isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add [arg ...] after command in SYNOPSIS and usage output.

Browse Source 
Use Ar markup when referring to the command and args.
This commit is contained in:
Todd C. Miller
2022-12-20 09:09:25 -07:00
parent 9d5ed2f9ef
commit eada918bbb
4 changed files with 651 additions and 305 deletions
Download Patch File Download Diff File Expand all files Collapse all files

475
docs/sudo.man.in
View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDO" "@mansectsu@" "December 12, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDO" "@mansectsu@" "December 20, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -58,7 +58,7 @@
[\fB\-p\fR\ \fIprompt\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIuser\fR] [\fB\-U\fR\ \fIuser\fR]
[\fB\-u\fR\ \fIuser\fR] [\fB\-u\fR\ \fIuser\fR]
[\fIcommand\fR] [\fIcommand\fR\ [\fIarg\ ...\fR]]
.br .br
.HP 5n .HP 5n
\fBsudo\fR \fBsudo\fR
@@ -77,7 +77,7 @@
[\fB\-u\fR\ \fIuser\fR] [\fB\-u\fR\ \fIuser\fR]
[\fIVAR\fR=\fIvalue\fR] [\fIVAR\fR=\fIvalue\fR]
[\fB\-i\fR\ |\ \fB\-s\fR] [\fB\-i\fR\ |\ \fB\-s\fR]
[\fIcommand\fR] [\fIcommand\fR\ [\fIarg\ ...\fR]]
.br .br
.HP 9n .HP 9n
\fBsudoedit\fR \fBsudoedit\fR
@@ -177,8 +177,9 @@ option (described below), is implied.
Security policies and audit plugins may log successful and failed attempts Security policies and audit plugins may log successful and failed attempts
to run to run
\fBsudo\fR. \fBsudo\fR.
If an I/O plugin is configured, the running command's input and If an I/O plugin is configured, the running
output may be logged as well. \fIcommand\fR's
input and output may be logged as well.
.PP .PP
The options are as follows: The options are as follows:
.TP 12n .TP 12n
@@ -237,22 +238,27 @@ Ring the bell as part of the password prompt when a terminal is present.
This option has no effect if an askpass program is used. This option has no effect if an askpass program is used.
.TP 12n .TP 12n
\fB\-b\fR, \fB\--background\fR \fB\-b\fR, \fB\--background\fR
Run the given command in the background. Run the given
\fIcommand\fR
in the background.
It is not possible to use shell job control to manipulate background It is not possible to use shell job control to manipulate background
processes started by processes started by
\fBsudo\fR. \fBsudo\fR.
Most interactive commands will fail to work properly in background Most interactive
mode. \fIcommand\fRs
will fail to work properly in background mode.
.TP 12n .TP 12n
\fB\-C\fR \fInum\fR, \fB\--close-from\fR=\fInum\fR \fB\-C\fR \fInum\fR, \fB\--close-from\fR=\fInum\fR
Close all file descriptors greater than or equal to Close all file descriptors greater than or equal to
\fInum\fR \fInum\fR
before executing a command. before executing a
\fIcommand\fR.
Values less than three are not permitted. Values less than three are not permitted.
By default, By default,
\fBsudo\fR \fBsudo\fR
will close all open file descriptors other than standard input, will close all open file descriptors other than standard input,
standard output, and standard error when executing a command. standard output, and standard error when executing a
\fIcommand\fR.
The security policy may restrict the user's ability to use this option. The security policy may restrict the user's ability to use this option.
The The
\fIsudoers\fR \fIsudoers\fR
@@ -264,8 +270,9 @@ option.
.if \n(LC \{\ .if \n(LC \{\
.TP 12n .TP 12n
\fB\-c\fR \fIclass\fR, \fB\--login-class\fR=\fIclass\fR \fB\-c\fR \fIclass\fR, \fB\--login-class\fR=\fIclass\fR
Run the command with resource limits and scheduling priority of Run the
the specified login \fIcommand\fR
with resource limits and scheduling priority of the specified login
\fIclass\fR. \fIclass\fR.
The The
\fIclass\fR \fIclass\fR
@@ -279,10 +286,14 @@ If
is is
\fB-\fR, \fB-\fR,
the default login class of the target user will be used. the default login class of the target user will be used.
Otherwise, the command must be run as the superuser (user-ID 0), or Otherwise, the
\fIcommand\fR
must be run as the superuser (user-ID 0), or
\fBsudo\fR \fBsudo\fR
must be run from a shell that is already running as the superuser. must be run from a shell that is already running as the superuser.
If the command is being run as a login shell, additional If the
\fIcommand\fR
is being run as a login shell, additional
\fI/etc/login.conf\fR \fI/etc/login.conf\fR
settings, such as the umask and environment variables, will settings, such as the umask and environment variables, will
be applied, if present. be applied, if present.
@@ -292,7 +303,9 @@ login classes.
.\} .\}
.TP 12n .TP 12n
\fB\-D\fR \fIdirectory\fR, \fB\--chdir\fR=\fIdirectory\fR \fB\-D\fR \fIdirectory\fR, \fB\--chdir\fR=\fIdirectory\fR
Run the command in the specified Run the
\fIcommand\fR
in the specified
\fIdirectory\fR \fIdirectory\fR
instead of the current working directory. instead of the current working directory.
The security policy may return an error if the user does not have The security policy may return an error if the user does not have
@@ -313,7 +326,10 @@ permission to preserve the environment.
This option may be specified multiple times. This option may be specified multiple times.
.TP 12n .TP 12n
\fB\-e\fR, \fB\--edit\fR \fB\-e\fR, \fB\--edit\fR
Edit one or more files instead of running a command. Edit one or more
\fIfile\fRs
instead of running a
\fIcommand\fR.
In lieu of a path name, the string "sudoedit" is used when consulting In lieu of a path name, the string "sudoedit" is used when consulting
the security policy. the security policy.
If the user is authorized by the policy, the following steps are If the user is authorized by the policy, the following steps are
@@ -371,7 +387,9 @@ not be edited unless that user is root (version 1.8.16 and higher).
Users are never allowed to edit device special files. Users are never allowed to edit device special files.
.sp .sp
If the specified file does not exist, it will be created. If the specified file does not exist, it will be created.
Unlike most commands run by Unlike most
\fIcommand\fRs
run by
\fIsudo\fR, \fIsudo\fR,
the editor is run with the invoking user's environment unmodified. the editor is run with the invoking user's environment unmodified.
If the temporary file becomes empty after editing, the user will If the temporary file becomes empty after editing, the user will
@@ -384,7 +402,9 @@ file.
.RE .RE
.TP 12n .TP 12n
\fB\-g\fR \fIgroup\fR, \fB\--group\fR=\fIgroup\fR \fB\-g\fR \fIgroup\fR, \fB\--group\fR=\fIgroup\fR
Run the command with the primary group set to Run the
\fIcommand\fR
with the primary group set to
\fIgroup\fR \fIgroup\fR
instead of the primary group specified by the target instead of the primary group specified by the target
user's password database entry. user's password database entry.
@@ -397,13 +417,17 @@ prefixed with the
character (e.g., character (e.g.,
\(oq#0\(cq \(oq#0\(cq
for GID 0). for GID 0).
When running a command as a GID, many shells require that the When running a
\fIcommand\fR
as a GID, many shells require that the
\(oq#\(cq \(oq#\(cq
be escaped with a backslash be escaped with a backslash
(\(oq\e\(cq). (\(oq\e\(cq).
If no If no
\fB\-u\fR \fB\-u\fR
option is specified, the command will be run as the invoking user. option is specified, the
\fIcommand\fR
will be run as the invoking user.
In either case, the primary group will be set to In either case, the primary group will be set to
\fIgroup\fR. \fIgroup\fR.
The The
@@ -426,12 +450,16 @@ Depending on the policy, this may be the default behavior.
Display a short help message to the standard output and exit. Display a short help message to the standard output and exit.
.TP 12n .TP 12n
\fB\-h\fR \fIhost\fR, \fB\--host\fR=\fIhost\fR \fB\-h\fR \fIhost\fR, \fB\--host\fR=\fIhost\fR
Run the command on the specified Run the
\fIcommand\fR
on the specified
\fIhost\fR \fIhost\fR
if the security policy plugin supports remote commands. if the security policy plugin supports remote
\fIcommand\fRs.
The The
\fIsudoers\fR \fIsudoers\fR
plugin does not currently support running remote commands. plugin does not currently support running remote
\fIcommand\fRs.
This may also be used in conjunction with the This may also be used in conjunction with the
\fB\-l\fR \fB\-l\fR
option to list a user's privileges for the remote host. option to list a user's privileges for the remote host.
@@ -445,25 +473,35 @@ This means that login-specific resource files such as
or or
\fI.login\fR \fI.login\fR
will be read by the shell. will be read by the shell.
If a command is specified, it is passed to the shell as a simple If a
command using the \fIcommand\fR
is specified, it is passed to the shell as a simple
\fIcommand\fR
using the
\fB\-c\fR \fB\-c\fR
option. option.
