Safeguard for Sudo 7.2.3 - Administration Guide


Supported Sudoers directives

The Sudo Plugin supports the following sudo options:

Table 51: Supported Sudoers directives
Sudoers option Type Explanation
always_query_group_plugin flag Query the group plugin for unknown system groups.
always_set_home flag Always set $HOME to the target user's home directory.
authenticate flag Require users to authenticate by default.
authfail_message string Authentication failure message.
badpass_message string Incorrect password message.
case_insensitive_group flag Ignore case when matching group names.
case_insensitive_user flag Ignore case when matching user names.
closefrom number File descriptors starting at this value will be closed when running a command.
closefrom_override flag If set, the user may use sudo's -C option.
command_timeout number Time in seconds after which the command will be terminated.
editor string A colon-separated list of editor path names used by sudoedit and visudo.
env_check list Environment variables to check for safety.
env_delete list Environment variables to remove.
env_editor flag Visudo will honor the SUDO_EDITOR, VISUAL and EDITOR environment variables.
env_file string Path to the sudo-specific environment file.
env_keep list Environment variables to preserve.
env_reset flag Reset the environment to a default set of variables.
exec_background flag Start the command as a background process.
exempt_group string Users in this group are exempt from password and PATH requirements.
fqdn flag Require fully-qualified hostnames in the sudoers file.
group_plugin string Plugin for non-Unix group support.
ignore_audit_errors flag Allow commands to be run even if sudo cannot write to the audit log.
ignore_dot flag Ignore '.' in the PATH environment variable.
ignore_iolog_errors flag Allow commands to be run even if sudo cannot write to the I/O log.
ignore_unknown_defaults flag Ignore unknown Defaults entries in sudoers instead of producing a warning.
insults flag Insult the user when they enter an incorrect password.
intercept flag Intercept further commands and apply sudoers restrictions to them.
intercept_allow_setid flag Allow an intercepted command to run setuid or setgid programs.
intercept_authenticate flag Subsequent commands in an intercepted session must be authenticated.
intercept_type string The mechanism used by the intercept and log_subcmds options: dso or ptrace.
intercept_verify flag Whether to verify the command and arguments after execution.
iolog_dir string Directory in which to store input/output logs.
iolog_file string File in which to store the input/output log.
lecture string Lecture user the first time they run sudo: never, once, always.
lecture_file string File containing the sudo lecture.
listpw string When to require a password for the 'list' pseudocommand: never, any, all, always.
log_allowed flag Log when a command is allowed by sudoers.
log_denied flag Log when a command is denied by sudoers.
log_exit_status flag Log the exit status of commands.
log_format string The format of logs to produce: sudo or json.
log_host flag Log the hostname in the (non-syslog) log file.
log_input flag Log the user's input for the command being run.
log_output flag Log the output of the command being run.
log_passwords flag Store plaintext passwords in I/O log input.
log_subcmds flag Log sub-commands run by the original command.
log_year flag Log the year in the (non-syslog) log file.
logfile string Path to the log file.
loglinelen number Length at which to wrap log file lines (0 for no wrap).
mail_all_cmnds flag Send mail if the user tries to run a command.
mail_always flag Always send mail when sudo is run.
mail_badpass flag Send mail if user authentication fails.
mail_no_host flag Send mail if the user is not in sudoers for this host.
mail_no_perms flag Send mail if the user is not allowed to run a command.
mail_no_user flag Send mail if the user is not in sudoers.
mailerflags string Flags for the mail program.
mailerpath string Path to the mail program.
mailfrom string Address to send mail from.
mailsub string Subject line for mail messages.
mailto string Address to send mail to.
match_group_by_gid flag Resolve groups in sudoers and match on the group ID, not the name.
netgroup_tuple flag Match netgroups based on the entire tuple: user, host and domain.
noexec flag Preload the sudo_noexec library, which replaces the exec functions.
passprompt string Default password prompt.
passprompt_regex flag List of regular expressions to use when matching a password prompt.
passwd_timeout number Password prompt timeout.
passwd_tries number Number of tries to enter a password.
path_info flag Allow some information gathering to give useful error messages.
preserve_groups flag Don't initialize the group vector to that of the target user.
