From eada918bbbf7819e45d84ede7b1ef213d1fffc8c Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 20 Dec 2022 09:09:25 -0700 Subject: [PATCH] Add [arg ...] after command in SYNOPSIS and usage output. Use Ar markup when referring to the command and args. --- docs/sudo.man.in | 475 ++++++++++++++++++++++++++++++-------------- docs/sudo.mdoc.in | 475 ++++++++++++++++++++++++++++++-------------- src/parse_args.c | 2 +- src/sudo_usage.h.in | 4 +- 4 files changed, 651 insertions(+), 305 deletions(-) diff --git a/docs/sudo.man.in b/docs/sudo.man.in index 3ff04aff8..4dd91544a 100644 --- a/docs/sudo.man.in +++ b/docs/sudo.man.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDO" "@mansectsu@" "December 12, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDO" "@mansectsu@" "December 20, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -58,7 +58,7 @@ [\fB\-p\fR\ \fIprompt\fR] [\fB\-U\fR\ \fIuser\fR] [\fB\-u\fR\ \fIuser\fR] -[\fIcommand\fR] +[\fIcommand\fR\ [\fIarg\ ...\fR]] .br .HP 5n \fBsudo\fR @@ -77,7 +77,7 @@ [\fB\-u\fR\ \fIuser\fR] [\fIVAR\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] -[\fIcommand\fR] +[\fIcommand\fR\ [\fIarg\ ...\fR]] .br .HP 9n \fBsudoedit\fR @@ -177,8 +177,9 @@ option (described below), is implied. Security policies and audit plugins may log successful and failed attempts to run \fBsudo\fR. -If an I/O plugin is configured, the running command's input and -output may be logged as well. +If an I/O plugin is configured, the running +\fIcommand\fR's +input and output may be logged as well. .PP The options are as follows: .TP 12n @@ -237,22 +238,27 @@ Ring the bell as part of the password prompt when a terminal is present. This option has no effect if an askpass program is used. .TP 12n \fB\-b\fR, \fB\--background\fR -Run the given command in the background. +Run the given +\fIcommand\fR +in the background. It is not possible to use shell job control to manipulate background processes started by \fBsudo\fR. -Most interactive commands will fail to work properly in background -mode. +Most interactive +\fIcommand\fRs +will fail to work properly in background mode. .TP 12n \fB\-C\fR \fInum\fR, \fB\--close-from\fR=\fInum\fR Close all file descriptors greater than or equal to \fInum\fR -before executing a command. +before executing a +\fIcommand\fR. Values less than three are not permitted. By default, \fBsudo\fR will close all open file descriptors other than standard input, -standard output, and standard error when executing a command. +standard output, and standard error when executing a +\fIcommand\fR. The security policy may restrict the user's ability to use this option. The \fIsudoers\fR @@ -264,8 +270,9 @@ option. .if \n(LC \{\ .TP 12n \fB\-c\fR \fIclass\fR, \fB\--login-class\fR=\fIclass\fR -Run the command with resource limits and scheduling priority of -the specified login +Run the +\fIcommand\fR +with resource limits and scheduling priority of the specified login \fIclass\fR. The \fIclass\fR @@ -279,10 +286,14 @@ If is \fB-\fR, the default login class of the target user will be used. -Otherwise, the command must be run as the superuser (user-ID 0), or +Otherwise, the +\fIcommand\fR +must be run as the superuser (user-ID 0), or \fBsudo\fR must be run from a shell that is already running as the superuser. -If the command is being run as a login shell, additional +If the +\fIcommand\fR +is being run as a login shell, additional \fI/etc/login.conf\fR settings, such as the umask and environment variables, will be applied, if present. @@ -292,7 +303,9 @@ login classes. .\} .TP 12n \fB\-D\fR \fIdirectory\fR, \fB\--chdir\fR=\fIdirectory\fR -Run the command in the specified +Run the +\fIcommand\fR +in the specified \fIdirectory\fR instead of the current working directory. The security policy may return an error if the user does not have @@ -313,7 +326,10 @@ permission to preserve the environment. This option may be specified multiple times. .TP 12n \fB\-e\fR, \fB\--edit\fR -Edit one or more files instead of running a command. +Edit one or more +\fIfile\fRs +instead of running a +\fIcommand\fR. In lieu of a path name, the string "sudoedit" is used when consulting the security policy. If the user is authorized by the policy, the following steps are @@ -371,7 +387,9 @@ not be edited unless that user is root (version 1.8.16 and higher). Users are never allowed to edit device special files. .sp If the specified file does not exist, it will be created. -Unlike most commands run by +Unlike most +\fIcommand\fRs +run by \fIsudo\fR, the editor is run with the invoking user's environment unmodified. If the temporary file becomes empty after editing, the user will @@ -384,7 +402,9 @@ file. .RE .TP 12n \fB\-g\fR \fIgroup\fR, \fB\--group\fR=\fIgroup\fR -Run the command with the primary group set to +Run the +\fIcommand\fR +with the primary group set to \fIgroup\fR instead of the primary group specified by the target user's password database entry. @@ -397,13 +417,17 @@ prefixed with the character (e.g., \(oq#0\(cq for GID 0). -When running a command as a GID, many shells require that the +When running a +\fIcommand\fR +as a GID, many shells require that the \(oq#\(cq be escaped with a backslash (\(oq\e\(cq). If no \fB\-u\fR -option is specified, the command will be run as the invoking user. +option is specified, the +\fIcommand\fR +will be run as the invoking user. In either case, the primary group will be set to \fIgroup\fR. The @@ -426,12 +450,16 @@ Depending on the policy, this may be the default behavior. Display a short help message to the standard output and exit. .TP 12n \fB\-h\fR \fIhost\fR, \fB\--host\fR=\fIhost\fR -Run the command on the specified +Run the +\fIcommand\fR +on the specified \fIhost\fR -if the security policy plugin supports remote commands. +if the security policy plugin supports remote +\fIcommand\fRs. The \fIsudoers\fR -plugin does not currently support running remote commands. +plugin does not currently support running remote +\fIcommand\fRs. This may also be used in conjunction with the \fB\-l\fR option to list a user's privileges for the remote host. @@ -445,25 +473,35 @@ This means that login-specific resource files such as or \fI.login\fR will be read by the shell. -If a command is specified, it is passed to the shell as a simple -command using the +If a +\fIcommand\fR +is specified, it is passed to the shell as a simple +\fIcommand\fR +using the \fB\-c\fR option. -The command and any arguments are concatenated, separated by spaces, -after escaping each character +The +\fIcommand\fR +and any +\fIarg\fRs +are concatenated, separated by spaces, after escaping each character (including white space) with a backslash (\(oq\e\(cq) except for alphanumerics, underscores, hyphens, and dollar signs. -If no command is specified, an interactive shell is executed. +If no +\fIcommand\fR +is specified, an interactive shell is executed. \fBsudo\fR attempts to change to that user's home directory before running the shell. -The command is run with an environment similar to the one -a user would receive at log in. -Most shells behave differently when a command is specified -as compared to an interactive session; consult the shell's manual +The +\fIcommand\fR +is run with an environment similar to the one a user would receive at log in. +Most