4 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
8 sudo, sudoedit - execute a command as another user
10 S
\bSY
\bYN
\bNO
\bOP
\bPS
\bSI
\bIS
\bS
11 s
\bsu
\bud
\bdo
\bo -
\b-h
\bh | -
\b-K
\bK | -
\b-k
\bk | -
\b-L
\bL | -
\b-l
\bl | -
\b-V
\bV | -
\b-v
\bv
13 s
\bsu
\bud
\bdo
\bo [-
\b-b
\bbE
\bEH
\bHP
\bPS
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
14 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] [V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be] {-
\b-i
\bi | -
\b-s
\bs | _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd}
16 s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt [-
\b-S
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
17 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] file ...
19 D
\bDE
\bES
\bSC
\bCR
\bRI
\bIP
\bPT
\bTI
\bIO
\bON
\bN
20 s
\bsu
\bud
\bdo
\bo allows a permitted user to execute a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd as the
21 superuser or another user, as specified in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
22 file. The real and effective uid and gid are set to match
23 those of the target user as specified in the passwd file
24 and the group vector is initialized based on the group
25 file (unless the -
\b-P
\bP option was specified). If the invok
26 ing user is root or if the target user is the same as the
27 invoking user, no password is required. Otherwise, s
\bsu
\bud
\bdo
\bo
28 requires that users authenticate themselves with a pass
29 word by default (NOTE: in the default configuration this
30 is the user's password, not the root password). Once a
31 user has been authenticated, a timestamp is updated and
32 the user may then use sudo without a password for a short
33 period of time (5 minutes unless overridden in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs).
35 When invoked as s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt, the -
\b-e
\be option (described below),
38 s
\bsu
\bud
\bdo
\bo determines who is an authorized user by consulting
39 the file _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs. By giving s
\bsu
\bud
\bdo
\bo the -
\b-v
\bv flag, a user
40 can update the time stamp without running a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd. The
41 password prompt itself will also time out if the user's
42 password is not entered within 5 minutes (unless overrid
43 den via _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs).
45 If a user who is not listed in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file tries to
46 run a command via s
\bsu
\bud
\bdo
\bo, mail is sent to the proper author
47 ities, as defined at configure time or in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file
48 (defaults to root). Note that the mail will not be sent
49 if an unauthorized user tries to run sudo with the -
\b-l
\bl or
50 -
\b-v
\bv flags. This allows users to determine for themselves
51 whether or not they are allowed to use s
\bsu
\bud
\bdo
\bo.
53 If s
\bsu
\bud
\bdo
\bo is run by root and the SUDO_USER environment vari
54 able is set, s
\bsu
\bud
\bdo
\bo will use this value to determine who the
55 actual user is. This can be used by a user to log com
56 mands through sudo even when a root shell has been
57 invoked. It also allows the -
\b-e
\be flag to remain useful even
58 when being run via a sudo-run script or program. Note
59 however, that the sudoers lookup is still done for root,
60 not the user specified by SUDO_USER.
64 1.6.9p8 November 2, 2007 1
70 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
73 s
\bsu
\bud
\bdo
\bo can log both successful and unsuccessful attempts (as
74 well as errors) to _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3), a log file, or both. By
75 default s
\bsu
\bud
\bdo
\bo will log via _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3) but this is changeable
76 at configure time or via the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file.
78 O
\bOP
\bPT
\bTI
\bIO
\bON
\bNS
\bS
79 s
\bsu
\bud
\bdo
\bo accepts the following command line options:
81 -a The -
\b-a
\ba (_
\ba_
\bu_
\bt_
\bh_
\be_
\bn_
\bt_
\bi_
\bc_
\ba_
\bt_
\bi_
\bo_
\bn _
\bt_
\by_
\bp_
\be) option causes s
\bsu
\bud
\bdo
\bo to use
82 the specified authentication type when validating the
83 user, as allowed by _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. The system
84 administrator may specify a list of sudo-specific
85 authentication methods by adding an "auth-sudo" entry
86 in _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. This option is only available on
87 systems that support BSD authentication.
