760 lines
33 KiB
Groff
760 lines
33 KiB
Groff
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
|
|
.\" Todd C. Miller <Todd.Miller@courtesan.com>
|
|
.\"
|
|
.\" Permission to use, copy, modify, and distribute this software for any
|
|
.\" purpose with or without fee is hereby granted, provided that the above
|
|
.\" copyright notice and this permission notice appear in all copies.
|
|
.\"
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" Sponsored in part by the Defense Advanced Research Projects
|
|
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
|
|
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
|
.\"
|
|
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
|
|
.\"
|
|
.\" Standard preamble:
|
|
.\" ========================================================================
|
|
.de Sp \" Vertical space (when we can't use .PP)
|
|
.if t .sp .5v
|
|
.if n .sp
|
|
..
|
|
.de Vb \" Begin verbatim text
|
|
.ft CW
|
|
.nf
|
|
.ne \\$1
|
|
..
|
|
.de Ve \" End verbatim text
|
|
.ft R
|
|
.fi
|
|
..
|
|
.\" Set up some character translations and predefined strings. \*(-- will
|
|
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
|
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
|
|
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
|
|
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
|
|
.\" nothing in troff, for use with C<>.
|
|
.tr \(*W-
|
|
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
|
.ie n \{\
|
|
. ds -- \(*W-
|
|
. ds PI pi
|
|
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
|
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
|
. ds L" ""
|
|
. ds R" ""
|
|
. ds C`
|
|
. ds C'
|
|
'br\}
|
|
.el\{\
|
|
. ds -- \|\(em\|
|
|
. ds PI \(*p
|
|
. ds L" ``
|
|
. ds R" ''
|
|
'br\}
|
|
.\"
|
|
.\" Escape single quotes in literal strings from groff's Unicode transform.
|
|
.ie \n(.g .ds Aq \(aq
|
|
.el .ds Aq '
|
|
.\"
|
|
.\" If the F register is turned on, we'll generate index entries on stderr for
|
|
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
|
|
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
|
.\" output yourself in some meaningful fashion.
|
|
.ie \nF \{\
|
|
. de IX
|
|
. tm Index:\\$1\t\\n%\t"\\$2"
|
|
..
|
|
. nr % 0
|
|
. rr F
|
|
.\}
|
|
.el \{\
|
|
. de IX
|
|
..
|
|
.\}
|
|
.\"
|
|
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
|
|
.\" Fear. Run. Save yourself. No user-serviceable parts.
|
|
. \" fudge factors for nroff and troff
|
|
.if n \{\
|
|
. ds #H 0
|
|
. ds #V .8m
|
|
. ds #F .3m
|
|
. ds #[ \f1
|
|
. ds #] \fP
|
|
.\}
|
|
.if t \{\
|
|
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
|
. ds #V .6m
|
|
. ds #F 0
|
|
. ds #[ \&
|
|
. ds #] \&
|
|
.\}
|
|
. \" simple accents for nroff and troff
|
|
.if n \{\
|
|
. ds ' \&
|
|
. ds ` \&
|
|
. ds ^ \&
|
|
. ds , \&
|
|
. ds ~ ~
|
|
. ds /
|
|
.\}
|
|
.if t \{\
|
|
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
|
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
|
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
|
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
|
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
|
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
|
.\}
|
|
. \" troff and (daisy-wheel) nroff accents
|
|
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
|
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
|
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
|
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
|
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
|
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
|
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
|
.ds ae a\h'-(\w'a'u*4/10)'e
|
|
.ds Ae A\h'-(\w'A'u*4/10)'E
|
|
. \" corrections for vroff
|
|
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
|
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
|
. \" for low resolution devices (crt and lpr)
|
|
.if \n(.H>23 .if \n(.V>19 \
|
|
\{\
|
|
. ds : e
|
|
. ds 8 ss
|
|
. ds o a
|
|
. ds d- d\h'-1'\(ga
|
|
. ds D- D\h'-1'\(hy
|
|
. ds th \o'bp'
|
|
. ds Th \o'LP'
|
|
. ds ae ae
|
|
. ds Ae AE
|
|
.\}
|
|
.rm #[ #] #H #V #F C
|
|
.\" ========================================================================
|
|
.\"
|
|
.IX Title "SUDO @mansectsu@"
|
|
.TH SUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
|
|
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
|
.\" way too many mistakes in technical documents.