shells behave differently when a +\fIcommand\fR +is specified as compared to an interactive session; consult the shell's manual for details. The \fICommand environment\fR @@ -471,7 +509,9 @@ section in the sudoers(@mansectform@) manual documents how the \fB\-i\fR -option affects the environment in which a command is run when the +option affects the environment in which a +\fIcommand\fR +is run when the \fIsudoers\fR policy is in use. .TP 12n @@ -479,12 +519,16 @@ policy is in use. Similar to the \fB\-k\fR option, except that it removes the user's cached credentials entirely -and may not be used in conjunction with a command or other option. +and may not be used in conjunction with a +\fIcommand\fR +or other option. This option does not require a password. Not all security policies support credential caching. .TP 12n \fB\-k\fR, \fB\--reset-timestamp\fR -When used without a command, invalidates the user's cached credentials. +When used without a +\fIcommand\fR, +invalidates the user's cached credentials. In other words, the next time \fBsudo\fR is run a password will be required. @@ -495,8 +539,9 @@ permissions from a \fI.logout\fR file. .sp -When used in conjunction with a command or an option that may require -a password, this option will cause +When used in conjunction with a +\fIcommand\fR +or an option that may require a password, this option will cause \fBsudo\fR to ignore the user's cached credentials. As a result, @@ -509,9 +554,8 @@ Not all security policies support credential caching. \fB\-l\fR, \fB\--list\fR If no \fIcommand\fR -is specified, -list the allowed (and forbidden) commands for the -invoking user (or the user specified by the +is specified, list the privileges for the invoking user (or the +user specified by the \fB\-U\fR option) on the current host. A longer list format is used if this option is specified multiple times @@ -520,8 +564,10 @@ and the security policy supports a verbose output format. If a \fIcommand\fR is specified and is permitted by the security policy, the fully-qualified -path to the command is displayed along with any command line -arguments. +path to the +\fIcommand\fR +is displayed along with any +\fIarg\fRs. If a \fIcommand\fR is specified but not allowed by the policy, @@ -535,7 +581,7 @@ Unlike the \fB\-k\fR flag, existing cached credentials are used if they are valid. To detect when the user's cached credentials are valid (or when no -authentication is required), the following command can be used: +authentication is required), the following can be used: .RS 18n sudo -Nnv .RE @@ -546,7 +592,9 @@ Not all security policies support credential caching. .TP 12n \fB\-n\fR, \fB\--non-interactive\fR Avoid prompting the user for input of any kind. -If a password is required for the command to run, +If a password is required for the +\fIcommand\fR +to run, \fBsudo\fR will display an error message and exit. .TP 12n @@ -592,8 +640,9 @@ flags in sudoers(@mansectform@)) .TP 4n \&%U -expanded to the login name of the user the command will be run as -(defaults to root unless the +expanded to the login name of the user the +\fIcommand\fR +will be run as (defaults to root unless the \fB\-u\fR option is also specified) .TP 4n @@ -623,14 +672,16 @@ Change to the specified root \fIdirectory\fR (see chroot(@mansectsu@)) -before running the command. +before running the +\fIcommand\fR. The security policy may return an error if the user does not have permission to specify the root directory. .if \n(SL \{\ .TP 12n \fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR -Run the command with an SELinux security context that includes -the specified +Run the +\fIcommand\fR +with an SELinux security context that includes the specified \fIrole\fR. .\} .TP 12n @@ -643,26 +694,34 @@ Run the shell specified by the \fRSHELL\fR environment variable if it is set or the shell specified by the invoking user's password database entry. -If a command is specified, it is passed to the shell as a simple -command using the +If a +\fIcommand\fR +is specified, it is passed to the shell as a simple command using the \fB\-c\fR option. -The command and any arguments are concatenated, separated by spaces, -after escaping each character +The +\fIcommand\fR +and any +\fIarg\fRs +are concatenated, separated by spaces, after escaping each character (including white space) with a backslash (\(oq\e\(cq) except for alphanumerics, underscores, hyphens, and dollar signs. -If no command is specified, an interactive shell is executed. -Most shells behave differently when a command is specified -as compared to an interactive session; consult the shell's manual +If no +\fIcommand\fR +is specified, an interactive shell is executed. +Most shells behave differently when a +\fIcommand\fR +is specified as compared to an interactive session; consult the shell's manual for details. .if \n(SL \{\ .TP 12n \fB\-t\fR \fItype\fR, \fB\--type\fR=\fItype\fR -Run the command with an SELinux security context that includes -the specified +Run the +\fIcommand\fR +with an SELinux security context that includes the specified \fItype\fR. If no \fItype\fR @@ -678,23 +737,29 @@ instead of for the invoking user. The security policy may restrict listing other users' privileges. When using the \fIsudoers\fR -policy, only root or a user with the ability to run any command as -either root or the specified +policy, only root or a user with the ability to run any +\fIcommand\fR +as either root or the specified \fIuser\fR on the current host may use this option. .TP 12n \fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR -Used to set a timeout for the command. -If the timeout expires before the command has exited, the -command will be terminated. -The security policy may restrict the ability to set command timeouts. +Used to set a timeout for the +\fIcommand\fR. +If the timeout expires before the +\fIcommand\fR +has exited, the +\fIcommand\fR +will be terminated. +The security policy may restrict the user's ability to set timeouts. The \fIsudoers\fR policy requires that user-specified timeouts be explicitly enabled. .TP 12n \fB\-u\fR \fIuser\fR, \fB\--user\fR=\fIuser\fR -Run the command as a user other than the default target user -(usually +Run the +\fIcommand\fR +as a user other than the default target user (usually \fIroot\fR). The \fIuser\fR @@ -705,7 +770,9 @@ prefixed with the character (e.g., \(oq#0\(cq for UID 0). -When running commands as a UID, many shells require that the +When running +\fIcommand\fRs as +a UID, many shells require that the \(oq#\(cq be escaped with a backslash (\(oq\e\(cq). @@ -724,7 +791,7 @@ Print the version string as well as the version string of any configured plugins. If the invoking user is already root, the \fB\-V\fR -option will display the arguments passed to configure when +option will display the options passed to configure when \fBsudo\fR was built; plugins may display additional information such as default options. @@ -736,15 +803,18 @@ For the \fIsudoers\fR plugin, this extends the \fBsudo\fR -timeout for another @timeout@ minutes by default, but does not run a command. +timeout for another @timeout@ minutes by default, but does not run a +\fIcommand\fR. Not all security policies support cached credentials. .TP 12n \fB\--\fR The \fB\--\fR -option indicates