| 1 | ## sudoers file. |
|---|
| 2 | ## |
|---|
| 3 | ## This file MUST be edited with the 'visudo' command as root. |
|---|
| 4 | ## Failure to use 'visudo' may result in syntax or file permission errors |
|---|
| 5 | ## that prevent sudo from running. |
|---|
| 6 | ## |
|---|
| 7 | ## See the sudoers man page for the details on how to write a sudoers file. |
|---|
| 8 | ## |
|---|
| 9 | |
|---|
| 10 | ## |
|---|
| 11 | ## Host alias specification |
|---|
| 12 | ## |
|---|
| 13 | ## Groups of machines. These may include host names (optionally with wildcards), |
|---|
| 14 | ## IP addresses, network numbers or netgroups. |
|---|
| 15 | # Host_Alias WEBSERVERS = www1, www2, www3 |
|---|
| 16 | |
|---|
| 17 | ## |
|---|
| 18 | ## User alias specification |
|---|
| 19 | ## |
|---|
| 20 | ## Groups of users. These may consist of user names, uids, Unix groups, |
|---|
| 21 | ## or netgroups. |
|---|
| 22 | # User_Alias ADMINS = millert, dowdy, mikef |
|---|
| 23 | |
|---|
| 24 | ## |
|---|
| 25 | ## Cmnd alias specification |
|---|
| 26 | ## |
|---|
| 27 | ## Groups of commands. Often used to group related commands together. |
|---|
| 28 | # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ |
|---|
| 29 | # /usr/bin/pkill, /usr/bin/top |
|---|
| 30 | # |
|---|
| 31 | # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff |
|---|
| 32 | # |
|---|
| 33 | # Cmnd_Alias DEBUGGERS = /usr/bin/gdb, /usr/bin/lldb, /usr/bin/strace, \ |
|---|
| 34 | # /usr/bin/truss, /usr/bin/bpftrace, \ |
|---|
| 35 | # /usr/bin/dtrace, /usr/bin/dtruss |
|---|
| 36 | # |
|---|
| 37 | # Cmnd_Alias PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \ |
|---|
| 38 | # /usr/bin/yum, /usr/bin/dnf, /usr/bin/zypper, \ |
|---|
| 39 | # /usr/bin/pacman |
|---|
| 40 | |
|---|
| 41 | ## |
|---|
| 42 | ## Defaults specification |
|---|
| 43 | ## |
|---|
| 44 | ## Preserve editor environment variables for visudo. |
|---|
| 45 | ## To preserve these for all commands, remove the "!visudo" qualifier. |
|---|
| 46 | Defaults!/opt/local/sbin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL" |
|---|
| 47 | ## |
|---|
| 48 | ## Use a hard-coded PATH instead of the user's to find commands. |
|---|
| 49 | ## This also helps prevent poorly written scripts from running |
|---|
| 50 | ## artbitrary commands under sudo. |
|---|
| 51 | Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" |
|---|
| 52 | ## |
|---|
| 53 | ## You may wish to keep some of the following environment variables |
|---|
| 54 | ## when running commands via sudo. |
|---|
| 55 | ## |
|---|
| 56 | ## Locale settings |
|---|
| 57 | # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" |
|---|
| 58 | ## |
|---|
| 59 | ## Run X applications through sudo; HOME is used to find the |
|---|
| 60 | ## .Xauthority file. Note that other programs use HOME to find |
|---|
| 61 | ## configuration files and this may lead to privilege escalation! |
|---|
| 62 | # Defaults env_keep += "HOME" |
|---|
| 63 | ## |
|---|
| 64 | ## X11 resource path settings |
|---|
| 65 | # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" |
|---|
| 66 | ## |
|---|
| 67 | ## Desktop path settings |
|---|
| 68 | # Defaults env_keep += "QTDIR KDEDIR" |
|---|
| 69 | ## |
|---|
| 70 | ## Allow sudo-run commands to inherit the callers' ConsoleKit session |
|---|
| 71 | # Defaults env_keep += "XDG_SESSION_COOKIE" |
|---|
| 72 | ## |
|---|
| 73 | ## Uncomment to enable special input methods. Care should be taken as |
|---|
| 74 | ## this may allow users to subvert the command being run via sudo. |
|---|
| 75 | # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" |
|---|
| 76 | ## |
|---|
| 77 | ## Uncomment to disable "use_pty" when running commands as root. |
|---|
| 78 | ## Commands run as non-root users will run in a pseudo-terminal, |
