## sudoers file. ## ## This file MUST be edited with the 'visudo' command as root. ## Failure to use 'visudo' may result in syntax or file permission errors ## that prevent sudo from running. ## ## See the sudoers man page for the details on how to write a sudoers file. ## ## ## Host alias specification ## ## Groups of machines. These may include host names (optionally with wildcards), ## IP addresses, network numbers or netgroups. # Host_Alias WEBSERVERS = www1, www2, www3 ## ## User alias specification ## ## Groups of users. These may consist of user names, uids, Unix groups, ## or netgroups. # User_Alias ADMINS = millert, dowdy, mikef ## ## Cmnd alias specification ## ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top # # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff # # Cmnd_Alias DEBUGGERS = /usr/bin/gdb, /usr/bin/lldb, /usr/bin/strace, \ # /usr/bin/truss, /usr/bin/bpftrace, \ # /usr/bin/dtrace, /usr/bin/dtruss # # Cmnd_Alias PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \ # /usr/bin/yum, /usr/bin/dnf, /usr/bin/zypper, \ # /usr/bin/pacman ## ## Defaults specification ## ## Preserve editor environment variables for visudo. ## To preserve these for all commands, remove the "!visudo" qualifier. Defaults!/usr/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL" ## ## Use a hard-coded PATH instead of the user's to find commands. ## This also helps prevent poorly written scripts from running ## artbitrary commands under sudo. Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" ## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## ## Run X applications through sudo; HOME is used to find the ## .Xauthority file. Note that other programs use HOME to find ## configuration files and this may lead to privilege escalation! # Defaults env_keep += "HOME" ## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## ## Desktop path settings # Defaults env_keep += "QTDIR KDEDIR" ## ## Allow sudo-run commands to inherit the callers' ConsoleKit session # Defaults env_keep += "XDG_SESSION_COOKIE" ## ## Uncomment to enable special input methods. Care should be taken as ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## ## Uncomment to disable "use_pty" when running commands as root. ## Commands run as non-root users will run in a pseudo-terminal, ## not the user's own terminal, to prevent command injection. # Defaults>root !use_pty ## ## Uncomment to run commands in the background by default. ## This can be used to prevent sudo from consuming user input while ## a non-interactive command runs if "use_pty" or I/O logging are ## enabled. Some commands may not run properly in the background. # Defaults exec_background ## ## Uncomment to send mail if the user does not enter the correct password. # Defaults mail_badpass ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. ## Sudo will create up to 2,176,782,336 I/O logs before recycling them. ## Set maxseq to a smaller number if you don't have unlimited disk space. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output # Defaults maxseq = 1000 ## ## Uncomment to disable intercept and log_subcmds for debuggers and ## tracers. Otherwise, anything that uses ptrace(2) will be unable ## to run under sudo if intercept_type is set to "trace". # Defaults!DEBUGGERS !intercept, !log_subcmds ## ## Uncomment to disable intercept and log_subcmds for package managers. ## Some package scripts run a huge number of commands, which is made ## slower by these options and also can clutter up the logs. # Defaults!PKGMAN !intercept, !log_subcmds ## ## Runas alias specification ## ## ## User privilege specification ## root ALL=(ALL:ALL) ALL default ALL=(ALL:ALL) ALL ## Uncomment to allow members of group wheel to execute any command %wheel ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command # %sudo ALL=(ALL:ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). # Defaults targetpw # Ask for the password of the target user # ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw' ## Read drop-in files from /etc/sudoers.d @includedir /etc/sudoers.d