SUDO(1m)                     MAINTENANCE COMMANDS                    SUDO(1m)

NAME
     sudo, sudoedit - execute a command as another user
SYNOPSIS
     sudo [-D level] -h | -K | -k | -V

     sudo -v [-AknS] [-a auth_type] [-D level] [-g group name|#gid]
          [-p prompt] [-u user name|#uid]

     sudo -l[l] [-AknS] [-a auth_type] [-D level] [-g group name|#gid]
          [-p prompt] [-U user name] [-u user name|#uid] [command]

     sudo [-AbEHnPS] [-a auth_type] [-C fd] [-D level] [-c class|-]
          [-g group name|#gid] [-p prompt] [-r role] [-t type]
          [-u user name|#uid] [VAR=value] [-i | -s] [command]

     sudoedit [-AnS] [-a auth_type] [-C fd] [-c class|-] [-D level]
          [-g group name|#gid] [-p prompt] [-u user name|#uid] file ...
DESCRIPTION
     sudo allows a permitted user to execute a command as the superuser or
     another user, as specified by the security policy.  The real and
     effective uid and gid are set to match those of the target user, as
     specified in the password database, and the group vector is initialized
     based on the group database (unless the -P option was specified).

     sudo supports a plugin architecture for security policies and
     input/output logging.  Third parties can develop and distribute their
     own policy and I/O logging modules to work seamlessly with the sudo
     front end.  The default security policy is sudoers, which is configured
     via the file /etc/sudoers, or via LDAP.  See the PLUGINS section for

     The security policy determines what privileges, if any, a user has to
     run sudo.  The policy may require that users authenticate themselves
     with a password or another authentication mechanism.  If authentication
     is required, sudo will exit if the user's password is not entered
     within a configurable time limit.  This limit is policy-specific; the
     default password prompt timeout for the sudoers security policy is 5

     Security policies may support credential caching to allow the user to
     run sudo again for a period of time without requiring authentication.
     The sudoers policy caches credentials for 5 minutes, unless overridden
     in sudoers(4).  By running sudo with the -v option, a user can update
     the cached credentials without running a command.

     When invoked as sudoedit, the -e option (described below) is implied.

     Security policies may log successful and failed attempts to use sudo.
     If an I/O plugin is configured, the running command's input and output
     may be logged as well.

OPTIONS
     sudo accepts the following command line options:
     -A          Normally, if sudo requires a password, it will read it from
                 the user's terminal.  If the -A (askpass) option is
                 specified, a (possibly graphical) helper program is
                 executed to read the user's password and output the
                 password to the standard output.  If the SUDO_ASKPASS
                 environment variable is set, it specifies the path to the
                 helper program.  Otherwise, if /etc/sudo.conf contains a
                 line specifying the askpass program, that value will be

                     # Path to askpass helper program
                     Path askpass /usr/X11R6/bin/ssh-askpass

                 If no askpass program is available, sudo will exit with an

     -a type     The -a (authentication type) option causes sudo to use the
                 specified authentication type when validating the user, as
                 allowed by /etc/login.conf.  The system administrator may
                 specify a list of sudo-specific authentication methods by
                 adding an "auth-sudo" entry in /etc/login.conf.  This
                 option is only available on systems that support BSD

     -b          The -b (background) option tells sudo to run the given
                 command in the background.  Note that if you use the -b
                 option you cannot use shell job control to manipulate the
                 process.  Most interactive commands will fail to work
                 properly in background mode.

     -C fd       Normally, sudo will close all open file descriptors other
                 than standard input, standard output and standard error.
                 The -C (close from) option allows the user to specify a
                 starting point above the standard error (file descriptor
                 three).  Values less than three are not permitted.  The
                 security policy may restrict the user's ability to use the
                 -C option.  The sudoers policy only permits use of the -C
                 option when the administrator has enabled the
                 closefrom_override option.

     -c class    The -c (class) option causes sudo to run the specified
                 command with resources limited by the specified login
                 class.  The class argument can be either a class name as
                 defined in /etc/login.conf, or a single '-' character.
                 Specifying a class of - indicates that the command should
                 be run restricted by the default login capabilities for the
                 user the command is run as.  If the class argument
                 specifies an existing user class, the command must be run
                 as root, or the sudo command must be run from a shell that
                 is already root.  This option is only available on systems
                 with BSD login classes.

     -D level    Enable debugging of sudo plugins and sudo itself.  The
                 level may be a value from 1 through 9.

     -E          The -E (preserve environment) option indicates to the
                 security policy that the user wishes to preserve their
                 existing environment variables.  The security policy may
                 return an error if the -E option is specified and the user
                 does not have permission to preserve the environment.

     -e          The -e (edit) option indicates that, instead of running a
                 command, the user wishes to edit one or more files.  In
                 lieu of a command, the string "sudoedit" is used when
                 consulting the security policy.  If the user is authorized
                 by the policy, the following steps are taken:

                 1.   Temporary copies are made of the files to be edited
                      with the owner set to the invoking user.

                 2.   The editor specified by the policy is run to edit the
                      temporary files.  The sudoers policy uses the
                      SUDO_EDITOR, VISUAL and EDITOR environment variables
                      (in that order).  If none of SUDO_EDITOR, VISUAL or
                      EDITOR are set, the first program listed in the editor
                      sudoers(4) option is used.

                 3.   If they have been modified, the temporary files are
                      copied back to their original location and the
                      temporary versions are removed.

                 If the specified file does not exist, it will be created.
                 Note that unlike most commands run by sudo, the editor is
                 run with the invoking user's environment unmodified.  If,
                 for some reason, sudo is unable to update a file with its
                 edited version, the user will receive a warning and the
                 edited copy will remain in a temporary file.
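The three sudoedit steps above, worked through as an added example that is not sudo's own code or part of this manual.  It copies the file to a private temporary copy, runs the editor on the copy only, writes back only when the copy changed, creates a missing target, and keeps the edited copy when the write-back fails.  The editor is a Python callable and the scratch files are constructed, so it runs unprivileged; the chown of step 1 is recorded rather than performed, and pick_editor, sudoedit and demo are names of this example.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Added example, not sudo's code: the three sudoedit steps on ordinary files.
# The editor is a callable so the example runs unattended and unprivileged;
# real sudoedit execs the chosen editor and chowns the copy to the invoker.


def pick_editor(env: dict, policy_default: str) -> str:
    """sudoers order: SUDO_EDITOR, then VISUAL, then EDITOR, else the first
    program of the sudoers 'editor' option (passed in as policy_default)."""
    for var in ("SUDO_EDITOR", "VISUAL", "EDITOR"):
        if env.get(var):
            return env[var]
    return policy_default


def sudoedit(target: Path, editor: Callable[[Path], None],
             invoking_uid: Optional[int] = None) -> dict:
    """Edit target through a temporary copy; report what happened."""
    original = target.read_bytes() if target.exists() else b""
    owner = os.getuid() if invoking_uid is None else invoking_uid

    # Step 1: temporary copy for the invoking user.  Without privilege the
    # chown is only recorded (owner); the copy is 0600 so nobody else can
    # read what may be a root-only file while it sits in the temp dir.
    tmpdir = Path(tempfile.mkdtemp(prefix="sudoedit-"))
    tmp = tmpdir / target.name
    tmp.write_bytes(original)
    tmp.chmod(stat.S_IRUSR | stat.S_IWUSR)

    # Step 2: the editor sees the copy only, never the privileged target.
    editor(tmp)
    edited = tmp.read_bytes()

    # Step 3: write back only when modified; a missing target is created.
    if edited == original:
        tmp.unlink()
        tmpdir.rmdir()
        return {"owner": owner, "modified": False, "written": False, "temp": None}
    try:
        target.write_bytes(edited)
    except OSError as exc:
        # Write-back failed: warn and leave the edited copy where it is.
        return {"owner": owner, "modified": True, "written": False,
                "temp": str(tmp), "warning": "unable to update %s: %s" % (target, exc)}
    tmp.unlink()
    tmpdir.rmdir()
    return {"owner": owner, "modified": True, "written": True, "temp": None}


def demo() -> dict:
    """Four sessions on constructed scratch files: a real edit, an editor that
    changes nothing, an edit that creates a file, and a failed write-back."""
    work = Path(tempfile.mkdtemp(prefix="sudoedit-demo-"))
    hosts = work / "hosts"
    hosts.write_text("127.0.0.1 localhost\n")
    append = lambda p: p.write_text(p.read_text() + "10.0.0.5 build\n")
    return {
        "changed": sudoedit(hosts, append),
        "untouched": sudoedit(hosts, lambda p: None),
        "created": sudoedit(work / "new.conf", lambda p: p.write_text("x=1\n")),
        "failed": sudoedit(work / "no-such-dir" / "f.conf",
                           lambda p: p.write_text("y=2\n")),
        "hosts": hosts.read_text(),
        "new": (work / "new.conf").read_text(),
        "editor": pick_editor({"VISUAL": "vim", "EDITOR": "nano"}, "vi"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The point of the temporary copy is that the editor, with all its shell escapes, never runs against the privileged file and never runs with elevated privilege; only the final copy-back is a privileged operation.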
     -g group    Normally, sudo runs a command with the primary group set to
                 the one specified by the password database for the user the
                 command is being run as (by default, root).  The -g (group)
                 option causes sudo to run the command with the primary
                 group set to group instead.  To specify a gid instead of a
                 group name, use #gid.  When running commands as a gid, many
                 shells require that the '#' be escaped with a backslash
                 ('\').  If no -u option is specified, the command will be
                 run as the invoking user (not root).  In either case, the
                 primary group will be set to group.

     -H          The -H (HOME) option requests that the security policy set
                 the HOME environment variable to the home directory of the
                 target user (root by default) as specified by the password
                 database.  Depending on the policy, this may be the default

     -h          The -h (help) option causes sudo to print a short help
                 message to the standard output and exit.

     -i [command]
                 The -i (simulate initial login) option runs the shell
                 specified by the password database entry of the target user
                 as a login shell.  This means that login-specific resource
                 files such as .profile or .login will be read by the shell.
                 If a command is specified, it is passed to the shell for
                 execution via the shell's -c option.  If no command is
                 specified, an interactive shell is executed.  sudo attempts
                 to change to that user's home directory before running the
                 shell.  The security policy shall initialize the
                 environment to a minimal set of variables, similar to what
                 is present when a user logs in.

     -K          The -K (sure kill) option is like -k except that it removes
                 the user's cached credentials entirely and may not be used
                 in conjunction with a command or other option.  This option
                 does not require a password.  Not all security policies
                 support credential caching.

     -k [command]
                 When used alone, the -k (kill) option to sudo invalidates
                 the user's cached credentials.  The next time sudo is run a
                 password will be required.  This option does not require a
                 password and was added to allow a user to revoke sudo
                 permissions from a .logout file.  Not all security policies
                 support credential caching.

                 When used in conjunction with a command or an option that
                 may require a password, the -k option will cause sudo to
                 ignore the user's cached credentials.  As a result, sudo
                 will prompt for a password (if one is required by the
                 security policy) and will not update the user's cached

     -l[l] [command]
                 If no command is specified, the -l (list) option will list
                 the allowed (and forbidden) commands for the invoking user
                 (or the user specified by the -U option) on the current
                 host.  If a command is specified and is permitted by the
                 security policy, the fully-qualified path to the command is
                 displayed along with any command line arguments.  If
                 command is specified but not allowed, sudo will exit with a
                 status value of 1.  If the -l option is specified with an l
                 argument (i.e. -ll), or if -l is specified multiple times,
                 a longer list format is used.

     -n          The -n (non-interactive) option prevents sudo from
                 prompting the user for a password.  If a password is
                 required for the command to run, sudo will display an error

     -P          The -P (preserve group vector) option causes sudo to
                 preserve the invoking user's group vector unaltered.  By
                 default, the sudoers policy will initialize the group
                 vector to the list of groups the target user is in.  The
                 real and effective group IDs, however, are still set to
                 match the target user.

     -p prompt   The -p (prompt) option allows you to override the default
                 password prompt and use a custom one.  The following
                 percent (`%') escapes are supported by the sudoers policy:

                 %H  expanded to the host name including the domain name
                     (only if the machine's host name is fully qualified or
                     the fqdn option is set in sudoers(4))

                 %h  expanded to the local host name without the domain name

                 %p  expanded to the name of the user whose password is
                     being requested (respects the rootpw, targetpw and
                     runaspw flags in sudoers(4))

                 %U  expanded to the login name of the user the command will
                     be run as (defaults to root unless the -u option is

                 %u  expanded to the invoking user's login name

                 %%  two consecutive % characters are collapsed into a

                 The prompt specified by the -p option will override the
                 system password prompt on systems that support PAM unless
                 the passprompt_override flag is disabled in sudoers.
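Expansion of the -p prompt escapes listed above, as an added example that is not sudo's own code.  expand_prompt, password_user and the sample host and user names belong to this example; it models how %p follows rootpw and targetpw but not runaspw (that depends on the runas_default setting, which this page does not describe), and it leaves an unknown escape as typed, which is a choice of the example rather than something the page states.

```python
import re

# Added example, not sudo's code: expansion of the sudoers prompt escapes.
# password_user() models rootpw and targetpw only (runaspw depends on the
# runas_default setting, which this page does not describe), and an unknown
# escape is left as typed; both are choices of this example.

ESCAPE = re.compile(r"%(.)")


def password_user(invoking_user: str, runas_user: str, *,
                  rootpw: bool = False, targetpw: bool = False) -> str:
    """Whose password %p names: the invoking user, unless sudoers sets
    rootpw (root's password) or targetpw (the target user's password)."""
    if rootpw:
        return "root"
    if targetpw:
        return runas_user
    return invoking_user


def expand_prompt(prompt: str, *, host: str, fqdn: bool, pw_user: str,
                  runas_user: str, invoking_user: str) -> str:
    """Expand %H %h %p %U %u and %% in prompt.

    host is the local host name as sudo learned it.  %H is the full name
    only if it already carries a domain or the fqdn flag is set (real sudo
    then resolves the domain; here the name is used as given); %h is always
    the part before the first dot.
    """
    short = host.split(".", 1)[0]
    full = host if (fqdn or "." in host) else short
    table = {"H": full, "h": short, "p": pw_user,
             "U": runas_user, "u": invoking_user, "%": "%"}

    def replace(match):
        # "%%" is consumed as one match, so it collapses to a single "%".
        return table.get(match.group(1), match.group(0))

    return ESCAPE.sub(replace, prompt)


if __name__ == "__main__":
    who = password_user("alice", "postgres", targetpw=True)
    print(expand_prompt("[sudo] %u -> %U, %p's password on %H (%h): ",
                        host="db1.corp.example", fqdn=False, pw_user=who,
                        runas_user="postgres", invoking_user="alice"))
```

A prompt that shows %p is worth keeping in custom prompts: with targetpw or rootpw set, users otherwise cannot tell whose password they are being asked for.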
     -r role     The -r (role) option causes the new (SELinux) security
                 context to have the role specified by role.

     -S          The -S (stdin) option causes sudo to read the password from
                 the standard input instead of the terminal device.  The
                 password must be followed by a newline character.

     -s [command]
                 The -s (shell) option runs the shell specified by the SHELL
                 environment variable if it is set or the shell as specified
                 in the password database.  If a command is specified, it is
                 passed to the shell for execution via the shell's -c
                 option.  If no command is specified, an interactive shell

     -t type     The -t (type) option causes the new (SELinux) security
                 context to have the type specified by type.  If no type is
                 specified, the default type is derived from the specified

     -U user     The -U (other user) option is used in conjunction with the
                 -l option to specify the user whose privileges should be
                 listed.  The security policy may restrict listing other
                 users' privileges.  The sudoers policy only allows root or
                 a user with the ALL privilege on the current host to use

     -u user     The -u (user) option causes sudo to run the specified
                 command as a user other than root.  To specify a uid
                 instead of a user name, use #uid.  When running commands as
                 a uid, many shells require that the '#' be escaped with a
                 backslash ('\').  Security policies may restrict uids to
                 those listed in the password database.  The sudoers policy
                 allows uids that are not in the password database as long
                 as the targetpw option is not set.  Other security policies
                 may not support this.

     -V          The -V (version) option causes sudo to print its version
                 string and the version string of the security policy plugin
                 and any I/O plugins.  If the invoking user is already root
                 the -V option will display the arguments passed to
                 configure when sudo was built and plugins may display more
                 verbose information such as default options.

     -v          When given the -v (validate) option, sudo will update the
                 user's cached credentials, authenticating the user's
                 password if necessary.  For the sudoers plugin, this
                 extends the sudo timeout for another 5 minutes (or whatever
                 the timeout is set to in sudoers) but does not run a
                 command.  Not all security policies support cached
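The credential caching described in DESCRIPTION and the -K, -k and -v options above, as one added example that is not sudo's own code.  CredentialCache is a timestamp cache with the stated 5 minute default: a valid stamp skips the prompt, -v refreshes it without running a command, -k alone invalidates it without a password, -k with a command forces a prompt and leaves the stamp untouched, and -K removes the entry.  The clock is injected so the timeout can be exercised without waiting, and the assumption that a successful cached run refreshes the stamp is the example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

# Added example, not sudo's code: a timestamp cache with the semantics the
# text gives for sudoers credential caching and for -v, -k and -K.  Time is
# injected so the behaviour can be checked without waiting five minutes.
# Assumption (not stated on this page): a successful cached run refreshes the
# stamp, so the timeout counts from the last use rather than the first.

SUDOERS_TIMEOUT = 5 * 60  # seconds, the sudoers default


@dataclass
class CredentialCache:
    now: Callable[[], float]
    timeout: float = SUDOERS_TIMEOUT
    stamps: Dict[str, float] = field(default_factory=dict)

    def is_valid(self, user: str) -> bool:
        stamp = self.stamps.get(user)
        return stamp is not None and self.now() - stamp < self.timeout

    def run_command(self, user: str, ask_password: Callable[[], bool],
                    ignore_cache: bool = False) -> bool:
        """Authenticate before a command.  A valid stamp skips the prompt;
        -k together with a command (ignore_cache) forces a prompt and
        leaves the stamp alone."""
        if ignore_cache:
            return ask_password()
        if self.is_valid(user) or ask_password():
            self.stamps[user] = self.now()
            return True
        return False

    def validate(self, user: str, ask_password: Callable[[], bool]) -> bool:
        """sudo -v: extend the stamp for another timeout, prompting only if
        it has already expired.  No command is run."""
        if self.is_valid(user) or ask_password():
            self.stamps[user] = self.now()
            return True
        return False

    def kill(self, user: str) -> None:
        """sudo -k alone: invalidate without a password; the entry stays,
        but the next run must prompt."""
        if user in self.stamps:
            self.stamps[user] = float("-inf")

    def sure_kill(self, user: str) -> None:
        """sudo -K: remove the cached credentials entirely."""
        self.stamps.pop(user, None)


if __name__ == "__main__":
    clock = [0.0]
    cache = CredentialCache(now=lambda: clock[0])
    prompts = []

    def ask() -> bool:
        prompts.append(clock[0])
        return True

    cache.run_command("alice", ask)      # prompts
    clock[0] += 240
    cache.run_command("alice", ask)      # cached; stamp refreshed
    clock[0] += 240
    print("still valid:", cache.is_valid("alice"), "prompted at:", prompts)
    cache.kill("alice")
    print("after -k:", cache.is_valid("alice"))
```

The difference between -k and -K is visible in the state: after kill() the user still has an entry (just an expired one), after sure_kill() there is none.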
     --          The -- option indicates that sudo should stop processing
                 command line arguments.

     Environment variables to be set for the command may also be passed on
     the command line in the form of VAR=value, e.g.
     LD_LIBRARY_PATH=/usr/local/pkg/lib.  Variables passed on the command
     line are subject to the same restrictions as normal environment
     variables with one important exception.  If the setenv option is set in
     sudoers, the command to be run has the SETENV tag set or the command
     matched is ALL, the user may set variables that would otherwise be
     forbidden.  See sudoers(4) for more information.

PLUGINS
     Plugins are dynamically loaded based on the contents of the
     /etc/sudo.conf file.  If no /etc/sudo.conf file is present, or it
     contains no Plugin lines, sudo will use the traditional sudoers
     security policy and I/O logging, which corresponds to the following
     /etc/sudo.conf file.

         # Default /etc/sudo.conf file
         # Plugin plugin_name plugin_path
         # Path askpass /path/to/askpass
         # Path noexec /path/to/noexec.so
         # The plugin_path is relative to /usr/local/libexec unless
         # The plugin_name corresponds to a global symbol in the plugin
         # that contains the plugin interface structure.
         Plugin policy_plugin sudoers.so
         Plugin io_plugin sudoers.so

     A Plugin line consists of the Plugin keyword, followed by the
     symbol_name and the path to the shared object containing the plugin.
     The symbol_name is the name of the struct policy_plugin or struct
     io_plugin in the plugin shared object.  The path may be fully qualified
     or relative.  If not fully qualified it is relative to the
     /usr/local/libexec directory.  Any additional parameters after the path
     are ignored.  Lines that don't begin with Plugin or Path are silently

     For more information, see the sudo_plugin(1m) manual.

     A Path line consists of the Path keyword, followed by the name of the
     path to set and its value.  E.g.

         Path noexec /usr/local/libexec/sudo_noexec.so
         Path askpass /usr/X11R6/bin/ssh-askpass

     The following plugin-agnostic paths may be set in the /etc/sudo.conf

     askpass     The fully qualified path to a helper program used to
                 read the user's password when no terminal is available.
                 This may be the case when sudo is executed from a
                 graphical (as opposed to text-based) application.  The
                 program specified by askpass should display the
                 argument passed to it as the prompt and write the
                 user's password to the standard output.  The value of
                 askpass may be overridden by the SUDO_ASKPASS
                 environment variable.

     noexec      The fully-qualified path to a shared library containing
                 dummy versions of the execv(), execve() and fexecve()
                 library functions that just return an error.  This is
                 used to implement the noexec functionality on systems
                 that support LD_PRELOAD or its equivalent.  Defaults to
                 /usr/local/libexec/sudo_noexec.so.
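The Plugin and Path line formats and the defaults described in this section, as an added example that is neither sudo's own sudo.conf parser nor part of this manual.  parse_sudo_conf honours Plugin and Path lines, resolves a relative plugin path against /usr/local/libexec, drops words after the path, skips every other line, falls back to the sudoers policy and I/O plugins when no Plugin line is present, lets SUDO_ASKPASS override the askpass Path and fills in the documented noexec default.  Keyword matching is case-sensitive here and no check that exactly one policy plugin is configured is made; both are simplifications of the example, and SAMPLE_CONF is a constructed file, not any system's.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not sudo's own parser: reads the Plugin and Path lines
# described above and applies the stated defaults.  Keyword matching is
# case-sensitive here and no "exactly one policy plugin" check is made;
# both are simplifications of this example.

LIBEXEC = "/usr/local/libexec"                       # base for relative plugin paths
DEFAULT_NOEXEC = "/usr/local/libexec/sudo_noexec.so"


@dataclass
class Plugin:
    symbol: str   # name of the struct policy_plugin / struct io_plugin symbol
    path: str     # fully qualified path of the shared object


@dataclass
class SudoConf:
    plugins: List[Plugin] = field(default_factory=list)
    paths: Dict[str, str] = field(default_factory=dict)


def parse_sudo_conf(text: Optional[str],
                    env: Optional[Dict[str, str]] = None) -> SudoConf:
    """Parse sudo.conf contents; text=None means the file is absent."""
    conf = SudoConf()
    for line in (text or "").splitlines():
        words = line.split()
        if len(words) < 3:            # blank, comment-only or incomplete line
            continue
        keyword, name, value = words[:3]   # anything after the value is ignored
        if keyword == "Plugin":
            path = value if os.path.isabs(value) else os.path.join(LIBEXEC, value)
            conf.plugins.append(Plugin(name, path))
        elif keyword == "Path":
            conf.paths[name] = value
        # lines beginning with anything else (including '#') are skipped

    if not conf.plugins:   # no file or no Plugin lines: traditional sudoers setup
        sudoers = os.path.join(LIBEXEC, "sudoers.so")
        conf.plugins = [Plugin("policy_plugin", sudoers), Plugin("io_plugin", sudoers)]

    env = os.environ if env is None else env
    if env.get("SUDO_ASKPASS"):        # the environment overrides the askpass Path
        conf.paths["askpass"] = env["SUDO_ASKPASS"]
    conf.paths.setdefault("noexec", DEFAULT_NOEXEC)
    return conf


# Constructed sample, not a real system's file.
SAMPLE_CONF = """\
# Default /etc/sudo.conf file
# Plugin plugin_name plugin_path
Plugin policy_plugin sudoers.so
Plugin io_plugin /opt/audit/iolog.so these words are ignored
Path askpass /usr/X11R6/bin/ssh-askpass
Bogus not-a-keyword ignored
"""

if __name__ == "__main__":
    conf = parse_sudo_conf(SAMPLE_CONF, env={})
    for plugin in conf.plugins:
        print("Plugin", plugin.symbol, plugin.path)
    for name, value in conf.paths.items():
        print("Path", name, value)
```

Because a relative plugin path resolves under /usr/local/libexec and sudo loads whatever symbol the line names, the permissions on /etc/sudo.conf and on that directory decide who can inject a policy plugin; the parser above does not check them, and neither does this page.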
RETURN VALUES
     Upon successful execution of a program, the exit status from sudo will
     simply be the exit status of the program that was executed.

     Otherwise, sudo exits with a value of 1 if there is a
     configuration/permission problem or if sudo cannot execute the given
     command.  In the latter case the error string is printed to the
     standard error.  If sudo cannot stat(2) one or more entries in the
     user's PATH, an error is printed on stderr.  (If the directory does not
     exist or if it is not really a directory, the entry is ignored and no
     error is printed.)  This should not happen under normal circumstances.
     The most common reason for stat(2) to return "permission denied" is if
     you are running an automounter and one of the directories in your PATH
     is on a machine that is currently unreachable.

SECURITY NOTES
     sudo tries to be safe when executing external commands.

     To prevent command spoofing, sudo checks "." and "" (both denoting
     current directory) last when searching for a command in the user's PATH
     (if one or both are in the PATH).  Note, however, that the actual PATH
     environment variable is not modified and is passed unchanged to the
     program that sudo executes.
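The PATH rule above, as an added example that is not sudo's own lookup code: sudo_find tries every real directory before "." or "", beside naive_find, the first-match lookup a shell does.  demo builds a constructed directory tree with a trojan ls in the working directory, the real one in a bin directory and a PATH that lists "." first, so the two lookups disagree.  Executability is judged from the mode bits alone so the result does not depend on who runs it; the function and file names are this example's own.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Added example, not sudo's own code: the PATH lookup rule described above
# beside the naive first-match lookup a shell performs, run on a constructed
# directory tree that has a trojan 'ls' in the working directory.

CWD_ENTRIES = (".", "")   # both denote the current directory


def executable(path: str) -> bool:
    """Regular file with an execute bit set (mode bits only, so the check
    does not depend on who runs the example)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def naive_find(cmd: str, path: str, cwd: str) -> Optional[str]:
    """Shell-style lookup: entries tried in the order PATH lists them."""
    for entry in path.split(":"):
        candidate = os.path.join(cwd if entry in CWD_ENTRIES else entry, cmd)
        if executable(candidate):
            return candidate
    return None


def sudo_find(cmd: str, path: str, cwd: str) -> Optional[str]:
    """sudo-style lookup: a name containing '/' is used as given; otherwise
    every real directory in PATH is tried before '.' or '' is considered.
    PATH itself is left untouched, as the text says."""
    if "/" in cmd:
        return cmd if executable(cmd) else None
    entries = path.split(":")
    ordered = ([e for e in entries if e not in CWD_ENTRIES]
               + [e for e in entries if e in CWD_ENTRIES])
    return naive_find(cmd, ":".join(ordered), cwd)


def demo() -> dict:
    """Constructed scenario: PATH lists '.' first, a trojan 'ls' sits in the
    working directory and the real one in a private bin directory."""
    root = Path(tempfile.mkdtemp(prefix="sudo-path-"))
    bindir, cwd = root / "bin", root / "work"
    bindir.mkdir()
    cwd.mkdir()
    real, trojan = bindir / "ls", cwd / "ls"
    for script in (real, trojan):
        script.write_text("#!/bin/sh\necho %s\n" % script.parent.name)
        script.chmod(0o755)
    path = ".:%s:/nonexistent" % bindir
    return {
        "real": str(real), "trojan": str(trojan), "cwd": str(cwd),
        "naive": naive_find("ls", path, str(cwd)),
        "sudo": sudo_find("ls", path, str(cwd)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-6s %s" % (key, value))
```

The protection is only for the command sudo itself resolves: because PATH is passed through unchanged, a command that in turn runs `ls` without a path will still pick up the trojan in the working directory.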
     Please note that sudo will normally only log the command it explicitly
     runs.  If a user runs a command such as sudo su or sudo sh, subsequent
     commands run from that shell are not subject to sudo's security policy.
     The same is true for commands that offer shell escapes (including most
     editors).  If I/O logging is enabled, subsequent commands will have
     their input and/or output logged, but there will not be traditional
     logs for those commands.  Because of this, care must be taken when
     giving users access to commands via sudo to verify that the command
     does not inadvertently give the user an effective root shell.  For more
     information, please see the PREVENTING SHELL ESCAPES section in
     sudoers(4).

ENVIRONMENT
     sudo utilizes the following environment variables.  The security policy
     has control over the content of the command's environment.

     EDITOR          Default editor to use in -e (sudoedit) mode if neither
                     SUDO_EDITOR nor VISUAL is set

     MAIL            In -i mode or when env_reset is enabled in sudoers, set
                     to the mail spool of the target user

     HOME            Set to the home directory of the target user if -i or
                     -H are specified, env_reset or always_set_home are set
                     in sudoers, or when the -s option is specified and
                     set_home is set in sudoers

     PATH            May be overridden by the security policy.

     SHELL           Used to determine shell to run with -s option

     SUDO_ASKPASS    Specifies the path to a helper program used to read the
                     password if no terminal is available or if the -A

     SUDO_COMMAND    Set to the command run by sudo

     SUDO_EDITOR     Default editor to use in -e (sudoedit) mode

     SUDO_GID        Set to the group ID of the user who invoked sudo

     SUDO_PROMPT     Used as the default password prompt

     SUDO_PS1        If set, PS1 will be set to its value for the program

     SUDO_UID        Set to the user ID of the user who invoked sudo

     SUDO_USER       Set to the login of the user who invoked sudo

     USER            Set to the target user (root unless the -u option is

     VISUAL          Default editor to use in -e (sudoedit) mode if
                     SUDO_EDITOR is not set

FILES
     /etc/sudo.conf            sudo plugin and path configuration

EXAMPLES
     Note: the following examples assume a properly configured security

     To get a file listing of an unreadable directory:

         $ sudo ls /usr/local/protected

     To list the home directory of user yaz on a machine where the file
     system holding ~yaz is not exported as root:

         $ sudo -u yaz ls ~yaz

     To edit the index.html file as user www:

         $ sudo -u www vi ~www/htdocs/index.html

     To view system logs only accessible to root and users in the adm group:

         $ sudo -g adm view /var/log/syslog

     To run an editor as jim with a different primary group:

         $ sudo -u jim -g audio vi ~jim/sound.txt

     To shut down a machine:

         $ sudo shutdown -r +15 "quick reboot"

     To make a usage listing of the directories in the /home partition.
     Note that this runs the commands in a sub-shell to make the cd and file

         $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

SEE ALSO
     grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4),
     sudo_plugin(1m), sudoreplay(1m), visudo(1m)

AUTHORS
     Many people have worked on sudo over the years; this version consists
     of code written primarily by:

     See the HISTORY file in the sudo distribution or visit
     http://www.sudo.ws/sudo/history.html for a short history of sudo.

CAVEATS
     There is no easy way to prevent a user from gaining a root shell if
     that user is allowed to run arbitrary commands via sudo.  Also, many
     programs (such as editors) allow the user to run commands via shell
     escapes, thus avoiding sudo's checks.  However, on most systems it is
     possible to prevent shell escapes with the sudoers(4) module's noexec

     It is not meaningful to run the cd command directly via sudo, e.g.,

         $ sudo cd /usr/local/protected

     since when the command exits the parent process (your shell) will still
     be the same.  Please see the EXAMPLES section for more information.

     Running shell scripts via sudo can expose the same kernel bugs that
     make setuid shell scripts unsafe on some operating systems (if your OS
     has a /dev/fd/ directory, setuid shell scripts are generally safe).

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE file distributed with sudo or
     http://www.sudo.ws/sudo/license.html for complete details.

1.8.1p2                          May 16, 2011                        SUDO(1m)