|
|
.if n .ad l
|
|
.nh
|
|
.SH "NAME"
|
|
sudo, sudoedit \- execute a command as another user
|
|
.SH "SYNOPSIS"
|
|
.IX Header "SYNOPSIS"
|
|
\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
|
|
.PP
|
|
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
|
|
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
|
|
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
|
|
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
|
|
.PP
|
|
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
|
|
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
|
|
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
|
|
[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
|
|
.PP
|
|
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
|
|
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
|
|
[\fB\-C\fR\ \fIfd\fR]
|
|
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
|
|
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
|
|
@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
|
|
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
|
|
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
|
|
.PP
|
|
\&\fBsudoedit\fR [\fB\-AnS\fR]
|
|
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
|
|
[\fB\-C\fR\ \fIfd\fR]
|
|
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
|
|
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
|
|
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
|
|
.SH "DESCRIPTION"
|
|
.IX Header "DESCRIPTION"
|
|
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
|
|
superuser or another user, as specified in the \fIsudoers\fR file.
|
|
The real and effective uid and gid are set to match those of the
|
|
target user as specified in the passwd file and the group vector
|
|
is initialized based on the group file (unless the \fB\-P\fR option was
|
|
specified). If the invoking user is root or if the target user is
|
|
the same as the invoking user, no password is required. Otherwise,
|
|
\&\fBsudo\fR requires that users authenticate themselves with a password
|
|
by default (\s-1NOTE:\s0 in the default configuration this is the user's
|
|
password, not the root password). Once a user has been authenticated,
|
|
a timestamp is updated and the user may then use sudo without a
|
|
password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
|
|
overridden in \fIsudoers\fR).
|
|
.PP
|
|
When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
|
|
is implied.
|
|
.PP
|
|
\&\fBsudo\fR determines who is an authorized user by consulting the file
|
|
\&\fI@sysconfdir@/sudoers\fR. By running \fBsudo\fR with the \fB\-v\fR option,
|
|
a user can update the time stamp without running a \fIcommand\fR. The
|
|
password prompt itself will also time out if the user's password
|
|
is not entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden
|
|
via \fIsudoers\fR).
|
|
.PP
|
|
If a user who is not listed in the \fIsudoers\fR file tries to run a
|
|
command via \fBsudo\fR, mail is sent to the proper authorities, as
|
|
defined at configure time or in the \fIsudoers\fR file (defaults to
|
|
\&\f(CW\*(C`@mailto@\*(C'\fR). Note that the mail will not be sent if an unauthorized
|
|
user tries to run sudo with the \fB\-l\fR or \fB\-v\fR option. This allows
|
|
users to determine for themselves whether or not they are allowed
|
|
to use \fBsudo\fR.
|
|
.PP
|
|
If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
|
|
is set, \fBsudo\fR will use this value to determine who the actual
|
|
user is. This can be used by a user to log commands through sudo
|
|
even when a root shell has been invoked. It also allows the \fB\-e\fR
|
|
option to remain useful even when being run via a sudo-run script or
|
|
program. Note however, that the sudoers lookup is still done for
|
|
root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
|
|
.PP
|
|
\&\fBsudo\fR can log both successful and unsuccessful attempts (as well
|
|
as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR
|
|
will log via \fIsyslog\fR\|(3) but this is changeable at configure time
|
|
or via the \fIsudoers\fR file.
|
|
.SH "OPTIONS"
|
|
.IX Header "OPTIONS"
|
|
\&\fBsudo\fR accepts the following command line options:
|
|
.IP "\-A" 12
|
|
.IX Item "-A"
|
|
Normally, if \fBsudo\fR requires a password, it will read it from the
|
|
current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
|
|
a (possibly graphical) helper program is executed to read the
|
|
user's password and output the password to the standard output. If
|
|
the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
|
|
path to the helper program. Otherwise, the value specified by the
|
|
\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used.
|
|
@BAMAN@.IP "\-a \fItype\fR" 12
|
|
@BAMAN@.IX Item "-a type"
|
|
@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
|
|
@BAMAN@specified authentication type when validating the user, as allowed
|
|
@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list
|
|
@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
|
|
@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems
|
|
@BAMAN@that support \s-1BSD\s0 authentication.
