SUDOERS(5)                    BSD File Formats Manual                   SUDOERS(5)

NAME
     sudoers — default sudo security policy plugin

DESCRIPTION
     The sudoers policy plugin determines a user's sudo privileges. It is the
     default sudo policy plugin. The policy is driven by the /etc/sudoers
     file or, optionally, in LDAP. The policy format is described in detail in
     the SUDOERS FILE FORMAT section. For information on storing sudoers policy
     information in LDAP, please see sudoers.ldap(5).

   Configuring sudo.conf for sudoers
     sudo consults the sudo.conf(5) file to determine which policy and I/O
     logging plugins to load. If no sudo.conf(5) file is present, or if it
     contains no Plugin lines, sudoers will be used for policy decisions and
     I/O logging. To explicitly configure sudo.conf(5) to use the sudoers
     plugin, the following configuration can be used.

           Plugin sudoers_audit sudoers.so
           Plugin sudoers_policy sudoers.so
           Plugin sudoers_io sudoers.so

     Starting with sudo 1.8.5, it is possible to specify optional arguments to
     the sudoers plugin in the sudo.conf(5) file. Plugin arguments, if any,
     should be listed after the path to the plugin (i.e., after sudoers.so).
     The arguments are only effective for the plugin that opens (and parses)
     the sudoers file.

     For sudo version 1.9.1 and higher, this is the sudoers_audit plugin. For
     older versions, it is the sudoers_policy plugin. Multiple arguments may
     be specified, separated by white space. For example:

           Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false

     The following plugin arguments are supported:

     error_recovery=bool
                 The error_recovery argument can be used to control whether
                 sudoers should attempt to recover from syntax errors in the
                 sudoers file. If set to true (the default), sudoers will try
                 to recover from a syntax error by discarding the portion of the
                 line that contains the error until the end of the line. A
                 value of false will disable error recovery. Prior to version
                 1.9.3, no error recovery was performed.

     ldap_conf=pathname
                 The ldap_conf argument can be used to override the default path
                 to the ldap.conf file.

     ldap_secret=pathname
                 The ldap_secret argument can be used to override the default
                 path to the ldap.secret file.

     sudoers_file=pathname
                 The sudoers_file argument can be used to override the default
                 path to the sudoers file.

     sudoers_uid=uid
                 The sudoers_uid argument can be used to override the default
                 owner of the sudoers file. It should be specified as a numeric
                 user-ID.

     sudoers_gid=gid
                 The sudoers_gid argument can be used to override the default
                 group of the sudoers file. It must be specified as a numeric
                 group-ID (not a group name).

     sudoers_mode=mode
                 The sudoers_mode argument can be used to override the default
                 file mode for the sudoers file. It should be specified as an
                 octal value.

     For more information on configuring sudo.conf(5), please refer to its
     manual.

   User Authentication
     The sudoers security policy requires that most users authenticate
     themselves before they can use sudo. A password is not required if the
     invoking user is root, if the target user is the same as the invoking user,
     or if the policy has disabled authentication for the user or command.
     Unlike su(1), when sudoers requires authentication, it validates the
     invoking user's credentials, not the target user's (or root's) credentials.
     This can be changed via the rootpw, targetpw and runaspw flags, described
     later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities. The address used for such
     mail is configurable via the mailto Defaults entry (described later) and
     defaults to root.

     Note that no mail will be sent if an unauthorized user tries to run sudo
     with the -l or -v option unless there is an authentication error and
     either the mail_always or mail_badpass flags are enabled. This allows
     users to determine for themselves whether or not they are allowed to use
     sudo. By default, all attempts to run sudo (successful or not) are
     logged, regardless of whether or not mail is sent.

     If sudo is run by root and the SUDO_USER environment variable is set, the
     sudoers policy will use this value to determine who the actual user is.
     This can be used by a user to log commands through sudo even when a root
     shell has been invoked. It also allows the -e option to remain useful
     even when invoked via a sudo-run script or program. Note, however, that
     the sudoers file lookup is still done for root, not the user specified by
     SUDO_USER.

     sudoers uses per-user time stamp files for credential caching. Once a
     user has been authenticated, a record is written containing the user-ID
     that was used to authenticate, the terminal session ID, the start time of
     the session leader (or parent process) and a time stamp (using a
     monotonic clock if one is available). The user may then use sudo without a
     password for a short period of time (5 minutes unless overridden by the
     timestamp_timeout option). By default, sudoers uses a separate record
     for each terminal, which means that a user's login sessions are
     authenticated separately. The timestamp_type option can be used to select
     the type of time stamp record sudoers will use.

   Logging
     By default, sudoers logs both successful and unsuccessful attempts (as
     well as errors). The log_allowed and log_denied flags can be used to
     control this behavior. Messages can be logged to syslog(3), a log file,
     or both. The default is to log to syslog(3) but this is configurable via
     the syslog and logfile settings. See LOG FORMAT for a description of the
     log file format.

     sudoers is also capable of running a command in a pseudo-terminal and
     logging all input and/or output. The standard input, standard output and
     standard error can be logged even when not associated with a terminal.
     I/O logging is not on by default but can be enabled using the log_input
     and log_output options as well as the LOG_INPUT and LOG_OUTPUT command
     tags. See I/O LOG FILES for details on how I/O log files are stored.

     Starting with version 1.9, the log_servers setting may be used to send
     event and I/O log data to a remote server running sudo_logsrvd or another
     service that implements the protocol described by sudo_logsrv.proto(5).

   Command environment
     Since environment variables can influence program behavior, sudoers
     provides a means to restrict which variables from the user's environment
     are inherited by the command to be run. There are two distinct ways
     sudoers can deal with environment variables.

     By default, the env_reset flag is enabled. This causes commands to be
     executed with a new, minimal environment. On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file. The HOME, MAIL, SHELL, LOGNAME and USER
     environment variables are initialized based on the target user and the
     SUDO_* variables are set based on the invoking user. Additional variables,
     such as DISPLAY, PATH and TERM, are preserved from the invoking user's
     environment if permitted by the env_check or env_keep options. A few
     environment variables are treated specially. If the PATH and TERM variables
     are not preserved from the user's environment, they will be set to
     default values. The LOGNAME and USER are handled as a single entity. If
     one of them is preserved (or removed) from the user's environment, the
     other will be as well. If LOGNAME and USER are to be preserved but only
     one of them is present in the user's environment, the other will be set
     to the same value. This avoids an inconsistent environment where one of
     the variables describing the user name is set to the invoking user and
     one is set to the target user. Environment variables with a value
     beginning with () are removed unless both the name and value parts are
     matched by env_keep or env_check, as they may be interpreted as functions
     by the bash shell. Prior to version 1.8.11, such variables were always
     removed.

     If, however, the env_reset flag is disabled, any variables not explicitly
     denied by the env_check and env_delete options are allowed and their
     values are inherited from the invoking process. Prior to version 1.8.21,
     environment variables with a value beginning with () were always removed.
     Beginning with version 1.8.21, a pattern in env_delete is used to match
     bash shell functions instead. Since it is not possible to block all
     potentially dangerous environment variables, use of the default env_reset
     behavior is encouraged.

     Environment variables specified by env_check, env_delete, or env_keep may
     include one or more ‘*’ characters which will match zero or more
     characters. No other wildcard characters are supported.

     By default, environment variables are matched by name. However, if the
     pattern includes an equal sign (‘=’), both the variable's name and value
     must match. For example, a bash shell function could be matched as
     follows:

           env_keep += "BASH_FUNC_my_func%%=()*"

     Without the “=()*” suffix, this would not match, as bash shell functions
     are not preserved by default.
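
     The pattern rules above (‘*’ as the only wildcard, a name-and-value match
     when the pattern contains ‘=’) together with the env_reset handling of
     LOGNAME/USER, PATH, TERM and ()-prefixed values, as an added example in
     Python that is not part of this manual or of sudo itself. The environment,
     the policy lists, the invoking and target user records and the fallback
     PATH/TERM values are constructed; the ‘%’ and ‘/’ restriction applied to
     env_check matches comes from the env_check option's description in
     SUDOERS OPTIONS.

```python
"""Model of sudoers env_reset filtering and env_keep/env_check pattern matching.

Added example, not sudo's own code: the user records, the policy lists and the
default PATH/TERM values below are constructed for illustration."""
import re

DEFAULT_PATH = "/usr/bin:/bin"   # constructed stand-in for sudoers' built-in default
DEFAULT_TERM = "unknown"         # constructed stand-in


def _pattern_re(pattern):
    # '*' matches zero or more characters; no other wildcard is recognised.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def env_pattern_matches(pattern, name, value):
    """A pattern without '=' matches by name only; with '=' both name and value must match."""
    if "=" in pattern:
        pname, pvalue = pattern.split("=", 1)
        return bool(_pattern_re(pname).match(name) and _pattern_re(pvalue).match(value))
    return bool(_pattern_re(pattern).match(name))


def _listed(patterns, name, value, need_value=False):
    return any(env_pattern_matches(p, name, value)
               for p in patterns if "=" in p or not need_value)


def apply_env_reset(user_env, env_keep, env_check, invoking, target):
    """Return the environment sudoers builds with env_reset enabled.

    user_env:            the invoking user's environment
    env_keep/env_check:  pattern lists from the sudoers Defaults
    invoking/target:     dicts with name, uid, home and shell (constructed)
    """
    new_env = {
        "HOME": target["home"], "SHELL": target["shell"],
        "LOGNAME": target["name"], "USER": target["name"],
        "SUDO_USER": invoking["name"], "SUDO_UID": str(invoking["uid"]),
    }
    preserved = set()
    for name, value in user_env.items():
        if value.startswith("()"):
            # Looks like an exported bash function: only a name-and-value
            # pattern (one containing '=') may preserve it.
            keep = _listed(env_keep + env_check, name, value, need_value=True)
        elif _listed(env_keep, name, value):
            keep = True
        else:
            # env_check preserves a variable only if its value is free of
            # '%' and '/' (from the env_check option's description).
            keep = _listed(env_check, name, value) and not re.search(r"[%/]", value)
        if keep:
            new_env[name] = value
            preserved.add(name)
    # LOGNAME and USER are one entity: if either survives, both do, with the same value.
    if preserved & {"LOGNAME", "USER"}:
        kept = user_env["LOGNAME"] if "LOGNAME" in preserved else user_env["USER"]
        new_env["LOGNAME"] = new_env["USER"] = kept
    # PATH and TERM fall back to defaults when they were not preserved.
    new_env.setdefault("PATH", DEFAULT_PATH)
    new_env.setdefault("TERM", DEFAULT_TERM)
    return new_env


def demo():
    """A constructed invoking-user environment run through a typical policy."""
    user_env = {
        "PATH": "/home/alice/bin:/usr/bin:/bin",
        "TERM": "xterm-256color",
        "DISPLAY": ":0",
        "LD_PRELOAD": "/tmp/hook.so",
        "LANG": "en_US.UTF-8",
        "LC_ALL": "../not-a-locale",
        "BASH_FUNC_my_func%%": "() { echo hello; }",
        "BASH_FUNC_other%%": "() { :; }",
        "USER": "alice",
    }
    env_keep = ["DISPLAY", "TERM", "BASH_FUNC_my_func%%=()*"]
    env_check = ["LANG", "LC_*"]
    invoking = {"name": "alice", "uid": 1000, "home": "/home/alice", "shell": "/bin/bash"}
    target = {"name": "root", "uid": 0, "home": "/root", "shell": "/bin/sh"}
    return apply_env_reset(user_env, env_keep, env_check, invoking, target)
```

     In the demo, LD_PRELOAD and the second bash function are dropped, LC_ALL is
     dropped because its value contains ‘/’, PATH falls back to the default
     because it is not in env_keep, and USER stays root because only the target
     user's value was written.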

     The complete list of environment variables that are preserved or removed,
     as modified by global Defaults parameters in sudoers, is displayed when
     sudo is run by root with the -V option. Please note that the list of
     environment variables to remove varies based on the operating system sudo
     is running on.

     Other sudoers options may influence the command environment, such as
     always_set_home, secure_path, set_logname, and set_home.

     On systems that support PAM where the pam_env module is enabled for sudo,
     variables in the PAM environment may be merged into the environment. If
     a variable in the PAM environment is already present in the user's
     environment, the value will only be overridden if the variable was not
     preserved by sudoers. When env_reset is enabled, variables preserved from
     the invoking user's environment by the env_keep list take precedence over
     those in the PAM environment. When env_reset is disabled, variables
     present in the invoking user's environment take precedence over those in
     the PAM environment unless they match a pattern in the env_delete list.

     Note that the dynamic linker on most operating systems will remove
     variables that can control dynamic linking from the environment of
     set-user-ID executables, including sudo. Depending on the operating system
     this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
     others. These types of variables are removed from the environment before
     sudo even begins execution and, as such, it is not possible for sudo to
     preserve them.

     As a special case, if the -i option (initial login) is specified, sudoers
     will initialize the environment regardless of the value of env_reset.
     The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL,
     USER, and LOGNAME are set based on the target user. On AIX (and Linux
     systems without PAM), the contents of /etc/environment are also included.
     All other environment variables are removed unless permitted by env_keep
     or env_check, described above.

     Finally, the restricted_env_file and env_file files are applied, if
     present. The variables in restricted_env_file are applied first and are
     subject to the same restrictions as the invoking user's environment, as
     detailed above. The variables in env_file are applied last and are not
     subject to these restrictions. In both cases, variables present in the
     files will only be set to their specified values if they would not
     conflict with an existing environment variable.

SUDOERS FILE FORMAT
     The sudoers file is composed of two types of entries: aliases (basically
     variables) and user specifications (which specify who may run what).

     When multiple entries match for a user, they are applied in order. Where
     there are multiple matches, the last match is used (which is not
     necessarily the most specific match).

     The sudoers file grammar will be described below in Extended Backus-Naur
     Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
     simple, and the definitions below are annotated.

   Quick guide to EBNF
     EBNF is a concise and exact way of describing the grammar of a language.
     Each EBNF definition is made up of production rules. E.g.,

           symbol ::= definition | alternate1 | alternate2 ...

     Each production rule references others and thus makes up a grammar for
     the language. EBNF also contains the following operators, which many
     readers will recognize from regular expressions. Do not, however,
     confuse them with “wildcard” characters, which have different meanings.

     ?  Means that the preceding symbol (or group of symbols) is optional.
        That is, it may appear once or not at all.

     *  Means that the preceding symbol (or group of symbols) may appear
        zero or more times.

     +  Means that the preceding symbol (or group of symbols) may appear
        one or more times.

     Parentheses may be used to group symbols together. For clarity, we will
     use single quotes ('') to designate what is a verbatim character string
     (as opposed to a symbol name).

   Aliases
     There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
     Cmnd_Alias. Beginning with sudo 1.9.0, Cmd_Alias may be used in place of
     Cmnd_Alias if desired.

           Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
                     'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
                     'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
                     'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)* |
                     'Cmd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*

           User_Alias ::=  NAME

           User_Alias_Spec ::= User_Alias '=' User_List

           Runas_Alias ::= NAME

           Runas_Alias_Spec ::= Runas_Alias '=' Runas_List

           Host_Alias ::= NAME

           Host_Alias_Spec ::= Host_Alias '=' Host_List

           Cmnd_Alias ::= NAME

           Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List

           NAME ::= [A-Z]([A-Z][0-9]_)*

     Each alias definition is of the form

           Alias_Type NAME = item1, item2, ...

     where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
     Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
     underscore characters (‘_’). A NAME must start with an uppercase letter.
     It is possible to put several alias definitions of the same type on a
     single line, joined by a colon (‘:’). E.g.,

           Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

     It is a syntax error to redefine an existing alias. It is possible to
     use the same name for aliases of different types, but this is not
     recommended.

     The definitions of what constitutes a valid alias member follow.

           User_List ::= User |
                         User ',' User_List

           User ::= '!'* user name |
                    '!'* #uid |
                    '!'* %group |
                    '!'* %#gid |
                    '!'* +netgroup |
                    '!'* %:nonunix_group |
                    '!'* %:#nonunix_gid |
                    '!'* User_Alias

     A User_List is made up of one or more user names, user-IDs (prefixed with
     ‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’
     respectively), netgroups (prefixed with ‘+’), non-Unix group names and
     IDs (prefixed with ‘%:’ and ‘%:#’ respectively) and User_Aliases. Each
     list item may be prefixed with zero or more ‘!’ operators. An odd number
     of ‘!’ operators negate the value of the item; an even number just cancel
     each other out. User netgroups are matched using the user and domain
     members only; the host member is not used when matching.

     A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
     be enclosed in double quotes to avoid the need for escaping special
     characters. Alternately, special characters may be specified in escaped
     hex mode, e.g., \x20 for space. When using double quotes, any prefix
     characters must be included inside the quotes.

     The actual nonunix_group and nonunix_gid syntax depends on the underlying
     group provider plugin. For instance, the QAS AD plugin supports the
     following formats:

     •  Group in the same domain: "%:Group Name"

     •  Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"

     •  Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"

     See GROUP PROVIDER PLUGINS for more information.

     Note that quotes around group names are optional. Unquoted strings must
     use a backslash (‘\’) to escape spaces and special characters. See Other
     special characters and reserved words for a list of characters that need
     to be escaped.

           Runas_List ::= Runas_Member |
                          Runas_Member ',' Runas_List

           Runas_Member ::= '!'* user name |
                            '!'* #uid |
                            '!'* %group |
                            '!'* %#gid |
                            '!'* %:nonunix_group |
                            '!'* %:#nonunix_gid |
                            '!'* +netgroup |
                            '!'* Runas_Alias

     A Runas_List is similar to a User_List except that instead of
     User_Aliases it can contain Runas_Aliases. Note that user names and
     groups are matched as strings. In other words, two users (groups) with
     the same user (group) ID are considered to be distinct. If you wish to
     match all user names with the same user-ID (e.g., root and toor), you can
     use a user-ID instead of a name (#0 in the example given). Note that the
     user-ID or group-ID specified in a Runas_Member need not be listed in the
     password or group database.

           Host_List ::= Host |
                         Host ',' Host_List

           Host ::= '!'* host name |
                    '!'* ip_addr |
                    '!'* network(/netmask)? |
                    '!'* +netgroup |
                    '!'* Host_Alias

     A Host_List is made up of one or more host names, IP addresses, network
     numbers, netgroups (prefixed with ‘+’) and other aliases. Again, the
     value of an item may be negated with the ‘!’ operator. Host netgroups
     are matched using the host (both qualified and unqualified) and domain
     members only; the user member is not used when matching. If you specify
     a network number without a netmask, sudo will query each of the local
     host's network interfaces and, if the network number corresponds to one
     of the host's network interfaces, will use the netmask of that
     interface. The netmask may be specified either in standard IP address
     notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
     (number of bits, e.g., 24 or 64). A host name may include shell-style
     wildcards (see the Wildcards section below), but unless the host name
     command on your machine returns the fully qualified host name, you'll
     need to use the fqdn flag for wildcards to be useful. Note that sudo
     only inspects actual network interfaces; this means that IP address
     127.0.0.1 (localhost) will never match. Also, the host name “localhost”
     will only match if that is the actual host name, which is usually only
     the case for non-networked systems.
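
     The Host matching rules just described (exact address, network with a
     CIDR or dotted netmask, bare network number taking the interface's mask,
     wildcarded host names), as an added Python example rather than sudo's own
     code. The interface addresses are constructed and the loopback address is
     deliberately not among them, which is why 127.0.0.1 cannot match; the
     hostname argument stands for the name sudo compares against (what
     hostname(1) returns, or the fully qualified name when the fqdn flag is
     set). IPv6 masks are accepted only in CIDR form here, an assumption of
     the example.

```python
"""Model of Host_List member matching (added example, not sudo's own code).

The interface list is constructed; sudo reads the real interfaces and, as the
text notes, the loopback address is not among the ones it considers."""
import fnmatch
import ipaddress

# Constructed: addresses sudo would find on the local host's interfaces.
INTERFACES = ["192.168.1.10/24", "10.0.5.7/16", "2001:db8:1::5/64"]


def host_entry_matches(entry, hostname, interfaces=INTERFACES):
    """Return True if one Host entry matches this host.

    entry:     host name (shell-style wildcards allowed), IP address,
               network/netmask (CIDR bits or dotted mask) or bare network number
    hostname:  the name sudo compares against: the output of hostname(1), or
               the fully qualified name when the fqdn flag is set
    """
    ifaces = [ipaddress.ip_interface(i) for i in interfaces]
    if "/" in entry:
        # Explicit netmask: a CIDR prefix, or dotted notation for IPv4
        # (the ipaddress module only takes prefix lengths for IPv6; assumption).
        net = ipaddress.ip_network(entry, strict=False)
        return any(i.ip in net for i in ifaces)
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        # Not an address: a host name pattern, compared case-insensitively.
        return fnmatch.fnmatchcase(hostname.lower(), entry.lower())
    if any(i.ip == addr for i in ifaces):
        return True
    # Bare network number: use the netmask of the interface on that network,
    # i.e. match when the interface's network address equals the entry.
    return any(i.network.network_address == addr for i in ifaces)
```

     The bare-network case is the one worth checking on a real host: whether
     192.168.1.0 matches depends entirely on the mask configured on the
     interface, not on anything written in sudoers.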

           digest ::= [A-Fa-f0-9]+ |
                      [A-Za-z0-9\+/=]+

           Digest_Spec ::= "sha224" ':' digest |
                           "sha256" ':' digest |
                           "sha384" ':' digest |
                           "sha512" ':' digest

           Digest_List ::= Digest_Spec |
                           Digest_Spec ',' Digest_List

           Cmnd_List ::= Cmnd |
                         Cmnd ',' Cmnd_List

           command name ::= file name |
                            file name args |
                            file name '""'

           Edit_Spec ::= "sudoedit" file name+

           Cmnd ::= Digest_List? '!'* command name |
                    '!'* directory |
                    '!'* Edit_Spec |
                    '!'* Cmnd_Alias

     A Cmnd_List is a list of one or more command names, directories, and
     other aliases. A command name is a fully qualified file name which may
     include shell-style wildcards (see the Wildcards section below). A
     simple file name allows the user to run the command with any arguments
     they wish. However, you may also specify command line arguments
     (including wildcards). Alternately, you can specify "" to indicate that
     the command may only be run without command line arguments. A directory
     is a fully qualified path name ending in a ‘/’. When you specify a
     directory in a Cmnd_List, the user will be able to run any file within
     that directory (but not in any sub-directories therein).

     If a Cmnd has associated command line arguments, then the arguments in
     the Cmnd must match exactly those given by the user on the command line
     (or match the wildcards if there are any). Note that the following
     characters must be escaped with a ‘\’ if they are used in command
     arguments: ‘,’, ‘:’, ‘=’, ‘\’. The built-in command “sudoedit” is used to
     permit a user to run sudo with the -e option (or as sudoedit). It may
     take command line arguments just as a normal command does. Note that
     “sudoedit” is a command built into sudo itself and must be specified in
     the sudoers file without a leading path. If a leading path is present,
     for example /usr/bin/sudoedit, the path name will be silently converted
     to “sudoedit”. A fully-qualified path for sudoedit is treated as an error
     by visudo.

     A command name may be preceded by a Digest_List, a comma-separated list
     of one or more Digest_Spec entries. If a Digest_List is present, the
     command will only match successfully if it can be verified using one of
     the SHA-2 digests in the list. Starting with version 1.9.0, the ALL
     reserved word can be used in conjunction with a Digest_List. The
     following digest formats are supported: sha224, sha256, sha384 and
     sha512. The string may be specified in either hex or base64 format
     (base64 is more compact). There are several utilities capable of
     generating SHA-2 digests in hex format such as openssl, shasum,
     sha224sum, sha256sum, sha384sum, sha512sum.

     For example, using openssl:

           $ openssl dgst -sha224 /bin/ls
           SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25

     It is also possible to use openssl to generate base64 output:

           $ openssl dgst -binary -sha224 /bin/ls | openssl base64
           EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==

     Warning, if the user has write access to the command itself (directly or
     via a sudo command), it may be possible for the user to replace the
     command after the digest check has been performed but before the command
     is executed. A similar race condition exists on systems that lack the
     fexecve() system call when the directory in which the command is located
     is writable by the user. See the description of the fdexec setting for
     more information on how sudo executes commands that have an associated
     digest.

     Command digests are only supported by version 1.8.7 or higher.
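
     Generating and checking Digest_Spec values in hex and base64, as an added
     Python example that is not sudo's code. The verification hashes an
     already-open file descriptor rather than a path, the same idea behind the
     fexecve() discussion above, and the demo then appends to the file to show
     that the recorded digests no longer match; the script content and file
     name are constructed.

```python
"""Generate and verify sudoers Digest_Spec values (added example, not sudo's own code).

The sample script content and file names are constructed. verify_digest_list()
works on an open descriptor so the caller could hand that same descriptor to
fexecve() instead of re-opening the path after the check."""
import base64
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("sha224", "sha256", "sha384", "sha512")


def digest_spec(path, algorithm="sha224", encoding="hex"):
    """Return "algorithm:digest" for path, in hex (as shasum/openssl print) or base64."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported digest type {algorithm!r}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    raw = h.digest()
    digest = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode("ascii")
    return f"{algorithm}:{digest}"


def parse_digest_spec(spec):
    """Split one Digest_Spec into (algorithm, raw_bytes), accepting hex or base64."""
    algorithm, sep, digest = spec.strip().partition(":")
    if not sep or algorithm not in ALGORITHMS:
        raise ValueError(f"malformed Digest_Spec {spec!r}")
    size = hashlib.new(algorithm).digest_size
    # Hex is exactly 2*size characters; the base64 form is always shorter.
    if len(digest) == 2 * size:
        raw = bytes.fromhex(digest)
    else:
        raw = base64.b64decode(digest, validate=True)
    if len(raw) != size:
        raise ValueError(f"digest length does not match {algorithm}")
    return algorithm, raw


def verify_digest_list(fd, digest_list):
    """True if the file open on fd matches any Digest_Spec in a comma-separated Digest_List."""
    specs = [parse_digest_spec(s) for s in digest_list.split(",")]
    os.lseek(fd, 0, os.SEEK_SET)
    data = b"".join(iter(lambda: os.read(fd, 65536), b""))
    return any(hmac.compare_digest(hashlib.new(alg, data).digest(), raw)
               for alg, raw in specs)


def demo():
    """Write a constructed script, record its digests, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "backup.sh")
        with open(script, "wb") as f:
            f.write(b"#!/bin/sh\ntar czf /var/backups/etc.tgz /etc\n")
        hex_spec = digest_spec(script, "sha224")
        b64_spec = digest_spec(script, "sha256", encoding="base64")
        digest_list = f"{hex_spec}, {b64_spec}"
        fd = os.open(script, os.O_RDONLY)
        try:
            before = verify_digest_list(fd, digest_list)
        finally:
            os.close(fd)
        # Replace the command after the digests were recorded: the race the text warns about.
        with open(script, "ab") as f:
            f.write(b"cat /etc/shadow\n")
        fd = os.open(script, os.O_RDONLY)
        try:
            after = verify_digest_list(fd, digest_list)
        finally:
            os.close(fd)
        return {"hex_spec": hex_spec, "b64_spec": b64_spec,
                "matches_before": before, "matches_after": after}
```

     The two /bin/ls values printed by openssl above decode to the same 28
     bytes, which parse_digest_spec() makes easy to confirm; a digest of the
     wrong length for its algorithm is rejected rather than silently compared.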

   Defaults
     Certain configuration options may be changed from their default values at
     run-time via one or more Default_Entry lines. These may affect all users
     on any host, all users on a specific host, a specific user, a specific
     command, or commands being run as a specific user. Note that per-command
     entries may not include command line arguments. If you need to specify
     arguments, define a Cmnd_Alias and reference that instead.

           Default_Type ::= 'Defaults' |
                            'Defaults' '@' Host_List |
                            'Defaults' ':' User_List |
                            'Defaults' '!' Cmnd_List |
                            'Defaults' '>' Runas_List

           Default_Entry ::= Default_Type Parameter_List

           Parameter_List ::= Parameter |
                              Parameter ',' Parameter_List

           Parameter ::= Parameter '=' Value |
                         Parameter '+=' Value |
                         Parameter '-=' Value |
                         '!'* Parameter

     Parameters may be flags, integer values, strings, or lists. Flags are
     implicitly boolean and can be turned off via the ‘!’ operator. Some
     integer, string and list parameters may also be used in a boolean context
     to disable them. Values may be enclosed in double quotes ("") when they
     contain multiple words. Special characters may be escaped with a
     backslash (‘\’).

     To include a literal backslash character in a command line argument you
     must escape the backslash twice. For example, to match ‘\n’ as part of a
     command line argument, you must use ‘\\\\n’ in the sudoers file. This is
     due to there being two levels of escaping, one in the sudoers parser
     itself and another when command line arguments are matched by the
     fnmatch(3) function.
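
     The two-level escaping described in the paragraph above, applied to the
     Cmnd_List matching rules from the previous section (argument patterns,
     "" for no arguments, directories), as an added Python example that is
     not sudo's matcher. It models the user's arguments as one space-separated
     string matched against the pattern (an assumption of the example, and the
     reason a trailing ‘*’ in the last test also accepts extra arguments), and
     its second-level matcher treats a backslash as an escape the way
     fnmatch(3) does; the commands and arguments are constructed.

```python
"""Model of Cmnd matching with both escaping levels (added example, not sudo's own code).

Assumptions: the user's arguments are joined with single spaces and matched as
one string; the glob matcher treats '\\' as an escape like fnmatch(3)."""
import re

# Level 1: the sudoers parser removes the backslash from the characters it reserves.
_RESERVED_ESCAPE = re.compile(r"\\([\\,:=])")


def sudoers_unescape(text):
    return _RESERVED_ESCAPE.sub(r"\1", text)


def glob_to_regex(glob):
    """Level 2: fnmatch-style pattern with '\\' escaping, '*', '?' and [...] classes."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == "\\" and i + 1 < len(glob):
            out.append(re.escape(glob[i + 1]))   # escaped character is literal
            i += 2
            continue
        if c == "*":
            out.append(".*")                     # also spans the spaces between arguments
        elif c == "?":
            out.append(".")
        elif c == "[" and (close := glob.find("]", i + 2)) != -1:
            body = glob[i + 1:close]
            body = "^" + body[1:] if body.startswith("!") else body
            out.append("[" + body.replace("\\", "\\\\") + "]")
            i = close + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def split_cmnd(entry):
    """Split a Cmnd into (path, args): args is None (any), "" (none) or a pattern."""
    path, _, args = entry.strip().partition(" ")
    args = args.strip()
    if args == "":
        return path, None
    if args == '""':
        return path, ""
    return path, args


def cmnd_matches(entry, path, argv):
    """Does the command the user ran (path + argv) match one sudoers Cmnd entry?"""
    spec_path, spec_args = split_cmnd(entry)
    if spec_path.endswith("/"):
        # Directory: any file directly inside it, not in sub-directories.
        rest = path[len(spec_path):]
        return path.startswith(spec_path) and rest != "" and "/" not in rest
    if not glob_to_regex(sudoers_unescape(spec_path)).match(path):
        return False
    if spec_args is None:
        return True
    user_args = " ".join(argv)
    if spec_args == "":
        return user_args == ""
    return glob_to_regex(sudoers_unescape(spec_args)).match(user_args) is not None
```

     In the sudoers text ‘\\\\n’ becomes ‘\\n’ after the parser and then a
     literal backslash followed by n in the glob, whereas a single ‘\\n’ reaches
     the glob as ‘\n’ and matches a plain n. Note also that, in this model, a
     pattern such as /bin/ls -l /var/log/* accepts extra arguments after the
     wildcard, which is why argument wildcards deserve care.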

     Lists have two additional assignment operators, += and -=. These
     operators are used to add to and delete from a list respectively. It is
     not an error to use the -= operator to remove an element that does not
     exist in a list.

     Defaults entries are parsed in the following order: generic, host, user
     and runas Defaults first, then command defaults. If there are multiple
     Defaults settings of the same type, the last matching setting is used.
     The following Defaults settings are parsed before all others since they
     may affect subsequent entries: fqdn, group_plugin, runas_default,
     sudoers_locale.

     See SUDOERS OPTIONS for a list of supported Defaults parameters.

   User specification
           User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                         (':' Host_List '=' Cmnd_Spec_List)*

           Cmnd_Spec_List ::= Cmnd_Spec |
                              Cmnd_Spec ',' Cmnd_Spec_List

           Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd

           Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

           Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)

           SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

           Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')

           Timeout_Spec ::= 'TIMEOUT=timeout'

           Chdir_Spec ::= 'CWD=directory'

           Chroot_Spec ::= 'CHROOT=directory'

           Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW:' |
                         'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
                         'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'INTERCEPT:' |
                         'NOINTERCEPT:' | 'PASSWD:' | 'NOPASSWD:' | 'SETENV:' |
                         'NOSETENV:')

     A user specification determines which commands a user may run (and as
     what user) on specified hosts. By default, commands are run as root, but
     this can be changed on a per-command basis.

     The basic structure of a user specification is “who where = (as_whom)
     what”. Let's break that down into its constituent parts:

   Runas_Spec
     A Runas_Spec determines the user and/or the group that a command may be
     run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
     defined above) separated by a colon (‘:’) and enclosed in a set of
     parentheses. The first Runas_List indicates which users the command may
     be run as via the -u option. The second defines a list of groups that may
     be specified via the -g option (in addition to any of the target user's
     groups). If both Runas_Lists are specified, the command may be run with
     any combination of users and groups listed in their respective
     Runas_Lists. If only the first is specified, the command may be run as
     any user in the list and, optionally, with any group the target user
     belongs to. If the first Runas_List is empty but the second is
     specified, the command may be run as the invoking user with the group set
     to any listed in the Runas_List. If both Runas_Lists are empty, the
     command may only be run as the invoking user and the group, if specified,
     must be one that the invoking user is a member of. If no Runas_Spec is
     specified, the command may only be run as root and the group, if
     specified, must be one that root is a member of.

     A Runas_Spec sets the default for the commands that follow it. What this
     means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
     boulder—but only as operator. E.g.,

           $ sudo -u operator /bin/ls

     It is also possible to override a Runas_Spec later on in an entry. If we
     modify the entry like so:

           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
     and /usr/bin/lprm as root.

     We can extend this to allow dgb to run /bin/ls with either the user or
     group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
               /usr/bin/lprm

     Note that while the group portion of the Runas_Spec permits the user to
     run a command with that group, it does not force the user to do so. If
     no group is specified on the command line, the command will run with the
     group listed in the target user's password database entry. The following
     would all be permitted by the sudoers entry above:

           $ sudo -u operator /bin/ls
           $ sudo -u operator -g operator /bin/ls
           $ sudo -g operator /bin/ls

     In the following example, user tcm may run commands that access a modem
     device file with the dialer group.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
               /usr/local/bin/minicom

     Note that in this example only the group will be set, the command still
     runs as user tcm. E.g.

           $ sudo -g dialer /usr/bin/cu

     Multiple users and groups may be present in a Runas_Spec, in which case
     the user may select any combination of users and groups via the -u and -g
     options. In this example:

           alan ALL = (root, bin : operator, system) ALL

     user alan may run any command as either user root or bin, optionally
     setting the group to operator or system.
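
     The Runas_Spec rules from the start of this subsection, checked against
     the dgb, tcm and alan entries above, as an added Python example that is
     not sudo's matcher. The group database is constructed; ‘!’ negation and
     aliases are omitted, ALL is treated as the wildcard, a group given with
     -g is also accepted when the target user already belongs to it (the “in
     addition to any of the target user's groups” rule, applied in every
     case), and -g without -u runs the command as the invoking user, as the
     tcm example shows.

```python
"""Model of the Runas_Spec rules described in the text (added example, not sudo's own code).

Assumptions: '!' negation and aliases are left out; ALL is the reserved wildcard;
a group named with -g is also accepted when the target user already belongs to it;
"sudo -g group" without -u runs the command as the invoking user."""

# Constructed group database: user -> groups the user belongs to.
GROUPS = {
    "root": ["root", "wheel"],
    "operator": ["operator"],
    "dgb": ["dgb"],
    "tcm": ["tcm", "dialout"],
    "alan": ["alan"],
    "bin": ["bin"],
}


def groups_of(user):
    return GROUPS.get(user, [])


def _listed(item, runas_list):
    return "ALL" in runas_list or item in runas_list


def runas_allowed(spec, invoking_user, run_user=None, run_group=None, groups_of=groups_of):
    """Decide whether 'sudo -u run_user -g run_group' is permitted by one Runas_Spec.

    spec: None when the entry has no Runas_Spec; otherwise (users, groups) where
          users is the first Runas_List ([] when left empty) and groups the
          second (None when absent).
    Returns (allowed, user the command would run as)."""
    users, groups = (["root"], None) if spec is None else spec
    # Empty first list: the command runs as the invoking user; otherwise root.
    default_user = invoking_user if not users else "root"
    users = users or [invoking_user]
    if run_user is not None:
        target = run_user
    elif run_group is not None:
        target = invoking_user          # -g alone keeps the invoking user
    else:
        target = default_user
    # The user list is checked unless only -g was given.
    if (run_user is not None or run_group is None) and not _listed(target, users):
        return False, None
    if run_group is not None:
        listed = groups is not None and _listed(run_group, groups)
        member_of = groups_of(run_user if run_user is not None else default_user)
        if not listed and run_group not in member_of:
            return False, None
    return True, target
```

     With the first dgb entry, a plain sudo /bin/ls is refused because the
     default target (root) is not in the Runas_List, which is exactly why the
     text shows the -u operator form.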

   Option_Spec
     A Cmnd may have zero or more options associated with it. Options may
     consist of SELinux roles and/or types, start and/or end dates, command
     timeouts, and a working directory or root directory for the command.
     Once an option is set for a Cmnd, subsequent Cmnds in the Cmnd_Spec_List
     inherit that option unless it is overridden by another option. Note that
     the option names are reserved words in sudoers. This means that none of
     the valid option names (see below) can be used when declaring an alias.

   SELinux_Spec
     On systems with SELinux support, sudoers file entries may optionally have
     an SELinux role and/or type associated with a command. This can be used
     to implement a form of role-based access control (RBAC). If a role or
     type is specified with the command it will override any default values
     specified in sudoers. A role or type specified on the command line,
     however, will supersede the values in sudoers.

   Date_Spec
     sudoers rules can be specified with a start and end date via the
     NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
     Generalized Time as defined by RFC 4517. The format is effectively
     yyyymmddHHMMSSZ where the minutes and seconds are optional. The ‘Z’
     suffix indicates that the time stamp is in Coordinated Universal Time
     (UTC). It is also possible to specify a timezone offset from UTC in hours
     and minutes instead of a ‘Z’. For example, ‘-0500’ would correspond to
     Eastern Standard Time in the US. As an extension, if no ‘Z’ or timezone
     offset is specified, local time will be used.

     The following are all valid time stamps:

           20170214083000Z
           2017021408Z
           20160315220000-0500
           20151201235900

   Timeout_Spec
     A command may have a timeout associated with it. If the timeout expires
     before the command has exited, the command will be terminated. The
     timeout may be specified in combinations of days, hours, minutes and
     seconds with a single-letter case-insensitive suffix that indicates the
     unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes and
     10 seconds would be written as 7d8h30m10s. If a number is specified
     without a unit, seconds are assumed. Any of the days, minutes, hours or
     seconds may be omitted. The order must be from largest to smallest unit
     and a unit may not be specified more than once.

     The following are all valid timeout values: 7d8h30m10s, 14d, 8h30m, 600s,
     3600. The following are invalid timeout values: 12m2w1d, 30s10m4h,
     1d2d3h.

     This setting is only supported by version 1.8.20 or higher.
699
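A Python parser for the Timeout_Spec rules above, added here as an example and not taken from sudo: it enforces the largest-to-smallest unit order, rejects repeated units and unknown suffixes, and reproduces the manual's valid and invalid lists. Function names are this example's own.

```python
import re

# Unit suffixes in the only order sudoers accepts: largest to smallest.
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_ORDER = "dhms"


def parse_timeout(spec: str) -> int:
    """Parse a sudoers Timeout_Spec into a number of seconds.

    Rules from the manual: suffixes d/h/m/s are case-insensitive, a bare
    number means seconds, any unit may be omitted, units must appear from
    largest to smallest, and no unit may appear more than once. Anything
    else raises ValueError.
    """
    spec = spec.strip().lower()
    if not spec:
        raise ValueError("empty timeout")
    if spec.isdigit():
        return int(spec)
    parts = re.findall(r"(\d+)([a-z])", spec)
    # Every character must belong to a number+suffix pair.
    if "".join(n + u for n, u in parts) != spec:
        raise ValueError(f"malformed timeout: {spec!r}")
    total = 0
    last_rank = -1
    for number, unit in parts:
        if unit not in _UNITS:
            raise ValueError(f"unknown unit {unit!r} in {spec!r}")
        rank = _ORDER.index(unit)
        if rank <= last_rank:  # repeated unit, or smaller unit before larger
            raise ValueError(f"units repeated or out of order in {spec!r}")
        last_rank = rank
        total += int(number) * _UNITS[unit]
    return total


def is_valid_timeout(spec: str) -> bool:
    """True if sudoers would accept the timeout value."""
    try:
        parse_timeout(spec)
        return True
    except ValueError:
        return False
```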
700 Chdir_Spec
701 The working directory that the command will be run in can be specified
702 using the CWD setting. The directory must be a fully-qualified path name
703 beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
704 of “*” indicates that the user may specify the working directory by run‐
705 ning sudo with the -D option. By default, commands are run from the in‐
706 voking user's current working directory, unless the -i option is given.
707 Path names of the form ~user/path/name are interpreted as being relative
708 to the named user's home directory. If the user name is omitted, the
709 path will be relative to the runas user's home directory.
710
711 This setting is only supported by version 1.9.3 or higher.
712
713 Chroot_Spec
714 The root directory that the command will be run in can be specified using
715 the CHROOT setting. The directory must be a fully-qualified path name
716 beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
717 of “*” indicates that the user may specify the root directory by running
718 sudo with the -R option. This setting can be used to run the command in
719 a chroot(2) “sandbox” similar to the chroot(8) utility. Path names of
720 the form ~user/path/name are interpreted as being relative to the named
721 user's home directory. If the user name is omitted, the path will be
722 relative to the runas user's home directory.
723
724 This setting is only supported by version 1.9.3 or higher.
725
726 Tag_Spec
727 A command may have zero or more tags associated with it. The following
728 tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
729 NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, INTERCEPT,
730 NOINTERCEPT, PASSWD, NOPASSWD, SETENV, and NOSETENV. Once a tag is set
731 on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
732 it is overridden by the opposite tag (in other words, PASSWD overrides
733 NOPASSWD and NOEXEC overrides EXEC).
734
735 EXEC and NOEXEC
736
737 If sudo has been compiled with noexec support and the underlying oper‐
738 ating system supports it, the NOEXEC tag can be used to prevent a dy‐
739 namically-linked executable from running further commands itself.
740
741 In the following example, user aaron may run /usr/bin/more and
742 /usr/bin/vi but shell escapes will be disabled.
743
744 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
745
746 See the Preventing shell escapes section below for more details on how
747 NOEXEC works and whether or not it will work on your system.
748
749 FOLLOW and NOFOLLOW

Starting with version 1.8.15, sudoedit will not open
750 a file that is a symbolic link unless the sudoedit_follow flag is en‐
751 abled. The FOLLOW and NOFOLLOW tags override the value of
752 sudoedit_follow and can be used to permit (or deny) the editing of sym‐
753 bolic links on a per-command basis. These tags are only effective for
754 the sudoedit command and are ignored for all other commands.
755
756 LOG_INPUT and NOLOG_INPUT
757
758 These tags override the value of the log_input flag on a per-command
759 basis. For more information, see the description of log_input in the
760 SUDOERS OPTIONS section below.
761
762 LOG_OUTPUT and NOLOG_OUTPUT
763
764 These tags override the value of the log_output flag on a per-command
765 basis. For more information, see the description of log_output in the
766 SUDOERS OPTIONS section below.
767
768 MAIL and NOMAIL
769
770 These tags provide fine-grained control over whether mail will be sent
771 when a user runs a command by overriding the value of the
772 mail_all_cmnds flag on a per-command basis. They have no effect when
773 sudo is run with the -l or -v options. A NOMAIL tag will also override
774 the mail_always and mail_no_perms options. For more information, see
775 the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
776 the SUDOERS OPTIONS section below.
777
778 PASSWD and NOPASSWD
779
780 By default, sudo requires that a user authenticate him or herself be‐
781 fore running a command. This behavior can be modified via the NOPASSWD
782 tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the com‐
783 mands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag
784 can be used to reverse things. For example:
785
786 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
787
788 would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
789 as root on the machine “rushmore” without authenticating himself. If
790 we only want ray to be able to run /bin/kill without a password the en‐
791 try would be:
792
793 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
794
795 Note, however, that the PASSWD tag has no effect on users who are in
796 the group specified by the exempt_group setting.
797
798 By default, if the NOPASSWD tag is applied to any of a user's entries
799 for the current host, the user will be able to run “sudo -l” without a
800 password. Additionally, a user may only run “sudo -v” without a pass‐
801 word if all of the user's entries for the current host have the
802 NOPASSWD tag. This behavior may be overridden via the verifypw and
803 listpw options.
804
805 SETENV and NOSETENV
806
807 These tags override the value of the setenv flag on a per-command ba‐
808 sis. Note that if SETENV has been set for a command, the user may dis‐
809 able the env_reset flag from the command line via the -E option. Addi‐
810 tionally, environment variables set on the command line are not subject
811 to the restrictions imposed by env_check, env_delete, or env_keep. As
812 such, only trusted users should be allowed to set variables in this
813 manner. If the command matched is ALL, the SETENV tag is implied for
814 that command; this default may be overridden by use of the NOSETENV
815 tag.
816
817 INTERCEPT and NOINTERCEPT
818
819 If sudo has been compiled with intercept support and the underlying op‐
820 erating system supports it, the INTERCEPT tag can be used to cause pro‐
821 grams spawned by a command to be validated against sudoers and logged
822 just like they would be if run through sudo directly. This is useful
823 in conjunction with commands that allow shell escapes such as editors,
824 shells and paginators.
825
826 In the following example, user chuck may run any command on the machine
827 “research” in intercept mode.
828
829 chuck research = INTERCEPT: ALL
830
831 See the Preventing shell escapes section below for more details on how
832 INTERCEPT works and whether or not it will work on your system.
833
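The tag inheritance described in this section (NOPASSWD and PASSWD in the ray examples, NOEXEC in the aaron example, INTERCEPT for chuck, and the SETENV implied by ALL), worked through by a small Python expander. This is an added example, not sudo's parser: it splits on ‘,’ and ‘:’ without handling sudoers escapes, Runas_Spec, Option_Spec or ‘!’ negation, so it serves as an audit aid for simple Cmnd_Spec_Lists only.

```python
# Tags come in opposite pairs: setting one clears the other.
_TAG_PAIRS = [("EXEC", "NOEXEC"), ("FOLLOW", "NOFOLLOW"),
              ("LOG_INPUT", "NOLOG_INPUT"), ("LOG_OUTPUT", "NOLOG_OUTPUT"),
              ("MAIL", "NOMAIL"), ("INTERCEPT", "NOINTERCEPT"),
              ("PASSWD", "NOPASSWD"), ("SETENV", "NOSETENV")]
_OPPOSITE = {}
for _a, _b in _TAG_PAIRS:
    _OPPOSITE[_a] = _b
    _OPPOSITE[_b] = _a


def parse_cmnd_spec_list(spec_list: str):
    """Expand a Cmnd_Spec_List into (command, effective tag set) pairs.

    A tag stays in force for every following command in the list until the
    opposite tag replaces it. A command of ALL implies SETENV unless
    NOSETENV is in force. Escapes, Runas_Spec, Option_Spec and '!' are
    not handled (simplified tokenizer, this example's own).
    """
    result = []
    active = set()
    for item in spec_list.split(","):
        item = item.strip()
        # Any number of "TAG:" prefixes may precede the command.
        while ":" in item:
            tag, rest = item.split(":", 1)
            tag = tag.strip().upper()
            if tag not in _OPPOSITE:
                break  # not a tag; the colon belongs to the command
            active.discard(_OPPOSITE[tag])
            active.add(tag)
            item = rest.strip()
        tags = set(active)
        if item == "ALL" and "NOSETENV" not in tags:
            tags.add("SETENV")
        result.append((item, tags))
    return result


def commands_without_password(spec_list: str):
    """Commands in the list that run without authentication, which is the
    question an auditor usually asks of a NOPASSWD line."""
    return [cmnd for cmnd, tags in parse_cmnd_spec_list(spec_list)
            if "NOPASSWD" in tags]
```

Running it on the two ray lines shows the difference the manual describes: the first grants all three commands without a password, the second only /bin/kill.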
834 Wildcards
835 sudo allows shell-style wildcards (aka meta or glob characters) to be
836 used in host names, path names and command line arguments in the sudoers
837 file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
838 as specified by IEEE Std 1003.1 (“POSIX.1”).
839
840 * Matches any set of zero or more characters (including white
841 space).
842
843 ? Matches any single character (including white space).
844
845 [...] Matches any character in the specified range.
846
847 [!...] Matches any character not in the specified range.
848
849 \x For any character ‘x’, evaluates to ‘x’. This is used to es‐
850 cape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
851
852 Note that these are not regular expressions. Unlike a regular expression
853 there is no way to match one or more characters within a range.
854
855 Character classes may be used if your system's glob(3) and fnmatch(3)
856 functions support them. However, because the ‘:’ character has special
857 meaning in sudoers, it must be escaped. For example:
858
859 /bin/ls [[\:alpha\:]]*
860
861 Would match any file name beginning with a letter.
862
863 Note that a forward slash (‘/’) will not be matched by wildcards used in
864 the file name portion of the command. This is to make a path like:
865
866 /usr/bin/*
867
868 match /usr/bin/who but not /usr/bin/X11/xterm.
869
870 When matching the command line arguments, however, a slash does get
871 matched by wildcards since command line arguments may contain arbitrary
872 strings and not just path names.
873
874 Wildcards in command line arguments should be used with care.
875 Command line arguments are matched as a single, concatenated string.
876 This means a wildcard character such as ‘?’ or ‘*’ will match across word
877 boundaries, which may be unexpected. For example, while a sudoers entry
878 like:
879
880 %operator ALL = /bin/cat /var/log/messages*
881
882 will allow a command like:
883
884 $ sudo cat /var/log/messages.1
885
886 it will also allow:
887
888 $ sudo cat /var/log/messages /etc/shadow
889
890 which is probably not what was intended. In most cases it is better to
891 do command line processing outside of the sudoers file in a scripting
892 language.
893
894 Exceptions to wildcard rules
895 The following exceptions apply to the above rules:
896
897 "" If the empty string "" is the only command line argument in the
898 sudoers file entry it means that command is not allowed to be
899 run with any arguments.
900
901 sudoedit Command line arguments to the sudoedit built-in command should
902 always be path names, so a forward slash (‘/’) will not be
903 matched by a wildcard.
904
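To see what the wildcard rules above and the exceptions just listed actually permit, here is an added Python model of the two different wildcard treatments; it is not sudo's own matching code. The command path is matched component by component, so a wildcard never crosses ‘/’ (the /usr/bin/* case), while the arguments are joined into one string and matched whole, so a wildcard does cross ‘/’ and word boundaries (the /var/log/messages* case). The "" exception is applied as well. Python's fnmatch has no POSIX character classes such as [[:alpha:]], and the file system lookups glob(3) performs are not modelled.

```python
from fnmatch import fnmatchcase
from typing import Optional, Sequence


def path_matches(pattern: str, path: str) -> bool:
    """Match a command path against a sudoers path pattern.

    Emulates the behaviour the manual describes: a wildcard never matches
    '/', so the pattern and the path must have the same number of
    components and each component must match on its own.
    """
    pparts = pattern.split("/")
    cparts = path.split("/")
    if len(pparts) != len(cparts):
        return False
    return all(fnmatchcase(c, p) for p, c in zip(pparts, cparts))


def args_match(pattern_args: Optional[str], actual_args: Sequence[str]) -> bool:
    """Match command line arguments the way the manual describes.

    pattern_args is None when the sudoers entry lists no arguments (any
    arguments are then accepted) and "" when it lists the empty string
    (no arguments are then accepted). Otherwise the actual arguments are
    joined with single spaces and matched as one string, so a wildcard
    spans word boundaries and matches '/'.
    """
    if pattern_args is None:
        return True
    joined = " ".join(actual_args)
    if pattern_args == "":
        return joined == ""
    return fnmatchcase(joined, pattern_args)


def cmnd_matches(sudoers_cmnd: str, argv: Sequence[str]) -> bool:
    """argv[0] is the fully-qualified command, argv[1:] its arguments."""
    pattern_path, sep, pattern_args = sudoers_cmnd.partition(" ")
    args: Optional[str] = pattern_args if sep else None
    if args == '""':
        args = ""
    return path_matches(pattern_path, argv[0]) and args_match(args, argv[1:])
```

Reviewing a rule with cmnd_matches against the argument vectors it should and should not permit is a cheap way to catch the over-broad pattern the manual warns about before it reaches production.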
905 Including other files from within sudoers
906 It is possible to include other sudoers files from within the sudoers
907 file currently being parsed using the @include and @includedir direc‐
908 tives. For compatibility with sudo versions prior to 1.9.1, #include and
909 #includedir are also accepted.
910
911 An include file can be used, for example, to keep a site-wide sudoers
912 file in addition to a local, per-machine file. For the sake of this ex‐
913 ample the site-wide sudoers file will be /etc/sudoers and the per-machine
914 one will be /etc/sudoers.local. To include /etc/sudoers.local from
915 within /etc/sudoers one would use the following line in /etc/sudoers:
916
917 @include /etc/sudoers.local
918
919 When sudo reaches this line it will suspend processing of the current
920 file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
921 end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
922 Files that are included may themselves include other files. A hard limit
923 of 128 nested include files is enforced to prevent include file loops.
924
925 The path to the include file may contain white space if it is escaped
926 with a backslash (‘\’). Alternately, the entire path may be enclosed in
927 double quotes (""), in which case no escaping is necessary. To include a
928 literal backslash in the path, ‘\\’ should be used.
929
930 If the path to the include file is not fully-qualified (does not begin
931 with a ‘/’), it must be located in the same directory as the sudoers file
932 it was included from. For example, if /etc/sudoers contains the line:
933
934 @include sudoers.local
935
936 the file that will be included is /etc/sudoers.local.
937
938 The file name may also include the %h escape, signifying the short form
939 of the host name. In other words, if the machine's host name is
940 “xerxes”, then
941
942 @include /etc/sudoers.%h
943
944 will cause sudo to include the file /etc/sudoers.xerxes.
945
946 The @includedir directive can be used to create a sudoers.d directory
947 that the system package manager can drop sudoers file rules into as part
948 of package installation. For example, given:
949
950 @includedir /etc/sudoers.d
951
952 sudo will suspend processing of the current file and read each file in
953 /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
954 character to avoid causing problems with package manager or editor tempo‐
955 rary/backup files. Files are parsed in sorted lexical order. That is,
956 /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
957 Be aware that because the sorting is lexical, not numeric,
958 /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
959 Using a consistent number of leading zeroes in the file names can be used
960 to avoid such problems. After parsing the files in the directory, con‐
961 trol returns to the file that contained the @includedir directive.
962
963 Note that unlike files included via @include, visudo will not edit the
964 files in a @includedir directory unless one of them contains a syntax er‐
965 ror. It is still possible to run visudo with the -f flag to edit the
966 files directly, but this will not catch the redefinition of an alias that
967 is also present in a different file.
968
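An added Python check (not part of sudo) for the @includedir rules just described: it applies the same skip rules (names ending in ‘~’ or containing a ‘.’), returns the lexical parse order, and flags numeric prefixes narrower than the widest one present, which is exactly the 1_whoops versus 10_second case. The ownership and permission checks sudoers also performs on included files are not modelled; the sample file names are constructed for the demo.

```python
import os
import re
import tempfile


def _eligible(name: str) -> bool:
    # The manual's skip rules: editor and package-manager leftovers are ignored.
    return not name.endswith("~") and "." not in name


def load_order(names):
    """Parse order sudoers would use for these @includedir entries:
    the eligible names, sorted lexically (byte order, not numerically)."""
    return sorted(n for n in names if _eligible(n))


def includedir_files(directory: str):
    """Full paths of the files that "@includedir directory" would parse."""
    return [os.path.join(directory, n) for n in load_order(os.listdir(directory))]


def inconsistent_prefixes(names):
    """Eligible names whose leading number is narrower than the widest
    leading number present. Such a name sorts where its digits fall in
    byte order, not where its value suggests ('1_whoops' after
    '10_second'); pad to a common width with leading zeroes to fix it."""
    widths = {}
    for n in names:
        m = re.match(r"\d+", n)
        if m and _eligible(n):
            widths[n] = len(m.group(0))
    if not widths:
        return []
    widest = max(widths.values())
    return sorted(n for n, w in widths.items() if w < widest)


def demo():
    """Constructed sample directory (not a real /etc/sudoers.d) showing the
    skip rules and the lexical ordering pitfall together."""
    sample = ["10_second", "1_whoops", "01_first", "README.txt",
              "01_first~", "05_ok.rpmsave"]
    with tempfile.TemporaryDirectory() as d:
        for n in sample:
            open(os.path.join(d, n), "w").close()
        order = [os.path.basename(p) for p in includedir_files(d)]
    return order, inconsistent_prefixes(sample)
```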
969 Other special characters and reserved words
970 The pound sign (‘#’) is used to indicate a comment (unless it is part of
971 a #include directive or unless it occurs in the context of a user name
972 and is followed by one or more digits, in which case it is treated as a
973 user-ID). Both the comment character and any text after it, up to the
974 end of the line, are ignored.
975
976 The reserved word ALL is a built-in alias that always causes a match to
977 succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
978 User_Alias, Runas_Alias, or Host_Alias. Attempting to define an alias
979 named ALL will result in a syntax error. Please note that using ALL can
980 be dangerous since in a command context, it allows the user to run any
981 command on the system.
982
983 The following option names permitted in an Option_Spec are also consid‐
984 ered reserved words: CHROOT, ROLE, TYPE, TIMEOUT, CWD, NOTBEFORE and
985 NOTAFTER. Attempting to define an alias with the same name as one of the
986 options will result in a syntax error.
987
988 An exclamation point (‘!’) can be used as a logical not operator in a
989 list or alias as well as in front of a Cmnd. This allows one to exclude
990 certain values. For the ‘!’ operator to be effective, there must be
991 something for it to exclude. For example, to match all users except for
992 root one would use:
993
994 ALL,!root
995
996 If the ALL, is omitted, as in:
997
998 !root
999
1000 it would explicitly deny root but not match any other users. This is
1001 different from a true “negation” operator.
1002
1003 Note, however, that using a ‘!’ in conjunction with the built-in ALL
1004 alias to allow a user to run “all but a few” commands rarely works as in‐
1005 tended (see SECURITY NOTES below).
1006
1007 Long lines can be continued with a backslash (‘\’) as the last character
1008 on the line.
1009
1010 White space between elements in a list as well as special syntactic char‐
1011 acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
1012
1013 The following characters must be escaped with a backslash (‘\’) when used
1014 as part of a word (e.g., a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
1015 ‘(’, ‘)’, ‘\’.
1016
1017 SUDOERS OPTIONS
1018 sudo's behavior can be modified by Default_Entry lines, as explained ear‐
1019 lier. A list of all supported Defaults parameters, grouped by type, is
1020 given below.
1021
1022 Boolean Flags:
1023
1024 always_query_group_plugin
1025 If a group_plugin is configured, use it to resolve
1026 groups of the form %group as long as there is not also
1027 a system group of the same name. Normally, only groups
1028 of the form %:group are passed to the group_plugin.
1029 This flag is off by default.
1030
1031 always_set_home If enabled, sudo will set the HOME environment variable
1032 to the home directory of the target user (which is the
1033 root user unless the -u option is used). This flag is
1034 largely obsolete and has no effect unless the env_reset
1035 flag has been disabled or HOME is present in the
1036 env_keep list, both of which are strongly discouraged.
1037 This flag is off by default.
1038
1039 authenticate If set, users must authenticate themselves via a pass‐
1040 word (or other means of authentication) before they may
1041 run commands. This default may be overridden via the
1042 PASSWD and NOPASSWD tags. This flag is on by default.
1043
1044 case_insensitive_group
1045 If enabled, group names in sudoers will be matched in a
1046 case insensitive manner. This may be necessary when
1047 users are stored in LDAP or AD. This flag is on by de‐
1048 fault.
1049
1050 case_insensitive_user
1051 If enabled, user names in sudoers will be matched in a
1052 case insensitive manner. This may be necessary when
1053 groups are stored in LDAP or AD. This flag is on by
1054 default.
1055
1056 closefrom_override
1057 If set, the user may use the -C option which overrides
1058 the default starting point at which sudo begins closing
1059 open file descriptors. This flag is off by default.
1060
1061 compress_io If set, and sudo is configured to log a command's input
1062 or output, the I/O logs will be compressed using zlib.
1063 This flag is on by default when sudo is compiled with
1064 zlib support.
1065
1066 exec_background By default, sudo runs a command as the foreground
1067 process as long as sudo itself is running in the fore‐
1068 ground. When the exec_background flag is enabled and
1069 the command is being run in a pseudo-terminal (due to
1070 I/O logging or the use_pty flag), the command will be
1071 run as a background process. Attempts to read from the
1072 controlling terminal (or to change terminal settings)
1073 will result in the command being suspended with the
1074 SIGTTIN signal (or SIGTTOU in the case of terminal set‐
1075 tings). If this happens when sudo is a foreground
1076 process, the command will be granted the controlling
1077 terminal and resumed in the foreground with no user in‐
1078 tervention required. The advantage of initially run‐
1079 ning the command in the background is that sudo need
1080 not read from the terminal unless the command explic‐
1081 itly requests it. Otherwise, any terminal input must
1082 be passed to the command, whether it has required it or
1083 not (the kernel buffers terminals so it is not possible
1084 to tell whether the command really wants the input).
1085 This is different from historic sudo behavior or when
1086 the command is not being run in a pseudo-terminal.
1087
1088 For this to work seamlessly, the operating system must
1089 support the automatic restarting of system calls. Un‐
1090 fortunately, not all operating systems do this by de‐
1091 fault, and even those that do may have bugs. For exam‐
1092 ple, macOS fails to restart the tcgetattr() and
1093 tcsetattr() system calls (this is a bug in macOS).
1094 Furthermore, because this behavior depends on the com‐
1095 mand stopping with the SIGTTIN or SIGTTOU signals, pro‐
1096 grams that catch these signals and suspend themselves
1097 with a different signal (usually SIGSTOP) will not be
1098 automatically foregrounded. Some versions of the Linux
1099 su(1) command behave this way. This flag is off by de‐
1100 fault.
1101
1102 This setting is only supported by version 1.8.7 or
1103 higher. It has no effect unless I/O logging is enabled
1104 or the use_pty flag is enabled.
1105
1106 env_editor If set, visudo will use the value of the SUDO_EDITOR,
1107 VISUAL or EDITOR environment variables before falling
1108 back on the default editor list. Note that visudo is
1109 typically run as root so this flag may allow a user
1110 with visudo privileges to run arbitrary commands as
1111 root without logging. An alternative is to place a
1112 colon-separated list of “safe” editors in the editor
1113 variable. visudo will then only use SUDO_EDITOR,
1114 VISUAL or EDITOR if they match a value specified in
1115 editor. If the env_reset flag is enabled, the
1116 SUDO_EDITOR, VISUAL and/or EDITOR environment variables
1117 must be present in the env_keep list for the env_editor
1118 flag to function when visudo is invoked via sudo. This
1119 flag is on by default.
1120
1121 env_reset If set, sudo will run the command in a minimal environ‐
1122 ment containing the TERM, PATH, HOME, MAIL, SHELL,
1123 LOGNAME, USER and SUDO_* variables. Any variables in
1124 the caller's environment or in the file specified by
1125 the restricted_env_file setting that match the env_keep
1126 and env_check lists are then added, followed by any
1127 variables present in the file specified by the env_file
1128 setting (if any). The contents of the env_keep and
1129 env_check lists, as modified by global Defaults parame‐
1130 ters in sudoers, are displayed when sudo is run by root
1131 with the -V option. If the secure_path setting is en‐
1132 abled, its value will be used for the PATH environment
1133 variable. This flag is on by default.
1134
1135 fast_glob Normally, sudo uses the glob(3) function to do shell-
1136 style globbing when matching path names. However,
1137 since it accesses the file system, glob(3) can take a
1138 long time to complete for some patterns, especially
1139 when the pattern references a network file system that
1140 is mounted on demand (auto mounted). The fast_glob
1141 flag causes sudo to use the fnmatch(3) function, which
1142 does not access the file system to do its matching.
1143 The disadvantage of fast_glob is that it is unable to
1144 match relative path names such as ./ls or ../bin/ls.
1145 This has security implications when path names that in‐
1146 clude globbing characters are used with the negation
1147 operator, ‘!’, as such rules can be trivially bypassed.
1148 As such, this flag should not be used when the sudoers
1149 file contains rules that contain negated path names
1150 which include globbing characters. This flag is off by
1151 default.
1152
1153 fqdn Set this flag if you want to put fully qualified host
1154 names in the sudoers file when the local host name (as
1155 returned by the hostname command) does not contain the
1156 domain name. In other words, instead of myhost you
1157 would use myhost.mydomain.edu. You may still use the
1158 short form if you wish (and even mix the two). This
1159 flag is only effective when the “canonical” host name,
1160 as returned by the getaddrinfo() or gethostbyname()
1161 function, is a fully-qualified domain name. This is
1162 usually the case when the system is configured to use
1163 DNS for host name resolution.
1164
1165 If the system is configured to use the /etc/hosts file
1166 in preference to DNS, the “canonical” host name may not
1167 be fully-qualified. The order that sources are queried
1168 for host name resolution is usually specified in the
1169 /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
1170 or, in some cases, /etc/resolv.conf file. In the
1171 /etc/hosts file, the first host name of the entry is
1172 considered to be the “canonical” name; subsequent names
1173 are aliases that are not used by sudoers. For example,
1174 the following hosts file line for the machine “xyzzy”
1175 has the fully-qualified domain name as the “canonical”
1176 host name, and the short version as an alias.
1177
1178 192.168.1.1 xyzzy.sudo.ws xyzzy
1179
1180 If the machine's hosts file entry is not formatted
1181 properly, the fqdn flag will not be effective if it is
1182 queried before DNS.
1183
1184 Beware that when using DNS for host name resolution,
1185 turning on fqdn requires sudoers to make DNS lookups
1186 which renders sudo unusable if DNS stops working (for
1187 example if the machine is disconnected from the net‐
1188 work). Also note that just like with the hosts file,
1189 you must use the “canonical” name as DNS knows it.
1190 That is, you may not use a host alias (CNAME entry) due
1191 to performance issues and the fact that there is no way
1192 to get all aliases from DNS.
1193
1194 This flag is off by default.
1195
1196 ignore_audit_errors
1197 Allow commands to be run even if sudoers cannot write
1198 to the audit log. If enabled, an audit log write fail‐
1199 ure is not treated as a fatal error. If disabled, a
1200 command may only be run after the audit event is suc‐
1201 cessfully written. This flag is only effective on sys‐
1202 tems for which sudoers supports audit logging, includ‐
1203 ing FreeBSD, Linux, macOS and Solaris. This flag is on
1204 by default.
1205
1206 ignore_dot If set, sudo will ignore "." or "" (both denoting cur‐
1207 rent directory) in the PATH environment variable; the
1208 PATH itself is not modified. This flag is on by de‐
1209 fault.
1210
1211 ignore_iolog_errors
1212 Allow commands to be run even if sudoers cannot write
1213 to the I/O log (local or remote). If enabled, an I/O
1214 log write failure is not treated as a fatal error. If
1215 disabled, the command will be terminated if the I/O log
1216 cannot be written to. This flag is off by default.
1217
1218 ignore_logfile_errors
1219 Allow commands to be run even if sudoers cannot write
1220 to the log file. If enabled, a log file write failure
1221 is not treated as a fatal error. If disabled, a com‐
1222 mand may only be run after the log file entry is suc‐
1223 cessfully written. This flag only has an effect when
1224 sudoers is configured to use file-based logging via the
1225 logfile setting. This flag is on by default.
1226
1227 ignore_local_sudoers
1228 If set via LDAP, parsing of /etc/sudoers will be
1229 skipped. This is intended for Enterprises that wish to
1230 prevent the usage of local sudoers files so that only
1231 LDAP is used. This thwarts the efforts of rogue opera‐
1232 tors who would attempt to add roles to /etc/sudoers.
1233 When this flag is enabled, /etc/sudoers does not even
1234 need to exist. Since this flag tells sudo how to be‐
1235 have when no specific LDAP entries have been matched,
1236 this sudoOption is only meaningful for the cn=defaults
1237 section. This flag is off by default.
1238
1239 ignore_unknown_defaults
1240 If set, sudo will not produce a warning if it encoun‐
1241 ters an unknown Defaults entry in the sudoers file or
1242 an unknown sudoOption in LDAP. This flag is off by de‐
1243 fault.
1244
1245 insults If set, sudo will insult users when they enter an in‐
1246 correct password. This flag is off by default.
1247
1248 log_allowed If set, sudoers will log commands allowed by the policy
1249 to the system audit log (where supported) as well as to
1250 syslog and/or a log file. This flag is on by default.
1251
1252 This setting is only supported by version 1.8.29 or
1253 higher.
1254
1255 log_denied If set, sudoers will log commands denied by the policy
1256 to the system audit log (where supported) as well as to
1257 syslog and/or a log file. This flag is on by default.
1258
1259 This setting is only supported by version 1.8.29 or
1260 higher.
1261
1262 log_exit_status If set, sudoers will log the exit value of commands
1263 that are run to syslog and/or a log file. If a command
1264 was terminated by a signal, the signal name is logged
1265 as well. This flag is off by default.
1266
1267 This setting is only supported by version 1.9.8 or
1268 higher.
1269
1270 log_host If set, the host name will be included in log entries
1271 written to the file configured by the logfile setting.
1272 This flag is off by default.
1273
1274 log_input If set, sudo will run the command in a pseudo-terminal
1275 and log all user input. If the standard input is not
1276 connected to the user's tty, due to I/O redirection or
1277 because the command is part of a pipeline, that input
1278 is also captured and stored in a separate log file.
1279 Anything sent to the standard input will be consumed,
1280 regardless of whether or not the command run via sudo
1281 is actually reading the standard input. This may have
1282 unexpected results when using sudo in a shell script
1283 that expects to process the standard input. For more
1284 information about I/O logging, see the I/O LOG FILES
1285 section. This flag is off by default.
1286
1287 log_output If set, sudo will run the command in a pseudo-terminal
1288 and log all output that is sent to the screen, similar
1289 to the script(1) command. For more information about
1290 I/O logging, see the I/O LOG FILES section. This flag
1291 is off by default.
1292
1293 log_server_keepalive
1294 If set, sudo will enable the TCP keepalive socket op‐
1295 tion on the connection to the log server. This enables
1296 the periodic transmission of keepalive messages to the
1297 server. If the server does not respond to a message,
1298 the connection will be closed and the running command
1299 will be terminated unless the ignore_iolog_errors flag
1300 (I/O logging enabled) or the ignore_log_errors flag
1301 (I/O logging disabled) is set. This flag is on by de‐
1302 fault.
1303
1304 This setting is only supported by version 1.9.0 or
1305 higher.
1306
1307 log_server_verify
1308 If set, the server certificate received during the TLS
1309 handshake must be valid and it must contain either the
1310 server name (from log_servers) or its IP address. If
1311 either of these conditions is not met, the TLS hand‐
1312 shake will fail. This flag is on by default.
1313
1314 This setting is only supported by version 1.9.0 or
1315 higher.
1316
1317 log_subcmds If set, sudoers will log when a command spawns a child
1318 process and executes a program using the execl(),
1319 execle(), execlp(), execv(), execve(), execvp(), or
1320 execvpe() library functions. For example, if a shell
           is run by sudo, the individual commands run via the shell will be logged.  This flag is off by default.

           The log_subcmds flag uses the same underlying mechanism as the intercept setting.  See Preventing shell escapes for more information on what systems support this option and its limitations.  This setting is only supported by version 1.9.8 or higher and is incompatible with SELinux RBAC support.

   log_year
           If set, the four-digit year will be logged in the (non-syslog) sudo log file.  This flag is off by default.

   long_otp_prompt
           When validating with a One Time Password (OTP) scheme such as S/Key or OPIE, a two-line prompt is used to make it easier to cut and paste the challenge to a local window.  It's not as pretty as the default but some people find it more convenient.  This flag is off by default.

   mail_all_cmnds
           Send mail to the mailto user every time a user attempts to run a command via sudo (this includes sudoedit).  No mail will be sent if the user runs sudo with the -l or -v option unless there is an authentication error and the mail_badpass flag is also set.  This flag is off by default.

   mail_always
           Send mail to the mailto user every time a user runs sudo.  This flag is off by default.

   mail_badpass
           Send mail to the mailto user if the user running sudo does not enter the correct password.  If the command the user is attempting to run is not permitted by sudoers and one of the mail_all_cmnds, mail_always, mail_no_host, mail_no_perms or mail_no_user flags are set, this flag will have no effect.  This flag is off by default.

   mail_no_host
           If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host.  This flag is off by default.

   mail_no_perms
           If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied.  This flag is off by default.

   mail_no_user
           If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file.  This flag is on by default.

   match_group_by_gid
           By default, sudoers will look up each group the user is a member of by group-ID to determine the group name (this is only done once).  The resulting list of the user's group names is used when matching groups listed in the sudoers file.  This works well on systems where the number of groups listed in the sudoers file is larger than the number of groups a typical user belongs to.  On systems where group lookups are slow, where users may belong to a large number of groups, and where the number of groups listed in the sudoers file is relatively small, it may be prohibitively expensive and running commands via sudo may take longer than normal.  On such systems it may be faster to use the match_group_by_gid flag to avoid resolving the user's group-IDs to group names.  In this case, sudoers must look up any group name listed in the sudoers file and use the group-ID instead of the group name when determining whether the user is a member of the group.

           Note that if match_group_by_gid is enabled, group database lookups performed by sudoers will be keyed by group name as opposed to group-ID.  On systems where there are multiple sources for the group database, it is possible to have conflicting group names or group-IDs in the local /etc/group file and the remote group database.  On such systems, enabling or disabling match_group_by_gid can be used to choose whether group database queries are performed by name (enabled) or ID (disabled), which may aid in working around group entry conflicts.

           The match_group_by_gid flag has no effect when sudoers data is stored in LDAP.  This flag is off by default.

           This setting is only supported by version 1.8.18 or higher.

   intercept
           If set, all commands run via sudo will behave as if the INTERCEPT tag has been set, unless overridden by a NOINTERCEPT tag.  See the description of INTERCEPT and NOINTERCEPT above as well as the Preventing shell escapes section at the end of this manual.  This flag is off by default.

           This setting is only supported by version 1.9.8 or higher and is incompatible with SELinux RBAC support.

   intercept_allow_setid
           On most systems, the dynamic loader will ignore LD_PRELOAD (or the equivalent) when running set-user-ID and set-group-ID programs, effectively disabling intercept mode.  To prevent this from happening, sudoers will not permit a set-user-ID or set-group-ID program to be run in intercept mode unless intercept_allow_setid is set.  This flag has no effect unless the intercept flag is enabled or the INTERCEPT tag has been set for the command.  This flag is on by default.

           This setting is only supported by version 1.9.8 or higher.

   intercept_authenticate
           If set, commands run by an intercepted process must be authenticated when the user's time stamp is not current.  For example, if a shell is run with intercept enabled, as soon as the invoking user's time stamp is out of date, subsequent commands will need to be authenticated.  This flag has no effect unless the intercept flag is enabled or the INTERCEPT tag has been set for the command.  This flag is off by default.

           This setting is only supported by version 1.9.8 or higher.

   netgroup_tuple
           If set, netgroup lookups will be performed using the full netgroup tuple: host name, user name and domain (if one is set).  Historically, sudo only matched the user name and domain for netgroups used in a User_List and only matched the host name and domain for netgroups used in a Host_List.  This flag is off by default.

   noexec
           If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden by an EXEC tag.  See the description of EXEC and NOEXEC above as well as the Preventing shell escapes section at the end of this manual.  This flag is off by default.

   pam_acct_mgmt
           On systems that use PAM for authentication, sudo will perform PAM account validation for the invoking user by default.  The actual checks performed depend on which PAM modules are configured.  If enabled, account validation will be performed regardless of whether or not a password is required.  This flag is on by default.

           This setting is only supported by version 1.8.28 or higher.

   pam_rhost
           On systems that use PAM for authentication, sudo will set the PAM remote host value to the name of the local host when the pam_rhost flag is enabled.  On Linux systems, enabling pam_rhost may result in DNS lookups of the local host name when PAM is initialized.  On Solaris versions prior to Solaris 8, pam_rhost must be enabled if pam_ruser is also enabled to avoid a crash in the Solaris PAM implementation.

           This flag is off by default on systems other than Solaris.

           This setting is only supported by version 1.9.0 or higher.

   pam_ruser
           On systems that use PAM for authentication, sudo will set the PAM remote user value to the name of the user that invoked sudo when the pam_ruser flag is enabled.  This flag is on by default.

           This setting is only supported by version 1.9.0 or higher.

   pam_session
           On systems that use PAM for authentication, sudo will create a new PAM session for the command to be run in.  Unless sudo is given the -i or -s options, PAM session modules are run with the “silent” flag enabled.  This prevents last login information from being displayed for every command on some systems.  Disabling pam_session may be needed on older PAM implementations or on operating systems where opening a PAM session changes the utmp or wtmp files.  If PAM session support is disabled, resource limits may not be updated for the command being run.  If pam_session, pam_setcred, and use_pty are disabled, log_servers has not been set and I/O logging has not been configured, sudo will execute the command directly instead of running it as a child process.  This flag is on by default.

           This setting is only supported by version 1.8.7 or higher.

   pam_setcred
           On systems that use PAM for authentication, sudo will attempt to establish credentials for the target user by default, if supported by the underlying authentication system.  One example of a credential is a Kerberos ticket.  If pam_session, pam_setcred, and use_pty are disabled, log_servers has not been set and I/O logging has not been configured, sudo will execute the command directly instead of running it as a child process.  This flag is on by default.

           This setting is only supported by version 1.8.8 or higher.

   passprompt_override
           If set, the prompt specified by passprompt or the SUDO_PROMPT environment variable will always be used and will replace the prompt provided by a PAM module or other authentication method.  This flag is off by default.

   path_info
           Normally, sudo will tell the user when a command could not be found in their PATH environment variable.  Some sites may wish to disable this as it could be used to gather information on the location of executables that the normal user does not have access to.  The disadvantage is that if the executable is simply not in the user's PATH, sudo will tell the user that they are not allowed to run it, which can be confusing.  This flag is on by default.

   preserve_groups
           By default, sudo will initialize the group vector to the list of groups the target user is in.  When preserve_groups is set, the user's existing group vector is left unaltered.  The real and effective group-IDs, however, are still set to match the target user.  This flag is off by default.

   pwfeedback
           By default, sudo reads the password like most other Unix programs, by turning off echo until the user hits the return (or enter) key.  Some users become confused by this as it appears to them that sudo has hung at this point.  When pwfeedback is set, sudo will provide visual feedback when the user presses a key.  Note that this does have a security impact as an onlooker may be able to determine the length of the password being entered.  This flag is off by default.

   requiretty
           If set, sudo will only run when the user is logged in to a real tty.  When this flag is set, sudo can only be run from a login session and not via other means such as cron(8) or cgi-bin scripts.  This flag is off by default.

   root_sudo
           If set, root is allowed to run sudo too.  Disabling this prevents users from “chaining” sudo commands to get a root shell by doing something like “sudo sudo /bin/sh”.  Note, however, that turning off root_sudo will also prevent root from running sudoedit.  Disabling root_sudo provides no real additional security; it exists purely for historical reasons.  This flag is on by default.

   rootpw
           If set, sudo will prompt for the root password instead of the password of the invoking user when running a command or editing a file.  This flag is off by default.

   runas_allow_unknown_id
           If enabled, allow matching of runas user and group IDs that are not present in the password or group databases.  In addition to explicitly matching unknown user or group IDs in a Runas_List, this option also allows the ALL alias to match unknown IDs.  This flag is off by default.

           This setting is only supported by version 1.8.30 or higher.  Older versions of sudo always allowed matching of unknown user and group IDs.

   runas_check_shell
           If enabled, sudo will only run commands as a user whose shell appears in the /etc/shells file, even if the invoking user's Runas_List would otherwise permit it.  If no /etc/shells file is present, a system-dependent list of built-in default shells is used.  On many operating systems, system users such as “bin” do not have a valid shell and this flag can be used to prevent commands from being run as those users.  This flag is off by default.

           This setting is only supported by version 1.8.30 or higher.

   runaspw
           If set, sudo will prompt for the password of the user defined by the runas_default option (defaults to root) instead of the password of the invoking user when running a command or editing a file.  This flag is off by default.

   selinux
           If enabled, the user may specify an SELinux role and/or type to use when running the command, as permitted by the SELinux policy.  If SELinux is disabled on the system, this flag has no effect.  This flag is on by default.

   set_home
           If enabled and sudo is invoked with the -s option, the HOME environment variable will be set to the home directory of the target user (which is the root user unless the -u option is used).  This flag is largely obsolete and has no effect unless the env_reset flag has been disabled or HOME is present in the env_keep list, both of which are strongly discouraged.  This flag is off by default.

   set_logname
           Normally, sudo will set the LOGNAME and USER environment variables to the name of the target user (usually root unless the -u option is given).  However, since some programs (including the RCS revision control system) use LOGNAME to determine the real identity of the user, it may be desirable to change this behavior.  This can be done by negating the set_logname option.  Note that set_logname will have no effect if the env_reset option has not been disabled and the env_keep list contains LOGNAME or USER.  This flag is on by default.

   set_utmp
           When enabled, sudo will create an entry in the utmp (or utmpx) file when a pseudo-terminal is allocated.  A pseudo-terminal is allocated by sudo when it is running in a terminal and one or more of the log_input, log_output or use_pty flags is enabled.  By default, the new entry will be a copy of the user's existing utmp entry (if any), with the tty, time, type and pid fields updated.  This flag is on by default.

   setenv
           Allow the user to disable the env_reset option from the command line via the -E option.  Additionally, environment variables set via the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep.  As such, only trusted users should be allowed to set variables in this manner.  This flag is off by default.

   shell_noargs
           If set and sudo is invoked with no arguments it acts as if the -s option had been given.  That is, it runs a shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not).  This flag is off by default.

   stay_setuid
           Normally, when sudo executes a command the real and effective UIDs are set to the target user (root by default).  This option changes that behavior such that the real UID is left as the invoking user's UID.  In other words, this makes sudo act as a set-user-ID wrapper.  This can be useful on systems that disable some potentially dangerous functionality when a program is run set-user-ID.  This option is only effective on systems that support either the setreuid(2) or setresuid(2) system call.  This flag is off by default.

   sudoedit_checkdir
           If set, sudoedit will check all directory components of the path to be edited for writability by the invoking user.  Symbolic links will not be followed in writable directories and sudoedit will refuse to edit a file located in a writable directory.  These restrictions are not enforced when sudoedit is run by root.  On some systems, if all directory components of the path to be edited are not readable by the target user, sudoedit will be unable to edit the file.  This flag is on by default.

           This setting was first introduced in version 1.8.15 but initially suffered from a race condition.  The check for symbolic links in writable intermediate directories was added in version 1.8.16.

   sudoedit_follow
           By default, sudoedit will not follow symbolic links when opening files.  The sudoedit_follow option can be enabled to allow sudoedit to open symbolic links.  It may be overridden on a per-command basis by the FOLLOW and NOFOLLOW tags.  This flag is off by default.

           This setting is only supported by version 1.8.15 or higher.

   syslog_pid
           When logging via syslog(3), include the process ID in the log entry.  This flag is off by default.

           This setting is only supported by version 1.8.21 or higher.

   targetpw
           If set, sudo will prompt for the password of the user specified by the -u option (defaults to root) instead of the password of the invoking user when running a command or editing a file.  Note that this flag precludes the use of a user-ID not listed in the passwd database as an argument to the -u option.  This flag is off by default.

   tty_tickets
           If set, users must authenticate on a per-tty basis.  With this flag enabled, sudo will use a separate record in the time stamp file for each terminal.  If disabled, a single record is used for all login sessions.

           This option has been superseded by the timestamp_type option.

   umask_override
           If set, sudo will set the umask as specified in the sudoers file without modification.  This makes it possible to specify a umask in the sudoers file that is more permissive than the user's own umask and matches historical behavior.  If umask_override is not set, sudo will set the umask to be the union of the user's umask and what is specified in sudoers.  This flag is off by default.

   use_netgroups
           If set, netgroups (prefixed with ‘+’) may be used in place of a user or host.  For LDAP-based sudoers, netgroup support requires an expensive sub-string match on the server unless the NETGROUP_BASE directive is present in the /etc/ldap.conf file.  If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server.  This flag is on by default.

   use_pty
           If set, and sudo is running in a terminal, the command will be run in a pseudo-terminal (even if no I/O logging is being done).  If the sudo process is not attached to a terminal, use_pty has no effect.

           A malicious program run under sudo may be capable of injecting commands into the user's terminal or running a background process that retains access to the user's terminal device even after the main program has finished executing.  By running the command in a separate pseudo-terminal, this attack is no longer possible.  This flag is off by default.

   user_command_timeouts
           If set, the user may specify a timeout on the command line.  If the timeout expires before the command has exited, the command will be terminated.  If a timeout is specified both in the sudoers file and on the command line, the smaller of the two timeouts will be used.  See the Timeout_Spec section for a description of the timeout syntax.  This flag is off by default.

           This setting is only supported by version 1.8.20 or higher.

   utmp_runas
           If set, sudo will store the name of the runas user when updating the utmp (or utmpx) file.  By default, sudo stores the name of the invoking user.  This flag is off by default.

   visiblepw
           By default, sudo will refuse to run if the user must enter a password but it is not possible to disable echo on the terminal.  If the visiblepw flag is set, sudo will prompt for a password even when it would be visible on the screen.  This makes it possible to run things like “ssh somehost sudo ls” since by default, ssh(1) does not allocate a tty when running a command.  This flag is off by default.

   Integers:

   closefrom
           Before it executes a command, sudo will close all open file descriptors other than standard input, standard output and standard error (i.e., file descriptors 0-2).  The closefrom option can be used to specify a different file descriptor at which to start closing.  The default is 3.

   command_timeout
           The maximum amount of time a command is allowed to run before it is terminated.  See the Timeout_Spec section for a description of the timeout syntax.

           This setting is only supported by version 1.8.20 or higher.

   log_server_timeout
           The maximum amount of time to wait when connecting to a log server or waiting for a server response.  See the Timeout_Spec section for a description of the timeout syntax.  The default value is 30 seconds.

           This setting is only supported by version 1.9.0 or higher.

   maxseq
           The maximum sequence number that will be substituted for the “%{seq}” escape in the I/O log file (see the iolog_dir description below for more information).  While the value substituted for “%{seq}” is in base 36, maxseq itself should be expressed in decimal.  Values larger than 2176782336 (which corresponds to the base 36 sequence number “ZZZZZZ”) will be silently truncated to 2176782336.  The default value is 2176782336.

           Once the local sequence number reaches the value of maxseq, it will “roll over” to zero, after which sudoers will truncate and re-use any existing I/O log path names.

           This setting is only supported by version 1.8.7 or higher.

   passwd_tries
           The number of tries a user gets to enter his/her password before sudo logs the failure and exits.  The default is 3.

   syslog_maxlen
           On many systems, syslog(3) has a relatively small log buffer.  IETF RFC 5424 states that syslog servers must support messages of at least 480 bytes and should support messages up to 2048 bytes.  By default, sudoers creates log messages up to 980 bytes which corresponds to the historic BSD syslog implementation which used a 1024 byte buffer to store the message, date, hostname and program name.  To prevent syslog messages from being truncated, sudoers will split up log messages that are larger than syslog_maxlen bytes.  When a message is split, additional parts will include the string “(command continued)” after the user name and before the continued command line arguments.

           This setting is only supported by version 1.8.19 or higher.

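The syslog_maxlen splitting described above, as an added example in Python that is not part of sudo or this manual: it splits a long message into "(command continued)" parts and, for the collector side, joins them back and refuses a part that does not carry the expected marker. The "user : fields" line layout, the choice to break at a space, and counting characters rather than bytes are assumptions made for illustration.

```python
# Added example, not sudo's own code: how a sudoers log message longer than
# syslog_maxlen is split into parts, and how a collector can stitch the
# "(command continued)" parts back together.  The "user : fields" line
# layout and breaking at a space are assumptions made for illustration;
# sudo counts bytes, this model counts characters.

CONTINUED = "(command continued)"


def split_syslog_message(user: str, body: str, syslog_maxlen: int = 980) -> list:
    """Return the syslog parts for "user : body", each at most syslog_maxlen long.

    The first part is the message as-is (cut to fit); every further part
    repeats the user name, then the continuation marker, then the remaining
    command line arguments, as the manual describes.
    """
    first_prefix = f"{user} : "
    cont_prefix = f"{user} : {CONTINUED} "
    parts = []
    prefix, rest = first_prefix, body
    while True:
        room = syslog_maxlen - len(prefix)
        if room <= 0:
            raise ValueError("syslog_maxlen leaves no room for the message prefix")
        if len(rest) <= room:
            parts.append(prefix + rest)
            return parts
        # Break at the last space that still fits so no argument is cut in
        # half; fall back to a hard cut (which join_continued cannot undo exactly).
        cut = rest.rfind(" ", 0, room + 1)
        if cut <= 0:
            cut = room
        parts.append(prefix + rest[:cut].rstrip())
        rest = rest[cut:].lstrip()
        prefix = cont_prefix


def join_continued(parts: list) -> str:
    """Collector-side inverse: merge continuation parts into one message.

    Raises ValueError if a part lacks the "user : (command continued) "
    marker for the same user, which a log pipeline should alert on rather
    than silently dropping arguments.
    """
    if not parts:
        raise ValueError("no parts to join")
    user = parts[0].split(" : ", 1)[0]
    marker = f"{user} : {CONTINUED} "
    merged = parts[0]
    for part in parts[1:]:
        if not part.startswith(marker):
            raise ValueError(f"not a continuation of {user!r}: {part!r}")
        merged += " " + part[len(marker):]
    return merged


# Constructed sample: a find(1) invocation with many path arguments.
SAMPLE_USER = "alice"
SAMPLE_BODY = ("TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/find "
               + " ".join(f"/srv/data{i:02d}" for i in range(40)) + " -name core")


if __name__ == "__main__":
    for part in split_syslog_message(SAMPLE_USER, SAMPLE_BODY, syslog_maxlen=120):
        print(len(part), part)
```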
   Integers that can be used in a boolean context:

   loglinelen
           Number of characters per line for the file log.  This value is used to decide when to wrap lines for nicer log files.  This has no effect on the syslog log file, only the file log.  The default is 80 (use 0 or negate the option to disable word wrap).

   passwd_timeout
           Number of minutes before the sudo password prompt times out, or 0 for no timeout.  The timeout may include a fractional component if minute granularity is insufficient, for example 2.5.  The default is 5.

   timestamp_timeout
           Number of minutes that can elapse before sudo will ask for a password again.  The timeout may include a fractional component if minute granularity is insufficient, for example 2.5.  The default is 5.  Set this to 0 to always prompt for a password.  If set to a value less than 0 the user's time stamp will not expire until the system is rebooted.  This can be used to allow users to create or delete their own time stamps via “sudo -v” and “sudo -k” respectively.

   umask
           File mode creation mask to use when running the command.  Negate this option or set it to 0777 to prevent sudoers from changing the umask.  Unless the umask_override flag is set, the actual umask will be the union of the user's umask and the value of the umask setting, which defaults to 0022.  This guarantees that sudo never lowers the umask when running a command.

           If umask is explicitly set in sudoers, it will override any umask setting in PAM or login.conf.  If umask is not set in sudoers, the umask specified by PAM or login.conf will take precedence.  The umask setting in PAM is not used for sudoedit, which does not create a new PAM session.

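How the umask setting and the umask_override flag combine with the invoking user's umask, as an added Python example that is not sudo's own code: a sudoers value of None stands for the negated option, and 0777 is the manual's "leave the umask alone" value.

```python
# Added example, not sudo's own code: the umask a command ends up with
# under the sudoers "umask" setting, with and without umask_override.
# A sudoers value of None models "Defaults !umask" (the negated option);
# 0777 is the documented "do not change the umask" value.
from typing import Optional

SUDOERS_UMASK_DEFAULT = 0o022


def effective_umask(user_umask: int,
                    sudoers_umask: Optional[int] = SUDOERS_UMASK_DEFAULT,
                    umask_override: bool = False) -> int:
    """Return the umask sudo sets before executing the command."""
    for value in (user_umask, sudoers_umask):
        if value is not None and not 0 <= value <= 0o777:
            raise ValueError(f"not a valid umask: {value:o}")
    if sudoers_umask is None or sudoers_umask == 0o777:
        return user_umask                 # sudoers does not touch the umask
    if umask_override:
        return sudoers_umask              # sudoers value used verbatim
    return user_umask | sudoers_umask     # union: never lower than the user's own


def creation_mode(requested: int, umask: int) -> int:
    """Permission bits a file gets when created with `requested` under `umask`."""
    return requested & ~umask & 0o777


def umask_table(user_umask: int, sudoers_umask: Optional[int]) -> list:
    """Both outcomes side by side: (label, effective umask, mode of a 0666 file)."""
    rows = []
    for label, override in (("union (default)", False), ("umask_override", True)):
        mask = effective_umask(user_umask, sudoers_umask, override)
        rows.append((label, mask, creation_mode(0o666, mask)))
    return rows


if __name__ == "__main__":
    # A user with a strict 077 umask running under the default sudoers 022:
    # the union keeps 077, umask_override widens it to 022.
    for label, mask, mode in umask_table(0o077, SUDOERS_UMASK_DEFAULT):
        print(f"{label:16} umask={mask:04o}  new file mode={mode:04o}")
```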
   Strings:

   authfail_message
           Message that is displayed after a user fails to authenticate.  The message may include the ‘%d’ escape which will expand to the number of failed password attempts.  If set, it overrides the default message, “%d incorrect password attempt(s)”.

   badpass_message
           Message that is displayed if a user enters an incorrect password.  The default is “Sorry, try again.” unless insults are enabled.

   editor
           A colon (‘:’) separated list of editor path names used by sudoedit and visudo.  For sudoedit, this list is used to find an editor when none of the SUDO_EDITOR, VISUAL or EDITOR environment variables are set to an editor that exists and is executable.  For visudo, it is used as a white list of allowed editors; visudo will choose the editor that matches the user's SUDO_EDITOR, VISUAL or EDITOR environment variable if possible, or the first editor in the list that exists and is executable if not.  Unless invoked as sudoedit, sudo does not preserve the SUDO_EDITOR, VISUAL or EDITOR environment variables unless they are present in the env_keep list or the env_reset option is disabled.  The default is /usr/bin/nano:/usr/bin/vim:/usr/bin/vi.

   iolog_dir
           The top-level directory to use when constructing the path name for the input/output log directory.  Only used if the log_input or log_output options are enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a command.  The session sequence number, if any, is stored in the directory.  The default is /var/log/sudo-io.

           The following percent (‘%’) escape sequences are supported:

           %{seq}
                   expanded to a monotonically increasing base-36 sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g., 01/00/A5

           %{user}
                   expanded to the invoking user's login name

           %{group}
                   expanded to the name of the invoking user's real group-ID

           %{runas_user}
                   expanded to the login name of the user the command will be run as (e.g., root)

           %{runas_group}
                   expanded to the group name of the user the command will be run as (e.g., wheel)

           %{hostname}
                   expanded to the local host name without the domain name

           %{command}
                   expanded to the base name of the command being run

           In addition, any escape sequences supported by the system's strftime(3) function will be expanded.

           To include a literal ‘%’ character, the string ‘%%’ should be used.

   iolog_file
           The path name, relative to iolog_dir, in which to store input/output logs when the log_input or log_output options are enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a command.  Note that iolog_file may contain directory components.  The default is “%{seq}”.

           See the iolog_dir option above for a list of supported percent (‘%’) escape sequences.

           In addition to the escape sequences, path names that end in six or more Xs will have the Xs replaced with a unique combination of digits and letters, similar to the mktemp(3) function.

           If the path created by concatenating iolog_dir and iolog_file already exists, the existing I/O log file will be truncated and overwritten unless iolog_file ends in six or more Xs.

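The iolog_dir and iolog_file escapes, the base-36 %{seq} counter with the maxseq roll-over described under maxseq, and the trailing-X replacement, as one added Python example that is not sudo's own code. The sequence counter is kept in memory here (sudoers keeps it in a file under iolog_dir), and SAMPLE_CTX and SAMPLE_WHEN are constructed values.

```python
# Added example, not sudo's own code: expanding iolog_dir/iolog_file
# escapes, the base-36 %{seq} counter with its maxseq roll-over, and the
# mktemp(3)-style trailing Xs.  The counter lives in memory here; sudoers
# keeps it in a "seq" file under iolog_dir.  SAMPLE_CTX/SAMPLE_WHEN are
# constructed sample data.
import os
import secrets
import string
import time

BASE36_DIGITS = string.digits + string.ascii_uppercase
MAXSEQ_CEILING = 36 ** 6          # 2176782336, the largest value maxseq accepts


def to_base36(n: int, width: int = 6) -> str:
    """Upper-case base-36 encoding, zero-padded to width (0 -> 000000)."""
    if n < 0:
        raise ValueError("sequence numbers are non-negative")
    digits = ""
    while n:
        n, rem = divmod(n, 36)
        digits = BASE36_DIGITS[rem] + digits
    return digits.rjust(width, "0")


def seq_path(seq: int) -> str:
    """%{seq}: base-36 number split two digits per directory, 0100A5 -> 01/00/A5."""
    s = to_base36(seq)
    return "/".join(s[i:i + 2] for i in range(0, len(s), 2))


class SeqCounter:
    """Model of the per-iolog_dir sequence number: values run from 0 up to
    maxseq - 1 and then roll over to zero; a maxseq above 36**6 is clamped."""

    def __init__(self, maxseq: int = MAXSEQ_CEILING, start: int = 0):
        self.maxseq = min(maxseq, MAXSEQ_CEILING)
        self.value = start % self.maxseq

    def next(self) -> int:
        current = self.value
        self.value = (current + 1) % self.maxseq
        return current


def expand_escapes(template: str, ctx: dict, seq: int, now: time.struct_time) -> str:
    """Expand %{name} escapes and %%; any other %X goes through strftime(3)."""
    values = {
        "seq": seq_path(seq),
        "user": ctx["user"],
        "group": ctx["group"],
        "runas_user": ctx["runas_user"],
        "runas_group": ctx["runas_group"],
        "hostname": ctx["hostname"].split(".", 1)[0],   # without the domain
        "command": os.path.basename(ctx["command"]),
    }
    out, i = [], 0
    while i < len(template):
        if template.startswith("%%", i):
            out.append("%")
            i += 2
        elif template.startswith("%{", i) and "}" in template[i:]:
            end = template.index("}", i)
            name = template[i + 2:end]
            if name not in values:
                raise ValueError(f"unknown escape %{{{name}}}")
            out.append(values[name])
            i = end + 1
        elif template[i] == "%" and i + 1 < len(template):
            out.append(time.strftime(template[i:i + 2], now))   # e.g. %Y, %m, %d
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def fill_trailing_xs(path: str) -> str:
    """Six or more trailing Xs become random letters and digits; fewer stay."""
    n = len(path) - len(path.rstrip("X"))
    if n < 6:
        return path
    alphabet = string.ascii_letters + string.digits
    return path[:-n] + "".join(secrets.choice(alphabet) for _ in range(n))


def iolog_path(iolog_dir: str, iolog_file: str, ctx: dict, seq: int,
               now: time.struct_time) -> str:
    """Full I/O log path: iolog_dir joined with iolog_file, both expanded."""
    directory = expand_escapes(iolog_dir, ctx, seq, now)
    name = fill_trailing_xs(expand_escapes(iolog_file, ctx, seq, now))
    return os.path.join(directory, name)


SAMPLE_CTX = {"user": "alice", "group": "staff", "runas_user": "root",
              "runas_group": "wheel", "hostname": "bastion.example.com",
              "command": "/usr/bin/find"}
SAMPLE_WHEN = time.strptime("2024-01-15 10:20:30", "%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    counter = SeqCounter()
    print(iolog_path("/var/log/sudo-io", "%{seq}", SAMPLE_CTX, int("0100A5", 36), SAMPLE_WHEN))
    print(iolog_path("/var/log/sudo-io/%{hostname}", "%Y%m%d/%{user}-%{command}.XXXXXX",
                     SAMPLE_CTX, counter.next(), SAMPLE_WHEN))
```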
   iolog_flush
           If set, sudo will flush I/O log data to disk after each write instead of buffering it.  This makes it possible to view the logs in real-time as the program is executing but may significantly reduce the effectiveness of I/O log compression.  This flag is off by default.

           This setting is only supported by version 1.8.20 or higher.

   iolog_group
           The group name to look up when setting the group-ID on new I/O log files and directories.  If iolog_group is not set, the primary group-ID of the user specified by iolog_user is used.  If neither iolog_group nor iolog_user are set, I/O log files and directories are created with group-ID 0.

           This setting is only supported by version 1.8.19 or higher.

   iolog_mode
           The file mode to use when creating I/O log files.  Mode bits for read and write permissions for owner, group or other are honored, everything else is ignored.  The file permissions will always include the owner read and write bits, even if they are not present in the specified mode.  When creating I/O log directories, search (execute) bits are added to match the read and write bits specified by iolog_mode.  Defaults to 0600 (read and write by user only).

           This setting is only supported by version 1.8.19 or higher.

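The iolog_mode rules above turned into code, as an added Python example that is not sudo's own: the file mode and the directory mode derived from a configured iolog_mode, plus a check that reports an existing I/O log tree whose permissions are wider than that configuration allows. The function and constant names are this example's own.

```python
# Added example, not sudo's own code: the permission bits sudoers derives
# from iolog_mode for I/O log files and for the directories it creates,
# plus an audit that flags entries in an existing log tree that are wider
# than the configured mode would grant.
import os
import stat

RW_BITS = 0o666          # only read/write bits of iolog_mode are honoured
OWNER_RW = 0o600         # always present on log files


def iolog_file_mode(iolog_mode: int) -> int:
    """Drop everything but rw bits, then force owner read and write."""
    if not 0 <= iolog_mode <= 0o7777:
        raise ValueError(f"not a mode: {iolog_mode:o}")
    return (iolog_mode & RW_BITS) | OWNER_RW


def iolog_dir_mode(iolog_mode: int) -> int:
    """File mode plus a search (x) bit for each class that has r or w."""
    mode = iolog_file_mode(iolog_mode)
    for shift in (6, 3, 0):                  # owner, group, other
        if mode & (0o6 << shift):
            mode |= 0o1 << shift
    return mode


def iolog_modes(iolog_mode: int) -> tuple:
    """(file mode, directory mode) for a configured iolog_mode."""
    return iolog_file_mode(iolog_mode), iolog_dir_mode(iolog_mode)


def excess_bits(actual_mode: int, iolog_mode: int, is_dir: bool) -> int:
    """Permission bits on an existing log file/directory that the configured
    iolog_mode would not grant (0 means the entry is compliant)."""
    expected = iolog_dir_mode(iolog_mode) if is_dir else iolog_file_mode(iolog_mode)
    return (actual_mode & 0o777) & ~expected


def audit_iolog_tree(root: str, iolog_mode: int) -> list:
    """Walk an I/O log tree and return (path, excess bits) for every entry
    that is more permissive than iolog_mode implies."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            extra = excess_bits(stat.S_IMODE(os.lstat(path).st_mode), iolog_mode, is_dir)
            if extra:
                findings.append((path, extra))
    return findings


if __name__ == "__main__":
    for configured in (0o600, 0o640, 0o004):
        fmode, dmode = iolog_modes(configured)
        print(f"iolog_mode={configured:04o} -> files {fmode:04o}, dirs {dmode:04o}")
    # Audit the default location; requires read access to the log tree.
    for path, extra in audit_iolog_tree("/var/log/sudo-io", 0o600):
        print(f"{path}: extra bits {extra:04o}")
```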
   iolog_user
           The user name to look up when setting the user and group-IDs on new I/O log files and directories.  If iolog_group is set, it will be used instead of the user's primary group-ID.  By default, I/O log files and directories are created with user and group-ID 0.

           This setting can be useful when the I/O logs are stored on a Network File System (NFS) share.  Having a dedicated user own the I/O log files means that sudoers does not write to the log files as user-ID 0, which is usually not permitted by NFS.

           This setting is only supported by version 1.8.19 or higher.

   lecture_status_dir
           The directory in which sudo stores per-user lecture status files.  Once a user has received the lecture, a zero-length file is created in this directory so that sudo will not lecture the user again.  This directory should not be cleared when the system reboots.  The default is /var/db/sudo/lectured.

   log_server_cabundle
           The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database when authenticating the log server.  The default is to use the system's default certificate authority database.  This setting has no effect unless log_servers is set and the remote log server is secured with TLS.

           This setting is only supported by version 1.9.0 or higher.

   log_server_peer_cert
           The path to the sudo client's certificate file, in PEM format.  This setting is required when the remote log server is secured with TLS and client certificate validation is enabled.  For sudo_logsrvd, client certificate validation is controlled by the tls_checkpeer option, which defaults to false.

           This setting is only supported by version 1.9.0 or higher.

   log_server_peer_key
           The path to the sudo client's private key file, in PEM format.  This setting is required when the remote log server is secured with TLS and client certificate validation is enabled.  For sudo_logsrvd, client certificate validation is controlled by the tls_checkpeer option, which defaults to false.

           This setting is only supported by version 1.9.0 or higher.

   mailsub
           Subject of the mail sent to the mailto user.  The escape %h will expand to the host name of the machine.  Default is “*** SECURITY information for %h ***”.

   noexec_file
           As of sudo version 1.8.1 this option is no longer supported.  The path to the noexec file should now be set in the sudo.conf(5) file.

   pam_login_service
           On systems that use PAM for authentication, this is the service name used when the -i option is specified.  The default value is “sudo-i”.  See the description of pam_service for more information.

           This setting is only supported by version 1.8.8 or higher.

   pam_service
           On systems that use PAM for authentication, the service name specifies the PAM policy to apply.  This usually corresponds to an entry in the pam.conf file or a file in the /etc/pam.d directory.  The default value is “sudo”.

           This setting is only supported by version 1.8.8 or higher.

   passprompt
           The default prompt to use when asking for a password; can be overridden via the -p option or the SUDO_PROMPT environment variable.  The following percent (‘%’) escape sequences are supported:

           %H      expanded to the local host name including the domain name (only if the machine's host name is fully qualified or the fqdn option is set)

           %h      expanded to the local host name without the domain name

           %p      expanded to the user whose password is being asked for (respects the rootpw, targetpw and runaspw flags in sudoers)

           %U      expanded to the login name of the user the command will be run as (defaults to root)

           %u      expanded to the invoking user's login name

           %%      two consecutive % characters are collapsed into a single % character

           On systems that use PAM for authentication, passprompt will only be used if the prompt provided by the PAM module matches the string “Password: ” or “username's Password: ”.  This ensures that the passprompt setting does not interfere with challenge-response style authentication.  The passprompt_override flag can be used to change this behavior.

           The default value is “[sudo] password for %p: ”.

2124 role The default SELinux role to use when constructing a new
2125 security context to run the command. The default role
2126 may be overridden on a per-command basis in the sudoers
2127 file or via command line options. This option is only
2128 available when sudo is built with SELinux support.
2129
2130 runas_default The default user to run commands as if the -u option is
2131 not specified on the command line. This defaults to
2132 root.
2133
2134 sudoers_locale Locale to use when parsing the sudoers file, logging
2135 commands, and sending email. Note that changing the
2136 locale may affect how sudoers is interpreted. Defaults
2137 to “C”.
2138
2139 timestamp_type sudoers uses per-user time stamp files for credential
2140 caching. The timestamp_type option can be used to
2141 specify the type of time stamp record used. It has the
2142 following possible values:
2143
2144 global A single time stamp record is used for all of a
2145 user's login sessions, regardless of the termi‐
2146 nal or parent process ID. An additional record
2147 is used to serialize password prompts when sudo
2148 is used multiple times in a pipeline, but this
2149 does not affect authentication.
2150
2151 ppid A single time stamp record is used for all pro‐
2152 cesses with the same parent process ID (usually
2153 the shell). Commands run from the same shell
2154 (or other common parent process) will not re‐
2155 quire a password for timestamp_timeout minutes
2156 (5 by default). Commands run via sudo with a
2157 different parent process ID, for example from a
2158 shell script, will be authenticated separately.
2159
2160 tty One time stamp record is used for each termi‐
2161 nal, which means that a user's login sessions
2162 are authenticated separately. If no terminal
2163 is present, the behavior is the same as ppid.
2164 Commands run from the same terminal will not
2165 require a password for timestamp_timeout min‐
2166 utes (5 by default).
2167
2168 kernel The time stamp is stored in the kernel as an
2169 attribute of the terminal device. If no termi‐
2170 nal is present, the behavior is the same as
2171 ppid. Negative timestamp_timeout values are
2172 not supported and positive values are limited
2173 to a maximum of 60 minutes. This is currently
2174 only supported on OpenBSD.
2175
2176 The default value is tty.
2177
2178 This setting is only supported by version 1.8.21 or
2179 higher.
2180
2181 timestampdir The directory in which sudo stores its time stamp
2182 files. This directory should be cleared when the sys‐
2183 tem reboots. The default is /run/sudo/ts.
2184
2185 timestampowner The owner of the lecture status directory, time stamp
2186 directory and all files stored therein. The default is
2187 root.
2188
2189 type The default SELinux type to use when constructing a new
2190 security context to run the command. The default type
2191 may be overridden on a per-command basis in the sudoers
2192 file or via command line options. This option is only
2193 available when sudo is built with SELinux support.
2194
2195 Strings that can be used in a boolean context:
2196
2197 admin_flag The admin_flag option specifies the path to a file that is
2198 created the first time a user that is a member of the sudo
2199 or admin groups runs sudo. Only available if sudo is con‐
2200 figured with the --enable-admin-flag option. The default
2201 value is ~/.sudo_as_admin_successful.
2202
2203 env_file The env_file option specifies the fully qualified path to a
2204 file containing variables to be set in the environment of
2205 the program being run. Entries in this file should either
2206 be of the form “VARIABLE=value” or “export VARIABLE=value”.
2207 The value may optionally be enclosed in single or double
2208 quotes. Variables in this file are only added if the vari‐
2209 able does not already exist in the environment. This file
2210 is considered to be part of the security policy; its con‐
2211 tents are not subject to other sudo environment restric‐
2212 tions such as env_keep and env_check.
2213
2214 exempt_group Users in this group are exempt from password and PATH re‐
2215 quirements. The group name specified should not include a
2216 % prefix. This is not set by default.
2217
2218 fdexec Determines whether sudo will execute a command by its path
2219 or by an open file descriptor. It has the following possi‐
2220 ble values:
2221
2222 always Always execute by file descriptor.
2223
2224 never Never execute by file descriptor.
2225
2226 digest_only
2227 Only execute by file descriptor if the command has
2228 an associated digest in the sudoers file.
2229
2230 The default value is digest_only. This avoids a time of
2231 check versus time of use race condition when the command is
2232 located in a directory writable by the invoking user.
2233
2234 Note that fdexec will change the first element of the argu‐
2235 ment vector for scripts ($0 in the shell) due to the way
2236 the kernel runs script interpreters. Instead of being a
2237 normal path, it will refer to a file descriptor. For exam‐
2238 ple, /dev/fd/4 on Solaris and /proc/self/fd/4 on Linux. A
2239 workaround is to use the SUDO_COMMAND environment variable
2240 instead.
2241
2242 The fdexec setting is only used when the command is matched
2243 by path name. It has no effect if the command is matched
2244 by the built-in ALL alias.
2245
2246 This setting is only supported by version 1.8.20 or higher.
2247 If the operating system does not support the fexecve() sys‐
2248 tem call, this setting has no effect.
2249
2250 group_plugin A string containing a sudoers group plugin with optional
2251 arguments. The string should consist of the plugin path,
2252 either fully-qualified or relative to the /usr/libexec/sudo
2253 directory, followed by any configuration arguments the
2254 plugin requires. These arguments (if any) will be passed
2255 to the plugin's initialization function. If arguments are
2256 present, the string must be enclosed in double quotes ("").
2257
2258 For more information see GROUP PROVIDER PLUGINS.
2259
2260 lecture This option controls when a short lecture will be printed
2261 along with the password prompt. It has the following pos‐
2262 sible values:
2263
2264 always Always lecture the user.
2265
2266 never Never lecture the user.
2267
2268 once Only lecture the user the first time they run sudo.
2269
2270 If no value is specified, a value of once is implied.
2271 Negating the option results in a value of never being used.
2272 The default value is once.
2273
2274 lecture_file Path to a file containing an alternate sudo lecture that
2275 will be used in place of the standard lecture if the named
2276 file exists. By default, sudo uses a built-in lecture.
2277
2278 listpw This option controls when a password will be required when
2279 a user runs sudo with the -l option. It has the following
2280 possible values:
2281
2282 all All the user's sudoers file entries for the cur‐
2283 rent host must have the NOPASSWD flag set to
2284 avoid entering a password.
2285
2286 always The user must always enter a password to use the
2287 -l option.
2288
2289 any At least one of the user's sudoers file entries
2290 for the current host must have the NOPASSWD flag
2291 set to avoid entering a password.
2292
2293 never The user need never enter a password to use the
2294 -l option.
2295
2296 If no value is specified, a value of any is implied.
2297 Negating the option results in a value of never being used.
2298 The default value is any.
2299
2300 log_format The event log format. Supported log formats are:
2301
2302 json Logs in JSON format. JSON log entries contain
2303 the full user details as well as the execution
2304 environment if the command was allowed. Due to
2305 limitations of the protocol, JSON events sent via
2306 syslog may be truncated.
2307
2308 sudo Traditional sudo-style logs, see LOG FORMAT for a
2309 description of the log file format.
2310
2311 This setting affects logs sent via syslog(3) as well as the
2312 file specified by the logfile setting, if any. The default
2313 value is sudo.
2314
2315 logfile Path to the sudo log file (not the syslog log file). Set‐
2316 ting a path turns on logging to a file; negating this op‐
2317 tion turns it off. By default, sudo logs via syslog.
2318
2319 mailerflags Flags to use when invoking mailer. Defaults to -t.
2320
2321 mailerpath Path to mail program used to send warning mail. Defaults
2322 to the path to sendmail found at configure time.
2323
2324 mailfrom Address to use for the “from” address when sending warning
2325 and error mail. The address should be enclosed in double
2326 quotes ("") to protect against sudo interpreting the @
2327 sign. Defaults to the name of the user running sudo.
2328
2329 mailto Address to send warning and error mail to. The address
2330 should be enclosed in double quotes ("") to protect against
2331 sudo interpreting the @ sign. Defaults to root.
2332
2333 restricted_env_file
2334 The restricted_env_file option specifies the fully quali‐
2335 fied path to a file containing variables to be set in the
2336 environment of the program being run. Entries in this file
2337 should either be of the form “VARIABLE=value” or “export
2338 VARIABLE=value”. The value may optionally be enclosed in
2339 single or double quotes. Variables in this file are only
2340 added if the variable does not already exist in the envi‐
2341 ronment. Unlike env_file, the file's contents are not
2342 trusted and are processed in a manner similar to that of
2343 the invoking user's environment. If env_reset is enabled,
2344 variables in the file will only be added if they are
2345 matched by either the env_check or env_keep list. If
2346 env_reset is disabled, variables in the file are added as
2347 long as they are not matched by the env_delete list. In
2348 either case, the contents of restricted_env_file are pro‐
2349 cessed before the contents of env_file.
2350
2351 runchroot If set, sudo will use this value for the root directory
2352 when running a command. The special value “*” will allow
2353 the user to specify the root directory via sudo's -R op‐
2354 tion. See the Chroot_Spec section for more details.
2355
2356 It is only possible to use runchroot as a command-specific
2357 Defaults setting if the command exists with the same path
2358 both inside and outside the chroot jail. This restriction
2359 does not apply to generic, host or user-based Defaults set‐
2360 tings or to a Cmnd_Spec that includes a Chroot_Spec.
2361
2362 This setting is only supported by version 1.9.3 or higher.
2363
2364 runcwd If set, sudo will use this value for the working directory
2365 when running a command. The special value “*” will allow
2366 the user to specify the working directory via sudo's -D op‐
2367 tion. See the Chdir_Spec section for more details.
2368
2369 This setting is only supported by version 1.9.3 or higher.
2370
2371 secure_path If set, sudo will use this value in place of the user's
2372 PATH environment variable. This option can be used to re‐
2373 set the PATH to a known good value that contains directo‐
2374 ries for system administrator commands such as /usr/sbin.
2375
2376 Users in the group specified by the exempt_group option are
2377 not affected by secure_path. This option is not set by de‐
2378 fault.
2379
2380 syslog Syslog facility if syslog is being used for logging (negate
2381 to disable syslog logging). Defaults to authpriv.
2382
2383 The following syslog facilities are supported: authpriv (if
2384 your OS supports it), auth, daemon, user, local0, local1,
2385 local2, local3, local4, local5, local6, and local7.
2386
2387 syslog_badpri
2388 Syslog priority to use when the user is not allowed to run
2389 a command or when authentication is unsuccessful. Defaults
2390 to alert.
2391
2392 The following syslog priorities are supported: alert, crit,
2393 debug, emerg, err, info, notice, warning, and none. Negat‐
2394 ing the option or setting it to a value of none will dis‐
2395 able logging of unsuccessful commands.
2396
2397 syslog_goodpri
2398 Syslog priority to use when the user is allowed to run a
2399 command and authentication is successful. Defaults to
2400 notice.
2401
2402 See syslog_badpri for the list of supported syslog priori‐
2403 ties. Negating the option or setting it to a value of none
2404 will disable logging of successful commands.
2405
2406 verifypw This option controls when a password will be required when
2407 a user runs sudo with the -v option. It has the following
2408 possible values:
2409
2410 all All the user's sudoers file entries for the current
2411 host must have the NOPASSWD flag set to avoid en‐
2412 tering a password.
2413
2414 always The user must always enter a password to use the -v
2415 option.
2416
2417 any At least one of the user's sudoers file entries for
2418 the current host must have the NOPASSWD flag set to
2419 avoid entering a password.
2420
2421 never The user need never enter a password to use the -v
2422 option.
2423
2424 If no value is specified, a value of all is implied.
2425 Negating the option results in a value of never being used.
2426 The default value is all.
2427
2428 Lists that can be used in a boolean context:
2429
2430 env_check Environment variables to be removed from the user's en‐
2431 vironment unless they are considered “safe”. For all
2432 variables except TZ, “safe” means that the variable's
2433 value does not contain any ‘%’ or ‘/’ characters. This
2434 can be used to guard against printf-style format vul‐
2435 nerabilities in poorly-written programs. The TZ vari‐
2436 able is considered unsafe if any of the following are
2437 true:
2438
2439 • It consists of a fully-qualified path name, option‐
2440 ally prefixed with a colon (‘:’), that does not
2441 match the location of the zoneinfo directory.
2442
2443 • It contains a .. path element.
2444
2445 • It contains white space or non-printable characters.
2446
2447 • It is longer than the value of PATH_MAX.
2448
2449 The argument may be a double-quoted, space-separated
2450 list or a single value without double-quotes. The list
2451 can be replaced, added to, deleted from, or disabled by
2452 using the =, +=, -=, and ! operators respectively. Re‐
2453 gardless of whether the env_reset option is enabled or
2454 disabled, variables specified by env_check will be pre‐
2455 served in the environment if they pass the aforemen‐
2456 tioned check. The global list of environment variables
2457 to check is displayed when sudo is run by root with the
2458 -V option.
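
The TZ rules above and the generic "no ‘%’ or ‘/’" rule, as an added worked example that is not part of the manual or of sudo's own source. It assumes /usr/share/zoneinfo as the zoneinfo directory (sudo uses the path compiled in at build time) and a constructed sample environment.

```python
import os

# Assumed location of the zoneinfo directory; the real value is fixed at build time.
ZONEINFO_DIR = "/usr/share/zoneinfo"

def path_max():
    """PATH_MAX for the root file system, falling back to the common value."""
    try:
        return os.pathconf("/", "PC_PATH_MAX")
    except (AttributeError, OSError, ValueError):
        return 4096

def tz_is_unsafe(value, zoneinfo_dir=ZONEINFO_DIR, limit=None):
    """Apply the four TZ rules listed under env_check.

    Returns True when the value would be stripped from the environment.
    """
    if limit is None:
        limit = path_max()
    # Longer than PATH_MAX.
    if len(value) > limit:
        return True
    # White space or non-printable characters (ASCII printable range, as the
    # C locale's isprint() would judge it).
    if any(c.isspace() or not 0x20 <= ord(c) < 0x7f for c in value):
        return True
    # A fully-qualified path, optionally prefixed with ':', must point inside
    # the zoneinfo directory.
    path = value[1:] if value.startswith(":") else value
    if path.startswith("/"):
        base = zoneinfo_dir.rstrip("/")
        if path != base and not path.startswith(base + "/"):
            return True
    # A ".." path element anywhere in the value.
    if ".." in path.split("/"):
        return True
    return False

def env_check_value_is_safe(name, value, **kw):
    """Generic env_check rule: TZ gets the rules above; every other variable
    is safe only if its value contains neither '%' nor '/'."""
    if name == "TZ":
        return not tz_is_unsafe(value, **kw)
    return "%" not in value and "/" not in value

def apply_env_check(env, check_list, **kw):
    """Return a copy of env with every variable named in check_list removed
    unless its value passes the check.  Variables that pass are preserved
    whether or not env_reset is in effect."""
    return {name: value for name, value in env.items()
            if name not in check_list or env_check_value_is_safe(name, value, **kw)}

# Constructed sample environment and an assumed subset of the default
# env_check list (the real list is printed by "sudo -V" as root).
SAMPLE_ENV = {"TZ": "/etc/passwd", "COLORTERM": "truecolor",
              "LANG": "en_US.UTF-8", "HOME": "/root"}
SAMPLE_CHECK_LIST = {"TZ", "COLORTERM", "LANG"}
```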
2459
2460 env_delete Environment variables to be removed from the user's en‐
2461 vironment when the env_reset option is not in effect.
2462 The argument may be a double-quoted, space-separated
2463 list or a single value without double-quotes. The list
2464 can be replaced, added to, deleted from, or disabled by
2465 using the =, +=, -=, and ! operators respectively. The
2466 global list of environment variables to remove is dis‐
2467 played when sudo is run by root with the -V option.
2468 Note that many operating systems will remove poten‐
2469 tially dangerous variables from the environment of any
2470 set-user-ID process (such as sudo).
2471
2472 env_keep Environment variables to be preserved in the user's en‐
2473 vironment when the env_reset option is in effect. This
2474 allows fine-grained control over the environment
2475 sudo-spawned processes will receive. The argument may
2476 be a double-quoted, space-separated list or a single
2477 value without double-quotes. The list can be replaced,
2478 added to, deleted from, or disabled by using the =, +=,
2479 -=, and ! operators respectively. The global list of
2480 variables to keep is displayed when sudo is run by root
2481 with the -V option.
2482
2483 Preserving the HOME environment variable has security
2484 implications since many programs use it when searching
2485 for configuration or data files. Adding HOME to
2486 env_keep may enable a user to run unrestricted commands
2487 via sudo and is strongly discouraged. Users wishing to
2488 edit files with sudo should run sudoedit (or sudo -e)
2489 to get their accustomed editor configuration instead of
2490 invoking the editor directly.
2491
2492 log_servers A list of one or more servers to use for remote event
2493 and I/O log storage, separated by white space. Log
2494 servers must be running sudo_logsrvd or another service
2495 that implements the protocol described by
2496 sudo_logsrv.proto(5).
2497
2498 Server addresses should be of the form
2499 “host[:port][(tls)]”. The host portion may be a host
2500 name, an IPv4 address, or an IPv6 address in square
2501 brackets.
2502
2503 If the optional tls flag is present, the connection
2504 will be secured with Transport Layer Security (TLS)
2505 version 1.2 or 1.3. Versions of TLS prior to 1.2 are
2506 not supported.
2507
2508 If a port is specified, it may either be a port number
2509 or a well-known service name as defined by the system
2510 service name database. If no port is specified, port
2511 30343 will be used for plaintext connections and port
2512 30344 will be used for TLS connections.
2513
2514 When log_servers is set, event log data will be logged
2515 both locally (see the syslog and log_file settings) as
2516 well as remotely, but I/O log data will only be logged
2517 remotely. If multiple hosts are specified, they will
2518 be attempted in reverse order. If no log servers are
2519 available, the user will not be able to run a command
2520 unless either the ignore_iolog_errors flag (I/O logging
2521 enabled) or the ignore_log_errors flag (I/O logging
2522 disabled) is set. Likewise, if the connection to the
2523 log server is interrupted while sudo is running, the
2524 command will be terminated unless the
2525 ignore_iolog_errors flag (I/O logging enabled) or the
2526 ignore_log_errors flag (I/O logging disabled) is set.
2527
2528 This setting is only supported by version 1.9.0 or
2529 higher.
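
The “host[:port][(tls)]” address syntax and the reverse attempt order, as an added example that is not part of the manual or of sudo's own code. A service name is returned unresolved for the caller to look up in the system service database; the sample addresses are constructed.

```python
import ipaddress
import re

PLAINTEXT_PORT = 30343   # default port for plaintext connections
TLS_PORT = 30344         # default port for TLS connections

def parse_log_server(spec):
    """Parse one log server address of the form host[:port][(tls)].

    Returns a dict with keys host, port and tls.  port is an int when
    numeric; a service name is returned unchanged for the caller to resolve
    (for example with socket.getservbyname()).
    """
    tls = spec.endswith("(tls)")
    if tls:
        spec = spec[:-len("(tls)")]
    # An IPv6 address must be enclosed in square brackets so that its
    # colons are not mistaken for the port separator.
    m = re.fullmatch(r"\[([^\]]+)\](?::(.+))?", spec)
    if m:
        host, port = m.group(1), m.group(2)
        ipaddress.IPv6Address(host)  # raises ValueError if not a valid literal
    elif spec.count(":") > 1:
        raise ValueError(f"IPv6 address must be in square brackets: {spec!r}")
    else:
        host, _, port = spec.partition(":")
        port = port or None
    if not host:
        raise ValueError(f"missing host in log server address: {spec!r}")
    if port is None:
        port = TLS_PORT if tls else PLAINTEXT_PORT
    elif port.isdigit():
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
    return {"host": host, "port": port, "tls": tls}

def parse_log_servers(value):
    """Split a white-space separated log_servers value and return the
    servers in the order sudoers will try them: the reverse of how they
    are listed."""
    servers = [parse_log_server(s) for s in value.split()]
    return servers[::-1]

# Constructed sample setting (not from a real configuration).
SAMPLE_LOG_SERVERS = "logsrv.example.com [2001:db8::1]:6514(tls) 10.0.0.5(tls)"
```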
2530 
2531 GROUP PROVIDER PLUGINS
2532 The sudoers plugin supports its own plugin interface to allow non-Unix
2533 group lookups which can query a group source other than the standard Unix
2534 group database. This can be used to implement support for the
2535 nonunix_group syntax described earlier.
2536
2537 Group provider plugins are specified via the group_plugin setting. The
2538 argument to group_plugin should consist of the plugin path, either fully-
2539 qualified or relative to the /usr/libexec/sudo directory, followed by any
2540 configuration options the plugin requires. These options (if specified)
2541 will be passed to the plugin's initialization function. If options are
2542 present, the string must be enclosed in double quotes ("").
2543
2544 The following group provider plugins are installed by default:
2545
2546 group_file
2547 The group_file plugin supports an alternate group file that
2548 uses the same syntax as the /etc/group file. The path to the
2549 group file should be specified as an option to the plugin. For
2550 example, if the group file to be used is /etc/sudo-group:
2551
2552 Defaults group_plugin="group_file.so /etc/sudo-group"
2553
2554 system_group
2555 The system_group plugin supports group lookups via the standard
2556 C library functions getgrnam() and getgrgid(). This plugin can
2557 be used in instances where the user belongs to groups not
2558 present in the user's supplemental group vector. This plugin
2559 takes no options:
2560
2561 Defaults group_plugin=system_group.so
2562
2563 The group provider plugin API is described in detail in sudo_plugin(5).
2564 
2565 LOG FORMAT
2566 sudoers can log events in either JSON or sudo format; this section de‐
2567 scribes the sudo log format. Depending on sudoers configuration, sudoers
2568 can log events via syslog(3), to a local log file, or both. The log for‐
2569 mat is almost identical in both cases.
2570
2571 Accepted command log entries
2572 Commands that sudo runs are logged using the following format (split into
2573 multiple lines for readability):
2574
2575 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
2576 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2577 ENV=env_vars COMMAND=command
2578
2579 Where the fields are as follows:
2580
2581 date The date the command was run. Typically, this is in the
2582 format “MMM, DD, HH:MM:SS”. If logging via syslog(3), the
2583 actual date format is controlled by the syslog daemon. If
2584 logging to a file and the log_year option is enabled, the
2585 date will also include the year.
2586
2587 hostname The name of the host sudo was run on. This field is only
2588 present when logging via syslog(3).
2589
2590 progname The name of the program, usually sudo or sudoedit. This
2591 field is only present when logging via syslog(3).
2592
2593 username The login name of the user who ran sudo.
2594
2595 ttyname The short name of the terminal (e.g., “console”, “tty01”,
2596 or “pts/0”) sudo was run on, or “unknown” if there was no
2597 terminal present.
2598
2599 cwd The current working directory that sudo was run in.
2600
2601 runasuser The user the command was run as.
2602
2603 runasgroup The group the command was run as if one was specified on
2604 the command line.
2605
2606 logid An I/O log identifier that can be used to replay the com‐
2607 mand's output. This is only present when the log_input or
2608 log_output option is enabled.
2609
2610 env_vars A list of environment variables specified on the command
2611 line, if specified.
2612
2613 command The actual command that was executed.
2614
2615 Messages are logged using the locale specified by sudoers_locale, which
2616 defaults to the “C” locale.
2617
2618 Denied command log entries
2619 If the user is not allowed to run the command, the reason for the denial
2620 will follow the user name. Possible reasons include:
2621
2622 user NOT in sudoers
2623 The user is not listed in the sudoers file.
2624
2625 user NOT authorized on host
2626 The user is listed in the sudoers file but is not allowed to run com‐
2627 mands on the host.
2628
2629 command not allowed
2630 The user is listed in the sudoers file for the host but they are not
2631 allowed to run the specified command.
2632
2633 3 incorrect password attempts
2634 The user failed to enter their password after 3 tries. The actual num‐
2635 ber of tries will vary based on the number of failed attempts and the
2636 value of the passwd_tries option.
2637
2638 a password is required
2639 The -n option was specified but a password was required.
2640
2641 sorry, you are not allowed to set the following environment variables
2642 The user specified environment variables on the command line that were
2643 not allowed by sudoers.
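
A parser for the accepted and denied entry formats above, as an added example that is not part of the manual or of sudo's own tooling. It handles the syslog(3) form (date, hostname and progname present) and the logfile form (date, optionally with year, followed by “ : ”), and the sample lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Keys sudoers writes as "KEY=value" fields, from the format description above.
FIELD_ATTRS = {"TTY": "tty", "PWD": "pwd", "USER": "runas_user",
               "GROUP": "runas_group", "TSID": "tsid"}

# syslog(3) form: "date hostname progname: username : ...".  The syslog daemon
# supplies date/hostname; some daemons append "[pid]" to the program name.
_SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<progname>sudo(?:edit)?)(?:\[\d+\])?:\s+(?P<rest>.*)$")
# logfile form: no hostname/progname; the date carries a year when log_year is set.
_FILE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?: \d{4})?) : (?P<rest>.*)$")

@dataclass
class SudoLogEntry:
    date: str
    username: str
    command: str
    hostname: Optional[str] = None
    progname: Optional[str] = None
    reason: Optional[str] = None        # denial reason; None when accepted
    tty: Optional[str] = None
    pwd: Optional[str] = None
    runas_user: Optional[str] = None
    runas_group: Optional[str] = None
    tsid: Optional[str] = None
    env_vars: List[str] = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return self.reason is None

def parse_sudo_log_line(line: str) -> SudoLogEntry:
    """Parse one sudo-format event log line in syslog or logfile form."""
    line = line.rstrip("\n")
    m = _SYSLOG_RE.match(line) or _FILE_RE.match(line)
    if not m:
        raise ValueError(f"not a sudo log line: {line!r}")
    username, sep, tail = m.group("rest").partition(" : ")
    if not sep:
        raise ValueError(f"missing ' : ' after user name: {line!r}")
    # Everything after the first COMMAND= is the command, verbatim, so a
    # command that itself contains " ; " is not split apart.
    head, sep, command = tail.partition("COMMAND=")
    if not sep:
        raise ValueError(f"missing COMMAND= field: {line!r}")
    groups = m.groupdict()
    entry = SudoLogEntry(date=groups["date"], username=username.strip(),
                         command=command, hostname=groups.get("hostname"),
                         progname=groups.get("progname"))
    for segment in filter(None, (s.strip() for s in head.split(" ; "))):
        key, eq, value = segment.partition("=")
        if eq and key in FIELD_ATTRS:
            setattr(entry, FIELD_ATTRS[key], value)
        elif eq and key == "ENV":
            entry.env_vars = value.split()
        elif entry.reason is None:
            # A segment without a known key follows the user name only when
            # the command was denied: it is the denial reason.
            entry.reason = segment
        else:
            raise ValueError(f"unexpected field {segment!r} in {line!r}")
    return entry

def denied_commands_by_user(lines):
    """Count denied entries per invoking user, a quick signal of users
    probing for privileges or of repeated password failures."""
    counts = {}
    for line in lines:
        entry = parse_sudo_log_line(line)
        if not entry.accepted:
            counts[entry.username] = counts.get(entry.username, 0) + 1
    return counts

# Constructed sample entries (not real log data).
SAMPLE_LINES = [
    "Mar  4 10:12:33 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  4 10:13:01 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; "
    "PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  4 10:14:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "GROUP=wheel ; TSID=000001 ; ENV=FOO=bar BAZ=1 COMMAND=/usr/bin/id",
    "Mar  4 10:15:40 host1 sudo:    carol : 3 incorrect password attempts ; "
    "TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/passwd root",
    "Mar  4 10:16:12 2024 :    bob : command not allowed ; TTY=pts/1 ; "
    "PWD=/home/bob ; USER=root ; COMMAND=/bin/sh -c ls ; id",
]
```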
2644
2645 Error log entries
2646 If an error occurs, sudoers will log a message and, in most cases, send a
2647 message to the administrator via email. Possible errors include:
2648
2649 parse error in /etc/sudoers near line N
2650 sudoers encountered an error when parsing the specified file. In some
2651 cases, the actual error may be one line above or below the line number
2652 listed, depending on the type of error.
2653
2654 problem with defaults entries
2655 The sudoers file contains one or more unknown Defaults settings. This
2656 does not prevent sudo from running, but the sudoers file should be
2657 checked using visudo.
2658
2659 timestamp owner (username): No such user
2660 The time stamp directory owner, as specified by the timestampowner set‐
2661 ting, could not be found in the password database.
2662
2663 unable to open/read /etc/sudoers
2664 The sudoers file could not be opened for reading. This can happen when
2665 the sudoers file is located on a remote file system that maps user-ID 0
2666 to a different value. Normally, sudoers tries to open the sudoers file
2667 using group permissions to avoid this problem. Consider either chang‐
2668 ing the ownership of /etc/sudoers or adding an argument like
2669 “sudoers_uid=N” (where ‘N’ is the user-ID that owns the sudoers file)
2670 to the end of the sudoers Plugin line in the sudo.conf(5) file.
2671
2672 unable to stat /etc/sudoers
2673 The /etc/sudoers file is missing.
2674
2675 /etc/sudoers is not a regular file
2676 The /etc/sudoers file exists but is not a regular file or symbolic
2677 link.
2678
2679 /etc/sudoers is owned by uid N, should be 0
2680 The sudoers file has the wrong owner. If you wish to change the
2681 sudoers file owner, please add “sudoers_uid=N” (where ‘N’ is the user-
2682 ID that owns the sudoers file) to the sudoers Plugin line in the
2683 sudo.conf(5) file.
2684
2685 /etc/sudoers is world writable
2686 The permissions on the sudoers file allow all users to write to it.
2687 The sudoers file must not be world-writable; the default file mode is
2688 0440 (readable by owner and group, writable by none). The default mode
2689 may be changed via the “sudoers_mode” option to the sudoers Plugin line
2690 in the sudo.conf(5) file.
2691
2692 /etc/sudoers is owned by gid N, should be 1
2693 The sudoers file has the wrong group ownership. If you wish to change
2694 the sudoers file group ownership, please add “sudoers_gid=N” (where ‘N’
2695 is the group-ID that owns the sudoers file) to the sudoers Plugin line
2696 in the sudo.conf(5) file.
2697
2698 unable to open /run/sudo/ts/username
2699 sudoers was unable to read or create the user's time stamp file. This
2700 can happen when timestampowner is set to a user other than root and the
2701 mode on /run/sudo is not searchable by group or other. The default
2702 mode for /run/sudo is 0711.
2703
2704 unable to write to /run/sudo/ts/username
2705 sudoers was unable to write to the user's time stamp file.
2706
2707 /run/sudo/ts is owned by uid X, should be Y
2708 The time stamp directory is owned by a user other than timestampowner.
2709 This can occur when the value of timestampowner has been changed.
2710 sudoers will ignore the time stamp directory until the owner is cor‐
2711 rected.
2712
2713 /run/sudo/ts is group writable
2714 The time stamp directory is group-writable; it should be writable only
2715 by timestampowner. The default mode for the time stamp directory is
2716 0700. sudoers will ignore the time stamp directory until the mode is
2717 corrected.
2718
2719 Notes on logging via syslog
2720 By default, sudoers logs messages via syslog(3). The date, hostname, and
2721 progname fields are added by the system's syslog() function, not sudoers
2722 itself. As such, they may vary in format on different systems.
2723
2724 The maximum size of syslog messages varies from system to system. The
2725 syslog_maxlen setting can be used to change the maximum syslog message
2726 size from the default value of 980 bytes. For more information, see the
2727 description of syslog_maxlen.
2728
2729 Notes on logging to a file
2730 If the logfile option is set, sudoers will log to a local file, such as
2731 /var/log/sudo. When logging to a file, sudoers uses a format similar to
2732 syslog(3), with a few important differences:
2733
2734 1. The progname and hostname fields are not present.
2735
2736 2. If the log_year option is enabled, the date will also include the
2737 year.
2738
2739 3. Lines that are longer than loglinelen characters (80 by default) are
2740 word-wrapped and continued on the next line with a four character
2741 indent. This makes entries easier to read for a human being, but
2742 makes it more difficult to use grep(1) on the log files. If the
2743 loglinelen option is set to 0 (or negated with a ‘!’), word wrap
2744 will be disabled.
2745 
2746 I/O LOG FILES
2747 When I/O logging is enabled, sudo will run the command in a pseudo-termi‐
2748 nal and log all user input and/or output, depending on which options are
2749 enabled. I/O can be logged either to the local machine or to a remote
2750 log server. For local logs, I/O is logged to the directory specified by
2751 the iolog_dir option (/var/log/sudo-io by default) using a unique session
2752 ID that is included in the sudo log line, prefixed with “TSID=”. The
2753 iolog_file option may be used to control the format of the session ID.
2754 For remote logs, the log_servers setting is used to specify one or more
2755 log servers running sudo_logsrvd or another server that implements the
2756 protocol described by sudo_logsrv.proto(5).
2757
2758 For both local and remote I/O logs, each log is stored in a separate di‐
2759 rectory that contains the following files:
2760
2761 log A text file containing information about the command. The
2762 first line consists of the following colon-delimited fields:
2763 the time the command was run, the name of the user who ran
2764 sudo, the name of the target user, the name of the target group
2765 (optional), the terminal that sudo was run from, and the number
2766 of lines and columns of the terminal. The second and third
2767 lines contain the working directory the command was run from
2768 and the path name of the command itself (with arguments if
2769 present).
2770
2771 log.json A JSON-formatted file containing information about the command.
2772 This is similar to the log file but contains additional infor‐
2773 mation and is easily extensible. The log.json file will be
2774 used by sudoreplay(8) in preference to the log file if it ex‐
2775 ists. The file may contain the following elements:
2776
2777 timestamp
2778 A JSON object containing the time the command was run.
2779 It consists of two values, seconds and nanoseconds.
2780
2781 columns The number of columns of the terminal the command ran
2782 on, or zero if no terminal was present.
2783
2784 command The fully-qualified path of the command that was run.
2785
2786 lines The number of lines of the terminal the command ran
2787 on, or zero if no terminal was present.
2788
2789 runargv A JSON array representing the command's argument vec‐
2790 tor as passed to the execve() system call.
2791
2792 runenv A JSON array representing the command's environment
2793 as passed to the execve() system call.
2794
2795 rungid The group ID the command ran as. This element is
2796 only present when the user specifies a group on the
2797 command line.
2798
2799 rungroup The name of the group the command ran as. This ele‐
2800 ment is only present when the user specifies a group
2801 on the command line.
2802
2803 runuid The user ID the command ran as.
2804
2805 runuser The name of the user the command ran as.
2806
2807 submitcwd
2808 The current working directory at the time sudo was
2809 run.
2810
2811 submithost
2812 The name of the host the command was run on.
2813
2814 submituser
2815 The name of the user who ran the command via sudo.
2816
2817 ttyname The path name of the terminal the user invoked sudo
2818 from. If the command was run in a pseudo-terminal,
2819 ttyname will be different from the terminal the com‐
2820 mand actually ran in.
2821
2822 timing Timing information used to replay the session. Each line con‐
2823 sists of the I/O log entry type and amount of time since the
2824 last entry, followed by type-specific data. The I/O log entry
2825 types and their corresponding type-specific data are:
2826
2827 0 standard input, number of bytes in the entry
2828 1 standard output, number of bytes in the entry
2829 2 standard error, number of bytes in the entry
2830 3 terminal input, number of bytes in the entry
2831 4 terminal output, number of bytes in the entry
2832 5 window change, new number of lines and columns
2833 6 bug compatibility for sudo 1.8.7 terminal output
2834 7 command suspend or resume, signal received
2835
2836 ttyin Raw input from the user's terminal, exactly as it was received.
2837 No post-processing is performed. For manual viewing, you may
2838 wish to convert carriage return characters in the log to line
2839 feeds. For example: ‘gunzip -c ttyin | tr "\r" "\n"’
2840
2841 stdin The standard input when no terminal is present, or input redi‐
2842 rected from a pipe or file.
2843
2844 ttyout Output from the pseudo-terminal (what the command writes to the
2845 screen). Note that terminal-specific post-processing is per‐
2846 formed before the data is logged. This means that, for exam‐
2847 ple, line feeds are usually converted to line feed/carriage re‐
2848 turn pairs and tabs may be expanded to spaces.
2849
2850 stdout The standard output when no terminal is present, or output
2851 redirected to a pipe or file.
2852
2853 stderr The standard error redirected to a pipe or file.
2854
2855 All files other than log are compressed in gzip format unless the
2856 compress_io flag has been disabled. Due to buffering, it is not normally
2857 possible to display the I/O logs in real-time as the program is execut‐
2858 ing. The I/O log data will not be complete until the program run by sudo
2859 has exited or has been terminated by a signal. The iolog_flush flag can
2860 be used to disable buffering, in which case I/O log data is written to
2861 disk as soon as it is available. The output portion of an I/O log file
2862 can be viewed with the sudoreplay(8) utility, which can also be used to
2863 list or search the available logs.
2864
2865 Note that user input may contain sensitive information such as passwords
2866 (even if they are not echoed to the screen), which will be stored in the
2867 log file unencrypted. In most cases, logging the command output via
2868 log_output or LOG_OUTPUT is all that is required.
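As an added example (not part of the sudoers manual or the sudo project), the Python below summarizes one I/O log session from the log.json elements and timing records described above, opens files transparently whether or not compress_io left them gzip-compressed, and reports whether raw terminal input (ttyin, which may hold typed passwords) was captured. The sample log.json and timing lines are constructed; the field order of window-change entries (lines, then columns) and the verbatim signal field of suspend/resume entries are assumptions.

```python
import gzip
import json
import os
from dataclasses import dataclass, field
from typing import Optional

# Timing entry types as listed above; 6 is the sudo 1.8.7 terminal-output
# compatibility entry and is counted together with ttyout here.
STREAMS = {0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin", 4: "ttyout", 6: "ttyout"}
WINCH, SIGNAL = 5, 7

@dataclass
class Session:
    command: str
    submituser: str
    runuser: str
    rungroup: Optional[str]   # only present when a group was given on the command line
    ttyname: Optional[str]
    started: float            # epoch seconds, from the log.json "timestamp" object
    duration: float           # sum of the delays in the timing file
    nbytes: dict = field(default_factory=dict)   # bytes logged per stream
    winch: list = field(default_factory=list)    # (lines, columns) window changes
    signals: list = field(default_factory=list)  # suspend/resume signals

def parse_timing(lines):
    """Parse 'type delay type-specific-data' records from the timing file."""
    duration, nbytes, winch, signals = 0.0, {}, [], []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        etype, delay = int(fields[0]), float(fields[1])
        duration += delay
        if etype in STREAMS:
            name = STREAMS[etype]
            nbytes[name] = nbytes.get(name, 0) + int(fields[2])
        elif etype == WINCH:    # assumed field order: new lines, then columns
            winch.append((int(fields[2]), int(fields[3])))
        elif etype == SIGNAL:   # assumed: the signal name is stored verbatim
            signals.append(fields[2])
        else:
            raise ValueError(f"unknown timing entry type {etype}")
    return duration, nbytes, winch, signals

def summarize(log_json_text, timing_lines):
    """Combine the log.json elements with the timing records of one session."""
    d = json.loads(log_json_text)
    ts = d["timestamp"]
    duration, nbytes, winch, signals = parse_timing(timing_lines)
    return Session(command=d["command"], submituser=d["submituser"],
                   runuser=d["runuser"], rungroup=d.get("rungroup"),
                   ttyname=d.get("ttyname"),
                   started=ts["seconds"] + ts.get("nanoseconds", 0) / 1e9,
                   duration=duration, nbytes=nbytes, winch=winch, signals=signals)

def open_iolog(path):
    """Open an I/O log file, whether or not compress_io left it gzip-compressed."""
    with open(path, "rb") as f:
        compressed = f.read(2) == b"\x1f\x8b"
    return gzip.open(path, "rt") if compressed else open(path, "r")

def summarize_dir(session_dir):
    """Summarize one session directory, e.g. /var/log/sudo-io/00/00/01."""
    with open_iolog(os.path.join(session_dir, "log.json")) as f:
        log_json = f.read()
    with open_iolog(os.path.join(session_dir, "timing")) as f:
        return summarize(log_json, f.read().splitlines())

def sensitive_input_logged(session):
    """True when raw terminal input (which may contain typed passwords) was kept."""
    return session.nbytes.get("ttyin", 0) > 0

# Constructed sample data for a vi session; not taken from a real system.
SAMPLE_LOG_JSON = """{
  "timestamp": {"seconds": 1631000000, "nanoseconds": 500000000},
  "columns": 80, "lines": 24, "command": "/usr/bin/vi",
  "runargv": ["vi", "/etc/hosts"], "runenv": ["TERM=xterm"],
  "runuid": 0, "runuser": "root", "submitcwd": "/home/alice",
  "submithost": "shanty", "submituser": "alice", "ttyname": "/dev/pts/3"
}"""
SAMPLE_TIMING = """4 0.010000 512
3 2.345678 3
4 0.001234 7
5 0.500000 50 132
7 1.000000 TSTP
3 0.750000 12
4 0.020000 1024""".splitlines()
```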
2869
2870 Since each session's I/O logs are stored in a separate directory, tradi‐
2871 tional log rotation utilities cannot be used to limit the number of I/O
2872 logs. The simplest way to limit the number of I/O logs is by setting the
2873 maxseq option to the maximum number of logs you wish to store. Once the
2874 I/O log sequence number reaches maxseq, it will be reset to zero and
2875 sudoers will truncate and re-use any existing I/O logs.
2876
2877 FILES
2878 /etc/sudo.conf Sudo front end configuration
2879
2880 /etc/sudoers List of who can run what
2881
2882 /etc/group Local groups file
2883
2884 /etc/netgroup List of network groups
2885
2886 /var/log/sudo-io I/O log files
2887
2888 /run/sudo/ts Directory containing time stamps for the
2889 sudoers security policy
2890
2891 /var/db/sudo/lectured Directory containing lecture status files for
2892 the sudoers security policy
2893
2894 /etc/environment Initial environment for -i mode on AIX and
2895 Linux systems
2896
2897 EXAMPLES
2898 Below are example sudoers file entries. Admittedly, some of these are a
2899 bit contrived. First, we allow a few environment variables to pass and
2900 then define our aliases:
2901
2902 # Run X applications through sudo; HOME is used to find the
2903 # .Xauthority file. Note that other programs use HOME to find
2904 # configuration files and this may lead to privilege escalation!
2905 Defaults env_keep += "DISPLAY HOME"
2906
2907 # User alias specification
2908 User_Alias FULLTIMERS = millert, mikef, dowdy
2909 User_Alias PARTTIMERS = bostley, jwfox, crawl
2910 User_Alias WEBADMIN = will, wendy, wim
2911
2912 # Runas alias specification
2913 Runas_Alias OP = root, operator
2914 Runas_Alias DB = oracle, sybase
2915 Runas_Alias ADMINGRP = adm, oper
2916
2917 # Host alias specification
2918 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
2919 SGI = grolsch, dandelion, black :\
2920 ALPHA = widget, thalamus, foobar :\
2921 HPPA = boa, nag, python
2922 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
2923 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
2924 Host_Alias SERVERS = primary, mail, www, ns
2925 Host_Alias CDROM = orion, perseus, hercules
2926
2927 # Cmnd alias specification
2928 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
2929 /usr/sbin/restore, /usr/sbin/rrestore,\
2930 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
2931 /home/operator/bin/start_backups
2932 Cmnd_Alias KILL = /usr/bin/kill
2933 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
2934 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
2935 Cmnd_Alias HALT = /usr/sbin/halt
2936 Cmnd_Alias REBOOT = /usr/sbin/reboot
2937 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
2938 /usr/local/bin/tcsh, /usr/bin/rsh,\
2939 /usr/local/bin/zsh
2940 Cmnd_Alias SU = /usr/bin/su
2941 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
2942
2943 Here we override some of the compiled in default values. We want sudo to
2944 log via syslog(3) using the auth facility in all cases and for commands
2945 to be run with the target user's home directory as the working directory.
2946 We don't want to subject the full time staff to the sudo lecture and we
2947 want to allow them to run commands in a chroot(2) “sandbox” via the -R
2948 option. User millert need not provide a password and we don't want to
2949 reset the LOGNAME or USER environment variables when running commands as
2950 root. Additionally, on the machines in the SERVERS Host_Alias, we keep
2951 an additional local log file and make sure we log the year in each log
2952 line since the log entries will be kept around for several years.
2953 Lastly, we disable shell escapes for the commands in the PAGERS
2954 Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). Note that
2955 this will not effectively constrain users with sudo ALL privileges.
2956
2957 # Override built-in defaults
2958 Defaults syslog=auth,runcwd=~
2959 Defaults>root !set_logname
2960 Defaults:FULLTIMERS !lecture,runchroot=*
2961 Defaults:millert !authenticate
2962 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
2963 Defaults!PAGERS noexec
2964
2965 The User specification is the part that actually determines who may run
2966 what.
2967
2968 root ALL = (ALL) ALL
2969 %wheel ALL = (ALL) ALL
2970
2971 We let root and any user in group wheel run any command on any host as
2972 any user.
2973
2974 FULLTIMERS ALL = NOPASSWD: ALL
2975
2976 Full time sysadmins (millert, mikef, and dowdy) may run any command on
2977 any host without authenticating themselves.
2978
2979 PARTTIMERS ALL = ALL
2980
2981 Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
2982 host but they must authenticate themselves first (since the entry lacks
2983 the NOPASSWD tag).
2984
2985 jack CSNETS = ALL
2986
2987 The user jack may run any command on the machines in the CSNETS alias
2988 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
2989 networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
2990 indicating it is a class C network. For the other networks in CSNETS,
2991 the local machine's netmask will be used during matching.
2992
2993 lisa CUNETS = ALL
2994
2995 The user lisa may run any command on any host in the CUNETS alias (the
2996 class B network 128.138.0.0).
2997
2998 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
2999 sudoedit /etc/printcap, /usr/oper/bin/
3000
3001 The operator user may run commands limited to simple maintenance. Here,
3002 those are commands related to backups, killing processes, the printing
3003 system, shutting down the system, and any commands in the directory
3004 /usr/oper/bin/. Note that one command in the DUMPS Cmnd_Alias includes a
3005 sha224 digest, /home/operator/bin/start_backups. This is because the di‐
3006 rectory containing the script is writable by the operator user. If the
3007 script is modified (resulting in a digest mismatch) it will no longer be
3008 possible to run it via sudo.
3009
3010 joe ALL = /usr/bin/su operator
3011
3012 The user joe may only su(1) to operator.
3013
3014 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
3015
3016 %opers ALL = (: ADMINGRP) /usr/sbin/
3017
3018 Users in the opers group may run commands in /usr/sbin/ as themselves
3019 with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
3020
3021 The user pete is allowed to change anyone's password except for root on
3022 the HPPA machines. Because command line arguments are matched as a sin‐
3023 gle, concatenated string, the ‘*’ wildcard will match multiple words.
3024 This example assumes that passwd(1) does not take multiple user names on
3025 the command line. Note that on GNU systems, options to passwd(1) may be
3026 specified after the user argument. As a result, this rule will also al‐
3027 low:
3028
3029 passwd username --expire
3030
3031 which may not be desirable.
3032
3033 bob SPARC = (OP) ALL : SGI = (OP) ALL
3034
3035 The user bob may run anything on the SPARC and SGI machines as any user
3036 listed in the OP Runas_Alias (root and operator).
3037
3038 jim +biglab = ALL
3039
3040 The user jim may run any command on machines in the biglab netgroup.
3041 sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
3042
3043 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3044
3045 Users in the secretaries netgroup need to help manage the printers as
3046 well as add and remove users, so they are allowed to run those commands
3047 on all machines.
3048
3049 fred ALL = (DB) NOPASSWD: ALL
3050
3051 The user fred can run commands as any user in the DB Runas_Alias (oracle
3052 or sybase) without giving a password.
3053
3054 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3055
3056 On the ALPHA machines, user john may su to anyone except root but he is
3057 not allowed to specify any options to the su(1) command.
3058
3059 jen ALL, !SERVERS = ALL
3060
3061 The user jen may run any command on any machine except for those in the
3062 SERVERS Host_Alias (primary, mail, www and ns).
3063
3064 jill SERVERS = /usr/bin/, !SU, !SHELLS
3065
3066 For any machine in the SERVERS Host_Alias, jill may run any commands in
3067 the directory /usr/bin/ except for those commands belonging to the SU and
3068 SHELLS Cmnd_Aliases. While not specifically mentioned in the rule, the
3069 commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
3070 noexec option set.
3071
3072 steve CSNETS = (operator) /usr/local/op_commands/
3073
3074 The user steve may run any command in the directory /usr/local/op_com‐
3075 mands/ but only as user operator.
3076
3077 matt valkyrie = KILL
3078
3079 On his personal workstation, valkyrie, matt needs to be able to kill hung
3080 processes.
3081
3082 WEBADMIN www = (www) ALL, (root) /usr/bin/su www
3083
3084 On the host www, any user in the WEBADMIN User_Alias (will, wendy, and
3085 wim), may run any command as user www (which owns the web pages) or sim‐
3086 ply su(1) to www.
3087
3088 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
3089 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3090
3091 Any user may mount or unmount a CD-ROM on the machines in the CDROM
3092 Host_Alias (orion, perseus, hercules) without entering a password. This
3093 is a bit tedious for users to type, so it is a prime candidate for encap‐
3094 sulating in a shell script.
3095
3096 SECURITY NOTES
3097 Limitations of the ‘!’ operator
3098 It is generally not effective to “subtract” commands from ALL using the
3099 ‘!’ operator. A user can trivially circumvent this by copying the de‐
3100 sired command to a different name and then executing that. For example:
3101
3102 bill ALL = ALL, !SU, !SHELLS
3103
3104 Doesn't really prevent bill from running the commands listed in SU or
3105 SHELLS since he can simply copy those commands to a different name, or
3106 use a shell escape from an editor or other program. Therefore, these
3107 kinds of restrictions should be considered advisory at best (and
3108 reinforced by policy).
3109
3110 In general, if a user has sudo ALL there is nothing to prevent them from
3111 creating their own program that gives them a root shell (or making their
3112 own copy of a shell) regardless of any ‘!’ elements in the user specifi‐
3113 cation.
3114
3115 Security implications of fast_glob
3116 If the fast_glob option is in use, it is not possible to reliably negate
3117 commands where the path name includes globbing (aka wildcard) characters.
3118 This is because the C library's fnmatch(3) function cannot resolve rela‐
3119 tive paths. While this is typically only an inconvenience for rules that
3120 grant privileges, it can result in a security issue for rules that sub‐
3121 tract or revoke privileges.
3122
3123 For example, given the following sudoers file entry:
3124
3125 john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
3126 /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3127
3128 User john can still run /usr/bin/passwd root if fast_glob is enabled by
3129 changing to /usr/bin and running ./passwd root instead.
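Both caveats above (subtracting commands from ALL with ‘!’, and negating a command whose path name contains wildcards when fast_glob is enabled) can be flagged when reviewing a sudoers file. The following audit script is an added example, not part of sudo: it parses only the subset of the grammar used here (Cmnd_Alias definitions, backslash continuations, user specifications with an optional (runas) prefix and tags), treats ‘#’ as starting a comment, and runs over a constructed sudoers fragment built from entries on this page.

```python
import re

GLOB_CHARS = set("*?[")

def logical_lines(text):
    """Yield sudoers lines with '#' comments removed and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # assumption: no '#' inside arguments
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def split_cmnds(cmndlist):
    """Split a command list on commas; '\\,' is a literal comma inside an argument."""
    return [c.strip() for c in re.split(r"(?<!\\),", cmndlist) if c.strip()]

def strip_runas_and_tags(entry):
    entry = re.sub(r"^\([^)]*\)\s*", "", entry)    # drop a (runas) prefix
    return re.sub(r"^(?:[A-Z]+:\s*)+", "", entry)  # drop NOPASSWD:, NOEXEC:, ... tags

def parse_sudoers(text):
    """Return Cmnd_Alias definitions and (user, hosts, [cmnd...]) user specifications."""
    aliases, specs = {}, []
    for line in logical_lines(text):
        if line.startswith("Defaults") or "=" not in line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, rhs = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = split_cmnds(rhs)   # assumption: one alias per line
            continue
        if re.match(r"^(User|Runas|Host)_Alias", line):
            continue
        user, rest = line.split(None, 1)
        for section in re.split(r"\s:\s", rest):      # 'host = cmnds : host = cmnds'
            hosts, cmndlist = section.split("=", 1)
            specs.append((user, hosts.strip(), split_cmnds(cmndlist)))
    return aliases, specs

def expand(cmnd, aliases, depth=0):
    """Expand a Cmnd_Alias name into its members (aliases may nest)."""
    if cmnd in aliases and depth < 16:
        return [m for member in aliases[cmnd] for m in expand(member, aliases, depth + 1)]
    return [cmnd]

def audit(text):
    """Return (user, check, detail) findings for the two negation pitfalls."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for user, hosts, cmnds in specs:
        granted, negated = [], []
        for entry in cmnds:
            entry = strip_runas_and_tags(entry)
            target = negated if entry.startswith("!") else granted
            target.extend(expand(entry.lstrip("!"), aliases))
        if "ALL" in granted and negated:
            # Subtracting from ALL is advisory only: the excluded command can be
            # copied under another name or reached through a shell escape.
            findings.append((user, "advisory-negation",
                             f"ALL with {len(negated)} excluded command(s) on {hosts}"))
        for cmnd in negated:
            path = cmnd.split()[0]
            if GLOB_CHARS & set(path):
                # With fast_glob, fnmatch(3) cannot resolve a relative invocation
                # against the globbed path, so this negation is not reliable.
                findings.append((user, "fast_glob-negation", path))
    return findings

# Constructed sudoers fragment built from the entries shown on this page.
SAMPLE_SUDOERS = """
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\\
                    /usr/local/bin/tcsh, /usr/bin/rsh,\\
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Defaults!SHELLS noexec
bill ALL = ALL, !SU, !SHELLS
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\\
           /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
jill SERVERS = /usr/bin/, !SU, !SHELLS
"""
```

The pete and jill entries produce no finding: pete's wildcard is in the arguments, not the path name, and jill's grant is a directory rather than ALL.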
3130
3131 Preventing shell escapes
3132 Once sudo executes a program, that program is free to do whatever it
3133 pleases, including run other programs. This can be a security issue
3134 since it is not uncommon for a program to allow shell escapes, which lets
3135 a user bypass sudo's access control and logging. Common programs that
3136 permit shell escapes include shells (obviously), editors, paginators,
3137 mail and terminal programs.
3138
3139 There are four basic approaches to this problem:
3140
3141 restrict Avoid giving users access to commands that allow the user to
3142 run arbitrary commands. Many editors have a restricted mode
3143 where shell escapes are disabled, though sudoedit is a better
3144 solution to running editors via sudo. Due to the large number
3145 of programs that offer shell escapes, restricting users to the
3146 set of programs that do not is often unworkable.
3147
3148 intercept
3149 Many systems that support shared libraries have the ability to
3150 override default library functions by pointing an environment
3151 variable (usually LD_PRELOAD) to an alternate shared library.
3152 On such systems, sudo's intercept functionality can be used to
3153 transparently intercept an attempt to run a new command, allow
3154 or deny it based on sudoers rules, and log the result. For ex‐
3155 ample, this can be used to restrict the commands run from
3156 within a privileged shell. Note, however, that this applies
3157 only to dynamically-linked executables. Statically-linked exe‐
3158 cutables and executables running under binary emulation are not
3159 affected. Also, most shells support built-in commands and the
3160 ability to read or write sensitive files that cannot be inter‐
3161 cepted by sudo.
3162
3163 Currently, sudo's intercept functionality only works for pro‐
3164 grams that use the execl(), execle(), execlp(), execv(),
3165 execve(), execvp(), or execvpe() library functions to run the
3166 new command. This may be expanded in a future release of sudo.
3167 Because most dynamic loaders ignore LD_PRELOAD (or the equiva‐
3168 lent) when running set-user-ID and set-group-ID programs,
3169 sudoers will not permit such programs to be run in intercept
3170 mode.
3171
3172 The intercept feature is known to work on Solaris, *BSD, Linux,
3173 macOS, HP-UX 11.x and AIX 5.3 and above. It should be sup‐
3174 ported on most operating systems that support the LD_PRELOAD
3175 environment variable. Check your operating system's manual
3176 pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
3177 dld.sl, rld, or loader) to see if LD_PRELOAD is supported. It
3178 is not supported when sudo's SELinux RBAC support is in use due
3179 to a fundamental incompatibility.
3180
3181 To enable intercept mode on a per-command basis, use the
3182 INTERCEPT tag as documented in the User Specification section
3183 above. Here is that example again:
3184
3185 chuck research = INTERCEPT: ALL
3186
3187 This allows user chuck to run any command on the machine
3188 “research” in intercept mode. Any commands run via shell es‐
3189 capes will be validated and logged by sudo. If you are unsure
3190 whether or not your system is capable of supporting intercept,
3191 you can always just try it out and check whether or not exter‐
3192 nal commands run via a shell are logged when intercept is en‐
3193 abled.
3194
3195 log There are two separate but related ways to log additional com‐
3196 mands. The first is to enable I/O logging using the log_output
3197 flag. This will log the command's output but will not create
3198 an event log entry when the additional command is run. The
3199 second is to enable the log_subcmds flag in sudoers which will
3200 create an event log entry every time a new command is run. If
3201 I/O logging is also enabled, the log entry will include a time
3202 offset into the I/O log to indicate when the command was run.
3203 This offset can be passed to the sudoreplay(8) utility to re‐
3204 play the I/O log at the exact moment when the command was run.
3205 The log_subcmds flag uses the same mechanism as intercept (see
3206 above) and has the same limitations.
3207
3208 noexec sudo's noexec functionality can be used to prevent a program
3209 run by sudo from executing any other programs. On most sys‐
3210 tems, it uses the same mechanism as intercept (see above) and
3211 thus the same caveats apply. The noexec functionality is capa‐
3212 ble of blocking execution of commands run via the execl(),
3213 execle(), execlp(), exect(), execv(), execve(), execveat(),
3214 execvP(), execvp(), execvpe(), fexecve(), popen(),
3215 posix_spawn(), posix_spawnp(), system(), and wordexp() func‐
3216 tions. On Linux, a seccomp() filter is used to implement
3217 noexec. On Solaris 10 and higher, noexec uses Solaris privi‐
3218 leges instead of the LD_PRELOAD environment variable.
3219
3220 To enable noexec for a command, use the NOEXEC tag as docu‐
3221 mented in the User Specification section above. Here is that
3222 example again:
3223
3224 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
3225
3226 This allows user aaron to run /usr/bin/more and /usr/bin/vi
3227 with noexec enabled. This will prevent those two commands from
3228 executing other commands (such as a shell). If you are unsure
3229 whether or not your system is capable of supporting noexec you
3230 can always just try it out and check whether shell escapes work
3231 when noexec is enabled.
3232
3233 Note that restricting shell escapes is not a panacea. Programs running
3234 as root are still capable of many potentially hazardous operations (such
3235 as changing or overwriting files) that could lead to unintended privilege
3236 escalation. In the specific case of an editor, a safer approach is to
3237 give the user permission to run sudoedit (see below).
3238
3239 Secure editing
3240 The sudoers plugin includes sudoedit support which allows users to se‐
3241 curely edit files with the editor of their choice. As sudoedit is a
3242 built-in command, it must be specified in the sudoers file without a
3243 leading path. However, it may take command line arguments just as a nor‐
3244 mal command does. Wildcards used in sudoedit command line arguments are
3245 expected to be path names, so a forward slash (‘/’) will not be matched
3246 by a wildcard.
3247
3248 Unlike other sudo commands, the editor is run with the permissions of the
3249 invoking user and with the environment unmodified. More information may
3250 be found in the description of the -e option in sudo(8).
3251
3252 For example, to allow user operator to edit the “message of the day”
3253 file:
3254
3255 operator sudoedit /etc/motd
3256
3257 The operator user then runs sudoedit as follows:
3258
3259 $ sudoedit /etc/motd
3260
3261 The editor will run as the operator user, not root, on a temporary copy
3262 of /etc/motd. After the file has been edited, /etc/motd will be updated
3263 with the contents of the temporary copy.
3264
3265 Users should never be granted sudoedit permission to edit a file that re‐
3266 sides in a directory the user has write access to, either directly or via
3267 a wildcard. If the user has write access to the directory it is possible
3268 to replace the legitimate file with a link to another file, allowing the
3269 editing of arbitrary files. To prevent this, starting with version
3270 1.8.16, symbolic links will not be followed in writable directories and
3271 sudoedit will refuse to edit a file located in a writable directory un‐
3272 less the sudoedit_checkdir option has been disabled or the invoking user
3273 is root. Additionally, in version 1.8.15 and higher, sudoedit will
3274 refuse to open a symbolic link unless either the sudoedit_follow option
3275 is enabled or the sudoedit command is prefixed with the FOLLOW tag in the
3276 sudoers file.
3277
3278 Time stamp file checks
3279 sudoers will check the ownership of its time stamp directory
3280 (/run/sudo/ts by default) and ignore the directory's contents if it is
3281 not owned by root or if it is writable by a user other than root. Older
3282 versions of sudo stored time stamp files in /tmp; this is no longer rec‐
3283 ommended as it may be possible for a user to create the time stamp them‐
3284 selves on systems that allow unprivileged users to change the ownership
3285 of files they create.
3286
3287 While the time stamp directory should be cleared at reboot time, not all
3288 systems contain a /run or /var/run directory. To avoid potential prob‐
3289 lems, sudoers will ignore time stamp files that date from before the ma‐
3290 chine booted on systems where the boot time is available.
3291
3292 Some systems with graphical desktop environments allow unprivileged users
3293 to change the system clock. Since sudoers relies on the system clock for
3294 time stamp validation, it may be possible on such systems for a user to
3295 run sudo for longer than timestamp_timeout by setting the clock back. To
3296 combat this, sudoers uses a monotonic clock (which never moves backwards)
3297 for its time stamps if the system supports it.
3298
3299 sudoers will not honor time stamps set far in the future. Time stamps
3300 with a date greater than current_time + 2 * TIMEOUT will be ignored and
3301 sudoers will log and complain.
3302
3303 If the timestamp_type option is set to “tty”, the time stamp record in‐
3304 cludes the device number of the terminal the user authenticated with.
3305 This provides per-terminal granularity but time stamp records may still
3306 outlive the user's session.
3307
3308 Unless the timestamp_type option is set to “global”, the time stamp
3309 record also includes the session ID of the process that last authenti‐
3310 cated. This prevents processes in different terminal sessions from using
3311 the same time stamp record. On systems where a process's start time can
3312 be queried, the start time of the session leader is recorded in the time
3313 stamp record. If no terminal is present or the timestamp_type option is
3314 set to “ppid”, the start time of the parent process is used instead. In
3315 most cases this will prevent a time stamp record from being re-used with‐
3316 out the user entering a password when logging out and back in again.
3317
3318 DEBUGGING
3319 Versions 1.8.4 and higher of the sudoers plugin support a flexible debugging
3320 framework that can help track down what the plugin is doing internally
3321 if there is a problem. This can be configured in the sudo.conf(5)
3322 file.
3323
3324 The sudoers plugin uses the same debug flag format as the sudo front-end:
3325 subsystem@priority.
3326
3327 The priorities used by sudoers, in order of decreasing severity, are:
3328 crit, err, warn, notice, diag, info, trace and debug. Each priority,
3329 when specified, also includes all priorities higher than it. For exam‐
3330 ple, a priority of notice would include debug messages logged at notice
3331 and higher.
3332
3333 The following subsystems are used by the sudoers plugin:
3334
3335 alias User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
3336
3337 all matches every subsystem
3338
3339 audit BSM and Linux audit code
3340
3341 auth user authentication
3342
3343 defaults sudoers file Defaults settings
3344
3345 env environment handling
3346
3347 ldap LDAP-based sudoers
3348
3349 logging logging support
3350
3351 match matching of users, groups, hosts and netgroups in the sudoers
3352 file
3353
3354 netif network interface handling
3355
3356 nss network service switch handling in sudoers
3357
3358 parser sudoers file parsing
3359
3360 perms permission setting
3361
3362 plugin The equivalent of main for the plugin.
3363
3364 pty pseudo-terminal related code
3365
3366 rbtree red-black tree internals
3367
3368 sssd SSSD-based sudoers
3369
3370 util utility functions
3371
3372 For example:
3373
3374 Debug sudoers.so /var/log/sudoers_debug match@info,nss@info
3375
3376 For more information, see the sudo.conf(5) manual.
3377
3378 SEE ALSO
3379 ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(5),
3380 sudo_plugin(5), sudoers.ldap(5), sudoers_timestamp(5), sudo(8), visudo(8)
3381
3382 AUTHORS
3383 Many people have worked on sudo over the years; this version consists of
3384 code written primarily by:
3385
3386 Todd C. Miller
3387
3388 See the CONTRIBUTORS file in the sudo distribution
3389 (https://www.sudo.ws/contributors.html) for an exhaustive list of people
3390 who have contributed to sudo.
3391
3392 CAVEATS
3393 The sudoers file should always be edited by the visudo utility which
3394 locks the file and checks for syntax errors. If sudoers contains syntax
3395 errors, sudo may refuse to run, which is a serious problem if sudo is
3396 your only method of obtaining superuser privileges. Recent versions of
3397 sudoers will attempt to recover after a syntax error by ignoring the rest
3398 of the line after encountering an error. Older versions of sudo will not
3399 run if sudoers contains a syntax error.
3400
3401 When using netgroups of machines (as opposed to users), if you store
3402 fully qualified host names in the netgroup (as is usually the case), you
3403 either need to have the machine's host name be fully qualified as re‐
3404 turned by the hostname command or use the fqdn option in sudoers.
3405
3406 BUGS
3407 If you feel you have found a bug in sudo, please submit a bug report at
3408 https://bugzilla.sudo.ws/
3409
3410 SUPPORT
3411 Limited free support is available via the sudo-users mailing list, see
3412 https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
3413 the archives.
3414
3415 DISCLAIMER
3416 sudo is provided “AS IS” and any express or implied warranties, including,
3417 but not limited to, the implied warranties of merchantability and
3418 fitness for a particular purpose are disclaimed. See the LICENSE file
3419 distributed with sudo or https://www.sudo.ws/license.html for complete
3420 details.
3421
3422Sudo 1.9.8p2 September 7, 2021 Sudo 1.9.8p2