isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add [arg ...] after command in SYNOPSIS and usage output.

Browse Source 
Use Ar markup when referring to the command and args.
This commit is contained in:
Todd C. Miller
2022-12-20 09:09:25 -07:00
parent 9d5ed2f9ef
commit eada918bbb
4 changed files with 651 additions and 305 deletions
Download Patch File Download Diff File Expand all files Collapse all files

475
docs/sudo.man.in
View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDO" "@mansectsu@" "December 12, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO" "@mansectsu@" "December 20, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -58,7 +58,7 @@
[\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIuser\fR]
[\fB\-u\fR\ \fIuser\fR]
[\fIcommand\fR]
[\fIcommand\fR\ [\fIarg\ ...\fR]]
.br
.HP 5n
\fBsudo\fR
@@ -77,7 +77,7 @@
[\fB\-u\fR\ \fIuser\fR]
[\fIVAR\fR=\fIvalue\fR]
[\fB\-i\fR\ |\ \fB\-s\fR]
[\fIcommand\fR]
[\fIcommand\fR\ [\fIarg\ ...\fR]]
.br
.HP 9n
\fBsudoedit\fR
@@ -177,8 +177,9 @@ option (described below), is implied.
Security policies and audit plugins may log successful and failed attempts
to run
\fBsudo\fR.
If an I/O plugin is configured, the running command's input and
output may be logged as well.
If an I/O plugin is configured, the running
\fIcommand\fR's
input and output may be logged as well.
.PP
The options are as follows:
.TP 12n
@@ -237,22 +238,27 @@ Ring the bell as part of the password prompt when a terminal is present.
This option has no effect if an askpass program is used.
.TP 12n
\fB\-b\fR, \fB\--background\fR
Run the given command in the background.
Run the given
\fIcommand\fR
in the background.
It is not possible to use shell job control to manipulate background
processes started by
\fBsudo\fR.
Most interactive commands will fail to work properly in background
mode.
Most interactive
\fIcommand\fRs
will fail to work properly in background mode.
.TP 12n
\fB\-C\fR \fInum\fR, \fB\--close-from\fR=\fInum\fR
Close all file descriptors greater than or equal to
\fInum\fR
before executing a command.
before executing a
\fIcommand\fR.
Values less than three are not permitted.
By default,
\fBsudo\fR
will close all open file descriptors other than standard input,
standard output, and standard error when executing a command.
standard output, and standard error when executing a
\fIcommand\fR.
The security policy may restrict the user's ability to use this option.
The
\fIsudoers\fR
@@ -264,8 +270,9 @@ option.
.if \n(LC \{\
.TP 12n
\fB\-c\fR \fIclass\fR, \fB\--login-class\fR=\fIclass\fR
Run the command with resource limits and scheduling priority of
the specified login
Run the
\fIcommand\fR
with resource limits and scheduling priority of the specified login
\fIclass\fR.
The
\fIclass\fR
@@ -279,10 +286,14 @@ If
is
\fB-\fR,
the default login class of the target user will be used.
Otherwise, the command must be run as the superuser (user-ID 0), or
Otherwise, the
\fIcommand\fR
must be run as the superuser (user-ID 0), or
\fBsudo\fR
must be run from a shell that is already running as the superuser.
If the command is being run as a login shell, additional
If the
\fIcommand\fR
is being run as a login shell, additional
\fI/etc/login.conf\fR
settings, such as the umask and environment variables, will
be applied, if present.
@@ -292,7 +303,9 @@ login classes.
.\}
.TP 12n
\fB\-D\fR \fIdirectory\fR, \fB\--chdir\fR=\fIdirectory\fR
Run the command in the specified
Run the
\fIcommand\fR
in the specified
\fIdirectory\fR
instead of the current working directory.
The security policy may return an error if the user does not have
@@ -313,7 +326,10 @@ permission to preserve the environment.
This option may be specified multiple times.
