Add -U option to use in conjunction with -l instead of -u.

Add support for "sudo -l command" to test a specific command.
Todd C. Miller
2004-11-24 21:31:51 +00:00
parent f75a034f06
commit 5f06b19a6e
6 changed files with 234 additions and 152 deletions

38
parse.c

@@ -135,7 +135,7 @@ sudoers_lookup(pwflag)
} }
} }
} }
if (matched == TRUE) { if (matched == TRUE || user_uid == 0) {
/* User has an entry for this host. */ /* User has an entry for this host. */
CLR(validated, VALIDATE_NOT_OK); CLR(validated, VALIDATE_NOT_OK);
SET(validated, VALIDATE_OK); SET(validated, VALIDATE_OK);
@@ -238,6 +238,42 @@ display_privs(pw)
} }
} }
/*
* Check user_cmnd against sudoers and print the matching entry if the
* command is allowed.
*/
int
display_cmnd(pw)
struct passwd *pw;
{
struct cmndspec *cs;
struct member *match, *runas;
struct privilege *priv;
struct userspec *us;
for (match = NULL, us = userspecs; us != NULL; us = us->next) {
if (user_matches(pw, us->user) != TRUE ||
host_matches(us->privileges->hostlist) != TRUE)
continue;
for (priv = us->privileges; priv != NULL; priv = priv->next) {
runas = NULL;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (cs->runaslist != NULL)
runas = cs->runaslist;
if (runas_matches(runas) == TRUE &&
cmnd_matches(cs->cmnd) != UNSPEC)
match = cs->cmnd;
}
}
}
if (match == NULL || match->negated)
return(1);
printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
user_args ? user_args : "");
return(0);
}
/* /*
* Print the contents of a struct member to stdout * Print the contents of a struct member to stdout
*/ */
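Review bot: In `display_cmnd()` the host test `host_matches(us->privileges->hostlist)` looks only at the first privilege of each userspec, yet the inner loop then walks every `priv` in `us->privileges` and accepts command matches from all of them. If a userspec carries several privileges with different host lists, `sudo -l command` can report a command as permitted on this host when the matching entry names another host, and can skip a userspec whose first privilege is for another host. Moving the test into the privilege loop ties the answer to the host list of the entry that matched: `if (host_matches(priv->hostlist) != TRUE) continue;` as the first statement of the `for (priv = ...)` body, with the outer condition reduced to the `user_matches()` check. The function lies wholly within this hunk.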

49
sudo.c

@@ -239,6 +239,9 @@ main(argc, argv, envp)
user_cmnd = "list"; user_cmnd = "list";
pwflag = I_LISTPW; pwflag = I_LISTPW;
break; break;
case MODE_CHECK:
pwflag = I_LISTPW;
break;
} }
/* Must have a command to run... */ /* Must have a command to run... */
@@ -361,6 +364,8 @@ main(argc, argv, envp)
log_auth(validated, 1); log_auth(validated, 1);
if (sudo_mode == MODE_VALIDATE) if (sudo_mode == MODE_VALIDATE)
exit(0); exit(0);
else if (sudo_mode == MODE_CHECK)
exit(display_cmnd(list_pw ? list_pw : sudo_user.pw));
else if (sudo_mode == MODE_LIST) { else if (sudo_mode == MODE_LIST) {
display_privs(list_pw ? list_pw : sudo_user.pw); display_privs(list_pw ? list_pw : sudo_user.pw);
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
@@ -548,7 +553,7 @@ init_vars(sudo_mode)
/* It is now safe to use log_error() and set_perms() */ /* It is now safe to use log_error() and set_perms() */
#ifdef HAVE_GETGROUPS #ifdef HAVE_GETGROUPS
if ((user_ngroups = getgroups(0, NULL)) > 0) { if (list_pw == NULL && (user_ngroups = getgroups(0, NULL)) > 0) {
user_groups = emalloc2(user_ngroups, sizeof(gid_t)); user_groups = emalloc2(user_ngroups, sizeof(gid_t));
if (getgroups(user_ngroups, user_groups) < 0) if (getgroups(user_ngroups, user_groups) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't get group vector"); log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
@@ -618,8 +623,8 @@ set_cmnd(sudo_mode)
/* Resolve the path and return. */ /* Resolve the path and return. */
rval = FOUND; rval = FOUND;
user_stat = emalloc(sizeof(struct stat)); user_stat = emalloc(sizeof(struct stat));
if (sudo_mode & (MODE_RUN | MODE_EDIT)) { if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
if (ISSET(sudo_mode, MODE_RUN)) { if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
set_perms(PERM_RUNAS); set_perms(PERM_RUNAS);
rval = find_path(NewArgv[0], &user_cmnd, user_stat, user_path); rval = find_path(NewArgv[0], &user_cmnd, user_stat, user_path);
set_perms(PERM_ROOT); set_perms(PERM_ROOT);
@@ -817,6 +822,15 @@ parse_args(argc, argv)
case 'S': case 'S':
SET(tgetpass_flags, TGP_STDIN); SET(tgetpass_flags, TGP_STDIN);
break; break;
case 'U':
/* Must have an associated list user. */
if (NewArgv[1] == NULL)
usage(1);
if ((list_pw = sudo_getpwnam(NewArgv[1])) == NULL)
errorx(1, "unknown user %s", NewArgv[1]);
NewArgc--;
NewArgv++;
break;
case '-': case '-':
NewArgc--; NewArgc--;
NewArgv++; NewArgv++;
@@ -833,19 +847,23 @@ parse_args(argc, argv)
NewArgc--; NewArgc--;
NewArgv++; NewArgv++;
} }
if (NewArgc > 0 && rval == MODE_LIST)
rval = MODE_CHECK;
if (user_runas != NULL) { if (user_runas != NULL && !ISSET(rval, (MODE_EDIT|MODE_RUN|MODE_CHECK))) {
if (rval == MODE_LIST) { if (excl != '\0')
if ((list_pw = sudo_getpwnam(*user_runas)) == NULL) warningx("the `-u' and '-%c' options may not be used together",
errorx(1, "unknown user %s", *user_runas); excl);
user_runas = NULL; usage(1);
} else if (!ISSET(rval, (MODE_EDIT|MODE_RUN))) { }
warningx("the `-u' and '-%c' options may not be used together", excl); if (list_pw != NULL && rval != MODE_LIST && rval != MODE_CHECK) {
usage(1); if (excl != '\0')
} warningx("the `-U' and '-%c' options may not be used together",
excl);
usage(1);
} }
if ((NewArgc == 0 && (rval & MODE_EDIT)) || if ((NewArgc == 0 && (rval & MODE_EDIT)) ||
(NewArgc > 0 && !(rval & (MODE_RUN | MODE_EDIT)))) (NewArgc > 0 && !(rval & (MODE_RUN | MODE_EDIT | MODE_CHECK))))
usage(1); usage(1);
return(rval); return(rval);
@@ -1126,7 +1144,10 @@ usage(exit_val)
continue; continue;
*p = " file [...]"; *p = " file [...]";
} else { } else {
fprintf(stderr, "usage: %s -K | -L | -V | -h | -k | -l | -v\n", fprintf(stderr, "usage: %s -K | -L | -V | -h | -k | -v\n",
getprogname());
fprintf(stderr,
"usage: %s [-U username] [-u username|#uid] -l [command]\n",
getprogname()); getprogname());
} }
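Review bot: The new `-u` check in `parse_args()` rejects `-u` whenever the mode is not `MODE_EDIT`, `MODE_RUN` or `MODE_CHECK`, so `sudo -u user -l` with no command now ends in `usage(1)`, while the usage string added in `usage()` prints `[-U username] [-u username|#uid] -l [command]` with the command optional. One of the two should change: either print the list form and the check form as separate usage lines, for example `usage: %s [-U username] -l` and `usage: %s [-U username] [-u username|#uid] -l command`, or say in a comment above the check that `-u` is accepted with `-l` only when a command follows. Callers that relied on the old `-u user -l` listing will otherwise get a usage error that the printed synopsis does not explain. Both functions continue outside the visible hunks.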

212
sudo.cat
View File

@@ -8,7 +8,9 @@ NNAAMMEE
sudo, sudoedit - execute a command as another user sudo, sudoedit - execute a command as another user
SSYYNNOOPPSSIISS SSYYNNOOPPSSIISS
ssuuddoo --KK | --LL | --VV | --hh | --kk | --ll | --vv ssuuddoo --KK | --LL | --VV | --hh | --kk | --vv
ssuuddoo [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] --ll [_c_o_m_m_a_n_d]
ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t] ssuuddoo [--HHPPSSbb] [--aa _a_u_t_h___t_y_p_e] [--cc _c_l_a_s_s|_-] [--pp _p_r_o_m_p_t]
[--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d} [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] {--ee file [...] | --ii | --ss | _c_o_m_m_a_n_d}
@@ -56,12 +58,10 @@ DDEESSCCRRIIPPTTIIOONN
mands through sudo even when a root shell has been mands through sudo even when a root shell has been
invoked. It also allows the --ee flag to remain useful even invoked. It also allows the --ee flag to remain useful even
when being run via a sudo-run script or program. Note when being run via a sudo-run script or program. Note
however, that the sudoers lookup is still done for root,
not the user specified by SUDO_USER.
1.6.9 November 11, 2004 1 1.6.9 November 24, 2004 1
@@ -70,6 +70,9 @@ DDEESSCCRRIIPPTTIIOONN
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
however, that the sudoers lookup is still done for root,
not the user specified by SUDO_USER.
ssuuddoo can log both successful and unsuccessful attempts (as ssuuddoo can log both successful and unsuccessful attempts (as
well as errors) to _s_y_s_l_o_g(3), a log file, or both. By well as errors) to _s_y_s_l_o_g(3), a log file, or both. By
default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable
@@ -104,6 +107,11 @@ OOPPTTIIOONNSS
from the standard input instead of the terminal from the standard input instead of the terminal
device. device.
-U The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with
the --ll option to specify the user whose privileges
should be listed. Only root or a user with ssuuddoo ALL
on the current host may use this option.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver<65> -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the ver<65>
sion number and exit. If the invoking user is already sion number and exit. If the invoking user is already
root the --VV option will print out a list of the root the --VV option will print out a list of the
@@ -116,18 +124,10 @@ OOPPTTIIOONNSS
administrator may specify a list of sudo-specific administrator may specify a list of sudo-specific
authentication methods by adding an "auth-sudo" entry authentication methods by adding an "auth-sudo" entry
in /etc/login.conf. This option is only available on in /etc/login.conf. This option is only available on
systems that support BSD authentication where ssuuddoo has
been configured with the --with-bsdauth option.
-b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given
command in the background. Note that if you use the
--bb option you cannot use shell job control to manipu<70>
late the process.
1.6.9 November 24, 2004 2
1.6.9 November 11, 2004 2
@@ -136,6 +136,14 @@ OOPPTTIIOONNSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
systems that support BSD authentication where ssuuddoo has
been configured with the --with-bsdauth option.
-b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given
command in the background. Note that if you use the
--bb option you cannot use shell job control to manipu<70>
late the process.
-c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified -c The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified
command with resources limited by the specified login command with resources limited by the specified login
class. The _c_l_a_s_s argument can be either a class name class. The _c_l_a_s_s argument can be either a class name
@@ -182,6 +190,18 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
sage and exit. sage and exit.
-i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell -i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
1.6.9 November 24, 2004 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
specified in the passwd(4) entry of the user that the specified in the passwd(4) entry of the user that the
command is being run as. The command name argument command is being run as. The command name argument
given to the shell begins with a `-' to tell the shell given to the shell begins with a `-' to tell the shell
@@ -191,17 +211,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and
_P_A_T_H, and unsetting all other environment variables. _P_A_T_H, and unsetting all other environment variables.
1.6.9 November 11, 2004 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's
timestamp by setting the time on it to the epoch. The timestamp by setting the time on it to the epoch. The
next time ssuuddoo is run a password will be required. next time ssuuddoo is run a password will be required.
@@ -209,11 +218,15 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
to allow a user to revoke ssuuddoo permissions from a to allow a user to revoke ssuuddoo permissions from a
.logout file. .logout file.
-l The --ll (_l_i_s_t) option will list out the allowed (and -l [_c_o_m_m_a_n_d]
forbidden) commands for the user on the current host. If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will
If the --uu flag is specified and the invoking user has list the allowed (and forbidden) commands for the
ssuuddoo ALL on the current host, the information listed invoking user (or the user specified by the --UU option)
will be for the user specified by the --uu flag. on the current host. If a _c_o_m_m_a_n_d is specified and is
permitted by _s_u_d_o_e_r_s, the fully-qualified path to the
command is displayed along with any command line argu<67>
ments. If _c_o_m_m_a_n_d is not allowed, ssuuddoo will exit with
a return value of 1.
-p The --pp (_p_r_o_m_p_t) option allows you to override the -p The --pp (_p_r_o_m_p_t) option allows you to override the
default password prompt and use a custom one. The default password prompt and use a custom one. The
@@ -243,6 +256,18 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
command as a user other than _r_o_o_t. To specify a _u_i_d command as a user other than _r_o_o_t. To specify a _u_i_d
instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. Note that if the instead of a _u_s_e_r_n_a_m_e, use _#_u_i_d. Note that if the
_t_a_r_g_e_t_p_w Defaults option is set (see sudoers(4)) it is _t_a_r_g_e_t_p_w Defaults option is set (see sudoers(4)) it is
1.6.9 November 24, 2004 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
not possible to run commands with a uid not listed in not possible to run commands with a uid not listed in
the password database. the password database.
@@ -256,18 +281,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
command line arguments. It is most useful in conjunc<6E> command line arguments. It is most useful in conjunc<6E>
tion with the --ss flag. tion with the --ss flag.
1.6.9 November 11, 2004 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
RREETTUURRNN VVAALLUUEESS RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the return value Upon successful execution of a program, the return value
from ssuuddoo will simply be the return value of the program from ssuuddoo will simply be the return value of the program
@@ -309,6 +322,18 @@ SSEECCUURRIITTYY NNOOTTEESS
as root. as root.
To prevent command spoofing, ssuuddoo checks "." and "" (both To prevent command spoofing, ssuuddoo checks "." and "" (both
1.6.9 November 24, 2004 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
denoting current directory) last when searching for a com<6F> denoting current directory) last when searching for a com<6F>
mand in the user's PATH (if one or both are in the PATH). mand in the user's PATH (if one or both are in the PATH).
Note, however, that the actual PATH environment variable Note, however, that the actual PATH environment variable
@@ -322,18 +347,6 @@ SSEECCUURRIITTYY NNOOTTEESS
cally. cally.
ssuuddoo will check the ownership of its timestamp directory ssuuddoo will check the ownership of its timestamp directory
1.6.9 November 11, 2004 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
(_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con<6F> (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con<6F>
tents if it is not owned by root and only writable by tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away root. On systems that allow non-root users to give away
@@ -374,6 +387,19 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
EENNVVIIRROONNMMEENNTT EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables: ssuuddoo utilizes the following environment variables:
1.6.9 November 24, 2004 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
EDITOR Default editor to use in -e (sudoedit) mode if EDITOR Default editor to use in -e (sudoedit) mode if
VISUAL is not set VISUAL is not set
@@ -388,18 +414,6 @@ EENNVVIIRROONNMMEENNTT
SUDO_PROMPT Used as the default password prompt SUDO_PROMPT Used as the default password prompt
1.6.9 November 11, 2004 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_COMMAND Set to the command run by sudo SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo SUDO_USER Set to the login of the user who invoked sudo
@@ -441,6 +455,17 @@ EEXXAAMMPPLLEESS
$ sudo shutdown -r +15 "quick reboot" $ sudo shutdown -r +15 "quick reboot"
1.6.9 November 24, 2004 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
To make a usage listing of the directories in the /home To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub- partition. Note that this runs the commands in a sub-
shell to make the cd and file redirection work. shell to make the cd and file redirection work.
@@ -455,17 +480,6 @@ AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this ver<65> Many people have worked on ssuuddoo over the years; this ver<65>
sion consists of code written primarily by: sion consists of code written primarily by:
1.6.9 November 11, 2004 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
Todd Miller Todd Miller
Chris Jepeway Chris Jepeway
@@ -505,6 +519,19 @@ BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a If you feel you have found a bug in ssuuddoo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/ bug report at http://www.sudo.ws/sudo/bugs/
1.6.9 November 24, 2004 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SSUUPPPPOORRTT SSUUPPPPOORRTT
Commercial support is available for ssuuddoo, see Commercial support is available for ssuuddoo, see
http://www.sudo.ws/sudo/support.html for details. http://www.sudo.ws/sudo/support.html for details.
@@ -519,20 +546,18 @@ DDIISSCCLLAAIIMMEERR
ranties, including, but not limited to, the implied war<61> ranties, including, but not limited to, the implied war<61>
ranties of merchantability and fitness for a particular ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed purpose are disclaimed. See the LICENSE file distributed
with ssuuddoo or http://www.sudo.ws/sudo/license.html for with ssuuddoo or http://www.sudo.ws/sudo/license.html for com<6F>
plete details.
1.6.9 November 11, 2004 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
complete details.
@@ -564,31 +589,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.6.9 November 24, 2004 9
1.6.9 November 11, 2004 9

36
sudo.h
View File

@@ -83,23 +83,24 @@ struct sudo_user {
#define NOT_FOUND_DOT -1 #define NOT_FOUND_DOT -1
/* /*
* Various modes sudo can be in (based on arguments) in octal * Various modes sudo can be in (based on arguments) in hex
*/ */
#define MODE_RUN 000001 #define MODE_RUN 0x0001
#define MODE_VALIDATE 000002 #define MODE_EDIT 0x0002
#define MODE_INVALIDATE 000004 #define MODE_VALIDATE 0x0004
#define MODE_KILL 000010 #define MODE_INVALIDATE 0x0008
#define MODE_VERSION 000020 #define MODE_KILL 0x0010
#define MODE_HELP 000040 #define MODE_VERSION 0x0020
#define MODE_LIST 000100 #define MODE_HELP 0x0040
#define MODE_LISTDEFS 000200 #define MODE_LIST 0x0080
#define MODE_BACKGROUND 000400 #define MODE_CHECK 0x0100
#define MODE_SHELL 001000 #define MODE_LISTDEFS 0x0200
#define MODE_LOGIN_SHELL 002000 #define MODE_BACKGROUND 0x0400
#define MODE_IMPLIED_SHELL 004000 #define MODE_SHELL 0x0800
#define MODE_RESET_HOME 010000 #define MODE_LOGIN_SHELL 0x1000
#define MODE_PRESERVE_GROUPS 020000 #define MODE_IMPLIED_SHELL 0x2000
#define MODE_EDIT 040000 #define MODE_RESET_HOME 0x4000
#define MODE_PRESERVE_GROUPS 0x8000
/* /*
* Used with set_perms() * Used with set_perms()
@@ -238,7 +239,8 @@ int pam_prep_user __P((struct passwd *));
void zero_bytes __P((volatile VOID *, size_t)); void zero_bytes __P((volatile VOID *, size_t));
int gettime __P((struct timespec *)); int gettime __P((struct timespec *));
FILE *open_sudoers __P((const char *, int *)); FILE *open_sudoers __P((const char *, int *));
void display_privs __P((struct passwd *)); void display_privs __P((struct passwd *));
int display_cmnd __P((struct passwd *));
void sudo_setpwent __P((void)); void sudo_setpwent __P((void));
void sudo_endpwent __P((void)); void sudo_endpwent __P((void));
void sudo_setgrent __P((void)); void sudo_setgrent __P((void));
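Review bot: The new prototype `int display_cmnd __P((struct passwd *));` gives no hint of its return convention, yet sudo.c passes the result straight to `exit()`. A comment next to the declaration would make that contract explicit, for example `/* returns 0 if the command is allowed, 1 if not; used as the exit status of "sudo -l command" */`. The block comment above the definition in parse.c describes what is printed but not the return value, so the same sentence would fit there as well.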


@@ -149,12 +149,14 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "November 11, 2004" "1.6.9" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "November 24, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo, sudoedit \- execute a command as another user sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
.IX Header "SYNOPSIS" .IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-l\fR | \fB\-v\fR \&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-v\fR
.PP
\&\fBsudo\fR [\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] \fB\-l\fR [\fIcommand\fR]
.PP .PP
\&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] \&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
@@ -239,6 +241,12 @@ still set to match the target user.
.IX Item "-S" .IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
the standard input instead of the terminal device. the standard input instead of the terminal device.
.IP "\-U" 4
.IX Item "-U"
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
option to specify the user whose privileges should be listed. Only
root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
option.
.IP "\-V" 4 .IP "\-V" 4
.IX Item "-V" .IX Item "-V"
The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
@@ -320,12 +328,15 @@ by setting the time on it to the epoch. The next time \fBsudo\fR is
run a password will be required. This option does not require a password run a password will be required. This option does not require a password
and was added to allow a user to revoke \fBsudo\fR permissions from a .logout and was added to allow a user to revoke \fBsudo\fR permissions from a .logout
file. file.
.IP "\-l" 4 .IP "\-l [\fIcommand\fR]" 4
.IX Item "-l" .IX Item "-l [command]"
The \fB\-l\fR (\fIlist\fR) option will list out the allowed (and forbidden) If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
commands for the user on the current host. If the \fB\-u\fR flag is the allowed (and forbidden) commands for the invoking user (or the
specified and the invoking user has \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host, user specified by the \fB\-U\fR option) on the current host. If a
the information listed will be for the user specified by the \fB\-u\fR flag. \&\fIcommand\fR is specified and is permitted by \fIsudoers\fR, the
fully-qualified path to the command is displayed along with any
command line arguments. If \fIcommand\fR is not allowed, \fBsudo\fR will
exit with a return value of 1.
.IP "\-p" 4 .IP "\-p" 4
.IX Item "-p" .IX Item "-p"
The \fB\-p\fR (\fIprompt\fR) option allows you to override the default The \fB\-p\fR (\fIprompt\fR) option allows you to override the default


@@ -27,7 +27,9 @@ sudo, sudoedit - execute a command as another user
=head1 SYNOPSIS =head1 SYNOPSIS
B<sudo> B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-l> | B<-v> B<sudo> B<-K> | B<-L> | B<-V> | B<-h> | B<-k> | B<-v>
B<sudo> S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> B<-l> [I<command>]
B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]> B<sudo> [B<-HPSb>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
@@ -122,6 +124,13 @@ still set to match the target user.
The B<-S> (I<stdin>) option causes B<sudo> to read the password from The B<-S> (I<stdin>) option causes B<sudo> to read the password from
the standard input instead of the terminal device. the standard input instead of the terminal device.
=item -U
The B<-U> (I<other user>) option is used in conjunction with the B<-l>
option to specify the user whose privileges should be listed. Only
root or a user with B<sudo> C<ALL> on the current host may use this
option.
=item -V =item -V
The B<-V> (I<version>) option causes B<sudo> to print the version The B<-V> (I<version>) option causes B<sudo> to print the version
@@ -217,12 +226,15 @@ run a password will be required. This option does not require a password
and was added to allow a user to revoke B<sudo> permissions from a .logout and was added to allow a user to revoke B<sudo> permissions from a .logout
file. file.
=item -l =item -l [I<command>]
The B<-l> (I<list>) option will list out the allowed (and forbidden) If no I<command> is specified, the B<-l> (I<list>) option will list
commands for the user on the current host. If the B<-u> flag is the allowed (and forbidden) commands for the invoking user (or the
specified and the invoking user has B<sudo> C<ALL> on the current host, user specified by the B<-U> option) on the current host. If a
the information listed will be for the user specified by the B<-u> flag. I<command> is specified and is permitted by I<sudoers>, the
fully-qualified path to the command is displayed along with any
command line arguments. If I<command> is not allowed, B<sudo> will
exit with a return value of 1.
=item -p =item -p