2024-05-07 10:38:14 -04:00
|
|
|
## sudoers file.
|
|
|
|
##
|
|
|
|
## This file MUST be edited with the 'visudo' command as root.
|
|
|
|
## Failure to use 'visudo' may result in syntax or file permission errors
|
|
|
|
## that prevent sudo from running.
|
|
|
|
##
|
|
|
|
## See the sudoers man page for the details on how to write a sudoers file.
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
## Host alias specification
|
|
|
|
##
|
|
|
|
## Groups of machines. These may include host names (optionally with wildcards),
|
|
|
|
## IP addresses, network numbers or netgroups.
|
|
|
|
# Host_Alias WEBSERVERS = www1, www2, www3
|
|
|
|
|
|
|
|
##
|
|
|
|
## User alias specification
|
|
|
|
##
|
|
|
|
## Groups of users. These may consist of user names, uids, Unix groups,
|
|
|
|
## or netgroups.
|
|
|
|
# User_Alias ADMINS = millert, dowdy, mikef
|
|
|
|
|
|
|
|
##
|
|
|
|
## Cmnd alias specification
|
|
|
|
##
|
|
|
|
## Groups of commands. Often used to group related commands together.
|
|
|
|
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
|
|
|
|
# /usr/bin/pkill, /usr/bin/top
|
2024-11-02 15:38:28 -04:00
|
|
|
#
|
2024-05-07 10:38:14 -04:00
|
|
|
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
|
2024-11-02 15:38:28 -04:00
|
|
|
#
|
|
|
|
# Cmnd_Alias DEBUGGERS = /usr/bin/gdb, /usr/bin/lldb, /usr/bin/strace, \
|
|
|
|
# /usr/bin/truss, /usr/bin/bpftrace, \
|
|
|
|
# /usr/bin/dtrace, /usr/bin/dtruss
|
|
|
|
#
|
|
|
|
# Cmnd_Alias PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \
|
|
|
|
# /usr/bin/yum, /usr/bin/dnf, /usr/bin/zypper, \
|
|
|
|
# /usr/bin/pacman
|
2024-05-07 10:38:14 -04:00
|
|
|
|
|
|
|
##
|
|
|
|
## Defaults specification
|
|
|
|
##
|
2024-11-02 15:38:28 -04:00
|
|
|
## Preserve editor environment variables for visudo.
|
|
|
|
## To preserve these for all commands, remove the "!visudo" qualifier.
|
|
|
|
Defaults!/usr/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
|
|
|
|
##
|
|
|
|
## Use a hard-coded PATH instead of the user's to find commands.
|
|
|
|
## This also helps prevent poorly written scripts from running
|
|
|
|
## artbitrary commands under sudo.
|
|
|
|
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
|
|
|
|
##
|
2024-05-07 10:38:14 -04:00
|
|
|
## You may wish to keep some of the following environment variables
|
|
|
|
## when running commands via sudo.
|
|
|
|
##
|
|
|
|
## Locale settings
|
|
|
|
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
|
|
|
|
##
|
|
|
|
## Run X applications through sudo; HOME is used to find the
|
|
|
|
## .Xauthority file. Note that other programs use HOME to find
|
|
|
|
## configuration files and this may lead to privilege escalation!
|
|
|
|
# Defaults env_keep += "HOME"
|
|
|
|
##
|
|
|
|
## X11 resource path settings
|
|
|
|
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
|
|
|
|
##
|
|
|
|
## Desktop path settings
|
|
|
|
# Defaults env_keep += "QTDIR KDEDIR"
|
|
|
|
##
|
|
|
|
## Allow sudo-run commands to inherit the callers' ConsoleKit session
|
|
|
|
# Defaults env_keep += "XDG_SESSION_COOKIE"
|
|
|
|
##
|
|
|
|
## Uncomment to enable special input methods. Care should be taken as
|
|
|
|
## this may allow users to subvert the command being run via sudo.
|
|
|
|
