SUDO(1m)                   MAINTENANCE COMMANDS                   SUDO(1m)

NAME
     sudo, sudoedit - execute a command as another user

SYNOPSIS
     sudo [-D level] -h | -K | -k | -V

     sudo -v [-AknS] [-a auth_type] [-D level] [-g group name|#gid]
          [-p prompt] [-u user name|#uid]

     sudo -l[l] [-AknS] [-a auth_type] [-D level] [-g group name|#gid]
          [-p prompt] [-U user name] [-u user name|#uid] [command]

     sudo [-AbEHnPS] [-a auth_type] [-C fd] [-D level] [-c class|-]
          [-g group name|#gid] [-p prompt] [-r role] [-t type]
          [-u user name|#uid] [VAR=value] [-i | -s] [command]

     sudoedit [-AnS] [-a auth_type] [-C fd] [-c class|-] [-D level]
          [-g group name|#gid] [-p prompt] [-u user name|#uid] file ...
DESCRIPTION
     sudo allows a permitted user to execute a command as the superuser or
     another user, as specified by the security policy.  The real and
     effective uid and gid are set to match those of the target user, as
     specified in the password database, and the group vector is
     initialized based on the group database (unless the -P option was
     specified).

     sudo supports a plugin architecture for security policies and
     input/output logging.  Third parties can develop and distribute their
     own policy and I/O logging modules to work seamlessly with the sudo
     front end.  The default security policy is sudoers, which is
     configured via the file /etc/sudoers, or via LDAP.  See the PLUGINS
     section for

     The security policy determines what privileges, if any, a user has to
     run sudo.  The policy may require that users authenticate themselves
     with a password or another authentication mechanism.  If
     authentication is required, sudo will exit if the user's password is
     not entered within a configurable time limit.  This limit is
     policy-specific; the default password prompt timeout for the sudoers
     security policy is 5

     Security policies may support credential caching to allow the user to
     run sudo again for a period of time without requiring authentication.
     The sudoers policy caches credentials for 5 minutes, unless overridden
     in sudoers(4).  By running sudo with the -v option, a user can update
     the cached credentials without running a command.

     When invoked as sudoedit, the -e option (described below), is implied.

     Security policies may log successful and failed attempts to use sudo.
     If an I/O plugin is configured, the running command's input and output
     may be logged as well.
OPTIONS
     sudo accepts the following command line options:

     -A          Normally, if sudo requires a password, it will read it
                 from the user's terminal.  If the -A (askpass) option is
                 specified, a (possibly graphical) helper program is
                 executed to read the user's password and output the
                 password to the standard output.  If the SUDO_ASKPASS
                 environment variable is set, it specifies the path to the
                 helper program.  Otherwise, if /etc/sudo.conf contains a
                 line specifying the askpass program, that value will be

                     # Path to askpass helper program
                     Path askpass /usr/X11R6/bin/ssh-askpass

                 If no askpass program is available, sudo will exit with an

     -a type     The -a (authentication type) option causes sudo to use the
                 specified authentication type when validating the user, as
                 allowed by /etc/login.conf.  The system administrator may
                 specify a list of sudo-specific authentication methods by
                 adding an "auth-sudo" entry in /etc/login.conf.  This
                 option is only available on systems that support BSD

     -b          The -b (background) option tells sudo to run the given
                 command in the background.  Note that if you use the -b
                 option you cannot use shell job control to manipulate the
                 process.  Most interactive commands will fail to work
                 properly in background mode.

     -C fd       Normally, sudo will close all open file descriptors other
                 than standard input, standard output and standard error.
                 The -C (close from) option allows the user to specify a
                 starting point above the standard error (file descriptor
                 three).  Values less than three are not permitted.  The
                 security policy may restrict the user's ability to use the
                 -C option.  The sudoers policy only permits use of the -C
                 option when the administrator has enabled the
                 closefrom_override option.

     -c class    The -c (class) option causes sudo to run the specified
                 command with resources limited by the specified login
                 class.  The class argument can be either a class name as
                 defined in /etc/login.conf, or a single '-' character.
                 Specifying a class of - indicates that the command should
                 be run restricted by the default login capabilities for the
                 user the command is run as.  If the class argument
                 specifies an existing user class, the command must be run
                 as root, or the sudo command must be run from a shell that
                 is already root.  This option is only available on systems
                 with BSD login classes.

     -D level    Enable debugging of sudo plugins and sudo itself.  The
                 level may be a value from 1 through 9.

     -E          The -E (preserve environment) option indicates to the
                 security policy that the user wishes to preserve their
                 existing environment variables.  The security policy may
                 return an error if the -E option is specified and the user
                 does not have permission to preserve the environment.

     -e          The -e (edit) option indicates that, instead of running a
                 command, the user wishes to edit one or more files.  In
                 lieu of a command, the string "sudoedit" is used when
                 consulting the security policy.  If the user is authorized
                 by the policy, the following steps are taken:

                 1.  Temporary copies are made of the files to be edited
                     with the owner set to the invoking user.

                 2.  The editor specified by the policy is run to edit the
                     temporary files.  The sudoers policy uses the
                     SUDO_EDITOR, VISUAL and EDITOR environment variables
                     (in that order).  If none of SUDO_EDITOR, VISUAL or
                     EDITOR are set, the first program listed in the editor
                     sudoers(4) option is used.

                 3.  If they have been modified, the temporary files are
                     copied back to their original location and the
                     temporary versions are removed.

                 If the specified file does not exist, it will be created.
                 Note that unlike most commands run by sudo, the editor is
                 run with the invoking user's environment unmodified.  If,
                 for some reason, sudo is unable to update a file with its
                 edited version, the user will receive a warning and the
                 edited copy will remain in a temporary file.

     -g group    Normally, sudo runs a command with the primary group set to
                 the one specified by the password database for the user the
                 command is being run as (by default, root).  The -g (group)
                 option causes sudo to run the command with the primary
                 group set to group instead.  To specify a gid instead of a
                 group name, use #gid.  When running commands as a gid, many
                 shells require that the '#' be escaped with a backslash
                 ('\').  If no -u option is specified, the command will be
                 run as the invoking user (not root).  In either case, the
                 primary group will be set to group.

     -H          The -H (HOME) option requests that the security policy set
                 the HOME environment variable to the home directory of the
                 target user (root by default) as specified by the password
                 database.  Depending on the policy, this may be the default

     -h          The -h (help) option causes sudo to print a short help
                 message to the standard output and exit.

     -i [command]
                 The -i (simulate initial login) option runs the shell
                 specified by the password database entry of the target user
                 as a login shell.  This means that login-specific resource
                 files such as .profile or .login will be read by the shell.
                 If a command is specified, it is passed to the shell for
                 execution via the shell's -c option.  If no command is
                 specified, an interactive shell is executed.  sudo attempts
                 to change to that user's home directory before running the
                 shell.  The security policy shall initialize the
                 environment to a minimal set of variables, similar to what
                 is present when a user logs in.  The Command Environment
                 section in the sudoers(4) manual documents how the -i
                 option affects the environment in which a command is run
                 when the sudoers policy is in use.

     -K          The -K (sure kill) option is like -k except that it removes
                 the user's cached credentials entirely and may not be used
                 in conjunction with a command or other option.  This option
                 does not require a password.  Not all security policies
                 support credential caching.

     -k          When used alone, the -k (kill) option to sudo invalidates
                 the user's cached credentials.  The next time sudo is run a
                 password will be required.  This option does not require a
                 password and was added to allow a user to revoke sudo
                 permissions from a .logout file.  Not all security policies
                 support credential caching.

                 When used in conjunction with a command or an option that
                 may require a password, the -k option will cause sudo to
                 ignore the user's cached credentials.  As a result, sudo
                 will prompt for a password (if one is required by the
                 security policy) and will not update the user's cached

     -l[l] [command]
                 If no command is specified, the -l (list) option will list
                 the allowed (and forbidden) commands for the invoking user
                 (or the user specified by the -U option) on the current
                 host.  If a command is specified and is permitted by the
                 security policy, the fully-qualified path to the command is
                 displayed along with any command line arguments.  If
                 command is specified but not allowed, sudo will exit with a
                 status value of 1.  If the -l option is specified with an l
                 argument (i.e. -ll), or if -l is specified multiple times,
                 a longer list format is used.

     -n          The -n (non-interactive) option prevents sudo from
                 prompting the user for a password.  If a password is
                 required for the command to run, sudo will display an error

     -P          The -P (preserve group vector) option causes sudo to
                 preserve the invoking user's group vector unaltered.  By
                 default, the sudoers policy will initialize the group
                 vector to the list of groups the target user is in.  The
                 real and effective group IDs, however, are still set to
                 match the target user.

     -p prompt   The -p (prompt) option allows you to override the default
                 password prompt and use a custom one.  The following
                 percent (`%') escapes are supported by the sudoers policy:

                 %H  expanded to the host name including the domain name
                     (only if the machine's host name is fully qualified or
                     the fqdn option is set in sudoers(4))

                 %h  expanded to the local host name without the domain
                     name

                 %p  expanded to the name of the user whose password is
                     being requested (respects the rootpw, targetpw and
                     runaspw flags in sudoers(4))

                 %U  expanded to the login name of the user the command
                     will be run as (defaults to root unless the -u option
                     is

                 %u  expanded to the invoking user's login name

                 %%  two consecutive % characters are collapsed into a

                 The prompt specified by the -p option will override the
                 system password prompt on systems that support PAM unless
                 the passprompt_override flag is disabled in sudoers.
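The escape list above, worked through as an added example (not sudo's own code): a small expander that applies %H, %h, %p, %U, %u and %% to a prompt string. Host and user values are passed in as constructed arguments so it runs offline; with the fqdn option set it assumes the caller already supplies the fully qualified name, and the precedence among rootpw, runaspw and targetpw for %p is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass
class PromptContext:
    """Values the sudoers policy would substitute into a -p prompt."""
    host: str                    # name the system reports; may be fully qualified
    invoking_user: str           # login name of the user running sudo (%u)
    target_user: str = "root"    # user the command runs as, from -u (%U)
    fqdn: bool = False           # sudoers "fqdn" option
    rootpw: bool = False         # sudoers "rootpw" flag
    targetpw: bool = False       # sudoers "targetpw" flag
    runaspw: bool = False        # sudoers "runaspw" flag
    runas_default: str = "root"  # assumed value of the runas_default option

    def short_host(self) -> str:
        # %h: local host name with any domain part removed
        return self.host.split(".", 1)[0]

    def long_host(self) -> str:
        # %H: domain kept only if the host name is already fully qualified
        # or fqdn is set.  Assumption: with fqdn set, `host` was already
        # resolved to its qualified form, since this example runs offline.
        if self.fqdn or "." in self.host:
            return self.host
        return self.short_host()

    def password_user(self) -> str:
        # %p: whose password is requested.  The precedence
        # rootpw > runaspw > targetpw is an assumption of this example.
        if self.rootpw:
            return "root"
        if self.runaspw:
            return self.runas_default
        if self.targetpw:
            return self.target_user
        return self.invoking_user


ESCAPES = {
    "H": PromptContext.long_host,
    "h": PromptContext.short_host,
    "p": PromptContext.password_user,
    "U": lambda ctx: ctx.target_user,
    "u": lambda ctx: ctx.invoking_user,
    "%": lambda ctx: "%",
}


def expand_prompt(prompt: str, ctx: PromptContext) -> str:
    """Expand the supported escapes in `prompt`; other text is copied verbatim."""
    out = []
    i = 0
    while i < len(prompt):
        ch = prompt[i]
        if ch == "%" and i + 1 < len(prompt) and prompt[i + 1] in ESCAPES:
            out.append(ESCAPES[prompt[i + 1]](ctx))
            i += 2
        else:
            # An unknown escape or a trailing lone "%" is left as-is
            # (assumption; the page does not say what sudoers does here).
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed values, not taken from any real host.
    ctx = PromptContext(host="db1.example.org", invoking_user="alice")
    print(expand_prompt("[sudo] password for %p on %h (%U): ", ctx))
```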
     -r role     The -r (role) option causes the new (SELinux) security
                 context to have the role specified by role.

     -S          The -S (stdin) option causes sudo to read the password from
                 the standard input instead of the terminal device.  The
                 password must be followed by a newline character.

     -s [command]
                 The -s (shell) option runs the shell specified by the SHELL
                 environment variable if it is set or the shell as specified
                 in the password database.  If a command is specified, it is
                 passed to the shell for execution via the shell's -c
                 option.  If no command is specified, an interactive shell

     -t type     The -t (type) option causes the new (SELinux) security
                 context to have the type specified by type.  If no type is
                 specified, the default type is derived from the specified

     -U user     The -U (other user) option is used in conjunction with the
                 -l option to specify the user whose privileges should be
                 listed.  The security policy may restrict listing other
                 users' privileges.  The sudoers policy only allows root or
                 a user with the ALL privilege on the current host to use

     -u user     The -u (user) option causes sudo to run the specified
                 command as a user other than root.  To specify a uid
                 instead of a user name, use #uid.  When running commands as
                 a uid, many shells require that the '#' be escaped with a
                 backslash ('\').  Security policies may restrict uids to
                 those listed in the password database.  The sudoers policy
                 allows uids that are not in the password database as long
                 as the targetpw option is not set.  Other security policies
                 may not support this.

     -V          The -V (version) option causes sudo to print its version
                 string and the version string of the security policy plugin
                 and any I/O plugins.  If the invoking user is already root
                 the -V option will display the arguments passed to
                 configure when sudo was built and plugins may display more
                 verbose information such as default options.

     -v          When given the -v (validate) option, sudo will update the
                 user's cached credentials, authenticating the user's
                 password if necessary.  For the sudoers plugin, this
                 extends the sudo timeout for another 5 minutes (or whatever
                 the timeout is set to in sudoers) but does not run a
                 command.  Not all security policies support cached

     --          The -- option indicates that sudo should stop processing
                 command line arguments.

     Environment variables to be set for the command may also be passed on
     the command line in the form of VAR=value, e.g.
     LD_LIBRARY_PATH=/usr/local/pkg/lib.  Variables passed on the command
     line are subject to the same restrictions as normal environment
     variables with one important exception.  If the setenv option is set in
     sudoers, the command to be run has the SETENV tag set or the command
     matched is ALL, the user may set variables that would otherwise be
     forbidden.  See sudoers(4) for more information.
PLUGINS
     Plugins are dynamically loaded based on the contents of the
     /etc/sudo.conf file.  If no /etc/sudo.conf file is present, or it
     contains no Plugin lines, sudo will use the traditional sudoers
     security policy and I/O logging, which corresponds to the following
     /etc/sudo.conf file.

         # Default /etc/sudo.conf file
         # Plugin plugin_name plugin_path
         # Path askpass /path/to/askpass
         # Path noexec /path/to/noexec.so
         # The plugin_path is relative to /usr/local/libexec unless
         # The plugin_name corresponds to a global symbol in the plugin
         # that contains the plugin interface structure.
         Plugin policy_plugin sudoers.so
         Plugin io_plugin sudoers.so

     A Plugin line consists of the Plugin keyword, followed by the
     symbol_name and the path to the shared object containing the plugin.
     The symbol_name is the name of the struct policy_plugin or struct
     io_plugin in the plugin shared object.  The path may be fully qualified
     or relative.  If not fully qualified it is relative to the
     /usr/local/libexec directory.  Any additional parameters after the path
     are ignored.  Lines that don't begin with Plugin or Path are silently

     For more information, see the sudo_plugin(1m) manual.

     A Path line consists of the Path keyword, followed by the name of the
     path to set and its value.  E.g.

         Path noexec /usr/local/libexec/sudo_noexec.so
         Path askpass /usr/X11R6/bin/ssh-askpass

     The following plugin-agnostic paths may be set in the /etc/sudo.conf

     askpass     The fully qualified path to a helper program used to
                 read the user's password when no terminal is available.
                 This may be the case when sudo is executed from a
                 graphical (as opposed to text-based) application.  The
                 program specified by askpass should display the
                 argument passed to it as the prompt and write the
                 user's password to the standard output.  The value of
                 askpass may be overridden by the SUDO_ASKPASS
                 environment variable.

     noexec      The fully-qualified path to a shared library containing
                 dummy versions of the execv(), execve() and fexecve()
                 library functions that just return an error.  This is
                 used to implement the noexec functionality on systems
                 that support LD_PRELOAD or its equivalent.  Defaults to
                 /usr/local/libexec/sudo_noexec.so.
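The Plugin and Path rules of this section, applied by an added example that is not sudo's own parser: relative plugin paths are resolved against /usr/local/libexec, extra fields and lines that start with neither keyword are skipped, a file with no Plugin lines falls back to the two default sudoers plugins, and noexec takes its documented default when unset. The sample file, its /opt path and the SudoConf name are constructed for the example.

```python
import posixpath
from dataclasses import dataclass, field

LIBEXEC = "/usr/local/libexec"          # base directory for relative plugin paths
DEFAULT_PLUGINS = [("policy_plugin", "sudoers.so"), ("io_plugin", "sudoers.so")]
DEFAULT_PATHS = {"noexec": "sudo_noexec.so"}   # documented noexec default, under LIBEXEC


@dataclass
class SudoConf:
    plugins: list = field(default_factory=list)   # [(symbol_name, absolute path)]
    paths: dict = field(default_factory=dict)     # {"askpass": ..., "noexec": ...}


def _absolute(path: str) -> str:
    # A path that is not fully qualified is relative to LIBEXEC.
    return path if path.startswith("/") else posixpath.join(LIBEXEC, path)


def parse_sudo_conf(text: str) -> SudoConf:
    conf = SudoConf()
    for raw in text.splitlines():
        fields = raw.split()
        # Comments, blank lines and lines not starting with Plugin or Path
        # are skipped.  A Plugin/Path line missing its value is skipped too
        # (assumption: the page does not say how sudo treats that case).
        if len(fields) < 3:
            continue
        keyword, name, value = fields[0], fields[1], fields[2]   # later fields ignored
        if keyword == "Plugin":
            conf.plugins.append((name, _absolute(value)))
        elif keyword == "Path":
            conf.paths[name] = value
    if not conf.plugins:
        # No Plugin lines (or no file at all): traditional sudoers policy
        # and I/O logging, as in the default /etc/sudo.conf shown above.
        conf.plugins = [(sym, _absolute(p)) for sym, p in DEFAULT_PLUGINS]
    for name, p in DEFAULT_PATHS.items():
        conf.paths.setdefault(name, _absolute(p))
    return conf


# Constructed sample; the /opt path and the last line are made up for the demo.
SAMPLE_CONF = """\
# Plugin plugin_name plugin_path
Plugin policy_plugin sudoers.so these extra fields are ignored
Plugin io_plugin /opt/sudo/lib/iolog.so
Path askpass /usr/X11R6/bin/ssh-askpass
Unknown keyword lines like this one are skipped
"""


if __name__ == "__main__":
    conf = parse_sudo_conf(SAMPLE_CONF)
    for sym, path in conf.plugins:
        print(f"plugin {sym}: {path}")
    for name, path in conf.paths.items():
        print(f"path {name}: {path}")
```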
RETURN VALUES
     Upon successful execution of a program, the exit status from sudo will
     simply be the exit status of the program that was executed.

     Otherwise, sudo exits with a value of 1 if there is a
     configuration/permission problem or if sudo cannot execute the given
     command.  In the latter case the error string is printed to the
     standard error.  If sudo cannot stat(2) one or more entries in the
     user's PATH, an error is printed on stderr.  (If the directory does not
     exist or if it is not really a directory, the entry is ignored and no
     error is printed.)  This should not happen under normal circumstances.
     The most common reason for stat(2) to return "permission denied" is if
     you are running an automounter and one of the directories in your PATH
     is on a machine that is currently unreachable.
SECURITY NOTES
     sudo tries to be safe when executing external commands.

     To prevent command spoofing, sudo checks "." and "" (both denoting
     current directory) last when searching for a command in the user's PATH
     (if one or both are in the PATH).  Note, however, that the actual PATH
     environment variable is not modified and is passed unchanged to the
     program that sudo executes.
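The ordering rule above, as an added example that is not sudo's own lookup code: a PATH search that consults "." and "" only after every other entry, run against a constructed file table through an is_executable callback that stands in for the stat()/access() checks. The spoof_safe switch is an assumption added so the difference from a naive left-to-right search is visible.

```python
import posixpath
from typing import Callable, List, Optional

CWD_ENTRIES = (".", "")   # both denote the current directory in PATH


def search_order(path: str) -> List[str]:
    """PATH entries in the order sudo consults them: "." and "" moved last."""
    entries = path.split(":")
    others = [e for e in entries if e not in CWD_ENTRIES]
    cwd = [e for e in entries if e in CWD_ENTRIES]
    return others + cwd


def find_command(command: str, path: str,
                 is_executable: Callable[[str], bool],
                 spoof_safe: bool = True) -> Optional[str]:
    """Return the path that would be executed for `command`, or None.

    With spoof_safe=False the raw PATH order is used, to show what the
    reordering prevents.  Note that PATH itself is never rewritten; only
    the search order differs.
    """
    if "/" in command:
        # A command containing a slash is taken as given, with no PATH
        # search (assumption of this example).
        return command if is_executable(command) else None
    entries = search_order(path) if spoof_safe else path.split(":")
    for entry in entries:
        # "." and "" both resolve to the current directory.
        candidate = posixpath.join(entry if entry else ".", command)
        if is_executable(candidate):
            return candidate
    return None


# Constructed file table: a "./ls" in the current directory next to the
# real /usr/bin/ls, the situation the reordering guards against.
FILES = {"/usr/bin/ls", "/bin/cat", "./ls", "./myscript"}


def demo_is_executable(candidate: str) -> bool:
    return candidate in FILES


if __name__ == "__main__":
    path = ".:/usr/bin:/bin"
    print("sudo order :", find_command("ls", path, demo_is_executable))
    print("naive order:", find_command("ls", path, demo_is_executable, spoof_safe=False))
```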
     Please note that sudo will normally only log the command it explicitly
     runs.  If a user runs a command such as sudo su or sudo sh, subsequent
     commands run from that shell are not subject to sudo's security policy.
     The same is true for commands that offer shell escapes (including most
     editors).  If I/O logging is enabled, subsequent commands will have
     their input and/or output logged, but there will not be traditional
     logs for those commands.  Because of this, care must be taken when
     giving users access to commands via sudo to verify that the command
     does not inadvertently give the user an effective root shell.  For more
     information, please see the PREVENTING SHELL ESCAPES section in
     sudoers(4).
ENVIRONMENT
     sudo utilizes the following environment variables.  The security policy
     has control over the content of the command's environment.

     EDITOR          Default editor to use in -e (sudoedit) mode if neither
                     SUDO_EDITOR nor VISUAL is set

     MAIL            In -i mode or when env_reset is enabled in sudoers, set
                     to the mail spool of the target user

     HOME            Set to the home directory of the target user if -i or
                     -H are specified, env_reset or always_set_home are set
                     in sudoers, or when the -s option is specified and
                     set_home is set in sudoers

     PATH            May be overridden by the security policy.

     SHELL           Used to determine shell to run with -s option

     SUDO_ASKPASS    Specifies the path to a helper program used to read the
                     password if no terminal is available or if the -A

     SUDO_COMMAND    Set to the command run by sudo

     SUDO_EDITOR     Default editor to use in -e (sudoedit) mode

     SUDO_GID        Set to the group ID of the user who invoked sudo

     SUDO_PROMPT     Used as the default password prompt

     SUDO_PS1        If set, PS1 will be set to its value for the program

     SUDO_UID        Set to the user ID of the user who invoked sudo

     SUDO_USER       Set to the login of the user who invoked sudo

     USER            Set to the target user (root unless the -u option is

     VISUAL          Default editor to use in -e (sudoedit) mode if
                     SUDO_EDITOR is not set

FILES
     /etc/sudo.conf  sudo plugin and path configuration
EXAMPLES
     Note: the following examples assume a properly configured security

     To get a file listing of an unreadable directory:

         $ sudo ls /usr/local/protected

     To list the home directory of user yaz on a machine where the file
     system holding ~yaz is not exported as root:

         $ sudo -u yaz ls ~yaz

     To edit the index.html file as user www:

         $ sudo -u www vi ~www/htdocs/index.html

     To view system logs only accessible to root and users in the adm group:

         $ sudo -g adm view /var/log/syslog

     To run an editor as jim with a different primary group:

         $ sudo -u jim -g audio vi ~jim/sound.txt

     To shutdown a machine:

         $ sudo shutdown -r +15 "quick reboot"

     To make a usage listing of the directories in the /home partition.
     Note that this runs the commands in a sub-shell to make the cd and file

         $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
SEE ALSO
     grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4),
     sudo_plugin(1m), sudoreplay(1m), visudo(1m)

AUTHORS
     Many people have worked on sudo over the years; this version consists
     of code written primarily by:

     See the HISTORY file in the sudo distribution or visit
     http://www.sudo.ws/sudo/history.html for a short history of sudo.

CAVEATS
     There is no easy way to prevent a user from gaining a root shell if
     that user is allowed to run arbitrary commands via sudo.  Also, many
     programs (such as editors) allow the user to run commands via shell
     escapes, thus avoiding sudo's checks.  However, on most systems it is
     possible to prevent shell escapes with the sudoers(4) module's noexec

     It is not meaningful to run the cd command directly via sudo, e.g.,

         $ sudo cd /usr/local/protected

     since when the command exits the parent process (your shell) will still
     be the same.  Please see the EXAMPLES section for more information.

     Running shell scripts via sudo can expose the same kernel bugs that
     make setuid shell scripts unsafe on some operating systems (if your OS
     has a /dev/fd/ directory, setuid shell scripts are generally safe).

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE file distributed with sudo or
     http://www.sudo.ws/sudo/license.html for complete details.

1.8.3                        September 16, 2011                       SUDO(1m)