possible
1891                       to view the logs in real-time as the program is execut‐
1892                       ing but may significantly reduce the effectiveness of
1893                       I/O log compression.  This flag is off by default.
1894
1895                       This setting is only supported by version 1.8.20 or
1896                       higher.
1897
1898     iolog_group       The group name to look up when setting the group-ID on
1899                       new I/O log files and directories.  If iolog_group is
1900                       not set, the primary group-ID of the user specified by
1901                       iolog_user is used.  If neither iolog_group nor
1902                       iolog_user are set, I/O log files and directories are
1903                       created with group-ID 0.
1904
1905                       This setting is only supported by version 1.8.19 or
1906                       higher.
1907
1908     iolog_mode        The file mode to use when creating I/O log files.  Mode
1909                       bits for read and write permissions for owner, group or
1910                       other are honored, everything else is ignored.  The
1911                       file permissions will always include the owner read and
1912                       write bits, even if they are not present in the speci‐
1913                       fied mode.  When creating I/O log directories, search
1914                       (execute) bits are added to match the read and write
1915                       bits specified by iolog_mode.  Defaults to 0600 (read
1916                       and write by user only).
1917
1918                       This setting is only supported by version 1.8.19 or
1919                       higher.
1920
1921     iolog_user        The user name to look up when setting the user and
1922                       group-IDs on new I/O log files and directories.  If
1923                       iolog_group is set, it will be used instead of the
1924                       user's primary group-ID.  By default, I/O log files and
1925                       directories are created with user and group-ID 0.
1926
1927                       This setting can be useful when the I/O logs are stored
1928                       on a Network File System (NFS) share.  Having a dedi‐
1929                       cated user own the I/O log files means that sudoers
1930                       does not write to the log files as user-ID 0, which is
1931                       usually not permitted by NFS.
1932
1933                       This setting is only supported by version 1.8.19 or
1934                       higher.
1935
1936     lecture_status_dir
1937                       The directory in which sudo stores per-user lecture
1938                       status files.  Once a user has received the lecture, a
1939                       zero-length file is created in this directory so that
1940                       sudo will not lecture the user again.  This directory
1941                       should not be cleared when the system reboots.  The
1942                       default is /var/db/sudo/lectured.
1943
1944     log_server_cabundle
1945                       The path to a certificate authority bundle file, in PEM
1946                       format, to use instead of the system's default certifi‐
1947                       cate authority database when authenticating the log
1948                       server.  The default is to use the system's default
1949                       certificate authority database.  This setting has no
1950                       effect unless log_servers is set and the remote log
1951                       server is secured with TLS.
1952
1953                       This setting is only supported by version 1.9.0 or
1954                       higher.
1955
1956     log_server_peer_cert
1957                       The path to the client's certificate file, in PEM for‐
1958                       mat.  This setting is required when log_servers is set
1959                       and the remote log server is secured with TLS.
1960
1961                       This setting is only supported by version 1.9.0 or
1962                       higher.
1963
1964     log_server_peer_key
1965                       The path to the client's private key file, in PEM for‐
1966                       mat.  This setting is required when log_servers is set
1967                       and the remote log server is secured with TLS.
1968
1969                       This setting is only supported by version 1.9.0 or
1970                       higher.
1971
1972     mailsub           Subject of the mail sent to the mailto user.  The
1973                       escape %h will expand to the host name of the machine.
1974                       Default is “*** SECURITY information for %h ***”.
1975
1976     noexec_file       As of sudo version 1.8.1 this option is no longer sup‐
1977                       ported.  The path to the noexec file should now be set
1978                       in the sudo.conf(5) file.
1979
1980     pam_login_service
1981                       On systems that use PAM for authentication, this is the
1982                       service name used when the -i option is specified.  The
1983                       default value is “sudo-i”.  See the description of
1984                       pam_service for more information.
1985
1986                       This setting is only supported by version 1.8.8 or
1987                       higher.
1988
1989     pam_service       On systems that use PAM for authentication, the service
1990                       name specifies the PAM policy to apply.  This usually
1991                       corresponds to an entry in the pam.conf file or a file
1992                       in the /etc/pam.d directory.  The default value is
1993                       “sudo”.
1994
1995                       This setting is only supported by version 1.8.8 or
1996                       higher.
1997
1998     passprompt        The default prompt to use when asking for a password;
1999                       can be overridden via the -p option or the SUDO_PROMPT
2000                       environment variable.  The following percent (‘%’)
2001                       escape sequences are supported:
2002
2003                       %H    expanded to the local host name including the
2004                             domain name (only if the machine's host name is
2005                             fully qualified or the fqdn option is set)
2006
2007                       %h    expanded to the local host name without the
2008                             domain name
2009
2010                       %p    expanded to the user whose password is being
2011                             asked for (respects the rootpw, targetpw and
2012                             runaspw flags in sudoers)
2013
2014                       %U    expanded to the login name of the user the com‐
2015                             mand will be run as (defaults to root)
2016
2017                       %u    expanded to the invoking user's login name
2018
2019                       %%    two consecutive % characters are collapsed into a
2020                             single % character
2021
2022                       On systems that use PAM for authentication, passprompt
2023                       will only be used if the prompt provided by the PAM
2024                       module matches the string “Password: ” or “username's
2025                       Password: ”.  This ensures that the passprompt setting
2026                       does not interfere with challenge-response style
2027                       authentication.  The passprompt_override flag can be
2028                       used to change this behavior.
2029
2030                       The default value is “[sudo] password for %p: ”.
2031
2032     role              The default SELinux role to use when constructing a new
2033                       security context to run the command.  The default role
2034                       may be overridden on a per-command basis in the sudoers
2035                       file or via command line options.  This option is only
2036                       available when sudo is built with SELinux support.
2037
2038     runas_default     The default user to run commands as if the -u option is
2039                       not specified on the command line.  This defaults to
2040                       root.
2041
2042     sudoers_locale    Locale to use when parsing the sudoers file, logging
2043                       commands, and sending email.  Note that changing the
2044                       locale may affect how sudoers is interpreted.  Defaults
2045                       to “C”.
2046
2047     timestamp_type    sudoers uses per-user time stamp files for credential
2048                       caching.  The timestamp_type option can be used to
2049                       specify the type of time stamp record used.  It has the
2050                       following possible values:
2051
2052                       global  A single time stamp record is used for all of a
2053                               user's login sessions, regardless of the termi‐
2054                               nal or parent process ID.  An additional record
2055                               is used to serialize password prompts when sudo
2056                               is used multiple times in a pipeline, but this
2057                               does not affect authentication.
2058
2059                       ppid    A single time stamp record is used for all pro‐
2060                               cesses with the same parent process ID (usually
2061                               the shell).  Commands run from the same shell
2062                               (or other common parent process) will not
2063                               require a password for timestamp_timeout min‐
2064                               utes (5 by default).  Commands run via sudo
2065                               with a different parent process ID, for example
2066                               from a shell script, will be authenticated sep‐
2067                               arately.
2068
2069                       tty     One time stamp record is used for each termi‐
2070                               nal, which means that a user's login sessions
2071                               are authenticated separately.  If no terminal
2072                               is present, the behavior is the same as ppid.
2073                               Commands run from the same terminal will not