.TP 12n
\fB\-e\fR, \fB\--edit\fR
Edit one or more files instead of running a command.
Edit one or more
\fIfile\fRs
instead of running a
\fIcommand\fR.
In lieu of a path name, the string "sudoedit" is used when consulting
the security policy.
If the user is authorized by the policy, the following steps are
@@ -371,7 +387,9 @@ not be edited unless that user is root (version 1.8.16 and higher).
Users are never allowed to edit device special files.
.sp
If the specified file does not exist, it will be created.
Unlike most commands run by
Unlike most
\fIcommand\fRs
run by
\fIsudo\fR,
the editor is run with the invoking user's environment unmodified.
If the temporary file becomes empty after editing, the user will
@@ -384,7 +402,9 @@ file.
.RE
.TP 12n
\fB\-g\fR \fIgroup\fR, \fB\--group\fR=\fIgroup\fR
Run the command with the primary group set to
Run the
\fIcommand\fR
with the primary group set to
\fIgroup\fR
instead of the primary group specified by the target
user's password database entry.
@@ -397,13 +417,17 @@ prefixed with the
character (e.g.,
\(oq#0\(cq
for GID 0).
When running a command as a GID, many shells require that the
When running a
\fIcommand\fR
as a GID, many shells require that the
\(oq#\(cq
be escaped with a backslash
(\(oq\e\(cq).
If no
\fB\-u\fR
option is specified, the command will be run as the invoking user.
option is specified, the
\fIcommand\fR
will be run as the invoking user.
In either case, the primary group will be set to
\fIgroup\fR.
The
@@ -426,12 +450,16 @@ Depending on the policy, this may be the default behavior.
Display a short help message to the standard output and exit.
.TP 12n
\fB\-h\fR \fIhost\fR, \fB\--host\fR=\fIhost\fR
Run the command on the specified
Run the
\fIcommand\fR
on the specified
\fIhost\fR
if the security policy plugin supports remote commands.
if the security policy plugin supports remote
\fIcommand\fRs.
The
\fIsudoers\fR
plugin does not currently support running remote commands.
plugin does not currently support running remote
\fIcommand\fRs.
This may also be used in conjunction with the
\fB\-l\fR
option to list a user's privileges for the remote host.
@@ -445,25 +473,35 @@ This means that login-specific resource files such as
or
\fI.login\fR
will be read by the shell.
If a command is specified, it is passed to the shell as a simple
command using the
If a
\fIcommand\fR
is specified, it is passed to the shell as a simple
\fIcommand\fR
using the
\fB\-c\fR
option.
The command and any arguments are concatenated, separated by spaces,
after escaping each character
The
\fIcommand\fR
and any
\fIarg\fRs
are concatenated, separated by spaces, after escaping each character
(including white space)
with a backslash
(\(oq\e\(cq)
except for alphanumerics, underscores,
hyphens, and dollar signs.
If no command is specified, an interactive shell is executed.
If no
\fIcommand\fR
is specified, an interactive shell is executed.
\fBsudo\fR
attempts to change to that user's home directory before running the
shell.
The command is run with an environment similar to the one
a user would receive at log in.
Most shells behave differently when a command is specified
as compared to an interactive session; consult the shell's manual
The
\fIcommand\fR
is run with an environment similar to the one a user would receive at log in.
Most shells behave differently when a
\fIcommand\fR
is specified as compared to an interactive session; consult the shell's manual
for details.
The
\fICommand environment\fR
@@ -471,7 +509,9 @@ section in the
sudoers(@mansectform@)
manual documents how the
\fB\-i\fR
option affects the environment in which a command is run when the
option affects the environment in which a
\fIcommand\fR
is run when the
\fIsudoers\fR
policy is in use.
.TP 12n
@@ -479,12 +519,16 @@ policy is in use.
Similar to the
\fB\-k\fR
option, except that it removes the user's cached credentials entirely
and may not be used in conjunction with a command or other option.
and may not be used in conjunction with a
\fIcommand\fR
or other option.
