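#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# visudo locks the file and checks its syntax before installing it, so a
# typo cannot leave the system with an unparsable policy.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# The rules below illustrate syntax.  Several of them are deliberately
# broad; review each one against least privilege before reusing it.

##
# Override built-in defaults
##
# Log through syslog using the auth facility.
Defaults		syslog=auth
# When the target user is root, leave LOGNAME/USER as the invoking user's.
Defaults>root		!set_logname
# Members of FULLTIMERS do not get the first-use lecture.
Defaults:FULLTIMERS	!lecture
# millert is never asked for a password.  Anything able to run code as
# millert can therefore use his sudo rights without a prompt.
Defaults:millert	!authenticate
# On SERVERS also keep a local log file, with the year in each timestamp.
Defaults@SERVERS	log_year, logfile=/var/log/sudo.log
# Pagers can spawn a shell; noexec stops them from executing further
# programs.  It only takes effect for dynamically linked binaries on
# systems where sudo's noexec support works.
Defaults!PAGERS		noexec

##
# User alias specification
##
User_Alias	FULLTIMERS = millert, mikef, dowdy
User_Alias	PARTTIMERS = bostley, jwfox, crawl
User_Alias	WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias	OP = root, operator
Runas_Alias	DB = oracle, sybase

##
# Host alias specification
##
Host_Alias	SPARC = bigtime, eclipse, moet, anchor:\
		SGI = grolsch, dandelion, black:\
		ALPHA = widget, thalamus, foobar:\
		HPPA = boa, nag, python
Host_Alias	CUNETS = 128.138.0.0/255.255.0.0
Host_Alias	CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias	SERVERS = master, mail, www, ns
Host_Alias	CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias	DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
			/usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias	KILL = /usr/bin/kill
Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias	HALT = /usr/sbin/halt
Cmnd_Alias	REBOOT = /usr/sbin/reboot
Cmnd_Alias	SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
			 /usr/local/bin/tcsh, /usr/bin/rsh, \
			 /usr/local/bin/zsh
Cmnd_Alias	SU = /usr/bin/su
Cmnd_Alias	VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
		       /usr/bin/chfn
Cmnd_Alias	PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root		ALL = (ALL) ALL
%wheel		ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
# (NOPASSWD removes the re-authentication step, so these accounts are
# root-equivalent for as long as a session is open)
FULLTIMERS	ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS	ALL = ALL

# jack may run anything on machines in CSNETS
jack		CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa		CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
# (a trailing '/' allows every file directly in that directory, so the
# directory and its contents must be writable by root only)
operator	ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
		sudoedit /etc/printcap, /usr/oper/bin/

# joe may su only to operator
joe		ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes.
# Arguments are matched as one string and '*' also matches spaces, so the
# exclusion uses *root* (as john's su rule below does) rather than the
# exact word "root".  This still assumes passwd(1) accepts a single user
# name and no trailing options; where it does not, use a wrapper script.
pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob		SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim		+biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries	ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred		ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john		ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen		ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
# Exclusions with '!' match by path only, so treat them as a convenience
# rather than a security boundary; where the restriction matters, list
# the permitted commands explicitly instead.
jill		SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve		CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt		valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS	www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
# (arguments are spelled out in full, so only these exact command lines
# match; the ',' inside the mount options is escaped because an unescaped
# comma separates commands)
ALL		CDROM = NOPASSWD: /sbin/umount /CDROM,\
		/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM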