2074                               require a password for timestamp_timeout min‐
2075                               utes (5 by default).
2076
2077                       kernel  The time stamp is stored in the kernel as an
2078                               attribute of the terminal device.  If no termi‐
2079                               nal is present, the behavior is the same as
2080                               ppid.  Negative timestamp_timeout values are
2081                               not supported and positive values are limited
2082                               to a maximum of 60 minutes.  This is currently
2083                               only supported on OpenBSD.
2084
2085                       The default value is tty.
2086
2087                       This setting is only supported by version 1.8.21 or
2088                       higher.
2089
2090     timestampdir      The directory in which sudo stores its time stamp
2091                       files.  This directory should be cleared when the sys‐
2092                       tem reboots.  The default is /run/sudo/ts.
2093
2094     timestampowner    The owner of the lecture status directory, time stamp
2095                       directory and all files stored therein.  The default is
2096                       root.
2097
2098     type              The default SELinux type to use when constructing a new
2099                       security context to run the command.  The default type
2100                       may be overridden on a per-command basis in the sudoers
2101                       file or via command line options.  This option is only
2102                       available when sudo is built with SELinux support.
2103
2104     Strings that can be used in a boolean context:
2105
2106     env_file      The env_file option specifies the fully qualified path to a
2107                   file containing variables to be set in the environment of
2108                   the program being run.  Entries in this file should either
2109                   be of the form “VARIABLE=value” or “export VARIABLE=value”.
2110                   The value may optionally be enclosed in single or double
2111                   quotes.  Variables in this file are only added if the vari‐
2112                   able does not already exist in the environment.  This file
2113                   is considered to be part of the security policy, its con‐
2114                   tents are not subject to other sudo environment restric‐
2115                   tions such as env_keep and env_check.
2116
2117     exempt_group  Users in this group are exempt from password and PATH
2118                   requirements.  The group name specified should not include
2119                   a % prefix.  This is not set by default.
2120
2121     fdexec        Determines whether sudo will execute a command by its path
2122                   or by an open file descriptor.  It has the following possi‐
2123                   ble values:
2124
2125                   always  Always execute by file descriptor.
2126
2127                   never   Never execute by file descriptor.
2128
2129                   digest_only
2130                           Only execute by file descriptor if the command has
2131                           an associated digest in the sudoers file.
2132
2133                   The default value is digest_only.  This avoids a time of
2134                   check versus time of use race condition when the command is
2135                   located in a directory writable by the invoking user.
2136
2137                   Note that fdexec will change the first element of the argu‐
2138                   ment vector for scripts ($0 in the shell) due to the way
2139                   the kernel runs script interpreters.  Instead of being a
2140                   normal path, it will refer to a file descriptor.  For exam‐
2141                   ple, /dev/fd/4 on Solaris and /proc/self/fd/4 on Linux.  A
2142                   workaround is to use the SUDO_COMMAND environment variable
2143                   instead.
2144
2145                   The fdexec setting is only used when the command is matched
2146                   by path name.  It has no effect if the command is matched
2147                   by the built-in ALL alias.
2148
2149                   This setting is only supported by version 1.8.20 or higher.
2150                   If the operating system does not support the fexecve(2)
2151                   system call, this setting has no effect.
2152
2153     group_plugin  A string containing a sudoers group plugin with optional
2154                   arguments.  The string should consist of the plugin path,
2155                   either fully-qualified or relative to the /usr/libexec/sudo
2156                   directory, followed by any configuration arguments the
2157                   plugin requires.  These arguments (if any) will be passed
2158                   to the plugin's initialization function.  If arguments are
2159                   present, the string must be enclosed in double quotes ("").
2160
2161                   For more information see GROUP PROVIDER PLUGINS.
2162
2163     lecture       This option controls when a short lecture will be printed
2164                   along with the password prompt.  It has the following pos‐
2165                   sible values:
2166
2167                   always  Always lecture the user.
2168
2169                   never   Never lecture the user.
2170
2171                   once    Only lecture the user the first time they run sudo.
2172
2173                   If no value is specified, a value of once is implied.
2174                   Negating the option results in a value of never being used.
2175                   The default value is once.
2176
2177     lecture_file  Path to a file containing an alternate sudo lecture that
2178                   will be used in place of the standard lecture if the named
2179                   file exists.  By default, sudo uses a built-in lecture.
2180
2181     listpw        This option controls when a password will be required when
2182                   a user runs sudo with the -l option.  It has the following
2183                   possible values:
2184
2185                   all       All the user's sudoers file entries for the cur‐
2186                             rent host must have the NOPASSWD flag set to
2187                             avoid entering a password.
2188
2189                   always    The user must always enter a password to use the
2190                             -l option.
2191
2192                   any       At least one of the user's sudoers file entries
2193                             for the current host must have the NOPASSWD flag
2194                             set to avoid entering a password.
2195
2196                   never     The user need never enter a password to use the
2197                             -l option.
2198
2199                   If no value is specified, a value of any is implied.
2200                   Negating the option results in a value of never being used.
2201                   The default value is any.
2202
2203     log_format    The event log format.  Supported log formats are:
2204
2205                   json      Logs in JSON format.  JSON log entries contain
2206                             the full user details as well as the execution
2207                             environment if the command was allowed.  Due to
2208                             limitations of the protocol, JSON events sent via
2209                             syslog may be truncated.
2210
2211                   sudo      Traditional sudo-style logs, see LOG FORMAT for a
2212                             description of the log file format.
2213
2214                   This setting affects logs sent via syslog(3) as well as the
2215                   file specified by the logfile setting, if any.  The default
2216                   value is sudo.
2217
2218     logfile       Path to the sudo log file (not the syslog log file).  Set‐
2219                   ting a path turns on logging to a file; negating this
2220                   option turns it off.  By default, sudo logs via syslog.
2221
2222     mailerflags   Flags to use when invoking mailer.  Defaults to -t.
2223
2224     mailerpath    Path to mail program used to send warning mail.  Defaults
2225                   to the path to sendmail found at configure time.
2226
2227     mailfrom      Address to use for the “from” address when sending warning
2228                   and error mail.  The address should be enclosed in double
2229                   quotes ("") to protect against sudo interpreting the @
2230                   sign.  Defaults to the name of the user running sudo.
2231
2232     mailto        Address to send warning and error mail to.  The address
2233                   should be enclosed in double quotes ("") to protect against
2234                   sudo interpreting the @ sign.  Defaults to root.
2235
2236     restricted_env_file
2237                   The restricted_env_file option specifies the fully quali‐
2238                   fied path to a file containing variables to be set in the
2239                   environment of the program being run.  Entries in this file
2240                   should either be of the form “VARIABLE=value” or “export
2241                   VARIABLE=value”.  The value may optionally be enclosed in
2242                   single or double quotes.  Variables in this file are only
2243                   added if the variable does not already exist in the envi‐
2244                   ronment.  Unlike env_file, the file's contents are not
2245                   trusted and are processed in a manner similar to that of
2246                   the invoking user's environment.  If env_reset is enabled,
2247                   variables in the file will only be added if they are
2248                   matched by either the env_check or env_keep list.  If
2249                   env_reset is disabled, variables in the file are added as
2250                   long as they are not matched by the env_delete list.  In
2251                   either case, the contents of restricted_env_file are pro‐
2252                   cessed before the contents of env_file.
2253
2254     runchroot     If set, sudo will use this value for the root directory
2255                   when running a command.  The special value “*” will allow
2256                   the user to specify the root directory via sudo's -R