The command and any arguments are concatenated, separated by spaces, The
after escaping each character \fIcommand\fR
and any
\fIarg\fRs
are concatenated, separated by spaces, after escaping each character
(including white space) (including white space)
with a backslash with a backslash
(\(oq\e\(cq) (\(oq\e\(cq)
except for alphanumerics, underscores, except for alphanumerics, underscores,
hyphens, and dollar signs. hyphens, and dollar signs.
If no command is specified, an interactive shell is executed. If no
\fIcommand\fR
is specified, an interactive shell is executed.
\fBsudo\fR \fBsudo\fR
attempts to change to that user's home directory before running the attempts to change to that user's home directory before running the
shell. shell.
The command is run with an environment similar to the one The
a user would receive at log in. \fIcommand\fR
Most shells behave differently when a command is specified is run with an environment similar to the one a user would receive at log in.
as compared to an interactive session; consult the shell's manual Most shells behave differently when a
\fIcommand\fR
is specified as compared to an interactive session; consult the shell's manual
for details. for details.
The The
\fICommand environment\fR \fICommand environment\fR
@@ -471,7 +509,9 @@ section in the
sudoers(@mansectform@) sudoers(@mansectform@)
manual documents how the manual documents how the
\fB\-i\fR \fB\-i\fR
option affects the environment in which a command is run when the option affects the environment in which a
\fIcommand\fR
is run when the
\fIsudoers\fR \fIsudoers\fR
policy is in use. policy is in use.
.TP 12n .TP 12n
@@ -479,12 +519,16 @@ policy is in use.
Similar to the Similar to the
\fB\-k\fR \fB\-k\fR
option, except that it removes the user's cached credentials entirely option, except that it removes the user's cached credentials entirely
and may not be used in conjunction with a command or other option. and may not be used in conjunction with a
\fIcommand\fR
or other option.
This option does not require a password. This option does not require a password.
Not all security policies support credential caching. Not all security policies support credential caching.
.TP 12n .TP 12n
\fB\-k\fR, \fB\--reset-timestamp\fR \fB\-k\fR, \fB\--reset-timestamp\fR
When used without a command, invalidates the user's cached credentials. When used without a
\fIcommand\fR,
invalidates the user's cached credentials.
In other words, the next time In other words, the next time
\fBsudo\fR \fBsudo\fR
is run a password will be required. is run a password will be required.
@@ -495,8 +539,9 @@ permissions from a
\fI.logout\fR \fI.logout\fR
file. file.
.sp .sp
When used in conjunction with a command or an option that may require When used in conjunction with a
a password, this option will cause \fIcommand\fR
or an option that may require a password, this option will cause
\fBsudo\fR \fBsudo\fR
to ignore the user's cached credentials. to ignore the user's cached credentials.
As a result, As a result,
@@ -509,9 +554,8 @@ Not all security policies support credential caching.
\fB\-l\fR, \fB\--list\fR \fB\-l\fR, \fB\--list\fR
If no If no
\fIcommand\fR \fIcommand\fR
is specified, is specified, list the privileges for the invoking user (or the
list the allowed (and forbidden) commands for the user specified by the
invoking user (or the user specified by the
\fB\-U\fR \fB\-U\fR
option) on the current host. option) on the current host.
A longer list format is used if this option is specified multiple times A longer list format is used if this option is specified multiple times
@@ -520,8 +564,10 @@ and the security policy supports a verbose output format.
If a If a
\fIcommand\fR \fIcommand\fR
is specified and is permitted by the security policy, the fully-qualified is specified and is permitted by the security policy, the fully-qualified
path to the command is displayed along with any command line path to the
arguments. \fIcommand\fR
is displayed along with any
\fIarg\fRs.
If a If a
\fIcommand\fR \fIcommand\fR
is specified but not allowed by the policy, is specified but not allowed by the policy,
@@ -535,7 +581,7 @@ Unlike the
\fB\-k\fR \fB\-k\fR
flag, existing cached credentials are used if they are valid. flag, existing cached credentials are used if they are valid.
To detect when the user's cached credentials are valid (or when no To detect when the user's cached credentials are valid (or when no
authentication is required), the following command can be used: authentication is required), the following can be used:
.RS 18n .RS 18n
sudo -Nnv sudo -Nnv
.RE .RE
@@ -546,7 +592,9 @@ Not all security policies support credential caching.
.TP 12n .TP 12n
\fB\-n\fR, \fB\--non-interactive\fR \fB\-n\fR, \fB\--non-interactive\fR
Avoid prompting the user for input of any kind. Avoid prompting the user for input of any kind.
If a password is required for the command to run, If a password is required for the
\fIcommand\fR
to run,
\fBsudo\fR \fBsudo\fR
will display an error message and exit. will display an error message and exit.
.TP 12n .TP 12n
@@ -592,8 +640,9 @@ flags in
sudoers(@mansectform@)) sudoers(@mansectform@))
.TP 4n .TP 4n
\&%U \&%U
expanded to the login name of the user the command will be run as expanded to the login name of the user the
(defaults to root unless the \fIcommand\fR
will be run as (defaults to root unless the
\fB\-u\fR \fB\-u\fR
option is also specified) option is also specified)
.TP 4n .TP 4n
@@ -623,14 +672,16 @@ Change to the specified root
\fIdirectory\fR \fIdirectory\fR
(see (see
chroot(@mansectsu@)) chroot(@mansectsu@))
before running the command. before running the
\fIcommand\fR.
The security policy may return an error if the user does not have The security policy may return an error if the user does not have
permission to specify the root directory. permission to specify the root directory.
.if \n(SL \{\ .if \n(SL \{\
.TP 12n .TP 12n
\fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR \fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR
Run the command with an SELinux security context that includes Run the
the specified \fIcommand\fR
with an SELinux security context that includes the specified
\fIrole\fR. \fIrole\fR.
.\} .\}
.TP 12n .TP 12n
@@ -643,26 +694,34 @@ Run the shell specified by the
\fRSHELL\fR \fRSHELL\fR
environment variable if it is set or the shell specified by the environment variable if it is set or the shell specified by the
invoking user's password database entry. invoking user's password database entry.
If a command is specified, it is passed to the shell as a simple If a
command using the \fIcommand\fR
is specified, it is passed to the shell as a simple command using the
\fB\-c\fR \fB\-c\fR
option. option.
The command and any arguments are concatenated, separated by spaces, The
after escaping each character \fIcommand\fR
and any
\fIarg\fRs
are concatenated, separated by spaces, after escaping each character
(including white space) (including white space)
with a backslash with a backslash
(\(oq\e\(cq) (\(oq\e\(cq)
except for alphanumerics, underscores, except for alphanumerics, underscores,
hyphens, and dollar signs. hyphens, and dollar signs.
If no command is specified, an interactive shell is executed. If no
Most shells behave differently when a command is specified \fIcommand\fR
as compared to an interactive session; consult the shell's manual is specified, an interactive shell is executed.
Most shells behave differently when a
\fIcommand\fR
is specified as compared to an interactive session; consult the shell's manual
for details. for details.
.if \n(SL \{\ .if \n(SL \{\
.TP 12n .TP 12n
\fB\-t\fR \fItype\fR, \fB\--type\fR=\fItype\fR \fB\-t\fR \fItype\fR, \fB\--type\fR=\fItype\fR
Run the command with an SELinux security context that includes Run the
the specified \fIcommand\fR
with an SELinux security context that includes the specified
\fItype\fR. \fItype\fR.
If no If no
\fItype\fR \fItype\fR
@@ -678,23 +737,29 @@ instead of for the invoking user.
The security policy may restrict listing other users' privileges. The security policy may restrict listing other users' privileges.
When using the When using the
\fIsudoers\fR \fIsudoers\fR
policy, only root or a user with the ability to run any command as policy, only root or a user with the ability to run any
either root or the specified \fIcommand\fR
as either root or the specified
\fIuser\fR \fIuser\fR
on the current host may use this option. on the current host may use this option.
.TP 12n .TP 12n
\fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR \fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR
Used to set a timeout for the command. Used to set a timeout for the
If the timeout expires before the command has exited, the \fIcommand\fR.
command will be terminated. If the timeout expires before the
The security policy may restrict the ability to set command timeouts. \fIcommand\fR
has exited, the
\fIcommand\fR
will be terminated.
The security policy may restrict the user's ability to set timeouts.
The The
\fIsudoers\fR \fIsudoers\fR
policy requires that user-specified timeouts be explicitly enabled. policy requires that user-specified timeouts be explicitly enabled.
.TP 12n .TP 12n
\fB\-u\fR \fIuser\fR, \fB\--user\fR=\fIuser\fR \fB\-u\fR \fIuser\fR, \fB\--user\fR=\fIuser\fR
Run the command as a user other than the default target user Run the
(usually \fIcommand\fR
as a user other than the default target user (usually
\fIroot\fR). \fIroot\fR).
The The
\fIuser\fR \fIuser\fR
@@ -705,7 +770,9 @@ prefixed with the
character (e.g., character (e.g.,
\(oq#0\(cq \(oq#0\(cq
for UID 0). for UID 0).