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
|
|
|
|
##
|
2024-11-02 15:38:28 -04:00
|
|
|
## Uncomment to disable "use_pty" when running commands as root.
|
|
|
|
## Commands run as non-root users will run in a pseudo-terminal,
|
|
|
|
## not the user's own terminal, to prevent command injection.
|
|
|
|
# Defaults>root !use_pty
|
|
|
|
##
|
|
|
|
## Uncomment to run commands in the background by default.
|
|
|
|
## This can be used to prevent sudo from consuming user input while
|
|
|
|
## a non-interactive command runs if "use_pty" or I/O logging are
|
|
|
|
## enabled. Some commands may not run properly in the background.
|
|
|
|
# Defaults exec_background
|
2024-05-07 10:38:14 -04:00
|
|
|
##
|
|
|
|
## Uncomment to send mail if the user does not enter the correct password.
|
|
|
|
# Defaults mail_badpass
|
|
|
|
##
|
|
|
|
## Uncomment to enable logging of a command's output, except for
|
|
|
|
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
|
2024-11-02 15:38:28 -04:00
|
|
|
## Sudo will create up to 2,176,782,336 I/O logs before recycling them.
|
|
|
|
## Set maxseq to a smaller number if you don't have unlimited disk space.
|
2024-05-07 10:38:14 -04:00
|
|
|
# Defaults log_output
|
|
|
|
# Defaults!/usr/bin/sudoreplay !log_output
|
|
|
|
# Defaults!/usr/local/bin/sudoreplay !log_output
|
|
|
|
# Defaults!REBOOT !log_output
|
2024-11-02 15:38:28 -04:00
|
|
|
# Defaults maxseq = 1000
|
|
|
|
##
|
|
|
|
## Uncomment to disable intercept and log_subcmds for debuggers and
|
|
|
|
## tracers. Otherwise, anything that uses ptrace(2) will be unable
|
|
|
|
## to run under sudo if intercept_type is set to "trace".
|
|
|
|
# Defaults!DEBUGGERS !intercept, !log_subcmds
|
|
|
|
##
|
|
|
|
## Uncomment to disable intercept and log_subcmds for package managers.
|
|
|
|
## Some package scripts run a huge number of commands, which is made
|
|
|
|
## slower by these options and also can clutter up the logs.
|
|
|
|
# Defaults!PKGMAN !intercept, !log_subcmds
|
2024-05-07 10:38:14 -04:00
|
|
|
|
|
|
|
##
|
|
|
|
## Runas alias specification
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
## User privilege specification
|
|
|
|
##
|
2024-11-02 15:38:28 -04:00
|
|
|
root ALL=(ALL:ALL) ALL
|
|
|
|
default ALL=(ALL:ALL) ALL
|
2024-05-07 10:38:14 -04:00
|
|
|
|
|
|
|
## Uncomment to allow members of group wheel to execute any command
|
2024-11-02 15:38:28 -04:00
|
|
|
%wheel ALL=(ALL:ALL) ALL
|
2024-05-07 10:38:14 -04:00
|
|
|
|
|
|
|
## Same thing without a password
|
2024-11-02 15:38:28 -04:00
|
|
|
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
|
2024-05-07 10:38:14 -04:00
|
|
|
|
|
|
|
## Uncomment to allow members of group sudo to execute any command
|
2024-11-02 15:38:28 -04:00
|
|
|
# %sudo ALL=(ALL:ALL) ALL
|
2024-05-07 10:38:14 -04:00
|
|
|
|
|
|
|
## Uncomment to allow any user to run sudo if they know the password
|
|
|
|
## of the user they are running the command as (root by default).
|
|
|
|
# Defaults targetpw # Ask for the password of the target user
|
2024-11-02 15:38:28 -04:00
|
|
|
# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
|
2024-05-07 10:38:14 -04:00
|
|
|
|
|
|
|
## Read drop-in files from /etc/sudoers.d
|
2024-11-02 15:38:28 -04:00
|
|
|
@includedir /etc/sudoers.d
|