2257                   option.  See the Chroot_Spec section for more details.
2258
2259                   It is only possible to use runchroot as a command-specific
2260                   Defaults setting if the command exists with the same path
2261                   both inside and outside the chroot jail.  This restriction
2262                   does not apply to generic, host or user-based Defaults set‐
2263                   tings or to a Cmnd_Spec that includes a Chroot_Spec.
2264
2265                   This setting is only supported by version 1.9.3 or higher.
2266
2267     runcwd        If set, sudo will use this value for the working directory
2268                   when running a command.  The special value “*” will allow
2269                   the user to specify the working directory via sudo's -D
2270                   option.  See the Chdir_Spec section for more details.
2271
2272                   This setting is only supported by version 1.9.3 or higher.
2273
2274     secure_path   If set, sudo will use this value in place of the user's
2275                   PATH environment variable.  This option can be used to
2276                   reset the PATH to a known good value that contains directo‐
2277                   ries for system administrator commands such as /usr/sbin.
2278
2279                   Users in the group specified by the exempt_group option are
2280                   not affected by secure_path.  This option is not set by
2281                   default.
2282
2283     syslog        Syslog facility if syslog is being used for logging (negate
2284                   to disable syslog logging).  Defaults to authpriv.
2285
2286                   The following syslog facilities are supported: authpriv (if
2287                   your OS supports it), auth, daemon, user, local0, local1,
2288                   local2, local3, local4, local5, local6, and local7.
2289
2290     syslog_badpri
2291                   Syslog priority to use when the user is not allowed to run
2292                   a command or when authentication is unsuccessful.  Defaults
2293                   to alert.
2294
2295                   The following syslog priorities are supported: alert, crit,
2296                   debug, emerg, err, info, notice, warning, and none.  Negat‐
2297                   ing the option or setting it to a value of none will dis‐
2298                   able logging of unsuccessful commands.
2299
2300     syslog_goodpri
2301                   Syslog priority to use when the user is allowed to run a
2302                   command and authentication is successful.  Defaults to
2303                   notice.
2304
2305                   See syslog_badpri for the list of supported syslog priori‐
2306                   ties.  Negating the option or setting it to a value of none
2307                   will disable logging of successful commands.
2308
2309     verifypw      This option controls when a password will be required when
2310                   a user runs sudo with the -v option.  It has the following
2311                   possible values:
2312
2313                   all     All the user's sudoers file entries for the current
2314                           host must have the NOPASSWD flag set to avoid
2315                           entering a password.
2316
2317                   always  The user must always enter a password to use the -v
2318                           option.
2319
2320                   any     At least one of the user's sudoers file entries for
2321                           the current host must have the NOPASSWD flag set to
2322                           avoid entering a password.
2323
2324                   never   The user need never enter a password to use the -v
2325                           option.
2326
2327                   If no value is specified, a value of all is implied.
2328                   Negating the option results in a value of never being used.
2329                   The default value is all.
2330
2331     Lists that can be used in a boolean context:
2332
2333     env_check         Environment variables to be removed from the user's
2334                       environment unless they are considered “safe”.  For all
2335                       variables except TZ, “safe” means that the variable's
2336                       value does not contain any ‘%’ or ‘/’ characters.  This
2337                       can be used to guard against printf-style format vul‐
2338                       nerabilities in poorly-written programs.  The TZ vari‐
2339                       able is considered unsafe if any of the following are
2340                       true:
2341
2342                       ·  It consists of a fully-qualified path name, option‐
2343                          ally prefixed with a colon (‘:’), that does not
2344                          match the location of the zoneinfo directory.
2345
2346                       ·  It contains a .. path element.
2347
2348                       ·  It contains white space or non-printable characters.
2349
2350                       ·  It is longer than the value of PATH_MAX.
2351
2352                       The argument may be a double-quoted, space-separated
2353                       list or a single value without double-quotes.  The list
2354                       can be replaced, added to, deleted from, or disabled by
2355                       using the =, +=, -=, and ! operators respectively.
2356                       Regardless of whether the env_reset option is enabled
2357                       or disabled, variables specified by env_check will be
2358                       preserved in the environment if they pass the aforemen‐
2359                       tioned check.  The global list of environment variables
2360                       to check is displayed when sudo is run by root with the
2361                       -V option.
2362
2363     env_delete        Environment variables to be removed from the user's
2364                       environment when the env_reset option is not in effect.
2365                       The argument may be a double-quoted, space-separated
2366                       list or a single value without double-quotes.  The list
2367                       can be replaced, added to, deleted from, or disabled by
2368                       using the =, +=, -=, and ! operators respectively.  The
2369                       global list of environment variables to remove is dis‐
2370                       played when sudo is run by root with the -V option.
2371                       Note that many operating systems will remove poten‐
2372                       tially dangerous variables from the environment of any
2373                       set-user-ID process (such as sudo).
2374
2375     env_keep          Environment variables to be preserved in the user's
2376                       environment when the env_reset option is in effect.
2377                       This allows fine-grained control over the environment
2378                       sudo-spawned processes will receive.  The argument may
2379                       be a double-quoted, space-separated list or a single
2380                       value without double-quotes.  The list can be replaced,
2381                       added to, deleted from, or disabled by using the =, +=,
2382                       -=, and ! operators respectively.  The global list of
2383                       variables to keep is displayed when sudo is run by root
2384                       with the -V option.
2385
2386                       Preserving the HOME environment variable has security
2387                       implications since many programs use it when searching
2388                       for configuration or data files.  Adding HOME to
2389                       env_keep may enable a user to run unrestricted commands
2390                       via sudo and is strongly discouraged.  Users wishing to
2391                       edit files with sudo should run sudoedit (or sudo -e)
2392                       to get their accustomed editor configuration instead of
2393                       invoking the editor directly.
2394
2395     log_servers       A list of one or more servers to use for remote event
2396                       and I/O log storage, separated by white space.  Log
2397                       servers must be running sudo_logsrvd or another service
2398                       that implements the protocol described by
2399                       sudo_logsrv.proto(5).
2400
2401                       Server addresses should be of the form
2402                       “host[:port][(tls)]”.  The host portion may be a host
2403                       name, an IPv4 address, or an IPv6 address in square
2404                       brackets.
2405
2406                       If the optional tls flag is present, the connection
2407                       will be secured with Transport Layer Security (TLS)
2408                       version 1.2 or 1.3.  Versions of TLS prior to 1.2 are
2409                       not supported.
2410
2411                       If a port is specified, it may either be a port number
2412                       or a well-known service name as defined by the system
2413                       service name database.  If no port is specified, port
2414                       30343 will be used for plaintext connections and port
2415                       30344 will be used for TLS connections.
2416
2417                       When log_servers is set, event log data will be logged
2418                       both locally (see the syslog and log_file settings) as
2419                       well as remotely, but I/O log data will only be logged
2420                       remotely.  If multiple hosts are specified, they will
2421                       be attempted in reverse order.  If no log servers are
2422                       available, the user will not be able to run a command
2423                       unless either the ignore_iolog_errors flag (I/O logging
2424                       enabled) or the ignore_log_errors flag (I/O logging
2425                       disabled) is set.  Likewise, if the connection to the
2426                       log server is interrupted while sudo is running, the
2427                       command will be terminated unless the
2428                       ignore_iolog_errors flag (I/O logging enabled) or the
2429                       ignore_log_errors flag (I/O logging disabled) is set.
2430
2431                       This setting is only supported by version 1.9.0 or
2432                       higher.
2433

