SUDOERS(5)                  MAINTENANCE COMMANDS                  SUDOERS(5)
2
3
4
NAME
sudoers - list of which users may execute what
7
DESCRIPTION
The sudoers file is composed of two types of entries: aliases (basi‐
cally variables) and user specifications (which specify who may run
what).
12
13 When multiple entries match for a user, they are applied in order.
14 Where there are conflicting values, the last match is used (which is
15 not necessarily the most specific match).
16
17 The sudoers grammar will be described below in Extended Backus-Naur
18 Form (EBNF). Don't despair if you don't know what EBNF is; it is
19 fairly simple, and the definitions below are annotated.
20
21 Quick guide to EBNF
22
23 EBNF is a concise and exact way of describing the grammar of a lan‐
24 guage. Each EBNF definition is made up of production rules. E.g.,
25
symbol ::= definition | alternate1 | alternate2 ...
27
28 Each production rule references others and thus makes up a grammar for
29 the language. EBNF also contains the following operators, which many
30 readers will recognize from regular expressions. Do not, however, con‐
31 fuse them with "wildcard" characters, which have different meanings.
32
33 ? Means that the preceding symbol (or group of symbols) is
34 optional. That is, it may appear once or not at all.
35
36 * Means that the preceding symbol (or group of symbols) may
37 appear zero or more times.
38
39 + Means that the preceding symbol (or group of symbols) may
40 appear one or more times.
41
42 Parentheses may be used to group symbols together. For clarity, we
43 will use single quotes ('') to designate what is a verbatim character
44 string (as opposed to a symbol name).
45
46 Aliases
47
48 There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
49 and Cmnd_Alias.
50
Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
          'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
          'Host_Alias'  Host_Alias (':' Host_Alias)* |
          'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

User_Alias ::= NAME '=' User_List

Runas_Alias ::= NAME '=' Runas_List

Host_Alias ::= NAME '=' Host_List

Cmnd_Alias ::= NAME '=' Cmnd_List

NAME ::= [A-Z]([A-Z] | [0-9] | '_')*
65
66 Each alias definition is of the form
67
68 Alias_Type NAME = item1, item2, ...
69
70 where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
71 Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
72 underscore characters ('_'). A NAME must start with an uppercase let‐
73 ter. It is possible to put several alias definitions of the same type
74 on a single line, joined by a colon (':'). E.g.,
75
76 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
77
78 The definitions of what constitutes a valid alias member follow.
79
User_List ::= User |
              User ',' User_List

User ::= '!'* username |
         '!'* '%'group |
         '!'* '+'netgroup |
         '!'* User_Alias
87
88 A User_List is made up of one or more usernames, system groups (pre‐
89 fixed with '%'), netgroups (prefixed with '+') and other aliases. Each
90 list item may be prefixed with one or more '!' operators. An odd num‐
91 ber of '!' operators negate the value of the item; an even number just
92 cancel each other out.
93
Runas_List ::= Runas_User |
               Runas_User ',' Runas_List

Runas_User ::= '!'* username |
               '!'* '#'uid |
               '!'* '%'group |
               '!'* '+'netgroup |
               '!'* Runas_Alias
102
103 A Runas_List is similar to a User_List except that it can also contain
104 uids (prefixed with '#') and instead of User_Aliases it can contain
105 Runas_Aliases. Note that usernames and groups are matched as strings.
106 In other words, two users (groups) with the same uid (gid) are consid‐
107 ered to be distinct. If you wish to match all usernames with the same
108 uid (e.g. root and toor), you can use a uid instead (#0 in the example
109 given).
110
Host_List ::= Host |
              Host ',' Host_List

Host ::= '!'* hostname |
         '!'* ip_addr |
         '!'* network(/netmask)? |
         '!'* '+'netgroup |
         '!'* Host_Alias
119
120 A Host_List is made up of one or more hostnames, IP addresses, network
121 numbers, netgroups (prefixed with '+') and other aliases. Again, the
122 value of an item may be negated with the '!' operator. If you do not
123 specify a netmask with a network number, the netmask of the host's eth‐
124 ernet interface(s) will be used when matching. The netmask may be
125 specified either in dotted quad notation (e.g. 255.255.255.0) or CIDR
126 notation (number of bits, e.g. 24). A hostname may include shell-style
127 wildcards (see the Wildcards section below), but unless the hostname
128 command on your machine returns the fully qualified hostname, you'll
129 need to use the fqdn option for wildcards to be useful.
130
Cmnd_List ::= Cmnd |
              Cmnd ',' Cmnd_List

commandname ::= filename |
                filename args |
                filename '""'

Cmnd ::= '!'* commandname |
         '!'* directory |
         '!'* "sudoedit" |
         '!'* Cmnd_Alias
142
143 A Cmnd_List is a list of one or more commandnames, directories, and
144 other aliases. A commandname is a fully qualified filename which may
145 include shell-style wildcards (see the Wildcards section below). A
146 simple filename allows the user to run the command with any arguments
147 he/she wishes. However, you may also specify command line arguments
148 (including wildcards). Alternately, you can specify "" to indicate
149 that the command may only be run without command line arguments. A
150 directory is a fully qualified pathname ending in a '/'. When you
151 specify a directory in a Cmnd_List, the user will be able to run any
152 file within that directory (but not in any subdirectories therein).
153
154 If a Cmnd has associated command line arguments, then the arguments in
155 the Cmnd must match exactly those given by the user on the command line
156 (or match the wildcards if there are any). Note that the following
157 characters must be escaped with a '\' if they are used in command argu‐
158 ments: ',', ':', '=', '\'. The special command "sudoedit" is used to
159 permit a user to run sudo with the -e flag (or as sudoedit). It may
160 take command line arguments just as a normal command does.
161
162 Defaults
163
164 Certain configuration options may be changed from their default values
165 at runtime via one or more Default_Entry lines. These may affect all
166 users on any host, all users on a specific host, a specific user, or
167 commands being run as a specific user.
168
Default_Type ::= 'Defaults' |
                 'Defaults' '@' Host |
                 'Defaults' ':' User |
                 'Defaults' '>' RunasUser

Default_Entry ::= Default_Type Parameter_List

Parameter_List ::= Parameter |
                   Parameter ',' Parameter_List

Parameter ::= Parameter '=' Value |
              Parameter '+=' Value |
              Parameter '-=' Value |
              '!'* Parameter
183
184 Parameters may be flags, integer values, strings, or lists. Flags are
185 implicitly boolean and can be turned off via the '!' operator. Some
186 integer, string and list parameters may also be used in a boolean con‐
187 text to disable them. Values may be enclosed in double quotes (") when
188 they contain multiple words. Special characters may be escaped with a
189 backslash (\).
190
191 Lists have two additional assignment operators, += and -=. These oper‐
192 ators are used to add to and delete from a list respectively. It is
193 not an error to use the -= operator to remove an element that does not
194 exist in a list.
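The following is an added example, not part of the sudoers(5) manual or of the sudo source: a small Python routine that applies plain Defaults lines to a settings table using the operators described above (flag, '!'-negated flag, '=', '+=', '-=', double-quoted multi-word values, and '#' comments). It assumes a constructed set of Defaults lines, treats only env_check, env_delete and env_keep as list options, and ignores the host-, user- and runas-qualified forms ('@', ':', '>').

```python
import re
from typing import Dict, Union

# Added example, not part of sudoers(5) or sudo. Constructed Defaults lines
# (not from the page) exercising each operator form described above.
SAMPLE = """
Defaults env_reset, !lecture, passwd_tries = 5   # several parameters on one line
Defaults env_keep = "EDITOR VISUAL"
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep -= VISUAL
Defaults env_keep -= PAGER                       # absent element: silently ignored
Defaults mailto = "admin@example.com"            # quoted so the '@' is not parsed
Defaults !!insults                               # even number of '!' cancels out
"""

# Options this example knows to be lists ("Lists that can be used in a boolean context").
LIST_OPTIONS = {"env_check", "env_delete", "env_keep"}
ASSIGN = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")
# Split a Parameter_List on commas that are not inside double quotes.
COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

Value = Union[bool, int, str, list]


def parse_value(name: str, raw: str) -> Value:
    """Strip optional double quotes; lists are space-separated, digits become ints."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    if name in LIST_OPTIONS:
        return raw.split()
    return int(raw) if raw.isdigit() else raw


def apply_defaults_line(settings: Dict[str, Value], line: str) -> Dict[str, Value]:
    """Apply one plain 'Defaults' line to settings and return settings."""
    line = line.split("#", 1)[0].strip()          # '#' starts a comment
    if not line.startswith("Defaults"):
        return settings
    for param in COMMA.split(line[len("Defaults"):]):
        param = param.strip()
        if not param:
            continue
        m = ASSIGN.match(param)
        if m is None:                             # '!'* Parameter: the flag form
            bangs = len(param) - len(param.lstrip("!"))
            settings[param[bangs:]] = (bangs % 2 == 0)   # odd count negates
            continue
        name, op, raw = m.groups()
        value = parse_value(name, raw)
        if op == "=":
            settings[name] = value
        elif op == "+=":                          # add to a list, keeping order, no duplicates
            current = settings.setdefault(name, [])
            current.extend(v for v in value if v not in current)
        else:                                     # "-=": removing an absent element is not an error
            settings[name] = [v for v in settings.get(name, []) if v not in value]
    return settings


def parse_defaults(text: str) -> Dict[str, Value]:
    """Apply every Defaults line of a sudoers fragment in order."""
    settings: Dict[str, Value] = {}
    for line in text.splitlines():
        apply_defaults_line(settings, line)
    return settings


if __name__ == "__main__":
    for key, value in parse_defaults(SAMPLE).items():
        print(f"{key:14} {value!r}")
```

Because the lines are applied in order, the result of the env_keep sequence is EDITOR, LANG and LC_ALL: VISUAL was added and then deleted, and deleting PAGER, which was never present, changes nothing.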
195
196 Flags:
197
198 long_otp_prompt
199 When validating with a One Time Password scheme (S/Key or
200 OPIE), a two-line prompt is used to make it easier to cut
201 and paste the challenge to a local window. It's not as
202 pretty as the default but some people find it more conve‐
203 nient. This flag is off by default.
204
205 ignore_dot If set, sudo will ignore '.' or '' (current dir) in the
206 PATH environment variable; the PATH itself is not modified.
207 This flag is on by default. Currently, while it is possi‐
208 ble to set ignore_dot in sudoers, its value is not used.
209 This option should be considered read-only (it will be
210 fixed in a future version of sudo).
211
mail_always Send mail to the mailto user every time a user runs sudo.
This flag is off by default.
214
215 mail_badpass
216 Send mail to the mailto user if the user running sudo does
217 not enter the correct password. This flag is off by
218 default.
219
220 mail_no_user
221 If set, mail will be sent to the mailto user if the invok‐
222 ing user is not in the sudoers file. This flag is on by
223 default.
224
225 mail_no_host
226 If set, mail will be sent to the mailto user if the invok‐
227 ing user exists in the sudoers file, but is not allowed to
228 run commands on the current host. This flag is off by
229 default.
230
231 mail_no_perms
232 If set, mail will be sent to the mailto user if the invok‐
233 ing user is allowed to use sudo but the command they are
234 trying is not listed in their sudoers file entry or is
235 explicitly denied. This flag is off by default.
236
237 tty_tickets If set, users must authenticate on a per-tty basis. Nor‐
238 mally, sudo uses a directory in the ticket dir with the
239 same name as the user running it. With this flag enabled,
240 sudo will use a file named for the tty the user is logged
241 in on in that directory. This flag is on by default.
242
243 authenticate
244 If set, users must authenticate themselves via a password
245 (or other means of authentication) before they may run com‐
246 mands. This default may be overridden via the PASSWD and
247 NOPASSWD tags. This flag is on by default.
248
root_sudo If set, root is allowed to run sudo too. Disabling this
prevents users from "chaining" sudo commands to get a root
shell by doing something like "sudo sudo /bin/sh". Note,
however, that turning off root_sudo will also prevent root
from running sudoedit. Disabling root_sudo provides no
real additional security; it exists purely for historical
reasons. This flag is on by default.
256
257 log_host If set, the hostname will be logged in the (non-syslog)
258 sudo log file. This flag is off by default.
259
260 log_year If set, the four-digit year will be logged in the (non-sys‐
261 log) sudo log file. This flag is off by default.
262
263 shell_noargs
264 If set and sudo is invoked with no arguments it acts as if
265 the -s flag had been given. That is, it runs a shell as
266 root (the shell is determined by the SHELL environment
267 variable if it is set, falling back on the shell listed in
268 the invoking user's /etc/passwd entry if not). This flag
269 is off by default.
270
271 set_home If set and sudo is invoked with the -s flag the HOME envi‐
272 ronment variable will be set to the home directory of the
273 target user (which is root unless the -u option is used).
274 This effectively makes the -s flag imply -H. This flag is
275 off by default.
276
277 always_set_home
278 If set, sudo will set the HOME environment variable to the
279 home directory of the target user (which is root unless the
280 -u option is used). This effectively means that the -H
281 flag is always implied. This flag is off by default.
282
283 path_info Normally, sudo will tell the user when a command could not
284 be found in their PATH environment variable. Some sites
285 may wish to disable this as it could be used to gather
286 information on the location of executables that the normal
287 user does not have access to. The disadvantage is that if
288 the executable is simply not in the user's PATH, sudo will
289 tell the user that they are not allowed to run it, which
290 can be confusing. This flag is off by default.
291
292 preserve_groups
293 By default sudo will initialize the group vector to the
294 list of groups the target user is in. When preserve_groups
295 is set, the user's existing group vector is left unaltered.
296 The real and effective group IDs, however, are still set to
297 match the target user. This flag is off by default.
298
299 fqdn Set this flag if you want to put fully qualified hostnames
300 in the sudoers file. I.e., instead of myhost you would use
301 myhost.mydomain.edu. You may still use the short form if
302 you wish (and even mix the two). Beware that turning on
303 fqdn requires sudo to make DNS lookups which may make sudo
304 unusable if DNS stops working (for example if the machine
305 is not plugged into the network). Also note that you must
306 use the host's official name as DNS knows it. That is, you
307 may not use a host alias (CNAME entry) due to performance
308 issues and the fact that there is no way to get all aliases
309 from DNS. If your machine's hostname (as returned by the
310 hostname command) is already fully qualified you shouldn't
311 need to set fqdn. This flag is off by default.
312
313 insults If set, sudo will insult users when they enter an incorrect
314 password. This flag is off by default.
315
requiretty If set, sudo will only run when the user is logged in to a
real tty. This will disallow things like "rsh somehost
sudo ls" since rsh(1) does not allocate a tty. Because it
is not possible to turn off echo when there is no tty
present, some sites may wish to set this flag to prevent a
user from entering a visible password. This flag is off by
default.
323
324 env_editor If set, visudo will use the value of the EDITOR or VISUAL
325 environment variables before falling back on the default
326 editor list. Note that this may create a security hole as
327 it allows the user to run any arbitrary command as root
328 without logging. A safer alternative is to place a colon-
329 separated list of editors in the editor variable. visudo
330 will then only use the EDITOR or VISUAL if they match a
331 value specified in editor. This flag is on by default.
332
333 rootpw If set, sudo will prompt for the root password instead of
334 the password of the invoking user. This flag is off by
335 default.
336
337 runaspw If set, sudo will prompt for the password of the user
338 defined by the runas_default option (defaults to root)
339 instead of the password of the invoking user. This flag is
340 off by default.
341
342 targetpw If set, sudo will prompt for the password of the user spec‐
343 ified by the -u flag (defaults to root) instead of the
344 password of the invoking user. Note that this precludes
345 the use of a uid not listed in the passwd database as an
346 argument to the -u flag. This flag is off by default.
347
348 set_logname Normally, sudo will set the LOGNAME and USER environment
349 variables to the name of the target user (usually root
350 unless the -u flag is given). However, since some programs
351 (including the RCS revision control system) use LOGNAME to
352 determine the real identity of the user, it may be desir‐
353 able to change this behavior. This can be done by negating
354 the set_logname option.
355
356 stay_setuid Normally, when sudo executes a command the real and effec‐
357 tive UIDs are set to the target user (root by default).
358 This option changes that behavior such that the real UID is
359 left as the invoking user's UID. In other words, this
360 makes sudo act as a setuid wrapper. This can be useful on
361 systems that disable some potentially dangerous functional‐
362 ity when a program is run setuid. Note, however, that this
363 means that sudo will run with the real uid of the invoking
364 user which may allow that user to kill sudo before it can
365 log a failure, depending on how your OS defines the inter‐
366 action between signals and setuid processes.
367
368 env_reset If set, sudo will reset the environment to only contain the
369 following variables: HOME, LOGNAME, PATH, SHELL, TERM, and
370 USER (in addition to the SUDO_* variables). Of these, only
371 TERM is copied unaltered from the old environment. The
372 other variables are set to default values (possibly modi‐
373 fied by the value of the set_logname option). If sudo was
374 compiled with the SECURE_PATH option, its value will be
375 used for the PATH environment variable. Other variables
376 may be preserved with the env_keep option.
377
378 use_loginclass
379 If set, sudo will apply the defaults specified for the tar‐
380 get user's login class if one exists. Only available if
381 sudo is configured with the --with-logincap option. This
382 flag is off by default.
383
384 noexec If set, all commands run via sudo will behave as if the
385 NOEXEC tag has been set, unless overridden by a EXEC tag.
386 See the description of NOEXEC and EXEC below as well as the
387 "PREVENTING SHELL ESCAPES" section at the end of this man‐
388 ual. This flag is off by default.
389
ignore_local_sudoers
If set via LDAP, parsing of @sysconfdir@/sudoers will be
skipped. This is intended for enterprises that wish to
prevent the usage of local sudoers files so that only LDAP
is used. This thwarts the efforts of rogue operators who
would attempt to add roles to @sysconfdir@/sudoers. When
this option is present, @sysconfdir@/sudoers does not even
need to exist. Since this option tells sudo how to behave
when no specific LDAP entries have been matched, this
sudoOption is only meaningful for the cn=defaults section.
This flag is off by default.
401
402 Integers:
403
404 passwd_tries
405 The number of tries a user gets to enter his/her password
406 before sudo logs the failure and exits. The default is 3.
407
408 Integers that can be used in a boolean context:
409
410 loglinelen Number of characters per line for the file log. This value
411 is used to decide when to wrap lines for nicer log files.
412 This has no effect on the syslog log file, only the file
413 log. The default is 80 (use 0 or negate the option to dis‐
414 able word wrap).
415
timestamp_timeout
Number of minutes that can elapse before sudo will ask for
a password again. The default is 5. Set this to 0 to always
prompt for a password. If set to a value less than 0 the
user's timestamp will never expire. This can be used to
allow users to create or delete their own timestamps via
sudo -v and sudo -k respectively.
423
424 passwd_timeout
425 Number of minutes before the sudo password prompt times
426 out. The default is 5, set this to 0 for no password time‐
427 out.
428
429 umask Umask to use when running the command. Negate this option
430 or set it to 0777 to preserve the user's umask. The
431 default is 0022.
432
433 Strings:
434
435 mailsub Subject of the mail sent to the mailto user. The escape %h
436 will expand to the hostname of the machine. Default is ***
437 SECURITY information for %h ***.
438
439 badpass_message
440 Message that is displayed if a user enters an incorrect
441 password. The default is Sorry, try again. unless insults
442 are enabled.
443
444 timestampdir
445 The directory in which sudo stores its timestamp files.
446 The default is /var/run/sudo.
447
448 timestampowner
449 The owner of the timestamp directory and the timestamps
450 stored therein. The default is root.
451
452 passprompt The default prompt to use when asking for a password; can
453 be overridden via the -p option or the SUDO_PROMPT environ‐
454 ment variable. The following percent (`%') escapes are
455 supported:
456
457 %u expanded to the invoking user's login name
458
459 %U expanded to the login name of the user the command
460 will be run as (defaults to root)
461
462 %h expanded to the local hostname without the domain
463 name
464
%H expanded to the local hostname including the domain
name (only if the machine's hostname is fully quali‐
fied or the fqdn option is set)

%% two consecutive % characters are collapsed into a
single % character
471
472 The default value is Password:.
473
474 runas_default
475 The default user to run commands as if the -u flag is not
476 specified on the command line. This defaults to root.
477 Note that if runas_default is set it must occur before any
478 Runas_Alias specifications.
479
480 syslog_goodpri
481 Syslog priority to use when user authenticates success‐
482 fully. Defaults to notice.
483
484 syslog_badpri
485 Syslog priority to use when user authenticates unsuccess‐
486 fully. Defaults to alert.
487
editor A colon (':') separated list of editors allowed to be used
with visudo. visudo will choose the editor that matches
the user's EDITOR environment variable if possible, or the
first editor in the list that exists and is executable.
The default is the path to vi on your system.
493
494 noexec_file Path to a shared library containing dummy versions of the
495 execv(), execve() and fexecve() library functions that just
496 return an error. This is used to implement the noexec
497 functionality on systems that support LD_PRELOAD or its
498 equivalent. Defaults to /usr/libexec/sudo_noexec.so.
499
500 Strings that can be used in a boolean context:
501
502 lecture This option controls when a short lecture will be printed
503 along with the password prompt. It has the following pos‐
504 sible values:
505
506 never Never lecture the user.
507
508 once Only lecture the user the first time they run sudo.
509
510 always Always lecture the user.
511
512 If no value is specified, a value of once is implied.
513 Negating the option results in a value of never being used.
514 The default value is once.
515
516 lecture_file
517 Path to a file containing an alternate sudo lecture that
518 will be used in place of the standard lecture if the named
519 file exists.
520
521 logfile Path to the sudo log file (not the syslog log file). Set‐
522 ting a path turns on logging to a file; negating this
523 option turns it off.
524
525 syslog Syslog facility if syslog is being used for logging (negate
526 to disable syslog logging). Defaults to authpriv.
527
528 mailerpath Path to mail program used to send warning mail. Defaults
529 to the path to sendmail found at configure time.
530
531 mailerflags Flags to use when invoking mailer. Defaults to -t.
532
533 mailto Address to send warning and error mail to. The address
534 should be enclosed in double quotes (") to protect against
535 sudo interpreting the @ sign. Defaults to root.
536
537 exempt_group
538 Users in this group are exempt from password and PATH
539 requirements. This is not set by default.
540
541 verifypw This option controls when a password will be required when
542 a user runs sudo with the -v flag. It has the following
543 possible values:
544
545 all All the user's sudoers entries for the current host
546 must have the NOPASSWD flag set to avoid entering a
547 password.
548
549 any At least one of the user's sudoers entries for the
550 current host must have the NOPASSWD flag set to
551 avoid entering a password.
552
553 never The user need never enter a password to use the -v
554 flag.
555
556 always The user must always enter a password to use the -v
557 flag.
558
559 If no value is specified, a value of all is implied.
560 Negating the option results in a value of never being used.
561 The default value is all.
562
563 listpw This option controls when a password will be required when
564 a user runs sudo with the -l flag. It has the following
565 possible values:
566
567 all All the user's sudoers entries for the current host
568 must have the NOPASSWD flag set to avoid entering a
569 password.
570
571 any At least one of the user's sudoers entries for the
572 current host must have the NOPASSWD flag set to
573 avoid entering a password.
574
575 never The user need never enter a password to use the -l
576 flag.
577
578 always The user must always enter a password to use the -l
579 flag.
580
581 If no value is specified, a value of any is implied.
582 Negating the option results in a value of never being used.
583 The default value is any.
584
585 Lists that can be used in a boolean context:
586
587 env_check Environment variables to be removed from the user's envi‐
588 ronment if the variable's value contains % or / characters.
589 This can be used to guard against printf-style format vul‐
590 nerabilities in poorly-written programs. The argument may
591 be a double-quoted, space-separated list or a single value
592 without double-quotes. The list can be replaced, added to,
593 deleted from, or disabled by using the =, +=, -=, and !
594 operators respectively. The default list of environment
595 variables to check is printed when sudo is run by root with
596 the -V option.
597
598 env_delete Environment variables to be removed from the user's envi‐
599 ronment. The argument may be a double-quoted, space-sepa‐
600 rated list or a single value without double-quotes. The
601 list can be replaced, added to, deleted from, or disabled
602 by using the =, +=, -=, and ! operators respectively. The
603 default list of environment variables to remove is printed
604 when sudo is run by root with the -V option. Note that
605 many operating systems will remove potentially dangerous
606 variables from the environment of any setuid process (such
607 as sudo).
608
609 env_keep Environment variables to be preserved in the user's envi‐
610 ronment when the env_reset option is in effect. This
611 allows fine-grained control over the environment
612 sudo-spawned processes will receive. The argument may be a
613 double-quoted, space-separated list or a single value with‐
614 out double-quotes. The list can be replaced, added to,
615 deleted from, or disabled by using the =, +=, -=, and !
616 operators respectively. This list has no default members.
617
618 When logging via syslog(3), sudo accepts the following values for the
619 syslog facility (the value of the syslog Parameter): authpriv (if your
620 OS supports it), auth, daemon, user, local0, local1, local2, local3,
621 local4, local5, local6, and local7. The following syslog priorities
622 are supported: alert, crit, debug, emerg, err, info, notice, and warn‐
623 ing.
624
625 User Specification
626
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
              (':' Host_List '=' Cmnd_Spec_List)*

Cmnd_Spec_List ::= Cmnd_Spec |
                   Cmnd_Spec ',' Cmnd_Spec_List

Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd

Runas_Spec ::= '(' Runas_List ')'

Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
638
639 A user specification determines which commands a user may run (and as
640 what user) on specified hosts. By default, commands are run as root,
641 but this can be changed on a per-command basis.
642
643 Let's break that down into its constituent parts:
644
645 Runas_Spec
646
647 A Runas_Spec is simply a Runas_List (as defined above) enclosed in a
648 set of parentheses. If you do not specify a Runas_Spec in the user
649 specification, a default Runas_Spec of root will be used. A Runas_Spec
650 sets the default for commands that follow it. What this means is that
651 for the entry:
652
653 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
654
655 The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
656 as operator. E.g.,
657
$ sudo -u operator /bin/ls
659
660 It is also possible to override a Runas_Spec later on in an entry. If
661 we modify the entry like so:
662
663 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
664
665 Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
666 and /usr/bin/lprm as root.
667
668 Tag_Spec
669
A command may have zero or more tags associated with it. There are
four possible tag values: NOPASSWD, PASSWD, NOEXEC and EXEC. Once a tag
is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit the
tag unless it is overridden by the opposite tag (i.e., PASSWD overrides
NOPASSWD and EXEC overrides NOEXEC).
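As an added example (not from the manual or the sudo project), here is a Python parser for a single User_Spec line that applies the rules of the Runas_Spec and Tag_Spec subsections above together with the '!' parity rule from the User_List section: a Runas_Spec sets the default for the commands that follow it, a tag stays in force for later Cmnds until its opposite appears, and an odd number of leading '!' negates a Cmnd. It assumes one Host_List '=' Cmnd_Spec_List pair per line and no escaped '=' inside command arguments; the inputs are the two example entries above plus one constructed line.

```python
import re
from typing import Dict, List, Tuple

# Added example, not part of sudoers(5) or sudo: expand one User_Spec line into
# per-command entries carrying the effective Runas_Spec and tags.
# Assumed scope: one "Host_List = Cmnd_Spec_List" pair per line.

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC"}
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
            "NOEXEC": "EXEC", "EXEC": "NOEXEC"}
RUNAS_SPEC = re.compile(r"\((.*?)\)\s*(.*)")
TAG_SPEC = re.compile(r"([A-Z]+):\s*(.*)")


def split_cmnd_specs(text: str) -> List[str]:
    """Split a Cmnd_Spec_List on commas, ignoring commas inside a Runas_Spec."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def strip_negation(item: str) -> Tuple[str, bool]:
    """'!' parity rule: an odd number of '!' negates, an even number cancels out."""
    bangs = len(item) - len(item.lstrip("!"))
    return item[bangs:].strip(), bangs % 2 == 1


def parse_user_spec(line: str) -> List[Dict]:
    """Expand 'User_List Host_List = Cmnd_Spec_List' into one entry per Cmnd."""
    lhs, rhs = line.split("=", 1)
    *user_tokens, host_list = lhs.split()
    user_list = " ".join(user_tokens)
    runas = "root"                 # default Runas_Spec until one is given
    tags: Dict[str, bool] = {}     # tags in force, inherited by later Cmnds
    entries = []
    for spec in split_cmnd_specs(rhs):
        m = RUNAS_SPEC.match(spec)           # Runas_Spec?: new default for what follows
        if m:
            runas, spec = m.group(1).strip(), m.group(2)
        while True:                          # Tag_Spec*: each tag cancels its opposite
            m = TAG_SPEC.match(spec)
            if not m or m.group(1) not in TAGS:
                break
            tag, spec = m.group(1), m.group(2)
            tags.pop(OPPOSITE[tag], None)
            tags[tag] = True
        cmnd, negated = strip_negation(spec)
        entries.append({"users": user_list, "hosts": host_list, "runas": runas,
                        "tags": sorted(tags), "cmnd": cmnd, "negated": negated})
    return entries


if __name__ == "__main__":
    for line in (
        "dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm",
        "ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm",
        # constructed line: Runas_List with a comma, tag inheritance, '!' parity
        "ops ALL = (root, operator) NOEXEC: /usr/bin/vi, !/sbin/shutdown, !!/bin/ls",
    ):
        for e in parse_user_spec(line):
            print(f'{e["cmnd"]:16} runas={e["runas"]:15} tags={e["tags"]} negated={e["negated"]}')
```

Running it shows /bin/kill and /usr/bin/lprm inheriting (root) in the first entry, /usr/bin/lprm inheriting PASSWD in the second, and in the constructed line !!/bin/ls coming out as a positive entry because the two '!' cancel each other out.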
675
676 NOPASSWD and PASSWD
677
678 By default, sudo requires that a user authenticate him or herself
679 before running a command. This behavior can be modified via the
680 NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
681 the commands that follow it in the Cmnd_Spec_List. Conversely, the
682 PASSWD tag can be used to reverse things. For example:
683
684 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
685
would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
as root on the machine rushmore without authenticating himself.
688 If we only want ray to be able to run /bin/kill without a password the
689 entry would be:
690
691 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
692
693 Note, however, that the PASSWD tag has no effect on users who are in
694 the group specified by the exempt_group option.
695
696 By default, if the NOPASSWD tag is applied to any of the entries for a
697 user on the current host, he or she will be able to run sudo -l without
698 a password. Additionally, a user may only run sudo -v without a pass‐
699 word if the NOPASSWD tag is present for all a user's entries that per‐
700 tain to the current host. This behavior may be overridden via the ver‐
701 ifypw and listpw options.
702
703 NOEXEC and EXEC
704
If sudo has been compiled with noexec support and the underlying oper‐
ating system supports it, the NOEXEC tag can be used to prevent a dynam‐
ically-linked executable from running further commands itself.
708
709 In the following example, user aaron may run /usr/bin/more and
710 /usr/bin/vi but shell escapes will be disabled.
711
712 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
713
714 See the "PREVENTING SHELL ESCAPES" section below for more details on
715 how noexec works and whether or not it will work on your system.
716
717 Wildcards
718
sudo allows shell-style wildcards (aka meta or glob characters) to be
used in pathnames as well as command line arguments in the sudoers
file. Wildcard matching is done via the POSIX fnmatch(3) routine.
Note that these are not regular expressions.
723
724 * Matches any set of zero or more characters.
725
726 ? Matches any single character.
727
728 [...] Matches any character in the specified range.
729
730 [!...] Matches any character not in the specified range.
731
\x For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "]".
734
735 Note that a forward slash ('/') will not be matched by wildcards used
736 in the pathname. When matching the command line arguments, however, a
737 slash does get matched by wildcards. This is to make a path like:
738
739 /usr/bin/*
740
741 match /usr/bin/who but not /usr/bin/X11/xterm.
742
WARNING: a pathname with wildcards will not match a user command that
consists of a relative path. In other words, given the following
sudoers entry:

billy workstation = /usr/bin/*

user billy will be able to run any command in /usr/bin as root, such as
/usr/bin/w. The following two commands will be allowed (the first
assumes that /usr/bin is in the user's path):
752
753 $ sudo w
754 $ sudo /usr/bin/w
755
756 However, this will not:
757
758 $ cd /usr/bin
759 $ sudo ./w
760
761 For this reason you should only grant access to commands using wild‐
762 cards and never restrict access using them. This limitation will be
763 removed in a future version of sudo.
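The following added example (not part of the manual or of sudo itself) reproduces the matching rules of this section in Python using fnmatch, which implements the same glob syntax as fnmatch(3): a wildcard in the pathname does not cross '/', a relative path never matches a wildcard pattern, a pathname without wildcards must match exactly (sudo resolves the command to a full path first; the caller is assumed to have done so), "" means no arguments, and wildcards in the argument part are matched against the user's arguments joined by single spaces, so they do cross '/'. The space-joined comparison of arguments is an assumption here, the inputs are constructed, and the '\x' escape form is not handled.

```python
import fnmatch
import re
from typing import List

# Added example, not part of sudoers(5) or sudo: the wildcard rules of this
# section applied with Python's fnmatch (POSIX fnmatch(3) glob syntax).
# Not handled: the '\x' escape form.

WILDCARD = re.compile(r"[*?\[]")


def path_matches(pattern: str, path: str) -> bool:
    """Match the pathname part of a Cmnd against the command the user ran.

    Without wildcards the paths must be identical. With wildcards a relative
    path never matches (the WARNING above), and a wildcard never spans '/',
    so '/usr/bin/*' matches /usr/bin/who but not /usr/bin/X11/xterm.
    """
    if not WILDCARD.search(pattern):
        return pattern == path
    if not path.startswith("/"):
        return False
    pat_parts, path_parts = pattern.split("/"), path.split("/")
    if len(pat_parts) != len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(component, sub_pattern)
               for sub_pattern, component in zip(pat_parts, path_parts))


def args_match(spec_args: str, user_args: List[str]) -> bool:
    """Match the argument part of a Cmnd.

    '""' means the command may only run without arguments; an empty argument
    part means any arguments are allowed; otherwise the user's arguments,
    joined by single spaces, must fnmatch the pattern (assumed here to be how
    sudo compares them), which is why a wildcard does match '/' and spaces.
    """
    if spec_args == '""':
        return not user_args
    if not spec_args:
        return True
    return fnmatch.fnmatchcase(" ".join(user_args), spec_args)


def cmnd_matches(cmnd: str, user_path: str, user_args: List[str]) -> bool:
    """Split a sudoers Cmnd into filename and argument part and apply both rules."""
    parts = cmnd.split(None, 1)
    spec_path = parts[0]
    spec_args = parts[1].strip() if len(parts) > 1 else ""
    return path_matches(spec_path, user_path) and args_match(spec_args, user_args)


if __name__ == "__main__":
    # Constructed checks mirroring the examples in this section.
    print(path_matches("/usr/bin/*", "/usr/bin/who"))           # True
    print(path_matches("/usr/bin/*", "/usr/bin/X11/xterm"))     # False
    print(path_matches("/usr/bin/*", "./w"))                    # False: relative path
    print(cmnd_matches('/bin/ls ""', "/bin/ls", ["-l"]))        # False: "" means no args
    print(cmnd_matches("/bin/cat /var/log/*", "/bin/cat",
                       ["/var/log/syslog", "/etc/shadow"]))     # True: '*' spans spaces
```

The last check is the practical caveat: under space-joined matching an argument wildcard such as /var/log/* is also satisfied by the argument list "/var/log/syslog /etc/shadow", so a wildcard in the argument part grants more than the single file the entry appears to name.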
764
765 Exceptions to wildcard rules
766
767 The following exceptions apply to the above rules:
768
769 "" If the empty string "" is the only command line argument in the
770 sudoers entry it means that command is not allowed to be run
771 with any arguments.
772
773 Other special characters and reserved words
774
775 The pound sign ('#') is used to indicate a comment (unless it occurs in
776 the context of a user name and is followed by one or more digits, in
777 which case it is treated as a uid). Both the comment character and any
778 text after it, up to the end of the line, are ignored.
779
780 The reserved word ALL is a built-in alias that always causes a match to
781 succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
782 User_Alias, Runas_Alias, or Host_Alias. You should not try to define
783 your own alias called ALL as the built-in alias will be used in prefer‐
784 ence to your own. Please note that using ALL can be dangerous since in
785 a command context, it allows the user to run any command on the system.
786
787 An exclamation point ('!') can be used as a logical not operator both
788 in an alias and in front of a Cmnd. This allows one to exclude certain
789 values. Note, however, that using a ! in conjunction with the built-in
790 ALL alias to allow a user to run "all but a few" commands rarely works
791 as intended (see SECURITY NOTES below).
792
793 Long lines can be continued with a backslash ('\') as the last charac‐
794 ter on the line.
795
796 Whitespace between elements in a list, and around the special syntactic
797 characters in a User Specification ('=', ':', '(', ')'), is optional.
798
799 The following characters must be escaped with a backslash ('\') when
800 used as part of a word (e.g. a username or hostname): '@', '!', '=',
801 ':', ',', '(', ')', '\'.
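The comment, uid, escape and line-continuation rules above are easy to get subtly wrong, so here they are as a small pre-processor. This is example code written for this page, not sudo's lexer; the function names (sudoers_strip_comment, sudoers_join_continuations, sudoers_clean) are invented here and the sample sudoers text is constructed for the demonstration. A '#' opens a comment unless a digit follows it directly (a numeric uid such as #501), a backslash protects the character after it (so "nosuid\,nodev" survives as one word), and a backslash that ends a line splices the next line on.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strip a trailing comment from one line, in place.  A '#' opens a
 * comment unless a digit follows it directly (numeric uid, e.g. #501).
 * A backslash protects the character after it.  Trailing blanks left
 * behind are dropped too.  Hypothetical helper, not sudo's lexer. */
char *sudoers_strip_comment(char *line)
{
    char *p;

    for (p = line; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                        /* escaped character: keep it */
            continue;
        }
        if (*p == '#' && !isdigit((unsigned char)p[1])) {
            *p = '\0';                  /* comment: cut the line here */
            break;
        }
    }
    while (p > line && isspace((unsigned char)p[-1]))
        *--p = '\0';
    return line;
}

/* Splice continuation lines in place: a backslash that is the last
 * character on a line joins the next line to it, and the indentation
 * of the continued line collapses to a single space. */
char *sudoers_join_continuations(char *text)
{
    char *src = text, *dst = text;

    while (*src != '\0') {
        if (src[0] == '\\' && src[1] == '\n') {
            src += 2;
            while (*src == ' ' || *src == '\t')
                src++;
            *dst++ = ' ';
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
    return text;
}

/* Turn raw sudoers text into cleaned logical lines: join continuations,
 * cut each line at its comment, skip whatever is left empty.  The text
 * is modified in place; out[] receives pointers into it.  Returns the
 * number of lines stored (at most max). */
size_t sudoers_clean(char *text, char **out, size_t max)
{
    size_t n = 0;
    char *line = sudoers_join_continuations(text);

    while (line != NULL && n < max) {
        char *nl = strchr(line, '\n');
        if (nl != NULL)
            *nl++ = '\0';
        sudoers_strip_comment(line);
        if (*line != '\0')
            out[n++] = line;
        line = nl;
    }
    return n;
}

/* Constructed sample input exercising each rule (not from a real system). */
static char sample[] =
    "# User alias specification\n"
    "User_Alias OPS = millert,\\\n"
    "                 mikef        # continued line plus comment\n"
    "#501 ALL = ALL                # uid 501, not a comment\n"
    "ALL CDROM = /sbin/mount -o nosuid\\,nodev /dev/cd0a /CDROM\n";

int main(void)
{
    char *lines[8];
    size_t n = sudoers_clean(sample, lines, 8), i;

    for (i = 0; i < n; i++)
        printf("%zu: [%s]\n", i, lines[i]);   /* 3 lines, no comment text left */
    return 0;
}
```

Build with cc -std=c99 -Wall and run it: the first line vanishes entirely (pure comment), the continued alias comes out as one line, the #501 entry keeps its uid but loses its comment, and the escaped comma in the mount line is untouched.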
802
803 FILES
804 /etc/sudoers List of who can run what
805 /etc/group Local groups file
806 /etc/netgroup List of network groups
807
808 EXAMPLES
809 Since the sudoers file is parsed in a single pass, order is important.
810 In general, you should structure sudoers such that the Host_Alias,
811 User_Alias, and Cmnd_Alias specifications come first, followed by any
812 Default_Entry lines, and finally the Runas_Alias and user specifica‐
813 tions. The basic rule of thumb is you cannot reference an Alias that
814 has not already been defined.
815
816 Below are example sudoers entries. Admittedly, some of these are a bit
817 contrived. First, we define our aliases:
818
819 # User alias specification
820 User_Alias FULLTIMERS = millert, mikef, dowdy
821 User_Alias PARTTIMERS = bostley, jwfox, crawl
822 User_Alias WEBMASTERS = will, wendy, wim
823
824 # Runas alias specification
825 Runas_Alias OP = root, operator
826 Runas_Alias DB = oracle, sybase
827
828 # Host alias specification
829 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
830 SGI = grolsch, dandelion, black :\
831 ALPHA = widget, thalamus, foobar :\
832 HPPA = boa, nag, python
833 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
834 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
835 Host_Alias SERVERS = master, mail, www, ns
836 Host_Alias CDROM = orion, perseus, hercules
837
838 # Cmnd alias specification
839 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
840 /usr/sbin/restore, /usr/sbin/rrestore
841 Cmnd_Alias KILL = /usr/bin/kill
842 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
843 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
844 Cmnd_Alias HALT = /usr/sbin/halt
845 Cmnd_Alias REBOOT = /usr/sbin/reboot
846 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
847 /usr/local/bin/tcsh, /usr/bin/rsh, \
848 /usr/local/bin/zsh
849 Cmnd_Alias SU = /usr/bin/su
850
851 Here we override some of the compiled in default values. We want sudo
852 to log via syslog(3) using the auth facility in all cases. We don't
853 want to subject the full time staff to the sudo lecture, user millert
854 need not give a password, and we don't want to reset the LOGNAME or
855 USER environment variables when running commands as root. Addition‐
856 ally, on the machines in the SERVERS Host_Alias, we keep an additional
857 local log file and make sure we log the year in each log line since the
858 log entries will be kept around for several years.
859
860 # Override built-in defaults
861 Defaults syslog=auth
862 Defaults>root !set_logname
863 Defaults:FULLTIMERS !lecture
864 Defaults:millert !authenticate
865 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
866
867 The User specification is the part that actually determines who may run
868 what.
869
870 root ALL = (ALL) ALL
871 %wheel ALL = (ALL) ALL
872
873 We let root and any user in group wheel run any command on any host as
874 any user.
875
876 FULLTIMERS ALL = NOPASSWD: ALL
877
878 Full time sysadmins (millert, mikef, and dowdy) may run any command on
879 any host without authenticating themselves.
880
881 PARTTIMERS ALL = ALL
882
883 Part time sysadmins (bostley, jwfox, and crawl) may run any command on
884 any host but they must authenticate themselves first (since the entry
885 lacks the NOPASSWD tag).
886
887 jack CSNETS = ALL
888
889 The user jack may run any command on the machines in the CSNETS alias
890 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
891 those networks, only 128.138.204.0 has an explicit netmask (in CIDR
892 notation) indicating it is a class C network. For the other networks
893 in CSNETS, the local machine's netmask will be used during matching.
894
895 lisa CUNETS = ALL
896
897 The user lisa may run any command on any host in the CUNETS alias (the
898 class B network 128.138.0.0).
899
900 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
901 sudoedit /etc/printcap, /usr/oper/bin/
902
903 The operator user may run commands limited to simple maintenance.
904 Here, those are commands related to backups, killing processes, the
905 printing system, shutting down the system, and any commands in the
906 directory /usr/oper/bin/.
907
908 joe ALL = /usr/bin/su operator
909
910 The user joe may only su(1) to operator.
911
912 pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
913
914 The user pete is allowed to change anyone's password except for root on
915 the HPPA machines. Note that this assumes passwd(1) does not take multiple
916 usernames on the command line. Note also that [A-z] is wider than it looks: in ASCII the range covers not only the letters but also the six punctuation characters between 'Z' and 'a', so [A-Za-z]* states the intent more precisely.
917
918 bob SPARC = (OP) ALL : SGI = (OP) ALL
919
920 The user bob may run anything on the SPARC and SGI machines as any user
921 listed in the OP Runas_Alias (root and operator).
922
923 jim +biglab = ALL
924
925 The user jim may run any command on machines in the biglab netgroup.
926 Sudo knows that "biglab" is a netgroup due to the '+' prefix.
927
928 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
929
930 Users in the secretaries netgroup need to help manage the printers as
931 well as add and remove users, so they are allowed to run those commands
932 on all machines.
933
934 fred ALL = (DB) NOPASSWD: ALL
935
936 The user fred can run commands as any user in the DB Runas_Alias (ora‐
937 cle or sybase) without giving a password.
938
939 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
940
941 On the ALPHA machines, user john may su to anyone except root but he is
942 not allowed to give su(1) any flags.
943
944 jen ALL, !SERVERS = ALL
945
946 The user jen may run any command on any machine except for those in the
947 SERVERS Host_Alias (master, mail, www and ns).
948
949 jill SERVERS = /usr/bin/, !SU, !SHELLS
950
951 For any machine in the SERVERS Host_Alias, jill may run any commands in
952 the directory /usr/bin/ except for those commands belonging to the SU
953 and SHELLS Cmnd_Aliases.
954
955 steve CSNETS = (operator) /usr/local/op_commands/
956
957 The user steve may run any command in the directory /usr/local/op_com‐
958 mands/ but only as user operator.
959
960 matt valkyrie = KILL
961
962 On his personal workstation, valkyrie, matt needs to be able to kill
963 hung processes.
964
965 WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
966
967 On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
968 and wim), may run any command as user www (which owns the web pages) or
969 simply su(1) to www.
970
971 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
972 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
973
974 Any user may mount or unmount a CD-ROM on the machines in the CDROM
975 Host_Alias (orion, perseus, hercules) without entering a password.
976 This is a bit tedious for users to type, so it is a prime candidate for
977 encapsulating in a shell script.
978
979 SECURITY NOTES
980 It is generally not effective to "subtract" commands from ALL using the
981 '!' operator. A user can trivially circumvent this by copying the
982 desired command to a different name and then executing that. For exam‐
983 ple:
984
985 bill ALL = ALL, !SU, !SHELLS
986
987 Doesn't really prevent bill from running the commands listed in SU or
988 SHELLS since he can simply copy those commands to a different name, or
989 use a shell escape from an editor or other program. Therefore, these
990 kind of restrictions should be considered advisory at best (and rein‐
991 forced by policy).
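The wildcard rules (a wildcard in the path never matches '/', a wildcard in the arguments does, a relative path never matches a wildcard entry, "" forbids arguments), the last-match-wins treatment of '!' entries, and the copy-the-shell problem described in this section can all be seen in one small matcher. This is example code written for this page, not sudo's own matching routine. It uses fnmatch(3), the primitive sudo itself relies on, with FNM_PATHNAME for the command path and without it for the arguments, and it assumes the caller passes the command as sudo sees it after its own PATH lookup (a bare "w" has become /usr/bin/w, "./w" is still "./w") with the arguments joined by single spaces. The policies are the ones on this page with aliases expanded by hand (SHELLS cut to two entries); struct cmnd, cmnd_list_allows and the per-user wrappers are names invented here.

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One entry of a Cmnd_List: optional '!' prefix, a path ("ALL", a
 * directory ending in '/', or a pattern) and optional arguments.
 * args == NULL means any arguments, args == "" means none at all. */
struct cmnd {
    bool negated;
    const char *path;
    const char *args;
};

/* Match one entry against the command as sudo sees it (path already
 * resolved via PATH when it had no slash; args joined by spaces). */
static bool cmnd_matches(const struct cmnd *c, const char *path, const char *args)
{
    size_t plen = strlen(c->path);

    if (strcmp(c->path, "ALL") == 0)
        return true;
    if (plen > 0 && c->path[plen - 1] == '/')   /* directory: files directly inside it */
        return strncmp(c->path, path, plen) == 0 && path[plen] != '\0'
            && strchr(path + plen, '/') == NULL;
    /* FNM_PATHNAME stops '*' and '?' at '/', so /usr/bin/* matches
     * /usr/bin/who but not /usr/bin/X11/xterm, and ./w never matches. */
    if (fnmatch(c->path, path, FNM_PATHNAME) != 0)
        return false;
    if (c->args == NULL)
        return true;
    if (c->args[0] == '\0')
        return args[0] == '\0';
    /* No FNM_PATHNAME here: argument wildcards may match '/' and spaces. */
    return fnmatch(c->args, args, 0) == 0;
}

/* Last match wins: every entry is tried and the final one that matches
 * decides; a negated match denies, no match at all denies. */
bool cmnd_list_allows(const struct cmnd *list, size_t n, const char *path, const char *args)
{
    bool allowed = false;
    for (size_t i = 0; i < n; i++)
        if (cmnd_matches(&list[i], path, args))
            allowed = !list[i].negated;
    return allowed;
}

/* billy workstation = /usr/bin/* */
static const struct cmnd billy[] = { { false, "/usr/bin/*", NULL } };
/* john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* */
static const struct cmnd john[] = {
    { false, "/usr/bin/su", "[!-]*" },
    { true,  "/usr/bin/su", "*root*" },
};
/* jill SERVERS = /usr/bin/, !SU, !SHELLS   (aliases expanded, shortened) */
static const struct cmnd jill[] = {
    { false, "/usr/bin/",    NULL }, { true, "/usr/bin/su", NULL },
    { true,  "/usr/bin/sh",  NULL }, { true, "/usr/bin/csh", NULL },
};
/* bill ALL = ALL, !SU, !SHELLS   (the SECURITY NOTES example) */
static const struct cmnd bill[] = {
    { false, "ALL",          NULL }, { true, "/usr/bin/su", NULL },
    { true,  "/usr/bin/sh",  NULL }, { true, "/usr/bin/csh", NULL },
};

#define ALLOWS(policy, p, a) cmnd_list_allows(policy, sizeof(policy) / sizeof(policy[0]), p, a)
bool billy_allows(const char *p, const char *a) { return ALLOWS(billy, p, a); }
bool john_allows(const char *p, const char *a)  { return ALLOWS(john, p, a); }
bool jill_allows(const char *p, const char *a)  { return ALLOWS(jill, p, a); }
bool bill_allows(const char *p, const char *a)  { return ALLOWS(bill, p, a); }

int main(void)
{
    printf("billy /usr/bin/w         %d\n", billy_allows("/usr/bin/w", ""));         /* 1 */
    printf("billy /usr/bin/X11/xterm %d\n", billy_allows("/usr/bin/X11/xterm", "")); /* 0 */
    printf("billy ./w                %d\n", billy_allows("./w", ""));                /* 0 */
    printf("john  su jim             %d\n", john_allows("/usr/bin/su", "jim"));      /* 1 */
    printf("john  su -l jim          %d\n", john_allows("/usr/bin/su", "-l jim"));   /* 0 */
    printf("john  su root            %d\n", john_allows("/usr/bin/su", "root"));     /* 0 */
    printf("jill  /usr/bin/sh        %d\n", jill_allows("/usr/bin/sh", ""));         /* 0 */
    printf("bill  /usr/bin/sh        %d\n", bill_allows("/usr/bin/sh", ""));         /* 0 */
    printf("bill  /tmp/sh (a copy)   %d\n", bill_allows("/tmp/sh", ""));             /* 1 */
    return 0;
}
```

The last two lines of output are the point of this section: bill is denied /usr/bin/sh because the negated entry matches last, but a copy of the same binary at /tmp/sh matches ALL and nothing else, so it is allowed. jill's directory entry /usr/bin/ never reaches /usr/bin/X11/xterm, and a negated entry can only take away what an earlier positive entry granted.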
992
993 PREVENTING SHELL ESCAPES
994 Once sudo executes a program, that program is free to do whatever it
995 pleases, including run other programs. This can be a security issue
996 since it is not uncommon for a program to allow shell escapes, which
997 lets a user bypass sudo's restrictions. Common programs that permit
998 shell escapes include shells (obviously), editors, paginators, mail and
999 terminal programs.
1000
1001 Many systems that support shared libraries have the ability to override
1002 default library functions by pointing an environment variable (usually
1003 LD_PRELOAD) to an alternate shared library. On such systems, sudo's
1004 noexec functionality can be used to prevent a program run by sudo from
1005 executing any other programs. Note, however, that this applies only to
1006 native dynamically-linked executables. Statically-linked executables
1007 and foreign executables running under binary emulation are not
1008 affected.
1009
1010 To tell whether or not sudo supports noexec, you can run the following
1011 as root:
1012
1013 sudo -V | grep "dummy exec"
1014
1015 If the resulting output contains a line that begins with:
1016
1017 File containing dummy exec functions:
1018
1019 then sudo may be able to replace the exec family of functions in the
1020 standard library with its own that simply return an error. Unfortu‐
1021 nately, there is no foolproof way to know whether or not noexec will
1022 work at compile-time. Noexec should work on SunOS, Solaris, *BSD,
1023 Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known not to
1024 work on AIX and UnixWare. Noexec is expected to work on most operating
1025 systems that support the LD_PRELOAD environment variable. Check your
1026 operating system's manual pages for the dynamic linker (usually ld.so,
1027 ld.so.1, dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup‐
1028 ported.
1029
1030 To enable noexec for a command, use the NOEXEC tag as documented in the
1031 User Specification section above. Here is that example again:
1032
1033 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1034
1035 This allows user aaron to run /usr/bin/more and /usr/bin/vi with noexec
1036 enabled. This will prevent those two commands from executing other
1037 commands (such as a shell). If you are unsure whether or not your sys‐
1038 tem is capable of supporting noexec you can always just try it out and
1039 see if it works.
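The "dummy exec functions" described above amount to a shared object of a few lines. The following is an added example written for this page, not sudo's own sudo_noexec.c; noexec_deny and noexec_selftest are names invented here, the exec* names are the real C library entry points being shadowed. Built with cc -shared -fPIC -o noexec_demo.so noexec_demo.c and injected with LD_PRELOAD=./noexec_demo.so vi, the editor's :!sh fails with "Permission denied", which is what the NOEXEC tag arranges for the commands it is applied to.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <unistd.h>

/* Every exec-family entry point is replaced by a function that runs
 * nothing and fails with EACCES.  Loaded via LD_PRELOAD these
 * definitions take precedence over the C library's for any dynamically
 * linked program; a statically linked one is unaffected (see above). */
static int noexec_deny(void)
{
    static const char msg[] = "noexec: exec denied\n";
    (void)write(STDERR_FILENO, msg, sizeof msg - 1);   /* async-signal-safe */
    errno = EACCES;
    return -1;
}

int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return noexec_deny();
}
int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return noexec_deny();
}
int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return noexec_deny();
}
int execvpe(const char *file, char *const argv[], char *const envp[])
{
    (void)file; (void)argv; (void)envp;
    return noexec_deny();
}
int fexecve(int fd, char *const argv[], char *const envp[])
{
    (void)fd; (void)argv; (void)envp;
    return noexec_deny();
}
/* The variadic forms never read their argument lists: nothing is run. */
int execl(const char *path, const char *arg, ...)  { (void)path; (void)arg; return noexec_deny(); }
int execlp(const char *file, const char *arg, ...) { (void)file; (void)arg; return noexec_deny(); }
int execle(const char *path, const char *arg, ...) { (void)path; (void)arg; return noexec_deny(); }

/* Self-check: 1 if an exec attempt is refused with EACCES, 0 otherwise
 * (0 would mean these definitions are not the ones being called). */
int noexec_selftest(void)
{
    char *const argv[] = { "sh", "-c", "id", NULL };
    errno = 0;
    if (execv("/bin/sh", argv) != -1)
        return 0;
    return errno == EACCES;
}
```

Two caveats worth keeping in mind when building your own: the list above is only the classic exec family, while current versions of sudo's sudo_noexec.c also replace posix_spawn(3), posix_spawnp(3), system(3) and popen(3), because in current glibc system(3) and popen(3) are built on posix_spawn(3) and never call the public exec* symbols; and, as the text says, a static binary or an emulated foreign one loads no shared libraries at all, so nothing here applies to it.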
1040
1041 Note that disabling shell escapes is not a panacea. Programs running
1042 as root are still capable of many potentially hazardous operations
1043 (such as changing or overwriting files) that could lead to unintended
1044 privilege escalation. In the specific case of an editor, a safer
1045 approach is to give the user permission to run sudoedit.
1046
1047 SEE ALSO
1048 rsh(1), su(1), fnmatch(3), sudo(8), visudo(8)
1049
1050 CAVEATS
1051 The sudoers file should always be edited by the visudo command which
1052 locks the file and does grammatical checking. It is imperative that
1053 sudoers be free of syntax errors since sudo will not run with a syntac‐
1054 tically incorrect sudoers file.
1055
1056 When using netgroups of machines (as opposed to users), if you store
1057 fully qualified hostnames in the netgroup (as is usually the case), you
1058 either need to have the machine's hostname be fully qualified as
1059 returned by the hostname command or use the fqdn option in sudoers.
1060
1061 BUGS
1062 If you feel you have found a bug in sudo, please submit a bug report at
1063 http://www.sudo.ws/sudo/bugs/
1064
1065 SUPPORT
1066 Commercial support is available for sudo, see
1067 http://www.sudo.ws/sudo/support.html for details.
1068
1069 Limited free support is available via the sudo-users mailing list, see
1070 http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
1071 the archives.
1072
1073 DISCLAIMER
1074 Sudo is provided ``AS IS'' and any express or implied warranties,
1075 including, but not limited to, the implied warranties of merchantabil‐
1076 ity and fitness for a particular purpose are disclaimed. See the
1077 LICENSE file distributed with sudo or
1078 http://www.sudo.ws/sudo/license.html for complete details.
1079
1080
1081
1082 1.6.8p12                     June 20, 2005                     SUDOERS(5)