#;
#; /etc/sudoers
#; Sample sudoers file
#;
#; +----------------------------------------------------+
#; | Author: DePaul University |
#; | Computer Security Response Team |
#; | WWW: |
#; | SMTP: |
#; +----------------------------------------------------+
#;
#; Copyright (c) 2004. DePaul University. All Rights Reserved.
#;
#; Platform: Tested on the following platforms
#; OpenBSD 3.1, 3.2, 3.3, 3.4, 3.5
#; FreeBSD 4.4, 4.5, 4.6, 4.9, 5.1
#;
#; Note: This file MUST be edited with the 'visudo' command as root.
#; Sudo can be found on the web at...
#;
#;
#; Revised: $Id: sudoers,v 1.3 2004/04/29 20:49:31 epancer Exp $
#;
#; Host aliases, in the form of subnets or (eek!) hostnames.
#; sudo compares these against the name and addresses of the host it
#; is running on, so a hostname entry is only as trustworthy as that
#; machine's own hostname/resolver setup; the CIDR entries avoid that.
Host_Alias DPUNET = 140.192.0.0/16
Host_Alias PRIVNET = 10.6.66.0/25, 10.6.67.128/28, \
172.21.43.253/32
Host_Alias SHELLSERVER = 192.168.43.0/29, shell1, pop3
#; User aliases: lists of login names. SYSTEM_ADMIN is declared here
#; but not referenced by any user specification below; group-based
#; grants use the %group form instead (see %wheel and %dba).
User_Alias SYSTEM_ADMIN = nancy, drew
User_Alias STUDENT_WORKERS = tom, dick, harry
#; RunAs aliases; what privileges are given to the sudoee
Runas_Alias DBA = oracle
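#; Command aliases. What people can do.
#; SU lists sudo itself as well as su, so that a "!SU" exclusion
#; also covers re-entering sudo from a sudo'd command.
Cmnd_Alias SU = /usr/bin/su, /usr/bin/sudo
Cmnd_Alias VISUDO = /usr/sbin/visudo
Cmnd_Alias HALT = /sbin/halt
Cmnd_Alias REBOOT = /sbin/reboot
#; passwd may only be run with an argument that starts with a letter,
#; and never for root. The character class is [A-Za-z] rather than
#; [A-z]: the latter is an ASCII range that also admits the punctuation
#; characters between 'Z' and 'a'. Note that sudoers(5) matches the
#; argument string as a whole and "*" can match across spaces, so this
#; pattern does not by itself limit passwd to a single argument.
Cmnd_Alias PASSWORD = /usr/bin/passwd [A-Za-z]*, \
!/usr/bin/passwd root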
#; Defaults specification
#;   syslog=auth     log through the syslog "auth" facility
#;   log_year        include the year in log entries
#;   logfile=...     also append every invocation to a private log file
#;   mail_no_perms   mail when a user attempts a command they may not run
#;   tty_tickets     authentication timestamps are kept per tty
#;   loglinelen=0    do not wrap long log lines
#;   mailto=...      placeholder address; set it before deploying
#; NOTE(review): keep /var/log/sudo.log root-owned and not readable by
#; other users, since it records the full command line of each sudo use.
Defaults syslog=auth,log_year,logfile=/var/log/sudo.log, \
mail_no_perms, tty_tickets, loglinelen=0, \
mailto="youraddress@example.org"
#; User specifications. When a user matches more than one entry, sudo
#; applies the LAST matching one, so the order of these lines matters.
#; Root can do anything w/o a password.
root ALL = (ALL) NOPASSWD: ALL
#; Anyone in the wheel group can do anything so long
#; as they meet the password requirement.
%wheel ALL = (ALL) ALL
#; Nancy can do anything on the private network EXCEPT
#; for su and visudo.
#; NOTE(review): sudoers(5) warns that subtracting commands from ALL
#; with "!" is not an effective restriction, because ALL still includes
#; commands that yield a root shell. Read this entry as full root on
#; PRIVNET; if su/visudo really must be withheld, replace ALL with an
#; explicit list of permitted commands.
nancy PRIVNET = (ALL) ALL,!SU,!VISUDO
#; Student workers can only halt and reboot machines
#; on the private network.
#; (ALL) allows any target user via -u; halt and reboot are only
#; meaningful as root, so (root) would be the tighter choice.
STUDENT_WORKERS PRIVNET = (ALL) HALT,REBOOT
#; On the shell servers, student workers can reset passwords
#; except for root's password.
#; The "!/usr/bin/passwd root" exclusion in the PASSWORD alias is what
#; keeps this from being a root password reset; see the caveats there.
STUDENT_WORKERS SHELLSERVER = (ALL) PASSWORD
#; Anyone in the dba group can do anything as the user oracle
#; on any hosts on the private network. However, they can't
#; su or visudo!
#; Since the runas list is (DBA) = oracle, this is effectively "any
#; command, including a shell, as oracle"; the SU/VISUDO exclusions
#; carry the same caveat as nancy's entry above.
%dba PRIVNET = (DBA) ALL,!SU,!VISUDO
#;
# vim: ts=8 sw=8 nowrap
#;