sudoers(5)                       FILE FORMATS                       sudoers(5)
13/Nov/96                      Last change: 1.5.3

NAME
     sudoers - list of which users may execute what as root

DESCRIPTION
     The sudoers file is composed of an optional host alias section, an
     optional command alias section and the user specification section.
     All command or host aliases need to start with their respective
     keywords (ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).
     If there are multiple occurrences of a user, the union of the
     entries will be used.

     user specification format:

          user access_group [: access_group] ...

          access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
                           [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ...
          host_type    ::= a lower-case hostname, netgroup, ip address,
                           network number, network number/netmask, or
                           host alias.
          runas_list   ::= comma-separated list of users, groups, netgroups
                           or Runas_Aliases the user may run commands as
                           (default is root).
          cmnd_type    ::= a command OR a command alias.
          op           ::= the logical "!" NOT operator.

     host alias section format:

          Host_Alias HOSTALIAS = host-list

          Host_Alias ::= a keyword.
          HOSTALIAS  ::= an upper-case alias name.
          host-list  ::= a comma separated list of hosts, netgroups, ip
                         addresses, networks.

     user alias section format:

          User_Alias USERALIAS = user-list

          User_Alias ::= a keyword.
          USERALIAS  ::= an upper-case alias name.
          user-list  ::= a comma separated list of users, groups, netgroups.

     runas alias section format:

          Runas_Alias RUNASALIAS = runas-list

          Runas_Alias ::= a keyword.
          RUNASALIAS  ::= an upper-case alias name.
          runas-list  ::= a comma separated list of users, groups, netgroups.

     command alias section format:

          Cmnd_Alias CMNDALIAS = cmnd-list

          Cmnd_Alias ::= a keyword.
          CMNDALIAS  ::= an upper-case alias name.
          cmnd-list  ::= a comma separated list of commands.

     command specification:

          path arg1 arg2 .. argn = command

          path      ::= a fully qualified pathname.
          arg[1..n] ::= optional command line arguments.
     wildcards (aka meta characters):

          sudo allows shell-style wildcards along with command arguments
          in the sudoers file.  Wildcard matching is done via the POSIX
          fnmatch(3) routine.

          *         Matches any set of zero or more characters.
          ?         Matches any single character.
          [...]     Matches any character in the specified range.
          [!...]    Matches any character not in the specified range.
          \x        For any character "x", evaluates to "x".  This is
                    used to escape special characters such as: "*", "?",
                    "[", and "}".

     exceptions to wildcard rules:

          The following exceptions apply to the above rules:

          If the empty string "" is the only command line argument in the
          sudoers entry it means that command may take no arguments.

     other special characters and reserved words:

          Text after a pound sign (#) is considered a comment.

          Words that begin with a percent sign (%) are assumed to be UN*X
          groups (%staff refers to users in the group staff).

          Words that begin with a plus sign (+) are assumed to be
          netgroups (+cshosts refers to the netgroup cshosts).

          Long lines can be newline escaped with the backslash \
          character.

          The reserved word NOPASSWD indicates that a user need not enter
          a password for the command listed in that entry.

          The reserved alias ALL can be used for both
          {Host,User,Cmnd}_Alias.  DO NOT define an alias of ALL, it will
          NOT be used.  Note that ALL implies the entire universe of
          hosts/users/commands.  You can subtract elements from the
          universe by using the syntax:

               user host=ALL,!ALIAS1,!/etc/halt...

          Note that the "!" notation only works in a user's command list.
          You may not use it to subtract elements in a User_Alias,
          Host_Alias, Cmnd_Alias or user list.

          Commands may have optional command line arguments.  If they do,
          then the arguments in the sudoers file must exactly match those
          on the command line.  It is also possible to have a command's
          arguments span multiple lines as long as the line continuance
          character "\" is used.
          The following characters must be escaped with a "\" if used in
          command arguments: ",", ":", "=", "\".

EXAMPLES
     # Host alias specification
     Host_Alias     HUB=houdini:\
                    REMOTE=merlin,kodiakthorn,spirit
     Host_Alias     SERVERS=houdini,merlin,kodiakthorn,spirit
     Host_Alias     CUNETS=128.138.0.0/255.255.0.0
     Host_Alias     CSNETS=128.138.243.0,128.138.204.0,\
                    128.138.205.192

     # User alias specification
     User_Alias     FULLTIME=millert,dowdy,mikef
     User_Alias     PARTTIME=juola,mccreary,tor

     # Runas alias specification
     Runas_Alias    OP=root,operator

     # Command alias specification
     Cmnd_Alias     LPCS=/usr/etc/lpc,/usr/ucb/lprm
     Cmnd_Alias     SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
     Cmnd_Alias     SU=/bin/su
     Cmnd_Alias     MISC=/bin/rm,/bin/cat:\
                    SHUTDOWN=/etc/halt,/etc/shutdown

     # User specification
     FULLTIME       ALL=(ALL) NOPASSWD: ALL
     %wheel         ALL=ALL
     PARTTIME       ALL=ALL,!SHELLS,!SU
     +interns       +openlabs=ALL,!SHELLS,!SU
     britt          REMOTE=SHUTDOWN:ALL=LPCS
     jimbo          CUNETS=/bin/su ?*,!/bin/su root
     nieusma        SERVERS=SHUTDOWN,/etc/reboot:\
                    HUB=ALL,!SHELLS
     jill           houdini=/etc/shutdown -[hr] now,MISC
     markm          HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
     davehieb       merlin=(OP) ALL:SERVERS=/etc/halt:\
                    kodiakthorn=NOPASSWD: ALL
     steve          CSNETS=(operator) /usr/op_commands/

     Host Alias specifications:

          There are four host aliases.  The first actually contains two
          aliases.  It sets HUB to be houdini and REMOTE to the three
          machines merlin, kodiakthorn and spirit.  Similarly, SERVERS is
          set to the machines houdini, merlin, kodiakthorn and spirit.
          The CSNETS alias will match any host on the 128.138.243.0,
          128.138.204.0, or 128.138.205.192 nets.  The CUNETS alias will
          match any host on the 128.138.0.0 (class B) network.  Note that
          these are network addresses, not ip addresses.  Unless an
          explicit netmask is given, the local netmask is used to
          determine whether or not the current host belongs to a network.
     User Alias specifications:

          The two user aliases simply group the FULLTIME and PARTTIME
          folks into two separate aliases.

     Command alias specifications:

          Command aliases are lists of commands with or without
          associated command line arguments.  The entries above should
          be self-explanatory.

     User specifications:

          FULLTIME   Full-time sysadmins in the FULLTIME alias may run any
                     command on any host as any user without a password.

          %wheel     Any user in the UN*X group wheel may run any command
                     on any host.

          PARTTIME   Part-time sysadmins in the PARTTIME alias may run any
                     command except those in the SHELLS and SU aliases on
                     any host.

          +interns   Any user in the netgroup interns may run any command
                     except those in the SHELLS and SU aliases on any host
                     that is in the openlabs netgroup.

          britt      The user britt may run commands in the SHUTDOWN alias
                     on the REMOTE machines and commands in the LPCS alias
                     on any machine.

          jimbo      The user jimbo may su to any user save root on the
                     machines on CUNETS (which is explicitly listed as a
                     class B network).

          nieusma    The user nieusma may run commands in the SHUTDOWN
                     alias as well as /etc/reboot on the SERVERS machines
                     and any command except those in the SHELLS alias on
                     the HUB machines.

          jill       The user jill may run /etc/shutdown -h now or
                     /etc/shutdown -r now as well as the commands in the
                     MISC alias on houdini.

          markm      The user markm may run any command on the HUB
                     machines except /etc/shutdown, /etc/halt, and
                     commands listed in the MISC alias.

          davehieb   The user davehieb may run any command on merlin as
                     any user in the Runas_Alias OP (ie: root or
                     operator).  He may also run /etc/halt on the SERVERS
                     and any command on kodiakthorn (no password required
                     on kodiakthorn).

          steve      The user steve may run any command in the
                     /usr/op_commands/ directory as user operator on the
                     machines on CSNETS.
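     The command-matching rules described above (an exactly matching
     path, fnmatch(3) wildcards on the arguments, the "" no-argument
     marker, a trailing "/" meaning any command in that directory,
     Cmnd_Alias expansion and "!" subtraction), as an added Python toy
     evaluator.  This is not sudo's code: it assumes that within a
     cmnd-list the last matching entry wins and that the arguments are
     compared as one space-joined string, and it leaves host, user and
     Runas handling out.  The Cmnd_Alias fragment is a constructed subset
     of the EXAMPLES section.

```python
import fnmatch
import os
import re

# Constructed fragment (a subset of the EXAMPLES section above).
SUDOERS_FRAGMENT = """
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
Cmnd_Alias SU=/bin/su          # text after "#" is a comment
Cmnd_Alias MISC=/bin/rm,/bin/cat
"""

def split_list(text):              # split on commas, honouring the "\," escape
    return [p.replace("\\,", ",").strip() for p in re.split(r"(?<!\\),", text)]

def load_cmnd_aliases(text):
    """Collect Cmnd_Alias definitions, stripping "#" comments."""
    aliases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("Cmnd_Alias"):
            name, members = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = split_list(members)
    return aliases

def command_matches(spec, argv):
    """Match one command specification (path [args]) against argv."""
    if spec == "ALL":
        return True
    path, _, spec_args = spec.partition(" ")
    if path.endswith("/"):             # "any command in this directory"
        if os.path.dirname(argv[0]) + "/" != path:
            return False
    elif path != argv[0]:              # the path must match exactly
        return False
    if not spec_args:                  # bare path: any arguments allowed
        return True
    if spec_args == '""':              # the "" marker: no arguments allowed
        return len(argv) == 1
    return fnmatch.fnmatchcase(" ".join(argv[1:]), spec_args)  # toy: args joined by spaces

def permitted(cmnd_list, argv, aliases):
    """Evaluate a cmnd-list such as "ALL,!SHELLS,!SU"; the last match wins."""
    verdict = False
    for entry in split_list(cmnd_list):
        allow = not entry.startswith("!")
        for spec in aliases.get(entry.lstrip("!"), [entry.lstrip("!")]):
            if command_matches(spec, argv):
                verdict = allow
    return verdict
```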
CAVEATS
     The sudoers file should always be edited by the visudo command which
     locks the file and does grammatical checking.  It is imperative that
     the sudoers be free of syntax errors since sudo will not run with a
     syntactically incorrect sudoers file.

FILES
     /etc/sudoers        file of authorized users.
     /etc/netgroup       list of network groups.

SEE ALSO
     sudo(8), visudo(8), su(1), fnmatch(3).