1 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
6 sudo, sudoedit - execute a command as another user
8 S
\bSY
\bYN
\bNO
\bOP
\bPS
\bSI
\bIS
\bS
9 s
\bsu
\bud
\bdo
\bo -
\b-h
\bh | -
\b-K
\bK | -
\b-k
\bk | -
\b-V
\bV
11 s
\bsu
\bud
\bdo
\bo -
\b-v
\bv [-
\b-A
\bAk
\bkn
\bnS
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-g
\bg _
\bg_
\br_
\bo_
\bu_
\bp _
\bn_
\ba_
\bm_
\be|_
\b#_
\bg_
\bi_
\bd] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
12 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br _
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd]
14 s
\bsu
\bud
\bdo
\bo -
\b-l
\bl[
\b[l
\bl]
\b] [-
\b-A
\bAk
\bkn
\bnS
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-g
\bg _
\bg_
\br_
\bo_
\bu_
\bp _
\bn_
\ba_
\bm_
\be|_
\b#_
\bg_
\bi_
\bd] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
15 [-
\b-U
\bU _
\bu_
\bs_
\be_
\br _
\bn_
\ba_
\bm_
\be] [-
\b-u
\bu _
\bu_
\bs_
\be_
\br _
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] [_
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd]
17 s
\bsu
\bud
\bdo
\bo [-
\b-A
\bAb
\bbE
\bEH
\bHn
\bnP
\bPS
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-C
\bC _
\bf_
\bd] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-]
18 [-
\b-g
\bg _
\bg_
\br_
\bo_
\bu_
\bp _
\bn_
\ba_
\bm_
\be|_
\b#_
\bg_
\bi_
\bd] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt] [-
\b-r
\br _
\br_
\bo_
\bl_
\be] [-
\b-t
\bt _
\bt_
\by_
\bp_
\be]
19 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br _
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] [V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be] [-
\b-i
\bi | -
\b-s
\bs] [_
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd]
21 s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt [-
\b-A
\bAn
\bnS
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-C
\bC _
\bf_
\bd] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-]
22 [-
\b-g
\bg _
\bg_
\br_
\bo_
\bu_
\bp _
\bn_
\ba_
\bm_
\be|_
\b#_
\bg_
\bi_
\bd] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt] [-
\b-u
\bu _
\bu_
\bs_
\be_
\br _
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] file ...
24 D
\bDE
\bES
\bSC
\bCR
\bRI
\bIP
\bPT
\bTI
\bIO
\bON
\bN
25 s
\bsu
\bud
\bdo
\bo allows a permitted user to execute a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd as the superuser or
26 another user, as specified by the security policy. The real and
27 effective uid and gid are set to match those of the target user, as
28 specified in the password database, and the group vector is initialized
29 based on the group database (unless the -
\b-P
\bP option was specified).
31 s
\bsu
\bud
\bdo
\bo supports a plugin architecture for security policies and
32 input/output logging. Third parties can develop and distribute their
33 own policy and I/O logging modules to work seamlessly with the s
\bsu
\bud
\bdo
\bo
34 front end. The default security policy is _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs, which is configured
35 via the file _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs, or via LDAP. See the PLUGINS section for
38 The security policy determines what privileges, if any, a user has to
39 run s
\bsu
\bud
\bdo
\bo. The policy may require that users authenticate themselves
40 with a password or another authentication mechanism. If authentication
41 is required, s
\bsu
\bud
\bdo
\bo will exit if the user's password is not entered
42 within a configurable time limit. This limit is policy-specific; the
43 default password prompt timeout for the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs security policy is 5
46 Security policies may support credential caching to allow the user to
47 run s
\bsu
\bud
\bdo
\bo again for a period of time without requiring authentication.
48 The _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs policy caches credentials for 5 minutes, unless overridden
49 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4). By running s
\bsu
\bud
\bdo
\bo with the -
\b-v
\bv option, a user can update
50 the cached credentials without running a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd.
52 When invoked as s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt, the -
\b-e
\be option (described below), is implied.
54 Security policies may log successful and failed attempts to use s
\bsu
\bud
\bdo
\bo.
55 If an I/O plugin is configured, the running command's input and output
56 may be logged as well.