89 -b The -
\b-b
\bb (_
\bb_
\ba_
\bc_
\bk_
\bg_
\br_
\bo_
\bu_
\bn_
\bd) option tells s
\bsu
\bud
\bdo
\bo to run the given
90 command in the background. Note that if you use the
91 -
\b-b
\bb option you cannot use shell job control to manipu
94 -c The -
\b-c
\bc (_
\bc_
\bl_
\ba_
\bs_
\bs) option causes s
\bsu
\bud
\bdo
\bo to run the specified
95 command with resources limited by the specified login
96 class. The _
\bc_
\bl_
\ba_
\bs_
\bs argument can be either a class name
97 as defined in /etc/login.conf, or a single '-' charac
98 ter. Specifying a _
\bc_
\bl_
\ba_
\bs_
\bs of - indicates that the com
99 mand should be run restricted by the default login
100 capabilities for the user the command is run as. If
101 the _
\bc_
\bl_
\ba_
\bs_
\bs argument specifies an existing user class,
102 the command must be run as root, or the s
\bsu
\bud
\bdo
\bo command
103 must be run from a shell that is already root. This
104 option is only available on systems with BSD login
107 -E The -
\b-E
\bE (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\be_
\bn_
\bv_
\bi_
\br_
\bo_
\bn_
\bm_
\be_
\bn_
\bt) option will override the
108 _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)). It is only available
109 when either the matching command has the SETENV tag or
110 the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
112 -e The -
\b-e
\be (_
\be_
\bd_
\bi_
\bt) option indicates that, instead of run
113 ning a command, the user wishes to edit one or more
114 files. In lieu of a command, the string "sudoedit" is
115 used when consulting the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file. If the user is
116 authorized by _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs the following steps are taken:
118 1. Temporary copies are made of the files to be
119 edited with the owner set to the invoking user.
121 2. The editor specified by the VISUAL or EDITOR envi
122 ronment variables is run to edit the temporary
123 files. If neither VISUAL nor EDITOR are set, the
124 program listed in the _
\be_
\bd_
\bi_
\bt_
\bo_
\br _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs variable is
130 1.6.9p8 November 2, 2007 2
136 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
139 3. If they have been modified, the temporary files
140 are copied back to their original location and the
141 temporary versions are removed.
143 If the specified file does not exist, it will be cre
144 ated. Note that unlike most commands run by s
\bsu
\bud
\bdo
\bo, the
145 editor is run with the invoking user's environment
146 unmodified. If, for some reason, s
\bsu
\bud
\bdo
\bo is unable to
147 update a file with its edited version, the user will
148 receive a warning and the edited copy will remain in a
151 -H The -
\b-H
\bH (_
\bH_
\bO_
\bM_
\bE) option sets the HOME environment vari
152 able to the homedir of the target user (root by
153 default) as specified in _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4). By default, s
\bsu
\bud
\bdo
\bo
154 does not modify HOME (see _
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be and _
\ba_
\bl_
\bw_
\ba_
\by_
\bs_
\b__
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be
155 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)).
157 -h The -
\b-h
\bh (_
\bh_
\be_
\bl_
\bp) option causes s
\bsu
\bud
\bdo
\bo to print a usage mes
160 -i The -
\b-i
\bi (_
\bs_
\bi_
\bm_
\bu_
\bl_
\ba_
\bt_
\be _
\bi_
\bn_
\bi_
\bt_
\bi_
\ba_
\bl _
\bl_
\bo_
\bg_
\bi_
\bn) option runs the shell
161 specified in the _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4) entry of the user that the
162 command is being run as. The command name argument
163 given to the shell begins with a `-' to tell the shell
164 to run as a login shell. s
\bsu
\bud
\bdo
\bo attempts to change to
165 that user's home directory before running the shell.