When running commands as a UID, many shells require that the When running
\fIcommand\fRs as
a UID, many shells require that the
\(oq#\(cq \(oq#\(cq
be escaped with a backslash be escaped with a backslash
(\(oq\e\(cq). (\(oq\e\(cq).
@@ -724,7 +791,7 @@ Print the
version string as well as the version string of any configured plugins. version string as well as the version string of any configured plugins.
If the invoking user is already root, the If the invoking user is already root, the
\fB\-V\fR \fB\-V\fR
option will display the arguments passed to configure when option will display the options passed to configure when
\fBsudo\fR \fBsudo\fR
was built; plugins may display additional information such as was built; plugins may display additional information such as
default options. default options.
@@ -736,15 +803,18 @@ For the
\fIsudoers\fR \fIsudoers\fR
plugin, this extends the plugin, this extends the
\fBsudo\fR \fBsudo\fR
timeout for another @timeout@ minutes by default, but does not run a command. timeout for another @timeout@ minutes by default, but does not run a
\fIcommand\fR.
Not all security policies support cached credentials. Not all security policies support cached credentials.
.TP 12n .TP 12n
\fB\--\fR \fB\--\fR
The The
\fB\--\fR \fB\--\fR
option indicates that is used to delimit the end of the
\fBsudo\fR \fBsudo\fR
should stop processing command line arguments. options.
Subsequent options are passed to the
\fIcommand\fR.
.PP .PP
Options that take a value may only be specified once unless Options that take a value may only be specified once unless
otherwise indicated in the description. otherwise indicated in the description.
@@ -753,25 +823,32 @@ scripts that invoke
\fBsudo\fR \fBsudo\fR
with user-controlled input. with user-controlled input.
.PP .PP
Environment variables to be set for the command may also be passed Environment variables to be set for the
on the command line in the form of \fIcommand\fR
may also be passed as options to
\fBsudo\fR
in the form
\fIVAR\fR=\fIvalue\fR, \fIVAR\fR=\fIvalue\fR,
e.g., for example
\fRLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR. \fRLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR.
Variables passed on the command line are subject to restrictions Environment variables may be subject to restrictions
imposed by the security policy plugin. imposed by the security policy plugin.
The The
\fIsudoers\fR \fIsudoers\fR
policy subjects variables passed on the command line to the same policy subjects environment variables passed as options to the same
restrictions as normal environment variables with one important restrictions as existing environment variables with one important
exception. difference.
If the If the
\fIsetenv\fR \fIsetenv\fR
option is set in option is set in
\fIsudoers\fR, \fIsudoers\fR,
the command to be run has the the
\fIcommand\fR
to be run has the
\fRSETENV\fR \fRSETENV\fR
tag set or the command matched is tag set or the
\fIcommand\fR
matched is
\fBALL\fR, \fBALL\fR,
the user may set variables that would otherwise be forbidden. the user may set variables that would otherwise be forbidden.
See See
@@ -780,8 +857,10 @@ for more information.
.SH "COMMAND EXECUTION" .SH "COMMAND EXECUTION"
When When
\fBsudo\fR \fBsudo\fR
executes a command, the security policy specifies the execution executes a
environment for the command. \fIcommand\fR,
the security policy specifies the execution environment for the
\fIcommand\fR.
Typically, the real and effective user and group and IDs are set to Typically, the real and effective user and group and IDs are set to
match those of the target user, as specified in the password database, match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database and the group vector is initialized based on the group database
@@ -835,7 +914,8 @@ scheduling priority (aka nice value)
.SS "Process model" .SS "Process model"
There are two distinct ways There are two distinct ways
\fBsudo\fR \fBsudo\fR
can run a command. can run a
\fIcommand\fR.
.PP .PP
If an I/O logging plugin is configured to log terminal I/O, or if If an I/O logging plugin is configured to log terminal I/O, or if
the security policy explicitly requests it, a new pseudo-terminal the security policy explicitly requests it, a new pseudo-terminal
@@ -853,26 +933,42 @@ controlling terminal, calls
fork(2) fork(2)
again, sets up the execution environment as described above, and then uses the again, sets up the execution environment as described above, and then uses the
execve(2) execve(2)
system call to run the command in the child process. system call to run the
\fIcommand\fR
in the child process.
The The
\fImonitor\fR \fImonitor\fR
exists to relay job control signals between the user's exists to relay job control signals between the user's
terminal and the pty the command is being run in. terminal and the pty the
This makes it possible to suspend and resume the command normally. \fIcommand\fR
is being run in.
This makes it possible to suspend and resume the
\fIcommand\fR
normally.
Without the Without the
\fImonitor\fR, \fIthe command would be in what POSIX terms an\fR \fImonitor\fR,
the
\fIcommand\fR
would be in what POSIX terms an
\(lqorphaned process group\(rq \(lqorphaned process group\(rq
and it would not receive any job control signals from the kernel. and it would not receive any job control signals from the kernel.
When the command exits or is terminated by a signal, the When the
\fIcommand\fR
exits or is terminated by a signal, the
\fImonitor\fR \fImonitor\fR
passes the command's exit status to the main passes the
\fIcommand\fR's
exit status to the main
\fBsudo\fR \fBsudo\fR
process and exits. process and exits.
After receiving the command's exit status, the main After receiving the
\fIcommand\fR's
exit status, the main
\fBsudo\fR \fBsudo\fR
process passes the command's exit status to the security policy's process passes the
close function, as well as the close function of any configured audit \fIcommand\fR's
plugin, and exits. exit status to the security policy's close function, as well as the
close function of any configured audit plugin, and exits.
.PP .PP
If no pty is used, If no pty is used,
\fBsudo\fR \fBsudo\fR
@@ -880,23 +976,31 @@ calls
fork(2), fork(2),
sets up the execution environment as described above, and uses the sets up the execution environment as described above, and uses the
execve(2) execve(2)
system call to run the command in the child process. system call to run the
\fIcommand\fR
in the child process.
The main The main
\fBsudo\fR \fBsudo\fR
process waits until the command has completed, then passes the process waits until the
command's exit status to the security policy's close function, as \fIcommand\fR
well as the close function of any configured audit plugins, and exits. has completed, then passes the
\fIcommand\fR's
exit status to the security policy's close function, as well as the
close function of any configured audit plugins, and exits.
As a special case, if the policy plugin does not define a close As a special case, if the policy plugin does not define a close
function, function,
\fBsudo\fR \fBsudo\fR
will execute the command directly instead of calling will execute the
\fIcommand\fR
directly instead of calling
fork(2) fork(2)
first. first.
The The
\fIsudoers\fR \fIsudoers\fR
policy plugin will only define a close function when I/O logging policy plugin will only define a close function when I/O logging
is enabled, a pty is required, an SELinux role is specified, the is enabled, a pty is required, an SELinux role is specified, the
command has an associated timeout, or the \fIcommand\fR
has an associated timeout, or the
\fIpam_session\fR \fIpam_session\fR
or or
\fIpam_setcred\fR \fIpam_setcred\fR
@@ -909,41 +1013,57 @@ are enabled by default on systems using PAM.
.PP .PP
On systems that use PAM, the security policy's close function On systems that use PAM, the security policy's close function
is responsible for closing the PAM session. is responsible for closing the PAM session.
It may also log the command's exit status. It may also log the
\fIcommand\fR's
exit status.
.SS "Signal handling" .SS "Signal handling"
When the command is run as a child of the When the
\fIcommand\fR
is run as a child of the
\fBsudo\fR \fBsudo\fR
process, process,
\fBsudo\fR \fBsudo\fR
will relay signals it receives to the command. will relay signals it receives to the
\fIcommand\fR.
The The
\fRSIGINT\fR \fRSIGINT\fR
and and
\fRSIGQUIT\fR \fRSIGQUIT\fR
signals are only relayed when the command is being run in a new pty signals are only relayed when the
or when the signal was sent by a user process, not the kernel. \fIcommand\fR
This prevents the command from receiving is being run in a new pty or when the signal was sent by a user
process, not the kernel.
This prevents the
\fIcommand\fR
from receiving
\fRSIGINT\fR \fRSIGINT\fR
twice each time the user enters control-C. twice each time the user enters control-C.
Some signals, such as Some signals, such as
\fRSIGSTOP\fR \fRSIGSTOP\fR
and and
\fRSIGKILL\fR, \fRSIGKILL\fR,
cannot be caught and thus will not be relayed to the command. cannot be caught and thus will not be relayed to the
\fIcommand\fR.
As a general rule, As a general rule,
\fRSIGTSTP\fR \fRSIGTSTP\fR
should be used instead of should be used instead of
\fRSIGSTOP\fR \fRSIGSTOP\fR
when you wish to suspend a command being run by when you wish to suspend a
\fIcommand\fR
being run by
\fBsudo\fR. \fBsudo\fR.
.PP .PP
As a special case, As a special case,
\fBsudo\fR \fBsudo\fR
will not relay signals that were sent by the command it is running. will not relay signals that were sent by the
This prevents the command from accidentally killing itself. \fIcommand\fR
it is running.
This prevents the
\fIcommand\fR
from accidentally killing itself.
