

.rn '' }`
''' $RCSfile: sudoers.5,v $$Revision: 1.2 $$Date: 1996/11/17 16:34:06 $
'''
''' $Log: sudoers.5,v $
''' Revision 1.2  1996/11/17 16:34:06  millert
''' Updated to sudo 1.5.3
'''
'''
.de Sh
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp
.if t .sp .5v
.if n .sp
..
.de Ip
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.de Vb
.ft CW
.nf
.ne \\$1
..
.de Ve
.ft R

.fi
..
'''
'''
'''     Set up \*(-- to give an unbreakable dash;
'''     string Tr holds user defined translation string.
'''     Bell System Logo is used as a dummy character.
'''
.tr \(*W-|\(bv\*(Tr
.ie n \{\
.ds -- \(*W-
.ds PI pi
.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.ds L" ""
.ds R" ""
.ds L' '
.ds R' '
'br\}
.el\{\
.ds -- \(em\|
.tr \*(Tr
.ds L" ``
.ds R" ''
.ds L' `
.ds R' '
.ds PI \(*p
'br\}
.\"	If the F register is turned on, we'll generate
.\"	index entries out stderr for the following things:
.\"		TH	Title 
.\"		SH	Header
.\"		Sh	Subsection 
.\"		Ip	Item
.\"		X<>	Xref  (embedded
.\"	Of course, you have to process the output yourself
.\"	in some meaningful fashion.
.if \nF \{
.de IX
.tm Index:\\$1\t\\n%\t"\\$2"
..
.nr % 0
.rr F
.\}
.TH sudoers 5 "1.5.3" "13/Nov/96" "FILE FORMATS"
.IX Title "sudoers 5"
.UC
.IX Name "sudoers - list of which users may execute what as root"
.if n .hy 0
.if n .na
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.de CQ          \" put $1 in typewriter font
.ft CW
'if n "\c
'if t \\&\\$1\c
'if n \\&\\$1\c
'if n \&"
\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
'.ft R
..
.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
.	\" AM - accent mark definitions
.bd B 3
.	\" fudge factors for nroff and troff
.if n \{\
.	ds #H 0
.	ds #V .8m
.	ds #F .3m
.	ds #[ \f1
.	ds #] \fP
.\}
.if t \{\
.	ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.	ds #V .6m
.	ds #F 0
.	ds #[ \&
.	ds #] \&
.\}
.	\" simple accents for nroff and troff
.if n \{\
.	ds ' \&
.	ds ` \&
.	ds ^ \&
.	ds , \&
.	ds ~ ~
.	ds ? ?
.	ds ! !
.	ds /
.	ds q
.\}
.if t \{\
.	ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.	ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.	ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.	ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.	ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.	ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
.	ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
.	ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.	ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
.\}
.	\" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.ds oe o\h'-(\w'o'u*4/10)'e
.ds Oe O\h'-(\w'O'u*4/10)'E
.	\" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.	\" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.	ds : e
.	ds 8 ss
.	ds v \h'-1'\o'\(aa\(ga'
.	ds _ \h'-1'^
.	ds . \h'-1'.
.	ds 3 3
.	ds o a
.	ds d- d\h'-1'\(ga
.	ds D- D\h'-1'\(hy
.	ds th \o'bp'
.	ds Th \o'LP'
.	ds ae ae
.	ds Ae AE
.	ds oe oe
.	ds Oe OE
.\}
.rm #[ #] #H #V #F C
.SH "NAME"
.IX Header "NAME"
sudoers \- list of which users may execute what as root
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fIsudoers\fR file is composed of an optional host alias section,
an optional command alias section and the user specification section.
All command or host aliases need to start with their respective keywords
(i.e., Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).
If there are multiple occurrences of a user, the union of the entries
will be used.
.Sh "user specification format:"
.IX Subsection "user specification format:"
.PP
.Vb 1
\&  user access_group [: access_group] ...
.Ve
.Vb 10
\&    access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
\&                     [,[(runas_list)] [NOPASSWD:] [op]cmnd_type] ...