166 It also initializes the environment, leaving _
\bT_
\bE_
\bR_
\bM
167 unchanged, setting _
\bH_
\bO_
\bM_
\bE, _
\bS_
\bH_
\bE_
\bL_
\bL, _
\bU_
\bS_
\bE_
\bR, _
\bL_
\bO_
\bG_
\bN_
\bA_
\bM_
\bE, and
168 _
\bP_
\bA_
\bT_
\bH, and unsetting all other environment variables.
169 Note that because the shell to use is determined
170 before the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file is parsed, a _
\br_
\bu_
\bn_
\ba_
\bs_
\b__
\bd_
\be_
\bf_
\ba_
\bu_
\bl_
\bt
171 setting in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs will specify the user to run the
172 shell as but will not affect which shell is actually
175 -K The -
\b-K
\bK (sure _
\bk_
\bi_
\bl_
\bl) option is like -
\b-k
\bk except that it
176 removes the user's timestamp entirely. Like -
\b-k
\bk, this
177 option does not require a password.
179 -k The -
\b-k
\bk (_
\bk_
\bi_
\bl_
\bl) option to s
\bsu
\bud
\bdo
\bo invalidates the user's
180 timestamp by setting the time on it to the Epoch. The
181 next time s
\bsu
\bud
\bdo
\bo is run a password will be required.
182 This option does not require a password and was added
183 to allow a user to revoke s
\bsu
\bud
\bdo
\bo permissions from a
186 -L The -
\b-L
\bL (_
\bl_
\bi_
\bs_
\bt defaults) option will list out the param
187 eters that may be set in a _
\bD_
\be_
\bf_
\ba_
\bu_
\bl_
\bt_
\bs line along with a
188 short description for each. This option is useful in
189 conjunction with _
\bg_
\br_
\be_
\bp(1).
191 -l The -
\b-l
\bl (_
\bl_
\bi_
\bs_
\bt) option will list out the allowed (and
192 forbidden) commands for the invoking user on the
196 1.6.9p8 November 2, 2007 3
202 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
207 -P The -
\b-P
\bP (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\bg_
\br_
\bo_
\bu_
\bp _
\bv_
\be_
\bc_
\bt_
\bo_
\br) option causes s
\bsu
\bud
\bdo
\bo to
208 preserve the invoking user's group vector unaltered.
209 By default, s
\bsu
\bud
\bdo
\bo will initialize the group vector to
210 the list of groups the target user is in. The real
211 and effective group IDs, however, are still set to
212 match the target user.
214 -p The -
\b-p
\bp (_
\bp_
\br_
\bo_
\bm_
\bp_
\bt) option allows you to override the
215 default password prompt and use a custom one. The
216 following percent (`%') escapes are supported:
218 %H expanded to the local hostname including the
219 domain name (on if the machine's hostname is fully
220 qualified or the _
\bf_
\bq_
\bd_
\bn _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs option is set)
222 %h expanded to the local hostname without the domain
225 %U expanded to the login name of the user the command
226 will be run as (defaults to root)
228 %u expanded to the invoking user's login name
230 %% two consecutive % characters are collapsed into a
233 -S The -
\b-S
\bS (_
\bs_
\bt_
\bd_
\bi_
\bn) option causes s
\bsu
\bud
\bdo
\bo to read the password
234 from the standard input instead of the terminal
237 -s The -
\b-s
\bs (_
\bs_
\bh_
\be_
\bl_
\bl) option runs the shell specified by the
238 _
\bS_
\bH_
\bE_
\bL_
\bL environment variable if it is set or the shell
239 as specified in _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4).
241 -u The -
\b-u
\bu (_
\bu_
\bs_
\be_
\br) option causes s
\bsu
\bud
\bdo
\bo to run the specified
242 command as a user other than _
\br_
\bo_
\bo_
\bt. To specify a _
\bu_
\bi_
\bd
243 instead of a _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be, use _
\b#_
\bu_
\bi_
\bd. When running com
244 mands as a _
\bu_
\bi_
\bd, many shells require that the '#' be
245 escaped with a backslash ('\'). Note that if the _
\bt_
\ba_
\br_
\b
246 _
\bg_
\be_
\bt_
\bp_
\bw Defaults option is set (see _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)) it is
247 not possible to run commands with a uid not listed in
248 the password database.