This option does not require a password.
Not all security policies support credential caching.
.TP 12n
\fB\-k\fR, \fB\--reset-timestamp\fR
When used without a command, invalidates the user's cached credentials.
When used without a
\fIcommand\fR,
invalidates the user's cached credentials.
In other words, the next time
\fBsudo\fR
is run a password will be required.
@@ -495,8 +539,9 @@ permissions from a
\fI.logout\fR
file.
.sp
When used in conjunction with a command or an option that may require
a password, this option will cause
When used in conjunction with a
\fIcommand\fR
or an option that may require a password, this option will cause
\fBsudo\fR
to ignore the user's cached credentials.
As a result,
@@ -509,9 +554,8 @@ Not all security policies support credential caching.
\fB\-l\fR, \fB\--list\fR
If no
\fIcommand\fR
is specified,
list the allowed (and forbidden) commands for the
invoking user (or the user specified by the
is specified, list the privileges for the invoking user (or the
user specified by the
\fB\-U\fR
option) on the current host.
A longer list format is used if this option is specified multiple times
@@ -520,8 +564,10 @@ and the security policy supports a verbose output format.
If a
\fIcommand\fR
is specified and is permitted by the security policy, the fully-qualified
path to the command is displayed along with any command line
arguments.
path to the
\fIcommand\fR
is displayed along with any
\fIarg\fRs.
If a
\fIcommand\fR
is specified but not allowed by the policy,
@@ -535,7 +581,7 @@ Unlike the
\fB\-k\fR
flag, existing cached credentials are used if they are valid.
To detect when the user's cached credentials are valid (or when no
authentication is required), the following command can be used:
authentication is required), the following can be used:
.RS 18n
sudo -Nnv
.RE
@@ -546,7 +592,9 @@ Not all security policies support credential caching.
.TP 12n
\fB\-n\fR, \fB\--non-interactive\fR
Avoid prompting the user for input of any kind.
If a password is required for the command to run,
If a password is required for the
\fIcommand\fR
to run,
\fBsudo\fR
will display an error message and exit.
.TP 12n
@@ -592,8 +640,9 @@ flags in
sudoers(@mansectform@))
.TP 4n
\&%U
expanded to the login name of the user the command will be run as
(defaults to root unless the
expanded to the login name of the user the
\fIcommand\fR
will be run as (defaults to root unless the
\fB\-u\fR
option is also specified)
.TP 4n
@@ -623,14 +672,16 @@ Change to the specified root
\fIdirectory\fR
(see
chroot(@mansectsu@))
before running the command.
before running the
\fIcommand\fR.
The security policy may return an error if the user does not have
permission to specify the root directory.
.if \n(SL \{\
.TP 12n
\fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR
Run the command with an SELinux security context that includes
the specified
Run the
\fIcommand\fR
with an SELinux security context that includes the specified
\fIrole\fR.
.\}
.TP 12n
@@ -643,26 +694,34 @@ Run the shell specified by the
\fRSHELL\fR
environment variable if it is set or the shell specified by the
invoking user's password database entry.
If a command is specified, it is passed to the shell as a simple
command using the
If a
\fIcommand\fR
is specified, it is passed to the shell as a simple command using the
\fB\-c\fR
option.
The command and any arguments are concatenated, separated by spaces,
after escaping each character
The
\fIcommand\fR
and any
\fIarg\fRs
are concatenated, separated by spaces, after escaping each character
(including white space)
with a backslash
(\(oq\e\(cq)
except for alphanumerics, underscores,
hyphens, and dollar signs.
If no command is specified, an interactive shell is executed.
Most shells behave differently when a command is specified
as compared to an interactive session; consult the shell's manual
If no
\fIcommand\fR
is specified, an interactive shell is executed.
Most shells behave differently when a
\fIcommand\fR
is specified as compared to an interactive session; consult the shell's manual
for details.