On some systems, the On some systems, the
reboot(@mansectsu@) reboot(@mansectsu@)
command sends utility sends
\fRSIGTERM\fR \fRSIGTERM\fR
to all non-system processes other than itself before rebooting to all non-system processes other than itself before rebooting
the system. the system.
@@ -955,9 +1075,13 @@ signal it received back to
reboot(@mansectsu@), reboot(@mansectsu@),
which might then exit before the system was actually rebooted, which might then exit before the system was actually rebooted,
leaving it in a half-dead state similar to single user mode. leaving it in a half-dead state similar to single user mode.
Note, however, that this check only applies to the command run by Note, however, that this check only applies to the
\fIcommand\fR
run by
\fBsudo\fR \fBsudo\fR
and not any other processes that the command may create. and not any other processes that the
\fIcommand\fR
may create.
As a result, running a script that calls As a result, running a script that calls
reboot(@mansectsu@) reboot(@mansectsu@)
or or
@@ -972,7 +1096,9 @@ are run using the
\fBexec\fR() \fBexec\fR()
family of functions instead of family of functions instead of
\fBsystem\fR() \fBsystem\fR()
(which interposes a shell between the command and the calling process). (which interposes a shell between the
\fIcommand\fR
and the calling process).
.SS "Plugins" .SS "Plugins"
Plugins may be specified via Plugins may be specified via
\fIPlugin\fR \fIPlugin\fR
@@ -1002,27 +1128,38 @@ manual for more information about the
\fBsudo\fR \fBsudo\fR
plugin architecture. plugin architecture.
.SH "EXIT VALUE" .SH "EXIT VALUE"
Upon successful execution of a command, the exit status from Upon successful execution of a
\fIcommand\fR,
the exit status from
\fBsudo\fR \fBsudo\fR
will be the exit status of the program that was executed. will be the exit status of the program that was executed.
If the command terminated due to receipt of a signal, If the
\fIcommand\fR
terminated due to receipt of a signal,
\fBsudo\fR \fBsudo\fR
will send itself the same signal that terminated the command. will send itself the same signal that terminated the
\fIcommand\fR.
.PP .PP
If the If the
\fB\-l\fR \fB\-l\fR
option was specified without a command, option was specified without a
\fIcommand\fR,
\fBsudo\fR \fBsudo\fR
will exit with a value of 0 if the user is allowed to run will exit with a value of 0 if the user is allowed to run
\fBsudo\fR \fBsudo\fR
and they authenticated successfully (as required by the security policy). and they authenticated successfully (as required by the security policy).
If a command is specified with the If a
\fIcommand\fR
is specified with the
\fB\-l\fR \fB\-l\fR
option, the exit value will only be 0 if the command is permitted by the option, the exit value will only be 0 if the
security policy, otherwise it will be 1. \fIcommand\fR
is permitted by the security policy, otherwise it will be 1.
.PP .PP
If there is an authentication failure, a configuration/permission If there is an authentication failure, a configuration/permission
problem, or if the given command cannot be executed, problem, or if the given
\fIcommand\fR
cannot be executed,
\fBsudo\fR \fBsudo\fR
exits with a value of 1. exits with a value of 1.
In the latter case, the error string is printed to the standard error. In the latter case, the error string is printed to the standard error.
@@ -1046,12 +1183,15 @@ your
is on a machine that is currently unreachable. is on a machine that is currently unreachable.
.SH "SECURITY NOTES" .SH "SECURITY NOTES"
\fBsudo\fR \fBsudo\fR
tries to be safe when executing external commands. tries to be safe when executing external
\fIcommand\fRs.
.PP .PP
To prevent command spoofing, To prevent command spoofing,
\fBsudo\fR \fBsudo\fR
checks "." and "" (both denoting current directory) last when checks "." and "" (both denoting current directory) last when
searching for a command in the user's searching for a
\fIcommand\fR
in the user's
\fRPATH\fR \fRPATH\fR
(if one or both are in the (if one or both are in the
\fRPATH\fR). \fRPATH\fR).
@@ -1068,27 +1208,43 @@ be granted
\fBsudo\fR \fBsudo\fR
privileges to execute files that are writable by the user or privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user. that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way If the user can modify or replace the
to limit what additional commands they can run. \fIcommand\fR
there is no way to limit what additional
\fIcommand\fRs
they can run.
.PP .PP
By default, By default,
\fBsudo\fR \fBsudo\fR
will only log the command it explicitly runs. will only log the
If a user runs a command such as \fIcommand\fR
it explicitly runs.
If a user runs a
\fIcommand\fR
such as
\(oqsudo su\(cq \(oqsudo su\(cq
or or
\(oqsudo sh\(cq, \(oqsudo sh\(cq,
subsequent commands run from that shell are not subject to subsequent
\fIcommand\fRs
run from that shell are not subject to
\fBsudo\fR's \fBsudo\fR's
security policy. security policy.
The same is true for commands that offer shell escapes (including The same is true for
most editors). \fIcommand\fRs
If I/O logging is enabled, subsequent commands will have their input and/or that offer shell escapes (including most editors).
output logged, but there will not be traditional logs for those commands. If I/O logging is enabled, subsequent
Because of this, care must be taken when giving users access to commands via \fIcommand\fRs
will have their input and/or output logged, but there will not be
traditional logs for those
\fIcommand\fRs.
Because of this, care must be taken when giving users access to
\fIcommand\fRs
via
\fBsudo\fR \fBsudo\fR
to verify that the command does not inadvertently give the user an to verify that the
effective root shell. \fIcommand\fR
does not inadvertently give the user an effective root shell.
For information on ways to address this, see the For information on ways to address this, see the
\fIPreventing shell escapes\fR \fIPreventing shell escapes\fR
section in section in
@@ -1097,7 +1253,9 @@ sudoers(@mansectform@).
To prevent the disclosure of potentially sensitive information, To prevent the disclosure of potentially sensitive information,
\fBsudo\fR \fBsudo\fR
disables core dumps by default while it is executing (they are disables core dumps by default while it is executing (they are
re-enabled for the command that is run). re-enabled for the
\fIcommand\fR
that is run).
This historical practice dates from a time when most operating This historical practice dates from a time when most operating
systems allowed set-user-ID processes to dump core by default. systems allowed set-user-ID processes to dump core by default.
To aid in debugging To aid in debugging
@@ -1120,7 +1278,8 @@ manual for more information.
.SH "ENVIRONMENT" .SH "ENVIRONMENT"
\fBsudo\fR \fBsudo\fR
utilizes the following environment variables. utilizes the following environment variables.
The security policy has control over the actual content of the command's The security policy has control over the actual content of the
\fIcommand\fR's
environment. environment.
.TP 17n .TP 17n
\fREDITOR\fR \fREDITOR\fR
@@ -1202,9 +1361,13 @@ if no terminal is available or if the
option is specified. option is specified.
.TP 17n .TP 17n
\fRSUDO_COMMAND\fR \fRSUDO_COMMAND\fR
Set to the command run by sudo, including command line arguments. Set to the
The command line arguments are truncated at 4096 characters to \fIcommand\fR
prevent a potential execution error. run by sudo, including any
\fIarg\fRs.
The
\fIarg\fRs
are truncated at 4096 characters to prevent a potential execution error.
.TP 17n .TP 17n
\fRSUDO_EDITOR\fR \fRSUDO_EDITOR\fR
Default editor to use in Default editor to use in
@@ -1302,7 +1465,9 @@ $ sudo shutdown -r +15 "quick reboot"
.fi .fi
.PP .PP
To make a usage listing of the directories in the /home partition. To make a usage listing of the directories in the /home partition.
The commands are run in a sub-shell to allow the The
\fIcommands\fR
are run in a sub-shell to allow the
\(oqcd\(cq \(oqcd\(cq
command and file redirection to work. command and file redirection to work.
.nf .nf
@@ -1440,8 +1605,8 @@ The user did not enter a password before the password timeout
Your user-ID does not appear in the system passwd database. Your user-ID does not appear in the system passwd database.
.TP 6n .TP 6n
\fRyou may not specify environment variables in edit mode\fR \fRyou may not specify environment variables in edit mode\fR
It is only possible to specify environment variables when running It is only possible to specify environment variables when running a
a command. \fIcommand\fR.
When editing a file, the editor is run with the user's environment unmodified. When editing a file, the editor is run with the user's environment unmodified.
.SH "SEE ALSO" .SH "SEE ALSO"
su(1), su(1),
@@ -1475,9 +1640,12 @@ exhaustive list of people who have contributed to
\fBsudo\fR. \fBsudo\fR.
.SH "CAVEATS" .SH "CAVEATS"
There is no easy way to prevent a user from gaining a root shell There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via if that user is allowed to run arbitrary
\fIcommands\fR
via
\fBsudo\fR. \fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands Also, many programs (such as editors) allow the user to run
\fIcommand\fRs
via shell escapes, thus avoiding via shell escapes, thus avoiding
\fBsudo\fR's \fBsudo\fR's
checks. checks.
@@ -1489,7 +1657,8 @@ functionality.