that +is used to delimit the end of the \fBsudo\fR -should stop processing command line arguments. +options. +Subsequent options are passed to the +\fIcommand\fR. .PP Options that take a value may only be specified once unless otherwise indicated in the description. @@ -753,25 +823,32 @@ scripts that invoke \fBsudo\fR with user-controlled input. .PP -Environment variables to be set for the command may also be passed -on the command line in the form of +Environment variables to be set for the +\fIcommand\fR +may also be passed as options to +\fBsudo\fR +in the form \fIVAR\fR=\fIvalue\fR, -e.g., +for example \fRLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR. -Variables passed on the command line are subject to restrictions +Environment variables may be subject to restrictions imposed by the security policy plugin. The \fIsudoers\fR -policy subjects variables passed on the command line to the same -restrictions as normal environment variables with one important -exception. +policy subjects environment variables passed as options to the same +restrictions as existing environment variables with one important +difference. If the \fIsetenv\fR option is set in \fIsudoers\fR, -the command to be run has the +the +\fIcommand\fR +to be run has the \fRSETENV\fR -tag set or the command matched is +tag set or the +\fIcommand\fR +matched is \fBALL\fR, the user may set variables that would otherwise be forbidden. See @@ -780,8 +857,10 @@ for more information. .SH "COMMAND EXECUTION" When \fBsudo\fR -executes a command, the security policy specifies the execution -environment for the command. +executes a +\fIcommand\fR, +the security policy specifies the execution environment for the +\fIcommand\fR. Typically, the real and effective user and group and IDs are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database @@ -835,7 +914,8 @@ scheduling priority (aka nice value) .SS "Process model" There are two distinct ways \fBsudo\fR -can run a command. +can run a +\fIcommand\fR. .PP If an I/O logging plugin is configured to log terminal I/O, or if the security policy explicitly requests it, a new pseudo-terminal @@ -853,26 +933,42 @@ controlling terminal, calls fork(2) again, sets up the execution environment as described above, and then uses the execve(2) -system call to run the command in the child process. +system call to run the +\fIcommand\fR +in the child process. The \fImonitor\fR exists to relay job control signals between the user's -terminal and the pty the command is being run in. -This makes it possible to suspend and resume the command normally. +terminal and the pty the +\fIcommand\fR +is being run in. +This makes it possible to suspend and resume the +\fIcommand\fR +normally. Without the -\fImonitor\fR, \fIthe command would be in what POSIX terms an\fR +\fImonitor\fR, +the +\fIcommand\fR +would be in what POSIX terms an \(lqorphaned process group\(rq and it would not receive any job control signals from the kernel. -When the command exits or is terminated by a signal, the +When the +\fIcommand\fR +exits or is terminated by a signal, the \fImonitor\fR -passes the command's exit status to the main +passes the +\fIcommand\fR's +exit status to the main \fBsudo\fR process and exits. -After receiving the command's exit status, the main +After receiving the +\fIcommand\fR's +exit status, the main \fBsudo\fR -process passes the command's exit status to the security policy's -close function, as well as the close function of any configured audit -plugin, and exits. +process passes the +\fIcommand\fR's +exit status to the security policy's close function, as well as the +close function of any configured audit plugin, and exits. .PP If no pty is used, \fBsudo\fR @@ -880,23 +976,31 @@ calls fork(2), sets up the execution environment as described above, and uses the execve(2) -system call to run the command in the child process. +system call to run the +\fIcommand\fR +in the child process. The main \fBsudo\fR -process waits until the command has completed, then passes the -command's exit status to the security policy's close function, as -well as the close function of any configured audit plugins, and exits. +process waits until the +\fIcommand\fR +has completed, then passes the +\fIcommand\fR's +exit status to the security policy's close function, as well as the +close function of any configured audit plugins, and exits. As a special case, if the policy plugin does not define a close function, \fBsudo\fR -will execute the command directly instead of calling +will execute the +\fIcommand\fR +directly instead of calling fork(2) first. The \fIsudoers\fR policy plugin will only define a close function when I/O logging is enabled, a pty is required, an SELinux role is specified, the -command has an associated timeout, or the +\fIcommand\fR +has an associated timeout, or the \fIpam_session\fR or \fIpam_setcred\fR @@ -909,41 +1013,57 @@ are enabled by default on systems using PAM. .PP On systems that use PAM, the security policy's close function is responsible for closing the PAM session. -It may also log the command's exit status. +It may also log the +\fIcommand\fR's +exit status. .SS "Signal handling" -When the command is run as a child of the +When the +\fIcommand\fR +is run as a child of the \fBsudo\fR process, \fBsudo\fR -will relay signals it receives to the command. +will relay signals it receives to the +\fIcommand\fR. The \fRSIGINT\fR and \fRSIGQUIT\fR -signals are only relayed when the command is being run in a new pty -or when the signal was sent by a user process, not the kernel. -This prevents the command from receiving +signals are only relayed when the +\fIcommand\fR +is being run in a new pty or when the signal was sent by a user +process, not the kernel. +This prevents the +\fIcommand\fR +from receiving \fRSIGINT\fR twice each time the user enters control-C. Some signals, such as \fRSIGSTOP\fR and \fRSIGKILL\fR, -cannot be caught and thus will not be relayed to the command. +cannot be caught and thus will not be relayed to the +\fIcommand\fR. As a general rule, \fRSIGTSTP\fR should be used instead of \fRSIGSTOP\fR -when you wish to suspend a command being run by +when you wish to suspend a +\fIcommand\fR +being run by \fBsudo\fR. .PP As a special case, \fBsudo\fR -will not relay signals that were sent by the command it is running. -This prevents the command from accidentally killing itself. +will not relay signals that were sent by the +\fIcommand\fR +it is running. +This prevents the +\fIcommand\fR +from accidentally killing itself. On some systems, the reboot(@mansectsu@) -command sends +utility sends \fRSIGTERM\fR to all non-system processes other than itself before rebooting the system. @@ -955,9 +1075,13 @@ signal it received back to reboot(@mansectsu@), which might then exit before the system was actually rebooted, leaving it in a half-dead state similar to single user mode. -Note, however, that this check only applies to the command run by +Note, however, that this check only applies to the +\fIcommand\fR +run by \fBsudo\fR -and not any other processes that the command may create. +and not any other processes that the +\fIcommand\fR +may create. As a result, running a script that calls reboot(@mansectsu@) or @@ -972,7 +1096,9 @@ are run using the \fBexec\fR() family of functions instead of \fBsystem\fR() -(which interposes a shell between the command and the calling process). +(which interposes a shell between the +\fIcommand\fR +and the calling process). .SS "Plugins" Plugins may be specified via \fIPlugin\fR @@ -1002,27 +1128,38 @@ manual for more information about the \fBsudo\fR plugin architecture. .SH "EXIT VALUE" -Upon successful execution of a command, the exit status from +Upon successful execution of a +\fIcommand\fR, +the exit status from \fBsudo\fR will be the exit status of the program that was executed. -If the command terminated due to receipt of a signal, +If the +\fIcommand\fR +terminated due to receipt of a signal, \fBsudo\fR -will send itself the same signal that terminated the command. +will send itself the same signal that terminated the +\fIcommand\fR. .PP If the \fB\-l\fR -option was specified without a command, +option was specified without a +\fIcommand\fR, \fBsudo\fR will exit with a value of 0 if the user is allowed to run \fBsudo\fR and they authenticated successfully (as required by the security policy). -If a command is specified with the +If a +\fIcommand\fR +is specified with the \fB\-l\fR -option, the exit value will only be 0 if the command is permitted by the -security policy, otherwise it will be 1. +option, the exit value will only be 0 if the +\fIcommand\fR +is permitted by the security policy, otherwise it will be 1. .PP If there is an authentication failure, a configuration/permission -problem, or if the given command cannot be executed, +problem, or if the given +\fIcommand\fR +cannot be executed, \fBsudo\fR exits with a value of 1. In the latter case, the error string is printed to the standard error. @@ -1046,12 +1183,15 @@ your is on a machine that is currently unreachable. .SH "SECURITY NOTES" \fBsudo\fR -tries to be safe when executing external commands. +tries to be safe when executing external +\fIcommand\fRs. .PP To prevent command spoofing, \fBsudo\fR checks "." and "" (both denoting current directory) last when -searching for a command in the user's +searching for a +\fIcommand\fR +in the user's \fRPATH\fR (if one or both are in the \fRPATH\fR). @@ -1068,27 +1208,43 @@ be granted \fBsudo\fR privileges to execute files that are writable by the user or that reside in a directory that is writable by the user. -If the user can modify or replace the command there is no way -to limit what additional commands they can run. +If the user can modify or replace the +\fIcommand\fR +there is no way to limit what additional +\fIcommand\fRs +they can run. .PP By default, \fBsudo\fR -will only log the command it explicitly runs. -If a user runs a command such as +will only log the +\fIcommand\fR +it explicitly runs. +If a user runs a +\fIcommand\fR +such as \(oqsudo su\(cq or \(oqsudo sh\(cq, -subsequent commands run from that shell are not subject to +subsequent +\fIcommand\fRs +run from that shell are not subject to \fBsudo\fR's security policy. -The same is true for commands that offer shell escapes (including -most editors). -If I/O logging is enabled, subsequent commands will have their input and/or -output logged, but there will not be traditional logs for those commands. -Because of this, care must be taken when giving users access to commands via +The same is true for +\fIcommand\fRs +that offer shell escapes (including most editors). +If I/O logging is enabled, subsequent +\fIcommand\fRs +will have their input and/or output logged, but there will not be +traditional logs for those +\fIcommand\fRs. +Because of this, care must be taken when giving users access to +\fIcommand\fRs +via \fBsudo\fR -to verify that the command does not inadvertently give the user an -effective root shell. +to verify that the +\fIcommand\fR +does not inadvertently give the user an effective root shell. For information on ways to address this, see the \fIPreventing shell escapes\fR section in @@ -1097,7 +1253,9 @@ sudoers(@mansectform@). To prevent the disclosure of potentially sensitive information, \fBsudo\fR disables core dumps by default while it is executing (they are -re-enabled for the command that is run). +re-enabled for the +\fIcommand\fR +that is run). This historical practice dates from a time when most operating systems allowed set-user-ID processes to dump core by default. To aid in debugging @@ -1120,7 +1278,8 @@ manual for more information. .SH "ENVIRONMENT" \fBsudo\fR utilizes the following environment variables. -The security policy has control over the actual content of the command's +The security policy has control over the actual content of the +\fIcommand\fR's environment. .TP 17n \fREDITOR\fR @@ -1202,9 +1361,13 @@ if no terminal is available or if the option is specified. .TP 17n \fRSUDO_COMMAND\fR -Set to the command run by sudo, including command line arguments. -The command line arguments are truncated at 4096 characters to -prevent a potential execution error. +Set to the +\fIcommand\fR +run by sudo, including any +\fIarg\fRs. +The +\fIarg\fRs +are truncated at 4096 characters to prevent a potential execution error. .TP 17n \fRSUDO_EDITOR\fR Default editor to use in @@ -1302,7 +1465,9 @@ $ sudo shutdown -r +15 "quick reboot" .fi .PP To make a usage listing of the directories in the /home partition. -The commands are run in a sub-shell to allow the +The +\fIcommands\fR +are run in a sub-shell to allow the \(oqcd\(cq command and file redirection to work. .nf @@ -1440,8 +1605,8 @@ The user did not enter a password before the password timeout Your user-ID does not appear in the system passwd database. .TP 6n \fRyou may not specify environment variables in edit mode\fR -It is only possible to specify environment variables when running -a command. +It is only possible to specify environment variables when running a +\fIcommand\fR. When editing a file, the editor is run with the user's environment unmodified. .SH "SEE ALSO" su(1), @@ -1475,9 +1640,12 @@ exhaustive list of people who have contributed to \fBsudo\fR. .SH "CAVEATS" There is no easy way to prevent a user from gaining a root shell -if that user is allowed to run arbitrary commands via +if that user is allowed to run arbitrary +\fIcommands\fR +via \fBsudo\fR. -Also, many programs (such as editors) allow the user to run commands +Also, many programs (such as editors) allow the user to run +\fIcommand\fRs via shell escapes, thus avoiding \fBsudo\fR's checks. @@ -1489,7 +1657,8 @@ functionality. .PP It is not meaningful to run the \(oqcd\(cq -command directly via sudo, e.g., +\fIcommand\fR +directly via sudo, e.g., .nf .sp .RS 4n @@ -1497,11 +1666,15 @@ $ sudo cd /usr/local/protected .RE .fi .PP -since when the command exits the parent process (your shell) will -still be the same. -See the -\fIEXAMPLES\fR -section for more information. +since when the +\fIcommand\fR +exits the parent process (your shell) will still be the same. +The +\fB\-D\fR +option can be used to run a +\fIcommand\fR +in a specific +\fIdirectory\fR. .PP Running shell scripts via \fBsudo\fR diff --git a/docs/sudo.mdoc.in b/docs/sudo.mdoc.in index ffde30b4d..405f6c437 100644 --- a/docs/sudo.mdoc.in +++ b/docs/sudo.mdoc.in @@ -24,7 +24,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.Dd December 12, 2022 +.Dd December 20, 2022 