isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
70da65274ca355a9e0a6009c51838b51b5ce6c47
sudo/sudo.man
Todd C. Miller 8adfa4e1dc added BUGS and annotated -l description
1995-06-14 08:43:57 +00:00

296 lines
9.8 KiB
Groff
Raw Blame History

.\" $Id$
.TH SUDO 8
.SH NAME
sudo \- execute a command as the superuser
.SH SYNOPSIS
.B sudo
.B \-V
|
.B \-h
|
.B \-l
|
.B \-v
|
.B \-k
|
.B \-b
| [
.B \-p
prompt ]
.I command
.SH DESCRIPTION
.B sudo
allows a permitted user to execute a
.I command
as the superuser (real and effective uid and gid are set to 0 and root's
group as set in the passwd file respectively).
.sp
.B sudo
determines who is an authorized user by consulting the file
.I /etc/sudoers.
By giving
.B sudo
the
.I \-v
flag a user can update the time stamp without running a
.I command.
The password prompt itself will also time out if the password is
not entered with N minutes (again, this is defined at installation
time and defaults to 5 minutes).
.sp
The
.I sudoers
file is composed of an optional host alias section, an optional command
alias section and the user specification section. All command or host
aliases need to start with their respective keywords
(Host_Alias/User_Alias/Cmnd_Alias).
If there are multiple occurrences of a user, the union of the entries
will be used.
.nf
user specification format:
user access_group [: access_group] ...
access_group ::= host_type = [op]cmnd_type [,[op]cmnd_type] ...
host_type ::= a lower\-case host name OR a host alias.
cmnd_type ::= an command OR a command alias.
op ::= the logical '!' NOT operator.
host alias section format:
Host_Alias HOSTALIAS = host\-list
Host_Alias ::= a keyword.
HOSTALIAS ::= an upper\-case alias name.
host\-list ::= a comma separated list of hosts/addresses/networks.
user alias section format:
User_Alias USERALIAS = user\-list
User_Alias ::= a keyword.
USERALIAS ::= an upper\-case alias name.
user\-list ::= a comma separated list of users.
command alias section format:
Cmnd_Alias CMNDALIAS = cmnd\-list
Cmnd_Alias ::= a keyword.
CMNDALIAS ::= an upper\-case alias name.
cmnd\-list ::= a comma separated list commands.
Text after a pound sign '#' is considered a comment.
Long lines can be newline escaped with the backslash '\\' character.
The reserved alias 'ALL' can be used for both {Host,User,Cmnd}_Alias'.
DO NOT define an alias of 'ALL', it will NOT be used.
Note that 'ALL' implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/etc/halt...
Note that the '!' notation only works in a user's command list. You
may not use it to subtract elements in a User_Alias, Host_Alias, or
Cmnd_Alias.
.fi
.SH EXAMPLES
.nf
# Host alias specification
Host_Alias HUB=houdini:\\
REMOTE=merlin,kodiakthorn,spirit
Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
Host_Alias CSNETS=128.138.243.0,128.138.204.0,\\
128.138.205.192
# User alias specification
User_Alias FULLTIME=millert,dowdy,mikef
User_Alias PARTTIME=juola,mccreary,tor
# Command alias specification
Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
Cmnd_Alias SU=/bin/su
Cmnd_Alias MISC=/bin/rm,/bin/cat:\\
SHUTDOWN=/etc/halt,/etc/shutdown
# User specification
FULLTIME ALL=ALL
PARTTIME ALL=ALL,!SHELLS,!SU
britt REMOTE=SHUTDOWN:ALL=LPCS
nieusma SERVERS=SHUTDOWN,/etc/reboot:\\
HUB=ALL,!SHELLS
jill houdini=/etc/shutdown,MISC
markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
davehieb merlin=ALL:SERVERS=/etc/halt:\\
kodiakthorn=ALL
steve CSNETS=/usr/su_commands/
.fi
.sp
The above
.I sudoers
file specification is composed of 4 host alias specifications, 2 user alias
specifications, 4 command alias specifications and 8 user specifications. Full
time staff (those in the FULLTIME alias) are allowed to execute any command on
any host. Part time staff (those in the PARTTIME alias) are allowed to execute
any command except for the group of SHELL and SU commands on any machine.
Britt is permitted to execute /etc/halt, /etc/shutdown, /usr/etc/lpc and
/usr/ucb/lprm on the REMOTE machines (merlin, kodiakthorn, and spirit).