|
|
.IP "\-b" 12
|
|
.IX Item "-b"
|
|
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
|
|
command in the background. Note that if you use the \fB\-b\fR
|
|
option you cannot use shell job control to manipulate the process.
|
|
.IP "\-C \fIfd\fR" 12
|
|
.IX Item "-C fd"
|
|
Normally, \fBsudo\fR will close all open file descriptors other than
|
|
standard input, standard output and standard error. The \fB\-C\fR
|
|
(\fIclose from\fR) option allows the user to specify a starting point
|
|
above the standard error (file descriptor three). Values less than
|
|
three are not permitted. This option is only available if the
|
|
administrator has enabled the \fIclosefrom_override\fR option in
|
|
\&\fIsudoers\fR\|(@mansectform@).
|
|
@LCMAN@.IP "\-c \fIclass\fR" 12
|
|
@LCMAN@.IX Item "-c class"
|
|
@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
|
|
@LCMAN@with resources limited by the specified login class. The \fIclass\fR
|
|
@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR,
|
|
@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
|
|
@LCMAN@that the command should be run restricted by the default login
|
|
@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR
|
|
@LCMAN@argument specifies an existing user class, the command must be run
|
|
@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already
|
|
@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes.
|
|
.IP "\-E" 12
|
|
.IX Item "-E"
|
|
The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
|
|
\&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)). It is only
|
|
available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag
|
|
or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@).
|
|
.IP "\-e" 12
|
|
.IX Item "-e"
|
|
The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running
|
|
a command, the user wishes to edit one or more files. In lieu
|
|
of a command, the string \*(L"sudoedit\*(R" is used when consulting
|
|
the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR
|
|
the following steps are taken:
|
|
.RS 12
|
|
.IP "1." 4
|
|
Temporary copies are made of the files to be edited with the owner
|
|
set to the invoking user.
|
|
.IP "2." 4
|
|
The editor specified by the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR
|
|
environment variables is run to edit the temporary files. If none
|
|
of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program
|
|
listed in the \fIeditor\fR \fIsudoers\fR variable is used.
|
|
.IP "3." 4
|
|
If they have been modified, the temporary files are copied back to
|
|
their original location and the temporary versions are removed.
|
|
.RE
|
|
.RS 12
|
|
.Sp
|
|
If the specified file does not exist, it will be created. Note
|
|
that unlike most commands run by \fBsudo\fR, the editor is run with
|
|
the invoking user's environment unmodified. If, for some reason,
|
|
\&\fBsudo\fR is unable to update a file with its edited version, the
|
|
user will receive a warning and the edited copy will remain in a
|
|
temporary file.
|
|
.RE
|
|
.IP "\-g \fIgroup\fR" 12
|
|
.IX Item "-g group"
|
|
Normally, \fBsudo\fR sets the primary group to the one specified by
|
|
the passwd database for the user the command is being run as (by
|
|
default, root). The \fB\-g\fR (\fIgroup\fR) option causes \fBsudo\fR to run
|
|
the specified command with the primary group set to \fIgroup\fR. To
|
|
specify a \fIgid\fR instead of a \fIgroup name\fR, use \fI#gid\fR. When
|
|
running commands as a \fIgid\fR, many shells require that the '#' be
|
|
escaped with a backslash ('\e'). If no \fB\-u\fR option is specified,
|
|
the command will be run as the invoking user (not root). In either
|
|
case, the primary group will be set to \fIgroup\fR.
|
|
.IP "\-H" 12
|
|
.IX Item "-H"
|
|
The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
|
|
to the homedir of the target user (root by default) as specified
|
|
in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
|
|
(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)).
|
|
.IP "\-h" 12
|
|
.IX Item "-h"
|
|
The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
|
|
.IP "\-i [command]" 12
|
|
.IX Item "-i [command]"
|
|
The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
|
|
in the \fIpasswd\fR\|(@mansectform@) entry of the target user as a login shell. This
|
|
means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR or
|
|
\&\f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified,
|
|
it is passed to the shell for execution. Otherwise, an interactive
|
|
shell is executed. \fBsudo\fR attempts to change to that user's home
|
|
directory before running the shell. It also initializes the
|
|
environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting
|
|
\&\fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as
|
|
the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems.
|
|
All other environment variables are removed.
|
|
.IP "\-K" 12
|
|
.IX Item "-K"
|
|
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
|
|
the user's timestamp entirely and may not be used in conjunction
|
|
with a command or other option. This option does not require a
|
|
password.