.if \n(SL \{\
.TP 12n
\fB\-t\fR \fItype\fR, \fB\--type\fR=\fItype\fR
Run the command with an SELinux security context that includes
the specified
Run the
\fIcommand\fR
with an SELinux security context that includes the specified
\fItype\fR.
If no
\fItype\fR
@@ -678,23 +737,29 @@ instead of for the invoking user.
The security policy may restrict listing other users' privileges.
When using the
\fIsudoers\fR
policy, only root or a user with the ability to run any command as
either root or the specified
policy, only root or a user with the ability to run any
\fIcommand\fR
as either root or the specified
\fIuser\fR
on the current host may use this option.
.TP 12n
\fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR
Used to set a timeout for the command.
If the timeout expires before the command has exited, the
command will be terminated.
The security policy may restrict the ability to set command timeouts.
Used to set a timeout for the
\fIcommand\fR.
If the timeout expires before the
\fIcommand\fR
has exited, the
\fIcommand\fR
will be terminated.
The security policy may restrict the user's ability to set timeouts.
The
\fIsudoers\fR
policy requires that user-specified timeouts be explicitly enabled.
.TP 12n
\fB\-u\fR \fIuser\fR, \fB\--user\fR=\fIuser\fR
Run the command as a user other than the default target user
(usually
Run the
\fIcommand\fR
as a user other than the default target user (usually
\fIroot\fR).
The
\fIuser\fR
@@ -705,7 +770,9 @@ prefixed with the
character (e.g.,
\(oq#0\(cq
for UID 0).
When running commands as a UID, many shells require that the
When running
\fIcommand\fRs as
a UID, many shells require that the
\(oq#\(cq
be escaped with a backslash
(\(oq\e\(cq).
@@ -724,7 +791,7 @@ Print the
version string as well as the version string of any configured plugins.
If the invoking user is already root, the
\fB\-V\fR
option will display the arguments passed to configure when
option will display the options passed to configure when
\fBsudo\fR
was built; plugins may display additional information such as
default options.
@@ -736,15 +803,18 @@ For the
\fIsudoers\fR
plugin, this extends the
\fBsudo\fR
timeout for another @timeout@ minutes by default, but does not run a command.
timeout for another @timeout@ minutes by default, but does not run a
\fIcommand\fR.
Not all security policies support cached credentials.
.TP 12n
\fB\--\fR
The
\fB\--\fR
option indicates that
is used to delimit the end of the
\fBsudo\fR
should stop processing command line arguments.
options.
Subsequent options are passed to the
\fIcommand\fR.
.PP
Options that take a value may only be specified once unless
otherwise indicated in the description.
@@ -753,25 +823,32 @@ scripts that invoke
\fBsudo\fR
with user-controlled input.
.PP
Environment variables to be set for the command may also be passed
on the command line in the form of
Environment variables to be set for the
\fIcommand\fR
may also be passed as options to
\fBsudo\fR
in the form
\fIVAR\fR=\fIvalue\fR,
e.g.,
for example
\fRLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR.
Variables passed on the command line are subject to restrictions
Environment variables may be subject to restrictions
imposed by the security policy plugin.
The
\fIsudoers\fR
policy subjects variables passed on the command line to the same
restrictions as normal environment variables with one important
exception.
policy subjects environment variables passed as options to the same
restrictions as existing environment variables with one important
difference.
If the
\fIsetenv\fR
option is set in
\fIsudoers\fR,
the command to be run has the
the
\fIcommand\fR
to be run has the
\fRSETENV\fR
tag set or the command matched is
tag set or the
\fIcommand\fR
matched is
\fBALL\fR,
the user may set variables that would otherwise be forbidden.
See
@@ -780,8 +857,10 @@ for more information.
.SH "COMMAND EXECUTION"
When
\fBsudo\fR
executes a command, the security policy specifies the execution
environment for the command.
executes a
\fIcommand\fR,
the security policy specifies the execution environment for the
\fIcommand\fR.