.PP .PP
It is not meaningful to run the It is not meaningful to run the
\(oqcd\(cq \(oqcd\(cq
command directly via sudo, e.g., \fIcommand\fR
directly via sudo, e.g.,
.nf .nf
.sp .sp
.RS 4n .RS 4n
@@ -1497,11 +1666,15 @@ $ sudo cd /usr/local/protected
.RE .RE
.fi .fi
.PP .PP
since when the command exits the parent process (your shell) will since when the
still be the same. \fIcommand\fR
See the exits the parent process (your shell) will still be the same.
\fIEXAMPLES\fR The
section for more information. \fB\-D\fR
option can be used to run a
\fIcommand\fR
in a specific
\fIdirectory\fR.
.PP .PP
Running shell scripts via Running shell scripts via
\fBsudo\fR \fBsudo\fR

475
docs/sudo.mdoc.in
View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd December 12, 2022 .Dd December 20, 2022
.Dt SUDO @mansectsu@ .Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -55,7 +55,7 @@
.Op Fl p Ar prompt .Op Fl p Ar prompt
.Op Fl U Ar user .Op Fl U Ar user
.Op Fl u Ar user .Op Fl u Ar user
.Op Ar command .Op Ar command Op Ar arg ...
.Nm sudo .Nm sudo
.Op Fl ABbEHnPS .Op Fl ABbEHnPS
.if \n(BA \{\ .if \n(BA \{\
@@ -78,7 +78,7 @@
.Op Fl u Ar user .Op Fl u Ar user
.Op Ar VAR Ns = Ns Ar value .Op Ar VAR Ns = Ns Ar value
.Op Fl i | s .Op Fl i | s
.Op Ar command .Op Ar command Op Ar arg ...
.Nm sudoedit .Nm sudoedit
.Op Fl ABkNnS .Op Fl ABkNnS
.if \n(BA \{\ .if \n(BA \{\
@@ -181,8 +181,9 @@ option (described below), is implied.
Security policies and audit plugins may log successful and failed attempts Security policies and audit plugins may log successful and failed attempts
to run to run
.Nm . .Nm .
If an I/O plugin is configured, the running command's input and If an I/O plugin is configured, the running
output may be logged as well. .Ar command Ns 's
input and output may be logged as well.
.Pp .Pp
The options are as follows: The options are as follows:
.Bl -tag -width Fl .Bl -tag -width Fl
@@ -233,21 +234,26 @@ authentication.
Ring the bell as part of the password prompt when a terminal is present. Ring the bell as part of the password prompt when a terminal is present.
This option has no effect if an askpass program is used. This option has no effect if an askpass program is used.
.It Fl b , -background .It Fl b , -background
Run the given command in the background. Run the given
.Ar command
in the background.
It is not possible to use shell job control to manipulate background It is not possible to use shell job control to manipulate background
processes started by processes started by
.Nm . .Nm .
Most interactive commands will fail to work properly in background Most interactive
mode. .Ar command Ns s
will fail to work properly in background mode.
.It Fl C Ar num , Fl -close-from Ns = Ns Ar num .It Fl C Ar num , Fl -close-from Ns = Ns Ar num
Close all file descriptors greater than or equal to Close all file descriptors greater than or equal to
.Ar num .Ar num
before executing a command. before executing a
.Ar command .
Values less than three are not permitted. Values less than three are not permitted.
By default, By default,
.Nm .Nm
will close all open file descriptors other than standard input, will close all open file descriptors other than standard input,
standard output, and standard error when executing a command. standard output, and standard error when executing a
.Ar command .
The security policy may restrict the user's ability to use this option. The security policy may restrict the user's ability to use this option.
The The
.Em sudoers .Em sudoers
@@ -258,8 +264,9 @@ option when the administrator has enabled the
option. option.
.if \n(LC \{\ .if \n(LC \{\
.It Fl c Ar class , Fl -login-class Ns = Ns Ar class .It Fl c Ar class , Fl -login-class Ns = Ns Ar class
Run the command with resource limits and scheduling priority of Run the
the specified login .Ar command
with resource limits and scheduling priority of the specified login
.Ar class . .Ar class .
The The
.Ar class .Ar class
@@ -273,10 +280,14 @@ If
is is
.Cm - , .Cm - ,
the default login class of the target user will be used. the default login class of the target user will be used.
Otherwise, the command must be run as the superuser (user-ID 0), or Otherwise, the
.Ar command
must be run as the superuser (user-ID 0), or
.Nm .Nm
must be run from a shell that is already running as the superuser. must be run from a shell that is already running as the superuser.
If the command is being run as a login shell, additional If the
.Ar command
is being run as a login shell, additional
.Pa /etc/login.conf .Pa /etc/login.conf
settings, such as the umask and environment variables, will settings, such as the umask and environment variables, will
be applied, if present. be applied, if present.
@@ -285,7 +296,9 @@ This option is only available on systems with
login classes. login classes.
.\} .\}
.It Fl D Ar directory , Fl -chdir Ns = Ns Ar directory .It Fl D Ar directory , Fl -chdir Ns = Ns Ar directory
Run the command in the specified Run the
.Ar command
in the specified
.Ar directory .Ar directory
instead of the current working directory. instead of the current working directory.
The security policy may return an error if the user does not have The security policy may return an error if the user does not have
@@ -303,7 +316,10 @@ The security policy may return an error if the user does not have
permission to preserve the environment. permission to preserve the environment.
This option may be specified multiple times. This option may be specified multiple times.
.It Fl e , -edit .It Fl e , -edit
Edit one or more files instead of running a command. Edit one or more
.Ar file Ns s
instead of running a
.Ar command .
In lieu of a path name, the string "sudoedit" is used when consulting In lieu of a path name, the string "sudoedit" is used when consulting
the security policy. the security policy.
If the user is authorized by the policy, the following steps are If the user is authorized by the policy, the following steps are
@@ -354,7 +370,9 @@ not be edited unless that user is root (version 1.8.16 and higher).
Users are never allowed to edit device special files. Users are never allowed to edit device special files.
.Pp .Pp
If the specified file does not exist, it will be created. If the specified file does not exist, it will be created.
Unlike most commands run by Unlike most
.Ar command Ns s
run by
.Em sudo , .Em sudo ,
the editor is run with the invoking user's environment unmodified. the editor is run with the invoking user's environment unmodified.
If the temporary file becomes empty after editing, the user will If the temporary file becomes empty after editing, the user will
@@ -365,7 +383,9 @@ is unable to update a file with its edited version, the user will
receive a warning and the edited copy will remain in a temporary receive a warning and the edited copy will remain in a temporary
file. file.
.It Fl g Ar group , Fl -group Ns = Ns Ar group .It Fl g Ar group , Fl -group Ns = Ns Ar group
Run the command with the primary group set to Run the
.Ar command
with the primary group set to
.Ar group .Ar group
instead of the primary group specified by the target instead of the primary group specified by the target
user's password database entry. user's password database entry.
@@ -378,13 +398,17 @@ prefixed with the
character (e.g., character (e.g.,
.Ql #0 .Ql #0
for GID 0). for GID 0).
When running a command as a GID, many shells require that the When running a
.Ar command
as a GID, many shells require that the
.Ql # .Ql #
be escaped with a backslash be escaped with a backslash
.Pq Ql \e . .Pq Ql \e .
If no If no
.Fl u .Fl u
option is specified, the command will be run as the invoking user. option is specified, the
.Ar command
will be run as the invoking user.
In either case, the primary group will be set to In either case, the primary group will be set to
.Ar group . .Ar group .
The The
@@ -404,12 +428,16 @@ Depending on the policy, this may be the default behavior.
.It Fl h , -help .It Fl h , -help
Display a short help message to the standard output and exit. Display a short help message to the standard output and exit.
.It Fl h Ar host , Fl -host Ns = Ns Ar host .It Fl h Ar host , Fl -host Ns = Ns Ar host
Run the command on the specified Run the
.Ar command
on the specified
.Ar host .Ar host
if the security policy plugin supports remote commands. if the security policy plugin supports remote
.Ar command Ns s.
The The
.Em sudoers .Em sudoers
plugin does not currently support running remote commands. plugin does not currently support running remote
.Ar command Ns s.
This may also be used in conjunction with the This may also be used in conjunction with the
.Fl l .Fl l
option to list a user's privileges for the remote host. option to list a user's privileges for the remote host.
@@ -422,25 +450,35 @@ This means that login-specific resource files such as
or or
.Pa .login .Pa .login
will be read by the shell. will be read by the shell.
If a command is specified, it is passed to the shell as a simple If a
command using the .Ar command
is specified, it is passed to the shell as a simple
.Ar command
using the
.Fl c .Fl c
option. option.
The command and any arguments are concatenated, separated by spaces, The
after escaping each character .Ar command
and any
.Ar arg Ns s
are concatenated, separated by spaces, after escaping each character
.Pq including white space .Pq including white space
with a backslash with a backslash
.Pq Ql \e .Pq Ql \e
except for alphanumerics, underscores, except for alphanumerics, underscores,
hyphens, and dollar signs. hyphens, and dollar signs.
If no command is specified, an interactive shell is executed. If no
.Ar command
is specified, an interactive shell is executed.