\&       host_type ::= a lower-case hostname, netgroup, ip address,
\&                     network number, network number/netmask,
\&                     or host alias.
\&       runas_list ::= comma-separated list of users, groups,
\&                      netgroups or Runas_Aliases the user may run
\&                      commands as (default is root).
\&       cmnd_type ::= a command OR a command alias.
\&              op ::= the logical "!" NOT operator.
.Ve
.Sh "host alias section format:"
.IX Subsection "host alias section format:"
.PP
.Vb 1
\&  Host_Alias HOSTALIAS = host-list
.Ve
.Vb 4
\&      Host_Alias ::= a keyword.
\&       HOSTALIAS ::= an upper-case alias name.
\&       host-list ::= a comma separated list of hosts, netgroups,
\&                     ip addresses, networks.
.Ve
.Sh "user alias section format:"
.IX Subsection "user alias section format:"
.PP
.Vb 1
\&  User_Alias USERALIAS = user-list
.Ve
.Vb 3
\&      User_Alias ::= a keyword.
\&       USERALIAS ::= an upper-case alias name.
\&       user-list ::= a comma separated list of users, groups, netgroups.
.Ve
.Sh "runas alias section format:"
.IX Subsection "runas alias section format:"
.PP
.Vb 1
\&  Runas_Alias RUNASALIAS = runas-list
.Ve
.Vb 3
\&      Runas_Alias ::= a keyword.
\&       RUNASALIAS ::= an upper-case alias name.
\&       runas-list ::= a comma separated list of users, groups, netgroups.
.Ve
.Sh "command alias section format:"
.IX Subsection "command alias section format:"
.PP
.Vb 1
\&  Cmnd_Alias CMNDALIAS = cmnd-list
.Ve
.Vb 3
\&      Cmnd_Alias ::= a keyword.
\&       CMNDALIAS ::= an upper-case alias name.
\&       cmnd-list ::= a comma separated list of commands.
.Ve
.Sh "command specification:"
.IX Subsection "command specification:"
.PP
.Vb 1
\&  path arg1 arg2 .. argn = command
.Ve
.Vb 2
\&            path ::= a fully qualified pathname.
\&       arg[1..n] ::= optional command line arguments.
.Ve
.Sh "wildcards (aka meta characters):"
.IX Subsection "wildcards (aka meta characters):"
\fBsudo\fR allows shell-style \fIwildcards\fR along with command arguments
in the \fIsudoers\fR file.  Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\f(CWfnmatch(3)\fR routine.
.Ip "\f(CW*\fR" 8
.IX Item "\f(CW*\fR"
Matches any set of zero or more characters.
.Ip "\f(CW?\fR" 8
.IX Item "\f(CW?\fR"
Matches any single character.
.Ip "\f(CW[...]\fR" 8
.IX Item "\f(CW[...]\fR"
Matches any character in the specified range.
.Ip "\f(CW[!...]\fR" 8
.IX Item "\f(CW[!...]\fR"
Matches any character \fBnot\fR in the specified range.
.Ip "\f(CW\ex\fR" 8
.IX Item "\f(CW\ex\fR"
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R".  This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
.Sh "exceptions to wildcard rules:"
.IX Subsection "exceptions to wildcard rules:"
The following exceptions apply to the above rules:
.Ip "\f(CW""\fR" 8
.IX Item "\f(CW""\fR"
If the empty string \f(CW""\fR is the only command line argument in the
\fIsudoers\fR entry it means that command may take \fBno\fR arguments.
.Sh "other special characters and reserved words:"
.IX Subsection "other special characters and reserved words:"
Text after a pound sign (\fB#\fR) is considered a comment.
Words that begin with a percent sign (\fB%\fR) are assumed to
be \s-1UN\s0*X groups (%staff refers to users in the group \fIstaff\fR).
Words that begin with a plus sign (\fB+\fR) are assumed to
be netgroups (\fB+cshosts\fR refers to the netgroup \fIcshosts\fR).
Long lines can be newline escaped with the backslash \fB\e\fR character.