GROUP PROVIDER PLUGINS

2435     The sudoers plugin supports its own plugin interface to allow non-Unix
2436     group lookups which can query a group source other than the standard Unix
2437     group database.  This can be used to implement support for the
2438     nonunix_group syntax described earlier.
2439
2440     Group provider plugins are specified via the group_plugin setting.  The
2441     argument to group_plugin should consist of the plugin path, either fully-
2442     qualified or relative to the /usr/libexec/sudo directory, followed by any
2443     configuration options the plugin requires.  These options (if specified)
2444     will be passed to the plugin's initialization function.  If options are
2445     present, the string must be enclosed in double quotes ("").
2446
2447     The following group provider plugins are installed by default:
2448
2449     group_file
2450               The group_file plugin supports an alternate group file that
2451               uses the same syntax as the /etc/group file.  The path to the
2452               group file should be specified as an option to the plugin.  For
2453               example, if the group file to be used is /etc/sudo-group:
2454
2455               Defaults group_plugin="group_file.so /etc/sudo-group"
2456
2457     system_group
2458               The system_group plugin supports group lookups via the standard
2459               C library functions getgrnam() and getgrid().  This plugin can
2460               be used in instances where the user belongs to groups not
2461               present in the user's supplemental group vector.  This plugin
2462               takes no options:
2463
2464               Defaults group_plugin=system_group.so
2465
2466     The group provider plugin API is described in detail in sudo_plugin(5).
2467

LOG FORMAT

2469     sudoers can log events in either JSON or sudo format, this section
2470     describes the sudo log format.  Depending on sudoers configuration,
2471     sudoers can log events via syslog(3), to a local log file, or both.  The
2472     log format is almost identical in both cases.
2473
2474   Accepted command log entries
2475     Commands that sudo runs are logged using the following format (split into
2476     multiple lines for readability):
2477
2478         date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
2479             USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2480             ENV=env_vars COMMAND=command
2481
2482     Where the fields are as follows:
2483
2484     date          The date the command was run.  Typically, this is in the
2485                   format “MMM, DD, HH:MM:SS”.  If logging via syslog(3), the
2486                   actual date format is controlled by the syslog daemon.  If
2487                   logging to a file and the log_year option is enabled, the
2488                   date will also include the year.
2489
2490     hostname      The name of the host sudo was run on.  This field is only
2491                   present when logging via syslog(3).
2492
2493     progname      The name of the program, usually sudo or sudoedit.  This
2494                   field is only present when logging via syslog(3).
2495
2496     username      The login name of the user who ran sudo.
2497
2498     ttyname       The short name of the terminal (e.g., “console”, “tty01”,
2499                   or “pts/0”) sudo was run on, or “unknown” if there was no
2500                   terminal present.
2501
2502     cwd           The current working directory that sudo was run in.
2503
2504     runasuser     The user the command was run as.
2505
2506     runasgroup    The group the command was run as if one was specified on
2507                   the command line.
2508
2509     logid         An I/O log identifier that can be used to replay the com‐
2510                   mand's output.  This is only present when the log_input or
2511                   log_output option is enabled.
2512
2513     env_vars      A list of environment variables specified on the command
2514                   line, if specified.
2515
2516     command       The actual command that was executed.
2517
2518     Messages are logged using the locale specified by sudoers_locale, which
2519     defaults to the “C” locale.
2520
2521   Denied command log entries
2522     If the user is not allowed to run the command, the reason for the denial
2523     will follow the user name.  Possible reasons include:
2524
2525     user NOT in sudoers
2526       The user is not listed in the sudoers file.
2527
2528     user NOT authorized on host
2529       The user is listed in the sudoers file but is not allowed to run com‐
2530       mands on the host.
2531
2532     command not allowed
2533       The user is listed in the sudoers file for the host but they are not
2534       allowed to run the specified command.
2535
2536     3 incorrect password attempts
2537       The user failed to enter their password after 3 tries.  The actual num‐
2538       ber of tries will vary based on the number of failed attempts and the
2539       value of the passwd_tries option.
2540
2541     a password is required
2542       The -n option was specified but a password was required.
2543
2544     sorry, you are not allowed to set the following environment variables
2545       The user specified environment variables on the command line that were
2546       not allowed by sudoers.
2547
2548   Error log entries
2549     If an error occurs, sudoers will log a message and, in most cases, send a
2550     message to the administrator via email.  Possible errors include:
2551
2552     parse error in /etc/sudoers near line N
2553       sudoers encountered an error when parsing the specified file.  In some
2554       cases, the actual error may be one line above or below the line number
2555       listed, depending on the type of error.
2556
2557     problem with defaults entries
2558       The sudoers file contains one or more unknown Defaults settings.  This
2559       does not prevent sudo from running, but the sudoers file should be
2560       checked using visudo.
2561
2562     timestamp owner (username): No such user
2563       The time stamp directory owner, as specified by the timestampowner set‐
2564       ting, could not be found in the password database.
2565
2566     unable to open/read /etc/sudoers
2567       The sudoers file could not be opened for reading.  This can happen when
2568       the sudoers file is located on a remote file system that maps user-ID 0
2569       to a different value.  Normally, sudoers tries to open the sudoers file
2570       using group permissions to avoid this problem.  Consider either chang‐
2571       ing the ownership of /etc/sudoers or adding an argument like
2572       “sudoers_uid=N” (where ‘N’ is the user-ID that owns the sudoers file)
2573       to the end of the sudoers Plugin line in the sudo.conf(5) file.
2574
2575     unable to stat /etc/sudoers
2576       The /etc/sudoers file is missing.
2577
2578     /etc/sudoers is not a regular file
2579       The /etc/sudoers file exists but is not a regular file or symbolic
2580       link.
2581
2582     /etc/sudoers is owned by uid N, should be 0
2583       The sudoers file has the wrong owner.  If you wish to change the
2584       sudoers file owner, please add “sudoers_uid=N” (where ‘N’ is the user-
2585       ID that owns the sudoers file) to the sudoers Plugin line in the
2586       sudo.conf(5) file.
2587
2588     /etc/sudoers is world writable
2589       The permissions on the sudoers file allow all users to write to it.
2590       The sudoers file must not be world-writable, the default file mode is
2591       0440 (readable by owner and group, writable by none).  The default mode
2592       may be changed via the “sudoers_mode” option to the sudoers Plugin line
2593       in the sudo.conf(5) file.
2594
2595     /etc/sudoers is owned by gid N, should be 1
2596       The sudoers file has the wrong group ownership.  If you wish to change
2597       the sudoers file group ownership, please add “sudoers_gid=N” (where ‘N’
2598       is the group-ID that owns the sudoers file) to the sudoers Plugin line
2599       in the sudo.conf(5) file.
2600
2601     unable to open /run/sudo/ts/username
2602       sudoers was unable to read or create the user's time stamp file.  This
2603       can happen when timestampowner is set to a user other than root and the
2604       mode on /run/sudo is not searchable by group or other.  The default
2605       mode for /run/sudo is 0711.
2606
2607     unable to write to /run/sudo/ts/username
2608       sudoers was unable to write to the user's time stamp file.
2609
2610     /run/sudo/ts is owned by uid X, should be Y
2611       The time stamp directory is owned by a user other than timestampowner.
2612       This can occur when the value of timestampowner has been changed.
2613       sudoers will ignore the time stamp directory until the owner is cor‐
2614       rected.
2615
2616     /run/sudo/ts is group writable
2617       The time stamp directory is group-writable; it should be writable only
2618       by timestampowner.  The default mode for the time stamp directory is
2619       0700.  sudoers will ignore the time stamp directory until the mode is
2620       corrected.
2621
2622   Notes on logging via syslog
2623     By default, sudoers logs messages via syslog(3).  The date, hostname, and
2624     progname fields are added by the system's syslog() function, not sudoers
2625     itself.  As such, they may vary in format on different systems.
2626
2627     The maximum size of syslog messages varies from system to system.  The
2628     syslog_maxlen setting can be used to change the maximum syslog message
2629     size from the default value of 980 bytes.  For more information, see the
2630     description of syslog_maxlen.
2631
2632   Notes on logging to a file
2633     If the logfile option is set, sudoers will log to a local file, such as
2634     /var/log/sudo.  When logging to a file, sudoers uses a format similar to
2635     syslog(3), with a few important differences:
2636
2637     1.   The progname and hostname fields are not present.
2638
2639     2.   If the log_year option is enabled, the date will also include the
2640          year.
2641
2642     3.   Lines that are longer than loglinelen characters (80 by default) are
2643          word-wrapped and continued on the next line with a four character
2644          indent.  This makes entries easier to read for a human being, but
2645          makes it more difficult to use grep(1) on the log files.  If the
2646          loglinelen option is set to 0 (or negated with a ‘!’), word wrap
2647          will be disabled.
2648