.Nm .Nm
attempts to change to that user's home directory before running the attempts to change to that user's home directory before running the
shell. shell.
The command is run with an environment similar to the one The
a user would receive at log in. .Ar command
Most shells behave differently when a command is specified is run with an environment similar to the one a user would receive at log in.
as compared to an interactive session; consult the shell's manual Most shells behave differently when a
.Ar command
is specified as compared to an interactive session; consult the shell's manual
for details. for details.
The The
.Em Command environment .Em Command environment
@@ -448,18 +486,24 @@ section in the
.Xr sudoers @mansectform@ .Xr sudoers @mansectform@
manual documents how the manual documents how the
.Fl i .Fl i
option affects the environment in which a command is run when the option affects the environment in which a
.Ar command
is run when the
.Em sudoers .Em sudoers
policy is in use. policy is in use.
.It Fl K , -remove-timestamp .It Fl K , -remove-timestamp
Similar to the Similar to the
.Fl k .Fl k
option, except that it removes the user's cached credentials entirely option, except that it removes the user's cached credentials entirely
and may not be used in conjunction with a command or other option. and may not be used in conjunction with a
.Ar command
or other option.
This option does not require a password. This option does not require a password.
Not all security policies support credential caching. Not all security policies support credential caching.
.It Fl k , -reset-timestamp .It Fl k , -reset-timestamp
When used without a command, invalidates the user's cached credentials. When used without a
.Ar command ,
invalidates the user's cached credentials.
In other words, the next time In other words, the next time
.Nm .Nm
is run a password will be required. is run a password will be required.
@@ -470,8 +514,9 @@ permissions from a
.Pa .logout .Pa .logout
file. file.
.Pp .Pp
When used in conjunction with a command or an option that may require When used in conjunction with a
a password, this option will cause .Ar command
or an option that may require a password, this option will cause
.Nm .Nm
to ignore the user's cached credentials. to ignore the user's cached credentials.
As a result, As a result,
@@ -483,9 +528,8 @@ Not all security policies support credential caching.
.It Fl l , Fl -list .It Fl l , Fl -list
If no If no
.Ar command .Ar command
is specified, is specified, list the privileges for the invoking user (or the
list the allowed (and forbidden) commands for the user specified by the
invoking user (or the user specified by the
.Fl U .Fl U
option) on the current host. option) on the current host.
A longer list format is used if this option is specified multiple times A longer list format is used if this option is specified multiple times
@@ -494,8 +538,10 @@ and the security policy supports a verbose output format.
If a If a
.Ar command .Ar command
is specified and is permitted by the security policy, the fully-qualified is specified and is permitted by the security policy, the fully-qualified
path to the command is displayed along with any command line path to the
arguments. .Ar command
is displayed along with any
.Ar arg Ns s.
If a If a
.Ar command .Ar command
is specified but not allowed by the policy, is specified but not allowed by the policy,
@@ -508,13 +554,15 @@ Unlike the
.Fl k .Fl k
flag, existing cached credentials are used if they are valid. flag, existing cached credentials are used if they are valid.
To detect when the user's cached credentials are valid (or when no To detect when the user's cached credentials are valid (or when no
authentication is required), the following command can be used: authentication is required), the following can be used:
.Dl sudo -Nnv .Dl sudo -Nnv
.Pp .Pp
Not all security policies support credential caching. Not all security policies support credential caching.
.It Fl n , -non-interactive .It Fl n , -non-interactive
Avoid prompting the user for input of any kind. Avoid prompting the user for input of any kind.
If a password is required for the command to run, If a password is required for the
.Ar command
to run,
.Nm .Nm
will display an error message and exit. will display an error message and exit.
.It Fl P , -preserve-groups .It Fl P , -preserve-groups
@@ -551,8 +599,9 @@ and
flags in flags in
.Xr sudoers @mansectform@ ) .Xr sudoers @mansectform@ )
.It \&%U .It \&%U
expanded to the login name of the user the command will be run as expanded to the login name of the user the
(defaults to root unless the .Ar command
will be run as (defaults to root unless the
.Fl u .Fl u
option is also specified) option is also specified)
.It %u .It %u
@@ -579,13 +628,15 @@ Change to the specified root
.Ar directory .Ar directory
(see (see
.Xr chroot @mansectsu@ ) .Xr chroot @mansectsu@ )
before running the command. before running the
.Ar command .
The security policy may return an error if the user does not have The security policy may return an error if the user does not have
permission to specify the root directory. permission to specify the root directory.
.if \n(SL \{\ .if \n(SL \{\
.It Fl r Ar role , Fl -role Ns = Ns Ar role .It Fl r Ar role , Fl -role Ns = Ns Ar role
Run the command with an SELinux security context that includes Run the
the specified .Ar command
with an SELinux security context that includes the specified
.Ar role . .Ar role .
.\} .\}
.It Fl S , -stdin .It Fl S , -stdin
@@ -596,25 +647,33 @@ Run the shell specified by the
.Ev SHELL .Ev SHELL
environment variable if it is set or the shell specified by the environment variable if it is set or the shell specified by the
invoking user's password database entry. invoking user's password database entry.
If a command is specified, it is passed to the shell as a simple If a
command using the .Ar command
is specified, it is passed to the shell as a simple command using the
.Fl c .Fl c
option. option.
The command and any arguments are concatenated, separated by spaces, The
after escaping each character .Ar command
and any
.Ar arg Ns s
are concatenated, separated by spaces, after escaping each character
.Pq including white space .Pq including white space
with a backslash with a backslash
.Pq Ql \e .Pq Ql \e
except for alphanumerics, underscores, except for alphanumerics, underscores,
hyphens, and dollar signs. hyphens, and dollar signs.
If no command is specified, an interactive shell is executed. If no
Most shells behave differently when a command is specified .Ar command
as compared to an interactive session; consult the shell's manual is specified, an interactive shell is executed.
Most shells behave differently when a
.Ar command
is specified as compared to an interactive session; consult the shell's manual
for details. for details.
.if \n(SL \{\ .if \n(SL \{\
.It Fl t Ar type , Fl -type Ns = Ns Ar type .It Fl t Ar type , Fl -type Ns = Ns Ar type
Run the command with an SELinux security context that includes Run the
the specified .Ar command
with an SELinux security context that includes the specified
.Ar type . .Ar type .
If no If no
.Ar type .Ar type
@@ -629,21 +688,27 @@ instead of for the invoking user.
The security policy may restrict listing other users' privileges. The security policy may restrict listing other users' privileges.
When using the When using the
.Em sudoers .Em sudoers
policy, only root or a user with the ability to run any command as policy, only root or a user with the ability to run any
either root or the specified .Ar command
as either root or the specified
.Ar user .Ar user
on the current host may use this option. on the current host may use this option.
.It Fl T Ar timeout , Fl -command-timeout Ns = Ns Ar timeout .It Fl T Ar timeout , Fl -command-timeout Ns = Ns Ar timeout
Used to set a timeout for the command. Used to set a timeout for the
If the timeout expires before the command has exited, the .Ar command .
command will be terminated. If the timeout expires before the
The security policy may restrict the ability to set command timeouts. .Ar command
has exited, the
.Ar command
will be terminated.
The security policy may restrict the user's ability to set timeouts.
The The
.Em sudoers .Em sudoers
policy requires that user-specified timeouts be explicitly enabled. policy requires that user-specified timeouts be explicitly enabled.
.It Fl u Ar user , Fl -user Ns = Ns Ar user .It Fl u Ar user , Fl -user Ns = Ns Ar user
Run the command as a user other than the default target user Run the
(usually .Ar command
as a user other than the default target user (usually
.Em root ) . .Em root ) .
The The
.Ar user .Ar user
@@ -654,7 +719,9 @@ prefixed with the
character (e.g., character (e.g.,
.Ql #0 .Ql #0
for UID 0). for UID 0).
When running commands as a UID, many shells require that the When running
.Ar command Ns s as
a UID, many shells require that the
.Ql # .Ql #
be escaped with a backslash be escaped with a backslash
.Pq Ql \e . .Pq Ql \e .
@@ -672,7 +739,7 @@ Print the
version string as well as the version string of any configured plugins. version string as well as the version string of any configured plugins.
If the invoking user is already root, the If the invoking user is already root, the
.Fl V .Fl V
option will display the arguments passed to configure when option will display the options passed to configure when
.Nm .Nm
was built; plugins may display additional information such as was built; plugins may display additional information such as
default options. default options.
@@ -683,14 +750,17 @@ For the
.Em sudoers .Em sudoers
plugin, this extends the plugin, this extends the
.Nm .Nm
timeout for another @timeout@ minutes by default, but does not run a command. timeout for another @timeout@ minutes by default, but does not run a
.Ar command .
Not all security policies support cached credentials. Not all security policies support cached credentials.
.It Fl - .It Fl -
The The
.Fl - .Fl -
option indicates that is used to delimit the end of the
.Nm .Nm
should stop processing command line arguments. options.
Subsequent options are passed to the
.Ar command .
.El .El
.Pp .Pp
Options that take a value may only be specified once unless Options that take a value may only be specified once unless
@@ -700,25 +770,32 @@ scripts that invoke
.Nm sudo .Nm sudo
with user-controlled input. with user-controlled input.