58 O
\bOP
\bPT
\bTI
\bIO
\bON
\bNS
\bS
59 s
\bsu
\bud
\bdo
\bo accepts the following command line options:
61 -A Normally, if s
\bsu
\bud
\bdo
\bo requires a password, it will read it from
62 the user's terminal. If the -
\b-A
\bA (_
\ba_
\bs_
\bk_
\bp_
\ba_
\bs_
\bs) option is
63 specified, a (possibly graphical) helper program is
64 executed to read the user's password and output the
65 password to the standard output. If the SUDO_ASKPASS
66 environment variable is set, it specifies the path to the
67 helper program. Otherwise, if _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf contains a
68 line specifying the askpass program, that value will be
71 # Path to askpass helper program
72 Path askpass /usr/X11R6/bin/ssh-askpass
74 If no askpass program is available, sudo will exit with an
77 -a _
\bt_
\by_
\bp_
\be The -
\b-a
\ba (_
\ba_
\bu_
\bt_
\bh_
\be_
\bn_
\bt_
\bi_
\bc_
\ba_
\bt_
\bi_
\bo_
\bn _
\bt_
\by_
\bp_
\be) option causes s
\bsu
\bud
\bdo
\bo to use the
78 specified authentication type when validating the user, as
79 allowed by _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. The system administrator may
80 specify a list of sudo-specific authentication methods by
81 adding an "auth-sudo" entry in _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. This
82 option is only available on systems that support BSD
85 -b The -
\b-b
\bb (_
\bb_
\ba_
\bc_
\bk_
\bg_
\br_
\bo_
\bu_
\bn_
\bd) option tells s
\bsu
\bud
\bdo
\bo to run the given
86 command in the background. Note that if you use the -
\b-b
\bb
87 option you cannot use shell job control to manipulate the
88 process. Most interactive commands will fail to work
89 properly in background mode.
91 -C _
\bf_
\bd Normally, s
\bsu
\bud
\bdo
\bo will close all open file descriptors other
92 than standard input, standard output and standard error.
93 The -
\b-C
\bC (_
\bc_
\bl_
\bo_
\bs_
\be _
\bf_
\br_
\bo_
\bm) option allows the user to specify a
94 starting point above the standard error (file descriptor
95 three). Values less than three are not permitted. The
96 security policy may restrict the user's ability to use the
97 -
\b-C
\bC option. The _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs policy only permits use of the -
\b-C
\bC
98 option when the administrator has enabled the
99 _
\bc_
\bl_
\bo_
\bs_
\be_
\bf_
\br_
\bo_
\bm_
\b__
\bo_
\bv_
\be_
\br_
\br_
\bi_
\bd_
\be option.
101 -c _
\bc_
\bl_
\ba_
\bs_
\bs The -
\b-c
\bc (_
\bc_
\bl_
\ba_
\bs_
\bs) option causes s
\bsu
\bud
\bdo
\bo to run the specified
102 command with resources limited by the specified login
103 class. The _
\bc_
\bl_
\ba_
\bs_
\bs argument can be either a class name as
104 defined in _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf, or a single '-' character.
105 Specifying a _
\bc_
\bl_
\ba_
\bs_
\bs of - indicates that the command should
106 be run restricted by the default login capabilities for the
107 user the command is run as. If the _
\bc_
\bl_
\ba_
\bs_
\bs argument
108 specifies an existing user class, the command must be run
109 as root, or the s
\bsu
\bud
\bdo
\bo command must be run from a shell that
110 is already root. This option is only available on systems
111 with BSD login classes.
113 -E The -
\b-E
\bE (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\be_
\bn_
\bv_
\bi_
\br_
\bo_
\bn_
\bm_
\be_
\bn_
\bt) option indicates to the
114 security policy that the user wishes to preserve their
115 existing environment variables. The security policy may
116 return an error if the -
\b-E
\bE option is specified and the user
117 does not have permission to preserve the environment.
119 -e The -
\b-e
\be (_
\be_
\bd_
\bi_
\bt) option indicates that, instead of running a
120 command, the user wishes to edit one or more files. In
121 lieu of a command, the string "sudoedit" is used when
122 consulting the security policy. If the user is authorized
123 by the policy, the following steps are taken:
125 1. Temporary copies are made of the files to be edited
126 with the owner set to the invoking user.
128 2. The editor specified by the policy is run to edit the
129 temporary files. The _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs policy uses the
130 SUDO_EDITOR, VISUAL and EDITOR environment variables
131 (in that order). If none of SUDO_EDITOR, VISUAL or
132 EDITOR are set, the first program listed in the _
\be_
\bd_
\bi_
\bt_
\bo_
\br
133 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) option is used.
135 3. If they have been modified, the temporary files are
136 copied back to their original location and the
137 temporary versions are removed.
139 If the specified file does not exist, it will be created.
140 Note that unlike most commands run by s
\bsu
\bud
\bdo
\bo, the editor is
141 run with the invoking user's environment unmodified. If,
142 for some reason, s
\bsu
\bud
\bdo
\bo is unable to update a file with its
143 edited version, the user will receive a warning and the
144 edited copy will remain in a temporary file.