I/O LOG FILES

2650     When I/O logging is enabled, sudo will run the command in a pseudo-termi‐
2651     nal and log all user input and/or output, depending on which options are
2652     enabled.  I/O can be logged either to the local machine or to a remote
2653     log server.  For local logs, I/O is logged to the directory specified by
2654     the iolog_dir option (/var/log/sudo-io by default) using a unique session
2655     ID that is included in the sudo log line, prefixed with “TSID=”.  The
2656     iolog_file option may be used to control the format of the session ID.
2657     For remote logs, the log_servers setting is used to specify one or more
2658     log servers running sudo_logsrvd or another server that implements the
2659     protocol described by sudo_logsrv.proto(5).
2660
2661     For both local and remote I/O logs, each log is stored in a separate
2662     directory that contains the following files:
2663
2664     log       A text file containing information about the command.  The
2665               first line consists of the following colon-delimited fields:
2666               the time the command was run, the name of the user who ran
2667               sudo, the name of the target user, the name of the target group
2668               (optional), the terminal that sudo was run from, and the number
2669               of lines and columns of the terminal.  The second and third
2670               lines contain the working directory the command was run from
2671               and the path name of the command itself (with arguments if
2672               present).
2673
2674     log.json  A JSON-formatted file containing information about the command.
2675               This is similar to the log file but contains additional infor‐
2676               mation and is easily extensible.  The log.json file will be
2677               used by sudoreplay(8) in preference to the log file if it
2678               exists.  The file may contain the following elements:
2679
2680               timestamp
2681                         A JSON object containing time the command was run.
2682                         It consists of two values, seconds and nanoseconds.
2683
2684               columns   The number of columns of the terminal the command ran
2685                         on, or zero if no terminal was present.
2686
2687               command   The fully-qualified path of the command that was run.
2688
2689               lines     The number of lines of the terminal the command ran
2690                         on, or zero if no terminal was present.
2691
2692               runargv   A JSON array representing the command's argument vec‐
2693                         tor as passed to the execve(2) system call.
2694
2695               runenv    A JSON array representing the command's environment
2696                         as passed to the execve(2) system call.
2697
2698               rungid    The group ID the command ran as.  This element is
2699                         only present when the user specifies a group on the
2700                         command line.
2701
2702               rungroup  The name of the group the command ran as.  This ele‐
2703                         ment is only present when the user specifies a group
2704                         on the command line.
2705
2706               runuid    The user ID the command ran as.
2707
2708               runuser   The name of the user the command ran as.
2709
2710               submitcwd
2711                         The current working directory at the time sudo was
2712                         run.
2713
2714               submithost
2715                         The name of the host the command was run on.
2716
2717               submituser
2718                         The name of the user who ran the command via sudo.
2719
2720               ttyname   The path name of the terminal the user invoked sudo
2721                         from.  If the command was run in a pseudo-terminal,
2722                         ttyname will be different from the terminal the com‐
2723                         mand actually ran in.
2724
2725     timing    Timing information used to replay the session.  Each line con‐
2726               sists of the I/O log entry type and amount of time since the
2727               last entry, followed by type-specific data.  The I/O log entry
2728               types and their corresponding type-specific data are:
2729
2730               0     standard input, number of bytes in the entry
2731               1     standard output, number of bytes in the entry
2732               2     standard error, number of bytes in the entry
2733               3     terminal input, number of bytes in the entry
2734               4     terminal output, number of bytes in the entry
2735               5     window change, new number lines and columns
2736               6     bug compatibility for sudo 1.8.7 terminal output
2737               7     command suspend or resume, signal received
2738
2739     ttyin     Raw input from the user's terminal, exactly as it was received.
2740               No post-processing is performed.  For manual viewing, you may
2741               wish to convert carriage return characters in the log to line
2742               feeds.  For example: ‘gunzip -c ttyin | tr "\r" "\n"’
2743
2744     stdin     The standard input when no terminal is present, or input redi‐
2745               rected from a pipe or file.
2746
2747     ttyout    Output from the pseudo-terminal (what the command writes to the
2748               screen).  Note that terminal-specific post-processing is per‐
2749               formed before the data is logged.  This means that, for exam‐
2750               ple, line feeds are usually converted to line feed/carriage
2751               return pairs and tabs may be expanded to spaces.
2752
2753     stdout    The standard output when no terminal is present, or output
2754               redirected to a pipe or file.
2755
2756     stderr    The standard error redirected to a pipe or file.
2757
2758     All files other than log are compressed in gzip format unless the
2759     compress_io flag has been disabled.  Due to buffering, it is not normally
2760     possible to display the I/O logs in real-time as the program is execut‐
2761     ing.  The I/O log data will not be complete until the program run by sudo
2762     has exited or has been terminated by a signal.  The iolog_flush flag can
2763     be used to disable buffering, in which case I/O log data is written to
2764     disk as soon as it is available.  The output portion of an I/O log file
2765     can be viewed with the sudoreplay(8) utility, which can also be used to
2766     list or search the available logs.
2767
2768     Note that user input may contain sensitive information such as passwords
2769     (even if they are not echoed to the screen), which will be stored in the
2770     log file unencrypted.  In most cases, logging the command output via
2771     log_output or LOG_OUTPUT is all that is required.
2772
2773     Since each session's I/O logs are stored in a separate directory, tradi‐
2774     tional log rotation utilities cannot be used to limit the number of I/O
2775     logs.  The simplest way to limit the number of I/O is by setting the
2776     maxseq option to the maximum number of logs you wish to store.  Once the
2777     I/O log sequence number reaches maxseq, it will be reset to zero and
2778     sudoers will truncate and re-use any existing I/O logs.
2779

