336 lines
12 KiB
Plaintext
336 lines
12 KiB
Plaintext
=cut
|
|
Copyright (c) 1994-1996,1998-1999 Todd C. Miller <Todd.Miller@courtesan.com>
|
|
All rights reserved.
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted provided that the following conditions
|
|
are met:
|
|
|
|
1. Redistributions of source code must retain the above copyright
|
|
notice, this list of conditions and the following disclaimer.
|
|
|
|
2. Redistributions in binary form must reproduce the above copyright
|
|
notice, this list of conditions and the following disclaimer in the
|
|
documentation and/or other materials provided with the distribution.
|
|
|
|
3. The name of the author may not be used to endorse or promote products
|
|
derived from this software without specific prior written permission
|
|
from the author.
|
|
|
|
4. Products derived from this software may not be called "Sudo" nor
|
|
may "Sudo" appear in their names without specific prior written
|
|
permission from the author.
|
|
|
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
|
THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
$Sudo$
|
|
=pod
|
|
|
|
=head1 NAME
|
|
|
|
sudo - execute a command as another user
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
B<sudo> B<-V> | B<-h> | B<-l> | B<-L> | B<-v> | B<-k> | B<-K> | B<-s> |
|
|
[ B<-H> ] [B<-S> ] [ B<-b> ] | [ B<-p> prompt ] [ B<-c> class|- ]
|
|
[ B<-u> username/#uid ] I<command>
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
B<sudo> allows a permitted user to execute a I<command> as the
|
|
superuser or another user, as specified in the sudoers file. The
|
|
real and effective uid and gid are set to match those of the target
|
|
user as specified in the passwd file (the group vector is also
|
|
initialized when the target user is not root). By default, B<sudo>
|
|
requires that users authenticate themselves with a password
|
|
(NOTE: this is the user's password, not the root password). Once
|
|
a user has been authenticated, a timestamp is updated and the
|
|
user may then use sudo without a password for a short period of time
|
|
(five minutes by default).
|
|
|
|
B<sudo> determines who is an authorized user by consulting the
|
|
file F<@sysconfdir@/sudoers>. By giving B<sudo> the B<-v> flag a user
|
|
can update the time stamp without running a I<command.>
|
|
The password prompt itself will also time out if the user's password is
|
|
not entered with N minutes (again, this is defined at configure
|
|
time and defaults to 5 minutes).
|
|
|
|
If a user that is not listed in the I<sudoers> file tries to run
|
|
a command via B<sudo>, mail is sent to the proper authorities,
|
|
as defined at configure time (defaults to root). Note that the
|
|
mail will not be sent if an unauthorized user tries to run sudo
|
|
with the B<-l> or B<-v> flags. This allows users to determine
|
|
for themselves whether or not they are allowed to use B<sudo>.
|
|
|
|
B<sudo> can log both successful an unsuccessful attempts (as well
|
|
as errors) to syslog(3), a log file, or both. By default B<sudo>
|
|
will log via syslog(3) but this is changeable at configure time.
|
|
|
|
=head1 OPTIONS
|
|
|
|
B<sudo> accepts the following command line options:
|
|
|
|
=over 4
|
|
|
|
=item -V
|
|
|
|
The B<-V> (I<version>) option causes B<sudo> to print the
|
|
version number and exit.
|
|
|
|
=item -l
|
|
|
|
The B<-l> (I<list>) option will list out the allowed (and
|
|
forbidden) commands for the user on the current host.
|
|
|
|
=item -L
|
|
|
|
The B<-L> (I<list> defaults) option will list out the parameters
|
|
that may be set in a I<Defaults> line along with a short description
|
|
for each. This option is useful in conjunction with grep(1).
|
|
|
|
=item -h
|
|
|
|
The B<-h> (I<help>) option causes B<sudo> to print a usage message and exit.
|
|
|
|
=item -v
|
|
|
|
If given the B<-v> (I<validate>) option, B<sudo> will update the
|
|
user's timestamp, prompting for the user's password if necessary.
|
|
This extends the B<sudo> timeout to for another N minutes
|
|
(where N is defined at installation time and defaults to 5
|
|
minutes) but does not run a command.
|
|
|
|
=item -k
|
|
|
|
The B<-k> (I<kill>) option to B<sudo> invalidates the user's timestamp
|
|
by setting the time on it to the epoch. The next time B<sudo> is
|
|
run a password will be required. This option does not require a password
|
|
and was added to allow a user to revoke B<sudo> permissions from a .logout
|
|
file.
|
|
|
|
=item -K
|
|
|
|
The B<-K> (sure I<kill>) option to B<sudo> removes the user's timestamp
|
|
entirely. This option does not require a password.