146 -g _
\bg_
\br_
\bo_
\bu_
\bp Normally, s
\bsu
\bud
\bdo
\bo runs a command with the primary group set to
147 the one specified by the password database for the user the
148 command is being run as (by default, root). The -
\b-g
\bg (_
\bg_
\br_
\bo_
\bu_
\bp)
149 option causes s
\bsu
\bud
\bdo
\bo to run the command with the primary
150 group set to _
\bg_
\br_
\bo_
\bu_
\bp instead. To specify a _
\bg_
\bi_
\bd instead of a
151 _
\bg_
\br_
\bo_
\bu_
\bp _
\bn_
\ba_
\bm_
\be, use _
\b#_
\bg_
\bi_
\bd. When running commands as a _
\bg_
\bi_
\bd, many
152 shells require that the '#' be escaped with a backslash
153 ('\'). If no -
\b-u
\bu option is specified, the command will be
154 run as the invoking user (not root). In either case, the
155 primary group will be set to _
\bg_
\br_
\bo_
\bu_
\bp.
157 -H The -
\b-H
\bH (_
\bH_
\bO_
\bM_
\bE) option requests that the security policy set
158 the HOME environment variable to the home directory of the
159 target user (root by default) as specified by the password
160 database. Depending on the policy, this may be the default
163 -h The -
\b-h
\bh (_
\bh_
\be_
\bl_
\bp) option causes s
\bsu
\bud
\bdo
\bo to print a short help
164 message to the standard output and exit.
167 The -
\b-i
\bi (_
\bs_
\bi_
\bm_
\bu_
\bl_
\ba_
\bt_
\be _
\bi_
\bn_
\bi_
\bt_
\bi_
\ba_
\bl _
\bl_
\bo_
\bg_
\bi_
\bn) option runs the shell
168 specified by the password database entry of the target user
169 as a login shell. This means that login-specific resource
170 files such as .profile or .login will be read by the shell.
171 If a command is specified, it is passed to the shell for
172 execution via the shell's -
\b-c
\bc option. If no command is
173 specified, an interactive shell is executed. s
\bsu
\bud
\bdo
\bo attempts
174 to change to that user's home directory before running the
175 shell. The security policy shall initialize the
176 environment to a minimal set of variables, similar to what
177 is present when a user logs in. The _
\bC_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd _
\bE_
\bn_
\bv_
\bi_
\br_
\bo_
\bn_
\bm_
\be_
\bn_
\bt
178 section in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) manual documents how the -
\b-i
\bi
179 option affects the environment in which a command is run
180 when the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs policy is in use.
182 -K The -
\b-K
\bK (sure _
\bk_
\bi_
\bl_
\bl) option is like -
\b-k
\bk except that it removes
183 the user's cached credentials entirely and may not be used
184 in conjunction with a command or other option. This option
185 does not require a password. Not all security policies
186 support credential caching.
189 When used alone, the -
\b-k
\bk (_
\bk_
\bi_
\bl_
\bl) option to s
\bsu
\bud
\bdo
\bo invalidates
190 the user's cached credentials. The next time s
\bsu
\bud
\bdo
\bo is run a
191 password will be required. This option does not require a
192 password and was added to allow a user to revoke s
\bsu
\bud
\bdo
\bo
193 permissions from a .logout file. Not all security policies
194 support credential caching.
196 When used in conjunction with a command or an option that
197 may require a password, the -
\b-k
\bk option will cause s
\bsu
\bud
\bdo
\bo to
198 ignore the user's cached credentials. As a result, s
\bsu
\bud
\bdo
\bo
199 will prompt for a password (if one is required by the
200 security policy) and will not update the user's cached
203 -l[l] [_
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd]
204 If no _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd is specified, the -
\b-l
\bl (_
\bl_
\bi_
\bs_
\bt) option will list
205 the allowed (and forbidden) commands for the invoking user
206 (or the user specified by the -
\b-U
\bU option) on the current
207 host. If a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd is specified and is permitted by the
208 security policy, the fully-qualified path to the command is
209 displayed along with any command line arguments. If
210 _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd is specified but not allowed, s
\bsu
\bud
\bdo
\bo will exit with a
211 status value of 1. If the -
\b-l
\bl option is specified with an l
\bl
212 argument (i.e. -
\b-l
\bll
\bl), or if -
\b-l
\bl is specified multiple times,
213 a longer list format is used.