Typically, the real and effective user and group and IDs are set to
match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database
@@ -835,7 +914,8 @@ scheduling priority (aka nice value)
.SS "Process model"
There are two distinct ways
\fBsudo\fR
can run a command.
can run a
\fIcommand\fR.
.PP
If an I/O logging plugin is configured to log terminal I/O, or if
the security policy explicitly requests it, a new pseudo-terminal
@@ -853,26 +933,42 @@ controlling terminal, calls
fork(2)
again, sets up the execution environment as described above, and then uses the
execve(2)
system call to run the command in the child process.
system call to run the
\fIcommand\fR
in the child process.
The
\fImonitor\fR
exists to relay job control signals between the user's
terminal and the pty the command is being run in.
This makes it possible to suspend and resume the command normally.
terminal and the pty the
\fIcommand\fR
is being run in.
This makes it possible to suspend and resume the
\fIcommand\fR
normally.
Without the
\fImonitor\fR, \fIthe command would be in what POSIX terms an\fR
\fImonitor\fR,
the
\fIcommand\fR
would be in what POSIX terms an
\(lqorphaned process group\(rq
and it would not receive any job control signals from the kernel.
When the command exits or is terminated by a signal, the
When the
\fIcommand\fR
exits or is terminated by a signal, the
\fImonitor\fR
passes the command's exit status to the main
passes the
\fIcommand\fR's
exit status to the main
\fBsudo\fR
process and exits.
After receiving the command's exit status, the main
After receiving the
\fIcommand\fR's
exit status, the main
\fBsudo\fR
process passes the command's exit status to the security policy's
close function, as well as the close function of any configured audit
plugin, and exits.
process passes the
\fIcommand\fR's
exit status to the security policy's close function, as well as the
close function of any configured audit plugin, and exits.
.PP
If no pty is used,
\fBsudo\fR
@@ -880,23 +976,31 @@ calls
fork(2),
sets up the execution environment as described above, and uses the
execve(2)
system call to run the command in the child process.
system call to run the
\fIcommand\fR
in the child process.
The main
\fBsudo\fR
process waits until the command has completed, then passes the
command's exit status to the security policy's close function, as
well as the close function of any configured audit plugins, and exits.
process waits until the
\fIcommand\fR
has completed, then passes the
\fIcommand\fR's
exit status to the security policy's close function, as well as the
close function of any configured audit plugins, and exits.
As a special case, if the policy plugin does not define a close
function,
\fBsudo\fR
will execute the command directly instead of calling
will execute the
\fIcommand\fR
directly instead of calling
fork(2)
first.
The
\fIsudoers\fR
policy plugin will only define a close function when I/O logging
is enabled, a pty is required, an SELinux role is specified, the
command has an associated timeout, or the
\fIcommand\fR
has an associated timeout, or the
\fIpam_session\fR
or
\fIpam_setcred\fR
@@ -909,41 +1013,57 @@ are enabled by default on systems using PAM.
.PP
On systems that use PAM, the security policy's close function
is responsible for closing the PAM session.
It may also log the command's exit status.
It may also log the
\fIcommand\fR's
exit status.
.SS "Signal handling"
When the command is run as a child of the
When the
\fIcommand\fR
is run as a child of the
\fBsudo\fR
process,
\fBsudo\fR
will relay signals it receives to the command.
will relay signals it receives to the
\fIcommand\fR.
The
\fRSIGINT\fR
and
\fRSIGQUIT\fR
signals are only relayed when the command is being run in a new pty
or when the signal was sent by a user process, not the kernel.
This prevents the command from receiving
signals are only relayed when the
\fIcommand\fR
is being run in a new pty or when the signal was sent by a user
process, not the kernel.
This prevents the
\fIcommand\fR
from receiving
\fRSIGINT\fR
twice each time the user enters control-C.
Some signals, such as
\fRSIGSTOP\fR
and
\fRSIGKILL\fR,
cannot be caught and thus will not be relayed to the command.
cannot be caught and thus will not be relayed to the
\fIcommand\fR.