.Pp .Pp
Environment variables to be set for the command may also be passed Environment variables to be set for the
on the command line in the form of .Ar command
may also be passed as options to
.Nm
in the form
.Ar VAR Ns = Ns Ar value , .Ar VAR Ns = Ns Ar value ,
e.g., for example
.Ev LD_LIBRARY_PATH Ns = Ns Pa /usr/local/pkg/lib . .Ev LD_LIBRARY_PATH Ns = Ns Pa /usr/local/pkg/lib .
Variables passed on the command line are subject to restrictions Environment variables may be subject to restrictions
imposed by the security policy plugin. imposed by the security policy plugin.
The The
.Em sudoers .Em sudoers
policy subjects variables passed on the command line to the same policy subjects environment variables passed as options to the same
restrictions as normal environment variables with one important restrictions as existing environment variables with one important
exception. difference.
If the If the
.Em setenv .Em setenv
option is set in option is set in
.Em sudoers , .Em sudoers ,
the command to be run has the the
.Ar command
to be run has the
.Dv SETENV .Dv SETENV
tag set or the command matched is tag set or the
.Ar command
matched is
.Sy ALL , .Sy ALL ,
the user may set variables that would otherwise be forbidden. the user may set variables that would otherwise be forbidden.
See See
@@ -727,8 +804,10 @@ for more information.
.Sh COMMAND EXECUTION .Sh COMMAND EXECUTION
When When
.Nm .Nm
executes a command, the security policy specifies the execution executes a
environment for the command. .Ar command ,
the security policy specifies the execution environment for the
.Ar command .
Typically, the real and effective user and group and IDs are set to Typically, the real and effective user and group and IDs are set to
match those of the target user, as specified in the password database, match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database and the group vector is initialized based on the group database
@@ -771,7 +850,8 @@ scheduling priority (aka nice value)
.Ss Process model .Ss Process model
There are two distinct ways There are two distinct ways
.Nm .Nm
can run a command. can run a
.Ar command .
.Pp .Pp
If an I/O logging plugin is configured to log terminal I/O, or if If an I/O logging plugin is configured to log terminal I/O, or if
the security policy explicitly requests it, a new pseudo-terminal the security policy explicitly requests it, a new pseudo-terminal
@@ -789,26 +869,42 @@ controlling terminal, calls
.Xr fork 2 .Xr fork 2
again, sets up the execution environment as described above, and then uses the again, sets up the execution environment as described above, and then uses the
.Xr execve 2 .Xr execve 2
system call to run the command in the child process. system call to run the
.Ar command
in the child process.
The The
.Em monitor .Em monitor
exists to relay job control signals between the user's exists to relay job control signals between the user's
terminal and the pty the command is being run in. terminal and the pty the
This makes it possible to suspend and resume the command normally. .Ar command
is being run in.
This makes it possible to suspend and resume the
.Ar command
normally.
Without the Without the
.Em monitor , the command would be in what POSIX terms an .Em monitor ,
the
.Ar command
would be in what POSIX terms an
.Dq orphaned process group .Dq orphaned process group
and it would not receive any job control signals from the kernel. and it would not receive any job control signals from the kernel.
When the command exits or is terminated by a signal, the When the
.Ar command
exits or is terminated by a signal, the
.Em monitor .Em monitor
passes the command's exit status to the main passes the
.Ar command Ns 's
exit status to the main
.Nm .Nm
process and exits. process and exits.
After receiving the command's exit status, the main After receiving the
.Ar command Ns 's
exit status, the main
.Nm .Nm
process passes the command's exit status to the security policy's process passes the
close function, as well as the close function of any configured audit .Ar command Ns 's
plugin, and exits. exit status to the security policy's close function, as well as the
close function of any configured audit plugin, and exits.
.Pp .Pp
If no pty is used, If no pty is used,
.Nm .Nm
@@ -816,23 +912,31 @@ calls
.Xr fork 2 , .Xr fork 2 ,
sets up the execution environment as described above, and uses the sets up the execution environment as described above, and uses the
.Xr execve 2 .Xr execve 2
system call to run the command in the child process. system call to run the
.Ar command
in the child process.
The main The main
.Nm .Nm
process waits until the command has completed, then passes the process waits until the
command's exit status to the security policy's close function, as .Ar command
well as the close function of any configured audit plugins, and exits. has completed, then passes the
.Ar command Ns 's
exit status to the security policy's close function, as well as the
close function of any configured audit plugins, and exits.
As a special case, if the policy plugin does not define a close As a special case, if the policy plugin does not define a close
function, function,
.Nm .Nm
will execute the command directly instead of calling will execute the
.Ar command
directly instead of calling
.Xr fork 2 .Xr fork 2
first. first.
The The
.Em sudoers .Em sudoers
policy plugin will only define a close function when I/O logging policy plugin will only define a close function when I/O logging
is enabled, a pty is required, an SELinux role is specified, the is enabled, a pty is required, an SELinux role is specified, the
command has an associated timeout, or the .Ar command
has an associated timeout, or the
.Em pam_session .Em pam_session
or or
.Em pam_setcred .Em pam_setcred
@@ -845,41 +949,57 @@ are enabled by default on systems using PAM.
.Pp .Pp
On systems that use PAM, the security policy's close function On systems that use PAM, the security policy's close function
is responsible for closing the PAM session. is responsible for closing the PAM session.
It may also log the command's exit status. It may also log the
.Ar command Ns 's
exit status.
.Ss Signal handling .Ss Signal handling
When the command is run as a child of the When the
.Ar command
is run as a child of the
.Nm .Nm
process, process,
.Nm .Nm
will relay signals it receives to the command. will relay signals it receives to the
.Ar command .
The The
.Dv SIGINT .Dv SIGINT
and and
.Dv SIGQUIT .Dv SIGQUIT
signals are only relayed when the command is being run in a new pty signals are only relayed when the
or when the signal was sent by a user process, not the kernel. .Ar command
This prevents the command from receiving is being run in a new pty or when the signal was sent by a user
process, not the kernel.
This prevents the
.Ar command
from receiving
.Dv SIGINT .Dv SIGINT
twice each time the user enters control-C. twice each time the user enters control-C.
Some signals, such as Some signals, such as
.Dv SIGSTOP .Dv SIGSTOP
and and
.Dv SIGKILL , .Dv SIGKILL ,
cannot be caught and thus will not be relayed to the command. cannot be caught and thus will not be relayed to the
.Ar command .
As a general rule, As a general rule,
.Dv SIGTSTP .Dv SIGTSTP
should be used instead of should be used instead of
.Dv SIGSTOP .Dv SIGSTOP
when you wish to suspend a command being run by when you wish to suspend a
.Ar command
being run by
.Nm . .Nm .
.Pp .Pp
As a special case, As a special case,
.Nm .Nm
will not relay signals that were sent by the command it is running. will not relay signals that were sent by the
This prevents the command from accidentally killing itself. .Ar command
it is running.
This prevents the
.Ar command
from accidentally killing itself.
On some systems, the On some systems, the
.Xr reboot @mansectsu@ .Xr reboot @mansectsu@
command sends utility sends
.Dv SIGTERM .Dv SIGTERM
to all non-system processes other than itself before rebooting to all non-system processes other than itself before rebooting
the system. the system.
@@ -891,9 +1011,13 @@ signal it received back to
.Xr reboot @mansectsu@ , .Xr reboot @mansectsu@ ,
which might then exit before the system was actually rebooted, which might then exit before the system was actually rebooted,
leaving it in a half-dead state similar to single user mode. leaving it in a half-dead state similar to single user mode.
Note, however, that this check only applies to the command run by Note, however, that this check only applies to the
.Ar command
run by
.Nm .Nm
and not any other processes that the command may create. and not any other processes that the
.Ar command
may create.
As a result, running a script that calls As a result, running a script that calls
.Xr reboot @mansectsu@ .Xr reboot @mansectsu@
or or
@@ -908,7 +1032,9 @@ are run using the
.Fn exec .Fn exec
family of functions instead of family of functions instead of
.Fn system .Fn system
(which interposes a shell between the command and the calling process). (which interposes a shell between the
.Ar command
and the calling process).
.Ss Plugins .Ss Plugins
Plugins may be specified via Plugins may be specified via
.Em Plugin .Em Plugin
@@ -938,27 +1064,38 @@ manual for more information about the
.Nm .Nm
plugin architecture. plugin architecture.
.Sh EXIT VALUE .Sh EXIT VALUE
Upon successful execution of a command, the exit status from Upon successful execution of a
.Ar command ,
the exit status from
.Nm .Nm
will be the exit status of the program that was executed. will be the exit status of the program that was executed.
If the command terminated due to receipt of a signal, If the
.Ar command
terminated due to receipt of a signal,
.Nm .Nm
will send itself the same signal that terminated the command. will send itself the same signal that terminated the
.Ar command .