215 -n The -
\b-n
\bn (_
\bn_
\bo_
\bn_
\b-_
\bi_
\bn_
\bt_
\be_
\br_
\ba_
\bc_
\bt_
\bi_
\bv_
\be) option prevents s
\bsu
\bud
\bdo
\bo from
216 prompting the user for a password. If a password is
217 required for the command to run, s
\bsu
\bud
\bdo
\bo will display an error
220 -P The -
\b-P
\bP (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\bg_
\br_
\bo_
\bu_
\bp _
\bv_
\be_
\bc_
\bt_
\bo_
\br) option causes s
\bsu
\bud
\bdo
\bo to
221 preserve the invoking user's group vector unaltered. By
222 default, the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs policy will initialize the group
223 vector to the list of groups the target user is in. The
224 real and effective group IDs, however, are still set to
225 match the target user.
227 -p _
\bp_
\br_
\bo_
\bm_
\bp_
\bt The -
\b-p
\bp (_
\bp_
\br_
\bo_
\bm_
\bp_
\bt) option allows you to override the default
228 password prompt and use a custom one. The following
229 percent (`%') escapes are supported by the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs policy:
231 %H expanded to the host name including the domain name (on
232 if the machine's host name is fully qualified or the
233 _
\bf_
\bq_
\bd_
\bn option is set in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4))
235 %h expanded to the local host name without the domain name
237 %p expanded to the name of the user whose password is
238 being requested (respects the _
\br_
\bo_
\bo_
\bt_
\bp_
\bw, _
\bt_
\ba_
\br_
\bg_
\be_
\bt_
\bp_
\bw and
239 _
\br_
\bu_
\bn_
\ba_
\bs_
\bp_
\bw flags in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4))
241 %U expanded to the login name of the user the command will
242 be run as (defaults to root unless the -u option is
245 %u expanded to the invoking user's login name
247 %% two consecutive % characters are collapsed into a
250 The prompt specified by the -
\b-p
\bp option will override the
251 system password prompt on systems that support PAM unless
252 the _
\bp_
\ba_
\bs_
\bs_
\bp_
\br_
\bo_
\bm_
\bp_
\bt_
\b__
\bo_
\bv_
\be_
\br_
\br_
\bi_
\bd_
\be flag is disabled in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs.
254 -r _
\br_
\bo_
\bl_
\be The -
\b-r
\br (_
\br_
\bo_
\bl_
\be) option causes the new (SELinux) security
255 context to have the role specified by _
\br_
\bo_
\bl_
\be.
257 -S The -
\b-S
\bS (_
\bs_
\bt_
\bd_
\bi_
\bn) option causes s
\bsu
\bud
\bdo
\bo to read the password from
258 the standard input instead of the terminal device. The
259 password must be followed by a newline character.
262 The -
\b-s
\bs (_
\bs_
\bh_
\be_
\bl_
\bl) option runs the shell specified by the _
\bS_
\bH_
\bE_
\bL_
\bL
263 environment variable if it is set or the shell as specified
264 in the password database. If a command is specified, it is
265 passed to the shell for execution via the shell's -
\b-c
\bc
266 option. If no command is specified, an interactive shell
269 -t _
\bt_
\by_
\bp_
\be The -
\b-t
\bt (_
\bt_
\by_
\bp_
\be) option causes the new (SELinux) security
270 context to have the type specified by _
\bt_
\by_
\bp_
\be. If no type is
271 specified, the default type is derived from the specified
274 -U _
\bu_
\bs_
\be_
\br The -
\b-U
\bU (_
\bo_
\bt_
\bh_
\be_
\br _
\bu_
\bs_
\be_
\br) option is used in conjunction with the
275 -
\b-l
\bl option to specify the user whose privileges should be
276 listed. The security policy may restrict listing other
277 users' privileges. The _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs policy only allows root or
278 a user with the ALL privilege on the current host to use
281 -u _
\bu_
\bs_
\be_
\br The -
\b-u
\bu (_
\bu_
\bs_
\be_
\br) option causes s
\bsu
\bud
\bdo
\bo to run the specified
282 command as a user other than _
\br_
\bo_
\bo_
\bt. To specify a _
\bu_
\bi_
\bd
283 instead of a _
\bu_
\bs_
\be_
\br _
\bn_
\ba_
\bm_
\be, use _
\b#_
\bu_
\bi_
\bd. When running commands as
284 a _
\bu_
\bi_
\bd, many shells require that the '#' be escaped with a
285 backslash ('\'). Security policies may restrict _
\bu_
\bi_
\bds to
286 those listed in the password database. The _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs policy
287 allows _
\bu_
\bi_
\bds that are not in the password database as long
288 as the _
\bt_
\ba_
\br_
\bg_
\be_
\bt_
\bp_
\bw option is not set. Other security policies
289 may not support this.