FILES

2781     /etc/sudo.conf            Sudo front end configuration
2782
2783     /etc/sudoers              List of who can run what
2784
2785     /etc/group                Local groups file
2786
2787     /etc/netgroup             List of network groups
2788
2789     /var/log/sudo-io          I/O log files
2790
2791     /run/sudo/ts              Directory containing time stamps for the
2792                               sudoers security policy
2793
2794     /var/db/sudo/lectured     Directory containing lecture status files for
2795                               the sudoers security policy
2796
2797     /etc/environment          Initial environment for -i mode on AIX and
2798                               Linux systems
2799

EXAMPLES

2801     Below are example sudoers file entries.  Admittedly, some of these are a
2802     bit contrived.  First, we allow a few environment variables to pass and
2803     then define our aliases:
2804
2805     # Run X applications through sudo; HOME is used to find the
2806     # .Xauthority file.  Note that other programs use HOME to find
2807     # configuration files and this may lead to privilege escalation!
2808     Defaults env_keep += "DISPLAY HOME"
2809
2810     # User alias specification
2811     User_Alias      FULLTIMERS = millert, mikef, dowdy
2812     User_Alias      PARTTIMERS = bostley, jwfox, crawl
2813     User_Alias      WEBADMIN = will, wendy, wim
2814
2815     # Runas alias specification
2816     Runas_Alias     OP = root, operator
2817     Runas_Alias     DB = oracle, sybase
2818     Runas_Alias     ADMINGRP = adm, oper
2819
2820     # Host alias specification
2821     Host_Alias      SPARC = bigtime, eclipse, moet, anchor :\
2822                     SGI = grolsch, dandelion, black :\
2823                     ALPHA = widget, thalamus, foobar :\
2824                     HPPA = boa, nag, python
2825     Host_Alias      CUNETS = 128.138.0.0/255.255.0.0
2826     Host_Alias      CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
2827     Host_Alias      SERVERS = primary, mail, www, ns
2828     Host_Alias      CDROM = orion, perseus, hercules
2829
2830     # Cmnd alias specification
2831     Cmnd_Alias      DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
2832                             /usr/sbin/restore, /usr/sbin/rrestore,\
2833                             sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
2834                             /home/operator/bin/start_backups
2835     Cmnd_Alias      KILL = /usr/bin/kill
2836     Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
2837     Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
2838     Cmnd_Alias      HALT = /usr/sbin/halt
2839     Cmnd_Alias      REBOOT = /usr/sbin/reboot
2840     Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
2841                              /usr/local/bin/tcsh, /usr/bin/rsh,\
2842                              /usr/local/bin/zsh
2843     Cmnd_Alias      SU = /usr/bin/su
2844     Cmnd_Alias      PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
2845
2846     Here we override some of the compiled in default values.  We want sudo to
2847     log via syslog(3) using the auth facility in all cases and for commands
2848     to be run with the target user's home directory as the working directory.
2849     We don't want to subject the full time staff to the sudo lecture and we
2850     want to allow them to run commands in a chroot(2) “sandbox” via the -R
2851     option.  User millert need not provide a password and we don't want to
2852     reset the LOGNAME or USER environment variables when running commands as
2853     root.  Additionally, on the machines in the SERVERS Host_Alias, we keep
2854     an additional local log file and make sure we log the year in each log
2855     line since the log entries will be kept around for several years.
2856     Lastly, we disable shell escapes for the commands in the PAGERS
2857     Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).  Note that
2858     this will not effectively constrain users with sudo ALL privileges.
2859
2860     # Override built-in defaults
2861     Defaults                syslog=auth,runcwd=~
2862     Defaults>root           !set_logname
2863     Defaults:FULLTIMERS     !lecture,runchroot=*
2864     Defaults:millert        !authenticate
2865     Defaults@SERVERS        log_year, logfile=/var/log/sudo.log
2866     Defaults!PAGERS         noexec
2867
2868     The User specification is the part that actually determines who may run
2869     what.
2870
2871     root            ALL = (ALL) ALL
2872     %wheel          ALL = (ALL) ALL
2873
2874     We let root and any user in group wheel run any command on any host as
2875     any user.
2876
2877     FULLTIMERS      ALL = NOPASSWD: ALL
2878
2879     Full time sysadmins (millert, mikef, and dowdy) may run any command on
2880     any host without authenticating themselves.
2881
2882     PARTTIMERS      ALL = ALL
2883
2884     Part time sysadmins bostley, jwfox, and crawl) may run any command on any
2885     host but they must authenticate themselves first (since the entry lacks
2886     the NOPASSWD tag).
2887
2888     jack            CSNETS = ALL
2889
2890     The user jack may run any command on the machines in the CSNETS alias
2891     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
2892     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
2893     indicating it is a class C network.  For the other networks in CSNETS,
2894     the local machine's netmask will be used during matching.
2895
2896     lisa            CUNETS = ALL
2897
2898     The user lisa may run any command on any host in the CUNETS alias (the
2899     class B network 128.138.0.0).
2900
2901     operator        ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
2902                     sudoedit /etc/printcap, /usr/oper/bin/
2903
2904     The operator user may run commands limited to simple maintenance.  Here,
2905     those are commands related to backups, killing processes, the printing
2906     system, shutting down the system, and any commands in the directory
2907     /usr/oper/bin/.  Note that one command in the DUMPS Cmnd_Alias includes a
2908     sha224 digest, /home/operator/bin/start_backups.  This is because the
2909     directory containing the script is writable by the operator user.  If the
2910     script is modified (resulting in a digest mismatch) it will no longer be
2911     possible to run it via sudo.
2912
2913     joe             ALL = /usr/bin/su operator
2914
2915     The user joe may only su(1) to operator.
2916
2917     pete            HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
2918
2919     %opers          ALL = (: ADMINGRP) /usr/sbin/
2920
2921     Users in the opers group may run commands in /usr/sbin/ as themselves
2922     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
2923
2924     The user pete is allowed to change anyone's password except for root on
2925     the HPPA machines.  Because command line arguments are matched as a sin‐
2926     gle, concatenated string, the ‘*’ wildcard will match multiple words.
2927     This example assumes that passwd(1) does not take multiple user names on
2928     the command line.  Note that on GNU systems, options to passwd(1) may be
2929     specified after the user argument.  As a result, this rule will also
2930     allow:
2931
2932         passwd username --expire
2933
2934     which may not be desirable.
2935
2936     bob             SPARC = (OP) ALL : SGI = (OP) ALL
2937
2938     The user bob may run anything on the SPARC and SGI machines as any user
2939     listed in the OP Runas_Alias (root and operator.)
2940
2941     jim             +biglab = ALL
2942
2943     The user jim may run any command on machines in the biglab netgroup.
2944     sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
2945
2946     +secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
2947
2948     Users in the secretaries netgroup need to help manage the printers as
2949     well as add and remove users, so they are allowed to run those commands
2950     on all machines.
2951
2952     fred            ALL = (DB) NOPASSWD: ALL
2953
2954     The user fred can run commands as any user in the DB Runas_Alias (oracle
2955     or sybase) without giving a password.
2956
2957     john            ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
2958
2959     On the ALPHA machines, user john may su to anyone except root but he is
2960     not allowed to specify any options to the su(1) command.
2961
2962     jen             ALL, !SERVERS = ALL
2963
2964     The user jen may run any command on any machine except for those in the
2965     SERVERS Host_Alias (primary, mail, www and ns).
2966
2967     jill            SERVERS = /usr/bin/, !SU, !SHELLS
2968
2969     For any machine in the SERVERS Host_Alias, jill may run any commands in
2970     the directory /usr/bin/ except for those commands belonging to the SU and
2971     SHELLS Cmnd_Aliases.  While not specifically mentioned in the rule, the
2972     commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
2973     noexec option set.
2974
2975     steve           CSNETS = (operator) /usr/local/op_commands/
2976
2977     The user steve may run any command in the directory /usr/local/op_com‐
2978     mands/ but only as user operator.
2979
2980     matt            valkyrie = KILL
2981
2982     On his personal workstation, valkyrie, matt needs to be able to kill hung
2983     processes.
2984
2985     WEBADMIN        www = (www) ALL, (root) /usr/bin/su www
2986
2987     On the host www, any user in the WEBADMIN User_Alias (will, wendy, and
2988     wim), may run any command as user www (which owns the web pages) or sim‐
2989     ply su(1) to www.
2990
2991     ALL             CDROM = NOPASSWD: /sbin/umount /CDROM,\
2992                     /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
2993
2994     Any user may mount or unmount a CD-ROM on the machines in the CDROM
2995     Host_Alias (orion, perseus, hercules) without entering a password.  This
2996     is a bit tedious for users to type, so it is a prime candidate for encap‐
2997     sulating in a shell script.
2998

