=cut
$Sudo$
=pod

=head1 NAME

sudo - execute a command as the superuser

=head1 SYNOPSIS

B<sudo> B<-V> | B<-h> | B<-l> | B<-v> | B<-k> | B<-s> | B<-H> |
[ B<-b> ] | [ B<-r> realm ] | [ B<-p> prompt ] [ B<-u> username/#uid] I<command>

=head1 DESCRIPTION

B<sudo> allows a permitted user to execute a I<command>
as the superuser (real and effective uid and gid are set
to C<0> and root's group as set in the passwd file respectively).

B<sudo> determines who is an authorized user by consulting the
file I</etc/sudoers>.  By giving B<sudo> the C<-v> flag a user
can update the time stamp without running a I<command>.
The password prompt itself will also time out if the user's password is
not entered within N minutes (again, this is defined at installation
time and defaults to 5 minutes).

If an unauthorized user executes B<sudo>, mail will be sent from the
user to the local authorities (defined at installation time).

B<sudo> was designed to log via the 4.3 BSD syslog(3) facility but
can log to a file instead if so desired (or to both syslog and a file).

=head1 OPTIONS

B<sudo> accepts the following command line options:

=over 4

=item -V

The C<-V> (I<version>) option causes B<sudo> to print the
version number and exit.

=item -l

The C<-l> (I<list>) option will list out the allowed and
forbidden commands for the user on the current host.

=item -h

The C<-h> (I<help>) option causes B<sudo> to print the version
of B<sudo> and a usage message before exiting.

=item -v

If given the C<-v> (I<validate>) option, B<sudo> will update the
user's timestamp file, prompting for the user's password if necessary.
This extends the B<sudo> timeout for another N minutes
(where N is defined at installation time and defaults to 5
minutes) but does not run a command.

=item -k

The C<-k> (I<kill>) option to B<sudo> removes the user's timestamp
file, thus requiring the user's password the next time B<sudo> is run.
This option does not require a password and was added to
allow a user to revoke B<sudo> permissions from a .logout file.

=item -b

The C<-b> (I<background>) option tells B<sudo> to run the given
command in the background.  Note that if you use the C<-b>
option you cannot use shell job control to manipulate the command.

=item -r

The C<-r> (I<realm>) option is only available if B<sudo> was configured
with B<Kerberos> version 5 support.  It allows the user to specify a
B<Kerberos> realm other than the system default to use when authenticating
the user via B<Kerberos>.

=item -p

The C<-p> (I<prompt>) option allows you to override the default
password prompt and use a custom one.  If the password prompt
contains the C<%u> escape, C<%u> will be replaced by the user's
login name.  Similarly, C<%h> will be replaced by the local
hostname.

=item -u

The C<-u> (I<user>) option causes B<sudo> to run the specified command
as a user other than I<root>.  To specify a I<uid> instead of a
I<username>, use "#uid".

=item -s

The C<-s> (I<shell>) option runs the shell specified by the I<SHELL>
environment variable if it is set or the shell as specified
in passwd(5).

=item -H

The C<-H> (I<HOME>) option sets the I<HOME> environment variable
to the homedir of the target user (root by default) as specified
in passwd(5).

=item --

The C<--> flag indicates that B<sudo> should stop processing command
line arguments.  It is most useful in conjunction with the C<-s> flag.

=back

=head1 RETURN VALUES

B<sudo> quits with an exit value of 1 if there is a
configuration/permission problem or if B<sudo> cannot execute the
given command.  In the latter case the error string is printed to
stderr via perror(3).  If B<sudo> cannot stat(2) one or more entries
in the user's PATH the error is printed on stderr via perror(3).
(If the directory does not exist or if it is not really a directory,
the entry is ignored and no error is printed.)  This should not
happen under normal circumstances.  The most common reason for
stat(2) to return "permission denied" is if you are running an
automounter and one of the directories in your PATH is on a machine
that is currently unreachable.

=head1 SECURITY NOTES

B<sudo> tries to be safe when executing external commands.  Variables
that control how dynamic loading and binding is done can be used
to subvert the program that B<sudo> runs.  To combat this the
C<LD_*>, C<_RLD_*>, C<SHLIB_PATH> (HP-UX only), and C<LIBPATH> (AIX
only) environment variables are removed from the environment passed
on to all commands executed.  B<sudo> will also remove the C<IFS>,
C<ENV>, C<BASH_ENV>, C<KRB_CONF> and C<KRB5_CONFIG> variables as
they too can pose a threat.

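The filtering described above, written out as an added example (this is not code from the B<sudo> distribution). The function names and the sample environment are hypothetical; only the variable list comes from this page.

```c
#include <stdio.h>
#include <string.h>

/* Any variable whose name starts with one of these prefixes is dropped. */
static const char *const bad_prefixes[] = { "LD_", "_RLD_", NULL };
/* Exact names that are dropped (SHLIB_PATH: HP-UX, LIBPATH: AIX). */
static const char *const bad_names[] = {
    "SHLIB_PATH", "LIBPATH", "IFS", "ENV", "BASH_ENV",
    "KRB_CONF", "KRB5_CONFIG", NULL
};

/* Return 1 if a "NAME=value" entry must not reach the executed command. */
int is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, namelen = eq ? (size_t)(eq - entry) : strlen(entry);

    for (i = 0; bad_prefixes[i] != NULL; i++)
        if (strncmp(entry, bad_prefixes[i], strlen(bad_prefixes[i])) == 0)
            return 1;
    /* Compare the whole name, so ENVIRON=... is not mistaken for ENV. */
    for (i = 0; bad_names[i] != NULL; i++)
        if (strlen(bad_names[i]) == namelen &&
            strncmp(entry, bad_names[i], namelen) == 0)
            return 1;
    return 0;
}

/* Compact envp in place, keeping safe entries; returns how many remain. */
size_t scrub_env(char **envp)
{
    size_t in, out = 0;
    for (in = 0; envp[in] != NULL; in++)
        if (!is_dangerous(envp[in]))
            envp[out++] = envp[in];
    envp[out] = NULL;
    return out;
}

int main(void)
{
    /* Constructed sample environment, not taken from a real system. */
    char *env[] = { "PATH=/usr/bin", "LD_PRELOAD=/tmp/x.so", "ENVIRON=ok",
                    "ENV=/tmp/rc", "IFS=:", "HOME=/home/alice", NULL };
    size_t i, n = scrub_env(env);
    for (i = 0; i < n; i++)
        puts(env[i]);
    return 0;
}
```
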
To prevent command spoofing, B<sudo> checks "." and "" (both denoting
current directory) last when searching for a command in the user's
PATH (if one or both are in the PATH).  Note, however, that the
actual PATH environment variable is I<not> modified and is passed
unchanged to the program that B<sudo> executes.

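An added example of the search order described above (not code from the B<sudo> distribution). The function name, C<MAX_DIRS> and the sample PATH are hypothetical; the PATH string itself is copied, not modified, matching the note that the variable is passed on unchanged.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DIRS 64

/* Split a PATH value into the order in which directories are searched,
 * with every entry naming the current directory ("." or an empty field)
 * deferred to the end.  buf must hold strlen(path) + 1 bytes; the
 * returned pointers refer into it. */
size_t search_order(const char *path, char *buf, const char *dirs[])
{
    size_t n = 0;
    int saw_cwd = 0;
    char *p, *next;

    strcpy(buf, path);
    /* strtok() would silently skip empty fields, so split by hand. */
    for (p = buf; p != NULL && n < MAX_DIRS - 1; p = next) {
        next = strchr(p, ':');
        if (next != NULL)
            *next++ = '\0';
        if (*p == '\0' || strcmp(p, ".") == 0)
            saw_cwd = 1;         /* remember it, but do not search it yet */
        else
            dirs[n++] = p;
    }
    if (saw_cwd)
        dirs[n++] = ".";         /* tried only after every other entry */
    return n;
}

int main(void)
{
    /* Constructed PATH with a leading "." and an empty field. */
    const char *path = ".:/usr/bin::/bin";
    char buf[64];
    const char *dirs[MAX_DIRS];
    size_t i, n = search_order(path, buf, dirs);

    for (i = 0; i < n; i++)
        printf("%lu: %s\n", (unsigned long)i + 1, dirs[i]);
    return 0;
}
```
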
For security reasons, if your OS supports shared libraries, B<sudo>
should always be statically linked unless the dynamic loader disables
user-defined library search paths for setuid programs.  (Most modern
dynamic loaders do this.)

B<sudo> will check the ownership of its timestamp directory
(F</var/run/sudo> or F</tmp/.odus> by default) and ignore the
directory's contents if it is not owned by root and only readable,
writable, and executable by root.  On systems that allow users to
give files away to root (via chown), if the timestamp directory is
located in a directory writable by anyone (i.e. F</tmp>), it is
possible for a user to create the timestamp directory before B<sudo>
is run.  However, because B<sudo> checks the ownership and mode of
the directory, the only damage that can be done is to "hide" files
by putting them in the timestamp dir.  This is unlikely to happen
since once the timestamp dir is owned by root and inaccessible by
any other user the user placing files there would be unable to get
them back out.  To get around this issue you can use a directory
that is not world-writable for the timestamps (F</var/adm/sudo> for
instance).

B<sudo> will not honor timestamp files set far in the future.
Timestamp files with a date greater than current_time + 2 * C<TIMEOUT>
will be ignored and B<sudo> will complain about a "preposterous stampfile
date".  This is done to keep a user from creating his/her own
timestamp file with a bogus date.

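The two timestamp checks above as an added example (not code from the B<sudo> distribution). The names are hypothetical, C<TIMEOUT_MIN> assumes the documented 5 minute default, "only readable, writable, and executable by root" is read as mode 0700, and a stamp dated in the future but inside the 2 * C<TIMEOUT> window is assumed to count as current.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>

#define TIMEOUT_MIN 5   /* assumed: the documented default of 5 minutes */

enum ts_status { TS_CURRENT, TS_EXPIRED, TS_PREPOSTEROUS };

/* Trust the timestamp directory only if it is a directory, owned by root,
 * with no permission bits set beyond rwx for the owner (mode 0700). */
int ts_dir_trusted(const struct stat *sb)
{
    if (!S_ISDIR(sb->st_mode) || sb->st_uid != 0)
        return 0;
    return (sb->st_mode & 07777) == 0700;
}

/* Classify a timestamp file's modification time against the clock. */
enum ts_status ts_check(time_t mtime, time_t now)
{
    time_t timeout = (time_t)TIMEOUT_MIN * 60;

    if (mtime > now + 2 * timeout)
        return TS_PREPOSTEROUS;  /* bogus future date: ignore the file */
    if (now - mtime > timeout)
        return TS_EXPIRED;       /* password must be entered again */
    return TS_CURRENT;
}

int main(void)
{
    struct stat sb;
    time_t now = time(NULL);

    /* "/tmp" stands in for a real timestamp directory in this demo. */
    if (stat("/tmp", &sb) == 0)
        printf("/tmp trusted as timestamp dir: %d\n", ts_dir_trusted(&sb));
    printf("stamp one hour ahead: %d\n", ts_check(now + 3600, now));
    return 0;
}
```
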
=head1 FILES

 /etc/sudoers    file of authorized users.

=head1 ENVIRONMENT VARIABLES

 PATH            Set to a sane value if SECURE_PATH is set
 SHELL           Used to determine shell to run with -s option
 USER            Set to the target user (root unless the -u option
                 is specified)
 HOME            In -s mode, set to homedir of root (or runas user)
                 if built with the SHELL_SETS_HOME option
 SUDO_PROMPT     Replaces the default password prompt
 SUDO_COMMAND    Set to the command run by sudo
 SUDO_USER       Set to the login of the user who invoked sudo
 SUDO_UID        Set to the uid of the user who invoked sudo
 SUDO_GID        Set to the gid of the user who invoked sudo
 SUDO_PS1        If set, PS1 will be set to its value

=head1 AUTHORS

Many people have worked on B<sudo> over the years; this
version consists of code written primarily by:

 Jeff Nieusma
 David Hieb
 Todd Miller
 Chris Jepeway

See the HISTORY file in the B<sudo> distribution for more details.

Please send all bugs, comments, and changes to sudo-bugs@courtesan.com.

=head1 DISCLAIMER

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA.

=head1 CAVEATS

There is no easy way to prevent a user from gaining a root shell if
that user has access to commands that allow shell escapes.

If users have sudo ALL there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
elements in the user specification.

Running shell scripts via B<sudo> can expose the same kernel bugs
that make setuid shell scripts unsafe on some operating systems.

=head1 SEE ALSO

sudoers(5), visudo(8), su(1).