291 -V The -
\b-V
\bV (_
\bv_
\be_
\br_
\bs_
\bi_
\bo_
\bn) option causes s
\bsu
\bud
\bdo
\bo to print its version
292 string and the version string of the security policy plugin
293 and any I/O plugins. If the invoking user is already root
294 the -
\b-V
\bV option will display the arguments passed to
295 configure when _
\bs_
\bu_
\bd_
\bo was built and plugins may display more
296 verbose information such as default options.
298 -v When given the -
\b-v
\bv (_
\bv_
\ba_
\bl_
\bi_
\bd_
\ba_
\bt_
\be) option, s
\bsu
\bud
\bdo
\bo will update the
299 user's cached credentials, authenticating the user's
300 password if necessary. For the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs plugin, this
301 extends the s
\bsu
\bud
\bdo
\bo timeout for another 5 minutes (or whatever
302 the timeout is set to in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs) but does not run a
303 command. Not all security policies support cached
306 -- The -
\b--
\b- option indicates that s
\bsu
\bud
\bdo
\bo should stop processing
307 command line arguments.
309 Environment variables to be set for the command may also be passed on
310 the command line in the form of V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be, e.g.
311 L
\bLD
\bD_
\b_L
\bLI
\bIB
\bBR
\bRA
\bAR
\bRY
\bY_
\b_P
\bPA
\bAT
\bTH
\bH=_
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bp_
\bk_
\bg_
\b/_
\bl_
\bi_
\bb. Variables passed on the command
312 line are subject to the same restrictions as normal environment
313 variables with one important exception. If the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in
314 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs, the command to be run has the SETENV tag set or the command
315 matched is ALL, the user may set variables that would otherwise be
316 forbidden. See _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) for more information.
318 P
\bPL
\bLU
\bUG
\bGI
\bIN
\bNS
\bS
319 Plugins are dynamically loaded based on the contents of the
320 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf file. If no _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf file is present, or it
321 contains no Plugin lines, s
\bsu
\bud
\bdo
\bo will use the traditional _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
322 security policy and I/O logging, which corresponds to the following
323 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf file.
326 # Default /etc/sudo.conf file
329 # Plugin plugin_name plugin_path plugin_options ...
330 # Path askpass /path/to/askpass
331 # Path noexec /path/to/sudo_noexec.so
332 # Debug sudo /var/log/sudo_debug all@warn
333 # Set disable_coredump true
335 # The plugin_path is relative to /usr/local/libexec unless
337 # The plugin_name corresponds to a global symbol in the plugin
338 # that contains the plugin interface structure.
339 # The plugin_options are optional.
341 Plugin policy_plugin sudoers.so
342 Plugin io_plugin sudoers.so
344 A Plugin line consists of the Plugin keyword, followed by the
345 _
\bs_
\by_
\bm_
\bb_
\bo_
\bl_
\b__
\bn_
\ba_
\bm_
\be and the _
\bp_
\ba_
\bt_
\bh to the shared object containing the plugin.
346 The _
\bs_
\by_
\bm_
\bb_
\bo_
\bl_
\b__
\bn_
\ba_
\bm_
\be is the name of the struct policy_plugin or struct
347 io_plugin in the plugin shared object. The _
\bp_
\ba_
\bt_
\bh may be fully qualified
348 or relative. If not fully qualified it is relative to the
349 _
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bl_
\bi_
\bb_
\be_
\bx_
\be_
\bc directory. Any additional parameters after the _
\bp_
\ba_
\bt_
\bh
350 are passed as arguments to the plugin's _
\bo_
\bp_
\be_
\bn function. Lines that
351 don't begin with Plugin, Path, Debug or Set are silently ignored.
353 For more information, see the _
\bs_
\bu_
\bd_
\bo_
\b__
\bp_
\bl_
\bu_
\bg_
\bi_
\bn(1m) manual.
356 A Path line consists of the Path keyword, followed by the name of the
357 path to set and its value. E.g.
359 Path noexec /usr/local/libexec/sudo_noexec.so
360 Path askpass /usr/X11R6/bin/ssh-askpass
362 The following plugin-agnostic paths may be set in the _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf
365 askpass The fully qualified path to a helper program used to
366 read the user's password when no terminal is available.
367 This may be the case when s
\bsu
\bud
\bdo
\bo is executed from a
368 graphical (as opposed to text-based) application. The
369 program specified by _
\ba_
\bs_
\bk_
\bp_
\ba_
\bs_
\bs should display the
370 argument passed to it as the prompt and write the
371 user's password to the standard output. The value of
372 _
\ba_
\bs_
\bk_
\bp_
\ba_
\bs_
\bs may be overridden by the SUDO_ASKPASS
373 environment variable.