The reserved word \fB\s-1NOPASSWD\s0\fR indicates that a user need not
enter a password for the command listed in that entry.
.PP
The reserved alias \fI\s-1ALL\s0\fR can be used for both {Host,User,Cmnd}_Alias.
\fB\s-1DO\s0 \s-1NOT\s0\fR define an alias named \fI\s-1ALL\s0\fR; it will \fB\s-1NOT\s0\fR be used.
Note that \fI\s-1ALL\s0\fR implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:
   user  host=\s-1ALL\s0,!\s-1ALIAS1\s0,!/etc/halt...
Note that the \*(L"!\*(R" notation only works in a user's command list.  You
may not use it to subtract elements in a User_Alias, Host_Alias,
Cmnd_Alias or user list.
.PP
Commands may have optional command line arguments.  If they do,
then the arguments in the \fIsudoers\fR file must exactly match those
on the command line.  It is also possible to have a command's
arguments span multiple lines as long as the line continuance
character \*(L"\e\*(R" is used.  The following characters must be escaped
with a \*(L"\e\*(R" if used in command arguments: \*(L",\*(R", \*(L":\*(R", \*(L"=\*(R", \*(L"\e\*(R".
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.PP
.Vb 7
\&    # Host alias specification
\&    Host_Alias  HUB=houdini:\e
\&                REMOTE=merlin,kodiakthorn,spirit
\&    Host_Alias  SERVERS=houdini,merlin,kodiakthorn,spirit
\&    Host_Alias  CUNETS=128.138.0.0/255.255.0.0
\&    Host_Alias  CSNETS=128.138.243.0,128.138.204.0,\e
\&                       128.138.205.192
.Ve
.Vb 3
\&    # User alias specification
\&    User_Alias  FULLTIME=millert,dowdy,mikef
\&    User_Alias  PARTTIME=juola,mccreary,tor
.Ve
.Vb 2
\&    # Runas alias specification
\&    Runas_Alias OP=root,operator
.Ve
.Vb 6
\&    # Command alias specification
\&    Cmnd_Alias  LPCS=/usr/etc/lpc,/usr/ucb/lprm
\&    Cmnd_Alias  SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
\&    Cmnd_Alias  SU=/bin/su
\&    Cmnd_Alias  MISC=/bin/rm,/bin/cat:\e
\&                SHUTDOWN=/etc/halt,/etc/shutdown
.Ve
.Vb 14
\&    # User specification
\&    FULLTIME    ALL=(ALL) NOPASSWD: ALL
\&    %wheel      ALL=ALL
\&    PARTTIME    ALL=ALL,!SHELLS,!SU
\&    +interns    +openlabs=ALL,!SHELLS,!SU
\&    britt       REMOTE=SHUTDOWN:ALL=LPCS
\&    jimbo       CUNETS=/bin/su ?*,!/bin/su root
\&    nieusma     SERVERS=SHUTDOWN,/etc/reboot:\e
\&                HUB=ALL,!SHELLS
\&    jill        houdini=/etc/shutdown -[hr] now,MISC
\&    markm       HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
\&    davehieb    merlin=(OP) ALL:SERVERS=/etc/halt:\e
\&                kodiakthorn=NOPASSWD: ALL
\&    steve       CSNETS=(operator) /usr/op_commands/
.Ve
.Sh "Host Alias specifications:"
.IX Subsection "Host Alias specifications:"
There are four \fIhost aliases\fR.  The first actually contains
two \fIaliases\fR.  It sets \f(CWHUB\fR to be \f(CWhoudini\fR and \f(CWREMOTE\fR
to the three machines \f(CWmerlin\fR, \f(CWkodiakthorn\fR and \f(CWspirit\fR.
Similarly, \f(CWSERVERS\fR is set to the machines \f(CWhoudini\fR, \f(CWmerlin\fR,
\f(CWkodiakthorn\fR and \f(CWspirit\fR.  The \f(CWCSNETS\fR alias will match
any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192
nets.  The \f(CWCUNETS\fR alias will match any host on the 128.138.0.0
(class B) network.  Note that these are \fBnetwork\fR addresses, not ip
addresses.  Unless an explicit netmask is given, the local \fInetmask\fR
is used to determine whether or not the current host belongs to a network.
