SUDO(1m)                    System Manager's Manual                    SUDO(1m)

NAME
     sudo, sudoedit - execute a command as another user

SYNOPSIS
     sudo -h | -K | -k | -V
     sudo -v [-AknS] [-a auth_type] [-g group name | #gid] [-p prompt]
          [-u user name | #uid]
     sudo -l[l] [-AknS] [-a auth_type] [-g group name | #gid] [-p prompt]
          [-U user name] [-u user name | #uid] [command]
     sudo [-AbEHnPS] [-a auth_type] [-C fd] [-c class | -]
          [-g group name | #gid] [-p prompt] [-r role] [-t type]
          [-u user name | #uid] [VAR=value] -i | -s [command]
     sudoedit [-AnS] [-a auth_type] [-C fd] [-c class | -]
          [-g group name | #gid] [-p prompt] [-u user name | #uid] file

DESCRIPTION
     sudo allows a permitted user to execute a command as the superuser or
     another user, as specified by the security policy.

     sudo supports a plugin architecture for security policies and
     input/output logging.  Third parties can develop and distribute their
     own policy and I/O logging plugins to work seamlessly with the sudo
     front end.  The default security policy is sudoers, which is configured
     via the file /etc/sudoers, or via LDAP.  See the Plugins section for
     more

     The security policy determines what privileges, if any, a user has to
     run sudo.  The policy may require that users authenticate themselves
     with a password or another authentication mechanism.  If authentication
     is required, sudo will exit if the user's password is not entered within
     a configurable time limit.  This limit is policy-specific; the default
     password prompt timeout for the sudoers security policy is 5 minutes.

     Security policies may support credential caching to allow the user to
     run sudo again for a period of time without requiring authentication.
     The sudoers policy caches credentials for 5 minutes, unless overridden
     in sudoers(4).  By running sudo with the -v option, a user can update
     the cached credentials without running a command.

     When invoked as sudoedit, the -e option (described below), is implied.

     Security policies may log successful and failed attempts to use sudo.
     If an I/O plugin is configured, the running command's input and output
     may

OPTIONS
     The options are as follows:

     -A          Normally, if sudo requires a password, it will read it from
                 the user's terminal.  If the -A (askpass) option is
                 specified, a (possibly graphical) helper program is executed
                 to read the user's password and output the password to the
                 standard output.  If the SUDO_ASKPASS environment variable
                 is set, it specifies the path to the helper program.
                 Otherwise, if sudo.conf(4) contains a line specifying the
                 askpass program, that value will be used.  For example:

                     # Path to askpass helper program
                     Path askpass /usr/X11R6/bin/ssh-askpass

                 If no askpass program is available, sudo will exit with an

     -a type     The -a (authentication type) option causes sudo to use the
                 specified authentication type when validating the user, as
                 allowed by /etc/login.conf.  The system administrator may
                 specify a list of sudo-specific authentication methods by
                 adding an ``auth-sudo'' entry in /etc/login.conf.  This
                 option is only available on systems that support BSD

     -b          The -b (background) option tells sudo to run the given
                 command in the background.  Note that if you use the -b
                 option you cannot use shell job control to manipulate the
                 process.  Most interactive commands will fail to work
                 properly in background mode.

     -C fd       Normally, sudo will close all open file descriptors other
                 than standard input, standard output and standard error.
                 The -C (close from) option allows the user to specify a
                 starting point above the standard error (file descriptor
                 three).  Values less than three are not permitted.  The
                 security policy may restrict the user's ability to use the
                 -C option.  The sudoers policy only permits use of the -C
                 option when the administrator has enabled the
                 closefrom_override option.

     -c class    The -c (class) option causes sudo to run the specified
                 command with resources limited by the specified login
                 class.  The class argument can be either a class name as
                 defined in /etc/login.conf, or a single `-' character.
                 Specifying a class of - indicates that the command should
                 be run restricted by the default login capabilities for the
                 user the command is run as.  If the class argument
                 specifies an existing user class, the command must be run
                 as root, or the sudo command must be run from a shell that
                 is already root.  This option is only available on systems
                 with BSD login

     -E          The -E (preserve environment) option indicates to the
                 security policy that the user wishes to preserve their
                 existing environment variables.  The security policy may
                 return an error if the -E option is specified and the user
                 does not have permission to preserve the environment.

     -e          The -e (edit) option indicates that, instead of running a
                 command, the user wishes to edit one or more files.  In
                 lieu of a command, the string "sudoedit" is used when
                 consulting the security policy.  If the user is authorized
                 by the policy, the following steps are taken:

                 1.   Temporary copies are made of the files to be edited
                      with the owner set to the invoking user.

                 2.   The editor specified by the policy is run to edit the
                      temporary files.  The sudoers policy uses the
                      SUDO_EDITOR, VISUAL and EDITOR environment variables
                      (in that order).  If none of SUDO_EDITOR, VISUAL or
                      EDITOR are set, the first program listed in the editor
                      sudoers(4) option is used.

                 3.   If they have been modified, the temporary files are
                      copied back to their original location and the
                      temporary versions are removed.

                 If the specified file does not exist, it will be created.
                 Note that unlike most commands run by sudo, the editor is
                 run with the invoking user's environment unmodified.  If,
                 for some reason, sudo is unable to update a file with its
                 edited version, the user will receive a warning and the
                 edited copy will remain in a temporary file.

     -g group    Normally, sudo runs a command with the primary group set to
                 the one specified by the password database for the user the
                 command is being run as (by default, root).  The -g (group)
                 option causes sudo to run the command with the primary
                 group set to group instead.  To specify a gid instead of a
                 group name, use #gid.  When running commands as a gid, many
                 shells require that the `#' be escaped with a backslash
                 (`\').  If no -u option is specified, the command will be
                 run as the invoking user (not root).  In either case, the
                 primary group will be set to group.

     -H          The -H (HOME) option requests that the security policy set
                 the HOME environment variable to the home directory of the
                 target user (root by default) as specified by the password
                 database.  Depending on the policy, this may be the default

     -h          The -h (help) option causes sudo to print a short help
                 message to the standard output and exit.

     -i [command]
                 The -i (simulate initial login) option runs the shell
                 specified by the password database entry of the target user
                 as a login shell.  This means that login-specific resource
                 files such as .profile or .login will be read by the shell.
                 If a command is specified, it is passed to the shell for
                 execution via the shell's -c option.  If no command is
                 specified, an interactive shell is executed.  sudo attempts
                 to change to that user's home directory before running the
                 shell.  The security policy shall initialize the
                 environment to a minimal set of variables, similar to what
                 is present when a user logs in.  The Command Environment
                 section in the sudoers(4) manual documents how the -i
                 option affects the environment in which a command is run
                 when the sudoers policy

     -K          The -K (sure kill) option is like -k except that it removes
                 the user's cached credentials entirely and may not be used
                 in conjunction with a command or other option.  This option
                 does not require a password.  Not all security policies
                 support

     -k [command]
                 When used alone, the -k (kill) option to sudo invalidates
                 the user's cached credentials.  The next time sudo is run a
                 password will be required.  This option does not require a
                 password and was added to allow a user to revoke sudo
                 permissions from a .logout file.  Not all security policies
                 support credential caching.

                 When used in conjunction with a command or an option that
                 may require a password, the -k option will cause sudo to
                 ignore the user's cached credentials.  As a result, sudo
                 will prompt for a password (if one is required by the
                 security policy) and will not update the user's cached
                 credentials.

     -l[l] [command]
                 If no command is specified, the -l (list) option will list
                 the allowed (and forbidden) commands for the invoking user
                 (or the user specified by the -U option) on the current
                 host.  If a command is specified and is permitted by the
                 security policy, the fully-qualified path to the command is
                 displayed along with any command line arguments.  If
                 command is specified but not allowed, sudo will exit with a
                 status value of 1.  If the -l option is specified with an l
                 argument (i.e. -ll), or if -l is specified multiple times,
                 a longer list

     -n          The -n (non-interactive) option prevents sudo from
                 prompting the user for a password.  If a password is
                 required for the command to run, sudo will display an error
                 message and exit.

     -P          The -P (preserve group vector) option causes sudo to
                 preserve the invoking user's group vector unaltered.  By
                 default, the sudoers policy will initialize the group
                 vector to the list of groups the target user is in.  The
                 real and effective group IDs, however, are still set to
                 match the target user.

     -p prompt   The -p (prompt) option allows you to override the default
                 password prompt and use a custom one.  The following
                 percent (`%') escapes are supported by the sudoers policy:

                 %H    expanded to the host name including the domain name
                       (only if the machine's host name is fully qualified
                       or the fqdn option is set in sudoers(4))

                 %h    expanded to the local host name without the domain
                       name

                 %p    expanded to the name of the user whose password is
                       being requested (respects the rootpw, targetpw, and
                       runaspw

                 %U    expanded to the login name of the user the command
                       will be run as (defaults to root unless the -u option
                       is also

                 %u    expanded to the invoking user's login name

                 %%    two consecutive `%' characters are collapsed into a

                 The prompt specified by the -p option will override the
                 system password prompt on systems that support PAM unless
                 the passprompt_override flag is disabled in sudoers.

     -r role     The -r (role) option causes the new (SELinux) security
                 context to have the role specified by role.

     -S          The -S (stdin) option causes sudo to read the password from
                 the standard input instead of the terminal device.  The
                 password must be followed by a newline character.

     -s [command]
                 The -s (shell) option runs the shell specified by the SHELL
                 environment variable if it is set or the shell as specified
                 in the password database.  If a command is specified, it is
                 passed to the shell for execution via the shell's -c
                 option.  If no command is specified, an interactive shell
                 is executed.

     -t type     The -t (type) option causes the new (SELinux) security
                 context to have the type specified by type.  If no type is
                 specified, the default type is derived from the specified

     -U user     The -U (other user) option is used in conjunction with the
                 -l option to specify the user whose privileges should be
                 listed.  The security policy may restrict listing other
                 users' privileges.  The sudoers policy only allows root or
                 a user with the ALL privilege on the current host to use
                 this

     -u user     The -u (user) option causes sudo to run the specified
                 command as a user other than root.  To specify a uid
                 instead of a user name, #uid.  When running commands as a
                 uid, many shells require that the `#' be escaped with a
                 backslash (`\').  Security policies may restrict uids to
                 those listed in the password database.  The sudoers policy
                 allows uids that are not in the password database as long
                 as the targetpw option is not set.  Other security policies
                 may not support this.

     -V          The -V (version) option causes sudo to print its version
                 string and the version string of the security policy plugin
                 and any I/O plugins.  If the invoking user is already root
                 the -V option will display the arguments passed to
                 configure when sudo was built and plugins may display more
                 verbose information such as default options.

     -v          When given the -v (validate) option, sudo will update the
                 user's cached credentials, authenticating the user's
                 password if necessary.  For the sudoers plugin, this
                 extends the sudo timeout for another 5 minutes (or whatever
                 the timeout is set to by the security policy) but does not
                 run a command.  Not all security policies support cached
                 credentials.

     --          The -- option indicates that sudo should stop processing
                 command line arguments.

     Environment variables to be set for the command may also be passed on
     the command line in the form of VAR=value, e.g.
     LD_LIBRARY_PATH=/usr/local/pkg/lib.  Variables passed on the command
     line are subject to the same restrictions as normal environment
     variables with one important exception.  If the setenv option is set in
     sudoers, the command to be run has the SETENV tag set or the command
     matched is ALL, the user may set variables that would otherwise be
     forbidden.  See sudoers(4) for more information.

COMMAND EXECUTION
     When sudo executes a command, the security policy specifies the
     execution environment for the command.  Typically, the real and
     effective uid and gid are set to match those of the target user, as
     specified in the password database, and the group vector is initialized
     based on the group database (unless the -P option was specified).

     The following parameters may be specified by security policy:

     o   real and effective user ID
     o   real and effective group ID
     o   supplementary group IDs
     o   the environment list
     o   current working directory
     o   file creation mode mask (umask)
     o   SELinux role and type
     o   Solaris privileges
     o   scheduling priority (aka nice value)

   Process model
     When sudo runs a command, it calls fork(2), sets up the execution
     environment as described above, and calls the execve system call in the
     child process.  The main sudo process waits until the command has
     completed, then passes the command's exit status to the security
     policy's close function and exits.  If an I/O logging plugin is
     configured or if the security policy explicitly requests it, a new
     pseudo-terminal (``pty'') is created and a second sudo process is used
     to relay job control signals between the user's existing pty and the
     new pty the command is being run in.  This extra process makes it
     possible to, for example, suspend and resume the command.  Without it,
     the command would be in what POSIX terms an ``orphaned process group''
     and it would not receive any job control signals.  As a special case,
     if the policy plugin does not define a close function and no pty is
     required, sudo will execute the command directly instead of calling
     fork(2) first.

   Signal handling
     Because the command is run as a child of the sudo process, sudo will
     relay signals it receives to the command.  Unless the command is being
     run in a new pty, the SIGHUP, SIGINT and SIGQUIT signals are not
     relayed unless they are sent by a user process, not the kernel.
     Otherwise, the command would receive SIGINT twice every time the user
     entered control-C.  Some signals, such as SIGSTOP and SIGKILL, cannot
     be caught and thus will not be relayed to the command.  As a general
     rule, SIGTSTP should be used instead of SIGSTOP when you wish to
     suspend a command being run by sudo.

     As a special case, sudo will not relay signals that were sent by the
     command it is running.  This prevents the command from accidentally
     killing itself.  On some systems, the reboot(1m) command sends SIGTERM
     to all non-system processes other than itself before rebooting the
     system.  This prevents sudo from relaying the SIGTERM signal it
     received back to reboot(1m), which might then exit before the system
     was actually rebooted, leaving it in a half-dead state similar to
     single user mode.  Note, however, that this check only applies to the
     command run by sudo and not any other processes that the command may
     create.  As a result, running a script that calls reboot(1m) or
     shutdown(1m) via sudo may cause the system to end up in this undefined
     state unless the reboot(1m) or shutdown(1m) are run using the exec()
     family of functions instead of system() (which interposes a shell
     between the command and the calling process).

     If no I/O logging plugins are loaded and the policy plugin has not
     defined a close() function, set a command timeout or required that the
     command be run in a new pty, sudo may execute the command directly
     instead of running it as a child process.
   Plugins
     Plugins are dynamically loaded based on the contents of the
     sudo.conf(4) file.  If no sudo.conf(4) file is present, or it contains
     no Plugin lines, sudo will use the traditional sudoers security policy
     and I/O logging.  See the sudo.conf(4) manual for details of the
     /etc/sudo.conf file and the sudo_plugin(1m) manual for more information
     about the sudo

EXIT VALUE
     Upon successful execution of a program, the exit status from sudo will
     simply be the exit status of the program that was executed.

     Otherwise, sudo exits with a value of 1 if there is a
     configuration/permission problem or if sudo cannot execute the given
     command.  In the latter case the error string is printed to the
     standard error.  If sudo cannot stat(2) one or more entries in the
     user's PATH, an error is printed on stderr.  (If the directory does not
     exist or if it is not really a directory, the entry is ignored and no
     error is printed.)  This should not happen under normal circumstances.
     The most common reason for stat(2) to return ``permission denied'' is
     if you are running an automounter and one of the directories in your
     PATH is on a machine that is currently unreachable.

SECURITY NOTES
     sudo tries to be safe when executing external commands.

     To prevent command spoofing, sudo checks "." and "" (both denoting
     current directory) last when searching for a command in the user's PATH
     (if one or both are in the PATH).  Note, however, that the actual PATH
     environment variable is not modified and is passed unchanged to the
     program that sudo executes.
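     The search rule above, as an added example that is not sudo's own
     code: a resolver that tries the PATH entries in their given order but
     defers "." and "" to the very end, and that, as the EXIT VALUE section
     describes, reports on stderr a PATH entry that cannot be stat(2)ed for
     a reason other than being absent or not a directory while skipping
     such entries silently.  The names search_order, nth_search_dir,
     find_command and resolve are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_DIRS 32

/* Split path on ':' into dirs[], keeping the original order except that
 * "." and "" (both the current directory) are moved to the very end.
 * Returns the number of entries written (at most MAX_DIRS). */
static int search_order(const char *path, char dirs[MAX_DIRS][PATH_MAX])
{
    char cwd_ents[MAX_DIRS][PATH_MAX];
    int n = 0, ncwd = 0;
    const char *p = path;

    while (n + ncwd < MAX_DIRS) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        int is_cwd = (len == 0) || (len == 1 && p[0] == '.');
        char *dst = is_cwd ? cwd_ents[ncwd++] : dirs[n++];

        if (len >= PATH_MAX)
            len = PATH_MAX - 1;
        memcpy(dst, p, len);
        dst[len] = '\0';
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    /* Current-directory entries come last, in their original order. */
    for (int i = 0; i < ncwd && n < MAX_DIRS; i++)
        strcpy(dirs[n++], cwd_ents[i]);
    return n;
}

/* The idx-th directory the deferred search would try for path, or NULL. */
static const char *nth_search_dir(const char *path, int idx)
{
    static char dirs[MAX_DIRS][PATH_MAX];
    int n = search_order(path, dirs);
    return (idx >= 0 && idx < n) ? dirs[idx] : NULL;
}

/* Resolve name against path using search_order().  Writes the resolved
 * path to out and returns 0, or returns -1 if no executable regular file
 * is found.  A PATH entry that fails stat(2) for any reason other than
 * ENOENT/ENOTDIR is reported on stderr; the search continues either way.
 * The PATH environment variable itself is never touched. */
static int find_command(const char *name, const char *path, char *out, size_t outlen)
{
    char dirs[MAX_DIRS][PATH_MAX];
    struct stat sb;

    if (strchr(name, '/') != NULL) {            /* explicit path: no search */
        if (stat(name, &sb) == 0 && S_ISREG(sb.st_mode) && access(name, X_OK) == 0) {
            snprintf(out, outlen, "%s", name);
            return 0;
        }
        return -1;
    }
    int n = search_order(path, dirs);
    for (int i = 0; i < n; i++) {
        const char *dir = dirs[i][0] ? dirs[i] : ".";
        char cand[2 * PATH_MAX];

        if (stat(dir, &sb) != 0) {
            if (errno != ENOENT && errno != ENOTDIR)
                fprintf(stderr, "unable to stat %s: %s\n", dir, strerror(errno));
            continue;
        }
        if (!S_ISDIR(sb.st_mode))
            continue;
        snprintf(cand, sizeof cand, "%s/%s", dir, name);
        if (stat(cand, &sb) == 0 && S_ISREG(sb.st_mode) && access(cand, X_OK) == 0) {
            snprintf(out, outlen, "%s", cand);
            return 0;
        }
    }
    return -1;
}

/* Convenience wrapper: the resolved path, or NULL when nothing was found. */
static const char *resolve(const char *name, const char *path)
{
    static char out[PATH_MAX];
    return find_command(name, path, out, sizeof out) == 0 ? out : NULL;
}
```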
     Please note that sudo will normally only log the command it explicitly
     runs.  If a user runs a command such as sudo su or sudo sh, subsequent
     commands run from that shell are not subject to sudo's security policy.
     The same is true for commands that offer shell escapes (including most
     editors).  If I/O logging is enabled, subsequent commands will have
     their input and/or output logged, but there will not be traditional
     logs for those commands.  Because of this, care must be taken when
     giving users access to commands via sudo to verify that the command
     does not inadvertently give the user an effective root shell.  For more
     information, please see the PREVENTING SHELL ESCAPES section in

     To prevent the disclosure of potentially sensitive information, sudo
     disables core dumps by default while it is executing (they are
     re-enabled for the command that is run).  To aid in debugging sudo
     crashes, you may wish to re-enable core dumps by setting
     ``disable_coredump'' to false in the sudo.conf(4) file as follows:

         Set disable_coredump false

     See the sudo.conf(4) manual for more information.

ENVIRONMENT
     sudo utilizes the following environment variables.  The security policy
     has control over the actual content of the command's environment.

     EDITOR           Default editor to use in -e (sudoedit) mode if neither
                      SUDO_EDITOR nor VISUAL is set.

     MAIL             In -i mode or when env_reset is enabled in sudoers,
                      set to the mail spool of the target user.

     HOME             Set to the home directory of the target user if -i or
                      -H are specified, env_reset or always_set_home are set
                      in sudoers, or when the -s option is specified and
                      set_home is set in sudoers.

     PATH             May be overridden by the security policy.

     SHELL            Used to determine shell to run with -s option.

     SUDO_ASKPASS     Specifies the path to a helper program used to read
                      the password if no terminal is available or if the -A
                      option

     SUDO_COMMAND     Set to the command run by sudo.

     SUDO_EDITOR      Default editor to use in -e (sudoedit) mode.

     SUDO_GID         Set to the group ID of the user who invoked sudo.

     SUDO_PROMPT      Used as the default password prompt.

     SUDO_PS1         If set, PS1 will be set to its value for the program

     SUDO_UID         Set to the user ID of the user who invoked sudo.

     SUDO_USER        Set to the login name of the user who invoked sudo.

     USER             Set to the target user (root unless the -u option is

     VISUAL           Default editor to use in -e (sudoedit) mode if
                      SUDO_EDITOR is not set.

FILES
     /etc/sudo.conf   sudo front end configuration

EXAMPLES
     Note: the following examples assume a properly configured security

     To get a file listing of an unreadable directory:

         $ sudo ls /usr/local/protected

     To list the home directory of user yaz on a machine where the file
     system holding ~yaz is not exported as root:

         $ sudo -u yaz ls ~yaz

     To edit the index.html file as user www:

         $ sudo -u www vi ~www/htdocs/index.html

     To view system logs only accessible to root and users in the adm group:

         $ sudo -g adm view /var/log/syslog

     To run an editor as jim with a different primary group:

         $ sudo -u jim -g audio vi ~jim/sound.txt

     To shut down a machine:

         $ sudo shutdown -r +15 "quick reboot"

     To make a usage listing of the directories in the /home partition.
     Note that this runs the commands in a sub-shell to make the cd and file

         $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

SEE ALSO
     su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudoers(4),
     sudo_plugin(1m), sudoreplay(1m), visudo(1m)

HISTORY
     See the HISTORY file in the sudo distribution
     (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.

AUTHORS
     Many people have worked on sudo over the years; this version consists
     of code written primarily by:

     See the CONTRIBUTORS file in the sudo distribution
     (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
     people who have contributed to sudo.

CAVEATS
     There is no easy way to prevent a user from gaining a root shell if
     that user is allowed to run arbitrary commands via sudo.  Also, many
     programs (such as editors) allow the user to run commands via shell
     escapes, thus avoiding sudo's checks.  However, on most systems it is
     possible to prevent shell escapes with the sudoers(4) plugin's noexec
     functionality.

     It is not meaningful to run the cd command directly via sudo, e.g.,

         $ sudo cd /usr/local/protected

     since when the command exits the parent process (your shell) will still
     be the same.  Please see the EXAMPLES section for more information.

     Running shell scripts via sudo can expose the same kernel bugs that
     make setuid shell scripts unsafe on some operating systems (if your OS
     has a /dev/fd/ directory, setuid shell scripts are generally safe).

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE file distributed with sudo or
     http://www.sudo.ws/sudo/license.html for

Sudo 1.8.7                       March 13, 2013                      Sudo 1.8.7