375 noexec The fully-qualified path to a shared library containing
376 dummy versions of the _
\be_
\bx_
\be_
\bc_
\bv_
\b(_
\b), _
\be_
\bx_
\be_
\bc_
\bv_
\be_
\b(_
\b) and _
\bf_
\be_
\bx_
\be_
\bc_
\bv_
\be_
\b(_
\b)
377 library functions that just return an error. This is
378 used to implement the _
\bn_
\bo_
\be_
\bx_
\be_
\bc functionality on systems
379 that support LD_PRELOAD or its equivalent. Defaults to
380 _
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bl_
\bi_
\bb_
\be_
\bx_
\be_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b__
\bn_
\bo_
\be_
\bx_
\be_
\bc_
\b._
\bs_
\bo.
382 D
\bDE
\bEB
\bBU
\bUG
\bG F
\bFL
\bLA
\bAG
\bGS
\bS
383 s
\bsu
\bud
\bdo
\bo versions 1.8.4 and higher support a flexible debugging framework
384 that can help track down what s
\bsu
\bud
\bdo
\bo is doing internally if there is a
387 A Debug line consists of the Debug keyword, followed by the name of the
388 program to debug (s
\bsu
\bud
\bdo
\bo, v
\bvi
\bis
\bsu
\bud
\bdo
\bo, s
\bsu
\bud
\bdo
\bor
\bre
\bep
\bpl
\bla
\bay
\by), the debug file name and a
389 comma-separated list of debug flags. The debug flag syntax used by
390 s
\bsu
\bud
\bdo
\bo and the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs plugin is _
\bs_
\bu_
\bb_
\bs_
\by_
\bs_
\bt_
\be_
\bm@_
\bp_
\br_
\bi_
\bo_
\br_
\bi_
\bt_
\by but the plugin is
391 free to use a different format so long as it does not include a command
396 Debug sudo /var/log/sudo_debug all@warn,plugin@info
398 would log all debugging statements at the _
\bw_
\ba_
\br_
\bn level and higher in
399 addition to those at the _
\bi_
\bn_
\bf_
\bo level for the plugin subsystem.
401 Currently, only one Debug entry per program is supported. The sudo
402 Debug entry is shared by the s
\bsu
\bud
\bdo
\bo front end, s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt and the plugins.
403 A future release may add support for per-plugin Debug lines and/or
404 support for multiple debugging files for a single program.
406 The priorities used by the s
\bsu
\bud
\bdo
\bo front end, in order of decreasing
407 severity, are: _
\bc_
\br_
\bi_
\bt, _
\be_
\br_
\br, _
\bw_
\ba_
\br_
\bn, _
\bn_
\bo_
\bt_
\bi_
\bc_
\be, _
\bd_
\bi_
\ba_
\bg, _
\bi_
\bn_
\bf_
\bo, _
\bt_
\br_
\ba_
\bc_
\be and _
\bd_
\be_
\bb_
\bu_
\bg.
408 Each priority, when specified, also includes all priorities higher than
409 it. For example, a priority of _
\bn_
\bo_
\bt_
\bi_
\bc_
\be would include debug messages
410 logged at _
\bn_
\bo_
\bt_
\bi_
\bc_
\be and higher.
412 The following subsystems are used by s
\bsu
\bud
\bdo
\bo:
414 _
\ba_
\bl_
\bl matches every subsystem
416 _
\ba_
\br_
\bg_
\bs command line argument processing
418 _
\bc_
\bo_
\bn_
\bv user conversation
420 _
\be_
\bd_
\bi_
\bt sudoedit
422 _
\be_
\bx_
\be_
\bc command execution
424 _
\bm_
\ba_
\bi_
\bn s
\bsu
\bud
\bdo
\bo main function
426 _
\bn_
\be_
\bt_
\bi_
\bf network interface handling
428 _
\bp_
\bc_
\bo_
\bm_
\bm communication with the plugin
430 _
\bp_
\bl_
\bu_
\bg_
\bi_
\bn plugin configuration
432 _
\bp_
\bt_
\by pseudo-tty related code
434 _
\bs_
\be_
\bl_
\bi_
\bn_
\bu_
\bx SELinux-specific handling
436 _
\bu_
\bt_
\bi_
\bl utility functions
438 _
\bu_
\bt_
\bm_
\bp utmp handling
440 R
\bRE
\bET
\bTU
\bUR
\bRN
\bN V
\bVA
\bAL
\bLU
\bUE
\bES
\bS
441 Upon successful execution of a program, the exit status from s
\bsu
\bud
\bdo
\bo will
442 simply be the exit status of the program that was executed.