|---|
| 79 | ## not the user's own terminal, to prevent command injection. |
|---|
| 80 | # Defaults>root !use_pty |
|---|
| 81 | ## |
|---|
| 82 | ## Uncomment to run commands in the background by default. |
|---|
| 83 | ## This can be used to prevent sudo from consuming user input while |
|---|
| 84 | ## a non-interactive command runs if "use_pty" or I/O logging are |
|---|
| 85 | ## enabled. Some commands may not run properly in the background. |
|---|
| 86 | # Defaults exec_background |
|---|
| 87 | ## |
|---|
| 88 | ## Uncomment to send mail if the user does not enter the correct password. |
|---|
| 89 | # Defaults mail_badpass |
|---|
| 90 | ## |
|---|
| 91 | ## Uncomment to enable logging of a command's output, except for |
|---|
| 92 | ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. |
|---|
| 93 | ## Sudo will create up to 2,176,782,336 I/O logs before recycling them. |
|---|
| 94 | ## Set maxseq to a smaller number if you don't have unlimited disk space. |
|---|
| 95 | # Defaults log_output |
|---|
| 96 | # Defaults!/usr/bin/sudoreplay !log_output |
|---|
| 97 | # Defaults!/usr/local/bin/sudoreplay !log_output |
|---|
| 98 | # Defaults!REBOOT !log_output |
|---|
| 99 | # Defaults maxseq = 1000 |
|---|
| 100 | Defaults env_reset |
|---|
| 101 | Defaults env_keep += "BLOCKSIZE" |
|---|
| 102 | Defaults env_keep += "COLORFGBG COLORTERM" |
|---|
| 103 | Defaults env_keep += "__CF_USER_TEXT_ENCODING" |
|---|
| 104 | Defaults env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE" |
|---|
| 105 | Defaults env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME" |
|---|
| 106 | Defaults env_keep += "LINES COLUMNS" |
|---|
| 107 | Defaults env_keep += "LSCOLORS" |
|---|
| 108 | Defaults env_keep += "SSH_AUTH_SOCK" |
|---|
| 109 | Defaults env_keep += "TZ" |
|---|
| 110 | Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY" |
|---|
| 111 | Defaults env_keep += "EDITOR VISUAL" |
|---|
| 112 | Defaults env_keep += "HOME MAIL" |
|---|
| 113 | |
|---|
| 114 | ## |
|---|
| 115 | ## Uncomment to disable intercept and log_subcmds for debuggers and |
|---|
| 116 | ## tracers. Otherwise, anything that uses ptrace(2) will be unable |
|---|
| 117 | ## to run under sudo if intercept_type is set to "trace". |
|---|
| 118 | # Defaults!DEBUGGERS !intercept, !log_subcmds |
|---|
| 119 | ## |
|---|
| 120 | ## Uncomment to disable intercept and log_subcmds for package managers. |
|---|
| 121 | ## Some package scripts run a huge number of commands, which is made |
|---|
| 122 | ## slower by these options and also can clutter up the logs. |
|---|
| 123 | # Defaults!PKGMAN !intercept, !log_subcmds |
|---|
| 124 | |
|---|
| 125 | ## |
|---|
| 126 | ## Runas alias specification |
|---|
| 127 | ## |
|---|
| 128 | |
|---|
| 129 | ## |
|---|
| 130 | ## User privilege specification |
|---|
| 131 | ## |
|---|
| 132 | root ALL=(ALL:ALL) ALL |
|---|
| 133 | %admin ALL=(ALL) ALL |
|---|
| 134 | |
|---|
| 135 | ## Uncomment to allow members of group wheel to execute any command |
|---|
| 136 | # %wheel ALL=(ALL:ALL) ALL |
|---|
| 137 | |
|---|
| 138 | ## Same thing without a password |
|---|
| 139 | # %wheel ALL=(ALL:ALL) NOPASSWD: ALL |
|---|
| 140 | |
|---|
| 141 | ## Uncomment to allow members of group sudo to execute any command |
|---|
| 142 | # %sudo ALL=(ALL:ALL) ALL |
|---|
| 143 | |
|---|
| 144 | ## Uncomment to allow any user to run sudo if they know the password |
|---|
| 145 | ## of the user they are running the command as (root by default). |
|---|
| 146 | # Defaults targetpw # Ask for the password of the target user |
|---|
| 147 | # ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw' |
|---|
| 148 | |
|---|
| 149 | ## Read drop-in files from /opt/local/etc/sudoers.d |
|---|
| 150 | @includedir /opt/local/etc/sudoers.d |
|---|