SECURITY NOTES

3000   Limitations of the ‘!’ operator
3001     It is generally not effective to “subtract” commands from ALL using the
3002     ‘!’ operator.  A user can trivially circumvent this by copying the
3003     desired command to a different name and then executing that.  For exam‐
3004     ple:
3005
3006     bill    ALL = ALL, !SU, !SHELLS
3007
3008     Doesn't really prevent bill from running the commands listed in SU or
3009     SHELLS since he can simply copy those commands to a different name, or
3010     use a shell escape from an editor or other program.  Therefore, these
3011     kind of restrictions should be considered advisory at best (and rein‐
3012     forced by policy).
3013
3014     In general, if a user has sudo ALL there is nothing to prevent them from
3015     creating their own program that gives them a root shell (or making their
3016     own copy of a shell) regardless of any ‘!’ elements in the user specifi‐
3017     cation.
3018
3019   Security implications of fast_glob
3020     If the fast_glob option is in use, it is not possible to reliably negate
3021     commands where the path name includes globbing (aka wildcard) characters.
3022     This is because the C library's fnmatch(3) function cannot resolve rela‐
3023     tive paths.  While this is typically only an inconvenience for rules that
3024     grant privileges, it can result in a security issue for rules that sub‐
3025     tract or revoke privileges.
3026
3027     For example, given the following sudoers file entry:
3028
3029     john    ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
3030                   /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3031
3032     User john can still run /usr/bin/passwd root if fast_glob is enabled by
3033     changing to /usr/bin and running ./passwd root instead.
3034
3035   Preventing shell escapes
3036     Once sudo executes a program, that program is free to do whatever it
3037     pleases, including run other programs.  This can be a security issue
3038     since it is not uncommon for a program to allow shell escapes, which lets
3039     a user bypass sudo's access control and logging.  Common programs that
3040     permit shell escapes include shells (obviously), editors, paginators,
3041     mail and terminal programs.
3042
3043     There are two basic approaches to this problem:
3044
3045     restrict  Avoid giving users access to commands that allow the user to
3046               run arbitrary commands.  Many editors have a restricted mode
3047               where shell escapes are disabled, though sudoedit is a better
3048               solution to running editors via sudo.  Due to the large number
3049               of programs that offer shell escapes, restricting users to the
3050               set of programs that do not is often unworkable.
3051
3052     noexec    Many systems that support shared libraries have the ability to
3053               override default library functions by pointing an environment
3054               variable (usually LD_PRELOAD) to an alternate shared library.
3055               On such systems, sudo's noexec functionality can be used to
3056               prevent a program run by sudo from executing any other pro‐
3057               grams.  Note, however, that this applies only to dynamically-
3058               linked executables.  Statically-linked executables and executa‐
3059               bles running under binary emulation are not affected.
3060
3061               The noexec feature is known to work on SunOS, Solaris, *BSD,
3062               Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and
3063               above.  It should be supported on most operating systems that
3064               support the LD_PRELOAD environment variable.  Check your oper‐
3065               ating system's manual pages for the dynamic linker (usually
3066               ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
3067               LD_PRELOAD is supported.
3068
3069               On Solaris 10 and higher, noexec uses Solaris privileges
3070               instead of the LD_PRELOAD environment variable.
3071
3072               To enable noexec for a command, use the NOEXEC tag as docu‐
3073               mented in the User Specification section above.  Here is that
3074               example again:
3075
3076               aaron   shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
3077
3078               This allows user aaron to run /usr/bin/more and /usr/bin/vi
3079               with noexec enabled.  This will prevent those two commands from
3080               executing other commands (such as a shell).  If you are unsure
3081               whether or not your system is capable of supporting noexec you
3082               can always just try it out and check whether shell escapes work
3083               when noexec is enabled.
3084
3085     Note that restricting shell escapes is not a panacea.  Programs running
3086     as root are still capable of many potentially hazardous operations (such
3087     as changing or overwriting files) that could lead to unintended privilege
3088     escalation.  In the specific case of an editor, a safer approach is to
3089     give the user permission to run sudoedit (see below).
3090
3091   Secure editing
3092     The sudoers plugin includes sudoedit support which allows users to
3093     securely edit files with the editor of their choice.  As sudoedit is a
3094     built-in command, it must be specified in the sudoers file without a
3095     leading path.  However, it may take command line arguments just as a nor‐
3096     mal command does.  Wildcards used in sudoedit command line arguments are
3097     expected to be path names, so a forward slash (‘/’) will not be matched
3098     by a wildcard.
3099
3100     Unlike other sudo commands, the editor is run with the permissions of the
3101     invoking user and with the environment unmodified.  More information may
3102     be found in the description of the -e option in sudo(8).
3103
3104     For example, to allow user operator to edit the “message of the day”
3105     file:
3106
3107           operator        sudoedit /etc/motd
3108
3109     The operator user then runs sudoedit as follows:
3110
3111           $ sudoedit /etc/motd
3112
3113     The editor will run as the operator user, not root, on a temporary copy
3114     of /etc/motd.  After the file has been edited, /etc/motd will be updated
3115     with the contents of the temporary copy.
3116
3117     Users should never be granted sudoedit permission to edit a file that
3118     resides in a directory the user has write access to, either directly or
3119     via a wildcard.  If the user has write access to the directory it is pos‐
3120     sible to replace the legitimate file with a link to another file, allow‐
3121     ing the editing of arbitrary files.  To prevent this, starting with ver‐
3122     sion 1.8.16, symbolic links will not be followed in writable directories
3123     and sudoedit will refuse to edit a file located in a writable directory
3124     unless the sudoedit_checkdir option has been disabled or the invoking
3125     user is root.  Additionally, in version 1.8.15 and higher, sudoedit will
3126     refuse to open a symbolic link unless either the sudoedit_follow option
3127     is enabled or the sudoedit command is prefixed with the FOLLOW tag in the
3128     sudoers file.
3129
3130   Time stamp file checks
3131     sudoers will check the ownership of its time stamp directory
3132     (/run/sudo/ts by default) and ignore the directory's contents if it is
3133     not owned by root or if it is writable by a user other than root.  Older
3134     versions of sudo stored time stamp files in /tmp; this is no longer rec‐
3135     ommended as it may be possible for a user to create the time stamp them‐
3136     selves on systems that allow unprivileged users to change the ownership
3137     of files they create.
3138
3139     While the time stamp directory should be cleared at reboot time, not all
3140     systems contain a /run or /var/run directory.  To avoid potential prob‐
3141     lems, sudoers will ignore time stamp files that date from before the
3142     machine booted on systems where the boot time is available.
3143
3144     Some systems with graphical desktop environments allow unprivileged users
3145     to change the system clock.  Since sudoers relies on the system clock for
3146     time stamp validation, it may be possible on such systems for a user to
3147     run sudo for longer than timestamp_timeout by setting the clock back.  To
3148     combat this, sudoers uses a monotonic clock (which never moves backwards)
3149     for its time stamps if the system supports it.
3150
3151     sudoers will not honor time stamps set far in the future.  Time stamps
3152     with a date greater than current_time + 2 * TIMEOUT will be ignored and
3153     sudoers will log and complain.
3154
3155     If the timestamp_type option is set to “tty”, the time stamp record
3156     includes the device number of the terminal the user authenticated with.
3157     This provides per-terminal granularity but time stamp records may still
3158     outlive the user's session.
3159
3160     Unless the timestamp_type option is set to “global”, the time stamp
3161     record also includes the session ID of the process that last authenti‐
3162     cated.  This prevents processes in different terminal sessions from using
3163     the same time stamp record.  On systems where a process's start time can
3164     be queried, the start time of the session leader is recorded in the time
3165     stamp record.  If no terminal is present or the timestamp_type option is
3166     set to “ppid”, the start time of the parent process is used instead.  In
3167     most cases this will prevent a time stamp record from being re-used with‐
3168     out the user entering a password when logging out and back in again.
3169