444 Otherwise, s
\bsu
\bud
\bdo
\bo exits with a value of 1 if there is a
445 configuration/permission problem or if s
\bsu
\bud
\bdo
\bo cannot execute the given
446 command. In the latter case the error string is printed to the
447 standard error. If s
\bsu
\bud
\bdo
\bo cannot _
\bs_
\bt_
\ba_
\bt(2) one or more entries in the
448 user's PATH, an error is printed on stderr. (If the directory does not
449 exist or if it is not really a directory, the entry is ignored and no
450 error is printed.) This should not happen under normal circumstances.
451 The most common reason for _
\bs_
\bt_
\ba_
\bt(2) to return "permission denied" is if
452 you are running an automounter and one of the directories in your PATH
453 is on a machine that is currently unreachable.
455 S
\bSE
\bEC
\bCU
\bUR
\bRI
\bIT
\bTY
\bY N
\bNO
\bOT
\bTE
\bES
\bS
456 s
\bsu
\bud
\bdo
\bo tries to be safe when executing external commands.
458 To prevent command spoofing, s
\bsu
\bud
\bdo
\bo checks "." and "" (both denoting
459 current directory) last when searching for a command in the user's PATH
460 (if one or both are in the PATH). Note, however, that the actual PATH
461 environment variable is _
\bn_
\bo_
\bt modified and is passed unchanged to the
462 program that s
\bsu
\bud
\bdo
\bo executes.
464 Please note that s
\bsu
\bud
\bdo
\bo will normally only log the command it explicitly
465 runs. If a user runs a command such as sudo su or sudo sh, subsequent
466 commands run from that shell are not subject to s
\bsu
\bud
\bdo
\bo's security policy.
467 The same is true for commands that offer shell escapes (including most
468 editors). If I/O logging is enabled, subsequent commands will have
469 their input and/or output logged, but there will not be traditional
470 logs for those commands. Because of this, care must be taken when
471 giving users access to commands via s
\bsu
\bud
\bdo
\bo to verify that the command
472 does not inadvertently give the user an effective root shell. For more
473 information, please see the PREVENTING SHELL ESCAPES section in
474 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
476 To prevent the disclosure of potentially sensitive information, s
\bsu
\bud
\bdo
\bo
477 disables core dumps by default while it is executing (they are re-
478 enabled for the command that is run). To aid in debugging s
\bsu
\bud
\bdo
\bo
479 crashes, you may wish to re-enable core dumps by setting
480 "disable_coredump" to false in the _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf file.
482 Set disable_coredump false
484 Note that by default, most operating systems disable core dumps from
485 setuid programs, which includes s
\bsu
\bud
\bdo
\bo. To actually get a s
\bsu
\bud
\bdo
\bo core file
486 you may need to enable core dumps for setuid processes. On BSD and
487 Linux systems this is accomplished via the sysctl command, on Solaris
488 the coreadm command can be used.
490 E
\bEN
\bNV
\bVI
\bIR
\bRO
\bON
\bNM
\bME
\bEN
\bNT
\bT
491 s
\bsu
\bud
\bdo
\bo utilizes the following environment variables. The security policy
492 has control over the content of the command's environment.
494 EDITOR Default editor to use in -
\b-e
\be (sudoedit) mode if neither
495 SUDO_EDITOR nor VISUAL is set
497 MAIL In -
\b-i
\bi mode or when _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt is enabled in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs, set
498 to the mail spool of the target user
500 HOME Set to the home directory of the target user if -
\b-i
\bi or
501 -
\b-H
\bH are specified, _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt or _
\ba_
\bl_
\bw_
\ba_
\by_
\bs_
\b__
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be are set
502 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs, or when the -
\b-s
\bs option is specified and
503 _
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be is set in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