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -55,7 +55,7 @@ .Op Fl p Ar prompt .Op Fl U Ar user .Op Fl u Ar user -.Op Ar command +.Op Ar command Op Ar arg ... .Nm sudo .Op Fl ABbEHnPS .if \n(BA \{\ @@ -78,7 +78,7 @@ .Op Fl u Ar user .Op Ar VAR Ns = Ns Ar value .Op Fl i | s -.Op Ar command +.Op Ar command Op Ar arg ... .Nm sudoedit .Op Fl ABkNnS .if \n(BA \{\ @@ -181,8 +181,9 @@ option (described below), is implied. Security policies and audit plugins may log successful and failed attempts to run .Nm . -If an I/O plugin is configured, the running command's input and -output may be logged as well. +If an I/O plugin is configured, the running +.Ar command Ns 's +input and output may be logged as well. .Pp The options are as follows: .Bl -tag -width Fl @@ -233,21 +234,26 @@ authentication. Ring the bell as part of the password prompt when a terminal is present. This option has no effect if an askpass program is used. .It Fl b , -background -Run the given command in the background. +Run the given +.Ar command +in the background. It is not possible to use shell job control to manipulate background processes started by .Nm . -Most interactive commands will fail to work properly in background -mode. +Most interactive +.Ar command Ns s +will fail to work properly in background mode. .It Fl C Ar num , Fl -close-from Ns = Ns Ar num Close all file descriptors greater than or equal to .Ar num -before executing a command. +before executing a +.Ar command . Values less than three are not permitted. By default, .Nm will close all open file descriptors other than standard input, -standard output, and standard error when executing a command. +standard output, and standard error when executing a +.Ar command . The security policy may restrict the user's ability to use this option. The .Em sudoers @@ -258,8 +264,9 @@ option when the administrator has enabled the option. .if \n(LC \{\ .It Fl c Ar class , Fl -login-class Ns = Ns Ar class -Run the command with resource limits and scheduling priority of -the specified login +Run the +.Ar command +with resource limits and scheduling priority of the specified login .Ar class . The .Ar class @@ -273,10 +280,14 @@ If is .Cm - , the default login class of the target user will be used. -Otherwise, the command must be run as the superuser (user-ID 0), or +Otherwise, the +.Ar command +must be run as the superuser (user-ID 0), or .Nm must be run from a shell that is already running as the superuser. -If the command is being run as a login shell, additional +If the +.Ar command +is being run as a login shell, additional .Pa /etc/login.conf settings, such as the umask and environment variables, will be applied, if present. @@ -285,7 +296,9 @@ This option is only available on systems with login classes. .\} .It Fl D Ar directory , Fl -chdir Ns = Ns Ar directory -Run the command in the specified +Run the +.Ar command +in the specified .Ar directory instead of the current working directory. The security policy may return an error if the user does not have @@ -303,7 +316,10 @@ The security policy may return an error if the user does not have permission to preserve the environment. This option may be specified multiple times. .It Fl e , -edit -Edit one or more files instead of running a command. +Edit one or more +.Ar file Ns s +instead of running a +.Ar command . In lieu of a path name, the string "sudoedit" is used when consulting the security policy. If the user is authorized by the policy, the following steps are @@ -354,7 +370,9 @@ not be edited unless that user is root (version 1.8.16 and higher). Users are never allowed to edit device special files. .Pp If the specified file does not exist, it will be created. -Unlike most commands run by +Unlike most +.Ar command Ns s +run by .Em sudo , the editor is run with the invoking user's environment unmodified. If the temporary file becomes empty after editing, the user will @@ -365,7 +383,9 @@ is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file. .It Fl g Ar group , Fl -group Ns = Ns Ar group -Run the command with the primary group set to +Run the +.Ar command +with the primary group set to .Ar group instead of the primary group specified by the target user's password database entry. @@ -378,13 +398,17 @@ prefixed with the character (e.g., .Ql #0 for GID 0). -When running a command as a GID, many shells require that the +When running a +.Ar command +as a GID, many shells require that the .Ql # be escaped with a backslash .Pq Ql \e . If no .Fl u -option is specified, the command will be run as the invoking user. +option is specified, the +.Ar command +will be run as the invoking user. In either case, the primary group will be set to .Ar group . The @@ -404,12 +428,16 @@ Depending on the policy, this may be the default behavior. .It Fl h , -help Display a short help message to the standard output and exit. .It Fl h Ar host , Fl -host Ns = Ns Ar host -Run the command on the specified +Run the +.Ar command +on the specified .Ar host -if the security policy plugin supports remote commands. +if the security policy plugin supports remote +.Ar command Ns s. The .Em sudoers -plugin does not currently support running remote commands. +plugin does not currently support running remote +.Ar command Ns s. This may also be used in conjunction with the .Fl l option to list a user's privileges for the remote host. @@ -422,25 +450,35 @@ This means that login-specific resource files such as or .Pa .login will be read by the shell. -If a command is specified, it is passed to the shell as a simple -command using the +If a +.Ar command +is specified, it is passed to the shell as a simple +.Ar command +using the .Fl c option. -The command and any arguments are concatenated, separated by spaces, -after escaping each character +The +.Ar command +and any +.Ar arg Ns s +are concatenated, separated by spaces, after escaping each character .Pq including white space with a backslash .Pq Ql \e except for alphanumerics, underscores, hyphens, and dollar signs. -If no command is specified, an interactive shell is executed. +If no +.Ar command +is specified, an interactive shell is executed. .Nm attempts to change to that user's home directory before running the shell. -The command is run with an environment similar to the one -a user would receive at log in. -Most shells behave differently when a command is specified -as compared to an interactive session; consult the shell's manual +The +.Ar command +is run with an environment similar to the one a user would receive at log in. +Most shells behave differently when a +.Ar command +is specified as compared to an interactive session; consult the shell's manual for details. The .Em Command environment @@ -448,18 +486,24 @@ section in the .Xr sudoers @mansectform@ manual documents how the .Fl i -option affects the environment in which a command is run when the +option affects the environment in which a +.Ar command +is run when the .Em sudoers policy is in use. .It Fl K , -remove-timestamp Similar to the .Fl k option, except that it removes the user's cached credentials entirely -and may not be used in conjunction with a command or other option. +and may not be used in conjunction with a +.Ar command +or other option. This option does not require a password. Not all security policies support