Copyright (c) 1994-1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com>

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions

1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products
   derived from this software without specific prior written permission

4. Products derived from this software may not be called "Sudo" nor
   may "Sudo" appear in their names without specific prior written
   permission from the author.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.

$Sudo: sudoers.pod,v 1.68 2003/03/15 20:31:02 millert Exp $

Japanese Version Copyright (c) 2000-2004 Yuichi SATO

Translated Sat Oct 14 19:24:27 JST 2000
by Yuichi SATO <ysato444@yahoo.co.jp>
Updated & Modified Tue Nov 19 02:21:57 JST 2002 by Yuichi SATO
Updated & Modified Fri Apr 16 07:45:02 JST 2004 by Yuichi SATO

sudoers - list of which users may execute what

The I<sudoers> file is composed of two types of entries:
aliases (basically variables) and user specifications
(which specify who may run what). The grammar of I<sudoers>
will be described below in Extended Backus-Naur Form (EBNF).
Don't despair if you don't know what EBNF is; it is fairly
simple, and the definitions below are annotated.

=head2 Quick guide to EBNF

EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of I<production rules>. E.g.,

 symbol ::= definition | alternate1 | alternate2 ...

Each I<production rule> references others and thus makes up a
grammar for the language. EBNF also contains the following
operators, which many readers will recognize from regular
expressions. Do not, however, confuse them with "wildcard"
characters, which have different meanings.

(Translator's note: the latter presumably refers to shell wildcard patterns.
B<regex>(7) and B<glob>(7)

Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.

Means that the preceding symbol (or group of symbols) may appear
zero or more times.

Means that the preceding symbol (or group of symbols) may appear
one or more times.

Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).

There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
C<Host_Alias> and C<Cmnd_Alias>.

 Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
           'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
           'Host_Alias' Host_Alias (':' Host_Alias)* |
           'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*

 User_Alias ::= NAME '=' User_List

 Runas_Alias ::= NAME '=' Runas_List

 Host_Alias ::= NAME '=' Host_List

 Cmnd_Alias ::= NAME '=' Cmnd_List

 NAME ::= [A-Z]([A-Z][0-9]_)*

Each I<alias> definition is of the form

 Alias_Type NAME = item1, item2, ...

where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
and underscore characters ('_'). A C<NAME> B<must> start with an
uppercase letter. It is possible to put several alias definitions
of the same type on a single line, joined by a colon (':'). E.g.,

 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

The definitions of what constitutes a valid I<alias> member follow.

 User ::= '!'* username |

A C<User_List> is made up of one or more usernames, uids
(prefixed with '#'), System groups (prefixed with '%'),
netgroups (prefixed with '+') and other aliases. Each list
item may be prefixed with one or more '!' operators. An odd number
of '!' operators negate the value of the item; an even number
just cancel each other out.

 Runas_List ::= Runas_User |
                Runas_User ',' Runas_List

 Runas_User ::= '!'* username |

A C<Runas_List> is similar to a C<User_List> except that it can
also contain uids (prefixed with '#') and instead of C<User_Alias>es
it can contain C<Runas_Alias>es.

 Host ::= '!'* hostname |
          '!'* network(/netmask)? |

A C<Host_List> is made up of one or more hostnames, IP addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask with a network number, the netmask
of the host's ethernet interface(s) will be used when matching.
The netmask may be specified either in dotted quad notation (e.g.
255.255.255.0) or CIDR notation (number of bits, e.g. 24). A hostname
may include shell-style wildcards (see `Wildcards' section below),
but unless the C<hostname> command on your machine returns the fully
qualified hostname, you'll need to use the I<fqdn> option for wildcards
to be useful.

 commandname ::= filename |

 Cmnd ::= '!'* commandname |

A C<Cmnd_List> is a list of one or more commandnames, directories, and other
aliases. A commandname is a fully qualified filename which may include
shell-style wildcards (see `Wildcards' section below). A simple
filename allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify C<""> to indicate that the command
may only be run B<without> command line arguments. A directory is a
fully qualified pathname ending in a '/'. When you specify a directory
in a C<Cmnd_List>, the user will be able to run any file within that directory
(but not in any subdirectories therein).

If a C<Cmnd> has associated command line arguments, then the arguments
in the C<Cmnd> must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\'.

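The Cmnd rules described above (bare filename, explicit arguments, C<"">, directories, '!' parity and the four escaped characters) can be checked with a small model when reviewing a rule set. This is an added example, not code from sudo; the function names and sample rules are constructed, and it assumes that wildcards in the command path do not match '/' and that arguments are compared as one space-joined string.

```python
"""Simplified model of matching one sudoers Cmnd item (added example)."""
import fnmatch
import re


def parse_cmnd(spec):
    """Split a Cmnd item into (negated, path, args).

    args is None when any arguments are allowed, "" when the item was
    written with "" (no arguments allowed), otherwise an argument pattern.
    """
    body = spec.lstrip("!")
    negated = (len(spec) - len(body)) % 2 == 1   # odd number of '!' negates
    path, _, rest = body.strip().partition(" ")
    rest = rest.strip()
    if not rest:
        return negated, path, None
    if rest == '""':
        return negated, path, ""
    # Undo the escapes required for ',', ':', '=' and '\' in arguments.
    return negated, path, re.sub(r"\\([,:=\\])", r"\1", rest)


def path_matches(pattern, command):
    """Match a fully qualified command name against a Cmnd path."""
    if pattern.endswith("/"):
        # Directory: any file directly inside it, but not in subdirectories.
        return command.rpartition("/")[0] + "/" == pattern
    want, got = pattern.split("/"), command.split("/")
    # Assumption: match per path component so '*' never crosses a '/'.
    return len(want) == len(got) and all(
        fnmatch.fnmatchcase(g, w) for w, g in zip(want, got))


def cmnd_verdict(spec, argv):
    """Return True (item allows), False (item is negated) or None (no match)."""
    negated, path, args = parse_cmnd(spec)
    if not path_matches(path, argv[0]):
        return None
    given = " ".join(argv[1:])
    if args == "" and given:
        return None                      # "" means: only without arguments
    if args and not fnmatch.fnmatchcase(given, args):
        return None                      # arguments must match the pattern
    return not negated


# Constructed sample rules and invocations for a review table.
RULES = ["/usr/bin/passwd", '/usr/bin/passwd ""', "/usr/bin/passwd [a-z]*",
         "!/usr/bin/passwd root", "/usr/sbin/"]
CALLS = [["/usr/bin/passwd"], ["/usr/bin/passwd", "root"],
         ["/usr/bin/passwd", "alice", "root"], ["/usr/sbin/sub/tool"]]

if __name__ == "__main__":
    for rule in RULES:
        for call in CALLS:
            print(f"{rule!r:28} {' '.join(call):28} {cmnd_verdict(rule, call)}")
```

The table makes the audit point visible: a bare filename accepts every argument list, and under the stated assumption an argument wildcard also accepts several arguments at once.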
Certain configuration options may be changed from their default
values at runtime via one or more C<Default_Entry> lines. These
may affect all users on any host, all users on a specific host, a
specific user, or commands being run as a specific user. When
multiple entries match, they are applied in order. Where there are
conflicting values, the last value on a matching line takes effect.

 Default_Type ::= 'Defaults' ||
                  'Defaults' '@' Host ||
                  'Defaults' ':' User ||
                  'Defaults' '>' RunasUser

 Default_Entry ::= Default_Type Parameter_List

 Parameter ::= Parameter '=' Value ||
               Parameter '+=' Value ||
               Parameter '-=' Value ||

Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
Flags are implicitly boolean and can be turned off via the '!'
operator. Some integer, string and list parameters may also be
used in a boolean context to disable them. Values may be enclosed
in double quotes (C<">) when they contain multiple words. Special
characters may be escaped with a backslash (C<\>).

Lists have two additional assignment operators, C<+=> and C<-=>.
These operators are used to add to and delete from a list respectively.
It is not an error to use the C<-=> operator to remove an element
that does not exist in a list.

Note that since the I<sudoers> file is parsed in order, the best place
to put the Defaults section is after the Host, User, and Cmnd aliases
but before the user specifications.

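Because Defaults entries are applied in file order, with scoped entries and the C<+=> / C<-=> list operators layered on top, the effective value for a given user and host is easy to misjudge by eye. The following added example (not part of sudo) resolves them for one user, host and runas triple and flags two settings this manual itself warns about; the sample lines are constructed, aliases are not expanded, and scope targets are compared as literal strings.

```python
"""Apply sudoers Defaults lines in file order (added example, simplified)."""
import re

HEAD = re.compile(r"^Defaults(?:([@:>])(\S+))?\s+(.+)$")
PARAM = re.compile(r"^(!?)([A-Za-z_]+)\s*(?:(\+=|-=|=)\s*(.*))?$")


def split_params(text):
    """Split a Parameter_List on commas outside double quotes."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep an escaped character
            buf += text[i:i + 2]
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf.strip())
    return [p for p in parts if p]


def words(value):
    """Strip surrounding double quotes and split a list value into words."""
    return value.strip().strip('"').split()


def resolve(lines, user, host, runas="root"):
    """Return the effective Defaults for one (user, host, runas) triple."""
    who = {"@": host, ":": user, ">": runas}
    settings = {}
    for line in lines:
        head = HEAD.match(line.strip())
        if not head:
            continue                          # not a Defaults line
        scope, target, params = head.groups()
        if scope and who[scope] != target:
            continue                          # scoped entry does not apply
        for param in split_params(params):
            pm = PARAM.match(param)
            if not pm:
                continue
            bang, name, op, value = pm.groups()
            if op is None:                    # flag; '!' turns it off
                settings[name] = not bang
            elif op == "=":                   # later matching line wins
                settings[name] = value.strip().strip('"')
            else:
                items = settings.get(name, [])
                if isinstance(items, str):
                    items = items.split()
                elif not isinstance(items, list):
                    items = []
                if op == "+=":
                    items = items + [w for w in words(value) if w not in items]
                else:                         # "-=": missing element is fine
                    items = [w for w in items if w not in words(value)]
                settings[name] = items
    return settings


def findings(settings):
    """Flag values that this manual describes as risky."""
    out = []
    if settings.get("env_editor") is True:
        out.append("env_editor is on: visudo trusts EDITOR/VISUAL")
    try:
        if int(settings.get("timestamp_timeout", 0)) < 0:
            out.append("timestamp_timeout < 0: timestamps never expire")
    except (TypeError, ValueError):
        out.append("timestamp_timeout is not an integer")
    return out


# Constructed sample; the last line is a user specification and is ignored.
SAMPLE = [
    "Defaults env_reset, timestamp_timeout=5",
    'Defaults env_keep = "DISPLAY"',
    'Defaults env_keep += "XAUTHORITY EDITOR"',
    "Defaults:alice timestamp_timeout=-1, env_editor",
    'Defaults@build1 env_keep -= "EDITOR NOSUCH"',
    "Defaults>root !set_logname",
    "alice ALL = (root) /usr/bin/id",
]

if __name__ == "__main__":
    for user, host in (("alice", "build1"), ("bob", "web1")):
        eff = resolve(SAMPLE, user, host)
        print(user, host, eff, findings(eff))
```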
=item long_otp_prompt

When validating with a One Time Password scheme (B<S/Key> or B<OPIE>),
a two-line prompt is used to make it easier to cut and paste the
challenge to a local window. It's not as pretty as the default but
some people find it more convenient. This flag is I<@long_otp_prompt@>
by default.

If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
environment variable; the C<PATH> itself is not modified. This
flag is I<@ignore_dot@> by default.

Send mail to the I<mailto> user every time a user runs B<sudo>.
This flag is I<off> by default.

Send mail to the I<mailto> user if the user running sudo does not
enter the correct password. This flag is I<off> by default.

If set, mail will be sent to the I<mailto> user if the invoking
user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
by default.

If set, mail will be sent to the I<mailto> user if the invoking
user exists in the I<sudoers> file, but is not allowed to run
commands on the current host. This flag is I<@mail_no_host@> by default.

If set, mail will be sent to the I<mailto> user if the invoking
user is allowed to use B<sudo> but the command they are trying is not
listed in their I<sudoers> file entry. This flag is I<@mail_no_perms@>
by default.

If set, users must authenticate on a per-tty basis. Normally,
B<sudo> uses a directory in the ticket dir with the same name as
the user running it. With this flag enabled, B<sudo> will use a
file named for the tty the user is logged in on in that directory.
This flag is I<@tty_tickets@> by default.

If set, a user will receive a short lecture the first time he/she
runs B<sudo>. This flag is I<@lecture@> by default.

If set, users must authenticate themselves via a password (or other
means of authentication) before they may run commands. This default
may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
This flag is I<on> by default.

If set, root is allowed to run B<sudo> too. Disabling this prevents users
from "chaining" B<sudo> commands to get a root shell by doing something
like C<"sudo sudo /bin/sh">.
This flag is I<on> by default.

If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
This flag is I<off> by default.

If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
This flag is I<off> by default.

If set and B<sudo> is invoked with no arguments it acts as if the
B<-s> flag had been given. That is, it runs a shell as root (the
shell is determined by the C<SHELL> environment variable if it is
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is I<off> by default.

If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
environment variable will be set to the home directory of the target
user (which is root unless the B<-u> option is used). This effectively
makes the B<-s> flag imply B<-H>. This flag is I<off> by default.

=item always_set_home

If set, B<sudo> will set the C<HOME> environment variable to the home
directory of the target user (which is root unless the B<-u> option is used).
This effectively means that the B<-H> flag is always implied.
This flag is I<off> by default.

Normally, B<sudo> will tell the user when a command could not be
found in their C<PATH> environment variable. Some sites may wish
to disable this as it could be used to gather information on the
location of executables that the normal user does not have access
to. The disadvantage is that if the executable is simply not in
the user's C<PATH>, B<sudo> will tell the user that they are not
allowed to run it, which can be confusing. This flag is I<off> by
default.

=item preserve_groups

By default B<sudo> will initialize the group vector to the list of
groups the target user is in. When I<preserve_groups> is set, the
user's existing group vector is left unaltered. The real and
effective group IDs, however, are still set to match the target
user. This flag is I<off> by default.

Set this flag if you want to put fully qualified hostnames in the
I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
which may make B<sudo> unusable if DNS stops working (for example
if the machine is not plugged into the network). Also note that
you must use the host's official name as DNS knows it. That is,
you may not use a host alias (C<CNAME> entry) due to performance
issues and the fact that there is no way to get all aliases from
DNS. If your machine's hostname (as returned by the C<hostname>
command) is already fully qualified you shouldn't need to set
I<fqdn>. This flag is I<@fqdn@> by default.

If set, B<sudo> will insult users when they enter an incorrect
password. This flag is I<@insults@> by default.

If set, B<sudo> will only run when the user is logged in to a real
tty. This will disallow things like C<"rsh somehost sudo ls"> since
rsh(1) does not allocate a tty. Because it is not possible to turn
off echo when there is no tty present, some sites may wish to set
this flag to prevent a user from entering a visible password. This
flag is I<off> by default.

If set, B<visudo> will use the value of the EDITOR or VISUAL
environment variables before falling back on the default editor list.
Note that this may create a security hole as it allows the user to
run any arbitrary command as root without logging. A safer alternative
is to place a colon-separated list of editors in the C<editor>
variable. B<visudo> will then only use the EDITOR or VISUAL if
they match a value specified in C<editor>. This flag is C<@env_editor@> by
default.

If set, B<sudo> will prompt for the root password instead of the password
of the invoking user. This flag is I<off> by default.

If set, B<sudo> will prompt for the password of the user defined by the
I<runas_default> option (defaults to C<root>) instead of the password
of the invoking user. This flag is I<off> by default.

If set, B<sudo> will prompt for the password of the user specified by
the B<-u> flag (defaults to C<root>) instead of the password of the
invoking user. This flag is I<off> by default.

Normally, B<sudo> will set the C<LOGNAME> and C<USER> environment variables
to the name of the target user (usually root unless the B<-u> flag is given).
However, since some programs (including the RCS revision control system)
use C<LOGNAME> to determine the real identity of the user, it may be desirable
to change this behavior. This can be done by negating the set_logname option.

Normally, when B<sudo> executes a command the real and effective
UIDs are set to the target user (root by default). This option
changes that behavior such that the real UID is left as the invoking
user's UID. In other words, this makes B<sudo> act as a setuid
wrapper. This can be useful on systems that disable some potentially
dangerous functionality when a program is run setuid. Note, however,
that this means that sudo will run with the real uid of the invoking
user which may allow that user to kill B<sudo> before it can log a
failure, depending on how your OS defines the interaction between
signals and setuid processes.

If set, B<sudo> will reset the environment to only contain the
following variables: C<HOME>, C<LOGNAME>, C<PATH>, C<SHELL>, C<TERM>,
and C<USER> (in addition to the C<SUDO_*> variables).
Of these, only C<TERM> is copied unaltered from the old environment.
The other variables are set to default values (possibly modified
by the value of the I<set_logname> option). If B<sudo> was compiled
with the C<SECURE_PATH> option, its value will be used for the C<PATH>
environment variable.
Other variables may be preserved with the I<env_keep> option.

=item use_loginclass

If set, B<sudo> will apply the defaults specified for the target user's
login class if one exists. Only available if B<sudo> is configured with
the --with-logincap option. This flag is I<off> by default.

The number of tries a user gets to enter his/her password before
B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.

B<Integers that can be used in a boolean context>:

Number of characters per line for the file log. This value is used
to decide when to wrap lines for nicer log files. This has no
effect on the syslog log file, only the file log. The default is
C<@loglen@> (use 0 or negate the option to disable word wrap).

=item timestamp_timeout

Number of minutes that can elapse before B<sudo> will ask for a
password again. The default is C<@timeout@>. Set this to C<0> to always
prompt for a password.
If set to a value less than C<0> the user's timestamp will never
expire. This can be used to allow users to create or delete their
own timestamps via C<sudo -v> and C<sudo -k> respectively.

=item passwd_timeout

Number of minutes before the B<sudo> password prompt times out.
The default is C<@password_timeout@>; set this to C<0> for no password timeout.

Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The default is C<@sudo_umask@>.

Subject of the mail sent to the I<mailto> user. The escape C<%h>
will expand to the hostname of the machine.
Default is C<@mailsub@>.

=item badpass_message

Message that is displayed if a user enters an incorrect password.
The default is C<@badpass_message@> unless insults are enabled.

The directory in which B<sudo> stores its timestamp files.
The default is F<@timedir@>.

=item timestampowner

The owner of the timestamp directory and the timestamps stored therein.
The default is C<root>.

The default prompt to use when asking for a password; can be overridden
via the B<-p> option or the C<SUDO_PROMPT> environment variable.
The following percent (`C<%>') escapes are supported:

expanded to the invoking user's login name

expanded to the login name of the user the command will
be run as (defaults to root)

expanded to the local hostname without the domain name

expanded to the local hostname including the domain name
(only if the machine's hostname is fully qualified or the I<fqdn>
sudoers option is set)

two consecutive C<%> characters are collapsed into a single C<%> character

The default value is C<@passprompt@>.

The default user to run commands as if the B<-u> flag is not specified
on the command line. This defaults to C<@runas_default@>.

=item syslog_goodpri

Syslog priority to use when user authenticates successfully.
Defaults to C<@goodpri@>.

Syslog priority to use when user authenticates unsuccessfully.
Defaults to C<@badpri@>.

A colon (':') separated list of editors allowed to be used with
B<visudo>. B<visudo> will choose the editor that matches the user's
USER environment variable if possible, or the first editor in the
list that exists and is executable. The default is the path to vi
on the system.

B<Strings that can be used in a boolean context>:

Path to the B<sudo> log file (not the syslog log file). Setting a path
turns on logging to a file; negating this option turns it off.

Syslog facility if syslog is being used for logging (negate to
disable syslog logging). Defaults to C<@logfac@>.

Path to mail program used to send warning mail.
Defaults to the path to sendmail found at configure time.

Flags to use when invoking mailer. Defaults to B<-t>.

Address to send warning and error mail to. The address should
be enclosed in double quotes (C<">) to protect against sudo
interpreting the C<@> sign. Defaults to C<@mailto@>.

Users in this group are exempt from password and PATH requirements.
This is not set by default.

This option controls when a password will be required when a user runs
B<sudo> with the B<-v> flag. It has the following possible values:

All the user's I<sudoers> entries for the current host must have
the C<NOPASSWD> flag set to avoid entering a password.

At least one of the user's I<sudoers> entries for the current host
must have the C<NOPASSWD> flag set to avoid entering a password.

The user need never enter a password to use the B<-v> flag.

The user must always enter a password to use the B<-v> flag.

The default value is `all'.

This option controls when a password will be required when a
user runs B<sudo> with the B<-l> flag. It has the following possible values:

All the user's I<sudoers> entries for the current host must have
the C<NOPASSWD> flag set to avoid entering a password.

At least one of the user's I<sudoers> entries for the current host
must have the C<NOPASSWD> flag set to avoid entering a password.

The user need never enter a password to use the B<-l> flag.

The user must always enter a password to use the B<-l> flag.

The default value is `any'.

B<Lists that can be used in a boolean context>:

Environment variables to be removed from the user's environment if
the variable's value contains C<%> or C</> characters. This can
be used to guard against printf-style format vulnerabilities in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
the C<=>, C<+=>, C<-=>, and C<!> operators respectively. The default
list of environment variables to check is printed when B<sudo> is
run by root with the I<-V> option.

Environment variables to be removed from the user's environment.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. The default list of environment
variables to remove is printed when B<sudo> is run by root with the
I<-V> option. Note that many operating systems will remove potentially
dangerous variables from the environment of any setuid process (such
as B<sudo>).

Environment variables to be preserved in the user's environment
when the I<env_reset> option is in effect. This allows fine-grained
control over the environment B<sudo>-spawned processes will receive.
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. This list has no default members.

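Added example (not from the sudo manual or source): a small C model of how I<env_reset>, I<env_keep>, I<env_check> and I<env_delete> shape the environment, following the option descriptions above. The variable lists and default values are constructed for the example and are not sudo's built-in defaults; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENV 32
#define MAX_LEN 128

struct env_policy {
    int env_reset;              /* Defaults env_reset */
    const char *env_check;      /* space-separated names, as in sudoers */
    const char *env_delete;
    const char *env_keep;
    const char *home, *logname, *path, *shell;  /* env_reset default values */
};

/* Is the n-byte name one of the space-separated words in list? */
static int in_list(const char *list, const char *name, size_t n)
{
    while (list != NULL && *list != '\0') {
        size_t w = strcspn(list, " ");
        if (w == n && strncmp(list, name, n) == 0)
            return 1;
        list += w + strspn(list + w, " ");
    }
    return 0;
}

static size_t put(char out[][MAX_LEN], size_t k, const char *name, const char *val)
{
    if (k < MAX_ENV)
        snprintf(out[k++], MAX_LEN, "%s=%s", name, val);
    return k;
}

/* Build the environment the command would receive; returns the entry count.
 * The SUDO_* variables that sudo adds itself are not modelled. */
size_t sanitize_env(const struct env_policy *p, const char *const *in,
                    char out[][MAX_LEN])
{
    size_t k = 0;
    if (p->env_reset) {
        k = put(out, k, "HOME", p->home);
        k = put(out, k, "LOGNAME", p->logname);
        k = put(out, k, "USER", p->logname);
        k = put(out, k, "PATH", p->path);    /* SECURE_PATH when compiled in */
        k = put(out, k, "SHELL", p->shell);
    }
    for (; *in != NULL && k < MAX_ENV; in++) {
        const char *eq = strchr(*in, '=');
        size_t n = eq ? (size_t)(eq - *in) : 0;
        if (eq == NULL)
            continue;
        if (p->env_reset) {
            /* Only TERM and env_keep names come from the old environment. */
            if (in_list("HOME LOGNAME USER PATH SHELL", *in, n))
                continue;
            if (!in_list("TERM", *in, n) && !in_list(p->env_keep, *in, n))
                continue;
        } else {
            if (in_list(p->env_delete, *in, n))
                continue;            /* env_delete: removed unconditionally */
            if (in_list(p->env_check, *in, n) && strpbrk(eq + 1, "%/") != NULL)
                continue;            /* env_check: removed if value has % or / */
        }
        snprintf(out[k++], MAX_LEN, "%s", *in);
    }
    return k;
}

/* Constructed sample input and policies (not sudo's default lists). */
static const char *const sample_env[] = {
    "HOME=/tmp/elsewhere", "PATH=/tmp/bin:/usr/bin", "TERM=xterm", "LANG=en_US",
    "LC_MESSAGES=/tmp/%s", "LD_PRELOAD=/tmp/x.so", "EDITOR=vi", NULL
};
static const struct env_policy filter_policy = {
    .env_check = "LANG LC_MESSAGES", .env_delete = "LD_PRELOAD IFS"
};
static const struct env_policy reset_policy = {
    .env_reset = 1, .env_keep = "EDITOR", .home = "/home/dgb",
    .logname = "dgb", .path = "/usr/bin:/bin", .shell = "/bin/sh"
};

/* Apply a policy to sample_env and return one variable's value, or NULL. */
const char *lookup_after(const struct env_policy *p, const char *name)
{
    static char out[MAX_ENV][MAX_LEN];
    size_t n = sanitize_env(p, sample_env, out), len = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (strncmp(out[i], name, len) == 0 && out[i][len] == '=')
            return out[i] + len + 1;
    return NULL;
}

int main(void)
{
    const char *v = lookup_after(&filter_policy, "LC_MESSAGES");
    printf("filter: LC_MESSAGES %s\n", v ? "kept" : "removed");
    v = lookup_after(&reset_policy, "HOME");
    printf("env_reset: HOME=%s\n", v ? v : "(unset)");
    return 0;
}
```
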
When logging via syslog(3), B<sudo> accepts the following values for the syslog
facility (the value of the B<syslog> Parameter): B<authpriv> (if your OS
supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>, B<local2>,
B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>. The following
syslog priorities are supported: B<alert>, B<crit>, B<debug>, B<emerg>,
B<err>, B<info>, B<notice>, and B<warning>.

=head2 User Specification

    User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \

    Cmnd_Spec_List ::= Cmnd_Spec |
                       Cmnd_Spec ',' Cmnd_Spec_List

    Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd

    Runas_Spec ::= '(' Runas_List ')'

A B<user specification> determines which commands a user may run
(and as what user) on specified hosts. By default, commands are
run as B<root>, but this can be changed on a per-command basis.

Let's break that down into its constituent parts:

A C<Runas_Spec> is simply a C<Runas_List> (as defined above)
enclosed in a set of parentheses. If you do not specify a
C<Runas_Spec> in the user specification, a default C<Runas_Spec>
of B<root> will be used. A C<Runas_Spec> sets the default for
commands that follow it. What this means is that for the entry:

    dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
F</usr/bin/lprm> -- but only as B<operator>. E.g.,

    sudo -u operator /bin/ls

It is also possible to override a C<Runas_Spec> later on in an
entry. If we modify the entry like so:

    dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
but F</bin/kill> and F</usr/bin/lprm> as B<root>.

=head2 NOPASSWD and PASSWD

By default, B<sudo> requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
a default for the commands that follow it in the C<Cmnd_Spec_List>.
Conversely, the C<PASSWD> tag can be used to reverse things.
For example:

    ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
F</usr/bin/lprm> as B<root> on the machine rushmore without
authenticating himself. If we only want B<ray> to be able to
run F</bin/kill> without a password the entry would be:

    ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the C<PASSWD> tag has no effect on users who are
in the group specified by the exempt_group option.

By default, if the C<NOPASSWD> tag is applied to any of the entries
for a user on the current host, he or she will be able to run
C<sudo -l> without a password. Additionally, a user may only run
C<sudo -v> without a password if the C<NOPASSWD> tag is present
for all of a user's entries that pertain to the current host.
This behavior may be overridden via the verifypw and listpw options.

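Added example (not from the sudo manual or source): a C sketch that walks a C<Cmnd_Spec_List>, carrying the C<Runas_Spec> and the C<NOPASSWD>/C<PASSWD> tag forward as described above, and then applies the I<verifypw>/I<listpw> values (`all', `any', `never', `always') to the result. It assumes each command in the list counts as one entry for those options; the function and type names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMNDS 16

struct cmnd {
    char runas[64];   /* Runas_List in effect; "root" when none was given */
    int nopasswd;     /* 1 while NOPASSWD is in effect */
    char cmd[128];    /* command path plus arguments */
};

enum pw_mode { PW_ALL, PW_ANY, PW_NEVER, PW_ALWAYS };   /* verifypw / listpw */

static const char *skip_ws(const char *p)
{
    while (isspace((unsigned char)*p))
        p++;
    return p;
}

/* Parse a Cmnd_Spec_List; Runas_Spec and the PASSWD/NOPASSWD tag carry
 * forward to later commands until overridden. Returns the command count. */
size_t parse_cmnd_spec_list(const char *p, struct cmnd *out)
{
    char runas[64] = "root";
    int nopasswd = 0;
    size_t n = 0;

    while (*p != '\0' && n < MAX_CMNDS) {
        size_t k = 0;

        p = skip_ws(p);
        if (*p == '(') {                               /* Runas_Spec */
            const char *close = strchr(p, ')');
            if (close == NULL)
                break;
            snprintf(runas, sizeof runas, "%.*s", (int)(close - p - 1), p + 1);
            p = skip_ws(close + 1);
        }
        if (strncmp(p, "NOPASSWD:", 9) == 0) {
            nopasswd = 1;
            p += 9;
        } else if (strncmp(p, "PASSWD:", 7) == 0) {
            nopasswd = 0;
            p += 7;
        }
        p = skip_ws(p);
        while (*p != '\0' && *p != ',') {
            if (p[0] == '\\' && p[1] == ',')
                p++;                   /* "\," is a literal comma in arguments */
            if (k + 1 < sizeof out[n].cmd)
                out[n].cmd[k++] = *p;
            p++;
        }
        while (k > 0 && isspace((unsigned char)out[n].cmd[k - 1]))
            k--;
        out[n].cmd[k] = '\0';
        if (k > 0) {
            strcpy(out[n].runas, runas);
            out[n].nopasswd = nopasswd;
            n++;
        }
        if (*p == ',')
            p++;
    }
    return n;
}

/* Does "sudo -v" or "sudo -l" need a password under the given mode? */
int password_required(enum pw_mode mode, const struct cmnd *c, size_t n)
{
    size_t nopass = 0;

    for (size_t i = 0; i < n; i++)
        nopass += (c[i].nopasswd != 0);
    switch (mode) {
    case PW_NEVER:  return 0;
    case PW_ALWAYS: return 1;
    case PW_ANY:    return nopass == 0;
    default:        return n == 0 || nopass != n;      /* PW_ALL */
    }
}

static struct cmnd parsed[MAX_CMNDS];

int main(void)
{
    /* The second "ray" entry from the text above. */
    size_t n = parse_cmnd_spec_list(
        "NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm", parsed);

    for (size_t i = 0; i < n; i++)
        printf("%-14s runas=%s nopasswd=%d\n",
               parsed[i].cmd, parsed[i].runas, parsed[i].nopasswd);
    printf("sudo -l needs password (any): %d\n", password_required(PW_ANY, parsed, n));
    printf("sudo -v needs password (all): %d\n", password_required(PW_ALL, parsed, n));
    return 0;
}
```
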
=head2 Wildcards (aka meta characters):

B<sudo> allows shell-style I<wildcards> to be used in pathnames
as well as command line arguments in the I<sudoers> file. Wildcard
matching is done via the B<POSIX> C<fnmatch(3)> routine. Note that
these are I<not> regular expressions.

Matches any set of zero or more characters.

Matches any single character.

Matches any character in the specified range.

Matches any character B<not> in the specified range.

For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "}".

Note that a forward slash ('/') will B<not> be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash B<does> get matched by
wildcards. This is to make a path like:

match C</usr/bin/who> but not C</usr/bin/X11/xterm>.

=head2 Exceptions to wildcard rules:

The following exceptions apply to the above rules:

If the empty string C<""> is the only command line argument in the
I<sudoers> entry it means that command is not allowed to be run
with B<any> arguments.

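Added example (not from the sudo manual or source): a simplified C model of the matching rules above, calling C<fnmatch(3)> with C<FNM_PATHNAME> for the command path and without it for the arguments. It assumes the last matching item in a list decides and compares paths as strings; the C<john>, C<pete> and C<jill> rules follow entries shown on this page, while the C</usr/bin/*> pattern and the C<who> rule are constructed.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* One item of a Cmnd_Spec_List, already split into path and arguments.
 * args == NULL : no arguments given in sudoers, any arguments are accepted
 * args == ""   : the command may only be run with no arguments at all
 * otherwise    : an fnmatch(3) pattern for the joined argument string   */
struct cmnd_item {
    int negated;            /* written with a leading '!' */
    const char *path;
    const char *args;
};

static int path_matches(const char *spec, const char *cmd)
{
    size_t n = strlen(spec);

    if (n > 0 && spec[n - 1] == '/')    /* directory entry such as /usr/bin/ */
        return strncmp(spec, cmd, n) == 0 && cmd[n] != '\0' &&
               strchr(cmd + n, '/') == NULL;
    /* FNM_PATHNAME: a wildcard in the path never matches '/'. */
    return fnmatch(spec, cmd, FNM_PATHNAME) == 0;
}

static int args_match(const char *spec, const char *args)
{
    if (spec == NULL)
        return 1;
    if (spec[0] == '\0')
        return args[0] == '\0';
    /* No FNM_PATHNAME here: wildcards match '/' (and spaces) in arguments. */
    return fnmatch(spec, args, 0) == 0;
}

/* Returns 1 if the command is permitted, 0 otherwise. Every item is tested
 * and the last one that matches decides (an assumption of this model). */
int cmnd_allowed(const struct cmnd_item *list, size_t n,
                 const char *cmd, const char *args)
{
    int allowed = 0;

    for (size_t i = 0; i < n; i++)
        if (path_matches(list[i].path, cmd) && args_match(list[i].args, args))
            allowed = !list[i].negated;
    return allowed;
}

/* Constructed rules for the example. */
static const struct cmnd_item usr_bin_any[] = { { 0, "/usr/bin/*", NULL } };
static const struct cmnd_item who_noargs[]  = { { 0, "/usr/bin/who", "" } };
/* john: /usr/bin/su [!-]*, !/usr/bin/su *root* */
static const struct cmnd_item john_su[] = {
    { 0, "/usr/bin/su", "[!-]*" },
    { 1, "/usr/bin/su", "*root*" },
};
/* pete: /usr/bin/passwd [A-z]*, !/usr/bin/passwd root */
static const struct cmnd_item pete_passwd[] = {
    { 0, "/usr/bin/passwd", "[A-z]*" },
    { 1, "/usr/bin/passwd", "root" },
};
/* jill: /usr/bin/, !SU (with SU = /usr/bin/su) */
static const struct cmnd_item jill_dir[] = {
    { 0, "/usr/bin/", NULL },
    { 1, "/usr/bin/su", NULL },
};

int main(void)
{
    printf("/usr/bin/* vs who:       %d\n",
           cmnd_allowed(usr_bin_any, 1, "/usr/bin/who", ""));
    printf("/usr/bin/* vs X11/xterm: %d\n",
           cmnd_allowed(usr_bin_any, 1, "/usr/bin/X11/xterm", ""));
    printf("john: su operator:       %d\n",
           cmnd_allowed(john_su, 2, "/usr/bin/su", "operator"));
    printf("john: su -l operator:    %d\n",
           cmnd_allowed(john_su, 2, "/usr/bin/su", "-l operator"));
    /* The argument pattern spans spaces, hence the page's note on passwd(1). */
    printf("pete: passwd alice bob:  %d\n",
           cmnd_allowed(pete_passwd, 2, "/usr/bin/passwd", "alice bob"));
    return 0;
}
```
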
=head2 Other special characters and reserved words:

The pound sign ('#') is used to indicate a comment (unless it
occurs in the context of a user name and is followed by one or
more digits, in which case it is treated as a uid). Both the
comment character and any text after it, up to the end of the line,
are ignored.

The reserved word B<ALL> is a built in I<alias> that always causes
a match to succeed. It can be used wherever one might otherwise
use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
You should not try to define your own I<alias> called B<ALL> as the
built in alias will be used in preference to your own. Please note
that using B<ALL> can be dangerous since in a command context, it
allows the user to run B<any> command on the system.

An exclamation point ('!') can be used as a logical I<not> operator
both in an I<alias> and in front of a C<Cmnd>. This allows one to
exclude certain values. Note, however, that using a C<!> in
conjunction with the built in C<ALL> alias to allow a user to
run "all but a few" commands rarely works as intended (see SECURITY
NOTES below).

Long lines can be continued with a backslash ('\') as the last
character on the line.

Whitespace between elements in a list as well as special syntactic
characters in a I<User Specification> ('=', ':', '(', ')') is optional.

The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g. a username or hostname):
'@', '!', '=', ':', ',', '(', ')', '\'.

Below are example I<sudoers> entries. Admittedly, some of
these are a bit contrived. First, we define our I<aliases>:

    # User alias specification
    User_Alias FULLTIMERS = millert, mikef, dowdy
    User_Alias PARTTIMERS = bostley, jwfox, crawl
    User_Alias WEBMASTERS = will, wendy, wim

    # Runas alias specification
    Runas_Alias OP = root, operator
    Runas_Alias DB = oracle, sybase

    # Host alias specification
    Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
               SGI = grolsch, dandelion, black :\
               ALPHA = widget, thalamus, foobar :\
               HPPA = boa, nag, python
    Host_Alias CUNETS = 128.138.0.0/255.255.0.0
    Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
    Host_Alias SERVERS = master, mail, www, ns
    Host_Alias CDROM = orion, perseus, hercules

    # Cmnd alias specification
    Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                       /usr/sbin/restore, /usr/sbin/rrestore
    Cmnd_Alias KILL = /usr/bin/kill
    Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
    Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
    Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
    Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
    Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                        /usr/local/bin/tcsh, /usr/bin/rsh, \
    Cmnd_Alias SU = /usr/bin/su

Here we override some of the compiled in default values. We want
B<sudo> to log via syslog(3) using the I<auth> facility in all
cases. We don't want to subject the full time staff to the B<sudo>
lecture, user B<millert> need not give a password, and we don't
want to set the C<LOGNAME> or C<USER> environment variables when
running commands as root. Additionally, on the machines in the
I<SERVERS> C<Host_Alias>, we keep an additional local log file and
make sure we log the year in each log line since the log entries
will be kept around for several years.

    # Override built in defaults
    Defaults syslog=auth
    Defaults>root !set_logname
    Defaults:FULLTIMERS !lecture
    Defaults:millert !authenticate
    Defaults@SERVERS log_year, logfile=/var/log/sudo.log

The I<User specification> is the part that actually determines who may
run what.

    root ALL = (ALL) ALL
    %wheel ALL = (ALL) ALL

We let B<root> and any user in group B<wheel> run any command on any
host as any user.

    FULLTIMERS ALL = NOPASSWD: ALL

Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
command on any host without authenticating themselves.

    PARTTIMERS ALL = ALL

Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
command on any host but they must authenticate themselves first
(since the entry lacks the C<NOPASSWD> tag).

The user B<jack> may run any command on the machines in the I<CSNETS> alias
(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
Of those networks, only C<128.138.204.0> has an explicit netmask (in
CIDR notation) indicating it is a class C network. For the other
networks in I<CSNETS>, the local machine's netmask will be used
during matching.

The user B<lisa> may run any command on any host in the I<CUNETS> alias
(the class B network C<128.138.0.0>).

    operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\

The B<operator> user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory F</usr/oper/bin/>.

    joe ALL = /usr/bin/su operator

The user B<joe> may only su(1) to operator.

    pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

The user B<pete> is allowed to change anyone's password except for
root on the I<HPPA> machines. Note that this assumes passwd(1)
does not take multiple usernames on the command line.

    bob SPARC = (OP) ALL : SGI = (OP) ALL

The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).

The user B<jim> may run any command on machines in the I<biglab> netgroup.
B<Sudo> knows that "biglab" is a netgroup due to the '+' prefix.

    +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

Users in the B<secretaries> netgroup need to help manage the printers
as well as add and remove users, so they are allowed to run those
commands on all machines.

    fred ALL = (DB) NOPASSWD: ALL

The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
(B<oracle> or B<sybase>) without giving a password.

    john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

On the I<ALPHA> machines, user B<john> may su to anyone except root
but he is not allowed to give su(1) any flags.

    jen ALL, !SERVERS = ALL

The user B<jen> may run any command on any machine except for those
in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).

jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
any commands in the directory /usr/bin/ except for those commands
belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
steve CSNETS = (operator) /usr/local/op_commands/
The user B<steve> may run any command in the directory /usr/local/op_commands/
but only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie, B<matt> needs to be able to
kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
wendy, and wim) may run any command as user www (which owns the
web pages) or simply su(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in the CDROM
C<Host_Alias> (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
=head1 SECURITY NOTES
It is generally not effective to "subtract" commands from C<ALL>
using the '!' operator. A user can trivially circumvent this
by copying the desired command to a different name and then
executing that. For example:
bill ALL = ALL, !SU, !SHELLS
This doesn't really prevent B<bill> from running the commands listed in
I<SU> or I<SHELLS> since he can simply copy those commands to a
different name, or use a shell escape from an editor or other
program. Therefore, these kinds of restrictions should be considered
advisory at best (and reinforced by policy).
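Rules of the kind this note warns about can be found mechanically when auditing a I<sudoers> file. The following Python sketch is an added example, not part of sudo or of the original manual; its simplified parser, the function names and the constructed sample (built from the rules shown on this page) are assumptions.

```python
import re

# Constructed sample built from the user specifications shown on this page.
SAMPLE = r"""
Cmnd_Alias SU = /usr/bin/su
bill ALL = ALL, !SU, !SHELLS
jen ALL, !SERVERS = ALL
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
fred ALL = (DB) NOPASSWD: ALL
bob SPARC = (OP) ALL : SGI = (OP) ALL
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
    /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
"""

TAG = re.compile(r"\b(?:NOPASSWD|PASSWD)\s*:")  # tag colons are not separators
RUNAS = re.compile(r"\([^)]*\)")                # e.g. (OP), (root, operator)

def split_unescaped(text, sep):
    """Split on sep unless it is backslash-escaped, as in 'nosuid\\,nodev'."""
    return [p.strip() for p in re.split(r"(?<!\\)" + re.escape(sep), text)]

def commands(section):
    """Command items of one 'hosts = commands' section (simplified parse)."""
    cmnds = RUNAS.sub("", section.partition("=")[2])
    return [c for c in split_unescaped(cmnds, ",") if c]

def find_subtractions(sudoers_text):
    """Return (user, negated items) for rules that negate commands out of ALL."""
    text = re.sub(r"\\\n\s*", " ", sudoers_text)  # join continuation lines
    findings = []
    for line in map(str.strip, text.splitlines()):
        parts = line.split(None, 1)
        if len(parts) < 2 or "=" not in parts[1] or line.startswith("#"):
            continue
        if re.match(r"\w+_Alias\b|Defaults", line):
            continue                               # not a user specification
        user, rest = parts
        for section in split_unescaped(TAG.sub("", rest), ":"):
            items = commands(section)
            negated = [c for c in items if c.startswith("!")]
            # Host-list negation (jen) sits left of '=' and is never seen here.
            if "ALL" in items and negated:
                findings.append((user, negated))
    return findings

if __name__ == "__main__":
    for user, negated in find_subtractions(SAMPLE):
        print(f"{user}: ALL with {', '.join(negated)} is advisory only")
```

Only B<bill>'s rule is reported: B<jen>'s negation applies to hosts, and B<john>'s negation restricts an explicit command rather than subtracting from C<ALL>.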
The I<sudoers> file should B<always> be edited by the B<visudo>
command which locks the file and does grammatical checking. It is
imperative that I<sudoers> be free of syntax errors since B<sudo>
will not run with a syntactically incorrect I<sudoers> file.
When using netgroups of machines (as opposed to users), if you
store fully qualified hostnames in the netgroup (as is usually the
case), you either need to have the machine's hostname be fully qualified
as returned by the C<hostname> command or use the I<fqdn> option in
I<sudoers>.
@sysconfdir@/sudoers    List of who can run what
/etc/group              Local groups file
/etc/netgroup           List of network groups
rsh(1), su(1), fnmatch(3), sudo(8), visudo(8)