|
|
.IP "\-k" 12
|
|
.IX Item "-k"
|
|
When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
|
|
the user's timestamp by setting the time on it to the Epoch. The
|
|
next time \fBsudo\fR is run a password will be required. This option
|
|
does not require a password and was added to allow a user to revoke
|
|
\&\fBsudo\fR permissions from a .logout file.
|
|
.Sp
|
|
When used in conjunction with a command or an option that may require
|
|
a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
|
|
timestamp file. As a result, \fBsudo\fR will prompt for a password
|
|
(if one is required by \fIsudoers\fR) and will not update the user's
|
|
timestamp file.
|
|
.IP "\-L" 12
|
|
.IX Item "-L"
|
|
The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that
|
|
may be set in a \fIDefaults\fR line along with a short description for
|
|
each. This option will be removed from a future version of \fBsudo\fR.
|
|
.IP "\-l[l] [\fIcommand\fR]" 12
|
|
.IX Item "-l[l] [command]"
|
|
If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
|
|
the allowed (and forbidden) commands for the invoking user (or the
|
|
user specified by the \fB\-U\fR option) on the current host. If a
|
|
\&\fIcommand\fR is specified and is permitted by \fIsudoers\fR, the
|
|
fully-qualified path to the command is displayed along with any
|
|
command line arguments. If \fIcommand\fR is specified but not allowed,
|
|
\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option is
|
|
specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR
|
|
is specified multiple times, a longer list format is used.
|
|
.IP "\-n" 12
|
|
.IX Item "-n"
|
|
The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
|
|
the user for a password. If a password is required for the command
|
|
to run, \fBsudo\fR will display an error messages and exit.
|
|
.IP "\-P" 12
|
|
.IX Item "-P"
|
|
The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
|
|
preserve the invoking user's group vector unaltered. By default,
|
|
\&\fBsudo\fR will initialize the group vector to the list of groups the
|
|
target user is in. The real and effective group IDs, however, are
|
|
still set to match the target user.
|
|
.IP "\-p \fIprompt\fR" 12
|
|
.IX Item "-p prompt"
|
|
The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
|
|
password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR')
|
|
escapes are supported:
|
|
.RS 12
|
|
.ie n .IP "%H" 4
|
|
.el .IP "\f(CW%H\fR" 4
|
|
.IX Item "%H"
|
|
expanded to the local host name including the domain name
|
|
(on if the machine's host name is fully qualified or the \fIfqdn\fR
|
|
\&\fIsudoers\fR option is set)
|
|
.ie n .IP "%h" 4
|
|
.el .IP "\f(CW%h\fR" 4
|
|
.IX Item "%h"
|
|
expanded to the local host name without the domain name
|
|
.ie n .IP "%p" 4
|
|
.el .IP "\f(CW%p\fR" 4
|
|
.IX Item "%p"
|
|
expanded to the user whose password is being asked for (respects the
|
|
\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
|
|
.ie n .IP "%U" 4
|
|
.el .IP "\f(CW%U\fR" 4
|
|
.IX Item "%U"
|
|
expanded to the login name of the user the command will
|
|
be run as (defaults to root)
|
|
.ie n .IP "%u" 4
|
|
.el .IP "\f(CW%u\fR" 4
|
|
.IX Item "%u"
|
|
expanded to the invoking user's login name
|
|
.ie n .IP "\*(C`%%\*(C'" 4
|
|
.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
|
|
.IX Item "%%"
|
|
two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
|
|
.RE
|
|
.RS 12
|
|
.Sp
|
|
The prompt specified by the \fB\-p\fR option will override the system
|
|
password prompt on systems that support \s-1PAM\s0 unless the
|
|
\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
|
|
.RE
|
|
@SEMAN@.IP "\-r \fIrole\fR" 12
|
|
@SEMAN@.IX Item "-r role"
|
|
@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
|
|
@SEMAN@have the role specified by \fIrole\fR.
|
|
.IP "\-S" 12
|
|
.IX Item "-S"
|
|
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
|
|
the standard input instead of the terminal device. The password must
|
|
be followed by a newline character.
|
|
.IP "\-s [command]" 12
|
|
.IX Item "-s [command]"
|
|
The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
|
|
environment variable if it is set or the shell as specified in
|
|
\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell
|
|
for execution. Otherwise, an interactive shell is executed.