250 -V The -
\b-V
\bV (_
\bv_
\be_
\br_
\bs_
\bi_
\bo_
\bn) option causes s
\bsu
\bud
\bdo
\bo to print the ver
251 sion number and exit. If the invoking user is already
252 root the -
\b-V
\bV option will print out a list of the
253 defaults s
\bsu
\bud
\bdo
\bo was compiled with as well as the
254 machine's local network addresses.
256 -v If given the -
\b-v
\bv (_
\bv_
\ba_
\bl_
\bi_
\bd_
\ba_
\bt_
\be) option, s
\bsu
\bud
\bdo
\bo will update
257 the user's timestamp, prompting for the user's pass
258 word if necessary. This extends the s
\bsu
\bud
\bdo
\bo timeout for
262 1.6.9p8 November 2, 2007 4
268 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
271 another 5 minutes (or whatever the timeout is set to
272 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs) but does not run a command.
274 -- The -
\b--
\b- flag indicates that s
\bsu
\bud
\bdo
\bo should stop processing
275 command line arguments. It is most useful in conjunc
276 tion with the -
\b-s
\bs flag.
278 Environment variables to be set for the command may also
279 be passed on the command line in the form of V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be,
280 e.g. L
\bLD
\bD_
\b_L
\bLI
\bIB
\bBR
\bRA
\bAR
\bRY
\bY_
\b_P
\bPA
\bAT
\bTH
\bH=_
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bp_
\bk_
\bg_
\b/_
\bl_
\bi_
\bb. Variables
281 passed on the command line are subject to the same
282 restrictions as normal environment variables with one
283 important exception. If the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in _
\bs_
\bu_
\bd_
\bo_
\b
284 _
\be_
\br_
\bs or the command to be run has the SETENV tag set the
285 user may set variables that would overwise be forbidden.
286 See _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) for more information.
288 R
\bRE
\bET
\bTU
\bUR
\bRN
\bN V
\bVA
\bAL
\bLU
\bUE
\bES
\bS
289 Upon successful execution of a program, the return value
290 from s
\bsu
\bud
\bdo
\bo will simply be the return value of the program
293 Otherwise, s
\bsu
\bud
\bdo
\bo quits with an exit value of 1 if there is
294 a configuration/permission problem or if s
\bsu
\bud
\bdo
\bo cannot exe
295 cute the given command. In the latter case the error
296 string is printed to stderr. If s
\bsu
\bud
\bdo
\bo cannot _
\bs_
\bt_
\ba_
\bt(2) one
297 or more entries in the user's PATH an error is printed on
298 stderr. (If the directory does not exist or if it is not
299 really a directory, the entry is ignored and no error is
300 printed.) This should not happen under normal circum
301 stances. The most common reason for _
\bs_
\bt_
\ba_
\bt(2) to return
302 "permission denied" is if you are running an automounter
303 and one of the directories in your PATH is on a machine
304 that is currently unreachable.
306 S
\bSE
\bEC
\bCU
\bUR
\bRI
\bIT
\bTY
\bY N
\bNO
\bOT
\bTE
\bES
\bS
307 s
\bsu
\bud
\bdo
\bo tries to be safe when executing external commands.
309 There are two distinct ways to deal with environment vari
310 ables. By default, the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs option is
311 enabled. This causes commands to be executed with a mini
312 mal environment containing TERM, PATH, HOME, SHELL, LOG
313 NAME, USER and USERNAME in addition to variables from the
314 invoking process permitted by the _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp
315 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs options. There is effectively a whitelist for
316 environment variables.
318 If, however, the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is disabled in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs,
319 any variables not explicitly denied by the _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and
320 _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be options are inherited from the invoking pro
321 cess. In this case, _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be behave like
322 a blacklist. Since it is not possible to blacklist all
323 potentially dangerous environment variables, use of the
324 default _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt behavior is encouraged.