DEBUGGING

3171     Versions 1.8.4 and higher of the sudoers plugin support a flexible debug‐
3172     ging framework that can help track down what the plugin is doing inter‐
3173     nally if there is a problem.  This can be configured in the sudo.conf(5)
3174     file.
3175
3176     The sudoers plugin uses the same debug flag format as the sudo front-end:
3177     subsystem@priority.
3178
3179     The priorities used by sudoers, in order of decreasing severity, are:
3180     crit, err, warn, notice, diag, info, trace and debug.  Each priority,
3181     when specified, also includes all priorities higher than it.  For exam‐
3182     ple, a priority of notice would include debug messages logged at notice
3183     and higher.
3184
3185     The following subsystems are used by the sudoers plugin:
3186
3187     alias     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
3188
3189     all       matches every subsystem
3190
3191     audit     BSM and Linux audit code
3192
3193     auth      user authentication
3194
3195     defaults  sudoers file Defaults settings
3196
3197     env       environment handling
3198
3199     ldap      LDAP-based sudoers
3200
3201     logging   logging support
3202
3203     match     matching of users, groups, hosts and netgroups in the sudoers
3204               file
3205
3206     netif     network interface handling
3207
3208     nss       network service switch handling in sudoers
3209
3210     parser    sudoers file parsing
3211
3212     perms     permission setting
3213
3214     plugin    The equivalent of main for the plugin.
3215
3216     pty       pseudo-terminal related code
3217
3218     rbtree    redblack tree internals
3219
3220     sssd      SSSD-based sudoers
3221
3222     util      utility functions
3223     For example:
3224
3225     Debug sudo /var/log/sudo_debug match@info,nss@info
3226
3227     For more information, see the sudo.conf(5) manual.
3228

SEE ALSO

3230     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(5),
3231     sudo_plugin(5), sudoers.ldap(5), sudoers_timestamp(5), sudo(8), visudo(8)
3232

AUTHORS

3234     Many people have worked on sudo over the years; this version consists of
3235     code written primarily by:
3236
3237           Todd C. Miller
3238
3239     See the CONTRIBUTORS file in the sudo distribution
3240     (https://www.sudo.ws/contributors.html) for an exhaustive list of people
3241     who have contributed to sudo.
3242

CAVEATS

3244     The sudoers file should always be edited by the visudo utility which
3245     locks the file and checks for syntax errors.  If sudoers contains syntax
3246     errors, sudo may refuse to run, which is a serious problem if sudo is
3247     your only method of obtaining superuser privileges.  Recent versions of
3248     sudoers will attempt to recover after a syntax error by ignoring the rest
3249     of the line after encountering an error.  Older versions of sudo will not
3250     run if sudoers contains a syntax error.
3251
3252     When using netgroups of machines (as opposed to users), if you store
3253     fully qualified host name in the netgroup (as is usually the case), you
3254     either need to have the machine's host name be fully qualified as
3255     returned by the hostname command or use the fqdn option in sudoers.
3256

BUGS

3258     If you feel you have found a bug in sudo, please submit a bug report at
3259     https://bugzilla.sudo.ws/
3260

SUPPORT

3262     Limited free support is available via the sudo-users mailing list, see
3263     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
3264     the archives.
3265

DISCLAIMER

3267     sudo is provided “AS IS” and any express or implied warranties, includ‐
3268     ing, but not limited to, the implied warranties of merchantability and
3269     fitness for a particular purpose are disclaimed.  See the LICENSE file
3270     distributed with sudo or https://www.sudo.ws/license.html for complete
3271     details.
3272
3273Sudo 1.9.5p2                    January 8, 2020                   Sudo 1.9.5p2
Impressum