.Sh "User Alias specifications:"
.IX Subsection "User Alias specifications:"
The two \fIuser aliases\fR simply group the \f(CWFULLTIME\fR and
\f(CWPARTTIME\fR folks into two separate aliases.
.Sh "Command alias specifications:"
.IX Subsection "Command alias specifications:"
Command aliases are lists of commands with or without associated
command line arguments.  The entries above should be self-explanatory.
.Sh "User specifications:"
.IX Subsection "User specifications:"
.Ip "\s-1FULLTIME\s0" 16
.IX Item "\s-1FULLTIME\s0"
Full-time sysadmins in the \f(CWFULLTIME\fR alias may run any
command on any host as any user without a password.
.Ip "%wheel" 16
.IX Item "%wheel"
Any user in the \s-1UN\s0*X group \f(CWwheel\fR may run any
command on any host.
.Ip "\s-1PARTTIME\s0" 16
.IX Item "\s-1PARTTIME\s0"
Part-time sysadmins in the \f(CWPARTTIME\fR alias may run any
command except those in the \f(CWSHELLS\fR and \f(CWSU\fR aliases
on any host.
.Ip "+interns" 16
.IX Item "+interns"
Any user in the netgroup \f(CWinterns\fR may run any
command except those in the \f(CWSHELLS\fR and \f(CWSU\fR aliases
on any host that is in the \f(CWopenlabs\fR netgroup.
.Ip "britt" 16
.IX Item "britt"
The user \f(CWbritt\fR may run commands in the \f(CWSHUTDOWN\fR alias
on the \f(CWREMOTE\fR machines and commands in the \f(CWLPCS\fR alias
on any machine.
.Ip "jimbo" 16
.IX Item "jimbo"
The user \f(CWjimbo\fR may \f(CWsu\fR to any user save root on the
machines on \f(CWCUNETS\fR (which is explicitly listed as a class
B network).
.Ip "nieusma" 16
.IX Item "nieusma"
The user \f(CWnieusma\fR may run commands in the \f(CWSHUTDOWN\fR alias
as well as \fI/etc/reboot\fR on the \f(CWSERVERS\fR machines and
any command except those in the \f(CWSHELLS\fR alias on the \f(CWHUB\fR
machines.
.Ip "jill" 16
.IX Item "jill"
The user \f(CWjill\fR may run \f(CW/etc/shutdown -h now\fR or
\f(CW/etc/shutdown -r now\fR as well as the commands in the
\f(CWMISC\fR alias on houdini.
.Ip "markm" 16
.IX Item "markm"
The user \f(CWmarkm\fR may run any command on the \f(CWHUB\fR machines
except \fI/etc/shutdown\fR, \fI/etc/halt\fR, and commands listed
in the \f(CWMISC\fR alias.
.Ip "davehieb" 16
.IX Item "davehieb"
The user \f(CWdavehieb\fR may run any command on \f(CWmerlin\fR as any
user in the Runas_Alias \s-1OP\s0 (i.e., root or operator).  He may
also run \fI/etc/halt\fR on the \f(CWSERVERS\fR and any command
on \f(CWkodiakthorn\fR (no password required on \f(CWkodiakthorn\fR).
.Ip "steve" 16
.IX Item "steve"
The user \f(CWsteve\fR may run any command in the \fI/usr/op_commands/\fR
directory as user \f(CWoperator\fR on the machines on \f(CWCSNETS\fR.
.SH "CAVEATS"
.IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
command which locks the file and does grammatical checking. It is
imperative that the \fIsudoers\fR file be free of syntax errors since sudo
will not run with a syntactically incorrect \fIsudoers\fR file.
.SH "FILES"
.IX Header "FILES"
.PP
.Vb 2
\& /etc/sudoers           file of authorized users.
\& /etc/netgroup          list of network groups.
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).

.rn }` ''