Nieusma is allowed to run /etc/halt, /etc/shutdown, and /etc/halt on all
machines and all commands except for the group of SHELL commands on the HUB
machines. Jill is permitted to execute /etc/shutdown, /bin/rm, and /bin/cat
on houdini. Davehieb can execute any command on machines merlin and kodiakthorn
and can halt the SERVERS. Steve can run any command located in the directory
/usr/su_commands on all machines on the subnets listed in CSNETS (note that
the 128.138.192 net has a netmask of 255.255.255.192 which is why its
network number is 128.138.192.192.
.B sudo
will do a logical and of a machine's ip address(es) with its netmask to decide
whether that machine is on a given network).
The
.I sudoers
file should
.B always
be edited by the
.B visudo
command which locks the file and does grammatical checking. It is
imperative that the
.I sudoers
be free of syntax errors since sudo will not run with a syntactically
incorrect sudoers file.
.B sudo
was designed to log via the 4.3 BSD syslog(3) facility but
can log to a file instead if so desired (or to both syslog and a file).
.sp
If an unauthorized user executes sudo, mail will be sent from the user to
the local authorities (defined at installation time).
.sp
All preferences are defined at installation time and are derived from
the options.h and pathnames.h include files as well as as well as the
Makefile.
.SH OPTIONS
.B sudo
accepts the following command line options:
.IP \-V
The \-V (version) option causes
.B sudo
to print the version number and exit.
.IP \-l
The \-l (list) option will list out the allowed and forbidden commands
for the user on the current host. Note that Command Aliases are
currently not expanded.
.IP \-h
The \-h (help) option causes
.B sudo
to print the version of sudo and a usage message before exiting.
.IP \-v
If given the \-v (validate) option,
.B sudo
will update the user's timestamp file, prompting for a password if necessary.
This extends the
.B sudo
timeout to for another N minutes (where N is defined at installation time and
defaults to 5 minutes) but does not run a command.
.IP \-k
The \-k (kill) option to
.B sudo
removes the user's timestamp file, thus requiring a password the next time
.B sudo
is run. This option does not require and password and was added to
allow a user to revoke
.B sudo
permissions from a .logout file.
.IP \-b
The \-b (background) option tells
.B sudo
to run the given command in the background. Note that if you use the
\-b option you cannot use shell job control to manipulate the command.
.IP \-p
The \-p (prompt) option allows you to override the default password
prompt and use a custom one.
.SH RETURN VALUES
.B sudo
quits with an exit value of 1 if there is a configuration/permission problem
or if
.B sudo
cannot execute the given command. In the latter case the error string is
printed to stdout via
.BR perror (3).
If
.B sudo
cannot
.BR stat (3)
one or more entries in the user's PATH the error is printed on stdout via
.BR perror (3).
(If the directory does not exist or if it is not really a directory, the
entry is ignored and no error is printed.) This should not happen under
normal circumstances. The most common reason for
.BR stat (3)
to return "permission denied" is if you are running an automounter and
one of the directories in your PATH is on a machine that is currently
unreachable.
.SH SECURITY NOTES
.B sudo
tries to be safe when executing external commands. To this end
LD_*, SHLIB_PATH (HP\-UX only), LIBPATH (AIX only), and _RLD_* (Digital UNIX
only) environmental variables are removed from the environment passed on to
all commands executed.
.B sudo
also sets the IFS environmental variable to its default value (" \\t\\n").
.sp
To prevent command spoofing,
.B sudo
checks '.' and '' (both denoting current directory) last when searching for
a command in the user's PATH (if one or both are in the PATH).
Note, however, that the actual PATH environmental variable is
.I not
modified and is passed unchanged to the program that
.B sudo
executes.
.sp
For security reasons, if your OS supports shared libraries,
.B sudo
should always be statically linked unless the dynamic loader disables
user\-defined library search paths for setuid programs.
.SH FILES
.nf
/etc/sudoers file of authorized users.
.fi
.SH ENVIRONMENT VARIABLES
.nf
SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo
.fi
.SH AUTHORS
Many people have worked on
.B sudo
over the years, this version consists of code written primarily by:
.nf
Jeff Nieusma <nieusma@internetone.com>
David Hieb <davehieb@internetone.com>
Todd Miller <Todd.Miller@cs.colorado.edu>
Chris Jepeway <jepeway@cs.utk.edu>
See the HISTORY file in the sudo distribution for more details.
.fi
.sp
Please send all bugs, comments, and changes to sudo\-bugs@cs.colorado.edu.
.SH BUGS
The \-l (list) option should expand Command Aliases.
a password.
.SH DISCLAIMER
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
.sp
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA.
.SH CAVEATS
There is no easy way to prevent a user from gaining a root shell if
that user has access to commands that are shell scripts or that
allow shell escapes.
.SH SEE ALSO
.BR su (1)
Reference in New Issue View Git Blame Copy Permalink