|
|
|
|
=item -b
|
|
|
|
The B<-b> (I<background>) option tells B<sudo> to run the given
|
|
command in the background. Note that if you use the B<-b>
|
|
option you cannot use shell job control to manipulate the command.
|
|
|
|
=item -p
|
|
|
|
The B<-p> (I<prompt>) option allows you to override the default
|
|
password prompt and use a custom one. If the password prompt
|
|
contains the C<%u> escape, C<%u> will be replaced with the user's
|
|
login name. Similarly, C<%h> will be replaced with the local
|
|
hostname.
|
|
|
|
=item -c
|
|
|
|
The B<-c> (I<class>) option causes B<sudo> to run the specified command
|
|
with resources limited by the specified login class. The I<class>
|
|
argument can be either a class name as defined in /etc/login.conf,
|
|
or a single '-' character. Specifying the I<class> as '-' means
|
|
that the command should be run restricted by the default login
|
|
capibilities of the user the command is run as. If the I<class>
|
|
argument specifies an existing user class, the command must be run
|
|
as root, or the B<sudo> command must be run from a shell that is already
|
|
root. This option is only available on systems with BSD login classes
|
|
where B<sudo> has been configured with the --with-logincap option.
|
|
|
|
=item -u
|
|
|
|
The B<-u> (I<user>) option causes B<sudo> to run the specified command
|
|
as a user other than I<root>. To specify a I<uid> instead of a
|
|
I<username>, use "#uid".
|
|
|
|
=item -s
|
|
|
|
The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
|
|
environment variable if it is set or the shell as specified
|
|
in passwd(5).
|
|
|
|
=item -H
|
|
|
|
The B<-H> (I<HOME>) option sets the I<HOME> environment variable
|
|
to the homedir of the target user (root by default) as specified
|
|
in passwd(5). By default, B<sudo> does not modify I<HOME>.
|
|
|
|
=item -S
|
|
|
|
The B<-S> (I<stdin>) option causes B<sudo> to read the password from
|
|
standard input instead of the terminal device.
|
|
|
|
=item --
|
|
|
|
The B<--> flag indicates that B<sudo> should stop processing command
|
|
line arguments. It is most useful in conjunction with the B<-s> flag.
|
|
|
|
=back
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
Upon successful execution of a program, the return value from B<sudo>
|
|
will simply be the return value of the program that was executed.
|
|
|
|
Otherwise, B<sudo> quits with an exit value of 1 if there is a
|
|
configuration/permission problem or if B<sudo> cannot execute the
|
|
given command. In the latter case the error string is printed to
|
|
stderr. If B<sudo> cannot stat(2) one or more entries in the user's
|
|
C<PATH> an error is printed on stderr. (If the directory does not
|
|
exist or if it is not really a directory, the entry is ignored and
|
|
no error is printed.) This should not happen under normal
|
|
circumstances. The most common reason for stat(2) to return
|
|
"permission denied" is if you are running an automounter and one
|
|
of the directories in your C<PATH> is on a machine that is currently
|
|
unreachable.
|
|
|
|
=head1 SECURITY NOTES
|
|
|
|
B<sudo> tries to be safe when executing external commands. Variables
|
|
that control how dynamic loading and binding is done can be used
|
|
to subvert the program that B<sudo> runs. To combat this the
|
|
C<LD_*>, C<_RLD_*>, C<SHLIB_PATH> (HP-UX only), and C<LIBPATH> (AIX
|
|
only) environment variables are removed from the environment passed
|
|
on to all commands executed. B<sudo> will also remove the C<IFS>,
|
|
C<ENV>, C<BASH_ENV>, C<KRB_CONF>, C<KRB5_CONFIG>, C<LOCALDOMAIN>,
|
|
C<RES_OPTIONS> and C<HOSTALIASES> variables as they too can pose a
|
|
threat.
|
|
|
|
To prevent command spoofing, B<sudo> checks "." and "" (both denoting
|
|
current directory) last when searching for a command in the user's
|
|
PATH (if one or both are in the PATH). Note, however, that the
|
|
actual C<PATH> environment variable is I<not> modified and is passed
|
|
unchanged to the program that B<sudo> executes.
|
|
|
|
For security reasons, if your OS supports shared libraries and does
|
|
not disable user-defined library search paths for setuid programs
|
|
(most do), you should either use a linker option that disables this
|
|
behavior or link B<sudo> statically.