As a general rule,
\fRSIGTSTP\fR
should be used instead of
\fRSIGSTOP\fR
when you wish to suspend a command being run by
when you wish to suspend a
\fIcommand\fR
being run by
\fBsudo\fR.
.PP
As a special case,
\fBsudo\fR
will not relay signals that were sent by the command it is running.
This prevents the command from accidentally killing itself.
will not relay signals that were sent by the
\fIcommand\fR
it is running.
This prevents the
\fIcommand\fR
from accidentally killing itself.
On some systems, the
reboot(@mansectsu@)
command sends
utility sends
\fRSIGTERM\fR
to all non-system processes other than itself before rebooting
the system.
@@ -955,9 +1075,13 @@ signal it received back to
reboot(@mansectsu@),
which might then exit before the system was actually rebooted,
leaving it in a half-dead state similar to single user mode.
Note, however, that this check only applies to the command run by
Note, however, that this check only applies to the
\fIcommand\fR
run by
\fBsudo\fR
and not any other processes that the command may create.
and not any other processes that the
\fIcommand\fR
may create.
As a result, running a script that calls
reboot(@mansectsu@)
or
@@ -972,7 +1096,9 @@ are run using the
\fBexec\fR()
family of functions instead of
\fBsystem\fR()
(which interposes a shell between the command and the calling process).
(which interposes a shell between the
\fIcommand\fR
and the calling process).
.SS "Plugins"
Plugins may be specified via
\fIPlugin\fR
@@ -1002,27 +1128,38 @@ manual for more information about the
\fBsudo\fR
plugin architecture.
.SH "EXIT VALUE"
Upon successful execution of a command, the exit status from
Upon successful execution of a
\fIcommand\fR,
the exit status from
\fBsudo\fR
will be the exit status of the program that was executed.
If the command terminated due to receipt of a signal,
If the
\fIcommand\fR
terminated due to receipt of a signal,
\fBsudo\fR
will send itself the same signal that terminated the command.
will send itself the same signal that terminated the
\fIcommand\fR.
.PP
If the
\fB\-l\fR
option was specified without a command,
option was specified without a
\fIcommand\fR,
\fBsudo\fR
will exit with a value of 0 if the user is allowed to run
\fBsudo\fR
and they authenticated successfully (as required by the security policy).
If a command is specified with the
If a
\fIcommand\fR
is specified with the
\fB\-l\fR
option, the exit value will only be 0 if the command is permitted by the
security policy, otherwise it will be 1.
option, the exit value will only be 0 if the
\fIcommand\fR
is permitted by the security policy, otherwise it will be 1.
.PP
If there is an authentication failure, a configuration/permission
problem, or if the given command cannot be executed,
problem, or if the given
\fIcommand\fR
cannot be executed,
\fBsudo\fR
exits with a value of 1.
In the latter case, the error string is printed to the standard error.
@@ -1046,12 +1183,15 @@ your
is on a machine that is currently unreachable.
.SH "SECURITY NOTES"
\fBsudo\fR
tries to be safe when executing external commands.
tries to be safe when executing external
\fIcommand\fRs.
.PP
To prevent command spoofing,
\fBsudo\fR
checks "." and "" (both denoting current directory) last when
searching for a command in the user's
searching for a
\fIcommand\fR
in the user's
\fRPATH\fR
(if one or both are in the
\fRPATH\fR).
@@ -1068,27 +1208,43 @@ be granted
\fBsudo\fR
privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way
to limit what additional commands they can run.
If the user can modify or replace the
\fIcommand\fR
there is no way to limit what additional
\fIcommand\fRs
they can run.
.PP
By default,
\fBsudo\fR
will only log the command it explicitly runs.
If a user runs a command such as
will only log the
\fIcommand\fR
it explicitly runs.
If a user runs a
\fIcommand\fR
such as
\(oqsudo su\(cq
or
\(oqsudo sh\(cq,
subsequent commands run from that shell are not subject to
subsequent
\fIcommand\fRs
run from that shell are not subject to
\fBsudo\fR's
security policy.