328 1.6.9p8 November 2, 2007 5
334 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
337 In all cases, environment variables with a value beginning
338 with () are removed as they could be interpreted as b
\bba
\bas
\bsh
\bh
339 functions. The list of environment variables that s
\bsu
\bud
\bdo
\bo
340 allows or denies is contained in the output of sudo -V
343 Note that the dynamic linker on most operating systems
344 will remove variables that can control dynamic linking
345 from the environment of setuid executables, including
346 s
\bsu
\bud
\bdo
\bo. Depending on the operating system this may include
347 _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth
348 ers. These type of variables are removed from the envi
349 ronment before s
\bsu
\bud
\bdo
\bo even begins execution and, as such, it
350 is not possible for s
\bsu
\bud
\bdo
\bo to preserve them.
352 To prevent command spoofing, s
\bsu
\bud
\bdo
\bo checks "." and "" (both
353 denoting current directory) last when searching for a com
354 mand in the user's PATH (if one or both are in the PATH).
355 Note, however, that the actual PATH environment variable
356 is _
\bn_
\bo_
\bt modified and is passed unchanged to the program
357 that s
\bsu
\bud
\bdo
\bo executes.
359 s
\bsu
\bud
\bdo
\bo will check the ownership of its timestamp directory
360 (_
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo by default) and ignore the directory's con
361 tents if it is not owned by root or if it is writable by a
362 user other than root. On systems that allow non-root
363 users to give away files via _
\bc_
\bh_
\bo_
\bw_
\bn(2), if the timestamp
364 directory is located in a directory writable by anyone
365 (e.g., _
\b/_
\bt_
\bm_
\bp), it is possible for a user to create the
366 timestamp directory before s
\bsu
\bud
\bdo
\bo is run. However, because
367 s
\bsu
\bud
\bdo
\bo checks the ownership and mode of the directory and
368 its contents, the only damage that can be done is to
369 "hide" files by putting them in the timestamp dir. This
370 is unlikely to happen since once the timestamp dir is
371 owned by root and inaccessible by any other user, the user
372 placing files there would be unable to get them back out.
373 To get around this issue you can use a directory that is
374 not world-writable for the timestamps (_
\b/_
\bv_
\ba_
\br_
\b/_
\ba_
\bd_
\bm_
\b/_
\bs_
\bu_
\bd_
\bo for
375 instance) or create _
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo with the appropriate
376 owner (root) and permissions (0700) in the system startup
379 s
\bsu
\bud
\bdo
\bo will not honor timestamps set far in the future.
380 Timestamps with a date greater than current_time + 2 *
381 TIMEOUT will be ignored and sudo will log and complain.
382 This is done to keep a user from creating his/her own
383 timestamp with a bogus date on systems that allow users to
386 Please note that s
\bsu
\bud
\bdo
\bo will normally only log the command
387 it explicitly runs. If a user runs a command such as sudo
388 su or sudo sh, subsequent commands run from that shell
389 will _
\bn_
\bo_
\bt be logged, nor will s
\bsu
\bud
\bdo
\bo's access control affect
390 them. The same is true for commands that offer shell
394 1.6.9p8 November 2, 2007 6
400 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
403 escapes (including most editors). Because of this, care
404 must be taken when giving users access to commands via
405 s
\bsu
\bud
\bdo
\bo to verify that the command does not inadvertently
406 give the user an effective root shell. For more informa
407 tion, please see the PREVENTING SHELL ESCAPES section in
408 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
410 E
\bEN
\bNV
\bVI
\bIR
\bRO
\bON
\bNM
\bME
\bEN
\bNT
\bT
411 s
\bsu
\bud
\bdo
\bo utilizes the following environment variables:
413 EDITOR Default editor to use in -
\b-e
\be (sudoedit)
414 mode if VISUAL is not set
416 HOME In -
\b-s
\bs or -
\b-H
\bH mode (or if sudo was config
417 ured with the --enable-shell-sets-home
418 option), set to homedir of the target user
420 PATH Set to a sane value if the _
\bs_
\be_
\bc_
\bu_
\br_
\be_
\b__
\bp_
\ba_
\bt_
\bh
421 sudoers option is set.