.Pp .Pp
If the If the
.Fl l .Fl l
option was specified without a command, option was specified without a
.Ar command ,
.Nm .Nm
will exit with a value of 0 if the user is allowed to run will exit with a value of 0 if the user is allowed to run
.Nm .Nm
and they authenticated successfully (as required by the security policy). and they authenticated successfully (as required by the security policy).
If a command is specified with the If a
.Ar command
is specified with the
.Fl l .Fl l
option, the exit value will only be 0 if the command is permitted by the option, the exit value will only be 0 if the
security policy, otherwise it will be 1. .Ar command
is permitted by the security policy, otherwise it will be 1.
.Pp .Pp
If there is an authentication failure, a configuration/permission If there is an authentication failure, a configuration/permission
problem, or if the given command cannot be executed, problem, or if the given
.Ar command
cannot be executed,
.Nm .Nm
exits with a value of 1. exits with a value of 1.
In the latter case, the error string is printed to the standard error. In the latter case, the error string is printed to the standard error.
@@ -982,12 +1119,15 @@ your
is on a machine that is currently unreachable. is on a machine that is currently unreachable.
.Sh SECURITY NOTES .Sh SECURITY NOTES
.Nm .Nm
tries to be safe when executing external commands. tries to be safe when executing external
.Ar command Ns s.
.Pp .Pp
To prevent command spoofing, To prevent command spoofing,
.Nm .Nm
checks "." and "" (both denoting current directory) last when checks "." and "" (both denoting current directory) last when
searching for a command in the user's searching for a
.Ar command
in the user's
.Ev PATH .Ev PATH
(if one or both are in the (if one or both are in the
.Ev PATH ) . .Ev PATH ) .
@@ -1004,27 +1144,43 @@ be granted
.Nm .Nm
privileges to execute files that are writable by the user or privileges to execute files that are writable by the user or
that reside in a directory that is writable by the user. that reside in a directory that is writable by the user.
If the user can modify or replace the command there is no way If the user can modify or replace the
to limit what additional commands they can run. .Ar command
there is no way to limit what additional
.Ar command Ns s
they can run.
.Pp .Pp
By default, By default,
.Nm .Nm
will only log the command it explicitly runs. will only log the
If a user runs a command such as .Ar command
it explicitly runs.
If a user runs a
.Ar command
such as
.Ql sudo su .Ql sudo su
or or
.Ql sudo sh , .Ql sudo sh ,
subsequent commands run from that shell are not subject to subsequent
.Ar command Ns s
run from that shell are not subject to
.Nm sudo Ns 's .Nm sudo Ns 's
security policy. security policy.
The same is true for commands that offer shell escapes (including The same is true for
most editors). .Ar command Ns s
If I/O logging is enabled, subsequent commands will have their input and/or that offer shell escapes (including most editors).
output logged, but there will not be traditional logs for those commands. If I/O logging is enabled, subsequent
Because of this, care must be taken when giving users access to commands via .Ar command Ns s
will have their input and/or output logged, but there will not be
traditional logs for those
.Ar command Ns s.
Because of this, care must be taken when giving users access to
.Ar command Ns s
via
.Nm .Nm
to verify that the command does not inadvertently give the user an to verify that the
effective root shell. .Ar command
does not inadvertently give the user an effective root shell.
For information on ways to address this, see the For information on ways to address this, see the
.Em Preventing shell escapes .Em Preventing shell escapes
section in section in
@@ -1033,7 +1189,9 @@ section in
To prevent the disclosure of potentially sensitive information, To prevent the disclosure of potentially sensitive information,
.Nm .Nm
disables core dumps by default while it is executing (they are disables core dumps by default while it is executing (they are
re-enabled for the command that is run). re-enabled for the
.Ar command
that is run).
This historical practice dates from a time when most operating This historical practice dates from a time when most operating
systems allowed set-user-ID processes to dump core by default. systems allowed set-user-ID processes to dump core by default.
To aid in debugging To aid in debugging
@@ -1053,7 +1211,8 @@ manual for more information.
.Sh ENVIRONMENT .Sh ENVIRONMENT
.Nm .Nm
utilizes the following environment variables. utilizes the following environment variables.
The security policy has control over the actual content of the command's The security policy has control over the actual content of the
.Ar command Ns 's
environment. environment.
.Bl -tag -width 15n .Bl -tag -width 15n
.It Ev EDITOR .It Ev EDITOR
@@ -1128,9 +1287,13 @@ if no terminal is available or if the
.Fl A .Fl A
option is specified. option is specified.
.It Ev SUDO_COMMAND .It Ev SUDO_COMMAND
Set to the command run by sudo, including command line arguments. Set to the
The command line arguments are truncated at 4096 characters to .Ar command
prevent a potential execution error. run by sudo, including any
.Ar arg Ns s.
The
.Ar arg Ns s
are truncated at 4096 characters to prevent a potential execution error.
.It Ev SUDO_EDITOR .It Ev SUDO_EDITOR
Default editor to use in Default editor to use in
.Fl e .Fl e
@@ -1204,7 +1367,9 @@ $ sudo shutdown -r +15 "quick reboot"
.Ed .Ed
.Pp .Pp
To make a usage listing of the directories in the /home partition. To make a usage listing of the directories in the /home partition.
The commands are run in a sub-shell to allow the The
.Ar commands
are run in a sub-shell to allow the
.Ql cd .Ql cd
command and file redirection to work. command and file redirection to work.
.Bd -literal -offset 4n .Bd -literal -offset 4n
@@ -1325,8 +1490,8 @@ The user did not enter a password before the password timeout
.It Li you do not exist in the passwd database .It Li you do not exist in the passwd database
Your user-ID does not appear in the system passwd database. Your user-ID does not appear in the system passwd database.
.It Li you may not specify environment variables in edit mode .It Li you may not specify environment variables in edit mode
It is only possible to specify environment variables when running It is only possible to specify environment variables when running a
a command. .Ar command .
When editing a file, the editor is run with the user's environment unmodified. When editing a file, the editor is run with the user's environment unmodified.
.El .El
.Sh SEE ALSO .Sh SEE ALSO
@@ -1360,9 +1525,12 @@ exhaustive list of people who have contributed to
.Nm . .Nm .
.Sh CAVEATS .Sh CAVEATS
There is no easy way to prevent a user from gaining a root shell There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via if that user is allowed to run arbitrary
.Ar commands
via
.Nm . .Nm .
Also, many programs (such as editors) allow the user to run commands Also, many programs (such as editors) allow the user to run
.Ar command Ns s
via shell escapes, thus avoiding via shell escapes, thus avoiding
.Nm sudo Ns 's .Nm sudo Ns 's
checks. checks.
@@ -1374,16 +1542,21 @@ functionality.
.Pp .Pp
It is not meaningful to run the It is not meaningful to run the
.Ql cd .Ql cd
command directly via sudo, e.g., .Ar command
directly via sudo, e.g.,
.Bd -literal -offset 4n .Bd -literal -offset 4n
$ sudo cd /usr/local/protected $ sudo cd /usr/local/protected
.Ed .Ed
.Pp .Pp
since when the command exits the parent process (your shell) will since when the
still be the same. .Ar command
See the exits the parent process (your shell) will still be the same.
.Sx EXAMPLES The
section for more information. .Fl D
option can be used to run a
.Ar command
in a specific
.Ar directory .
.Pp .Pp
Running shell scripts via Running shell scripts via
.Nm .Nm

2
src/parse_args.c
View File

@@ -52,7 +52,7 @@ sudo_noreturn static void usage_excl(void);
sudo_noreturn static void usage_excl_ticket(void); sudo_noreturn static void usage_excl_ticket(void);
/* /*
* Mapping of command line flags to name/value settings. * Mapping of command line options to name/value settings.
* Do not reorder, indexes must match ARG_ defines in sudo.h. * Do not reorder, indexes must match ARG_ defines in sudo.h.
*/ */
static struct sudo_settings sudo_settings[] = { static struct sudo_settings sudo_settings[] = {

4
src/sudo_usage.h.in
View File

@@ -27,8 +27,8 @@
#define SUDO_USAGE0 " -h | -V" #define SUDO_USAGE0 " -h | -V"
#define SUDO_USAGE1 " -h | -K | -k | -V" #define SUDO_USAGE1 " -h | -K | -k | -V"
#define SUDO_USAGE2 " -v [-ABkNnS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-u user]" #define SUDO_USAGE2 " -v [-ABkNnS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-u user]"
#define SUDO_USAGE3 " -l [-ABkNnS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-U user] [-u user] [command]" #define SUDO_USAGE3 " -l [-ABkNnS] @BSDAUTH_USAGE@[-g group] [-h host] [-p prompt] [-U user] [-u user] [command [arg ...]]"
#define SUDO_USAGE4 " [-ABbEHkNnPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] [-D directory] @LOGINCAP_USAGE@[-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]" #define SUDO_USAGE4 " [-ABbEHkNnPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] [-D directory] @LOGINCAP_USAGE@[-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i | -s] [command [arg ...]]"
#define SUDO_USAGE5 " -e [-ABkNnS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] @LOGINCAP_USAGE@[-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ..." #define SUDO_USAGE5 " -e [-ABkNnS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C num] @LOGINCAP_USAGE@[-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ..."
/* /*