requiretty flag Only allow the user to run sudo if they have a tty.
restricted_env_file string Path to the restricted sudo-specific environment file.
rlimit_as number The maximum size to which the process's address space may grow (in bytes).
rlimit_core number The largest size core dump file that may be created (in bytes).
rlimit_cpu number The maximum amount of CPU time that the process may use (in seconds).
rlimit_data number The maximum size of the data segment for the process (in bytes).
rlimit_fsize number The largest size file that the process may create (in bytes).
rlimit_locks number The maximum number of locks that the process may establish.
rlimit_memlock number The maximum size that the process may lock in memory (in bytes).
rlimit_nofile number The maximum number of files that the process may have open.
rlimit_nproc number The maximum number of processes that the user may run simultaneously.
rlimit_rss number The maximum size to which the process's resident set size may grow (in bytes).
rlimit_stack number The maximum size to which the process's stack may grow (in bytes).
root_sudo flag Root may run sudo.
rootpw flag Prompt for root's password, not the user's.
runas_allow_unknown_id flag Allow the use of an unknown runas user and/or group ID.
runas_check_shell flag Only permit running commands as a user with a valid shell.
runas_default string Default user to run commands as.
runaspw flag Prompt for the runas_default user's password, not the user's.
runchroot string Root directory to change to before executing the command.
runcwd string Working directory to change to before executing the command.
secure_path string Override the user's PATH environment variable.
set_home flag Set HOME to the target user's when starting a shell with -s.
set_logname flag Set the LOGNAME and USER environment variables.
set_utmp flag Add an entry to the utmp/utmpx file when allocating a pty.
setenv flag Allow users to set arbitrary environment variables.
shell_noargs flag If sudo is invoked with no arguments, start a shell.
sudoedit_checkdir flag Check parent directories for writability when editing files with sudoedit.
sudoedit_follow flag Follow symbolic links when editing files with sudoedit.
sudoers_locale string Locale to use while parsing sudoers.
syslog string Syslog facility if syslog is being used for logging.
syslog_badpri string Syslog priority to use when the user authenticates unsuccessfully.
syslog_goodpri string Syslog priority to use when the user authenticates successfully.
syslog_maxlen number Log entries larger than this value will be split into multiple syslog messages.
syslog_pid flag Include the process ID when logging via syslog.
targetpw flag Prompt for the target user's password, not the user's.
timestamp_timeout number Authentication timestamp timeout.
tty_tickets flag Use a separate timestamp for each user/tty combination.
umask number Umask to use, or 0777 to use the user's.
umask_override flag The umask specified in sudoers will override the user's, even if it is more permissive.
use_netgroups flag Enable sudoers netgroup support.
user_command_timeouts flag Allow the user to specify a timeout on the command line.
utmp_runas flag Set the user in utmp to the runas user, not the invoking user.
verifypw string When to require a password for the 'verify' pseudocommand: never, any, all, always.

Unsupported Sudo Options

The Sudo Plugin supports all sudo command options except those listed in the following tables:

Unsupported command line sudo options

Table 52: Unsupported command line sudo options
Sudo option Description
-a <type> Uses the specified authentication type.
-c <class> Runs the specified command with resources limited by the specified login class.
-ll Lists allowed commands in long format.
-r <role> Causes the security context to have the specified role. SELinux RBAC is not supported.
-t <type> Causes the security context to have the specified type. SELinux RBAC is not supported.

Behavioral change

Table 53: Behavioral change
Sudo option Description
-k and -K These flags only remove the user’s credentials within the cache.
env_file When in "off-line policy evaluation" mode, this option only works if the file is present on the off-line host.
fqdn Normally, when a policy has this flag enabled, sudo resolves host names on the policy server. However, when in off-line mode, sudo resolves host names from the policy cache server, which may produce different results.
group_plugin When in "off-line policy evaluation" mode, this option only works if the off-line host has group_plugin in the same path as the primary/secondary server.
lecture_file When in "off-line policy evaluation" mode, this option only works if the file is present on the off-line host.
logfile When in "off-line policy evaluation" mode, this option only works if the file is present on the off-line host.