|
|
@SEMAN@.IP "\-t \fItype\fR" 12
|
|
@SEMAN@.IX Item "-t type"
|
|
@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
|
|
@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default
|
|
@SEMAN@type is derived from the specified role.
|
|
.IP "\-U \fIuser\fR" 12
|
|
.IX Item "-U user"
|
|
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
|
|
option to specify the user whose privileges should be listed. Only
|
|
root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
|
|
option.
|
|
.IP "\-u \fIuser\fR" 12
|
|
.IX Item "-u user"
|
|
The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified
|
|
command as a user other than \fIroot\fR. To specify a \fIuid\fR instead
|
|
of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR,
|
|
many shells require that the '#' be escaped with a backslash ('\e').
|
|
Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(@mansectform@))
|
|
it is not possible to run commands with a uid not listed in the
|
|
password database.
|
|
.IP "\-V" 12
|
|
.IX Item "-V"
|
|
The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
|
|
number and exit. If the invoking user is already root the \fB\-V\fR
|
|
option will print out a list of the defaults \fBsudo\fR was compiled
|
|
with as well as the machine's local network addresses.
|
|
.IP "\-v" 12
|
|
.IX Item "-v"
|
|
If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
|
|
user's timestamp, prompting for the user's password if necessary.
|
|
This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes
|
|
(or whatever the timeout is set to in \fIsudoers\fR) but does not run
|
|
a command.
|
|
.IP "\-\-" 12
|
|
The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
|
|
line arguments. It is most useful in conjunction with the \fB\-s\fR option.
|
|
.PP
|
|
Environment variables to be set for the command may also be passed
|
|
on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
|
|
\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
|
|
command line are subject to the same restrictions as normal environment
|
|
variables with one important exception. If the \fIsetenv\fR option
|
|
is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
|
|
set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
|
|
that would overwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information.
|
|
.SH "RETURN VALUES"
|
|
.IX Header "RETURN VALUES"
|
|
Upon successful execution of a program, the exit status from \fBsudo\fR
|
|
will simply be the exit status of the program that was executed.
|
|
.PP
|
|
Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a
|
|
configuration/permission problem or if \fBsudo\fR cannot execute the
|
|
given command. In the latter case the error string is printed to
|
|
stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's
|
|
\&\f(CW\*(C`PATH\*(C'\fR an error is printed on stderr. (If the directory does not
|
|
exist or if it is not really a directory, the entry is ignored and
|
|
no error is printed.) This should not happen under normal
|
|
circumstances. The most common reason for \fIstat\fR\|(2) to return
|
|
\&\*(L"permission denied\*(R" is if you are running an automounter and one
|
|
of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is currently
|
|
unreachable.
|
|
.SH "SECURITY NOTES"
|
|
.IX Header "SECURITY NOTES"
|
|
\&\fBsudo\fR tries to be safe when executing external commands.
|
|
.PP
|
|
There are two distinct ways to deal with environment variables.
|
|
By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled.
|
|
This causes commands to be executed with a minimal environment
|
|
containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR
|
|
and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process
|
|
permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options.
|
|
There is effectively a whitelist for environment variables.
|
|
.PP
|
|
If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
|
|
variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
|
|
options are inherited from the invoking process. In this case,
|
|
\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it
|
|
is not possible to blacklist all potentially dangerous environment
|
|
variables, use of the default \fIenv_reset\fR behavior is encouraged.
|
|
.PP
|
|
In all cases, environment variables with a value beginning with
|
|
\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
|
|
The list of environment variables that \fBsudo\fR allows or denies is
|
|
contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
|
|
.PP
|
|
Note that the dynamic linker on most operating systems will remove
|
|
variables that can control dynamic linking from the environment of
|
|
setuid executables, including \fBsudo\fR. Depending on the operating
|
|
system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
|
|
\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
|
|
removed from the environment before \fBsudo\fR even begins execution
|
|
and, as such, it is not possible for \fBsudo\fR to preserve them.
|
|
.PP
|
|
To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
|
|
current directory) last when searching for a command in the user's
|
|
\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
|
|
actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
|
|
unchanged to the program that \fBsudo\fR executes.