The same is true for commands that offer shell escapes (including
most editors).
If I/O logging is enabled, subsequent commands will have their input and/or
output logged, but there will not be traditional logs for those commands.
Because of this, care must be taken when giving users access to commands via
The same is true for
\fIcommand\fRs
that offer shell escapes (including most editors).
If I/O logging is enabled, subsequent
\fIcommand\fRs
will have their input and/or output logged, but there will not be
traditional logs for those
\fIcommand\fRs.
Because of this, care must be taken when giving users access to
\fIcommand\fRs
via
\fBsudo\fR
to verify that the command does not inadvertently give the user an
effective root shell.
to verify that the
\fIcommand\fR
does not inadvertently give the user an effective root shell.
For information on ways to address this, see the
\fIPreventing shell escapes\fR
section in
@@ -1097,7 +1253,9 @@ sudoers(@mansectform@).
To prevent the disclosure of potentially sensitive information,
\fBsudo\fR
disables core dumps by default while it is executing (they are
re-enabled for the command that is run).
re-enabled for the
\fIcommand\fR
that is run).
This historical practice dates from a time when most operating
systems allowed set-user-ID processes to dump core by default.
To aid in debugging
@@ -1120,7 +1278,8 @@ manual for more information.
.SH "ENVIRONMENT"
\fBsudo\fR
utilizes the following environment variables.
The security policy has control over the actual content of the command's
The security policy has control over the actual content of the
\fIcommand\fR's
environment.
.TP 17n
\fREDITOR\fR
@@ -1202,9 +1361,13 @@ if no terminal is available or if the
option is specified.
.TP 17n
\fRSUDO_COMMAND\fR
Set to the command run by sudo, including command line arguments.
The command line arguments are truncated at 4096 characters to
prevent a potential execution error.
Set to the
\fIcommand\fR
run by sudo, including any
\fIarg\fRs.
The
\fIarg\fRs
are truncated at 4096 characters to prevent a potential execution error.
.TP 17n
\fRSUDO_EDITOR\fR
Default editor to use in
@@ -1302,7 +1465,9 @@ $ sudo shutdown -r +15 "quick reboot"
.fi
.PP
To make a usage listing of the directories in the /home partition.
The commands are run in a sub-shell to allow the
The
\fIcommands\fR
are run in a sub-shell to allow the
\(oqcd\(cq
command and file redirection to work.
.nf
@@ -1440,8 +1605,8 @@ The user did not enter a password before the password timeout
Your user-ID does not appear in the system passwd database.
.TP 6n
\fRyou may not specify environment variables in edit mode\fR
It is only possible to specify environment variables when running
a command.
It is only possible to specify environment variables when running a
\fIcommand\fR.
When editing a file, the editor is run with the user's environment unmodified.
.SH "SEE ALSO"
su(1),
@@ -1475,9 +1640,12 @@ exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "CAVEATS"
There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via
if that user is allowed to run arbitrary
\fIcommands\fR
via
\fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands
Also, many programs (such as editors) allow the user to run
\fIcommand\fRs
via shell escapes, thus avoiding
\fBsudo\fR's
checks.
@@ -1489,7 +1657,8 @@ functionality.
.PP
It is not meaningful to run the
\(oqcd\(cq
command directly via sudo, e.g.,
\fIcommand\fR
directly via sudo, e.g.,
.nf
.sp
.RS 4n
@@ -1497,11 +1666,15 @@ $ sudo cd /usr/local/protected
.RE
.fi
.PP
since when the command exits the parent process (your shell) will
still be the same.
See the
\fIEXAMPLES\fR
section for more information.
since when the
\fIcommand\fR
exits the parent process (your shell) will still be the same.
The
\fB\-D\fR
option can be used to run a
\fIcommand\fR
in a specific
\fIdirectory\fR.
.PP
Running shell scripts via
\fBsudo\fR