1- #
2- # Sample /etc/sudoers file.
3- #
4- # This file MUST be edited with the 'visudo' command as root.
5- #
6- # See the sudoers man page for the details on how to write a sudoers file.
1+ ##
2+ ## Sample sudoers file.
3+ ##
4+ ## This file MUST be edited with the 'visudo' command as root.
5+ ## Failure to use 'visudo' may result in syntax or file permission errors
6+ ## that prevent sudo from running.
7+
8+ ## Please consider adding local content in /etc/sudoers.d/ instead of
9+ ## directly modifying this file.
10+
11+ ##
12+ ## See the sudoers man page for the details on how to write a sudoers file.
13+ ##
714
815##
916# Override built-in defaults
@@ -16,21 +23,11 @@ Defaults@SERVERS log_year, logfile=@log_dir@/sudo.log
1623Defaults!PAGERS noexec
1724
1825##
19- # User alias specification
20- ##
21- User_Alias FULLTIMERS = millert, mikef, dowdy
22- User_Alias PARTTIMERS = bostley, jwfox, crawl
23- User_Alias WEBADMIN = will, wendy, wim
24-
25- ##
26- # Runas alias specification
27- ##
28- Runas_Alias OP = root, operator
29- Runas_Alias DB = oracle, sybase
30-
31- ##
32- # Host alias specification
26+ ## Host alias specification
3327##
28+ ## Groups of machines. These may include host names (optionally with wildcards),
29+ ## IP addresses, network numbers or netgroups.
30+ # Host_Alias WEBSERVERS = www1, www2, www3
3431Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
3532 SGI = grolsch, dandelion, black:\
3633 ALPHA = widget, thalamus, foobar:\
@@ -41,8 +38,27 @@ Host_Alias SERVERS = primary, mail, www, ns
4138Host_Alias CDROM = orion, perseus, hercules
4239
4340##
44- # Cmnd alias specification
41+ ## User alias specification
42+ ##
43+ ## Groups of users. These may consist of user names, uids, Unix groups,
44+ ## or netgroups.
45+ # User_Alias ADMINS = millert, dowdy, mikef
46+ User_Alias FULLTIMERS = millert, mikef, dowdy
47+ User_Alias PARTTIMERS = bostley, jwfox, crawl
48+ User_Alias WEBADMIN = will, wendy, wim
49+
50+ ##
51+ ## Cmnd alias specification
4552##
53+ ## Groups of commands. Often used to group related commands together.
54+ # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
55+ # /usr/bin/pkill, /usr/bin/top
56+ #
57+ # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
58+ #
59+ # Cmnd_Alias PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \
60+ # /usr/bin/yum, /usr/bin/dnf, /usr/bin/zypper, \
61+ # /usr/bin/pacman
4662Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
4763 /usr/sbin/rrestore, /usr/bin/mt, \
4864 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
@@ -51,7 +67,6 @@ Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/top
5167Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
5268Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
5369Cmnd_Alias HALT = /usr/sbin/halt
54- Cmnd_Alias REBOOT = /usr/sbin/reboot
5570Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
5671 /usr/local/bin/tcsh, /usr/bin/rsh, \
5772 /usr/local/bin/zsh
@@ -61,12 +76,133 @@ Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
6176Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
6277
6378##
64- # User specification
79+ ## Defaults specification
80+ ##
81+ ## Preserve editor environment variables for visudo.
82+ ## To preserve these for all commands, remove the "!visudo" qualifier.
83+ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
84+ ##
85+ ## Preserve EDITOR environment variables for all users in the sudo group.
86+ ## This allows running arbitrary commands, but sudo members are root
87+ ## equivalent anyway.
88+ #Defaults:%sudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
89+ ##
90+ ## Use a hard-coded PATH instead of the user's to find commands.
91+ ## This also helps prevent poorly written scripts from running
92+ ## arbitrary commands under sudo.
93+ @secure_path_config@Defaults secure_path="@secure_path@"
94+ ##
95+ ## You may wish to keep some of the following environment variables
96+ ## when running commands via sudo.
97+ ##
98+ ## Locale settings
99+ # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
100+ ##
101+ ## Run X applications through sudo; HOME is used to find the
102+ ## .Xauthority file. Note that other programs use HOME to find
103+ ## configuration files and this may lead to privilege escalation!
104+ # Defaults env_keep += "HOME"
105+ ##
106+ ## X11 resource path settings
107+ # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
108+ ##
109+ ## Desktop path settings
110+ # Defaults env_keep += "QTDIR KDEDIR"
111+ ##
112+ ## Allow sudo-run commands to inherit the callers' ConsoleKit session
113+ # Defaults env_keep += "XDG_SESSION_COOKIE"
114+ ##
115+ ## Uncomment to enable special input methods. Care should be taken as
116+ ## this may allow users to subvert the command being run via sudo.
117+ # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
118+ ##
119+ ## Uncomment to preserve proxy settings from user environments of root
120+ ## equivalent users (group sudo)
121+ # Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
122+ ##
123+ ## Uncomment to preserve environment variables for grep
124+ # Defaults:%sudo env_keep += "GREP_COLOR"
125+ ##
126+ ## Uncomment to preserve git related environment. While you shouldn't
127+ ## normally run git as root, you need to with etckeeper
128+ # Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
129+ ##
130+ ## Uncomment to preserve Debian-related environment variables. root
131+ ## won't have sensible values for them.
132+ # Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
133+ ##
134+ ## Uncomment to allow root to use the calling user's ssh agent
135+ ## transparently. This enabled "sudo scp" or "sudo rsync"
136+ # Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
137+ ##
138+ ## Uncomment to allow root to use the calling user's gpg agent
139+ ## transparently. This enabled "sudo scp" or "sudo rsync"
140+ # Defaults:%sudo env_keep += "GPG_AGENT_INFO"
141+ ##
142+ ## Uncomment to disable "use_pty" when running commands as root.
143+ ## Commands run as non-root users will run in a pseudo-terminal,
144+ ## not the user's own terminal, to prevent command injection.
145+ # Defaults>root !use_pty
146+ ##
147+ ## Uncomment to run commands in the background by default.
148+ ## This can be used to prevent sudo from consuming user input while
149+ ## a non-interactive command runs if "use_pty" or I/O logging are
150+ ## enabled. Some commands may not run properly in the background.
151+ # Defaults exec_background
152+ ##
153+ ## Uncomment to send mail if the user does not enter the correct password.
154+ # Defaults mail_badpass
155+ ##
156+ ## Uncomment to enable logging of a command's output, except for
157+ ## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
158+ ## Sudo will create up to 2,176,782,336 I/O logs before recycling them.
159+ ## Set maxseq to a smaller number if you don't have unlimited disk space.
160+ # Defaults log_output
161+ # Defaults!/usr/bin/sudoreplay !log_output
162+ # Defaults!/usr/local/bin/sudoreplay !log_output
163+ # Defaults!REBOOT !log_output
164+ # Defaults maxseq = 1000
165+ ##
166+ ## Uncomment to disable intercept and log_subcmds for debuggers and
167+ ## tracers. Otherwise, anything that uses ptrace(2) will be unable
168+ ## to run under sudo if intercept_type is set to "trace".
169+ # Defaults!DEBUGGERS !intercept, !log_subcmds
170+ ##
171+ ## Uncomment to disable intercept and log_subcmds for package managers.
172+ ## Some package scripts run a huge number of commands, which is made
173+ ## slower by these options and also can clutter up the logs.
174+ # Defaults!PKGMAN !intercept, !log_subcmds
175+ ##
176+ ## Uncomment to disable PAM silent mode. Otherwise messages by PAM
177+ ## modules such as pam_faillock will not be printed.
178+ # Defaults !pam_silent
179+
180+ ##
181+ ## Runas alias specification
182+ ##
183+ Runas_Alias OP = root, operator
184+ Runas_Alias DB = oracle, sybase
185+
186+
187+ ##
188+ ## User privilege specification
65189##
190+ root ALL=(ALL:ALL) ALL
191+
192+ ## Uncomment to allow members of group wheel to execute any command
193+ # %wheel ALL=(ALL:ALL) ALL
194+
195+ ## Same thing without a password
196+ # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
197+
198+ ## Uncomment to allow members of group sudo to execute any command
199+ # %sudo ALL=(ALL:ALL) ALL
200+
201+ ## Uncomment to allow any user to run sudo if they know the password
202+ ## of the user they are running the command as (root by default).
203+ # Defaults targetpw # Ask for the password of the target user
204+ # ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
66205
67- # root and users in group wheel can run anything on any machine as any user
68- root ALL = (ALL:ALL) ALL
69- %wheel ALL = (ALL:ALL) ALL
70206
71207# full time sysadmins can run anything on any machine without a password
72208FULLTIMERS ALL = (ALL:ALL) NOPASSWD: ALL
@@ -131,3 +267,6 @@ WEBADMIN www = (www) ALL, (root) /usr/bin/su www
131267# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
132268ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
133269 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
270+
271+ ## Read drop-in files from @sysconfdir@/sudoers.d
272+ @includedir @sysconfdir@/sudoers.d
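Review bot: The `Defaults!REBOOT !log_output` (new line 163) and `Defaults!PKGMAN !intercept, !log_subcmds` (new line 174) examples name Cmnd aliases that after this commit exist only in commented-out form (new lines 57 and 59), and the live `Cmnd_Alias REBOOT = /usr/sbin/reboot` is deleted at old line 54, so uncommenting either Defaults line by itself (or keeping any rule outside these hunks that still uses REBOOT) leaves a reference to an undefined alias, which I believe visudo flags as "referenced but not defined"; a note such as `## Requires the REBOOT alias above to be uncommented as well` on each would prevent that, and DEBUGGERS (new line 169) is not defined anywhere visible in this diff. Separately, the advice at new line 82 to drop the `!visudo` qualifier deserves the same warning that new line 86 gives for the %sudo variant: a bare `Defaults env_keep += "SUDO_EDITOR EDITOR VISUAL"` passes those variables to every sudo-run command, so a user whose only grant is an editor-spawning command such as the VIPW alias can point EDITOR at an arbitrary program that then runs as root. The GPG_AGENT_INFO comment at new lines 138–139 is a copy of the ssh-agent one and should describe what the gpg agent actually enables rather than "sudo scp" or "sudo rsync"; `This enabled` should also read `This enables` in both places.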