|
|
.PP
|
|
\&\fBsudo\fR will check the ownership of its timestamp directory
|
|
(\fI@timedir@\fR by default) and ignore the directory's contents if
|
|
it is not owned by root or if it is writable by a user other than
|
|
root. On systems that allow non-root users to give away files via
|
|
\&\fIchown\fR\|(2), if the timestamp directory is located in a directory
|
|
writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to
|
|
create the timestamp directory before \fBsudo\fR is run. However,
|
|
because \fBsudo\fR checks the ownership and mode of the directory and
|
|
its contents, the only damage that can be done is to \*(L"hide\*(R" files
|
|
by putting them in the timestamp dir. This is unlikely to happen
|
|
since once the timestamp dir is owned by root and inaccessible by
|
|
any other user, the user placing files there would be unable to get
|
|
them back out. To get around this issue you can use a directory
|
|
that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for
|
|
instance) or create \fI@timedir@\fR with the appropriate owner (root)
|
|
and permissions (0700) in the system startup files.
|
|
.PP
|
|
\&\fBsudo\fR will not honor timestamps set far in the future.
|
|
Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
|
|
will be ignored and sudo will log and complain. This is done to
|
|
keep a user from creating his/her own timestamp with a bogus
|
|
date on systems that allow users to give away files.
|
|
.PP
|
|
Please note that \fBsudo\fR will normally only log the command it
|
|
explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
|
|
\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
|
|
logged, nor will \fBsudo\fR's access control affect them. The same
|
|
is true for commands that offer shell escapes (including most
|
|
editors). Because of this, care must be taken when giving users
|
|
access to commands via \fBsudo\fR to verify that the command does not
|
|
inadvertently give the user an effective root shell. For more
|
|
information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in
|
|
\&\fIsudoers\fR\|(@mansectform@).
|
|
.SH "ENVIRONMENT"
|
|
.IX Header "ENVIRONMENT"
|
|
\&\fBsudo\fR utilizes the following environment variables:
|
|
.ie n .IP "\*(C`EDITOR\*(C'" 16
|
|
.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
|
|
.IX Item "EDITOR"
|
|
Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
|
|
nor \f(CW\*(C`VISUAL\*(C'\fR is set
|
|
.ie n .IP "\*(C`HOME\*(C'" 16
|
|
.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
|
|
.IX Item "HOME"
|
|
In \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the
|
|
\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user
|
|
.ie n .IP "\*(C`PATH\*(C'" 16
|
|
.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
|
|
.IX Item "PATH"
|
|
Set to a sane value if the \fIsecure_path\fR sudoers option is set.
|
|
.ie n .IP "\*(C`SHELL\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
|
|
.IX Item "SHELL"
|
|
Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option
|
|
.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16
|
|
.IX Item "SUDO_ASKPASS"
|
|
Specifies the path to a helper program used to read the password
|
|
if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified.
|
|
.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16
|
|
.IX Item "SUDO_COMMAND"
|
|
Set to the command run by sudo
|
|
.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16
|
|
.IX Item "SUDO_EDITOR"
|
|
Default editor to use in \fB\-e\fR (sudoedit) mode
|
|
.ie n .IP "\*(C`SUDO_GID\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16
|
|
.IX Item "SUDO_GID"
|
|
Set to the group \s-1ID\s0 of the user who invoked sudo
|
|
.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
|
|
.IX Item "SUDO_PROMPT"
|
|
Used as the default password prompt
|
|
.ie n .IP "\*(C`SUDO_PS1\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16
|
|
.IX Item "SUDO_PS1"
|
|
If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run
|
|
.ie n .IP "\*(C`SUDO_UID\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
|
|
.IX Item "SUDO_UID"
|
|
Set to the user \s-1ID\s0 of the user who invoked sudo
|
|
.ie n .IP "\*(C`SUDO_USER\*(C'" 16
|
|
.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
|
|
.IX Item "SUDO_USER"
|
|
Set to the login of the user who invoked sudo
|
|
.ie n .IP "\*(C`USER\*(C'" 16
|
|
.el .IP "\f(CW\*(C`USER\*(C'\fR" 16
|
|
.IX Item "USER"
|
|
Set to the target user (root unless the \fB\-u\fR option is specified)
|
|
.ie n .IP "\*(C`VISUAL\*(C'" 16
|
|
.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
|
|
.IX Item "VISUAL"
|
|
Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR
|
|
is not set
|
|
.SH "FILES"
|
|
.IX Header "FILES"
|
|
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
|
|
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
|
|
.IX Item "@sysconfdir@/sudoers"
|
|
List of who can run what
|
|
.ie n .IP "\fI@timedir@\fR" 24
|
|
.el .IP "\fI@timedir@\fR" 24
|
|
.IX Item "@timedir@"
|
|
Directory containing timestamps
|
|
.IP "\fI/etc/environment\fR" 24
|
|
.IX Item "/etc/environment"
|
|
Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
|
|
.SH "EXAMPLES"
|
|
.IX Header "EXAMPLES"
|
|
Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries.