|
|
|
|
B<sudo> will check the ownership of its timestamp directory
|
|
(F<@TIMEDIR@> by default) and ignore the directory's contents if
|
|
it is not owned by root and only writable by root. On systems that
|
|
allow non-root users to give away files via chown(2), if the timestamp
|
|
directory is located in a directory writable by anyone (eg: F</tmp>),
|
|
it is possible for a user to create the timestamp directory before
|
|
B<sudo> is run. However, because B<sudo> checks the ownership and
|
|
mode of the directory and its contents, the only damage that can
|
|
be done is to "hide" files by putting them in the timestamp dir.
|
|
This is unlikely to happen since once the timestamp dir is owned
|
|
by root and inaccessible by any other user the user placing files
|
|
there would be unable to get them back out. To get around this
|
|
issue you can use a directory that is not world-writable for the
|
|
timestamps (F</var/adm/sudo> for instance) or create F<@TIMEDIR@>
|
|
with the appropriate owner (root) and permissions (0700) in the
|
|
system startup files.
|
|
|
|
B<sudo> will not honor timestamps set far in the future.
|
|
Timestamps with a date greater than current_time + 2 * C<TIMEOUT>
|
|
will be ignored and sudo will log and complain. This is done to
|
|
keep a user from creating his/her own timestamp with a bogus
|
|
date on system that allow users to give away files.
|
|
|
|
=head1 EXAMPLES
|
|
|
|
Note: the following examples assume suitable sudoers(5) entries.
|
|
|
|
To get a file listing of an unreadable directory:
|
|
|
|
% sudo ls /usr/local/protected
|
|
|
|
To list the home directory of user yazza on a machine where the
|
|
filesystem holding ~yazza is not exported as root:
|
|
|
|
% sudo -u yazza ls ~yazza
|
|
|
|
To edit the F<index.html> file as user www:
|
|
|
|
% sudo -u www vi ~www/htdocs/index.html
|
|
|
|
To shutdown a machine:
|
|
|
|
% sudo shutdown -r +15 "quick reboot"
|
|
|
|
To make a usage listing of the directories in the /home
|
|
partition. Note that this runs the commands in a sub-shell
|
|
to make the C<cd> and file redirection work.
|
|
|
|
% sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
|
|
|
|
=head1 ENVIRONMENT
|
|
|
|
B<sudo> utilizes the following environment variables:
|
|
|
|
PATH Set to a sane value if SECURE_PATH is set
|
|
SHELL Used to determine shell to run with -s option
|
|
USER Set to the target user (root unless the -u option
|
|
is specified)
|
|
HOME In -s or -H mode (or if sudo was configured with
|
|
the --enable-shell-sets-home option), set to
|
|
homedir of the target user.
|
|
SUDO_PROMPT Used as the default password prompt
|
|
SUDO_COMMAND Set to the command run by sudo
|
|
SUDO_USER Set to the login of the user who invoked sudo
|
|
SUDO_UID Set to the uid of the user who invoked sudo
|
|
SUDO_GID Set to the gid of the user who invoked sudo
|
|
SUDO_PS1 If set, PS1 will be set to its value
|
|
|
|
=head1 FILES
|
|
|
|
@sysconfdir@/sudoers List of who can run what
|
|
@TIMEDIR@ Directory containing timestamps
|
|
|
|
=head1 AUTHORS
|
|
|
|
Many people have worked on B<sudo> over the years, this
|
|
version consists of code written primarily by:
|
|
|
|
Todd Miller
|
|
Chris Jepeway
|
|
|
|
See the HISTORY file in the B<sudo> distribution for a short history
|
|
of B<sudo>.
|
|
|
|
=head1 BUGS
|
|
|
|
If you feel you have found a bug in sudo, please submit a bug report
|
|
at http://www.courtesan.com/sudo/bugs/
|
|
|
|
=head1 DISCLAIMER
|
|
|
|
B<Sudo> is provided ``AS IS'' and any express or implied warranties,
|
|
including, but not limited to, the implied warranties of merchantability
|
|
and fitness for a particular purpose are disclaimed.
|
|
See the LICENSE file distributed with B<sudo> for complete details.
|
|
|
|
=head1 CAVEATS
|
|
|
|
There is no easy way to prevent a user from gaining a root shell if
|
|
that user has access to commands allowing shell escapes.
|
|
|
|
If users have sudo C<ALL> there is nothing to prevent them from creating
|
|
their own program that gives them a root shell regardless of any '!'
|
|
elements in the user specification.
|
|
|
|
Running shell scripts via B<sudo> can expose the same kernel bugs
|
|
that make setuid shell scripts unsafe on some operating systems
|
|
(if your OS supports the /dev/fd/ directory, setuid shell scripts
|
|
are generally safe).
|
|
|
|
=head1 SEE ALSO
|
|
|
|
login_cap(3), sudoers(5), visudo(8), su(1).
|