SUDOERS(5)                    BSD File Formats Manual                   SUDOERS(5)

NAME
     sudoers — default sudo security policy plugin

DESCRIPTION
     The sudoers policy plugin determines a user's sudo privileges.  It is the
     default sudo policy plugin.  The policy is driven by the /etc/sudoers
     file or, optionally, by policy stored in LDAP.  The policy format is
     described in detail in the SUDOERS FILE FORMAT section.  For information
     on storing sudoers policy information in LDAP, see sudoers.ldap(5).

   Configuring sudo.conf for sudoers
     sudo consults the sudo.conf(5) file to determine which plugins to load.
     If no sudo.conf(5) file is present, or if it contains no Plugin lines,
     sudoers will be used for auditing, policy decisions and I/O logging.  To
     explicitly configure sudo.conf(5) to use the sudoers plugin, the
     following configuration can be used.

           Plugin sudoers_audit sudoers.so
           Plugin sudoers_policy sudoers.so
           Plugin sudoers_io sudoers.so

     Starting with sudo 1.8.5, it is possible to specify optional arguments to
     the sudoers plugin in the sudo.conf(5) file.  Plugin arguments, if any,
     should be listed after the path to the plugin (i.e., after sudoers.so).
     The arguments are only effective for the plugin that opens (and parses)
     the sudoers file.

     For sudo version 1.9.1 and higher, this is the sudoers_audit plugin.  For
     older versions, it is the sudoers_policy plugin.  Multiple arguments may
     be specified, separated by white space.  For example:

           Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false

     The following plugin arguments are supported:

     error_recovery=bool
                 The error_recovery argument can be used to control whether
                 sudoers should attempt to recover from syntax errors in the
                 sudoers file.  If set to true (the default), sudoers will try
                 to recover from a syntax error by discarding the portion of
                 the line that contains the error until the end of the line.
                 A value of false will disable error recovery.  Prior to
                 version 1.9.3, no error recovery was performed.  Since
                 recovery discards only the text from the error to the end of
                 the line, check edited files with visudo rather than relying
                 on recovery to produce the rule you intended.

     ldap_conf=pathname
                 The ldap_conf argument can be used to override the default
                 path to the ldap.conf file.

     ldap_secret=pathname
                 The ldap_secret argument can be used to override the default
                 path to the ldap.secret file.

     sudoers_file=pathname
                 The sudoers_file argument can be used to override the default
                 path to the sudoers file.

     sudoers_uid=user-ID
                 The sudoers_uid argument can be used to override the default
                 owner of the sudoers file.  It should be specified as a
                 numeric user-ID.

     sudoers_gid=group-ID
                 The sudoers_gid argument can be used to override the default
                 group of the sudoers file.  It must be specified as a numeric
                 group-ID (not a group name).

     sudoers_mode=mode
                 The sudoers_mode argument can be used to override the default
                 file mode for the sudoers file.  It should be specified as an
                 octal value.

     For more information on configuring sudo.conf(5), refer to its manual.

   User Authentication
     The sudoers security policy requires that most users authenticate
     themselves before they can use sudo.  A password is not required if the
     invoking user is root, if the target user is the same as the invoking
     user, or if the policy has disabled authentication for the user or
     command.  Unlike su(1), when sudoers requires authentication, it
     validates the invoking user's credentials, not the target user's (or
     root's) credentials.  This can be changed via the rootpw, targetpw and
     runaspw flags, described later.

     If a user who is not listed in the policy tries to run a command via
     sudo, mail is sent to the proper authorities.  The address used for such
     mail is configurable via the mailto Defaults entry (described later) and
     defaults to root.

     No mail will be sent if an unauthorized user tries to run sudo with the
     -l or -v option unless there is an authentication error and either the
     mail_always or mail_badpass flags are enabled.  This allows users to
     determine for themselves whether or not they are allowed to use sudo.
     By default, all attempts to run sudo (successful or not) are logged,
     regardless of whether or not mail is sent.

     If sudo is run by root and the SUDO_USER environment variable is set, the
     sudoers policy will use this value to determine who the actual user is.
     This can be used by a user to log commands through sudo even when a root
     shell has been invoked.  It also allows the -e option to remain useful
     even when invoked via a sudo-run script or program.  Note, however, that
     the sudoers file lookup is still done for root, not the user specified by
     SUDO_USER.

     sudoers uses per-user time stamp files for credential caching.  Once a
     user has been authenticated, a record is written containing the user-ID
     that was used to authenticate, the terminal session ID, the start time of
     the session leader (or parent process) and a time stamp (using a
     monotonic clock if one is available).  The user may then use sudo without
     a password for a short period of time (5 minutes unless overridden by the
     timestamp_timeout option).  By default, sudoers uses a separate record
     for each terminal, which means that a user's login sessions are
     authenticated separately.  The timestamp_type option can be used to
     select the type of time stamp record sudoers will use.

   Logging
     By default, sudoers logs both successful and unsuccessful attempts (as
     well as errors).  The log_allowed and log_denied flags can be used to
     control this behavior.  Messages can be logged to syslog(3), a log file,
     or both.  The default is to log to syslog(3) but this is configurable via
     the syslog and logfile settings.  See EVENT LOGGING for a description of
     the log file format.

     sudoers is also capable of running a command in a pseudo-terminal and
     logging input and/or output.  The standard input, standard output, and
     standard error can be logged even when not associated with a terminal.
     For more information about I/O logging, see the I/O LOGGING section.

     Starting with version 1.9, the log_servers setting may be used to send
     event and I/O log data to a remote server running sudo_logsrvd or another
     service that implements the protocol described by sudo_logsrv.proto(5).

   Command environment
     Since environment variables can influence program behavior, sudoers
     provides a means to restrict which variables from the user's environment
     are inherited by the command to be run.  There are two distinct ways
     sudoers can deal with environment variables.

     By default, the env_reset flag is enabled.  This causes commands to be
     executed with a new, minimal environment.  On AIX (and Linux systems
     without PAM), the environment is initialized with the contents of the
     /etc/environment file.  The HOME, MAIL, SHELL, LOGNAME and USER
     environment variables are initialized based on the target user and the
     SUDO_* variables are set based on the invoking user.  Additional
     variables, such as DISPLAY, PATH and TERM, are preserved from the
     invoking user's environment if permitted by the env_check or env_keep
     options.  A few environment variables are treated specially.  If the
     PATH and TERM variables are not preserved from the user's environment,
     they will be set to default values.  LOGNAME and USER are handled as a
     single entity.  If one of them is preserved (or removed) from the user's
     environment, the other will be as well.  If LOGNAME and USER are to be
     preserved but only one of them is present in the user's environment, the
     other will be set to the same value.  This avoids an inconsistent
     environment where one of the variables describing the user name is set
     to the invoking user and one is set to the target user.  Environment
     variables with a value beginning with ‘()’ are removed unless both the
     name and value parts are matched by env_keep or env_check, as they may
     be interpreted as functions by the bash shell.  Prior to version 1.8.11,
     such variables were always removed.

     If, however, the env_reset flag is disabled, any variables not explicitly
     denied by the env_check and env_delete options are allowed and their
     values are inherited from the invoking process.  Prior to version 1.8.21,
     environment variables with a value beginning with ‘()’ were always
     removed.  Beginning with version 1.8.21, a pattern in env_delete is used
     to match bash shell functions instead.  Since it is not possible to block
     all potentially dangerous environment variables, use of the default
     env_reset behavior is encouraged.

     Environment variables specified by env_check, env_delete, or env_keep may
     include one or more ‘*’ characters which will match zero or more
     characters.  No other wildcard characters are supported.

     By default, environment variables are matched by name.  However, if the
     pattern includes an equal sign (‘=’), both the variable's name and value
     must match.  For example, a bash shell function could be matched as
     follows:

           env_keep += "BASH_FUNC_my_func%%=()*"

     Without the ‘=()*’ suffix, this would not match, as bash shell functions
     are not preserved by default.
184
185 The complete list of environment variables that are preserved or removed,
186 as modified by global Defaults parameters in sudoers, is displayed when
187 sudo is run by root with the -V option. The list of environment vari‐
188 ables to remove varies based on the operating system sudo is running on.
189
190 Other sudoers options may influence the command environment, such as
191 always_set_home, secure_path, set_logname, and set_home.
192
193 On systems that support PAM where the pam_env module is enabled for sudo,
194 variables in the PAM environment may be merged in to the environment. If
195 a variable in the PAM environment is already present in the user's envi‐
196 ronment, the value will only be overridden if the variable was not pre‐
197 served by sudoers. When env_reset is enabled, variables preserved from
198 the invoking user's environment by the env_keep list take precedence over
199 those in the PAM environment. When env_reset is disabled, variables
200 present the invoking user's environment take precedence over those in the
201 PAM environment unless they match a pattern in the env_delete list.
202
203 The dynamic linker on most operating systems will remove variables that
204 can control dynamic linking from the environment of set-user-ID executa‐
205 bles, including sudo. Depending on the operating system this may include
206 _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These type
207 of variables are removed from the environment before sudo even begins ex‐
208 ecution and, as such, it is not possible for sudo to preserve them.
209
210 As a special case, if the -i option (initial login) is specified, sudoers
211 will initialize the environment regardless of the value of env_reset.
212 The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL,
213 USER, and LOGNAME are set based on the target user. On AIX (and Linux
214 systems without PAM), the contents of /etc/environment are also included.
215 All other environment variables are removed unless permitted by env_keep
216 or env_check, described above.
217
218 Finally, the restricted_env_file and env_file files are applied, if
219 present. The variables in restricted_env_file are applied first and are
220 subject to the same restrictions as the invoking user's environment, as
221 detailed above. The variables in env_file are applied last and are not
222 subject to these restrictions. In both cases, variables present in the
223 files will only be set to their specified values if they would not con‐
224 flict with an existing environment variable.
225
227 The sudoers file is composed of two types of entries: aliases (basically
228 variables) and user specifications (which specify who may run what).
229
230 When multiple entries match for a user, they are applied in order. Where
231 there are multiple matches, the last match is used (which is not neces‐
232 sarily the most specific match).
233
234 The sudoers file grammar will be described below in Extended Backus-Naur
235 Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
236 simple, and the definitions below are annotated.
237
238 Resource limits
239 By default, sudoers uses the operating system's native method of setting
240 resource limits for the target user. On Linux systems, resource limits
241 are usually set by the pam_limits.so PAM module. On some BSD systems,
242 the /etc/login.conf file specifies resource limits for the user. On AIX
243 systems, resource limits are configured in the /etc/security/limits file.
244 If there is no system mechanism to set per-user resource limits, the com‐
245 mand will run with the same limits as the invoking user. The one excep‐
246 tion to this is the core dump file size, which is set by sudoers to 0 by
247 default. Disabling core dumps by default makes it possible to avoid po‐
248 tential security problems where the core file is treated as trusted in‐
249 put.
250
251 Resource limits may also be set in the sudoers file itself, in which case
252 they override those set by the system. See the rlimit_as, rlimit_core,
253 rlimit_cpu, rlimit_data, rlimit_fsize, rlimit_locks, rlimit_memlock,
254 rlimit_nofile, rlimit_nproc, rlimit_rss, rlimit_stack options described
255 below. Resource limits in sudoers may be specified in one of the follow‐
256 ing formats:
257
258 “value”
259 Both the soft and hard resource limits are set to the same value.
260 The special value “infinity” can be used to indicate that the
261 value is unlimited.
262
263 “soft,hard”
264 Two comma-separated values. The soft limit is set to the first
265 value and the hard limit is set to the second. Both values must
266 either be enclosed in a set of double quotes, or the comma must
267 be escaped with a backslash (‘\’). The special value “infinity”
268 may be used in place of either value.
269
270 “default”
271 The default resource limit for the user will be used. This may
272 be a user-specific value (see above) or the value of the resource
273 limit when sudo was invoked for systems that don't support per-
274 user limits.
275
276 “user” The invoking user's resource limits will be preserved when run‐
277 ning the command.
278
279 For example, to restore the historic core dump file size behavior, a line
280 like the following may be used.
281
282 Defaults rlimit_core=default
283
284 Resource limits in sudoers are only supported by version 1.8.7 or higher.
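     The four value formats can be parsed into the (soft, hard) pair that
     setrlimit(2) takes.  The following is an added example for this page,
     not sudo's own code: it accepts the quoted and backslash-escaped
     spellings, maps “infinity” to RLIM_INFINITY, and returns “default” and
     “user” as keywords because their numeric meaning only exists at run
     time.  The soft-greater-than-hard rejection is the example's own sanity
     check, added because setrlimit(2) would refuse such a pair.

```python
import re

try:
    import resource                      # POSIX only; used by apply_rlimit below
except ImportError:                      # keeps the parser usable elsewhere
    resource = None

# Added example (not sudo's own code): parse the rlimit_* value formats and
# apply them the way sudoers would before executing the command.

INFINITY = getattr(resource, "RLIM_INFINITY", -1)   # the sudoers keyword "infinity"


def _one_limit(text):
    if text == "infinity":
        return INFINITY
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError(f"bad resource limit value: {text!r}")
    return int(text)


def parse_rlimit(text):
    """Accepts: value | "soft,hard" | soft\\,hard | default | user."""
    text = text.strip()
    if text in ("default", "user"):
        return text
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        parts = text[1:-1].split(",")             # quoted: a plain comma separates soft,hard
    else:
        if re.search(r"(?<!\\),", text):          # unquoted: only '\,' is allowed
            raise ValueError(f"unescaped ',' outside double quotes: {text!r}")
        parts = text.replace("\\,", ",").split(",")
    parts = [p.strip() for p in parts]
    if len(parts) == 1:
        value = _one_limit(parts[0])
        return (value, value)
    if len(parts) == 2:
        soft, hard = _one_limit(parts[0]), _one_limit(parts[1])
        # setrlimit(2) rejects soft > hard; this example rejects it at parse time
        if hard != INFINITY and (soft == INFINITY or soft > hard):
            raise ValueError(f"soft limit exceeds hard limit: {text!r}")
        return (soft, hard)
    raise ValueError(f"expected one or two values: {text!r}")


def is_valid_rlimit(text):
    """True if parse_rlimit() accepts the text."""
    try:
        parse_rlimit(text)
        return True
    except ValueError:
        return False


def apply_rlimit(which, spec):
    """Apply a parsed spec to this process, e.g. apply_rlimit(resource.RLIMIT_CORE, parse_rlimit("0")).

    Returns True if a limit was set.  "user" keeps the invoking user's limits;
    "default" defers to the system mechanism (pam_limits, login.conf, ...),
    which this model does not replicate.
    """
    if spec in ("default", "user") or resource is None:
        return False
    resource.setrlimit(which, spec)
    return True
```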
285
286 Quick guide to EBNF
287 EBNF is a concise and exact way of describing the grammar of a language.
288 Each EBNF definition is made up of production rules. For example:
289
290 symbol ::= definition | alternate1 | alternate2 ...
291
292 Each production rule references others and thus makes up a grammar for
293 the language. EBNF also contains the following operators, which many
294 readers will recognize from regular expressions. Do not, however, con‐
295 fuse them with “wildcard” characters, which have different meanings.
296
297 ? Means that the preceding symbol (or group of symbols) is optional.
298 That is, it may appear once or not at all.
299
300 * Means that the preceding symbol (or group of symbols) may appear
301 zero or more times.
302
303 + Means that the preceding symbol (or group of symbols) may appear
304 one or more times.
305
306 Parentheses may be used to group symbols together. For clarity, we will
307 use single quotes ('') to designate what is a verbatim character string
308 (as opposed to a symbol name).
309
310 Aliases
311 There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
312 Cmnd_Alias. Beginning with sudo 1.9.0, Cmd_Alias may be used in place of
313 Cmnd_Alias if desired.
314
315 Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
316 'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
317 'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
318 'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)* |
319 'Cmd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*
320
321 User_Alias ::= NAME
322
323 User_Alias_Spec ::= User_Alias '=' User_List
324
325 Runas_Alias ::= NAME
326
327 Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
328
329 Host_Alias ::= NAME
330
331 Host_Alias_Spec ::= Host_Alias '=' Host_List
332
333 Cmnd_Alias ::= NAME
334
335 Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
336
337 NAME ::= [A-Z]([A-Z][0-9]_)*
338
339 Each alias definition is of the form
340
341 Alias_Type NAME = item1, item2, ...
342
343 where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
344 Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and under‐
345 score characters (‘_’). A NAME must start with an uppercase letter. It
346 is possible to put several alias definitions of the same type on a single
347 line, joined by a colon (‘:’). For example:
348
349 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
350
351 It is a syntax error to redefine an existing alias. It is possible to
352 use the same name for aliases of different types, but this is not recom‐
353 mended.
354
355 The definitions of what constitutes a valid alias member follow.
356
357 User_List ::= User |
358 User ',' User_List
359
360 User ::= '!'* user name |
361 '!'* #user-ID |
362 '!'* %group |
363 '!'* %#group-ID |
364 '!'* +netgroup |
365 '!'* %:nonunix_group |
366 '!'* %:#nonunix_gid |
367 '!'* User_Alias
368
369 A User_List is made up of one or more user names, user-IDs (prefixed with
370 ‘#’), system group names and IDs (prefixed with ‘%’ and ‘%#’ respec‐
371 tively), netgroups (prefixed with ‘+’), non-Unix group names and IDs
372 (prefixed with ‘%:’ and ‘%:#’ respectively), and User_Aliases. Each list
373 item may be prefixed with zero or more ‘!’ operators. An odd number of
374 ‘!’ operators negate the value of the item; an even number just cancel
375 each other out. User netgroups are matched using the user and domain
376 members only; the host member is not used when matching.
377
378 A user name, user-ID, group, group-ID, netgroup, nonunix_group or
379 nonunix_gid may be enclosed in double quotes to avoid the need for escap‐
380 ing special characters. Alternately, special characters may be specified
381 in escaped hex mode, e.g., \x20 for space. When using double quotes, any
382 prefix characters must be included inside the quotes.
383
384 The actual nonunix_group and nonunix_gid syntax depends on the underlying
385 group provider plugin. For instance, the QAS AD plugin supports the fol‐
386 lowing formats:
387
388 • Group in the same domain: "%:Group Name"
389
390 • Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
391
392 • Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
393
394 See GROUP PROVIDER PLUGINS for more information.
395
396 Quotes around group names are optional. Unquoted strings must use a
397 backslash (‘\’) to escape spaces and special characters. See Other
398 special characters and reserved words for a list of characters that need
399 to be escaped.
400
401 Runas_List ::= Runas_Member |
402 Runas_Member ',' Runas_List
403
404 Runas_Member ::= '!'* user name |
405 '!'* #user-ID |
406 '!'* %group |
407 '!'* %#group-ID |
408 '!'* %:nonunix_group |
409 '!'* %:#nonunix_gid |
410 '!'* +netgroup |
411 '!'* Runas_Alias |
412 '!'* ALL
413
414 A Runas_List is similar to a User_List except that instead of
415 User_Aliases it can contain Runas_Aliases. User names and groups are
416 matched as strings. In other words, two users (groups) with the same
417 user (group) ID are considered to be distinct. If you wish to match all
418 user names with the same user-ID (e.g., root and toor), you can use a
419 user-ID instead of a name (#0 in the example given). The user-ID or
420 group-ID specified in a Runas_Member need not be listed in the password
421 or group database.
422
423 Host_List ::= Host |
424 Host ',' Host_List
425
426 Host ::= '!'* host name |
427 '!'* ip_addr |
428 '!'* network(/netmask)? |
429 '!'* +netgroup |
430 '!'* Host_Alias |
431 '!'* ALL
432
433 A Host_List is made up of one or more host names, IP addresses, network
434 numbers, netgroups (prefixed with ‘+’), and other aliases. Again, the
435 value of an item may be negated with the ‘!’ operator. Host netgroups
436 are matched using the host (both qualified and unqualified) and domain
437 members only; the user member is not used when matching. If you specify
438 a network number without a netmask, sudo will query each of the local
439 host's network interfaces and, if the network number corresponds to one
440 of the hosts's network interfaces, will use the netmask of that inter‐
441 face. The netmask may be specified either in standard IP address nota‐
442 tion (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
443 (number of bits, e.g., 24 or 64). A host name may include shell-style
444 wildcards (see the Wildcards section below), but unless the hostname com‐
445 mand on your machine returns the fully qualified host name, you'll need
446 to use the fqdn flag for wildcards to be useful. sudo only inspects ac‐
447 tual network interfaces; this means that IP address 127.0.0.1 (localhost)
448 will never match. Also, the host name “localhost” will only match if
449 that is the actual host name, which is usually only the case for non-net‐
450 worked systems.
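     An added example (not sudo's code) of the host and network matching just
     described: netmasks in either dotted/colon or CIDR notation, a bare
     network number that borrows the mask of the interface it belongs to,
     shell-style wildcards on host names, and ‘!’ negation.  The interface
     list is constructed and, like the list sudo builds, contains no loopback
     entry, which is why 127.0.0.1 never matches; the wildcard test also shows
     why an unqualified hostname defeats a *.example.com pattern.

```python
import fnmatch
import ipaddress

# Added example (not sudo's own code).  `interfaces` is a constructed list of
# (address, netmask) pairs standing in for the real interfaces sudo enumerates.


def _prefix_length(mask, version):
    """Accept CIDR bits ('24') or address-notation masks ('255.255.255.0', 'ffff:ffff:ffff:ffff::')."""
    if mask.isdigit():
        return int(mask)
    mask_int = int(ipaddress.ip_address(mask))
    max_bits = 32 if version == 4 else 128
    bits = bin(mask_int).count("1")
    if mask_int != (((1 << bits) - 1) << (max_bits - bits)) & ((1 << max_bits) - 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return bits


def network_item_matches(item, interfaces):
    """ip_addr, network, or network/netmask, checked against the host's interfaces."""
    if "/" in item:
        net_text, mask = item.split("/", 1)
        net_addr = ipaddress.ip_address(net_text)
        net = ipaddress.ip_network(f"{net_addr}/{_prefix_length(mask, net_addr.version)}", strict=False)
        return any(ipaddress.ip_address(addr) in net for addr, _ in interfaces)
    target = ipaddress.ip_address(item)
    for addr_text, mask in interfaces:
        addr = ipaddress.ip_address(addr_text)
        if addr.version != target.version:
            continue
        if addr == target:
            return True                                   # plain address match
        iface_net = ipaddress.ip_network(f"{addr}/{_prefix_length(mask, addr.version)}", strict=False)
        if iface_net.network_address == target:           # network number: borrow this interface's mask
            return True
    return False


def host_item_matches(item, hostname, interfaces):
    """One Host item: ALL, an address/network, or a host name with shell-style wildcards."""
    if item == "ALL":
        return True
    try:
        return network_item_matches(item, interfaces)
    except ValueError:
        pass                                              # not an address: treat as a host name
    return fnmatch.fnmatchcase(hostname.lower(), item.lower())


def host_list_matches(text, hostname, interfaces):
    """Host_List with '!' negation; later matching items win, as for entries."""
    result = False
    for raw in (p.strip() for p in text.split(",")):
        if not raw:
            continue
        bangs = len(raw) - len(raw.lstrip("!"))
        if host_item_matches(raw[bangs:], hostname, interfaces):
            result = bangs % 2 == 0
    return result


# Constructed interface table: one IPv4 and one IPv6 interface, no loopback.
SAMPLE_INTERFACES = [("192.168.1.37", "255.255.255.0"),
                     ("2001:db8:1:2::10", "ffff:ffff:ffff:ffff::")]
```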
451
452 digest ::= [A-Fa-f0-9]+ |
453 [A-Za-z0-9\+/=]+
454
455 Digest_Spec ::= "sha224" ':' digest |
456 "sha256" ':' digest |
457 "sha384" ':' digest |
458 "sha512" ':' digest
459
460 Digest_List ::= Digest_Spec |
461 Digest_Spec ',' Digest_List
462
463 Cmnd_List ::= Cmnd |
464 Cmnd ',' Cmnd_List
465
466 command name ::= regex |
467 file name
468
469 command ::= command name |
470 command name args |
471 command name regex |
472 command name '""' |
473 ALL
474
475 Edit_Spec ::= "sudoedit" file name+ |
476 "sudoedit" regex |
477 "sudoedit"
478
479 Cmnd ::= Digest_List? '!'* command |
480 '!'* directory |
481 '!'* Edit_Spec |
482 '!'* Cmnd_Alias
483
484 A Cmnd_List is a list of one or more commands, directories, or aliases.
485 A command is a fully qualified file name, which may include shell-style
486 wildcards (see the Wildcards section below), or a regular expression that
487 starts with ‘^’ and ends with ‘$’ (see the Regular expressions section
488 below). A directory is a fully qualified path name ending in a ‘/’.
489 When you specify a directory in a Cmnd_List, the user will be able to run
490 any file within that directory (but not in any sub-directories therein).
491 If no command line arguments are specified, the user may run the command
492 with any arguments they choose. Command line arguments can include wild‐
493 cards or be a regular expression that starts with ‘^’ and ends with ‘$’.
494 If the command line arguments consist of ‘""’, the command may only be
495 run with no arguments.
496
497 If a Cmnd has associated command line arguments, the arguments in the
498 Cmnd must match those given by the user on the command line. If the ar‐
499 guments in a Cmnd begin with the ‘^’ character, they will be interpreted
500 as a regular expression and matched accordingly. Otherwise, shell-style
501 wildcards are used when matching. Unless a regular expression is speci‐
502 fied, the following characters must be escaped with a ‘\’ if they are
503 used in command arguments: ‘,’, ‘:’, ‘=’, ‘\’. To prevent arguments in a
504 Cmnd that begin with a ‘^’ character from being interpreted as a regular
505 expression, the ‘^’ must be escaped with a ‘\’.
506
507 The built-in command “sudoedit” is used to permit a user to run sudo with
508 the -e option (or as sudoedit). It may take command line arguments just
509 as a normal command does. Unlike other commands, “sudoedit” is built
510 into sudo itself and must be specified in the sudoers file without a
511 leading path. If a leading path is present, for example
512 /usr/bin/sudoedit, the path name will be silently converted to
513 “sudoedit”. A fully-qualified path for sudoedit is treated as an error
514 by visudo.
515
516 A command may be preceded by a Digest_List, a comma-separated list of one
517 or more Digest_Spec entries. If a Digest_List is present, the command
518 will only match successfully if it can be verified using one of the SHA-2
519 digests in the list. Starting with version 1.9.0, the ALL reserved word
520 can be used in conjunction with a Digest_List. The following digest for‐
521 mats are supported: sha224, sha256, sha384, and sha512. The string may
522 be specified in either hex or base64 format (base64 is more compact).
523 There are several utilities capable of generating SHA-2 digests in hex
524 format such as openssl, shasum, sha224sum, sha256sum, sha384sum,
525 sha512sum.
526
527 For example, using openssl:
528
529 $ openssl dgst -sha224 /bin/ls
530 SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
531
532 It is also possible to use openssl to generate base64 output:
533
534 $ openssl dgst -binary -sha224 /bin/ls | openssl base64
535 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
536
537 Warning, if the user has write access to the command itself (directly or
538 via a sudo command), it may be possible for the user to replace the com‐
539 mand after the digest check has been performed but before the command is
540 executed. A similar race condition exists on systems that lack the
541 fexecve(2) system call when the directory in which the command is located
542 is writable by the user. See the description of the fdexec setting for
543 more information on how sudo executes commands that have an associated
544 digest.
545
546 Command digests are only supported by version 1.8.7 or higher.
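     An added example (not sudo's code) that reproduces the two openssl
     invocations above with hashlib, parses a Digest_List in either encoding
     (hex is told from base64 by its length), and checks a command through an
     already-open descriptor so that the file that was hashed is the file
     handed to fexecve(2), which is the point of the warning above.  The
     script written by demo() is constructed test input; run_if_digest_matches()
     is for illustration only since it replaces the current process and needs
     a platform with os.fexecve.

```python
import base64
import hashlib
import os
import tempfile

# Added example (not sudo's own code): digest generation, Digest_List parsing,
# and a check-then-exec sequence that never re-opens the command by path.

ALGORITHMS = {"sha224": hashlib.sha224, "sha256": hashlib.sha256,
              "sha384": hashlib.sha384, "sha512": hashlib.sha512}

# The two encodings of the same digest shown on the page for /bin/ls.
PAGE_HEX_SPEC = "sha224:118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25"
PAGE_B64_SPEC = "sha224:EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ=="


def digest_fd(fd, algo):
    """Hash the whole file behind an open descriptor without closing it."""
    h = ALGORITHMS[algo]()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            return h.digest()
        h.update(chunk)


def file_digests(path, algo="sha224"):
    """(hex, base64) for a file, as 'openssl dgst' and the base64 pipeline above print them."""
    fd = os.open(path, os.O_RDONLY)
    try:
        raw = digest_fd(fd, algo)
    finally:
        os.close(fd)
    return raw.hex(), base64.b64encode(raw).decode("ascii")


def parse_digest_list(spec):
    """'sha224:<hex>, sha256:<base64>' -> [(algo, raw_bytes), ...]."""
    parsed = []
    for entry in spec.split(","):
        algo, sep, value = entry.strip().partition(":")
        if not sep or algo not in ALGORITHMS:
            raise ValueError(f"unsupported digest spec: {entry.strip()!r}")
        size = ALGORITHMS[algo]().digest_size
        if len(value) == 2 * size:                       # hex is exactly twice the digest size
            raw = bytes.fromhex(value)
        else:                                            # otherwise it must be base64
            raw = base64.b64decode(value, validate=True)
        if len(raw) != size:
            raise ValueError(f"{algo} digest has wrong length: {value!r}")
        parsed.append((algo, raw))
    return parsed


def fd_matches_digest_list(fd, spec):
    """Name of the first algorithm in the list whose digest matches the open file, else None."""
    for algo, expected in parse_digest_list(spec):
        if digest_fd(fd, algo) == expected:
            return algo
    return None


def run_if_digest_matches(path, spec, argv, env=None):
    """Open once, verify, then execute the same descriptor (fexecve), never the path again."""
    fd = os.open(path, os.O_RDONLY)
    if fd_matches_digest_list(fd, spec) is None:
        os.close(fd)
        raise PermissionError(f"{path}: digest mismatch, refusing to execute")
    os.fexecve(fd, argv, env if env is not None else os.environ)   # does not return


def demo():
    """Write a constructed script, then exercise the checks against it."""
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as f:
        f.write(b"#!/bin/sh\necho hello\n")
        path = f.name
    try:
        hex224, b64_224 = file_digests(path, "sha224")
        hex256, _ = file_digests(path, "sha256")
        fd = os.open(path, os.O_RDONLY)
        try:
            return {
                "hex_len": len(hex224), "b64_len": len(b64_224),
                "hex_ok": fd_matches_digest_list(fd, f"sha224:{hex224}"),
                "b64_ok": fd_matches_digest_list(fd, f"sha224:{b64_224}"),
                "list_ok": fd_matches_digest_list(fd, f"sha256:{'0' * 64}, sha224:{b64_224}"),
                "tampered": fd_matches_digest_list(fd, f"sha256:{'0' * 64}"),
                "sha256_ok": fd_matches_digest_list(fd, f"sha256:{hex256}"),
            }
        finally:
            os.close(fd)
    finally:
        os.unlink(path)
```

     Decoding the page's hex and base64 strings with parse_digest_list()
     yields the same 28 bytes, which is the concrete meaning of "base64 is
     more compact": 40 characters instead of 56 for a sha224 digest.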
547
548 Defaults
549 Certain configuration options may be changed from their default values at
550 run-time via one or more Default_Entry lines. These may affect all users
551 on any host, all users on a specific host, a specific user, a specific
552 command, or commands being run as a specific user. Per-command entries
553 may not include command line arguments. If you need to specify argu‐
554 ments, define a Cmnd_Alias and reference that instead.
555
556 Default_Type ::= 'Defaults' |
557 'Defaults' '@' Host_List |
558 'Defaults' ':' User_List |
559 'Defaults' '!' Cmnd_List |
560 'Defaults' '>' Runas_List
561
562 Default_Entry ::= Default_Type Parameter_List
563
564 Parameter_List ::= Parameter |
565 Parameter ',' Parameter_List
566
567 Parameter ::= Parameter '=' Value |
568 Parameter '+=' Value |
569 Parameter '-=' Value |
570 '!'* Parameter
571
572 Parameters may be flags, integer values, strings, or lists. Flags are
573 implicitly boolean and can be turned off via the ‘!’ operator. Some in‐
574 teger, string and list parameters may also be used in a boolean context
575 to disable them. Values may be enclosed in double quotes ("") when they
576 contain multiple words. Special characters may be escaped with a back‐
577 slash (‘\’).
578
579 To include a literal backslash character in a command line argument you
580 must escape the backslash twice. For example, to match ‘\n’ as part of a
581 command line argument, you must use ‘\\\\n’ in the sudoers file. This is
582 due to there being two levels of escaping, one in the sudoers parser it‐
583 self and another when command line arguments are matched by the
584 fnmatch(3) or regexec(3) function.
585
586 Lists have two additional assignment operators, ‘+=’ and ‘-=’. These op‐
587 erators are used to add to and delete from a list respectively. It is
588 not an error to use the ‘-=’ operator to remove an element that does not
589 exist in a list.
590
591 Defaults entries are parsed in the following order: global, host, user,
592 and runas Defaults first, then command defaults. If there are multiple
593 Defaults settings of the same type, the last matching setting is used.
594 The following Defaults settings are parsed before all others since they
595 may affect subsequent entries: fqdn, group_plugin, runas_default,
596 sudoers_locale.
597
598 See SUDOERS OPTIONS for a list of supported Defaults parameters.
599
600 User specification
601 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
602 (':' Host_List '=' Cmnd_Spec_List)*
603
604 Cmnd_Spec_List ::= Cmnd_Spec |
605 Cmnd_Spec ',' Cmnd_Spec_List
606
607 Cmnd_Spec ::= Runas_Spec? Option_Spec* (Tag_Spec ':')* Cmnd
608
609 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
610
611 Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
612
613 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
614
615 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
616
617 Timeout_Spec ::= 'TIMEOUT=timeout'
618
619 Chdir_Spec ::= 'CWD=directory'
620
621 Chroot_Spec ::= 'CHROOT=directory'
622
623 Tag_Spec ::= ('EXEC' | 'NOEXEC' | 'FOLLOW' | 'NOFOLLOW' |
624 'LOG_INPUT' | 'NOLOG_INPUT' | 'LOG_OUTPUT' |
625 'NOLOG_OUTPUT' | 'MAIL' | 'NOMAIL' | 'INTERCEPT' |
626 'NOINTERCEPT' | 'PASSWD' | 'NOPASSWD' | 'SETENV' |
627 'NOSETENV')
628
629 A user specification determines which commands a user may run (and as
630 what user) on specified hosts. By default, commands are run as root (un‐
631 less runas_default has been set to a different value) but this can also
632 be changed on a per-command basis.
633
634 The basic structure of a user specification is “who where = (as_whom)
635 what”. Let's break that down into its constituent parts:
636
637 Runas_Spec
638 A Runas_Spec determines the user and/or the group that a command may be
639 run as. A fully-specified Runas_Spec consists of two Runas_Lists (as de‐
640 fined above) separated by a colon (‘:’) and enclosed in a set of paren‐
     theses. The first Runas_List indicates which users the command may be
     run as via the -u option. The second defines a list of groups that may
     be specified via the -g option (in addition to any of the target user's
     groups). If both Runas_Lists are specified, the command may be run with
     any combination of users and groups listed in their respective
     Runas_Lists. If only the first is specified, the command may be run as
     any user in the list and, optionally, with any group the target user
     belongs to. If the first Runas_List is empty but the second is specified,
     the command may be run as the invoking user with the group set to any
     listed in the Runas_List. If both Runas_Lists are empty, the command may
     only be run as the invoking user and the group, if specified, must be one
     that the invoking user is a member of. If no Runas_Spec is specified,
     the command may only be run as the runas_default user (root by default)
     and the group, if specified, must be one that the runas_default user is a
     member of.

     A Runas_Spec sets the default for the commands that follow it. What this
     means is that for the entry:

           dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

     The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm on the host
     boulder—but only as operator. For example:

           $ sudo -u operator /bin/ls

     It is also possible to override a Runas_Spec later on in an entry. If we
     modify the entry like so:

           dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

     Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
     and /usr/bin/lprm as root.

     We can extend this to allow dgb to run /bin/ls with either the user or
     group set to operator:

           dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
               /usr/bin/lprm

     While the group portion of the Runas_Spec permits the user to run a
     command with that group, it does not force the user to do so. If no group
     is specified on the command line, the command will run with the group
     listed in the target user's password database entry. The following would
     all be permitted by the sudoers entry above:

           $ sudo -u operator /bin/ls
           $ sudo -u operator -g operator /bin/ls
           $ sudo -g operator /bin/ls

     In the following example, user tcm may run commands that access a modem
     device file with the dialer group.

           tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
               /usr/local/bin/minicom

     In this example only the group will be set, the command still runs as
     user tcm. For example:

           $ sudo -g dialer /usr/bin/cu

     Multiple users and groups may be present in a Runas_Spec, in which case
     the user may select any combination of users and groups via the -u and -g
     options. In this example:

           alan ALL = (root, bin : operator, system) ALL

     user alan may run any command as either user root or bin, optionally
     setting the group to operator or system.
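
     The following added example models the Runas_Spec rules above as a
     decision function. It is an illustration written for this page, not
     sudoers' own code: the memberships in GROUPS are constructed sample data
     standing in for the system group database, runas_default is assumed to
     be root, and when -g is given without -u the target user is assumed to
     be the invoking user, as the third command in the dgb example shows.

```python
# Model of the Runas_Spec rules of sudoers(5).  Added illustration, not
# sudo's own policy code; GROUPS is constructed sample data.
from typing import Dict, Optional, Sequence, Set

RUNAS_DEFAULT = "root"  # sudoers' runas_default user (root unless changed in Defaults)

# Constructed sample group memberships, user -> groups.
GROUPS: Dict[str, Set[str]] = {
    "root": {"root", "wheel"},
    "operator": {"operator", "wheel"},
    "dgb": {"dgb", "users"},
    "tcm": {"tcm", "users"},
    "alan": {"alan"},
}


def _member(user: str, group: str) -> bool:
    return group in GROUPS.get(user, set())


def runas_permitted(spec_users: Optional[Sequence[str]],
                    spec_groups: Optional[Sequence[str]],
                    invoking_user: str,
                    want_user: Optional[str] = None,
                    want_group: Optional[str] = None) -> bool:
    """Decide whether a -u/-g request is allowed by one Runas_Spec.

    spec_users / spec_groups are the two Runas_Lists; None means the list was
    not written (both None: no Runas_Spec at all).  want_user / want_group are
    the -u and -g values, None when the option was not given.
    """
    if spec_users is None and spec_groups is None:
        # No Runas_Spec: only runas_default, and only a group it belongs to.
        return ((want_user is None or want_user == RUNAS_DEFAULT)
                and (want_group is None or _member(RUNAS_DEFAULT, want_group)))

    users = list(spec_users or [])
    groups = list(spec_groups or [])
    # Assumed: with -g but no -u, sudo runs the command as the invoking user.
    target = want_user if want_user is not None else (
        invoking_user if want_group is not None else RUNAS_DEFAULT)

    if users and not groups:
        # (user) only: any listed user, optionally one of that user's groups.
        return target in users and (want_group is None or _member(target, want_group))
    if groups and not users:
        # (: group) only: the invoking user, with a group from the list.
        return target == invoking_user and (want_group is None or want_group in groups)
    if not users and not groups:
        # (): the invoking user and one of the invoking user's own groups.
        return target == invoking_user and (want_group is None or _member(invoking_user, want_group))
    # Both lists: any combination of a listed user and a listed group; a bare
    # -g (no -u) keeps the invoking user, which the dgb example permits.
    user_ok = target in users or (want_user is None and want_group is not None)
    group_ok = want_group is None or want_group in groups
    return user_ok and group_ok
```

     The (operator : operator) entry, for instance, accepts the three sudo
     commands listed above and rejects -g wheel, because wheel is not in the
     group Runas_List even though operator is a member of it.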

   Option_Spec
     A Cmnd may have zero or more options associated with it. Options may
     consist of SELinux roles and/or types, start and/or end dates and command
     timeouts. Once an option is set for a Cmnd, subsequent Cmnds in the
     Cmnd_Spec_List inherit that option unless it is overridden by another
     option. Option names are reserved words in sudoers. This means that
     none of the valid option names (see below) can be used when declaring an
     alias.

   SELinux_Spec
     On systems with SELinux support, sudoers file entries may optionally have
     an SELinux role and/or type associated with a command. This can be used
     to implement a form of role-based access control (RBAC). If a role or
     type is specified with the command it will override any default values
     specified in sudoers. A role or type specified on the command line,
     however, will supersede the values in sudoers.

   Date_Spec
     sudoers rules can be specified with a start and end date via the
     NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
     “Generalized Time” as defined by RFC 4517. The format is effectively
     ‘yyyymmddHHMMSSZ’ where the minutes and seconds are optional. The ‘Z’
     suffix indicates that the time stamp is in Coordinated Universal Time
     (UTC). It is also possible to specify a timezone offset from UTC in
     hours and minutes instead of a ‘Z’. For example, ‘-0500’ would
     correspond to Eastern Standard time in the US. As an extension, if no
     ‘Z’ or timezone offset is specified, local time will be used.

     The following are all valid time stamps:

           20170214083000Z
           2017021408Z
           20160315220000-0500
           20151201235900

   Timeout_Spec
     A command may have a timeout associated with it. If the timeout expires
     before the command has exited, the command will be terminated. The
     timeout may be specified in combinations of days, hours, minutes, and
     seconds with a single-letter case-insensitive suffix that indicates the
     unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes, and
     10 seconds would be written as ‘7d8h30m10s’. If a number is specified
     without a unit, seconds are assumed. Any of the days, minutes, hours, or
     seconds may be omitted. The order must be from largest to smallest unit
     and a unit may not be specified more than once.

     The following are all valid timeout values: ‘7d8h30m10s’, ‘14d’, ‘8h30m’,
     ‘600s’, ‘3600’. The following are invalid timeout values: ‘12m2w1d’,
     ‘30s10m4h’, ‘1d2d3h’.

     This setting is only supported by version 1.8.20 or higher.
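
     The following added example (not sudoers' own parser) validates
     Date_Spec and Timeout_Spec values by the rules stated in the two
     sections above: the four time stamps listed parse, the listed valid
     timeouts convert to seconds, and the listed invalid ones are rejected.
     Python's datetime stands in for the C time functions, and a naive
     datetime represents the "local time" extension.

```python
# Validators for Date_Spec (NOTBEFORE/NOTAFTER) and Timeout_Spec values.
# Added illustration, not sudoers' own code.
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

_GENTIME = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(Z|[+-]\d{4})?$")


def parse_gentime(value: str) -> datetime:
    """Parse an RFC 4517 Generalized Time stamp: yyyymmddHH[MM[SS]] followed by
    'Z' (UTC), a +hhmm/-hhmm offset, or nothing (local time, sudoers' extension)."""
    m = _GENTIME.match(value)
    if not m:
        raise ValueError(f"invalid Generalized Time: {value!r}")
    year, month, day, hour = (int(x) for x in m.group(1, 2, 3, 4))
    minute = int(m.group(5) or 0)
    second = int(m.group(6) or 0)
    zone = m.group(7)
    if zone is None:
        tz = None                                 # naive datetime: local time
    elif zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5])))
    return datetime(year, month, day, hour, minute, second, tzinfo=tz)


def valid_gentime(value: str) -> bool:
    try:
        parse_gentime(value)
        return True
    except ValueError:
        return False


def rule_active(now: datetime, notbefore: Optional[datetime] = None,
                notafter: Optional[datetime] = None) -> bool:
    """True if `now` lies inside the NOTBEFORE/NOTAFTER window (either may be absent)."""
    def aware(dt: datetime) -> datetime:
        return dt if dt.tzinfo else dt.astimezone()   # naive -> local zone
    now = aware(now)
    if notbefore is not None and now < aware(notbefore):
        return False
    if notafter is not None and now > aware(notafter):
        return False
    return True


_UNITS = (("d", 86400), ("h", 3600), ("m", 60), ("s", 1))   # largest first


def parse_timeout(value: str) -> int:
    """Return a Timeout_Spec in seconds; reject unknown, repeated or out-of-order units."""
    if value.isdigit():
        return int(value)                         # bare number: seconds
    total, pos, last = 0, 0, -1
    for m in re.finditer(r"(\d+)([A-Za-z])", value):
        if m.start() != pos:                      # gap or junk between terms
            raise ValueError(f"invalid timeout: {value!r}")
        pos = m.end()
        unit = m.group(2).lower()                 # suffix is case-insensitive
        idx = next((i for i, (u, _) in enumerate(_UNITS) if u == unit), -1)
        if idx < 0:
            raise ValueError(f"unknown unit {unit!r} in {value!r}")
        if idx <= last:                           # repeated or out of order
            raise ValueError(f"unit order error in {value!r}")
        last = idx
        total += int(m.group(1)) * _UNITS[idx][1]
    if pos == 0 or pos != len(value):
        raise ValueError(f"invalid timeout: {value!r}")
    return total


def valid_timeout(value: str) -> bool:
    try:
        parse_timeout(value)
        return True
    except ValueError:
        return False
```

     rule_active compares an aware "now" against the window, converting a
     naive (local-time) stamp with astimezone() so that local and UTC stamps
     can be mixed in one rule set.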

   Chdir_Spec
     The working directory that the command will be run in can be specified
     using the CWD setting. The directory must be a fully-qualified path name
     beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
     of “*” indicates that the user may specify the working directory by
     running sudo with the -D option. By default, commands are run from the
     invoking user's current working directory, unless the -i option is given.
     Path names of the form ~user/path/name are interpreted as being relative
     to the named user's home directory. If the user name is omitted, the
     path will be relative to the runas user's home directory.

     This setting is only supported by version 1.9.3 or higher.

   Chroot_Spec
     The root directory that the command will be run in can be specified using
     the CHROOT setting. The directory must be a fully-qualified path name
     beginning with a ‘/’ or ‘~’ character, or the special value “*”. A value
     of “*” indicates that the user may specify the root directory by running
     sudo with the -R option. This setting can be used to run the command in
     a chroot(2) “sandbox” similar to the chroot(8) utility. Path names of
     the form ~user/path/name are interpreted as being relative to the named
     user's home directory. If the user name is omitted, the path will be
     relative to the runas user's home directory.

     This setting is only supported by version 1.9.3 or higher.

   Tag_Spec
     A command may have zero or more tags associated with it. The following
     tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
     NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, INTERCEPT,
     NOINTERCEPT, PASSWD, NOPASSWD, SETENV, and NOSETENV. Once a tag is set
     on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the tag unless
     it is overridden by the opposite tag (in other words, PASSWD overrides
     NOPASSWD and NOEXEC overrides EXEC).

     EXEC and NOEXEC

        If sudo has been compiled with noexec support and the underlying
        operating system supports it, the NOEXEC tag can be used to prevent a
        dynamically-linked executable from running further commands itself.

        In the following example, user aaron may run /usr/bin/more and
        /usr/bin/vi but shell escapes will be disabled.

              aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

        See the Preventing shell escapes section below for more details on how
        NOEXEC works and whether or not it will work on your system.

     FOLLOW and NOFOLLOW

        Starting with version 1.8.15, sudoedit will not open a file that is a
        symbolic link unless the sudoedit_follow flag is enabled. The FOLLOW
        and NOFOLLOW tags override the value of sudoedit_follow and can be used
        to permit (or deny) the editing of symbolic links on a per-command
        basis. These tags are only effective for the sudoedit command and are
        ignored for all other commands.

     LOG_INPUT and NOLOG_INPUT

        These tags override the value of the log_input flag on a per-command
        basis. For more information, see I/O LOGGING.

     LOG_OUTPUT and NOLOG_OUTPUT

        These tags override the value of the log_output flag on a per-command
        basis. For more information, see I/O LOGGING.

     MAIL and NOMAIL

        These tags provide fine-grained control over whether mail will be sent
        when a user runs a command by overriding the value of the
        mail_all_cmnds flag on a per-command basis. They have no effect when
        sudo is run with the -l or -v options. A NOMAIL tag will also override
        the mail_always and mail_no_perms options. For more information, see
        the descriptions of mail_all_cmnds, mail_always, and mail_no_perms in
        the SUDOERS OPTIONS section below.

     PASSWD and NOPASSWD

        By default, sudo requires that a user authenticate before running a
        command. This behavior can be modified via the NOPASSWD tag. Like a
        Runas_Spec, the NOPASSWD tag sets a default for the commands that
        follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
        to reverse things. For example:

              ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

        would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
        as root on the machine “rushmore” without authenticating himself. If
        we only want ray to be able to run /bin/kill without a password the
        entry would be:

              ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

        Note, however, that the PASSWD tag has no effect on users who are in
        the group specified by the exempt_group setting.

        By default, if the NOPASSWD tag is applied to any of a user's entries
        for the current host, the user will be able to run ‘sudo -l’ without a
        password. Additionally, a user may only run ‘sudo -v’ without a
        password if all of the user's entries for the current host have the
        NOPASSWD tag. This behavior may be overridden via the verifypw and
        listpw options.
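
     As an added example (not sudoers' own parser), the following parses the
     Cmnd_Spec_List of a user specification and shows how a Runas_Spec and the
     tags carry over from one Cmnd to the next until overridden: the dgb and
     ray entries above are the inputs. It handles only the syntax those
     entries use; aliases, Option_Spec values and commas inside arguments are
     assumed absent.

```python
# Cmnd_Spec_List parser demonstrating Runas_Spec and Tag_Spec inheritance.
# Added illustration, not sudoers' own parser.
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TAGS = {"EXEC", "NOEXEC", "FOLLOW", "NOFOLLOW", "LOG_INPUT", "NOLOG_INPUT",
        "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "INTERCEPT",
        "NOINTERCEPT", "PASSWD", "NOPASSWD", "SETENV", "NOSETENV"}


def opposite_tag(tag: str) -> str:
    """PASSWD <-> NOPASSWD, EXEC <-> NOEXEC, and so on."""
    return tag[2:] if tag.startswith("NO") else "NO" + tag


@dataclass
class CmndSpec:
    cmnd: str
    runas_users: Optional[List[str]]   # None: no Runas_Spec in effect
    runas_groups: Optional[List[str]]  # None: no group Runas_List written
    tags: FrozenSet[str]


def _split_list(text: str) -> List[str]:
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_user_spec(line: str) -> Tuple[str, str, List[CmndSpec]]:
    """Parse 'User Host = Cmnd_Spec_List' into (user, host, [CmndSpec, ...])."""
    line = line.replace("\\\n", " ")             # join backslash-continued lines
    lhs, rhs = line.split("=", 1)
    user, host = lhs.split()
    runas_users: Optional[List[str]] = None
    runas_groups: Optional[List[str]] = None
    tags: set = set()
    specs: List[CmndSpec] = []
    rest = rhs.strip()
    while rest:
        m = re.match(r"\(([^)]*)\)\s*", rest)        # Runas_Spec: (users : groups)
        if m:
            inner = m.group(1)
            users_part, colon, groups_part = inner.partition(":")
            runas_users = _split_list(users_part)
            runas_groups = _split_list(groups_part) if colon else None
            rest = rest[m.end():]
            continue
        m = re.match(r"([A-Z_]+):\s*", rest)          # Tag_Spec: TAG:
        if m and m.group(1) in TAGS:
            tags.discard(opposite_tag(m.group(1)))   # the opposite tag is replaced
            tags.add(m.group(1))
            rest = rest[m.end():]
            continue
        m = re.match(r"([^,]+?)\s*(?:,\s*|$)", rest)  # command (with arguments)
        specs.append(CmndSpec(m.group(1), runas_users, runas_groups, frozenset(tags)))
        rest = rest[m.end():]
    return user, host, specs


def requires_password(spec: CmndSpec) -> bool:
    """True unless NOPASSWD is in effect (the authenticate flag defaults to on)."""
    return "NOPASSWD" not in spec.tags
```

     Each CmndSpec carries a snapshot of the Runas_Spec and tag state at the
     point the command was parsed, which is exactly the inheritance the text
     describes: /usr/bin/lprm in the second ray entry still requires a
     password because PASSWD was the last tag seen.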

     SETENV and NOSETENV

        These tags override the value of the setenv flag on a per-command
        basis. If SETENV has been set for a command, the user may disable the
        env_reset flag from the command line via the -E option. Additionally,
        environment variables set on the command line are not subject to the
        restrictions imposed by env_check, env_delete, or env_keep. As such,
        only trusted users should be allowed to set variables in this manner.
        If the command matched is ALL, the SETENV tag is implied for that
        command; this default may be overridden by use of the NOSETENV tag.

     INTERCEPT and NOINTERCEPT

        If sudo has been compiled with intercept support and the underlying
        operating system supports it, the INTERCEPT tag can be used to cause
        programs spawned by a command to be validated against sudoers and
        logged just like they would be if run through sudo directly. This is
        useful in conjunction with commands that allow shell escapes such as
        editors, shells, and paginators. There is additional overhead due to
        the policy check that may add latency when running commands such as
        shell scripts that execute a large number of sub-commands. For
        interactive commands, such as a shell or editor, the overhead is not
        usually noticeable.

        In the following example, user chuck may run any command on the machine
        “research” in intercept mode.

              chuck research = INTERCEPT: ALL

        See the Preventing shell escapes section below for more details on how
        INTERCEPT works and whether or not it will work on your system.

   Wildcards
     sudo allows shell-style wildcards (aka meta or glob characters) to be
     used in host names, path names, and command line arguments in the sudoers
     file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
     as specified by IEEE Std 1003.1 (“POSIX.1”).

     *        Matches any set of zero or more characters (including white
              space).

     ?        Matches any single character (including white space).

     [...]    Matches any character in the specified range.

     [!...]   Matches any character not in the specified range.

     \x       For any character ‘x’, evaluates to ‘x’. This is used to
              escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.

     These are not regular expressions. Unlike a regular expression there is
     no way to match one or more characters within a range.

     Character classes may be used if your system's glob(3) and fnmatch(3)
     functions support them. However, because the ‘:’ character has special
     meaning in sudoers, it must be escaped. For example:

           /bin/ls [[\:alpha\:]]*

     Would match any file name beginning with a letter.

     A forward slash (‘/’) will not be matched by wildcards used in the file
     name portion of the command. This is to make a path like:

           /usr/bin/*

     match /usr/bin/who but not /usr/bin/X11/xterm.

     When matching the command line arguments, however, a slash does get
     matched by wildcards since command line arguments may contain arbitrary
     strings and not just path names.

     Wildcards in command line arguments should be used with care.
     Wildcards can match any character, including white space. In most cases,
     it is safer to use a regular expression to match command line arguments.
     For more information, see Wildcards in command arguments below.

   Exceptions to wildcard rules
     The following exceptions apply to the above rules:

     ""        If the empty string ‘""’ is the only command line argument in
               the sudoers file entry it means that command is not allowed to
               be run with any arguments.

     sudoedit  Command line arguments to the sudoedit built-in command should
               always be path names, so a forward slash (‘/’) will not be
               matched by a wildcard.
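
     The following added example (not sudoers' own matcher) applies the
     wildcard rules of the two sections above: a ‘/’ is never matched by a
     wildcard in the command path but is in the arguments, ‘""’ means no
     arguments are allowed, and a character class is written with the ‘:’
     escaped. Python's re stands in for fnmatch(3), so the POSIX classes are
     translated by a small table. The last check in the test shows the white
     space point: an argument pattern such as /home/* also matches a second
     argument appended after a space.

```python
# Wildcard matcher following the sudoers(5) rules for command paths and
# arguments.  Added illustration, not sudoers' own code.
import re
from typing import List, Optional, Tuple

_POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
                  "upper": "A-Z", "lower": "a-z", "space": r" \t\n\r\f\v"}


def _bracket(pattern: str, i: int) -> Tuple[str, int]:
    """Translate the bracket expression starting at pattern[i] == '['."""
    j, negate, parts, first = i + 1, False, [], True
    if j < len(pattern) and pattern[j] == "!":
        negate, j = True, j + 1
    while j < len(pattern):
        c = pattern[j]
        if c == "]" and not first:               # a leading ']' is literal
            return ("[^" if negate else "[") + "".join(parts) + "]", j + 1
        first = False
        if pattern.startswith("[:", j) and ":]" in pattern[j + 2:]:
            end = pattern.index(":]", j + 2)
            name = pattern[j + 2:end]
            if name not in _POSIX_CLASSES:
                raise ValueError(f"unsupported class [:{name}:]")
            parts.append(_POSIX_CLASSES[name])
            j = end + 2
            continue
        if c == "\\" and j + 1 < len(pattern):   # \x inside a class
            j, c = j + 1, pattern[j + 1]
        parts.append(c if c == "-" else re.escape(c))   # keep ranges like a-z
        j += 1
    return re.escape("["), i + 1                 # unterminated: literal '['


def glob_to_regex(pattern: str, slash_matches: bool) -> str:
    """'*' and '?' match '/' only when slash_matches is True (argument matching)."""
    any_char = "." if slash_matches else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            piece, i = _bracket(pattern, i)
            out.append(piece)
            continue
        elif c == "\\" and i + 1 < len(pattern):  # \x evaluates to x
            i += 1
            out.append(re.escape(pattern[i]))
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def glob_match(pattern: str, text: str, slash_matches: bool) -> bool:
    return re.fullmatch(glob_to_regex(pattern, slash_matches), text) is not None


def match_command(rule_cmnd: str, rule_args: Optional[str],
                  cmnd: str, args: List[str]) -> bool:
    """rule_args None: any arguments; '""': no arguments allowed; otherwise a
    wildcard pattern matched against the arguments joined by single spaces."""
    if not glob_match(rule_cmnd, cmnd, slash_matches=False):
        return False
    if rule_args is None:
        return True
    if rule_args == '""':
        return not args
    # The sudoers lexer strips the backslash from '\:' before matching.
    return glob_match(rule_args.replace("\\:", ":"), " ".join(args), slash_matches=True)
```

     Arguments are compared as one space-joined string, which is why a
     trailing ‘*’ in an argument pattern accepts any number of further
     arguments; the Regular expressions section that follows is the safer
     alternative for that case.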

   Regular expressions
     Starting with version 1.9.10, it is possible to use regular expressions
     for path names and command line arguments. Regular expressions are more
     expressive than shell-style wildcards and are usually safer because they
     provide a greater degree of control when matching. The type of regular
     expressions supported by sudoers are POSIX extended regular expressions,
     similar to those used by the egrep(1) utility. They are usually
     documented in the regex(7) or re_format(7) manual, depending on the
     system. As an extension, if the regular expression begins with “(?i)”,
     it will be matched in a case-insensitive manner.

     In sudoers, regular expressions must start with a ‘^’ character and end
     with a ‘$’. This makes it explicit what is, or is not, a regular
     expression. Either the path name, the command line arguments or both may
     be regular expressions. Because the path name and arguments are matched
     separately, it is even possible to use wildcards for the path name and
     regular expressions for the arguments. It is not possible to use a
     single regular expression to match both the command and its arguments.
     Regular expressions in sudoers are limited to 1024 characters.

     There is no need to escape sudoers special characters in a regular
     expression other than the pound sign (‘#’).

     In the following example, user john can run the passwd(1) command as root
     on any host but is not allowed to change root's password. This kind of
     rule is impossible to express safely using wildcards.

           john ALL = /usr/bin/passwd ^[a-zA-Z0-9_]+$,\
               !/usr/bin/passwd root

     It is also possible to use a regular expression in conjunction with
     sudoedit rules. The following rule would give user bob the ability to
     edit the /etc/motd, /etc/issue, and /etc/hosts files only.

           bob ALL = sudoedit ^/etc/(motd|issue|hosts)$

     Regular expressions may also be used to match the command itself. In
     this example, a regular expression is used to allow user sid to run the
     /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel,
     /usr/sbin/useradd, /usr/sbin/usermod, and /usr/sbin/userdel commands as
     root.

           sid ALL = ^/usr/sbin/(group|user)(add|mod|del)$

     One disadvantage of using a regular expression to match the command name
     is that it is not possible to match relative paths such as ./useradd or
     ../sbin/useradd. This has security implications when a regular
     expression is used for the command name in conjunction with the negation
     operator, ‘!’, as such rules can be trivially bypassed. Because of this,
     using a negated regular expression for the command name is strongly
     discouraged. This does not apply to negated commands that only use a
     regular expression to match the command arguments. See Regular
     expressions in command names below for more information.
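
     The following added example (not sudoers' own code) applies the
     regular-expression rules of this section to the john, bob and sid
     entries above, and includes the check a sudoers reviewer would run: a
     lint that flags a negated regular-expression command name, which the
     text advises against. Python's re stands in for POSIX ERE (the patterns
     used are in the shared subset), and sudoers' rule that the last matching
     entry wins is assumed.

```python
# Validation and matching for sudoers regular-expression rules, plus a lint
# for negated regex command names.  Added illustration, not sudoers' code.
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_REGEX_LEN = 1024


def compile_sudoers_regex(expr: str) -> re.Pattern:
    """A sudoers regex must begin with '^' and end with '$'; an optional '(?i)'
    prefix requests case-insensitive matching; length is capped at 1024."""
    if len(expr) > MAX_REGEX_LEN:
        raise ValueError("regular expression longer than 1024 characters")
    flags, body = 0, expr
    if body.startswith("(?i)"):
        flags, body = re.IGNORECASE, body[4:]
    if not (body.startswith("^") and body.endswith("$")):
        raise ValueError(f"not anchored with ^ and $: {expr!r}")
    return re.compile(body, flags)


def is_regex(token: str) -> bool:
    """In sudoers a regex is recognised by its leading '^' (after any '(?i)')."""
    return token.startswith("^") or token.startswith("(?i)^")


@dataclass
class Rule:
    negated: bool
    cmnd: str              # literal path or anchored regex
    args: Optional[str]    # None: any args; '""': none; literal or regex


def _matches(pattern: Optional[str], text: str) -> bool:
    if pattern is None:
        return True
    if pattern == '""':
        return text == ""
    if is_regex(pattern):
        return compile_sudoers_regex(pattern).fullmatch(text) is not None
    return pattern == text           # literal (wildcards not modelled here)


def allowed(rules: List[Rule], cmnd: str, args: List[str]) -> bool:
    """Evaluate rules in order; as in sudoers, the last matching rule wins."""
    verdict = False
    joined = " ".join(args)
    for rule in rules:
        if _matches(rule.cmnd, cmnd) and _matches(rule.args, joined):
            verdict = not rule.negated
    return verdict


def negated_command_regex_warnings(rules: List[Rule]) -> List[str]:
    """Flag '!' rules whose command name is a regex: an anchored absolute-path
    regex never matches a relative path such as ./useradd, so the exclusion
    is incomplete.  Negation on argument regexes alone is not flagged."""
    return [f"negated regex command name: {r.cmnd}"
            for r in rules if r.negated and is_regex(r.cmnd)]


# The three entries from the text, as parsed rule lists.
JOHN_RULES = [Rule(False, "/usr/bin/passwd", "^[a-zA-Z0-9_]+$"),
              Rule(True, "/usr/bin/passwd", "root")]
BOB_RULES = [Rule(False, "sudoedit", "^/etc/(motd|issue|hosts)$")]
SID_RULES = [Rule(False, "^/usr/sbin/(group|user)(add|mod|del)$", None)]
```

     The john rules show why last-match evaluation matters: "passwd root"
     matches the permissive regex entry first, and the later negated entry
     then overrides it. The sid rule accepts /usr/sbin/useradd but not
     ./useradd, which is the behaviour behind the warning in the last
     paragraph above.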

   Including other files from within sudoers
     It is possible to include other sudoers files from within the sudoers
     file currently being parsed using the @include and @includedir
     directives. For compatibility with sudo versions prior to 1.9.1, #include
     and #includedir are also accepted.

     An include file can be used, for example, to keep a site-wide sudoers
     file in addition to a local, per-machine file. For the sake of this
     example the site-wide sudoers file will be /etc/sudoers and the
     per-machine one will be /etc/sudoers.local. To include /etc/sudoers.local
     from within /etc/sudoers one would use the following line in
     /etc/sudoers:

           @include /etc/sudoers.local

     When sudo reaches this line it will suspend processing of the current
     file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching the
     end of /etc/sudoers.local, the rest of /etc/sudoers will be processed.
     Files that are included may themselves include other files. A hard limit
     of 128 nested include files is enforced to prevent include file loops.

     Starting with version 1.9.1, the path to the include file may contain
     white space if it is escaped with a backslash (‘\’). Alternately, the
     entire path may be enclosed in double quotes (""), in which case no
     escaping is necessary. To include a literal backslash in the path, ‘\\’
     should be used.

     If the path to the include file is not fully-qualified (does not begin
     with a ‘/’), it must be located in the same directory as the sudoers file
     it was included from. For example, if /etc/sudoers contains the line:

           @include sudoers.local

     the file that will be included is /etc/sudoers.local.

     The file name may also include the ‘%h’ escape, signifying the short form
     of the host name. In other words, if the machine's host name is
     “xerxes”, then

           @include /etc/sudoers.%h

     will cause sudo to include the file /etc/sudoers.xerxes.

     The @includedir directive can be used to create a sudoers.d directory
     that the system package manager can drop sudoers file rules into as part
     of package installation. For example, given:

           @includedir /etc/sudoers.d

     sudo will suspend processing of the current file and read each file in
     /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’
     character to avoid causing problems with package manager or editor
     temporary/backup files.

     Files are parsed in sorted lexical order. That is,
     /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second.
     Be aware that because the sorting is lexical, not numeric,
     /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second.
     Using a consistent number of leading zeroes in the file names can be used
     to avoid such problems. After parsing the files in the directory,
     control returns to the file that contained the @includedir directive.

     Unlike files included via @include, visudo will not edit the files in a
     @includedir directory unless one of them contains a syntax error. It is
     still possible to run visudo with the -f flag to edit the files directly,
     but this will not catch the redefinition of an alias that is also present
     in a different file.
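
     The following added example (not sudoers' own parser) resolves @include
     and @includedir directives by the rules of this section over a
     constructed temporary tree, so the points above can be observed
     directly: relative paths resolve against the including file's directory,
     %h expands to the short host name, quoted or backslash-escaped paths are
     accepted, names ending in ‘~’ or containing ‘.’ are skipped, the
     directory is read in lexical order (1_whoops after 10_second), and a
     self-including file trips the 128-level nesting limit. The host name
     xerxes.sudo.ws, the file names and their contents are constructed.

```python
# Resolver for @include / @includedir (and the legacy #include forms).
# Added illustration over a constructed tree, not sudoers' own parser.
import os
import re
import tempfile
from typing import List, Optional

MAX_NESTING = 128
_DIRECTIVE = re.compile(r"^\s*[@#](includedir|include)\s+(.*?)\s*$")


def unquote_path(raw: str) -> str:
    """Apply the 1.9.1+ quoting rules: "a b" -> a b, a\\ b -> a b, \\\\ -> \\."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            i += 1                                # take the escaped character
        out.append(raw[i])
        i += 1
    return "".join(out)


def resolve_includes(path: str, hostname: str, depth: int = 0,
                     order: Optional[List[str]] = None) -> List[str]:
    """Return the files in the order sudoers would parse them."""
    if order is None:
        order = []
    if depth > MAX_NESTING:
        raise RuntimeError(f"include nesting deeper than {MAX_NESTING}: {path}")
    order.append(path)
    base = os.path.dirname(path)
    short_host = hostname.split(".")[0]           # %h is the short host name
    with open(path) as fh:
        for line in fh:
            m = _DIRECTIVE.match(line)
            if not m:
                continue
            target = unquote_path(m.group(2)).replace("%h", short_host)
            if not target.startswith("/"):        # relative to the including file
                target = os.path.join(base, target)
            if m.group(1) == "include":
                resolve_includes(target, hostname, depth + 1, order)
            else:
                for name in sorted(os.listdir(target)):   # lexical order
                    if name.endswith("~") or "." in name:  # editor/package leftovers
                        continue
                    resolve_includes(os.path.join(target, name), hostname, depth + 1, order)
    return order


def build_sample_tree() -> str:
    """Constructed sudoers tree in a temporary directory; returns its root."""
    root = tempfile.mkdtemp(prefix="sudoers-demo-")
    os.mkdir(os.path.join(root, "sudoers.d"))
    files = {
        "sudoers": f'@include sudoers.local\n@include "{root}/sudoers.%h"\n'
                   f"#includedir {root}/sudoers.d\n",
        "sudoers.local": "# local rules\n",
        "sudoers.xerxes": "# host-specific rules\n",
        "sudoers.d/01_first": "# first\n",
        "sudoers.d/10_second": "# second\n",
        "sudoers.d/1_whoops": "# sorts after 10_second\n",
        "sudoers.d/10_second~": "# editor backup, skipped\n",
        "sudoers.d/README.md": "# contains '.', skipped\n",
        "loop": "@include loop\n",
    }
    for name, text in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return root


def demo_order(root: str) -> List[str]:
    """Parse order for the sample tree, as paths relative to its root."""
    return [os.path.relpath(p, root) for p in
            resolve_includes(os.path.join(root, "sudoers"), "xerxes.sudo.ws")]


def loop_detected(root: str) -> bool:
    """True if the self-including 'loop' file trips the nesting limit."""
    try:
        resolve_includes(os.path.join(root, "loop"), "xerxes")
    except RuntimeError:
        return True
    return False
```

     The nesting counter is a depth, not a total file count, which is what
     turns an include loop into a hard error rather than an endless parse.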
1075
1076 Other special characters and reserved words
1077 The pound sign (‘#’) is used to indicate a comment (unless it is part of
1078 a #include directive or unless it occurs in the context of a user name
1079 and is followed by one or more digits, in which case it is treated as a
1080 user-ID). Both the comment character and any text after it, up to the
1081 end of the line, are ignored.
1082
1083 The reserved word ALL is a built-in alias that always causes a match to
1084 succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
1085 User_Alias, Runas_Alias, or Host_Alias. Attempting to define an alias
1086 named ALL will result in a syntax error. Using ALL can be dangerous
1087 since in a command context, it allows the user to run any command on the
1088 system.
1089
1090 The following option names permitted in an Option_Spec are also consid‐
1091 ered reserved words: CHROOT, ROLE, TYPE, TIMEOUT, CWD, NOTBEFORE and
1092 NOTAFTER. Attempting to define an alias with the same name as one of the
1093 options will result in a syntax error.
1094
1095 An exclamation point (‘!’) can be used as a logical not operator in a
1096 list or alias as well as in front of a Cmnd. This allows one to exclude
1097 certain values. For the ‘!’ operator to be effective, there must be
1098 something for it to exclude. For example, to match all users except for
1099 root one would use:
1100
1101 ALL, !root
1102
1103 If the ALL, is omitted, as in:
1104
1105 !root
1106
1107 it would explicitly deny root but not match any other users. This is
1108 different from a true “negation” operator.
1109
1110 Note, however, that using a ‘!’ in conjunction with the built-in ALL
1111 alias to allow a user to run “all but a few” commands rarely works as in‐
1112 tended (see SECURITY NOTES below).
1113
1114 Long lines can be continued with a backslash (‘\’) as the last character
1115 on the line.
1116
1117 White space between elements in a list as well as special syntactic char‐
1118 acters in a User Specification (‘=’, ‘:’, ‘(’, ‘)’) is optional.
1119
1120 The following characters must be escaped with a backslash (‘\’) when used
1121 as part of a word (e.g., a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’,
1122 ‘(’, ‘)’, ‘\’.
1123
1125 sudo's behavior can be modified by Default_Entry lines, as explained ear‐
1126 lier. A list of all supported Defaults parameters, grouped by type, are
1127 listed below.
1128
1129 Boolean Flags:
1130
1131 always_query_group_plugin
1132 If a group_plugin is configured, use it to resolve
1133 groups of the form ‘%group’ as long as there is not
1134 also a system group of the same name. Normally, only
1135 groups of the form ‘%:group’ are passed to the
1136 group_plugin. This flag is off by default.
1137
1138 always_set_home If enabled, sudo will set the HOME environment variable
1139 to the home directory of the target user (which is the
1140 runas_default user unless the -u option is used). This
1141 flag is largely obsolete and has no effect unless the
1142 env_reset flag has been disabled or HOME is present in
1143 the env_keep list, both of which are strongly discour‐
1144 aged. This flag is off by default.
1145
1146 authenticate If set, users must authenticate themselves via a pass‐
1147 word (or other means of authentication) before they may
1148 run commands. This default may be overridden via the
1149 PASSWD and NOPASSWD tags. This flag is on by default.
1150
1151 case_insensitive_group
1152 If enabled, group names in sudoers will be matched in a
1153 case insensitive manner. This may be necessary when
1154 users are stored in LDAP or AD. This flag is on by de‐
1155 fault.
1156
1157 case_insensitive_user
1158 If enabled, user names in sudoers will be matched in a
1159 case insensitive manner. This may be necessary when
1160 groups are stored in LDAP or AD. This flag is on by
1161 default.
1162
1163 closefrom_override
1164 If set, the user may use the -C option which overrides
1165 the default starting point at which sudo begins closing
1166 open file descriptors. This flag is off by default.
1167
1168 compress_io If set, and sudo is configured to log a command's input
1169 or output, the I/O logs will be compressed using zlib.
1170 This flag is on by default when sudo is compiled with
1171 zlib support.
1172
1173 exec_background By default, sudo runs a command as the foreground
1174 process as long as sudo itself is running in the fore‐
1175 ground. When the exec_background flag is enabled and
1176 the command is being run in a pseudo-terminal (due to
1177 I/O logging or the use_pty flag), the command will be
1178 run as a background process. Attempts to read from the
1179 controlling terminal (or to change terminal settings)
1180 will result in the command being suspended with the
1181 SIGTTIN signal (or SIGTTOU in the case of terminal set‐
1182 tings). If this happens when sudo is a foreground
1183 process, the command will be granted the controlling
1184 terminal and resumed in the foreground with no user in‐
1185 tervention required. The advantage of initially run‐
1186 ning the command in the background is that sudo need
1187 not read from the terminal unless the command explic‐
1188 itly requests it. Otherwise, any terminal input must
1189 be passed to the command, whether it has required it or
1190 not (the kernel buffers terminals so it is not possible
1191 to tell whether the command really wants the input).
1192 This is different from historic sudo behavior or when
1193 the command is not being run in a pseudo-terminal.
1194
1195 For this to work seamlessly, the operating system must
1196 support the automatic restarting of system calls. Un‐
1197 fortunately, not all operating systems do this by de‐
1198 fault, and even those that do may have bugs. For exam‐
1199 ple, macOS fails to restart the tcgetattr(3) and
1200 tcsetattr(3) functions (this is a bug in macOS). Fur‐
1201 thermore, because this behavior depends on the command
1202 stopping with the SIGTTIN or SIGTTOU signals, programs
1203 that catch these signals and suspend themselves with a
1204 different signal (usually SIGTOP) will not be automati‐
1205 cally foregrounded. Some versions of the linux su(1)
1206 command behave this way. This flag is off by default.
1207
1208 This setting is only supported by version 1.8.7 or
1209 higher. It has no effect unless I/O logging is enabled
1210 or the use_pty flag is enabled.
1211
1212 env_editor If set, visudo will use the value of the SUDO_EDITOR,
1213 VISUAL or EDITOR environment variables before falling
1214 back on the default editor list. visudo is typically
1215 run as root so this flag may allow a user with visudo
1216 privileges to run arbitrary commands as root without
1217 logging. An alternative is to place a colon-separated
1218 list of “safe” editors int the editor setting. visudo
1219 will then only use SUDO_EDITOR, VISUAL or EDITOR if
1220 they match a value specified in editor. If the
1221 env_reset flag is enabled, the SUDO_EDITOR, VISUAL
1222 and/or EDITOR environment variables must be present in
1223 the env_keep list for the env_editor flag to function
1224 when visudo is invoked via sudo. This flag is on by
1225 default.
1226
1227 env_reset If set, sudo will run the command in a minimal environ‐
1228 ment containing the TERM, PATH, HOME, MAIL, SHELL,
1229 LOGNAME, USER and SUDO_* variables. Any variables in
1230 the caller's environment or in the file specified by
1231 the restricted_env_file setting that match the env_keep
1232 and env_check lists are then added, followed by any
1233 variables present in the file specified by the env_file
1234 setting (if any). The contents of the env_keep and
1235 env_check lists, as modified by global Defaults parame‐
1236 ters in sudoers, are displayed when sudo is run by root
1237 with the -V option. If the secure_path setting is en‐
1238 abled, its value will be used for the PATH environment
1239 variable. This flag is on by default.
1240
1241 fast_glob Normally, sudo uses the glob(3) function to do shell-
1242 style globbing when matching path names. However,
1243 since it accesses the file system, glob(3) can take a
1244 long time to complete for some patterns, especially
1245 when the pattern references a network file system that
1246 is mounted on demand (auto mounted). The fast_glob
1247 flag causes sudo to use the fnmatch(3) function, which
1248 does not access the file system to do its matching.
1249 The disadvantage of fast_glob is that it is unable to
1250 match relative paths such as ./ls or ../bin/ls. This
1251 has security implications when path names that include
1252 globbing characters are used with the negation opera‐
1253 tor, ‘!’, as such rules can be trivially bypassed. As
1254 such, this flag should not be used when the sudoers
1255 file contains rules that contain negated path names
1256 which include globbing characters. This flag is off by
1257 default.
1258
1259 log_passwords Most programs that require a user's password will dis‐
1260 able echo before reading the password to avoid display‐
1261 ing the plaintext password on the screen. However, if
1262 terminal input is being logged (see I/O LOGGING), the
1263 password will still be present in the I/O log. If the
1264 log_passwords option is disabled, sudoers will attempt
1265 to prevent passwords from being logged. It does this
1266 by using the regular expressions in passprompt_regex to
1267 match a password prompt in the terminal output buffer.
1268 When a match is found, input characters in the I/O log
1269 will be replaced with ‘*’ until either a line feed or
1270 carriage return is found in the terminal input or a new
1271 terminal output buffer is received. If, however, a
1272 program displays characters as the user types (such as
1273 sudo when pwfeedback is set), only the first character
1274 of the password will be replaced in the I/O log. This
1275 option has no effect unless log_input or log_ttyin are
1276 also set. This flag is on by default.
1277
1278 This setting is only supported by version 1.9.10 or
1279 higher.
1280
1281 fqdn Set this flag if you want to put fully qualified host
1282 names in the sudoers file when the local host name (as
1283 returned by the ‘hostname’ command) does not contain
1284 the domain name. In other words, instead of myhost you
1285 would use myhost.mydomain.edu. You may still use the
1286 short form if you wish (and even mix the two). This
1287 flag is only effective when the “canonical” host name,
1288 as returned by the getaddrinfo(3) or gethostbyname(3)
1289 function, is a fully-qualified domain name. This is
1290 usually the case when the system is configured to use
1291 DNS for host name resolution.
1292
1293 If the system is configured to use the /etc/hosts file
1294 in preference to DNS, the “canonical” host name may not
1295 be fully-qualified. The order that sources are queried
1296 for host name resolution is usually specified in the
1297 /etc/nsswitch.conf, /etc/netsvc.conf, /etc/host.conf,
1298 or, in some cases, /etc/resolv.conf file. In the
1299 /etc/hosts file, the first host name of the entry is
1300 considered to be the “canonical” name; subsequent names
1301 are aliases that are not used by sudoers. For example,
1302 the following hosts file line for the machine “xyzzy”
1303 has the fully-qualified domain name as the “canonical”
1304 host name, and the short version as an alias.
1305
1306 192.168.1.1 xyzzy.sudo.ws xyzzy
1307
1308 If the machine's hosts file entry is not formatted
1309 properly, the fqdn flag will not be effective if it is
1310 queried before DNS.
1311
1312 Beware that when using DNS for host name resolution,
1313 turning on fqdn requires sudoers to make DNS lookups
1314 which renders sudo unusable if DNS stops working (for
1315 example if the machine is disconnected from the net‐
1316 work). Just like with the hosts file, you must use the
1317 “canonical” name as DNS knows it. That is, you may not
1318 use a host alias (CNAME entry) due to performance is‐
1319 sues and the fact that there is no way to get all
1320 aliases from DNS.
1321
1322 This flag is off by default.

ignore_audit_errors
    Allow commands to be run even if sudoers cannot write to the audit log. If enabled, an audit log write failure is not treated as a fatal error. If disabled, a command may only be run after the audit event is successfully written. This flag is only effective on systems for which sudoers supports audit logging, including FreeBSD, Linux, macOS, and Solaris. This flag is on by default.

ignore_dot
    If set, sudo will ignore "." or "" (both denoting the current directory) in the PATH environment variable; the PATH itself is not modified. This flag is on by default.

ignore_iolog_errors
    Allow commands to be run even if sudoers cannot write to the I/O log (local or remote). If enabled, an I/O log write failure is not treated as a fatal error. If disabled, the command will be terminated if the I/O log cannot be written to. This flag is off by default.

ignore_logfile_errors
    Allow commands to be run even if sudoers cannot write to the log file. If enabled, a log file write failure is not treated as a fatal error. If disabled, a command may only be run after the log file entry is successfully written. This flag only has an effect when sudoers is configured to use file-based logging via the logfile setting. This flag is on by default.

ignore_local_sudoers
    If set via LDAP, parsing of /etc/sudoers will be skipped. This is intended for sites that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to /etc/sudoers. When this flag is enabled, /etc/sudoers does not even need to exist. Since this flag tells sudo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the ‘cn=defaults’ section. This flag is off by default.

ignore_unknown_defaults
    If set, sudo will not produce a warning if it encounters an unknown Defaults entry in the sudoers file or an unknown sudoOption in LDAP. This flag is off by default.

insults
    If set, sudo will insult users when they enter an incorrect password. This flag is off by default.

log_allowed
    If set, sudoers will log commands allowed by the policy to the system audit log (where supported) as well as to syslog and/or a log file. This flag is on by default.

    This setting is only supported by version 1.8.29 or higher.

log_denied
    If set, sudoers will log commands denied by the policy to the system audit log (where supported) as well as to syslog and/or a log file. This flag is on by default.

    This setting is only supported by version 1.8.29 or higher.

log_exit_status
    If set, sudoers will log the exit value of commands that are run to syslog and/or a log file. If a command was terminated by a signal, the signal name is logged as well. This flag is off by default.

    This setting is only supported by version 1.9.8 or higher.

log_host
    If set, the host name will be included in log entries written to the file configured by the logfile setting. This flag is off by default.

log_input
    If set, sudo will run the command in a pseudo-terminal (if sudo was run from a terminal) and log all user input. If the standard input is not connected to the user's terminal, due to I/O redirection or because the command is part of a pipeline, that input is also logged. For more information about I/O logging, see the I/O LOGGING section. This flag is off by default.

log_output
    If set, sudo will run the command in a pseudo-terminal (if sudo was run from a terminal) and log all output that is sent to the user's terminal, the standard output or the standard error. If the standard output or standard error is not connected to the user's terminal, due to I/O redirection or because the command is part of a pipeline, that output is also logged. For more information about I/O logging, see the I/O LOGGING section. This flag is off by default.

log_server_keepalive
    If set, sudo will enable the TCP keepalive socket option on the connection to the log server. This enables the periodic transmission of keepalive messages to the server. If the server does not respond to a message, the connection will be closed and the running command will be terminated unless the ignore_iolog_errors flag (I/O logging enabled) or the ignore_log_errors flag (I/O logging disabled) is set. This flag is on by default.

    This setting is only supported by version 1.9.0 or higher.

log_server_verify
    If set, the server certificate received during the TLS handshake must be valid and it must contain either the server name (from log_servers) or its IP address. If either of these conditions is not met, the TLS handshake will fail. This flag is on by default.

    This setting is only supported by version 1.9.0 or higher.

log_stderr
    If set, sudo will log the standard error if it is not connected to the user's terminal. This can be used to log output to a pipe or redirected to a file. This flag is off by default but is enabled when either the log_output flag or the LOG_OUTPUT command tag is set.

log_stdin
    If set, sudo will log the standard input if it is not connected to the user's terminal. This can be used to log input from a pipe or redirected from a file. This flag is off by default but is enabled when either the log_input flag or the LOG_INPUT command tag is set.

log_stdout
    If set, sudo will log the standard output if it is not connected to the user's terminal. This can be used to log output to a pipe or redirected to a file. This flag is off by default but is enabled when either the log_output flag or the LOG_OUTPUT command tag is set.

log_subcmds
    If set, sudoers will log when a command spawns a child process and executes a program using the execve(2), execl(3), execle(3), execlp(3), execv(3), execvp(3), execvpe(3), or system(3) library functions. For example, if a shell is run by sudo, the individual commands run via the shell will be logged. This flag is off by default.

    The log_subcmds flag uses the same underlying mechanism as the intercept setting. See Preventing shell escapes for more information on what systems support this option and its limitations. This setting is only supported by version 1.9.8 or higher and is incompatible with SELinux RBAC support unless the system supports seccomp(2) filter mode.

log_ttyin
    If set, sudo will run the command in a pseudo-terminal and log user keystrokes sent to the user's terminal, if one is present. This flag is off by default but is enabled when either the log_input flag or the LOG_INPUT command tag is set. If no terminal is present, for example when running a remote command using ssh(1), this flag will have no effect.

log_ttyout
    If set, sudo will run the command in a pseudo-terminal and log all output displayed on the user's terminal, if one is present. This flag is off by default but is enabled when either the log_output flag or the LOG_OUTPUT command tag is set. If no terminal is present, for example when running a remote command using ssh(1), this flag will have no effect.

log_year
    If set, the four-digit year will be logged in the (non-syslog) sudo log file. This flag is off by default.

long_otp_prompt
    When validating with a One Time Password (OTP) scheme such as S/Key or OPIE, a two-line prompt is used to make it easier to cut and paste the challenge to a local window. It's not as pretty as the default but some people find it more convenient. This flag is off by default.

mail_all_cmnds
    Send mail to the mailto user every time a user attempts to run a command via sudo (this includes sudoedit). No mail will be sent if the user runs sudo with the -l or -v option unless there is an authentication error and the mail_badpass flag is also set. This flag is off by default.

mail_always
    Send mail to the mailto user every time a user runs sudo. This flag is off by default.

mail_badpass
    Send mail to the mailto user if the user running sudo does not enter the correct password. If the command the user is attempting to run is not permitted by sudoers and one of the mail_all_cmnds, mail_always, mail_no_host, mail_no_perms or mail_no_user flags is set, this flag will have no effect. This flag is off by default.

mail_no_host
    If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file, but is not allowed to run commands on the current host. This flag is off by default.

mail_no_perms
    If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.

mail_no_user
    If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.

match_group_by_gid
    By default, sudoers will look up each group the user is a member of by group-ID to determine the group name (this is only done once). The resulting list of the user's group names is used when matching groups listed in the sudoers file. This works well on systems where the number of groups listed in the sudoers file is larger than the number of groups a typical user belongs to. On systems where group lookups are slow, where users may belong to a large number of groups, or where the number of groups listed in the sudoers file is relatively small, it may be prohibitively expensive and running commands via sudo may take longer than normal. On such systems it may be faster to use the match_group_by_gid flag to avoid resolving the user's group-IDs to group names. In this case, sudoers must look up any group name listed in the sudoers file and use the group-ID instead of the group name when determining whether the user is a member of the group.

    If match_group_by_gid is enabled, group database lookups performed by sudoers will be keyed by group name as opposed to group-ID. On systems where there are multiple sources for the group database, it is possible to have conflicting group names or group-IDs in the local /etc/group file and the remote group database. On such systems, enabling or disabling match_group_by_gid can be used to choose whether group database queries are performed by name (enabled) or ID (disabled), which may aid in working around group entry conflicts.

    The match_group_by_gid flag has no effect when sudoers data is stored in LDAP. This flag is off by default.

    This setting is only supported by version 1.8.18 or higher.

intercept
    If set, all commands run via sudo will behave as if the INTERCEPT tag has been set, unless overridden by a NOINTERCEPT tag. See the description of INTERCEPT and NOINTERCEPT above as well as the Preventing shell escapes section at the end of this manual. This flag is off by default.

    This setting is only supported by version 1.9.8 or higher and is incompatible with SELinux RBAC support unless the system supports seccomp(2) filter mode.

intercept_allow_setid
    On most systems, the dynamic loader will ignore LD_PRELOAD (or the equivalent) when running set-user-ID and set-group-ID programs, effectively disabling intercept mode. To prevent this from happening, sudoers will not permit a set-user-ID or set-group-ID program to be run in intercept mode unless intercept_allow_setid is enabled. This flag has no effect unless the intercept flag is enabled or the INTERCEPT tag has been set for the command. This flag is on by default when the intercept_type option is set to trace, otherwise it defaults to off.

    This setting is only supported by version 1.9.8 or higher.

intercept_authenticate
    If set, commands run by an intercepted process must be authenticated when the user's time stamp is not current. For example, if a shell is run with intercept enabled, as soon as the invoking user's time stamp is out of date, subsequent commands will need to be authenticated. This flag has no effect unless the intercept flag is enabled or the INTERCEPT tag has been set for the command. This flag is off by default.

    This setting is only supported by version 1.9.8 or higher.

intercept_verify
    If set, sudo will attempt to verify that a command run in intercept mode has the expected path name, command line arguments and environment.

    The process will be stopped after execve(2) has completed but before the new command has had a chance to run. To verify the command, sudo will read the command's path from /proc/PID/exe, the command line arguments and environment from the process's memory, and compare them against the arguments that were passed to execve(2). In the event of a mismatch, the command will be sent a SIGKILL signal and terminated.

    This can help prevent a time of check versus time of use issue with intercept mode where the execve(2) arguments could be altered after the sudoers policy check. The checks can only be performed if the proc(5) file system is available. This flag has no effect unless the intercept flag is enabled or the INTERCEPT tag has been set for the command and the intercept_type option is set to trace. This flag is on by default.

    This setting is only supported by version 1.9.12 or higher.

netgroup_tuple
    If set, netgroup lookups will be performed using the full netgroup tuple: host name, user name, and domain (if one is set). Historically, sudo only matched the user name and domain for netgroups used in a User_List and only matched the host name and domain for netgroups used in a Host_List. This flag is off by default.

noexec
    If set, all commands run via sudo will behave as if the NOEXEC tag has been set, unless overridden by an EXEC tag. See the description of EXEC and NOEXEC above as well as the Preventing shell escapes section at the end of this manual. This flag is off by default.

noninteractive_auth
    If set, authentication will be attempted even in non-interactive mode (when sudo's -n option is specified). This allows authentication methods that don't require user interaction to succeed. Authentication methods that require input from the user's terminal will still fail. If disabled, authentication will not be attempted in non-interactive mode. This flag is off by default.

    This setting is only supported by version 1.9.10 or higher.

pam_acct_mgmt
    On systems that use PAM for authentication, sudo will perform PAM account validation for the invoking user by default. The actual checks performed depend on which PAM modules are configured. If enabled, account validation will be performed regardless of whether or not a password is required. This flag is on by default.

    This setting is only supported by version 1.8.28 or higher.

pam_rhost
    On systems that use PAM for authentication, sudo will set the PAM remote host value to the name of the local host when the pam_rhost flag is enabled. On Linux systems, enabling pam_rhost may result in DNS lookups of the local host name when PAM is initialized. On Solaris versions prior to Solaris 8, pam_rhost must be enabled if pam_ruser is also enabled to avoid a crash in the Solaris PAM implementation.

    This flag is off by default on systems other than Solaris.

    This setting is only supported by version 1.9.0 or higher.

pam_ruser
    On systems that use PAM for authentication, sudo will set the PAM remote user value to the name of the user that invoked sudo when the pam_ruser flag is enabled. This flag is on by default.

    This setting is only supported by version 1.9.0 or higher.

pam_session
    On systems that use PAM for authentication, sudo will create a new PAM session for the command to be run in. Unless sudo is given the -i or -s options, PAM session modules are run with the “silent” flag enabled. This prevents last login information from being displayed for every command on some systems. Disabling pam_session may be needed on older PAM implementations or on operating systems where opening a PAM session changes the utmp or wtmp files. If PAM session support is disabled, resource limits may not be updated for the command being run. If pam_session, pam_setcred, and use_pty are disabled, log_servers has not been set and I/O logging has not been configured, sudo will execute the command directly instead of running it as a child process. This flag is on by default.

    This setting is only supported by version 1.8.7 or higher.

pam_setcred
    On systems that use PAM for authentication, sudo will attempt to establish credentials for the target user by default, if supported by the underlying authentication system. One example of a credential is a Kerberos ticket. If pam_session, pam_setcred, and use_pty are disabled, log_servers has not been set and I/O logging has not been configured, sudo will execute the command directly instead of running it as a child process. This flag is on by default.

    This setting is only supported by version 1.8.8 or higher.

passprompt_override
    If set, the prompt specified by passprompt or the SUDO_PROMPT environment variable will always be used and will replace the prompt provided by a PAM module or other authentication method. This flag is off by default.

path_info
    Normally, sudo will tell the user when a command could not be found in their PATH environment variable. Some sites may wish to disable this as it could be used to gather information on the location of executables that the normal user does not have access to. The disadvantage is that if the executable is simply not in the user's PATH, sudo will tell the user that they are not allowed to run it, which can be confusing. This flag is on by default.

preserve_groups
    By default, sudo will initialize the group vector to the list of groups the target user is in. When preserve_groups is set, the user's existing group vector is left unaltered. The real and effective group-IDs, however, are still set to match the target user. This flag is off by default.

pwfeedback
    By default, sudo reads the password like most other Unix programs, by turning off echo until the user hits the return (or enter) key. Some users become confused by this as it appears to them that sudo has hung at this point. When pwfeedback is set, sudo will provide visual feedback when the user presses a key. This does have a security impact as an onlooker may be able to determine the length of the password being entered. This flag is off by default.

requiretty
    If set, sudo will only run when the user is logged in to a real tty. When this flag is set, sudo can only be run from a login session and not via other means such as cron(8) or cgi-bin scripts. This flag is off by default.

root_sudo
    If set, root is allowed to run sudo too. Disabling this prevents users from “chaining” sudo commands to get a root shell by doing something like ‘sudo sudo /bin/sh’. Note, however, that turning off root_sudo will also prevent root from running sudoedit. Disabling root_sudo provides no real additional security; it exists purely for historical reasons. This flag is on by default.

rootpw
    If set, sudo will prompt for the root password instead of the password of the invoking user when running a command or editing a file. This flag is off by default.

runas_allow_unknown_id
    If enabled, allow matching of runas user and group IDs that are not present in the password or group databases. In addition to explicitly matching unknown user or group IDs in a Runas_List, this option also allows the ALL alias to match unknown IDs. This flag is off by default.

    This setting is only supported by version 1.8.30 or higher. Older versions of sudo always allowed matching of unknown user and group IDs.

runas_check_shell
    If enabled, sudo will only run commands as a user whose shell appears in the /etc/shells file, even if the invoking user's Runas_List would otherwise permit it. If no /etc/shells file is present, a system-dependent list of built-in default shells is used. On many operating systems, system users such as “bin” do not have a valid shell and this flag can be used to prevent commands from being run as those users. This flag is off by default.

    This setting is only supported by version 1.8.30 or higher.

runaspw
    If set, sudo will prompt for the password of the user defined by the runas_default option (defaults to root) instead of the password of the invoking user when running a command or editing a file. This flag is off by default.

selinux
    If enabled, the user may specify an SELinux role and/or type to use when running the command, as permitted by the SELinux policy. If SELinux is disabled on the system, this flag has no effect. This flag is on by default.

set_home
    If enabled and sudo is invoked with the -s option, the HOME environment variable will be set to the home directory of the target user (which is the runas_default user unless the -u option is used). This flag is largely obsolete and has no effect unless the env_reset flag has been disabled or HOME is present in the env_keep list, both of which are strongly discouraged. This flag is off by default.

set_logname
    Normally, sudo will set the LOGNAME and USER environment variables to the name of the target user (the user specified by runas_default unless the -u option is given). However, since some programs (including the RCS revision control system) use LOGNAME to determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option. The set_logname option will have no effect if the env_reset option has not been disabled and the env_keep list contains LOGNAME or USER. This flag is on by default.

set_utmp
    When enabled, sudo will create an entry in the utmp (or utmpx) file when a pseudo-terminal is allocated. A pseudo-terminal is allocated by sudo when it is running in a terminal and one or more of the log_input, log_output, log_stdin, log_stdout, log_stderr, log_ttyin, log_ttyout, or use_pty flags is enabled. By default, the new entry will be a copy of the user's existing utmp entry (if any), with the tty, time, type, and pid fields updated. This flag is on by default.

setenv
    Allow the user to disable the env_reset option from the command line via the -E option. Additionally, environment variables set via the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep. As such, only trusted users should be allowed to set variables in this manner. This flag is off by default.

shell_noargs
    If set and sudo is invoked with no arguments it acts as if the -s option had been given. That is, it runs a shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry if not). This flag is off by default.

stay_setuid
    Normally, when sudo executes a command the real and effective user-IDs are set to the target user (root by default). This option changes that behavior such that the real user-ID is left as the invoking user's user-ID. In other words, this makes sudo act as a set-user-ID wrapper. This can be useful on systems that disable some potentially dangerous functionality when a program is run set-user-ID. This option is only effective on systems that support either the setreuid(2) or setresuid(2) system call. This flag is off by default.

sudoedit_checkdir
    If set, sudoedit will check all directory components of the path to be edited for writability by the invoking user. Symbolic links will not be followed in writable directories and sudoedit will refuse to edit a file located in a writable directory. These restrictions are not enforced when sudoedit is run by root. On some systems, if all directory components of the path to be edited are not readable by the target user, sudoedit will be unable to edit the file. This flag is on by default.

    This setting was first introduced in version 1.8.15 but initially suffered from a race condition. The check for symbolic links in writable intermediate directories was added in version 1.8.16.

sudoedit_follow
    By default, sudoedit will not follow symbolic links when opening files. The sudoedit_follow option can be enabled to allow sudoedit to open symbolic links. It may be overridden on a per-command basis by the FOLLOW and NOFOLLOW tags. This flag is off by default.

    This setting is only supported by version 1.8.15 or higher.

syslog_pid
    When logging via syslog(3), include the process ID in the log entry. This flag is off by default.

    This setting is only supported by version 1.8.21 or higher.

targetpw
    If set, sudo will prompt for the password of the user specified by the -u option (defaults to the value of runas_default) instead of the password of the invoking user when running a command or editing a file. This flag precludes the use of a user-ID not listed in the passwd database as an argument to the -u option. This flag is off by default.

tty_tickets
    If set, users must authenticate on a per-tty basis. With this flag enabled, sudo will use a separate record in the time stamp file for each terminal. If disabled, a single record is used for all login sessions.

    This option has been superseded by the timestamp_type option.

umask_override
    If set, sudo will set the umask as specified in the sudoers file without modification. This makes it possible to specify a umask in the sudoers file that is more permissive than the user's own umask and matches historical behavior. If umask_override is not set, sudo will set the umask to be the union of the user's umask and what is specified in sudoers. This flag is off by default.
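
The union rule above, together with the umask setting it refers to (which defaults to 0022 and can be negated or set to 0777 so that sudoers leaves the umask alone), worked through in Python. This is an added example, not code from sudo; the user and sudoers umask values fed to it are constructed.

```python
"""Effective umask under sudoers' umask / umask_override settings.

Added example, not sudo's code. It applies the rules stated in this manual:
a negated umask option or a value of 0777 leaves the user's umask alone;
with umask_override the sudoers value is used verbatim; otherwise the
result is the union (bitwise OR) of the user's umask and the sudoers value.
"""
from typing import Optional, Union

UMASK_LEAVE_ALONE = 0o777  # "set it to 0777 to prevent sudoers from changing the umask"


def parse_umask(value: Union[str, int, bool, None]) -> Optional[int]:
    """Parse a umask as written in sudoers. False/None stand for a negated
    option (Defaults !umask). Strings are octal, as in "0022"."""
    if value is False or value is None:
        return None
    mask = int(value, 8) if isinstance(value, str) else int(value)
    if not 0 <= mask <= 0o777:
        raise ValueError(f"umask out of range: {value!r}")
    return mask


def effective_umask(user_umask: int, sudoers_umask="0022", umask_override=False) -> int:
    """Return the umask the command will run with."""
    setting = parse_umask(sudoers_umask)
    if setting is None or setting == UMASK_LEAVE_ALONE:
        return user_umask                 # sudoers does not touch the umask
    if umask_override:
        return setting                    # verbatim, even if more permissive
    return user_umask | setting           # union: never fewer bits than the user had


def loosens_umask(user_umask: int, sudoers_umask="0022", umask_override=False) -> bool:
    """True if the configuration can clear a bit the user already had set,
    i.e. make file creation more permissive than the user's own umask.
    Only umask_override makes this possible."""
    result = effective_umask(user_umask, sudoers_umask, umask_override)
    return (user_umask & ~result) != 0


if __name__ == "__main__":
    # Constructed sample: a user with umask 077 on a system whose sudoers sets umask=0022.
    print(oct(effective_umask(0o077, "0022")))                          # 0o77 (union)
    print(oct(effective_umask(0o077, "0022", umask_override=True)))     # 0o22 (override)
    print(loosens_umask(0o077, "0022", umask_override=True))            # True
```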
1935
1936 use_netgroups If set, netgroups (prefixed with ‘+’), may be used in
1937 place of a user or host. For LDAP-based sudoers, net‐
1938 group support requires an expensive sub-string match on
1939 the server unless the NETGROUP_BASE directive is
1940 present in the /etc/ldap.conf file. If netgroups are
1941 not needed, this option can be disabled to reduce the
1942 load on the LDAP server. This flag is on by default.
1943
1944 use_pty If set, and sudo is running in a terminal, the command
1945 will be run in a pseudo-terminal (even if no I/O log‐
1946 ging is being done). If the sudo process is not at‐
1947 tached to a terminal, use_pty has no effect.
1948
1949 A malicious program run under sudo may be capable of
1950 injecting commands into the user's terminal or running
1951 a background process that retains access to the user's
1952 terminal device even after the main program has fin‐
1953 ished executing. By running the command in a separate
1954 pseudo-terminal, this attack is no longer possible.
1955 This flag is off by default.
1956
1957 user_command_timeouts
1958 If set, the user may specify a timeout on the command
1959 line. If the timeout expires before the command has
1960 exited, the command will be terminated. If a timeout
1961 is specified both in the sudoers file and on the com‐
1962 mand line, the smaller of the two timeouts will be
1963 used. See the Timeout_Spec section for a description
1964 of the timeout syntax. This flag is off by default.
1965
1966 This setting is only supported by version 1.8.20 or
1967 higher.
1968
1969 utmp_runas If set, sudo will store the name of the runas user when
1970 updating the utmp (or utmpx) file. By default, sudo
1971 stores the name of the invoking user. This flag is off
1972 by default.
1973
1974 visiblepw By default, sudo will refuse to run if the user must
1975 enter a password but it is not possible to disable echo
1976 on the terminal. If the visiblepw flag is set, sudo
1977 will prompt for a password even when it would be visi‐
1978 ble on the screen. This makes it possible to run
1979 things like ‘ssh somehost sudo ls’ since by default,
1980 ssh(1) does not allocate a tty when running a command.
1981 This flag is off by default.
1982
1983 Integers:
1984
1985 closefrom Before it executes a command, sudo will close all open
1986 file descriptors other than standard input, standard
                      output, and standard error (file descriptors 0-2). The
                      closefrom option can be used to specify a different
                      file descriptor at which to start closing. The default
                      is 3.

     command_timeout  The maximum amount of time a command is allowed to run
                      before it is terminated. See the Timeout_Spec section
                      for a description of the timeout syntax.

                      This setting is only supported by version 1.8.20 or
                      higher.

     log_server_timeout
                      The maximum amount of time to wait when connecting to a
                      log server or waiting for a server response. See the
                      Timeout_Spec section for a description of the timeout
                      syntax. The default value is 30 seconds.

                      This setting is only supported by version 1.9.0 or
                      higher.

     maxseq           The maximum sequence number that will be substituted
                      for the ‘%{seq}’ escape in the I/O log file (see the
                      iolog_dir description below for more information).
                      While the value substituted for ‘%{seq}’ is in base 36,
                      maxseq itself should be expressed in decimal. Values
                      larger than 2176782336 (which corresponds to the base
                      36 sequence number “ZZZZZZ”) will be silently truncated
                      to 2176782336. The default value is 2176782336.

                      Once the local sequence number reaches the value of
                      maxseq, it will “roll over” to zero, after which
                      sudoers will truncate and re-use any existing I/O log
                      path names.

                      This setting is only supported by version 1.8.7 or
                      higher.

     passwd_tries     The number of tries a user gets to enter his/her
                      password before sudo logs the failure and exits. The
                      default is 3.

     syslog_maxlen    On many systems, syslog(3) has a relatively small log
                      buffer. IETF RFC 5424 states that syslog servers must
                      support messages of at least 480 bytes and should
                      support messages up to 2048 bytes. By default, sudoers
                      creates log messages up to 980 bytes which corresponds
                      to the historic BSD syslog implementation which used a
                      1024 byte buffer to store the message, date, hostname,
                      and program name. To prevent syslog messages from
                      being truncated, sudoers will split up log messages
                      that are larger than syslog_maxlen bytes. When a
                      message is split, additional parts will include the
                      string “(command continued)” after the user name and
                      before the continued command line arguments.

                      This setting is only supported by version 1.8.19 or
                      higher.
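
     The following Python example is added here to illustrate the splitting
     rule above; it is not sudo's own code. It models an event line as the
     user name, " : ", and a body of fields, and breaks the body at spaces
     so that no piece exceeds the limit, prefixing every continuation piece
     with the user name and “(command continued)”. The sample user, fields
     and the limit of 60 characters are constructed for the demonstration.

```python
CONTINUED = "(command continued)"


def split_syslog_message(user: str, body: str, maxlen: int) -> list:
    """Break 'user : body' into pieces of at most maxlen characters.

    Constructed model of the syslog_maxlen behaviour, not sudo's code:
    the first piece starts with 'user : ', every later piece starts with
    'user : (command continued) ', and the body is split at spaces so
    fields stay intact where possible. Lengths are counted in characters
    (the model assumes ASCII message text).
    """
    head = f"{user} : "
    cont = f"{user} : {CONTINUED} "
    if len(cont) >= maxlen:
        raise ValueError("syslog_maxlen leaves no room after the prefix")

    parts = []
    prefix, cur = head, ""
    for word in body.split(" "):
        if cur and len(prefix + cur + " " + word) <= maxlen:
            cur += " " + word            # fits on the current piece
            continue
        if not cur and len(prefix + word) <= maxlen:
            cur = word                   # first word of a piece
            continue
        if cur:                          # flush the piece that is full
            parts.append(prefix + cur)
            prefix, cur = cont, ""
        while len(prefix + word) > maxlen:   # a single over-long token
            room = maxlen - len(prefix)
            parts.append(prefix + word[:room])
            prefix, word = cont, word[room:]
        cur = word
    if cur or not parts:
        parts.append(prefix + cur)
    return parts


def reassemble(parts: list, user: str) -> str:
    """Strip the per-piece prefixes and rejoin: a check that no text was
    lost (exact only when no token had to be hard-split)."""
    head = f"{user} : "
    cont = f"{user} : {CONTINUED} "
    pieces = []
    for i, p in enumerate(parts):
        prefix = head if i == 0 else cont
        assert p.startswith(prefix)
        pieces.append(p[len(prefix):])
    return " ".join(pieces)


# Constructed sample: the kind of fields a sudo event line carries.
SAMPLE_USER = "alice"
SAMPLE_BODY = ("TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
               "COMMAND=/usr/bin/find / -name core")

if __name__ == "__main__":
    for piece in split_syslog_message(SAMPLE_USER, SAMPLE_BODY, 60):
        print(len(piece), piece)
```

     With the 60-character limit the sample becomes three pieces; with
     the default 980 it stays one line. A collector that reassembles
     events therefore has to key on the user name and the “(command
     continued)” marker rather than assume one line per command.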

     Integers that can be used in a boolean context:

     loglinelen       Number of characters per line for the file log. This
                      value is used to decide when to wrap lines for nicer
                      log files. This has no effect on the syslog log file,
                      only the file log. The default is 80 (use 0 or negate
                      the option to disable word wrap).

     passwd_timeout   Number of minutes before the sudo password prompt times
                      out, or 0 for no timeout. The timeout may include a
                      fractional component if minute granularity is
                      insufficient, for example 2.5. The default is 5.

     timestamp_timeout
                      Number of minutes that can elapse before sudo will ask
                      for a password again. The timeout may include a
                      fractional component if minute granularity is
                      insufficient, for example 2.5. The default is 5. Set
                      this to 0 to always prompt for a password. If set to a
                      value less than 0 the user's time stamp will not expire
                      until the system is rebooted. This can be used to
                      allow users to create or delete their own time stamps
                      via ‘sudo -v’ and ‘sudo -k’ respectively.

     umask            File mode creation mask to use when running the
                      command. Negate this option or set it to 0777 to
                      prevent sudoers from changing the umask. Unless the
                      umask_override flag is set, the actual umask will be
                      the union of the user's umask and the value of the
                      umask setting, which defaults to 0022. This guarantees
                      that sudo never lowers the umask when running a
                      command.

                      If umask is explicitly set in sudoers, it will override
                      any umask setting in PAM or login.conf. If umask is
                      not set in sudoers, the umask specified by PAM or
                      login.conf will take precedence. The umask setting in
                      PAM is not used for sudoedit, which does not create a
                      new PAM session.

     Strings:

     authfail_message Message that is displayed after a user fails to
                      authenticate. The message may include the ‘%d’ escape
                      which will expand to the number of failed password
                      attempts. If set, it overrides the default message,
                      “%d incorrect password attempt(s)”.

     badpass_message  Message that is displayed if a user enters an incorrect
                      password. The default is “Sorry, try again.” unless
                      insults are enabled.

     editor           A colon (‘:’) separated list of editor path names used
                      by sudoedit and visudo. For sudoedit, this list is
                      used to find an editor when none of the SUDO_EDITOR,
                      VISUAL or EDITOR environment variables are set to an
                      editor that exists and is executable. For visudo, it
                      is used as a white list of allowed editors; visudo will
                      choose the editor that matches the user's SUDO_EDITOR,
                      VISUAL or EDITOR environment variable if possible, or
                      the first editor in the list that exists and is
                      executable if not. Unless invoked as sudoedit, sudo
                      does not preserve the SUDO_EDITOR, VISUAL or EDITOR
                      environment variables unless they are present in the
                      env_keep list or the env_reset option is disabled. The
                      default is /usr/bin/nano:/usr/bin/vim:/usr/bin/vi.

     intercept_type   The underlying mechanism used by the intercept and
                      log_subcmds options. It has the following possible
                      values:

                      dso    Preload a dynamic shared object (shared
                             library) that intercepts the execve(2),
                             execl(3), execle(3), execlp(3), execv(3),
                             execvp(3), execvpe(3), and system(3) library
                             functions. A value of dso is incompatible with
                             sudo's SELinux RBAC support.

                      trace  Use ptrace(2) to intercept the execve(2) system
                             call. This is only supported on Linux systems
                             where seccomp(2) filtering is enabled. If the
                             /proc/sys/kernel/seccomp/actions_avail file is
                             missing or does not contain a “trap” element,
                             setting intercept_type to trace will have no
                             effect and dso will be used instead.

                      The default is to use trace if it is supported by the
                      system and dso if it is not.

     iolog_dir        The top-level directory to use when constructing the
                      path name for the input/output log directory. Only
                      used if the log_input or log_output options are enabled
                      or when the LOG_INPUT or LOG_OUTPUT tags are present
                      for a command. The session sequence number, if any, is
                      stored in the directory. The default is
                      /var/log/sudo-io.

                      The following percent (‘%’) escape sequences are
                      supported:

                      %{seq}
                             expanded to a monotonically increasing base-36
                             sequence number, such as 0100A5, where every two
                             digits are used to form a new directory, e.g.,
                             01/00/A5

                      %{user}
                             expanded to the invoking user's login name

                      %{group}
                             expanded to the name of the invoking user's real
                             group-ID

                      %{runas_user}
                             expanded to the login name of the user the
                             command will be run as (e.g., root)

                      %{runas_group}
                             expanded to the group name of the user the
                             command will be run as (e.g., wheel)

                      %{hostname}
                             expanded to the local host name without the
                             domain name

                      %{command}
                             expanded to the base name of the command being
                             run

                      In addition, any escape sequences supported by the
                      system's strftime(3) function will be expanded.

                      To include a literal ‘%’ character, the string ‘%%’
                      should be used.
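
     The following Python example is added here to show how the maxseq
     ceiling, the roll-over and the iolog_dir escapes above fit together;
     it is not sudo's own code. The base-36 rendering, the two-digit
     directory split and the clamp to 36^6 follow the descriptions above;
     the expander handles %{seq}, the named escapes, ‘%%’ and hands any
     other ‘%x’ pair to strftime(3). The host name, the sequence value and
     the EPOCH time used below are constructed for the demonstration.

```python
import time

SEQ_DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEQ_WIDTH = 6
SEQ_LIMIT = 36 ** SEQ_WIDTH        # 2176782336: the ceiling applied to maxseq
EPOCH = time.gmtime(0)             # fixed time so strftime output is predictable


def clamp_maxseq(value: int) -> int:
    """maxseq values above 36^6 are silently truncated to 36^6."""
    return min(value, SEQ_LIMIT)


def next_seq(current: int, maxseq: int) -> int:
    """Advance the sequence counter. Once it reaches maxseq it rolls
    over to zero, after which earlier I/O log paths get re-used."""
    nxt = current + 1
    return 0 if nxt >= clamp_maxseq(maxseq) else nxt


def seq_to_base36(seq: int) -> str:
    """Six-digit, zero-padded, upper-case base-36 rendering."""
    digits = []
    for _ in range(SEQ_WIDTH):
        digits.append(SEQ_DIGITS[seq % 36])
        seq //= 36
    return "".join(reversed(digits))


def seq_to_path(seq: int) -> str:
    """0100A5 -> 01/00/A5: each pair of digits becomes a directory."""
    s = seq_to_base36(seq)
    return "/".join(s[i:i + 2] for i in range(0, SEQ_WIDTH, 2))


def expand_iolog(template: str, seq: int, names: dict, when=None) -> str:
    """Expand the iolog_dir / iolog_file escapes.

    %{seq} is rendered with seq_to_path; the other %{name} escapes are
    looked up in `names` (user, group, runas_user, runas_group, hostname,
    command) and an unknown name raises KeyError; '%%' yields a literal
    '%'; any other two-character '%x' sequence is given to strftime(3).
    """
    when = when if when is not None else time.localtime()
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):
            out.append("%")
            i += 2
        elif template.startswith("%{", i):
            end = template.index("}", i)
            name = template[i + 2:end]
            out.append(seq_to_path(seq) if name == "seq" else names[name])
            i = end + 1
        else:
            out.append(time.strftime(template[i:i + 2], when))
            i += 2
    return "".join(out)


if __name__ == "__main__":
    # Constructed values: host "db1", the sequence number spelled 0100A5.
    print(expand_iolog("/var/log/sudo-io/%{hostname}/%Y/%{seq}",
                       1679981, {"hostname": "db1"}, EPOCH))
```

     Because the counter wraps to zero at maxseq, a collector that keys
     sessions on the %{seq} path alone can see an old path re-used;
     including %{user} or a strftime(3) date in iolog_dir keeps the paths
     distinct across a roll-over.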

     iolog_file       The path name, relative to iolog_dir, in which to store
                      input/output logs when the log_input or log_output
                      options are enabled or when the LOG_INPUT or LOG_OUTPUT
                      tags are present for a command. iolog_file may contain
                      directory components. The default is ‘%{seq}’.

                      See the iolog_dir option above for a list of supported
                      percent (‘%’) escape sequences.

                      In addition to the escape sequences, path names that
                      end in six or more Xs will have the Xs replaced with a
                      unique combination of digits and letters, similar to
                      the mktemp(3) function.

                      If the path created by concatenating iolog_dir and
                      iolog_file already exists, the existing I/O log file
                      will be truncated and overwritten unless iolog_file
                      ends in six or more Xs.

     iolog_flush      If set, sudo will flush I/O log data to disk after each
                      write instead of buffering it. This makes it possible
                      to view the logs in real-time as the program is
                      executing but may significantly reduce the
                      effectiveness of I/O log compression. This flag is off
                      by default.

                      This setting is only supported by version 1.8.20 or
                      higher.

     iolog_group      The group name to look up when setting the group-ID on
                      new I/O log files and directories. If iolog_group is
                      not set, the primary group-ID of the user specified by
                      iolog_user is used. If neither iolog_group nor
                      iolog_user are set, I/O log files and directories are
                      created with group-ID 0.

                      This setting is only supported by version 1.8.19 or
                      higher.

     iolog_mode       The file mode to use when creating I/O log files. Mode
                      bits for read and write permissions for owner, group,
                      or other are honored, everything else is ignored. The
                      file permissions will always include the owner read and
                      write bits, even if they are not present in the
                      specified mode. When creating I/O log directories,
                      search (execute) bits are added to match the read and
                      write bits specified by iolog_mode. Defaults to 0600
                      (read and write by user only).

                      This setting is only supported by version 1.8.19 or
                      higher.

     iolog_user       The user name to look up when setting the user and
                      group-IDs on new I/O log files and directories. If
                      iolog_group is set, it will be used instead of the
                      user's primary group-ID. By default, I/O log files and
                      directories are created with user and group-ID 0.

                      This setting can be useful when the I/O logs are stored
                      on a Network File System (NFS) share. Having a
                      dedicated user own the I/O log files means that sudoers
                      does not write to the log files as user-ID 0, which is
                      usually not permitted by NFS.

                      This setting is only supported by version 1.8.19 or
                      higher.

     lecture_status_dir
                      The directory in which sudo stores per-user lecture
                      status files. Once a user has received the lecture, a
                      zero-length file is created in this directory so that
                      sudo will not lecture the user again. This directory
                      should not be cleared when the system reboots. The
                      default is /var/db/sudo/lectured.

     log_server_cabundle
                      The path to a certificate authority bundle file, in PEM
                      format, to use instead of the system's default
                      certificate authority database when authenticating the
                      log server. The default is to use the system's default
                      certificate authority database. This setting has no
                      effect unless log_servers is set and the remote log
                      server is secured with TLS.

                      This setting is only supported by version 1.9.0 or
                      higher.

     log_server_peer_cert
                      The path to the sudo client's certificate file, in PEM
                      format. This setting is required when the remote log
                      server is secured with TLS and client certificate
                      validation is enabled. For sudo_logsrvd, client
                      certificate validation is controlled by the
                      tls_checkpeer option, which defaults to false.

                      This setting is only supported by version 1.9.0 or
                      higher.

     log_server_peer_key
                      The path to the sudo client's private key file, in PEM
                      format. This setting is required when the remote log
                      server is secured with TLS and client certificate
                      validation is enabled. For sudo_logsrvd, client
                      certificate validation is controlled by the
                      tls_checkpeer flag, which defaults to false.

                      This setting is only supported by version 1.9.0 or
                      higher.

     mailsub          Subject of the mail sent to the mailto user. The
                      escape ‘%h’ will expand to the host name of the
                      machine. Default is “*** SECURITY information for %h
                      ***”.

     noexec_file      As of sudo version 1.8.1 this option is no longer
                      supported. The path to the noexec file should now be
                      set in the sudo.conf(5) file.

     pam_askpass_service
                      On systems that use PAM for authentication, this is the
                      service name used when the -A option is specified. The
                      default value is either ‘@pam_service@’ or ‘sudo-i’,
                      depending on whether or not the -i option is also
                      specified. See the description of pam_service for more
                      information.

                      This setting is only supported by version 1.9.9 or
                      higher.

     pam_login_service
                      On systems that use PAM for authentication, this is the
                      service name used when the -i option is specified. The
                      default value is ‘sudo-i’. See the description of
                      pam_service for more information.

                      This setting is only supported by version 1.8.8 or
                      higher.

     pam_service      On systems that use PAM for authentication, the service
                      name specifies the PAM policy to apply. This usually
                      corresponds to an entry in the pam.conf file or a file
                      in the /etc/pam.d directory. The default value is
                      ‘sudo’.

                      This setting is only supported by version 1.8.8 or
                      higher.

     passprompt       The default prompt to use when asking for a password;
                      can be overridden via the -p option or the SUDO_PROMPT
                      environment variable. The following percent (‘%’)
                      escape sequences are supported:

                      %H  expanded to the local host name including the
                          domain name (only if the machine's host name is
                          fully qualified or the fqdn option is set)

                      %h  expanded to the local host name without the
                          domain name

                      %p  expanded to the user whose password is being
                          asked for (respects the rootpw, targetpw and
                          runaspw flags in sudoers)

                      %U  expanded to the login name of the user the
                          command will be run as (defaults to root)

                      %u  expanded to the invoking user's login name

                      %%  two consecutive ‘%’ characters are collapsed into
                          a single ‘%’ character

                      On systems that use PAM for authentication, passprompt
                      will only be used if the prompt provided by the PAM
                      module matches the string “Password: ” or “username's
                      Password: ”. This ensures that the passprompt setting
                      does not interfere with challenge-response style
                      authentication. The passprompt_override flag can be
                      used to change this behavior.

                      The default value is ‘[sudo] password for %p: ’.

     role             The default SELinux role to use when constructing a new
                      security context to run the command. The default role
                      may be overridden on a per-command basis in the sudoers
                      file or via command line options. This option is only
                      available when sudo is built with SELinux support.

     runas_default    The default user to run commands as if the -u option is
                      not specified on the command line. This defaults to
                      root.

     sudoers_locale   Locale to use when parsing the sudoers file, logging
                      commands, and sending email. Changing the locale may
                      affect how sudoers is interpreted. Defaults to ‘C’.

     timestamp_type   sudoers uses per-user time stamp files for credential
                      caching. The timestamp_type option can be used to
                      specify the type of time stamp record used. It has the
                      following possible values:

                      global  A single time stamp record is used for all of a
                              user's login sessions, regardless of the
                              terminal or parent process ID. An additional
                              record is used to serialize password prompts
                              when sudo is used multiple times in a pipeline,
                              but this does not affect authentication.

                      ppid    A single time stamp record is used for all
                              processes with the same parent process ID
                              (usually the shell). Commands run from the same
                              shell (or other common parent process) will not
                              require a password for timestamp_timeout
                              minutes (5 by default). Commands run via sudo
                              with a different parent process ID, for example
                              from a shell script, will be authenticated
                              separately.

                      tty     One time stamp record is used for each
                              terminal, which means that a user's login
                              sessions are authenticated separately. If no
                              terminal is present, the behavior is the same
                              as ppid. Commands run from the same terminal
                              will not require a password for
                              timestamp_timeout minutes (5 by default).

                      kernel  The time stamp is stored in the kernel as an
                              attribute of the terminal device. If no
                              terminal is present, the behavior is the same
                              as ppid. Negative timestamp_timeout values are
                              not supported and positive values are limited
                              to a maximum of 60 minutes. This is currently
                              only supported on OpenBSD.

                      The default value is tty.

                      This setting is only supported by version 1.8.21 or
                      higher.

     timestampdir     The directory in which sudo stores its time stamp
                      files. This directory should be cleared when the
                      system reboots. The default is /run/sudo/ts.

     timestampowner   The owner of the lecture status directory, time stamp
                      directory and all files stored therein. The default is
                      root.

     type             The default SELinux type to use when constructing a new
                      security context to run the command. The default type
                      may be overridden on a per-command basis in the sudoers
                      file or via command line options. This option is only
                      available when sudo is built with SELinux support.

     Strings that can be used in a boolean context:

     admin_flag   The admin_flag option specifies the path to a file that is
                  created the first time a user that is a member of the sudo
                  or admin groups runs sudo. Only available if sudo is
                  configured with the --enable-admin-flag option. The
                  default value is ~/.sudo_as_admin_successful.

     env_file     The env_file option specifies the fully qualified path to a
                  file containing variables to be set in the environment of
                  the program being run. Entries in this file should either
                  be of the form ‘VARIABLE=value’ or ‘export VARIABLE=value’.
                  The value may optionally be enclosed in single or double
                  quotes. Variables in this file are only added if the
                  variable does not already exist in the environment. This
                  file is considered to be part of the security policy, its
                  contents are not subject to other sudo environment
                  restrictions such as env_keep and env_check.

     exempt_group Users in this group are exempt from password and PATH
                  requirements. The group name specified should not include
                  a ‘%’ prefix. This is not set by default.

     fdexec       Determines whether sudo will execute a command by its path
                  or by an open file descriptor. It has the following
                  possible values:

                  always  Always execute by file descriptor.

                  never   Never execute by file descriptor.

                  digest_only
                          Only execute by file descriptor if the command has
                          an associated digest in the sudoers file.

                  The default value is digest_only. This avoids a time of
                  check versus time of use race condition when the command is
                  located in a directory writable by the invoking user.

                  fdexec will change the first element of the argument vector
                  for scripts ($0 in the shell) due to the way the kernel
                  runs script interpreters. Instead of being a normal path,
                  it will refer to a file descriptor. For example, /dev/fd/4
                  on Solaris and /proc/self/fd/4 on Linux. A workaround is
                  to use the SUDO_COMMAND environment variable instead.

                  The fdexec setting is only used when the command is matched
                  by path name. It has no effect if the command is matched
                  by the built-in ALL alias.

                  This setting is only supported by version 1.8.20 or higher.
                  If the operating system does not support the fexecve(2)
                  system call, this setting has no effect.
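
     The following Python example is added here to show why executing by
     descriptor closes the time-of-check/time-of-use window described for
     fdexec; it is not sudo's own code. It opens the command once, hashes
     the bytes through that same descriptor, and only then hands the
     descriptor to fexecve(2). The demo() function builds a throw-away
     directory, a constructed script and its SHA-256, then renames a second
     file over the path, as a user-writable directory allows, and shows
     that the verified descriptor still reads the original bytes while a
     fresh by-path check is rejected.

```python
import hashlib
import os
import shutil
import tempfile


def open_and_verify(path: str, expected_sha256: str) -> int:
    """Open the command once, hash the bytes behind that descriptor, and
    return the descriptor only if the digest matches.

    Hashing through the same descriptor that fexecve(2) will later use
    is what removes the race: a file renamed over the path after the
    check is a different inode and is never the one executed. Reads use
    pread() so the file offset stays at 0 for whoever uses the fd next.
    """
    fd = os.open(path, os.O_RDONLY)     # no O_CLOEXEC: script interpreters
    try:                                 # must be able to re-open /dev/fd/N
        h = hashlib.sha256()
        offset = 0
        while True:
            chunk = os.pread(fd, 65536, offset)
            if not chunk:
                break
            h.update(chunk)
            offset += len(chunk)
        if h.hexdigest() != expected_sha256:
            raise PermissionError(f"digest mismatch for {path}")
        return fd
    except BaseException:
        os.close(fd)
        raise


def run_by_descriptor(path: str, expected_sha256: str, argv: list, env: dict):
    """Verify, then execute by descriptor; on success this never returns
    (for a script, $0 then reads /proc/self/fd/N on Linux, as noted above)."""
    fd = open_and_verify(path, expected_sha256)
    os.fexecve(fd, argv, env)


def demo() -> dict:
    """Constructed scenario: verify a script, then rename another file
    over its path the way a user-writable directory would permit."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "tool.sh")
        trusted = b"#!/bin/sh\necho trusted\n"
        with open(target, "wb") as f:
            f.write(trusted)
        digest = hashlib.sha256(trusted).hexdigest()

        fd = open_and_verify(target, digest)        # check passes

        other = os.path.join(workdir, "other.sh")
        with open(other, "wb") as f:
            f.write(b"#!/bin/sh\necho swapped\n")
        os.replace(other, target)                   # path now names a new inode

        with os.fdopen(fd, "rb") as f:              # what fexecve(2) would run
            fd_bytes = f.read()
        try:
            os.close(open_and_verify(target, digest))   # by-path re-check
            reopen_rejected = False
        except PermissionError:
            reopen_rejected = True
        return {"fd_bytes": fd_bytes, "reopen_rejected": reopen_rejected}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

     The same reasoning is why a digest in a Cmnd_Spec is only as strong
     as the exec path that follows it: with fdexec set to never, the
     digest is checked by path and the window the default digest_only
     closes is open again.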

     group_plugin A string containing a sudoers group plugin with optional
                  arguments. The string should consist of the plugin path,
                  either fully-qualified or relative to the /usr/libexec/sudo
                  directory, followed by any configuration arguments the
                  plugin requires. These arguments (if any) will be passed
                  to the plugin's initialization function. If arguments are
                  present, the string must be enclosed in double quotes ("").

                  On 64-bit systems, if the plugin is present but cannot be
                  loaded, sudoers will look for a 64-bit version and, if it
                  exists, load that as a fallback. The exact rules for this
                  vary by system. On Solaris, if the plugin is stored in a
                  directory ending in “lib”, sudoers will create a fallback
                  path by appending “/64” to the directory name;
                  /usr/lib/sudo_plugin.so becomes /usr/lib/64/sudo_plugin.so.
                  On Linux, a directory ending in “lib” will be transformed
                  to “lib64” as the fallback path; /usr/lib/sudo_plugin.so
                  becomes /usr/lib64/sudo_plugin.so. On all other systems,
                  the fallback path is generated by adding a “64” before the
                  file extension; sudo_plugin.so becomes sudo_plugin64.so.

                  For more information see GROUP PROVIDER PLUGINS.
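
     The following Python example is added here to make the plugin path
     resolution and the per-system 64-bit fallback rules above concrete;
     it is not sudo's own code. It assumes the sudoers parser has already
     removed the surrounding double quotes, and it returns no fallback on
     Solaris or Linux when the directory does not end in “lib”, which the
     text leaves unstated. The plugin names and the argument
     /etc/example-groups are constructed for the demonstration.

```python
import os.path

DEFAULT_PLUGIN_DIR = "/usr/libexec/sudo"


def split_group_plugin(value: str) -> tuple:
    """The group_plugin string (quotes already removed by the sudoers
    parser) is the plugin path followed by optional arguments. A
    relative path is taken relative to DEFAULT_PLUGIN_DIR."""
    path, *args = value.split()
    if not os.path.isabs(path):
        path = os.path.join(DEFAULT_PLUGIN_DIR, path)
    return path, args


def fallback_64bit_path(path: str, system: str):
    """The fallback rules quoted above. For "solaris" and "linux" the
    rule is only stated for a directory ending in 'lib'; this model
    returns None when it does not apply (an assumption of the example)."""
    dirname, base = os.path.split(path)
    if system == "solaris":
        return os.path.join(dirname, "64", base) if dirname.endswith("lib") else None
    if system == "linux":
        return os.path.join(dirname + "64", base) if dirname.endswith("lib") else None
    root, ext = os.path.splitext(base)           # every other system
    return os.path.join(dirname, root + "64" + ext)


def load_candidates(value: str, system: str) -> list:
    """Paths sudoers would try, in order: the plugin itself, then the
    64-bit fallback if one is defined for this system."""
    path, _args = split_group_plugin(value)
    candidates = [path]
    fallback = fallback_64bit_path(path, system)
    if fallback:
        candidates.append(fallback)
    return candidates


if __name__ == "__main__":
    for system in ("solaris", "linux", "aix"):
        print(system, load_candidates("/usr/lib/sudo_plugin.so", system))
```

     The fallback means a second path is dlopen'ed as root if the first
     one fails to load, so both locations, not only the one named in
     sudoers, need the same ownership and write restrictions.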

     lecture      This option controls when a short lecture will be printed
                  along with the password prompt. It has the following
                  possible values:

                  always  Always lecture the user.

                  never   Never lecture the user.

                  once    Only lecture the user the first time they run sudo.

                  If no value is specified, a value of once is implied.
                  Negating the option results in a value of never being used.
                  The default value is once.

     lecture_file Path to a file containing an alternate sudo lecture that
                  will be used in place of the standard lecture if the named
                  file exists. By default, sudo uses a built-in lecture.

     listpw       This option controls when a password will be required when
                  a user runs sudo with the -l option. It has the following
                  possible values:

                  all     All the user's sudoers file entries for the
                          current host must have the NOPASSWD flag set to
                          avoid entering a password.

                  always  The user must always enter a password to use the
                          -l option.

                  any     At least one of the user's sudoers file entries
                          for the current host must have the NOPASSWD flag
                          set to avoid entering a password.

                  never   The user need never enter a password to use the
                          -l option.

                  If no value is specified, a value of any is implied.
                  Negating the option results in a value of never being used.
                  The default value is any.

     log_format   The event log format. Supported log formats are:

                  json    Logs in JSON format. JSON log entries contain
                          the full user details as well as the execution
                          environment if the command was allowed. Due to
                          limitations of the protocol, JSON events sent via
                          syslog may be truncated.

                  sudo    Traditional sudo-style logs, see EVENT LOGGING
                          for a description of the log file format.

                  This setting affects logs sent via syslog(3) as well as the
                  file specified by the logfile setting, if any. The default
                  value is sudo.

     logfile      Path to the sudo log file (not the syslog log file).
                  Setting a path turns on logging to a file; negating this
                  option turns it off. By default, sudo logs via syslog.

     mailerflags  Flags to use when invoking mailer. Defaults to -t.

     mailerpath   Path to mail program used to send warning mail (negate to
                  prevent sudo from sending mail). Defaults to the path to
                  sendmail found at configure time.

     mailfrom     Address to use for the “from” address when sending warning
                  and error mail. The address should be enclosed in double
                  quotes ("") to protect against sudo interpreting the ‘@’
                  sign. Defaults to the name of the user running sudo.

     mailto       Address to send warning and error mail to (negate to
                  prevent sudo from sending mail). The address should be
                  enclosed in double quotes ("") to protect against sudo
                  interpreting the ‘@’ sign. Defaults to root.

     rlimit_as    The maximum size to which the process's address space may
                  grow (in bytes), if supported by the operating system. See
                  Resource limits for more information.

     rlimit_core  The largest size core dump file that may be created (in
                  bytes). See Resource limits for more information.
                  Defaults to 0 (no core dump created).

     rlimit_cpu   The maximum amount of CPU time that the process may use (in
                  seconds). See Resource limits for more information.

     rlimit_data  The maximum size of the data segment for the process (in
                  bytes). See Resource limits for more information.

     rlimit_fsize The largest size file that the process may create (in
                  bytes). See Resource limits for more information.

     rlimit_locks The maximum number of locks that the process may establish,
                  if supported by the operating system. See Resource limits
                  for more information.

     rlimit_memlock
                  The maximum size that the process may lock in memory (in
                  bytes), if supported by the operating system. See Resource
                  limits for more information.

     rlimit_nofile
                  The maximum number of files that the process may have open.
                  See Resource limits for more information.

     rlimit_nproc The maximum number of processes that the user may run
                  simultaneously. See Resource limits for more information.

     rlimit_rss   The maximum size to which the process's resident set size
                  may grow (in bytes). See Resource limits for more
                  information.

     rlimit_stack The maximum size to which the process's stack may grow (in
                  bytes). See Resource limits for more information.

     restricted_env_file
                  The restricted_env_file option specifies the fully
                  qualified path to a file containing variables to be set in
                  the environment of the program being run. Entries in this
                  file should either be of the form ‘VARIABLE=value’ or
                  ‘export VARIABLE=value’. The value may optionally be
                  enclosed in single or double quotes. Variables in this
                  file are only added if the variable does not already exist
                  in the environment. Unlike env_file, the file's contents
                  are not trusted and are processed in a manner similar to
                  that of the invoking user's environment. If env_reset is
                  enabled, variables in the file will only be added if they
                  are matched by either the env_check or env_keep list. If
                  env_reset is disabled, variables in the file are added as
                  long as they are not matched by the env_delete list. In
                  either case, the contents of restricted_env_file are
                  processed before the contents of env_file.

     runchroot    If set, sudo will use this value for the root directory
                  when running a command. The special value “*” will allow
                  the user to specify the root directory via sudo's -R
                  option. See the Chroot_Spec section for more details.

                  It is only possible to use runchroot as a command-specific
                  Defaults setting if the command exists with the same path
                  both inside and outside the chroot jail. This restriction
                  does not apply to global, host, or user-based Defaults
                  settings or to a Cmnd_Spec that includes a Chroot_Spec.

                  This setting is only supported by version 1.9.3 or higher.

     runcwd       If set, sudo will use this value for the working directory
                  when running a command. The special value “*” will allow
                  the user to specify the working directory via sudo's -D
                  option. See the Chdir_Spec section for more details.

                  This setting is only supported by version 1.9.3 or higher.

     secure_path  If set, sudo will use this value in place of the user's
                  PATH environment variable. This option can be used to
                  reset the PATH to a known good value that contains
                  directories for system administrator commands such as
                  /usr/sbin.

                  Users in the group specified by the exempt_group option are
                  not affected by secure_path. This option is not set by
                  default.

     syslog       Syslog facility if syslog is being used for logging (negate
                  to disable syslog logging). Defaults to authpriv.

                  The following syslog facilities are supported: authpriv (if
                  your OS supports it), auth, daemon, user, local0, local1,
                  local2, local3, local4, local5, local6, and local7.

     syslog_badpri
                  Syslog priority to use when the user is not allowed to run
                  a command or when authentication is unsuccessful. Defaults
                  to alert.

                  The following syslog priorities are supported: alert, crit,
                  debug, emerg, err, info, notice, warning, and none.
                  Negating the option or setting it to a value of none will
                  disable logging of unsuccessful commands.

     syslog_goodpri
                  Syslog priority to use when the user is allowed to run a
                  command and authentication is successful. Defaults to
                  notice.

                  See syslog_badpri for the list of supported syslog
                  priorities. Negating the option or setting it to a value
                  of none will disable logging of successful commands.

     verifypw     This option controls when a password will be required when
                  a user runs sudo with the -v option. It has the following
                  possible values:

                  all     All the user's sudoers file entries for the current
                          host must have the NOPASSWD flag set to avoid
                          entering a password.

                  always  The user must always enter a password to use the -v
                          option.

                  any     At least one of the user's sudoers file entries for
                          the current host must have the NOPASSWD flag set to
                          avoid entering a password.

                  never   The user need never enter a password to use the -v
                          option.

                  If no value is specified, a value of all is implied.
                  Negating the option results in a value of never being used.
                  The default value is all.
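
     The following Python example is added here to show the decision the
     listpw and verifypw values above encode, including the implied value
     of a bare option and the effect of negating it; it is not sudo's own
     code. The caller supplies one boolean per sudoers entry that applies
     to the user on the current host (True when the entry carries
     NOPASSWD); treating a user with no applicable entries as one who must
     authenticate is an assumption of the model.

```python
IMPLIED_VALUE = {"listpw": "any", "verifypw": "all"}
VALID = ("all", "always", "any", "never")


def effective_policy(option: str, setting=None) -> str:
    """Resolve a Defaults line for listpw or verifypw.

    setting None  -> the option was named alone: its implied value
    setting False -> the option was negated with '!': never
    otherwise     -> the explicit value, which must be one of VALID
    """
    if option not in IMPLIED_VALUE:
        raise ValueError(f"not a password policy option: {option}")
    if setting is None:
        return IMPLIED_VALUE[option]
    if setting is False:
        return "never"
    if setting not in VALID:
        raise ValueError(f"bad value for {option}: {setting}")
    return setting


def password_required(policy: str, nopasswd_flags) -> bool:
    """Decide whether 'sudo -l' / 'sudo -v' prompt for a password.

    nopasswd_flags holds one bool per sudoers entry that applies to the
    user on the current host: True if that entry carries NOPASSWD.
    With no applicable entries the model prompts (an assumption).
    """
    flags = list(nopasswd_flags)
    if policy == "always":
        return True
    if policy == "never":
        return False
    if not flags:
        return True
    if policy == "all":
        return not all(flags)      # every entry must be NOPASSWD
    if policy == "any":
        return not any(flags)      # one NOPASSWD entry is enough
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    # Constructed entries: one with NOPASSWD, one without.
    entries = [True, False]
    for option in ("listpw", "verifypw"):
        policy = effective_policy(option)
        print(option, policy, password_required(policy, entries))
```

     With the defaults, a user who holds one NOPASSWD entry can list
     privileges without a password (any) but still needs one for
     sudo -v (all); setting listpw to all closes that gap where the
     privilege listing itself is considered sensitive.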

     Lists that can be used in a boolean context:

     env_check        Environment variables to be removed from the user's
                      environment unless they are considered “safe”. For all
                      variables except TZ, “safe” means that the variable's
                      value does not contain any ‘%’ or ‘/’ characters. This
                      can be used to guard against printf-style format
                      vulnerabilities in poorly-written programs. The TZ
                      variable is considered unsafe if any of the following
                      are true:

                      •  It consists of a fully-qualified path name,
                         optionally prefixed with a colon (‘:’), that does
                         not match the location of the zoneinfo directory.

                      •  It contains a .. path element.

                      •  It contains white space or non-printable characters.

                      •  It is longer than the value of PATH_MAX.

                      The argument may be a double-quoted, space-separated
                      list or a single value without double-quotes. The list
                      can be replaced, added to, deleted from, or disabled by
                      using the ‘=’, ‘+=’, ‘-=’, and ‘!’ operators
                      respectively. Regardless of whether the env_reset
                      option is enabled or disabled, variables specified by
                      env_check will be preserved in the environment if they
                      pass the aforementioned check. The global list of
                      environment variables to check is displayed when sudo
                      is run by root with the -V option.

     env_delete       Environment variables to be removed from the user's
                      environment when the env_reset option is not in effect.
                      The argument may be a double-quoted, space-separated
                      list or a single value without double-quotes. The list
                      can be replaced, added to, deleted from, or disabled by
                      using the ‘=’, ‘+=’, ‘-=’, and ‘!’ operators
                      respectively. The global list of environment variables
                      to remove is displayed when sudo is run by root with
                      the -V option. Many operating systems will remove
                      potentially dangerous variables from the environment of
                      any set-user-ID process (such as sudo).

     env_keep         Environment variables to be preserved in the user's
                      environment when the env_reset option is in effect.
                      This allows fine-grained control over the environment
                      sudo-spawned processes will receive. The argument may
                      be a double-quoted, space-separated list or a single
                      value without double-quotes. The list can be replaced,
                      added to, deleted from, or disabled by using the ‘=’,
                      ‘+=’, ‘-=’, and ‘!’ operators respectively. The global
                      list of variables to keep is displayed when sudo is run
                      by root with the -V option.

                      Preserving the HOME environment variable has security
                      implications since many programs use it when searching
                      for configuration or data files. Adding HOME to
                      env_keep may enable a user to run unrestricted commands
                      via sudo and is strongly discouraged. Users wishing to
                      edit files with sudo should run sudoedit (or sudo -e)
                      to get their accustomed editor configuration instead of
                      invoking the editor directly.
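
     The following Python example is added here to make the env_check
     “safe” test, the four TZ rules, the list operators and the way
     env_reset, env_keep, env_check and env_delete combine concrete; it is
     not sudo's own code and it models only the rules stated above (the
     variables sudo always sets itself, such as PATH under secure_path,
     are outside the model). PATH_MAX is assumed to be 4096 and the
     zoneinfo directory /usr/share/zoneinfo; the sample environment below
     is constructed for the demonstration.

```python
PATH_MAX = 4096                          # assumption: the Linux value
ZONEINFO_DIR = "/usr/share/zoneinfo"     # assumption: a common location


def tz_is_safe(value: str) -> bool:
    """The four TZ rules given for env_check, in the order listed."""
    path = value[1:] if value.startswith(":") else value
    if path.startswith("/") and not (
            path == ZONEINFO_DIR or path.startswith(ZONEINFO_DIR + "/")):
        return False                                # absolute, outside zoneinfo
    if ".." in path.split("/"):
        return False                                # '..' path element
    if any(c.isspace() or not c.isprintable() for c in value):
        return False                                # white space / non-printable
    if len(value) > PATH_MAX:
        return False
    return True


def value_is_safe(name: str, value: str) -> bool:
    """env_check's notion of 'safe': no '%' or '/' except for TZ."""
    if name == "TZ":
        return tz_is_safe(value)
    return "%" not in value and "/" not in value


def apply_list_op(current, op: str, values=()) -> set:
    """The list operators: '=' replaces, '+=' adds, '-=' removes and
    '!' disables (empties) the list."""
    if op == "=":
        return set(values)
    if op == "+=":
        return set(current) | set(values)
    if op == "-=":
        return set(current) - set(values)
    if op == "!":
        return set()
    raise ValueError(f"unknown list operator: {op}")


def filter_environment(env: dict, env_reset: bool,
                       env_keep, env_check, env_delete) -> dict:
    """Model of how env_reset, env_keep, env_check and env_delete combine.

    env_reset on:  keep a variable only if it is in env_keep, or in
                   env_check and its value passes the safety test.
    env_reset off: drop variables in env_delete, drop env_check
                   variables that fail the test, keep everything else.
    """
    result = {}
    for name, value in env.items():
        if env_reset:
            keep = name in env_keep or (
                name in env_check and value_is_safe(name, value))
        elif name in env_delete:
            keep = False
        elif name in env_check:
            keep = value_is_safe(name, value)
        else:
            keep = True
        if keep:
            result[name] = value
    return result


# Constructed sample environment for the demonstration.
SAMPLE_ENV = {"HOME": "/home/alice", "TERM": "xterm", "TZ": "UTC",
              "LANG": "en_US.UTF-8%n", "LD_PRELOAD": "/tmp/x.so"}

if __name__ == "__main__":
    print(filter_environment(SAMPLE_ENV, True, {"TERM"}, {"TZ", "LANG"},
                             {"LD_PRELOAD"}))
```

     Run on the sample, env_reset keeps only TERM and TZ: LANG is listed
     in env_check but carries a ‘%’, and HOME is not in env_keep, which is
     the behaviour the warning above about HOME relies on.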
2780
2781 log_servers A list of one or more servers to use for remote event
2782 and I/O log storage, separated by white space. Log
2783 servers must be running sudo_logsrvd or another service
2784 that implements the protocol described by
2785 sudo_logsrv.proto(5).
2786
2787 Server addresses should be of the form
2788 “host[:port][(tls)]”. The host portion may be a host
2789 name, an IPv4 address, or an IPv6 address in square
2790 brackets.
2791
2792 If the optional tls flag is present, the connection
2793 will be secured with Transport Layer Security (TLS)
2794 version 1.2 or 1.3. Versions of TLS prior to 1.2 are
2795 not supported.
2796
2797 If a port is specified, it may either be a port number
2798 or a well-known service name as defined by the system
2799 service name database. If no port is specified, port
2800 30343 will be used for plaintext connections and port
2801 30344 will be used for TLS connections.
2802
2803 When log_servers is set, event log data will be logged
2804 both locally (see the syslog and log_file settings) as
2805 well as remotely, but I/O log data will only be logged
2806 remotely. If multiple hosts are specified, they will
2807 be attempted in reverse order. If no log servers are
2808 available, the user will not be able to run a command
2809 unless either the ignore_iolog_errors flag (I/O logging
2810 enabled) or the ignore_log_errors flag (I/O logging
2811 disabled) is set. Likewise, if the connection to the
2812 log server is interrupted while sudo is running, the
2813 command will be terminated unless the
2814 ignore_iolog_errors flag (I/O logging enabled) or the
2815 ignore_log_errors flag (I/O logging disabled) is set.
2816
2817 This setting is only supported by version 1.9.0 or
2818 higher.
2819
2820 passprompt_regex A list of POSIX extended regular expressions used to
2821 match password prompts in the terminal output. As an
2822 extension, if the regular expression begins with
2823 “(?i)”, it will be matched in a case-insensitive man‐
2824 ner. Each regular expression is limited to 1024 char‐
acters. This option is only used when log_passwords
has been disabled. The default value is “[Pp]assword[:
]*”.
2828
2829 This setting is only supported by version 1.9.10 or
2830 higher.
2831
GROUP PROVIDER PLUGINS
The sudoers plugin supports its own plugin interface to allow non-Unix
group lookups which can query a group source other than the standard Unix
group database. This can be used to implement support for the
nonunix_group syntax described earlier.
2837
2838 Group provider plugins are specified via the group_plugin setting. The
2839 argument to group_plugin should consist of the plugin path, either fully-
2840 qualified or relative to the /usr/libexec/sudo directory, followed by any
2841 configuration options the plugin requires. These options (if specified)
2842 will be passed to the plugin's initialization function. If options are
2843 present, the string must be enclosed in double quotes ("").
2844
2845 The following group provider plugins are installed by default:
2846
2847 group_file
2848 The group_file plugin supports an alternate group file that
2849 uses the same syntax as the /etc/group file. The path to the
2850 group file should be specified as an option to the plugin. For
2851 example, if the group file to be used is /etc/sudo-group:
2852
2853 Defaults group_plugin="group_file.so /etc/sudo-group"
2854
2855 system_group
2856 The system_group plugin supports group lookups via the standard
C library functions getgrnam(3) and getgrgid(3). This plugin
2858 can be used in instances where the user belongs to groups not
2859 present in the user's supplemental group vector. This plugin
2860 takes no options:
2861
2862 Defaults group_plugin=system_group.so
2863
2864 The group provider plugin API is described in detail in sudo_plugin(5).
2865
LOG FORMAT
sudoers can log events in either JSON or sudo format; this section de‐
scribes the sudo log format. Depending on sudoers configuration, sudoers
can log events via syslog(3), to a local log file, or both. The log for‐
mat is almost identical in both cases.
2871
2872 Accepted command log entries
2873 Commands that sudo runs are logged using the following format (split into
2874 multiple lines for readability):
2875
2876 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
2877 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
2878 ENV=env_vars COMMAND=command
2879
2880 Where the fields are as follows:
2881
2882 date The date the command was run. Typically, this is in the
2883 format “MMM, DD, HH:MM:SS”. If logging via syslog(3), the
2884 actual date format is controlled by the syslog daemon. If
2885 logging to a file and the log_year option is enabled, the
2886 date will also include the year.
2887
2888 hostname The name of the host sudo was run on. This field is only
2889 present when logging via syslog(3).
2890
2891 progname The name of the program, usually sudo or sudoedit. This
2892 field is only present when logging via syslog(3).
2893
2894 username The login name of the user who ran sudo.
2895
2896 ttyname The short name of the terminal (e.g., “console”, “tty01”,
2897 or “pts/0”) sudo was run on, or “unknown” if there was no
2898 terminal present.
2899
2900 cwd The current working directory that sudo was run in.
2901
2902 runasuser The user the command was run as.
2903
2904 runasgroup The group the command was run as if one was specified on
2905 the command line.
2906
2907 logid An I/O log identifier that can be used to replay the com‐
2908 mand's output. This is only present when the log_input or
2909 log_output option is enabled.
2910
2911 env_vars A list of environment variables specified on the command
2912 line, if specified.
2913
2914 command The actual command that was executed.
2915
2916 Messages are logged using the locale specified by sudoers_locale, which
2917 defaults to the ‘C’ locale.
2918
2919 Denied command log entries
2920 If the user is not allowed to run the command, the reason for the denial
2921 will follow the user name. Possible reasons include:
2922
2923 user NOT in sudoers
2924 The user is not listed in the sudoers file.
2925
2926 user NOT authorized on host
2927 The user is listed in the sudoers file but is not allowed to run com‐
2928 mands on the host.
2929
2930 command not allowed
2931 The user is listed in the sudoers file for the host but they are not
2932 allowed to run the specified command.
2933
2934 3 incorrect password attempts
2935 The user failed to enter their password after 3 tries. The actual num‐
2936 ber of tries will vary based on the number of failed attempts and the
2937 value of the passwd_tries option.
2938
2939 a password is required
2940 The -n option was specified but a password was required.
2941
2942 sorry, you are not allowed to set the following environment variables
2943 The user specified environment variables on the command line that were
2944 not allowed by sudoers.
2945
2946 Error log entries
2947 If an error occurs, sudoers will log a message and, in most cases, send a
2948 message to the administrator via email. Possible errors include:
2949
2950 parse error in /etc/sudoers near line N
2951 sudoers encountered an error when parsing the specified file. In some
2952 cases, the actual error may be one line above or below the line number
2953 listed, depending on the type of error.
2954
2955 problem with defaults entries
2956 The sudoers file contains one or more unknown Defaults settings. This
2957 does not prevent sudo from running, but the sudoers file should be
2958 checked using visudo.
2959
2960 timestamp owner (username): No such user
2961 The time stamp directory owner, as specified by the timestampowner set‐
2962 ting, could not be found in the password database.
2963
2964 unable to open/read /etc/sudoers
2965 The sudoers file could not be opened for reading. This can happen when
2966 the sudoers file is located on a remote file system that maps user-ID 0
2967 to a different value. Normally, sudoers tries to open the sudoers file
2968 using group permissions to avoid this problem. Consider either chang‐
2969 ing the ownership of /etc/sudoers or adding an argument like
2970 “sudoers_uid=N” (where ‘N’ is the user-ID that owns the sudoers file)
2971 to the end of the sudoers Plugin line in the sudo.conf(5) file.
2972
2973 unable to open /etc/sudoers
2974 The /etc/sudoers file is missing.
2975
2976 /etc/sudoers is not a regular file
2977 The /etc/sudoers file exists but is not a regular file or symbolic
2978 link.
2979
2980 /etc/sudoers is owned by uid N, should be 0
2981 The sudoers file has the wrong owner. If you wish to change the
2982 sudoers file owner, add “sudoers_uid=N” (where ‘N’ is the user-ID that
2983 owns the sudoers file) to the sudoers Plugin line in the sudo.conf(5)
2984 file.
2985
2986 /etc/sudoers is world writable
2987 The permissions on the sudoers file allow all users to write to it.
2988 The sudoers file must not be world-writable, the default file mode is
2989 0440 (readable by owner and group, writable by none). The default mode
2990 may be changed via the “sudoers_mode” option to the sudoers Plugin line
2991 in the sudo.conf(5) file.
2992
2993 /etc/sudoers is owned by gid N, should be 1
2994 The sudoers file has the wrong group ownership. If you wish to change
2995 the sudoers file group ownership, add “sudoers_gid=N” (where ‘N’ is the
2996 group-ID that owns the sudoers file) to the sudoers Plugin line in the
2997 sudo.conf(5) file.
2998
2999 unable to open /run/sudo/ts/username
3000 sudoers was unable to read or create the user's time stamp file. This
3001 can happen when timestampowner is set to a user other than root and the
3002 mode on /run/sudo is not searchable by group or other. The default
3003 mode for /run/sudo is 0711.
3004
3005 unable to write to /run/sudo/ts/username
3006 sudoers was unable to write to the user's time stamp file.
3007
3008 /run/sudo/ts is owned by uid X, should be Y
3009 The time stamp directory is owned by a user other than timestampowner.
3010 This can occur when the value of timestampowner has been changed.
3011 sudoers will ignore the time stamp directory until the owner is cor‐
3012 rected.
3013
3014 /run/sudo/ts is group writable
3015 The time stamp directory is group-writable; it should be writable only
3016 by timestampowner. The default mode for the time stamp directory is
3017 0700. sudoers will ignore the time stamp directory until the mode is
3018 corrected.
3019
3020 Notes on logging via syslog
3021 By default, sudoers logs messages via syslog(3). The date, hostname, and
3022 progname fields are added by the system's syslog(3) function, not sudoers
3023 itself. As such, they may vary in format on different systems.
3024
3025 The maximum size of syslog messages varies from system to system. The
3026 syslog_maxlen setting can be used to change the maximum syslog message
3027 size from the default value of 980 bytes. For more information, see the
3028 description of syslog_maxlen.
3029
3030 Notes on logging to a file
3031 If the logfile option is set, sudoers will log to a local file, such as
3032 /var/log/sudo. When logging to a file, sudoers uses a format similar to
3033 syslog(3), with a few important differences:
3034
3035 1. The progname and hostname fields are not present.
3036
3037 2. If the log_year option is enabled, the date will also include the
3038 year.
3039
3040 3. Lines that are longer than loglinelen characters (80 by default) are
3041 word-wrapped and continued on the next line with a four character
3042 indent. This makes entries easier to read for a human being, but
3043 makes it more difficult to use grep(1) on the log files. If the
3044 loglinelen option is set to 0 (or negated with a ‘!’), word wrap
3045 will be disabled.
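The accepted and denied entry formats described above, parsed into fields the way a detection pipeline would consume them. This is an added example, not sudo's own code: the log lines are constructed (host, users and paths are made up), the continuation-line handling follows the four-character indent noted in item 3, and the optional “[pid]” after progname is assumed to be added by the syslog daemon.

```python
"""Parse sudoers event log lines (syslog and log_file forms) into fields.

This is an added example, not sudo's own code.  The sample lines below
are constructed; the host, user names and paths are made up.
"""
import re

# syslog form: "date hostname progname: username : fields".  The optional
# "[pid]" after progname is added by many syslog daemons (assumption).
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<hostname>\S+)\s+(?P<progname>sudo(?:edit)?)(?:\[\d+\])?:\s+(?P<rest>.*)$"
)
# log_file form: "date [year] : username : fields" (no hostname/progname).
LOGFILE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\s+\d{4})?)\s+:\s+"
    r"(?P<rest>.*)$"
)


def unwrap(lines):
    """Join log_file continuation lines (four-character indent, see loglinelen)."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("    ") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_entry(line):
    """Return a dict of the entry's fields, or None if the line is not one.

    "reason" is None for an accepted command and the denial text otherwise
    (e.g. "user NOT in sudoers", "3 incorrect password attempts").
    """
    m = SYSLOG_RE.match(line) or LOGFILE_RE.match(line)
    if m is None or " : " not in m.group("rest"):
        return None
    groups = m.groupdict()
    entry = {"date": groups["date"], "hostname": groups.get("hostname"),
             "progname": groups.get("progname"), "reason": None}
    username, body = m.group("rest").split(" : ", 1)
    entry["username"] = username.strip()
    # COMMAND= is always last and may itself contain " ; ", so split it off
    # before breaking the remaining "key=value" fields on " ; ".
    head, sep, command = body.partition("COMMAND=")
    entry["COMMAND"] = command if sep else None
    fields = head.rstrip(" ;").split(" ; ")
    if fields and not fields[0].startswith("TTY="):
        entry["reason"] = fields.pop(0)       # denied: reason precedes TTY=
    for field in fields:
        key, _, value = field.partition("=")
        entry[key] = value                    # TTY, PWD, USER, GROUP, TSID, ENV
    return entry


def denied_entries(lines):
    """Return (username, reason, command) for each denied command in lines."""
    hits = []
    for line in unwrap(lines):
        entry = parse_entry(line)
        if entry is not None and entry["reason"] is not None:
            hits.append((entry["username"], entry["reason"], entry["COMMAND"]))
    return hits


# Constructed sample: three syslog entries and one wrapped log_file entry.
SAMPLE_SYSLOG = [
    "Mar  1 12:34:56 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; TSID=000001 ; COMMAND=/usr/bin/systemctl restart sshd",
    "Mar  1 12:35:10 bastion sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; "
    "PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Mar  1 12:36:02 bastion sudo[4242]:    carol : 3 incorrect password attempts ; "
    "TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id",
]
SAMPLE_LOGFILE = [
    "Mar  1 12:37:45 2024 : alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ;",
    "    ENV=LC_ALL=C COMMAND=/usr/bin/apt-get install --yes some-package",
]

if __name__ == "__main__":
    for user, reason, command in denied_entries(SAMPLE_SYSLOG + SAMPLE_LOGFILE):
        print("DENIED %s (%s): %s" % (user, reason, command))
```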
3046
I/O LOG FILES
When I/O logging is enabled, sudo will run the command in a pseudo-ter‐
minal, logging user input and/or output, depending on which sudoers flags
are enabled. There are five distinct types of I/O that can be logged,
each with a corresponding sudoers flag.
3052
Type              Flag          Description
terminal input    log_ttyin     keystrokes entered by the user
terminal output   log_ttyout    command output displayed to the screen
standard input    log_stdin     input from a pipe or a file
standard output   log_stdout    output to a pipe or a file
standard error    log_stderr    output to a pipe or a file
3059
In addition to the flags described above, the log_input flag and
LOG_INPUT command tag set both log_ttyin and log_stdin. The log_output
flag and LOG_OUTPUT command tag set log_ttyout, log_stdout, and
log_stderr.
3064
To capture terminal input and output, sudo runs the command in a pseudo-
terminal, logging the input and output before passing it on to the user.
3067 To capture the standard input, standard output or standard error, sudo
3068 uses a pipe to interpose itself between the input or output stream, log‐
3069 ging the I/O before passing it to the other end of the pipe.
3070
3071 I/O can be logged either to the local machine or to a remote log server.
3072 For local logs, I/O is logged to the directory specified by the iolog_dir
3073 option (/var/log/sudo-io by default) using a unique session ID that is
3074 included in the sudo log line, prefixed with ‘TSID=’. The iolog_file op‐
3075 tion may be used to control the format of the session ID. For remote
3076 logs, the log_servers setting is used to specify one or more log servers
3077 running sudo_logsrvd or another server that implements the protocol de‐
3078 scribed by sudo_logsrv.proto(5).
3079
I/O logging pitfalls
3081 When logging standard input, anything sent to the standard input will be
3082 consumed, regardless of whether or not the command run via sudo is ac‐
3083 tively reading the standard input. This may have unexpected results when
3084 using sudo in a shell script that expects to process the standard input.
3085 For example, given the following shell script:
3086
3087 #!/bin/sh
3088 sudo echo testing
3089 echo done
3090
It will behave as expected when the script is passed to the shell as an
argument:
3093
3094 $ sh test.sh
3095 testing
3096 done
3097
3098 However, if the script is passed to the shell on the standard input, the
3099 ‘sudo echo testing’ command will consume the rest of the script. This
3100 means that the ‘echo done’ statement is never executed.
3101
3102 $ sh -s < test.sh
3103 testing
3104
3105 There are several ways to work around this problem:
3106
3107 1. Redirect the standard input from /dev/null when running a command
3108 via sudo that does not need to read the standard input.
3109
3110 sudo echo testing < /dev/null
3111
3112 2. Pass the script to the shell by path name instead of via the stan‐
3113 dard input.
3114
3115 sh test.sh
3116
3117 3. Disable logging the standard input for commands that do not need to
3118 read the standard input.
3119
3120 Defaults!/bin/echo !log_stdin
3121
Depending on the command, it may not be desirable to log the standard in‐
put or standard output. For example, I/O logging of commands that send
or receive large amounts of data via the standard output or standard in‐
put, such as rsync(1) and tar(1), could fill up the log file system with
superfluous data. It is possible to disable logging of the standard in‐
put and standard output for such commands as follows:
3128
3129 Cmnd_Alias COPY_CMDS = /usr/bin/tar, /usr/bin/cpio, /usr/bin/rsync
3130
3131 # Log input and output but omit stdin and stdout when copying files.
3132 Defaults log_input, log_output
3133 Defaults!COPY_CMDS !log_stdin, !log_stdout
3134
However, be aware that using the log_input flag or the LOG_INPUT command
tag will also enable log_stdin. Likewise, the log_output flag or the
LOG_OUTPUT command tag will enable log_stdout and log_stderr. Careful or‐
dering of rules may be necessary to achieve the results that you expect.
3139
3140 I/O log format
3141 For both local and remote I/O logs, each log is stored in a separate di‐
3142 rectory that contains the following files:
3143
3144 log A text file containing information about the command. The
3145 first line consists of the following colon-delimited fields:
3146 the time the command was run, the name of the user who ran
3147 sudo, the name of the target user, the name of the target group
3148 (optional), the terminal that sudo was run from, and the number
3149 of lines and columns of the terminal. The second and third
3150 lines contain the working directory the command was run from
3151 and the path name of the command itself (with arguments if
3152 present).
3153
3154 log.json A JSON-formatted file containing information about the command.
3155 This is similar to the log file but contains additional infor‐
3156 mation and is easily extensible. The log.json file will be
3157 used by sudoreplay(8) in preference to the log file if it ex‐
3158 ists. The file may contain the following elements:
3159
timestamp
A JSON object containing the time the command was run.
It consists of two values, seconds and nanoseconds.
3163
3164 columns The number of columns of the terminal the command ran
3165 on, or zero if no terminal was present.
3166
3167 command The fully-qualified path of the command that was run.
3168
3169 lines The number of lines of the terminal the command ran
3170 on, or zero if no terminal was present.
3171
3172 runargv A JSON array representing the command's argument vec‐
3173 tor as passed to the execve(2) system call.
3174
3175 runenv A JSON array representing the command's environment
3176 as passed to the execve(2) system call.
3177
3178 rungid The group ID the command ran as. This element is
3179 only present when the user specifies a group on the
3180 command line.
3181
3182 rungroup The name of the group the command ran as. This ele‐
3183 ment is only present when the user specifies a group
3184 on the command line.
3185
3186 runuid The user ID the command ran as.
3187
3188 runuser The name of the user the command ran as.
3189
3190 submitcwd
3191 The current working directory at the time sudo was
3192 run.
3193
3194 submithost
3195 The name of the host the command was run on.
3196
3197 submituser
3198 The name of the user who ran the command via sudo.
3199
3200 ttyname The path name of the terminal the user invoked sudo
3201 from. If the command was run in a pseudo-terminal,
3202 ttyname will be different from the terminal the com‐
3203 mand actually ran in.
3204
3205 timing Timing information used to replay the session. Each line con‐
3206 sists of the I/O log entry type and amount of time since the
3207 last entry, followed by type-specific data. The I/O log entry
3208 types and their corresponding type-specific data are:
3209
3210 0 standard input, number of bytes in the entry
3211 1 standard output, number of bytes in the entry
3212 2 standard error, number of bytes in the entry
3213 3 terminal input, number of bytes in the entry
3214 4 terminal output, number of bytes in the entry
5 window change, new number of lines and columns
3216 6 bug compatibility for sudo 1.8.7 terminal output
3217 7 command suspend or resume, signal received
3218
3219 ttyin Raw input from the user's terminal, exactly as it was received.
3220 This file is only present if the log_input or log_ttyin flags
3221 are set and sudo was run from a terminal. No post-processing
3222 is performed. For manual viewing, you may wish to convert car‐
3223 riage return characters in the log to line feeds. For example:
3224 ‘gunzip -c ttyin | tr "\r" "\n"’
3225
3226 stdin The standard input when no terminal is present, or input redi‐
3227 rected from a pipe or file. This file is only present if the
3228 log_input or log_stdin flags are set and the standard input is
3229 not connected to a terminal.
3230
3231 ttyout Output from the pseudo-terminal (what the command writes to the
3232 screen). Terminal-specific post-processing is performed before
3233 the data is logged. This means that, for example, line feeds
3234 are usually converted to line feed/carriage return pairs and
3235 tabs may be expanded to spaces. This file is only present if
3236 the log_output or log_ttyout flags are set and sudo was run
3237 from a terminal.
3238
3239 stdout The standard output when no terminal is present, or output
3240 redirected to a pipe or file. This file is only present if the
3241 log_output or log_stdout flags are set and the standard output
3242 is not connected to a terminal.
3243
3244 stderr The standard error when no terminal is present, or output redi‐
3245 rected to a pipe or file. This file is only present if the
3246 log_output or log_stderr flags are set and the standard error
3247 is not connected to a terminal.
3248
3249 All files other than log are compressed in gzip format unless the
3250 compress_io flag has been disabled. Due to buffering, it is not normally
3251 possible to display the I/O logs in real-time as the program is execut‐
3252 ing. The I/O log data will not be complete until the program run by sudo
3253 has exited or has been terminated by a signal. The iolog_flush flag can
3254 be used to disable buffering, in which case I/O log data is written to
3255 disk as soon as it is available. The output portion of an I/O log file
3256 can be viewed with the sudoreplay(8) utility, which can also be used to
3257 list or search the available logs.
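A reader for the per-session files just described (the colon-delimited log header, the timing records, and the gzip-compressed data files), useful for auditing what a session captured before replaying it. This is an added example, not sudo's own code; the samples are constructed to match the formats described above, and the signal name in the suspend record is a made-up value.

```python
"""Parse the per-session files of a sudoers I/O log directory.

Added example, not sudo's own code.  The samples below are constructed to
match the formats described above; real logs live under iolog_dir
(/var/log/sudo-io by default).
"""
import gzip
import os

# I/O log entry types from the timing file, in the order documented above.
TIMING_TYPES = {0: "stdin", 1: "stdout", 2: "stderr", 3: "ttyin",
                4: "ttyout", 5: "winsize", 6: "ttyout_compat", 7: "suspend"}
INPUT_STREAMS = {"stdin", "ttyin"}      # may hold passwords (see log_passwords)


def parse_log_header(text):
    """Parse the three-line ``log`` file into a dict.

    Line 1: time:user:runas_user:runas_group:tty:lines:columns
    Line 2: working directory.  Line 3: command with arguments.
    """
    lines = text.splitlines()
    if len(lines) < 3:
        raise ValueError("log file needs at least three lines")
    fields = lines[0].split(":")
    if len(fields) != 7:
        raise ValueError("unexpected header line: %r" % lines[0])
    ts, user, runas_user, runas_group, tty, rows, cols = fields
    return {"time": int(ts), "submituser": user, "runuser": runas_user,
            "rungroup": runas_group or None, "ttyname": tty,
            "lines": int(rows), "columns": int(cols),
            "submitcwd": lines[1], "command": lines[2]}


def parse_timing(lines):
    """Return (type_name, delay_seconds, data) for each timing record."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        kind = TIMING_TYPES.get(int(parts[0]))
        if kind is None:
            raise ValueError("unknown I/O log entry type: " + parts[0])
        delay = float(parts[1])
        if kind == "winsize":
            data = (int(parts[2]), int(parts[3]))   # new lines, columns
        elif kind == "suspend":
            data = parts[2]                            # signal received
        else:
            data = int(parts[2])                       # bytes in the entry
        records.append((kind, delay, data))
    return records


def summarize_timing(lines):
    """Session duration, bytes captured per stream, and whether input was logged."""
    duration = 0.0
    byte_counts = {}
    for kind, delay, data in parse_timing(lines):
        duration += delay
        if isinstance(data, int):
            byte_counts[kind] = byte_counts.get(kind, 0) + data
    return {"duration": duration, "bytes": byte_counts,
            "input_logged": any(k in INPUT_STREAMS for k in byte_counts)}


def read_iolog_file(iolog_dir, name):
    """Read one component; data files are gzip-compressed unless compress_io
    is disabled, so sniff the gzip magic instead of trusting the name."""
    path = os.path.join(iolog_dir, name)
    with open(path, "rb") as fh:
        magic = fh.read(2)
    opener = gzip.open if magic == b"\x1f\x8b" else open
    with opener(path, "rb") as fh:
        return fh.read()


# Constructed samples (not taken from a real session).
SAMPLE_LOG = "1700000000:alice:root::pts/0:24:80\n/home/alice\n/usr/bin/vi /etc/hosts\n"
SAMPLE_TIMING = [
    "3 0.000000 1",        # terminal input, 1 byte
    "4 0.500000 20",       # terminal output, 20 bytes
    "5 1.500000 40 120",   # window change to 40 lines x 120 columns
    "4 0.250000 100",
    "7 0.125000 TSTP",     # suspend; signal name is a made-up value
    "4 0.125000 5",
]

if __name__ == "__main__":
    print(parse_log_header(SAMPLE_LOG))
    print(summarize_timing(SAMPLE_TIMING))
```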
3258
3259 User input may contain sensitive information such as passwords (even if
3260 they are not echoed to the screen), which will be stored in the log file
3261 unencrypted. In most cases, logging the command output via log_output or
3262 LOG_OUTPUT is all that is required. When logging input, consider dis‐
3263 abling the log_passwords flag.
3264
Since each session's I/O logs are stored in a separate directory, tradi‐
tional log rotation utilities cannot be used to limit the number of I/O
logs. The simplest way to limit the number of I/O logs is by setting the
maxseq option to the maximum number of logs you wish to store. Once the
I/O log sequence number reaches maxseq, it will be reset to zero and
sudoers will truncate and re-use any existing I/O logs.
3271
FILES
/etc/sudo.conf Sudo front-end configuration
3274
3275 /etc/sudoers List of who can run what
3276
3277 /etc/group Local groups file
3278
3279 /etc/netgroup List of network groups
3280
3281 /var/log/sudo-io I/O log files
3282
3283 /run/sudo/ts Directory containing time stamps for the
3284 sudoers security policy
3285
3286 /var/db/sudo/lectured Directory containing lecture status files for
3287 the sudoers security policy
3288
3289 /etc/environment Initial environment for -i mode on AIX and
3290 Linux systems
3291
EXAMPLES
Below are example sudoers file entries. Admittedly, some of these are a
bit contrived. First, we allow a few environment variables to pass and
then define our aliases:
3296
3297 # Run X applications through sudo; HOME is used to find the
3298 # .Xauthority file. Other programs use HOME to locate configuration
3299 # files and this may lead to privilege escalation!
3300 Defaults env_keep += "DISPLAY HOME"
3301
3302 # User alias specification
3303 User_Alias FULLTIMERS = millert, mikef, dowdy
3304 User_Alias PARTTIMERS = bostley, jwfox, crawl
3305 User_Alias WEBADMIN = will, wendy, wim
3306
3307 # Runas alias specification
3308 Runas_Alias OP = root, operator
3309 Runas_Alias DB = oracle, sybase
3310 Runas_Alias ADMINGRP = adm, oper
3311
3312 # Host alias specification
3313 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
3314 SGI = grolsch, dandelion, black :\
3315 ALPHA = widget, thalamus, foobar :\
3316 HPPA = boa, nag, python
3317 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3318 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
3319 Host_Alias SERVERS = primary, mail, www, ns
3320 Host_Alias CDROM = orion, perseus, hercules
3321
3322 # Cmnd alias specification
3323 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
3324 /usr/sbin/restore, /usr/sbin/rrestore,\
3325 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
3326 /home/operator/bin/start_backups
3327 Cmnd_Alias KILL = /usr/bin/kill
3328 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
3329 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
3330 Cmnd_Alias HALT = /usr/sbin/halt
3331 Cmnd_Alias REBOOT = /usr/sbin/reboot
3332 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
3333 /usr/local/bin/tcsh, /usr/bin/rsh,\
3334 /usr/local/bin/zsh
3335 Cmnd_Alias SU = /usr/bin/su
3336 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
3337
3338 Here we override some of the compiled in default values. We want sudo to
3339 log via syslog(3) using the auth facility in all cases and for commands
3340 to be run with the target user's home directory as the working directory.
3341 We don't want to subject the full time staff to the sudo lecture and we
3342 want to allow them to run commands in a chroot(2) “sandbox” via the -R
3343 option. User millert need not provide a password and we don't want to
3344 reset the LOGNAME or USER environment variables when running commands as
3345 root. Additionally, on the machines in the SERVERS Host_Alias, we keep
3346 an additional local log file and make sure we log the year in each log
3347 line since the log entries will be kept around for several years.
3348 Lastly, we disable shell escapes for the commands in the PAGERS
3349 Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). This will not
3350 effectively constrain users with sudo ALL privileges.
3351
3352 # Override built-in defaults
3353 Defaults syslog=auth,runcwd=~
3354 Defaults>root !set_logname
3355 Defaults:FULLTIMERS !lecture,runchroot=*
3356 Defaults:millert !authenticate
3357 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
3358 Defaults!PAGERS noexec
3359
3360 The User specification is the part that actually determines who may run
3361 what.
3362
3363 root ALL = (ALL) ALL
3364 %wheel ALL = (ALL) ALL
3365
3366 We let root and any user in group wheel run any command on any host as
3367 any user.
3368
3369 FULLTIMERS ALL = NOPASSWD: ALL
3370
3371 Full time sysadmins (millert, mikef, and dowdy) may run any command on
3372 any host without authenticating themselves.
3373
3374 PARTTIMERS ALL = ALL
3375
Part time sysadmins (bostley, jwfox, and crawl) may run any command on any
host but they must authenticate themselves first (since the entry lacks
the NOPASSWD tag).
3379
3380 jack CSNETS = ALL
3381
3382 The user jack may run any command on the machines in the CSNETS alias
3383 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
3384 networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
3385 indicating it is a class C network. For the other networks in CSNETS,
3386 the local machine's netmask will be used during matching.
3387
3388 lisa CUNETS = ALL
3389
3390 The user lisa may run any command on any host in the CUNETS alias (the
3391 class B network 128.138.0.0).
3392
3393 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
3394 sudoedit /etc/printcap, /usr/oper/bin/
3395
3396 The operator user may run commands limited to simple maintenance. Here,
3397 those are commands related to backups, killing processes, the printing
3398 system, shutting down the system, and any commands in the directory
3399 /usr/oper/bin/. One command in the DUMPS Cmnd_Alias includes a sha224
3400 digest, /home/operator/bin/start_backups. This is because the directory
3401 containing the script is writable by the operator user. If the script is
3402 modified (resulting in a digest mismatch) it will no longer be possible
3403 to run it via sudo.
3404
3405 joe ALL = /usr/bin/su operator
3406
3407 The user joe may only su(1) to operator.
3408
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*

The user pete is allowed to change anyone's password except for root on
the HPPA machines. Because command line arguments are matched as a sin‐
gle, concatenated string, the ‘*’ wildcard will match multiple words.
This example assumes that passwd(1) does not take multiple user names on
the command line. On systems with GNU getopt(3), options to passwd(1)
may be specified after the user argument. As a result, this rule will
also allow:

passwd username --expire

which may not be desirable.

%opers ALL = (: ADMINGRP) /usr/sbin/

Users in the opers group may run commands in /usr/sbin/ as themselves
with any group in the ADMINGRP Runas_Alias (the adm and oper groups).
3427
3428 bob SPARC = (OP) ALL : SGI = (OP) ALL
3429
3430 The user bob may run anything on the SPARC and SGI machines as any user
3431 listed in the OP Runas_Alias (root and operator.)
3432
3433 jim +biglab = ALL
3434
3435 The user jim may run any command on machines in the biglab netgroup.
3436 sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.
3437
3438 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
3439
3440 Users in the secretaries netgroup need to help manage the printers as
3441 well as add and remove users, so they are allowed to run those commands
3442 on all machines.
3443
3444 fred ALL = (DB) NOPASSWD: ALL
3445
3446 The user fred can run commands as any user in the DB Runas_Alias (oracle
3447 or sybase) without giving a password.
3448
3449 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
3450
3451 On the ALPHA machines, user john may su to anyone except root but he is
3452 not allowed to specify any options to the su(1) command.
3453
3454 jen ALL, !SERVERS = ALL
3455
3456 The user jen may run any command on any machine except for those in the
3457 SERVERS Host_Alias (primary, mail, www, and ns).
3458
3459 jill SERVERS = /usr/bin/, !SU, !SHELLS
3460
3461 For any machine in the SERVERS Host_Alias, jill may run any commands in
3462 the directory /usr/bin/ except for those commands belonging to the SU and
3463 SHELLS Cmnd_Aliases. While not specifically mentioned in the rule, the
3464 commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the
3465 noexec option set.
3466
3467 steve CSNETS = (operator) /usr/local/op_commands/
3468
3469 The user steve may run any command in the directory /usr/local/op_com‐
3470 mands/ but only as user operator.
3471
3472 matt valkyrie = KILL
3473
3474 On his personal workstation, valkyrie, matt needs to be able to kill hung
3475 processes.
3476
3477 WEBADMIN www = (www) ALL, (root) /usr/bin/su www
3478
3479 On the host www, any user in the WEBADMIN User_Alias (will, wendy, and
3480 wim), may run any command as user www (which owns the web pages) or sim‐
3481 ply su(1) to www.
3482
3483 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
3484 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
3485
3486 Any user may mount or unmount a CD-ROM on the machines in the CDROM
3487 Host_Alias (orion, perseus, hercules) without entering a password. This
3488 is a bit tedious for users to type, so it is a prime candidate for encap‐
3489 sulating in a shell script.
3490
SECURITY NOTES
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the
‘!’ operator. A user can trivially circumvent this by copying the de‐
sired command to a different name and then executing that. For example:
3496
3497 bill ALL = ALL, !SU, !SHELLS
3498
3499 Doesn't really prevent bill from running the commands listed in SU or
3500 SHELLS since he can simply copy those commands to a different name, or
3501 use a shell escape from an editor or other program. Therefore, these
3502 kind of restrictions should be considered advisory at best (and rein‐
3503 forced by policy).
3504
3505 In general, if a user has sudo ALL there is nothing to prevent them from
3506 creating their own program that gives them a root shell (or making their
3507 own copy of a shell) regardless of any ‘!’ elements in the user specifi‐
3508 cation.
3509
3510 Security implications of fast_glob
3511 If the fast_glob option is in use, it is not possible to reliably negate
3512 commands where the path name includes globbing (aka wildcard) characters.
3513 This is because the C library's fnmatch(3) function cannot resolve rela‐
3514 tive paths. While this is typically only an inconvenience for rules that
3515 grant privileges, it can result in a security issue for rules that sub‐
3516 tract or revoke privileges.
3517
3518 For example, given the following sudoers file entry:
3519
3520 john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
3521 /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
3522
3523 User john can still run ‘/usr/bin/passwd root’ if fast_glob is enabled by
3524 changing to /usr/bin and running ‘./passwd root’ instead.
3525
3526 Another potential issue is that when sudo executes the command, it must
3527 use the command or path specified by the user instead of a path listed in
3528 the sudoers file. This may lead to a time of check versus time of use
3529 race condition.
3530
3531 Wildcards in command arguments
3532 Command line arguments are matched as a single, concatenated string.
3533 This mean a wildcard character such as ‘?’ or ‘*’ will match across word
3534 boundaries, which may be unexpected. For example, while a sudoers entry
3535 like:
3536
3537 %operator ALL = /bin/cat /var/log/messages*
3538
3539 will allow command like:
3540
3541 $ sudo cat /var/log/messages.1
3542
3543 It will also allow:
3544
3545 $ sudo cat /var/log/messages /etc/shadow
3546
3547 which is probably not what was intended. A safer alternative is to use a
3548 regular expression for matching command line arguments. The above exam‐
3549 ple can be rewritten as a regular expression:
3550
3551 %operator ALL = /bin/cat ^/var/log/messages[^[:space:]]*$
3552
3553 The regular expression will only match a single file with a name that be‐
3554 gins with /var/log/messages and does not include any white space in the
3555 name. It is often better to do command line processing outside of the
3556 sudoers file in a scripting language for anything non-trivial.
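
     The following C program, added here as an illustration and not part of
     sudo's own code, shows both points made above: why the glob
     /var/log/messages* matches the concatenated string
     "/var/log/messages /etc/shadow" while the regular expression does not,
     and why a negated glob such as !/usr/bin/* cannot cover a relative path
     under fast_glob.  It assumes sudoers calls fnmatch(3) with no flags for
     arguments, FNM_PATHNAME for the command path, and regcomp(3) with
     REG_EXTENDED for regular expressions.

```c
#include <fnmatch.h>
#include <regex.h>
#include <stdio.h>

/* Match a sudoers argument glob against the user's arguments.  sudoers
 * compares the arguments as one concatenated string; with no fnmatch(3)
 * flags, '*' and '?' match across '/' and white space alike. */
int glob_args_match(const char *pattern, const char *args)
{
    return fnmatch(pattern, args, 0) == 0;
}

/* Match a sudoers argument regular expression.  Assumed: POSIX extended
 * syntax, anchored with ^ and $ exactly as written in the sudoers entry. */
int regex_args_match(const char *pattern, const char *args)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;   /* a pattern that does not compile matches nothing */
    rc = regexec(&re, args, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Match a command path glob the way fast_glob does: fnmatch(3) against the
 * path the user typed (assumed flag: FNM_PATHNAME).  A relative path never
 * matches an absolute pattern, which is why a "!/usr/bin/*" rule does not
 * reliably exclude anything and must not be relied upon. */
int glob_path_match(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

int main(void)
{
    const char *glob = "/var/log/messages*";
    const char *re = "^/var/log/messages[^[:space:]]*$";
    /* Constructed argument strings from the two sudo cat invocations above. */
    const char *ok = "/var/log/messages.1";
    const char *bad = "/var/log/messages /etc/shadow";

    printf("glob:  '%s' -> %d, '%s' -> %d\n", ok, glob_args_match(glob, ok),
           bad, glob_args_match(glob, bad));            /* 1, 1 */
    printf("regex: '%s' -> %d, '%s' -> %d\n", ok, regex_args_match(re, ok),
           bad, regex_args_match(re, bad));             /* 1, 0 */
    printf("path:  /usr/bin/passwd -> %d, ./passwd -> %d\n",
           glob_path_match("/usr/bin/*", "/usr/bin/passwd"),
           glob_path_match("/usr/bin/*", "./passwd"));  /* 1, 0 */
    return 0;
}
```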

   Regular expressions in command names
     Using a regular expression to match a command name has the same
     security implications as using the fast_glob option:

     •   It is not possible to reliably negate commands when the path name
         is a regular expression.

     •   When sudo executes the command, it must use the command or path
         specified by the user instead of a path listed in the sudoers
         file.  This may lead to a time of check versus time of use race
         condition.

     These issues do not apply to rules where only the command line options
     are matched using a regular expression.

   Preventing shell escapes
     Once sudo executes a program, that program is free to do whatever it
     pleases, including run other programs.  This can be a security issue
     since it is not uncommon for a program to allow shell escapes, which
     lets a user bypass sudo's access control and logging.  Common programs
     that permit shell escapes include shells (obviously), editors,
     paginators, mail, and terminal programs.

     There are four basic approaches to this problem:

     restrict   Avoid giving users access to commands that allow the user
                to run arbitrary commands.  Many editors have a restricted
                mode where shell escapes are disabled, though sudoedit is a
                better solution to running editors via sudo.  Due to the
                large number of programs that offer shell escapes,
                restricting users to the set of programs that do not is
                often unworkable.

     intercept  On most systems, sudo's intercept functionality can be used
                to transparently intercept an attempt to run a new command,
                allow or deny it based on sudoers rules, and log the
                result.  For example, this can be used to restrict the
                commands run from within a privileged shell or editor.

                There are two underlying mechanisms that may be used to
                implement intercept mode: dso and trace.  The
                intercept_type setting can be used to select between them.

                The first mechanism, dso, overrides the standard C library
                functions that are used to execute a command.  It does this
                by setting an environment variable (usually LD_PRELOAD) to
                the path of a dynamic shared object, or shared library,
                containing custom versions of the execve(2), execl(3),
                execle(3), execlp(3), execv(3), execvp(3), execvpe(3), and
                system(3) library functions that connect back to sudo for a
                policy decision.  Note, however, that this applies only to
                dynamically-linked executables.  It is not possible to
                intercept commands for statically-linked executables or
                executables that run under binary emulation this way.
                Because most dynamic loaders ignore LD_PRELOAD (or the
                equivalent) when running set-user-ID and set-group-ID
                programs, sudoers will not permit such programs to be run
                in intercept mode by default.  The dso mechanism is
                incompatible with sudo's SELinux RBAC support (but see
                below).  SELinux disables LD_PRELOAD by default and
                interferes with file descriptor inheritance, which sudo
                relies on.

                The second mechanism, trace, is available on Linux systems
                that support seccomp(2) filtering.  It uses ptrace(2) and
                seccomp(2) to intercept the execve(2) system call instead
                of pre-loading a dynamic shared object.  Both static and
                dynamic executables are supported and it is compatible with
                sudo's SELinux RBAC mode.  Functions utilizing the
                execveat(2) system call, such as fexecve(3), are not
                currently intercepted.

                The intercept feature is known to work on Solaris, *BSD,
                Linux, macOS, HP-UX 11.x and AIX 5.3 and above.  It should
                be supported on most operating systems that support the
                LD_PRELOAD environment variable or an equivalent.  It is
                not possible to intercept shell built-in commands or
                restrict the ability to read or write sensitive files from
                within a shell.

                To enable intercept mode on a per-command basis, use the
                INTERCEPT tag as documented in the User Specification
                section above.  Here is that example again:

                      chuck research = INTERCEPT: ALL

                This allows user chuck to run any command on the machine
                “research” in intercept mode.  Any commands run via shell
                escapes will be validated and logged by sudo.  If you are
                unsure whether or not your system is capable of supporting
                intercept, you can always just try it out and check whether
                or not external commands run via a shell are logged when
                intercept is enabled.

                There is an inherent race condition between when a command
                is checked against sudoers rules and when it is actually
                executed.  If a user is allowed to run arbitrary commands,
                they may be able to change the execve(2) arguments in the
                program after the sudoers policy check has completed but
                before the new command is executed.  Starting with version
                1.9.12, the trace method will verify that the command and
                its arguments have not changed after execve(2) has
                completed but before execution of the new program has had
                a chance to run.  This is not the case with the dso method.
                See the description of the intercept_verify setting for
                more information.

     log        There are two separate but related ways to log additional
                commands.  The first is to enable I/O logging using the
                log_output flag.  This will log the command's output but
                will not create an event log entry when the additional
                command is run.  The second is to enable the log_subcmds
                flag in sudoers which will create an event log entry every
                time a new command is run.  If I/O logging is also enabled,
                the log entry will include a time offset into the I/O log
                to indicate when the command was run.  This offset can be
                passed to the sudoreplay(8) utility to replay the I/O log
                at the exact moment when the command was run.  The
                log_subcmds flag uses the same mechanism as intercept (see
                above) and has the same limitations.

     noexec     sudo's noexec functionality can be used to prevent a
                program run by sudo from executing any other programs.  On
                most systems, it uses the same LD_PRELOAD mechanism as
                intercept (see above) and thus the same caveats apply.  The
                noexec functionality is capable of blocking execution of
                commands run via the execve(2), execl(3), execle(3),
                execlp(3), exect(3), execv(3), execveat(2), execvP(3),
                execvp(3), execvpe(3), fexecve(3), popen(3),
                posix_spawn(3), posix_spawnp(3), system(3), and wordexp(3)
                functions.  On Linux, a seccomp(2) filter is used to
                implement noexec.  On Solaris 10 and higher, noexec uses
                Solaris privileges instead of the LD_PRELOAD environment
                variable.

                To enable noexec for a command, use the NOEXEC tag as
                documented in the User Specification section above.  Here
                is that example again:

                      aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                This allows user aaron to run /usr/bin/more and /usr/bin/vi
                with noexec enabled.  This will prevent those two commands
                from executing other commands (such as a shell).  If you
                are unsure whether or not your system is capable of
                supporting noexec you can always just try it out and check
                whether shell escapes work when noexec is enabled.

     Restricting shell escapes is not a panacea.  Programs running as root
     are still capable of many potentially hazardous operations (such as
     changing or overwriting files) that could lead to unintended privilege
     escalation.  In the specific case of an editor, a safer approach is to
     give the user permission to run sudoedit (see below).

   Secure editing
     The sudoers plugin includes sudoedit support which allows users to
     securely edit files with the editor of their choice.  As sudoedit is a
     built-in command, it must be specified in the sudoers file without a
     leading path.  However, it may take command line arguments just as a
     normal command does.  Wildcards used in sudoedit command line
     arguments are expected to be path names, so a forward slash (‘/’) will
     not be matched by a wildcard.

     Unlike other sudo commands, the editor is run with the permissions of
     the invoking user and with the environment unmodified.  More
     information may be found in the description of the -e option in
     sudo(8).

     For example, to allow user operator to edit the “message of the day”
     file on any machine:

           operator ALL = sudoedit /etc/motd

     The operator user then runs sudoedit as follows:

           $ sudoedit /etc/motd

     The editor will run as the operator user, not root, on a temporary
     copy of /etc/motd.  After the file has been edited, /etc/motd will be
     updated with the contents of the temporary copy.

     Users should never be granted sudoedit permission to edit a file that
     resides in a directory the user has write access to, either directly
     or via a wildcard.  If the user has write access to the directory it
     is possible to replace the legitimate file with a link to another
     file, allowing the editing of arbitrary files.  To prevent this,
     starting with version 1.8.16, symbolic links will not be followed in
     writable directories and sudoedit will refuse to edit a file located
     in a writable directory unless the sudoedit_checkdir option has been
     disabled or the invoking user is root.  Additionally, in version
     1.8.15 and higher, sudoedit will refuse to open a symbolic link unless
     either the sudoedit_follow option is enabled or the sudoedit command
     is prefixed with the FOLLOW tag in the sudoers file.

   Time stamp file checks
     sudoers will check the ownership of its time stamp directory
     (/run/sudo/ts by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.
     Older versions of sudo stored time stamp files in /tmp; this is no
     longer recommended as it may be possible for a user to create the time
     stamp themselves on systems that allow unprivileged users to change
     the ownership of files they create.

     While the time stamp directory should be cleared at reboot time, not
     all systems contain a /run or /var/run directory.  To avoid potential
     problems, sudoers will ignore time stamp files that date from before
     the machine booted on systems where the boot time is available.

     Some systems with graphical desktop environments allow unprivileged
     users to change the system clock.  Since sudoers relies on the system
     clock for time stamp validation, it may be possible on such systems
     for a user to run sudo for longer than timestamp_timeout by setting
     the clock back.  To combat this, sudoers uses a monotonic clock (which
     never moves backwards) for its time stamps if the system supports it.

     sudoers will not honor time stamps set far in the future.  Time stamps
     with a date greater than current_time + 2 * TIMEOUT will be ignored
     and sudoers will log and complain.

     If the timestamp_type option is set to “tty”, the time stamp record
     includes the device number of the terminal the user authenticated
     with.  This provides per-terminal granularity but time stamp records
     may still outlive the user's session.

     Unless the timestamp_type option is set to “global”, the time stamp
     record also includes the session ID of the process that last
     authenticated.  This prevents processes in different terminal sessions
     from using the same time stamp record.  On systems where a process's
     start time can be queried, the start time of the session leader is
     recorded in the time stamp record.  If no terminal is present or the
     timestamp_type option is set to “ppid”, the start time of the parent
     process is used instead.  In most cases this will prevent a time stamp
     record from being re-used without the user entering a password when
     logging out and back in again.

DEBUGGING
     Versions 1.8.4 and higher of the sudoers plugin support a flexible
     debugging framework that can help track down what the plugin is doing
     internally if there is a problem.  This can be configured in the
     sudo.conf(5) file.

     The sudoers plugin uses the same debug flag format as the sudo
     front-end: subsystem@priority.

     The priorities used by sudoers, in order of decreasing severity, are:
     crit, err, warn, notice, diag, info, trace, and debug.  Each priority,
     when specified, also includes all priorities higher than it.  For
     example, a priority of notice would include debug messages logged at
     notice and higher.

     The following subsystems are used by the sudoers plugin:

     alias      User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias
                processing

     all        matches every subsystem

     audit      BSM and Linux audit code

     auth       user authentication

     defaults   sudoers file Defaults settings

     env        environment handling

     ldap       LDAP-based sudoers

     logging    logging support

     match      matching of users, groups, hosts, and netgroups in the
                sudoers file

     netif      network interface handling

     nss        network service switch handling in sudoers

     parser     sudoers file parsing

     perms      permission setting

     plugin     the equivalent of main for the plugin

     pty        pseudo-terminal related code

     rbtree     red-black tree internals

     sssd       SSSD-based sudoers

     util       utility functions

     For example:

           Debug sudoers.so /var/log/sudoers_debug match@info,nss@info

     For more information, see the sudo.conf(5) manual.
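
     The following C program, added here as an illustration and not part of
     sudo's own code, parses the subsystem@priority flag list from a Debug
     line and decides whether a message from a given subsystem at a given
     priority would be logged, applying the severity ordering above and
     treating the all subsystem as a wildcard.  The decision logic is a
     model of the documented rules, not a copy of sudo's implementation.

```c
#include <stdio.h>
#include <string.h>

/* sudoers debug priorities in order of decreasing severity.  A flag at
 * index N logs messages at index N and every lower (more severe) index. */
static const char *const priorities[] = {
    "crit", "err", "warn", "notice", "diag", "info", "trace", "debug"
};
#define NPRIORITIES (sizeof(priorities) / sizeof(priorities[0]))

/* Index of the priority named by the first len bytes of name, or -1. */
static int priority_index(const char *name, size_t len)
{
    for (size_t i = 0; i < NPRIORITIES; i++) {
        if (strlen(priorities[i]) == len &&
            strncmp(priorities[i], name, len) == 0)
            return (int)i;
    }
    return -1;
}

/* Decide whether a message from subsystem at priority is logged under a
 * comma-separated flag list such as "match@info,nss@info".  The pseudo
 * subsystem "all" matches every subsystem.  Returns 1 (logged), 0 (not
 * logged) or -1 (malformed flag list or unknown priority name). */
int debug_would_log(const char *flags, const char *subsystem,
                    const char *priority)
{
    int msg_pri = priority_index(priority, strlen(priority));
    if (msg_pri < 0)
        return -1;

    const char *p = flags;
    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t flen = end != NULL ? (size_t)(end - p) : strlen(p);
        const char *at = memchr(p, '@', flen);
        if (at == NULL || at == p)
            return -1;                  /* missing '@' or empty subsystem */
        size_t sublen = (size_t)(at - p);
        int flag_pri = priority_index(at + 1, flen - sublen - 1);
        if (flag_pri < 0)
            return -1;
        int sub_match = (sublen == 3 && strncmp(p, "all", 3) == 0) ||
                        (sublen == strlen(subsystem) &&
                         strncmp(p, subsystem, sublen) == 0);
        if (sub_match && msg_pri <= flag_pri)
            return 1;
        p = end != NULL ? end + 1 : p + flen;
    }
    return 0;
}

int main(void)
{
    const char *flags = "match@info,nss@info";   /* from the Debug line above */
    printf("match@err   -> %d\n", debug_would_log(flags, "match", "err"));   /* 1 */
    printf("match@debug -> %d\n", debug_would_log(flags, "match", "debug")); /* 0 */
    printf("parser@crit -> %d\n", debug_would_log(flags, "parser", "crit")); /* 0 */
    return 0;
}
```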

SEE ALSO
     ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
     sudo.conf(5), sudo_plugin(5), sudoers.ldap(5), sudoers_timestamp(5),
     sudo(8), visudo(8)

AUTHORS
     Many people have worked on sudo over the years; this version consists
     of code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS.md file in the sudo distribution
     (https://www.sudo.ws/about/contributors/) for an exhaustive list of
     people who have contributed to sudo.

CAVEATS
     The sudoers file should always be edited by the visudo utility which
     locks the file and checks for syntax errors.  If sudoers contains
     syntax errors, sudo may refuse to run, which is a serious problem if
     sudo is your only method of obtaining superuser privileges.  Recent
     versions of sudoers will attempt to recover after a syntax error by
     ignoring the rest of the line after encountering an error.  Older
     versions of sudo will not run if sudoers contains a syntax error.

     When using netgroups of machines (as opposed to users), if you store
     fully qualified host names in the netgroup (as is usually the case),
     you either need to have the machine's host name be fully qualified as
     returned by the hostname command or use the fqdn option in sudoers.

BUGS
     If you believe you have found a bug in sudo, you can submit a bug
     report at https://bugzilla.sudo.ws/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.

DISCLAIMER
     sudo is provided “AS IS” and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE.md file distributed with sudo or
     https://www.sudo.ws/about/license/ for complete details.

Sudo 1.9.12p2                   October 20, 2022                   Sudo 1.9.12p2