|
|
.PP
|
|
To get a file listing of an unreadable directory:
|
|
.PP
|
|
.Vb 1
|
|
\& $ sudo ls /usr/local/protected
|
|
.Ve
|
|
.PP
|
|
To list the home directory of user yaz on a machine where the
|
|
file system holding ~yaz is not exported as root:
|
|
.PP
|
|
.Vb 1
|
|
\& $ sudo \-u yaz ls ~yaz
|
|
.Ve
|
|
.PP
|
|
To edit the \fIindex.html\fR file as user www:
|
|
.PP
|
|
.Vb 1
|
|
\& $ sudo \-u www vi ~www/htdocs/index.html
|
|
.Ve
|
|
.PP
|
|
To view system logs only accessible to root and users in the adm group:
|
|
.PP
|
|
.Vb 1
|
|
\& $ sudo \-g adm view /var/log/syslog
|
|
.Ve
|
|
.PP
|
|
To run an editor as jim with a different primary group:
|
|
.PP
|
|
.Vb 1
|
|
\& $ sudo \-u jim \-g audio vi ~jim/sound.txt
|
|
.Ve
|
|
.PP
|
|
To shutdown a machine:
|
|
.PP
|
|
.Vb 1
|
|
\& $ sudo shutdown \-r +15 "quick reboot"
|
|
.Ve
|
|
.PP
|
|
To make a usage listing of the directories in the /home
|
|
partition. Note that this runs the commands in a sub-shell
|
|
to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
|
|
.PP
|
|
.Vb 1
|
|
\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE"
|
|
.Ve
|
|
.SH "SEE ALSO"
|
|
.IX Header "SEE ALSO"
|
|
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
|
|
@LCMAN@\&\fIlogin_cap\fR\|(3),
|
|
\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@)
|
|
.SH "AUTHORS"
|
|
.IX Header "AUTHORS"
|
|
Many people have worked on \fBsudo\fR over the years; this
|
|
version consists of code written primarily by:
|
|
.PP
|
|
.Vb 1
|
|
\& Todd C. Miller
|
|
.Ve
|
|
.PP
|
|
See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
|
|
http://www.sudo.ws/sudo/history.html for a short history
|
|
of \fBsudo\fR.
|
|
.SH "CAVEATS"
|
|
.IX Header "CAVEATS"
|
|
There is no easy way to prevent a user from gaining a root shell
|
|
if that user is allowed to run arbitrary commands via \fBsudo\fR.
|
|
Also, many programs (such as editors) allow the user to run commands
|
|
via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
|
|
most systems it is possible to prevent shell escapes with \fBsudo\fR's
|
|
\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual
|
|
for details.
|
|
.PP
|
|
It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
|
|
.PP
|
|
.Vb 1
|
|
\& $ sudo cd /usr/local/protected
|
|
.Ve
|
|
.PP
|
|
since when the command exits the parent process (your shell) will
|
|
still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
|
|
.PP
|
|
If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
|
|
creating their own program that gives them a root shell regardless
|
|
of any '!' elements in the user specification.
|
|
.PP
|
|
Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
|
|
make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
|
|
has a /dev/fd/ directory, setuid shell scripts are generally safe).
|
|
.SH "BUGS"
|
|
.IX Header "BUGS"
|
|
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
|
|
at http://www.sudo.ws/sudo/bugs/
|
|
.SH "SUPPORT"
|
|
.IX Header "SUPPORT"
|
|
Limited free support is available via the sudo-users mailing list,
|
|
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
|
|
search the archives.
|
|
.SH "DISCLAIMER"
|
|
.IX Header "DISCLAIMER"
|
|
\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
|
|
including, but not limited to, the implied warranties of merchantability
|
|
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
|
|
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
|
|
for complete details.
|