authorXiao Pan <xyz@flylightning.xyz>2024-07-22 18:19:51 -0700
committerXiao Pan <xyz@flylightning.xyz>2024-07-22 18:19:51 -0700
commit5de09dd89f079433dafbcf7628a69cc2b62ec26d (patch)
tree809b441cd55804e3c9dbba28ded7b306f208d99f /etc
parentc3782b726564d41df64bd345655f6fb382c8adc2 (diff)
/etc/sudoers pacnew
Diffstat (limited to 'etc')
-rw-r--r--etc/sudoers31
1 files changed, 28 insertions, 3 deletions
diff --git a/etc/sudoers b/etc/sudoers
index cfd22989..2569d3a2 100644
--- a/etc/sudoers
+++ b/etc/sudoers
@@ -27,11 +27,29 @@
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
+#
# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+#
+# Cmnd_Alias DEBUGGERS = /usr/bin/gdb, /usr/bin/lldb, /usr/bin/strace, \
+# /usr/bin/truss, /usr/bin/bpftrace, \
+# /usr/bin/dtrace, /usr/bin/dtruss
+#
+# Cmnd_Alias PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \
+# /usr/bin/yum, /usr/bin/dnf, /usr/bin/zypper, \
+# /usr/bin/pacman
##
## Defaults specification
##
+## Preserve editor environment variables for visudo.
+## To preserve these for all commands, remove the "!visudo" qualifier.
+Defaults!/usr/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
+##
+## Use a hard-coded PATH instead of the user's to find commands.
+## This also helps prevent poorly written scripts from running
+## artbitrary commands under sudo.
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
+##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
@@ -56,9 +74,6 @@
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-##
## Uncomment to restore the historic behavior where a command is run in
## the user's own terminal.
# Defaults !use_pty
@@ -75,6 +90,16 @@
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
+##
+## Uncomment to disable intercept and log_subcmds for debuggers and
+## tracers. Otherwise, anything that uses ptrace(2) will be unable
+## to run under sudo if intercept_type is set to "trace".
+# Defaults!DEBUGGERS !intercept, !log_subcmds
+##
+## Uncomment to disable intercept and log_subcmds for package managers.
+## Some package scripts run a huge number of commands, which is made
+## slower by these options and also can clutter up the logs.
+# Defaults!PKGMAN !intercept, !log_subcmds
##
## Runas alias specification
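Review bot: The commented `Defaults!DEBUGGERS` and `Defaults!PKGMAN` entries depend on the `Cmnd_Alias DEBUGGERS` and `Cmnd_Alias PKGMAN` definitions, which the first hunk adds only as comments, so uncommenting an entry without its alias leaves it pointing at an undefined alias. The comments also present the exemption purely as a compatibility and performance matter. Where `intercept` or `log_subcmds` is relied on for policy or audit, turning them off for debuggers and package managers removes sub-command checks and logging for programs that can start arbitrary processes. I would add a line such as `## Requires the matching Cmnd_Alias above; sub-commands of these programs are then neither checked nor logged.` before each entry.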