505 PATH May be overridden by the security policy.
507 SHELL Used to determine shell to run with -s option
509 SUDO_ASKPASS Specifies the path to a helper program used to read the
510 password if no terminal is available or if the -A
513 SUDO_COMMAND Set to the command run by sudo
515 SUDO_EDITOR Default editor to use in -
\b-e
\be (sudoedit) mode
517 SUDO_GID Set to the group ID of the user who invoked sudo
519 SUDO_PROMPT Used as the default password prompt
521 SUDO_PS1 If set, PS1 will be set to its value for the program
524 SUDO_UID Set to the user ID of the user who invoked sudo
526 SUDO_USER Set to the login of the user who invoked sudo
528 USER Set to the target user (root unless the -
\b-u
\bu option is
531 VISUAL Default editor to use in -
\b-e
\be (sudoedit) mode if
532 SUDO_EDITOR is not set
535 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\b._
\bc_
\bo_
\bn_
\bf s
\bsu
\bud
\bdo
\bo front end configuration
537 E
\bEX
\bXA
\bAM
\bMP
\bPL
\bLE
\bES
\bS
538 Note: the following examples assume a properly configured security
541 To get a file listing of an unreadable directory:
543 $ sudo ls /usr/local/protected
545 To list the home directory of user yaz on a machine where the file
546 system holding ~yaz is not exported as root:
548 $ sudo -u yaz ls ~yaz
550 To edit the _
\bi_
\bn_
\bd_
\be_
\bx_
\b._
\bh_
\bt_
\bm_
\bl file as user www:
552 $ sudo -u www vi ~www/htdocs/index.html
554 To view system logs only accessible to root and users in the adm group:
556 $ sudo -g adm view /var/log/syslog
558 To run an editor as jim with a different primary group:
560 $ sudo -u jim -g audio vi ~jim/sound.txt
562 To shutdown a machine:
564 $ sudo shutdown -r +15 "quick reboot"
566 To make a usage listing of the directories in the /home partition.
567 Note that this runs the commands in a sub-shell to make the cd and file
570 $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
572 S
\bSE
\bEE
\bE A
\bAL
\bLS
\bSO
\bO
573 _
\bg_
\br_
\be_
\bp(1), _
\bs_
\bu(1), _
\bs_
\bt_
\ba_
\bt(2), _
\bl_
\bo_
\bg_
\bi_
\bn_
\b__
\bc_
\ba_
\bp(3), _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4), _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4),
574 _
\bs_
\bu_
\bd_
\bo_
\b__
\bp_
\bl_
\bu_
\bg_
\bi_
\bn(1m), _
\bs_
\bu_
\bd_
\bo_
\br_
\be_
\bp_
\bl_
\ba_
\by(1m), _
\bv_
\bi_
\bs_
\bu_
\bd_
\bo(1m)
576 A
\bAU
\bUT
\bTH
\bHO
\bOR
\bRS
\bS
577 Many people have worked on s
\bsu
\bud
\bdo
\bo over the years; this version consists
578 of code written primarily by:
582 See the CONTRIBUTORS file in the s
\bsu
\bud
\bdo
\bo distribution
583 (http://www.sudo.ws/sudo/contributors.html) for a list of people who
584 have contributed to s
\bsu
\bud
\bdo
\bo.
586 H
\bHI
\bIS
\bST
\bTO
\bOR
\bRY
\bY
587 See the HISTORY file in the s
\bsu
\bud
\bdo
\bo distribution
588 (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
590 C
\bCA
\bAV
\bVE
\bEA
\bAT
\bTS
\bS
591 There is no easy way to prevent a user from gaining a root shell if
592 that user is allowed to run arbitrary commands via s
\bsu
\bud
\bdo
\bo. Also, many
593 programs (such as editors) allow the user to run commands via shell
594 escapes, thus avoiding s
\bsu
\bud
\bdo
\bo's checks. However, on most systems it is
595 possible to prevent shell escapes with the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) module's _
\bn_
\bo_
\be_
\bx_
\be_
\bc
598 It is not meaningful to run the cd command directly via sudo, e.g.,
600 $ sudo cd /usr/local/protected
602 since when the command exits the parent process (your shell) will still
603 be the same. Please see the EXAMPLES section for more information.
605 Running shell scripts via s
\bsu
\bud
\bdo
\bo can expose the same kernel bugs that
606 make setuid shell scripts unsafe on some operating systems (if your OS
607 has a /dev/fd/ directory, setuid shell scripts are generally safe).
610 If you feel you have found a bug in s
\bsu
\bud
\bdo
\bo, please submit a bug report at
611 http://www.sudo.ws/sudo/bugs/
613 S
\bSU
\bUP
\bPP
\bPO
\bOR
\bRT
\bT
614 Limited free support is available via the sudo-users mailing list, see
615 http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
618 D
\bDI
\bIS
\bSC
\bCL
\bLA
\bAI
\bIM
\bME
\bER
\bR
619 s
\bsu
\bud
\bdo
\bo is provided ``AS IS'' and any express or implied warranties,
620 including, but not limited to, the implied warranties of
621 merchantability and fitness for a particular purpose are disclaimed.
622 See the LICENSE file distributed with s
\bsu
\bud
\bdo
\bo or
623 http://www.sudo.ws/sudo/license.html for complete details.
627 1.8.5 March 15, 2012 SUDO(1m)
projects / debian / sudo / blob