sudo

Hurricane Electric Internet Services: Accounts starting at $9.95/month
Hurricane Electric Internet Services

NAME

       sudo - execute a command as the superuser

       visudo - edit the sudoers file



SYNOPSIS

       sudo command



DESCRIPTION

       Sudo allows a permitted user to execute a command as the
       superuser.  Sudo determines who is an authorized user by
       consulting the file /etc/sudoers.  Sudo will prompt for a
       user's password to initiate a validation period of N minutes
       (where N is defined at installation time and defaults to 5
       minutes).

       The sudoers file is composed of an optional host alias
       section, an optional command alias section and the user
       specification section.  All command or host aliases need to
       start with their respective keywords (Host_Alias/Cmnd_Alias).
       Note that only the first occurrence of a user name will be
       significant in the user specification section.

       user specification format:
         user access_group [: access_group] ...

           access_group ::= host_type = [op]cmnd_type [,[op]cmnd_type] ...
              host_type ::= a lower-case host name OR a host alias.
              cmnd_type ::= a command OR a command alias.
                     op ::= the logical '!' NOT operator.

       host alias section format:
         Host_Alias HOSTALIAS = host-list

             Host_Alias ::= a keyword.
              HOSTALIAS ::= an upper-case alias name.
              host-list ::= a comma separated list of hosts.

       command alias section format:
         Cmnd_Alias CMNDALIAS = cmnd-list

             Cmnd_Alias ::= a keyword.
              CMNDALIAS ::= an upper-case alias name.
              cmnd-list ::= a comma separated list of commands.

       Text after a pound sign '#' is considered a comment.
       Long lines can be newline escaped with the backslash '\' character.
       The reserved alias 'ALL' can be used for both Host_Alias and Cmnd_Alias.
           DO NOT define an alias of 'ALL'; it will NOT be used.
           Note that 'ALL' implies the entire universe of hosts/commands.
           You can subtract elements from the universe by using the syntax:
              user  host=ALL,!ALIAS1,!/etc/halt...

       Examples

           # Host alias specification
           Host_Alias  HUB=houdini.rootgroup.com:\
                       REMOTE=merlin,kodiakthorn,spirit
           Host_Alias  MACHINES=kalkan,alpo,milkbones
           Host_Alias  SERVERS=houdini,merlin,kodiakthorn,spirit

           # Command alias specification
           Cmnd_Alias  LPCS=/usr/etc/lpc,/usr/ucb/lprm
           Cmnd_Alias  SHELLS=/bin/sh,/bin/csh,/bin/tcsh
           Cmnd_Alias  MISC=/bin/rm,/bin/cat:\
                       SHUTDOWN=/etc/halt,/etc/shutdown

           # User specification
           britt       REMOTE=SHUTDOWN:ALL=LPCS
           robh        ALL=ALL,!SHELLS
           nieusma     SERVERS=SHUTDOWN,/etc/reboot:\
                       HUB=ALL,!SHELLS
           jill        houdini.rootgroup.com=/etc/shutdown,MISC
           markm       HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
           billp       ALL=/usr/local/bin/top:MACHINES=SHELLS
           davehieb    merlin=ALL:SERVERS=/etc/halt:\
                       kodiakthorn=ALL

       The above sudoers file specification is composed of 4 host
       alias specifications, 4 command alias specifications and 7
       user specifications.  Britt is permitted to execute
       /etc/halt, /etc/shutdown, /usr/etc/lpc and /usr/ucb/lprm
       on the REMOTE machines (merlin, kodiakthorn, and spirit).
       Robh is permitted to execute any command except for the
       group of SHELLS commands on any machine.  Jill is permitted
       to execute /etc/shutdown, /bin/rm, and /bin/cat on houdini.
       Davehieb can execute any command on machines merlin
       and kodiakthorn and can halt the SERVERS.
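
       The following is an added example, not code from sudo or its
       authors: a small evaluator for the sudoers format described above,
       run over a subset of the example file. It assumes exact string
       matching of host names, that a negated entry overrides a grant
       within one access_group regardless of order, and that any matching
       access_group may grant; parse() and allowed() are hypothetical names.

```python
SUDOERS = r"""
# Subset of the page's example; the second robh line is constructed.
Host_Alias  HUB=houdini.rootgroup.com:\
            REMOTE=merlin,kodiakthorn,spirit
Host_Alias  MACHINES=kalkan,alpo,milkbones
Cmnd_Alias  LPCS=/usr/etc/lpc,/usr/ucb/lprm
Cmnd_Alias  SHELLS=/bin/sh,/bin/csh,/bin/tcsh
Cmnd_Alias  MISC=/bin/rm,/bin/cat:\
            SHUTDOWN=/etc/halt,/etc/shutdown
britt       REMOTE=SHUTDOWN:ALL=LPCS
robh        ALL=ALL,!SHELLS
billp       ALL=/usr/local/bin/top:MACHINES=SHELLS
robh        ALL=SHELLS
"""

def parse(text):
    """Return (host_aliases, cmnd_aliases, users) for the format on this page."""
    hosts, cmnds, users = {}, {}, {}
    for raw in text.replace("\\\n", "").splitlines():  # join '\'-continued lines
        line = raw.split("#", 1)[0].strip()             # text after '#' is a comment
        if not line:
            continue
        key, rest = line.split(None, 1)
        # ':' separates alias definitions or access_groups; each is NAME=list
        pairs = [[p.strip() for p in d.split("=", 1)] for d in rest.split(":")]
        if key in ("Host_Alias", "Cmnd_Alias"):
            table = hosts if key == "Host_Alias" else cmnds
            for name, items in pairs:
                table[name] = set(items.replace(" ", "").split(","))
        else:  # user specification: only the first occurrence of a user counts
            users.setdefault(key, [(h, c.replace(" ", "").split(",")) for h, c in pairs])
    return hosts, cmnds, users

def allowed(policy, user, host, command):
    """True if an access_group for this host grants command and negates nothing."""
    hosts, cmnds, users = policy
    for host_type, items in users.get(user, []):
        if host_type != "ALL" and host != host_type and host not in hosts.get(host_type, ()):
            continue
        granted = denied = False
        for item in items:
            name = item.lstrip("!")
            if name == "ALL" or command == name or command in cmnds.get(name, ()):
                denied |= item.startswith("!")       # assumption: '!' always wins
                granted |= not item.startswith("!")
        if granted and not denied:
            return True
    return False

POLICY = parse(SUDOERS)
```

       The check for robh matches /bin/sh by path only; as CAVEATS notes,
       a permitted command that is a shell script or allows shell escapes
       still yields a root shell.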

       The sudoers file SHOULD be edited by the visudo command,
       which locks the file and does grammatical checking.  This
       provides a mechanism for the prevention of stupid syntax
       errors.

       Sudo was designed to log via the 4.3 BSD syslogging facility
       but can log to a file instead if so desired.

       If an unauthorized user executes sudo, mail will be sent
       from the user to the local authorities (defined at
       installation time).

       All  preferences  are defined at installation time and are
       derived from the sudo.h include file and the Makefile.



FUTURE ENHANCEMENTS

       Allow nesting of host and command aliases.
       Allow the host specifier in the sudoers file
           to use universe notation (user ALL,!SERVERS, ... = commands).
       Allow user aliases in the sudoers file (like host/command aliases).
       Have visudo do more extensive checking on the sudoers file.



FILES

       /etc/sudoers                 file of authorized users.
       /etc/stmp                    lock file for visudo.
       /usr/local/bin/sudo          the executable itself.
       /usr/local/etc/visudo        utility for modifying the sudoers file.



AUTHORS

       Jeff Nieusma                 <nieusma@rootgroup.com>
       David Hieb                   <davehieb@rootgroup.com>



DISCLAIMER

       This program is distributed in the hope that  it  will  be
       useful, but WITHOUT ANY WARRANTY; without even the implied
       warranty of MERCHANTABILITY or FITNESS  FOR  A  PARTICULAR
       PURPOSE.   See  the  GNU  General  Public License for more
       details.

       You should have received a copy of the GNU General  Public
       License along with this program; if not, write to the Free
       Software Foundation, Inc., 675  Mass  Ave,  Cambridge,  MA
       02139, USA.



CAVEATS

       There is no easy way to prevent a user from gaining a root
       shell if that user has access to commands that  are  shell
       scripts or that allow shell escapes.



SEE ALSO

       su(1)
Copyright (C) 1998 Hurricane Electric. All Rights Reserved.