credential caching. .It Fl k , -reset-timestamp -When used without a command, invalidates the user's cached credentials. +When used without a +.Ar command , +invalidates the user's cached credentials. In other words, the next time .Nm is run a password will be required. @@ -470,8 +514,9 @@ permissions from a .Pa .logout file. .Pp -When used in conjunction with a command or an option that may require -a password, this option will cause +When used in conjunction with a +.Ar command +or an option that may require a password, this option will cause .Nm to ignore the user's cached credentials. As a result, @@ -483,9 +528,8 @@ Not all security policies support credential caching. .It Fl l , Fl -list If no .Ar command -is specified, -list the allowed (and forbidden) commands for the -invoking user (or the user specified by the +is specified, list the privileges for the invoking user (or the +user specified by the .Fl U option) on the current host. A longer list format is used if this option is specified multiple times @@ -494,8 +538,10 @@ and the security policy supports a verbose output format. If a .Ar command is specified and is permitted by the security policy, the fully-qualified -path to the command is displayed along with any command line -arguments. +path to the +.Ar command +is displayed along with any +.Ar arg Ns s. If a .Ar command is specified but not allowed by the policy, @@ -508,13 +554,15 @@ Unlike the .Fl k flag, existing cached credentials are used if they are valid. To detect when the user's cached credentials are valid (or when no -authentication is required), the following command can be used: +authentication is required), the following can be used: .Dl sudo -Nnv .Pp Not all security policies support credential caching. .It Fl n , -non-interactive Avoid prompting the user for input of any kind. -If a password is required for the command to run, +If a password is required for the +.Ar command +to run, .Nm will display an error message and exit. .It Fl P , -preserve-groups @@ -551,8 +599,9 @@ and flags in .Xr sudoers @mansectform@ ) .It \&%U -expanded to the login name of the user the command will be run as -(defaults to root unless the +expanded to the login name of the user the +.Ar command +will be run as (defaults to root unless the .Fl u option is also specified) .It %u @@ -579,13 +628,15 @@ Change to the specified root .Ar directory (see .Xr chroot @mansectsu@ ) -before running the command. +before running the +.Ar command . The security policy may return an error if the user does not have permission to specify the root directory. .if \n(SL \{\ .It Fl r Ar role , Fl -role Ns = Ns Ar role -Run the command with an SELinux security context that includes -the specified +Run the +.Ar command +with an SELinux security context that includes the specified .Ar role . .\} .It Fl S , -stdin @@ -596,25 +647,33 @@ Run the shell specified by the .Ev SHELL environment variable if it is set or the shell specified by the invoking user's password database entry. -If a command is specified, it is passed to the shell as a simple -command using the +If a +.Ar command +is specified, it is passed to the shell as a simple command using the .Fl c option. -The command and any arguments are concatenated, separated by spaces, -after escaping each character +The +.Ar command +and any +.Ar arg Ns s +are concatenated, separated by spaces, after escaping each character .Pq including white space with a backslash .Pq Ql \e except for alphanumerics, underscores, hyphens, and dollar signs. -If no command is specified, an interactive shell is executed. -Most shells behave differently when a command is specified -as compared to an interactive session; consult the shell's manual +If no +.Ar command +is specified, an interactive shell is executed. +Most shells behave differently when a +.Ar command +is specified as compared to an interactive session; consult the shell's manual for details. .if \n(SL \{\ .It Fl t Ar type , Fl -type Ns = Ns Ar type -Run the command with an SELinux security context that includes -the specified +Run the +.Ar command +with an SELinux security context that includes the specified .Ar type . If no .Ar type @@ -629,21 +688,27 @@ instead of for the invoking user. The security policy may restrict listing other users' privileges. When using the .Em sudoers -policy, only root or a user with the ability to run any command as -either root or the specified +policy, only root or a user with the ability to run any +.Ar command +as either root or the specified .Ar user on the current host may use this option. .It Fl T Ar timeout , Fl -command-timeout Ns = Ns Ar timeout -Used to set a timeout for the command. -If the timeout expires before the command has exited, the -command will be terminated. -The security policy may restrict the ability to set command timeouts. +Used to set a timeout for the +.Ar command . +If the timeout expires before the +.Ar command +has exited, the +.Ar command +will be terminated. +The security policy may restrict the user's ability to set timeouts. The .Em sudoers policy requires that user-specified timeouts be explicitly enabled. .It Fl u Ar user , Fl -user Ns = Ns Ar user -Run the command as a user other than the default target user -(usually +Run the +.Ar command +as a user other than the default target user (usually .Em root ) . The .Ar user @@ -654,7 +719,9 @@ prefixed with the character (e.g., .Ql #0 for UID 0). -When running commands as a UID, many shells require that the +When running +.Ar command Ns s as +a UID, many shells require that the .Ql # be escaped with a backslash .Pq Ql \e . @@ -672,7 +739,7 @@ Print the version string as well as the version string of any configured plugins. If the invoking user is already root, the .Fl V -option will display the arguments passed to configure when +option will display the options passed to configure when .Nm was built; plugins may display additional information such as default options. @@ -683,14 +750,17 @@ For the .Em sudoers plugin, this extends the .Nm -timeout for another @timeout@ minutes by default, but does not run a command. +timeout for another @timeout@ minutes by default, but does not run a +.Ar command . Not all security policies support cached credentials. .It Fl - The .Fl - -option indicates that +is used to delimit the end of the .Nm -should stop processing command line arguments. +options. +Subsequent options are passed to the +.Ar command . .El .Pp Options that take a value may only be specified once unless @@ -700,25 +770,32 @@ scripts that invoke .Nm sudo with user-controlled input. .Pp -Environment variables to be set for the command may also be passed -on the command line in the form of +Environment variables to be set for the +.Ar command +may also be passed as options to +.Nm +in the form .Ar VAR Ns = Ns Ar value , -e.g., +for example .Ev LD_LIBRARY_PATH Ns = Ns Pa /usr/local/pkg/lib . -Variables passed on the command line are subject to restrictions +Environment variables may be subject to restrictions imposed by the security policy plugin. The .Em sudoers -policy subjects variables passed on the command line to the same -restrictions as normal environment variables with one important -exception. +policy subjects environment variables passed as options to the same +restrictions as existing environment variables with one important +difference. If the .Em setenv option is set in .Em sudoers , -the command to be run has the +the +.Ar command +to be run has the .Dv SETENV -tag set or the command matched is +tag set or the +.Ar command +matched is .Sy ALL , the user may set variables that would otherwise be forbidden. See @@ -727,8 +804,10 @@ for more information. .Sh COMMAND EXECUTION When .Nm -executes a command, the security policy specifies the execution -environment for the command. +executes a +.Ar command , +the security policy specifies the execution environment for the +.Ar command . Typically, the real and effective user and group and IDs are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database @@ -771,7 +850,8 @@ scheduling priority (aka nice value) .Ss Process model There are two distinct ways .Nm -can run a command. +can run a +.Ar command . .Pp If an I/O logging plugin is configured to log terminal I/O, or if the security policy explicitly requests it, a new pseudo-terminal @@ -789,26 +869,42 @@ controlling terminal, calls .Xr fork 2 again, sets up the execution environment as described above, and then uses the .Xr execve 2 -system call to run the command in the child process. +system call to run the +.Ar command +in the child process. The .Em monitor exists to relay job control signals between the user's -terminal and the pty the command is being run in. -This makes it possible to suspend and resume the command normally. +terminal and the pty the +.Ar command +is being run in. +This makes it possible to suspend and resume the +.Ar command +normally. Without the -.Em monitor , the command would be in what POSIX terms an +.Em monitor , +the +.Ar command +would be in what POSIX terms an .Dq orphaned process group and it would not receive any job control signals from the kernel. -When the command exits or is terminated by a signal, the +When the +.Ar command +exits or is terminated by a signal, the .Em monitor -passes the command's exit status to the main +passes the +.Ar command Ns 's +exit status to the main .Nm process and exits. -After receiving the command's exit status, the main +After receiving the +.Ar command Ns 's +exit status, the main .Nm -process passes the command's exit status to the security policy's -close function, as well as the close function of any configured audit -plugin, and exits. +process passes the +.Ar command Ns 's +exit status to the security policy's close function, as well as the +close function of any configured audit plugin, and exits. .Pp If no pty is used, .Nm @@ -816,23 +912,31 @@ calls .Xr fork 2 , sets up the execution environment as described above, and uses the .Xr execve 2 -system call to run the command in the child process. +system call to run the +.Ar command +in the child process. The main .Nm -process waits until the command has completed, then passes the -command's exit status to the security policy's close function, as -well as the close function of any configured audit plugins, and exits. +process waits until the +.Ar command +has completed, then passes the +.Ar command Ns 's +exit status to the security policy's close function, as well as the +close function of any configured audit plugins, and exits. As a special case, if the policy plugin does not define a close function, .Nm -will execute the command directly instead of calling +will execute the +.Ar command +directly instead of calling .Xr fork 2 first. The .Em sudoers policy plugin will only define a close function when I/O logging is enabled, a pty is required, an SELinux role is specified, the -command has an associated timeout, or the +.Ar command +has an associated timeout, or the .Em pam_session or .Em pam_setcred @@ -845,41 +949,57 @@ are enabled by default on systems using PAM. .Pp On systems that use PAM, the security policy's close function is responsible for closing the PAM session. -It may also log the command's exit status. +It may also log the +.Ar command Ns 's +exit status. .Ss Signal handling -When the command is run as a child of the +When the +.Ar command +is run as a child of the .Nm process, .Nm -will relay signals it receives to the command. +will relay signals it receives to the +.Ar command . The .Dv SIGINT and .Dv SIGQUIT -signals are only relayed when the command is being run in a new pty -or when the signal was sent by a user process, not the kernel. -This prevents the command from receiving +signals are only relayed when the +.Ar command +is being run in a new pty or when the signal was sent by a user +process, not the kernel. +This prevents the +.Ar command +from receiving .Dv SIGINT twice each time the user enters control-C. Some signals, such as .Dv SIGSTOP and .Dv SIGKILL , -cannot be caught and thus will not be relayed to the command. +cannot be caught and thus will not be relayed to the +.Ar command . As a general rule, .Dv SIGTSTP should be used instead of .Dv SIGSTOP -when you wish to suspend a command being run by +when you wish to suspend a +.Ar command +being run by .Nm . .Pp As a special case, .Nm -will not relay signals that were sent by the command it is running. -This prevents the command from accidentally killing itself. +will not relay signals that were sent by the +.Ar command +it is running. +This prevents the +.Ar command +from accidentally killing itself. On some systems, the .Xr reboot @mansectsu@ -command sends +utility sends .Dv SIGTERM to all non-system processes other than itself before rebooting the system. @@ -891,9 +1011,13 @@ signal it received back to .Xr reboot @mansectsu@ , which might then exit before the system was actually rebooted, leaving it in a half-dead state similar to single user mode. -Note, however, that this check only applies to the command run by +Note, however, that this check only applies to the +.Ar command +run by .Nm -and not any other processes that the command may create. +and not any other processes that the +.Ar command +may create. As a result, running a script that calls .Xr reboot @mansectsu@ or @@ -908,7 +1032,9 @@ are run using the .Fn exec family of functions instead of .Fn system -(which interposes a shell between the command and the calling process). +(which interposes a shell between the +.Ar command +and the calling process). .Ss Plugins Plugins may be specified via .Em Plugin @@ -938,27 +1064,38 @@ manual for more information about the .Nm plugin architecture. .Sh EXIT VALUE -Upon successful execution of a command, the exit status from +Upon successful execution of a +.Ar command , +the exit status from .Nm will be the exit status of the program that was executed. -If the command terminated due to receipt of a signal, +If the +.Ar command +terminated due to receipt of a signal, .Nm -will send itself the same signal that terminated the command. +will send itself the same signal that terminated the +.Ar command . .Pp If the .Fl l -option was specified without a command, +option was specified without a +.Ar command , .Nm will exit with a value of 0 if the user is allowed to run .Nm and they authenticated successfully (as required by the security policy). -If a command is specified with the +If a +.Ar command +is specified with the .Fl l -option, the exit value will only be 0 if the command is permitted by the -security policy, otherwise it will be 1. +option, the exit value will only be 0 if the +.Ar command +is permitted by the security policy, otherwise it will be 1. .Pp If there is an authentication failure, a configuration/permission -problem, or if the given command cannot be executed, +problem, or if the given +.Ar command +cannot be executed, .Nm exits with a value of 1. In the latter case, the error string is printed to the standard error. @@ -982,12 +1119,15 @@ your is on a machine that is currently unreachable. .Sh SECURITY NOTES .Nm -tries to be safe when executing external commands. +tries to be safe when executing external +.Ar command Ns s. .Pp To prevent command spoofing, .Nm checks "." and "" (both denoting current directory) last when -searching for a command in the user's +searching for a +.Ar command +in the user's .Ev PATH (if one or both are in the .Ev PATH ) . @@ -1004,27 +1144,43 @@ be granted .Nm privileges to execute files that are writable by the user or that reside in a directory that is writable by the user. -If the user can modify or replace the command there is no way -to limit what additional commands they can run. +If the user can modify or replace the +.Ar command +there is no way to limit what additional +.Ar command Ns s +they can run. .Pp By default, .Nm -will only log the command it explicitly runs. -If a user runs a command such as +will only log the +.Ar command +it explicitly runs. +If a user runs a +.Ar command +such as .Ql sudo su or .Ql sudo sh , -subsequent commands run from that shell are not subject to +subsequent +.Ar command Ns s +run from that shell are not subject to .Nm sudo Ns 's security policy. -The same is true for commands that offer shell escapes (including -most editors). -If I/O logging is enabled, subsequent commands will have their input and/or -output logged, but there will not be traditional logs for those commands. -Because of this, care must be taken when giving users access to commands via +The same is true for +.Ar command Ns s +that offer shell escapes (including most editors). +If I/O logging is enabled, subsequent +.Ar command Ns s +will have their input and/or output logged, but there will not be +traditional logs for those +.Ar command Ns s. +Because of this, care must be taken when giving users access to +.Ar command Ns s +via .Nm -to verify that the command does not inadvertently give the user an -effective root shell. +to verify that the +.Ar command +does not inadvertently give the user an effective root shell. For information on ways to address this, see the .Em Preventing shell escapes section in @@ -1033,7 +1189,9 @@ section in To prevent the disclosure of potentially sensitive information, .Nm disables core dumps by default while it is executing (they are -re-enabled for the command that is run). +re-enabled for the +.Ar command +that is run). This historical practice dates from a time when most operating systems allowed set-user-ID processes to dump core by default. To aid in debugging @@ -1053,7 +1211,8 @@ manual for more information. .Sh ENVIRONMENT .Nm utilizes the following environment variables. -The security policy has control over the actual content of the command's +The security policy has control over the actual content of the +.Ar command Ns 's environment. .Bl -tag -width 15n .It Ev EDITOR @@ -1128,9 +1287,13 @@ if no terminal is available or if the .Fl A option is specified. .It Ev SUDO_COMMAND -Set to the command run by sudo, including command line arguments. -The command line arguments are truncated at 4096 characters to -prevent a potential execution error. +Set to the +.Ar command +run by sudo, including any +.Ar arg Ns s. +The +.Ar arg Ns s +are truncated at 4096 characters to prevent a potential execution error. .It Ev SUDO_EDITOR Default editor to use in .Fl e @@ -1204,7 +1367,9 @@ $ sudo shutdown -r +15 "quick reboot" .Ed .Pp To make a usage listing of the directories in the /home partition. -The commands are run in a sub-shell to allow the +The +.Ar commands +are run in a sub-shell to allow the .Ql cd command and file redirection to work. .Bd -literal -offset 4n @@ -1325,8 +1490,8 @@ The user did not enter a password before the password timeout .It Li you do not exist in the passwd database Your user-ID does not appear in the system passwd database. .It Li you may not specify environment variables in edit mode -It is only possible to specify environment variables when running -a command. +It is only possible to specify environment variables when running a +.Ar command . When editing a file, the editor is run with the user's environment unmodified. .El .Sh SEE ALSO @@ -1360,9 +1525,12 @@ exhaustive list of people who have contributed to .Nm . .Sh CAVEATS There is no easy way to prevent a user from gaining a root shell -if that user is allowed to run arbitrary commands via +if that user is allowed to run arbitrary +.Ar commands +via .Nm . -Also, many programs (such as editors) allow the user to run commands +Also, many programs (such as editors) allow the user to run +.Ar command Ns s via shell escapes, thus avoiding .Nm sudo Ns 's checks. @@ -1374,16 +1542,21 @@ functionality. .Pp It is not meaningful to run the .Ql cd -command directly via sudo, e.g., +.Ar command +directly via sudo, e.g., .Bd -literal -offset 4n $ sudo cd /usr/local/protected .Ed .Pp -since when the command exits the parent process (your shell) will -still be the same. -See the -.Sx EXAMPLES -section for more information. +since when the +.Ar command +exits the parent process (your shell) will still be the same. +The +.Fl D +option can be used to run a +.Ar command +in a specific +.Ar directory . .Pp Running shell scripts via .Nm diff --git a/src/parse_args.c b/src/parse_args.c index d5aed095c..414eed008 100644 --- a/src/parse_args.c +++ b/src/parse_args.c @@ -52,7 +52,7 @@ sudo_noreturn static void usage_excl(void); sudo_noreturn static void usage_excl_ticket(void); /* - * Mapping of command line flags to name/value settings. + * Mapping of command line options to name/value settings. * Do not reorder, indexes must match ARG_ defines in sudo.h. */ static struct sudo_settings sudo_settings[] = { diff --git a/src/sudo_usage.h.in b/src/sudo_usage.h.in index 9b85a8580..c020e24d4 100644 --- a/src/sudo_usage.h.in +++ b/src/sudo_usage.h.in @@ -27,8 +27,8 @@ #define SUDO_USAGE0 " -h | -V" #define SUDO_USAGE1 " -h | -K | -k | -V" #define SUDO_USAGE2 " -v [-ABkNnS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-u user]" -#define SUDO_USAGE3 " -l [-ABkNnS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-U user] [-u user] [command]" -#define SUDO_USAGE4 " [-ABbEHkNnPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] [-D directory] @LOGINCAP_USAGE@[-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i|-s] []" +#define SUDO_USAGE3 " -l [-ABkNnS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-U user] [-u user] [command [arg ...]]" +#define SUDO_USAGE4 " [-ABbEHkNnPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] [-D directory] @LOGINCAP_USAGE@[-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i | -s] [command [arg ...]]" #define SUDO_USAGE5 " -e [-ABkNnS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] @LOGINCAP_USAGE@[-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ..." /*