423 SHELL Used to determine shell to run with -s
426 SUDO_PROMPT Used as the default password prompt
428 SUDO_COMMAND Set to the command run by sudo
430 SUDO_USER Set to the login of the user who invoked
433 SUDO_UID Set to the uid of the user who invoked
436 SUDO_GID Set to the gid of the user who invoked
439 SUDO_PS1 If set, PS1 will be set to its value
441 USER Set to the target user (root unless the -
\b-u
\bu
444 VISUAL Default editor to use in -
\b-e
\be (sudoedit)
448 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs List of who can run what
449 _
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo Directory containing timestamps
451 E
\bEX
\bXA
\bAM
\bMP
\bPL
\bLE
\bES
\bS
452 Note: the following examples assume suitable _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)
455 To get a file listing of an unreadable directory:
460 1.6.9p8 November 2, 2007 7
466 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
469 $ sudo ls /usr/local/protected
471 To list the home directory of user yazza on a machine
472 where the file system holding ~yazza is not exported as
475 $ sudo -u yazza ls ~yazza
477 To edit the _
\bi_
\bn_
\bd_
\be_
\bx_
\b._
\bh_
\bt_
\bm_
\bl file as user www:
479 $ sudo -u www vi ~www/htdocs/index.html
481 To shutdown a machine:
483 $ sudo shutdown -r +15 "quick reboot"
485 To make a usage listing of the directories in the /home
486 partition. Note that this runs the commands in a sub-
487 shell to make the cd and file redirection work.
489 $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
491 S
\bSE
\bEE
\bE A
\bAL
\bLS
\bSO
\bO
492 _
\bg_
\br_
\be_
\bp(1), _
\bs_
\bu(1), _
\bs_
\bt_
\ba_
\bt(2), _
\bl_
\bo_
\bg_
\bi_
\bn_
\b__
\bc_
\ba_
\bp(3), _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4),
493 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4), _
\bv_
\bi_
\bs_
\bu_
\bd_
\bo(1m)
495 A
\bAU
\bUT
\bTH
\bHO
\bOR
\bRS
\bS
496 Many people have worked on s
\bsu
\bud
\bdo
\bo over the years; this ver
497 sion consists of code written primarily by:
502 See the HISTORY file in the s
\bsu
\bud
\bdo
\bo distribution or visit
503 http://www.sudo.ws/sudo/history.html for a short history
506 C
\bCA
\bAV
\bVE
\bEA
\bAT
\bTS
\bS
507 There is no easy way to prevent a user from gaining a root
508 shell if that user is allowed to run arbitrary commands
509 via s
\bsu
\bud
\bdo
\bo. Also, many programs (such as editors) allow the
510 user to run commands via shell escapes, thus avoiding
511 s
\bsu
\bud
\bdo
\bo's checks. However, on most systems it is possible to
512 prevent shell escapes with s
\bsu
\bud
\bdo
\bo's _
\bn_
\bo_
\be_
\bx_
\be_
\bc functionality.
513 See the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) manual for details.
515 It is not meaningful to run the cd command directly via
518 $ sudo cd /usr/local/protected
520 since when the command exits the parent process (your
521 shell) will still be the same. Please see the EXAMPLES
522 section for more information.
526 1.6.9p8 November 2, 2007 8
532 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
535 If users have sudo ALL there is nothing to prevent them
536 from creating their own program that gives them a root
537 shell regardless of any '!' elements in the user specifi
540 Running shell scripts via s
\bsu
\bud
\bdo
\bo can expose the same kernel
541 bugs that make setuid shell scripts unsafe on some operat
542 ing systems (if your OS has a /dev/fd/ directory, setuid
543 shell scripts are generally safe).
546 If you feel you have found a bug in s
\bsu
\bud
\bdo
\bo, please submit a
547 bug report at http://www.sudo.ws/sudo/bugs/
549 S
\bSU
\bUP
\bPP
\bPO
\bOR
\bRT
\bT
550 Limited free support is available via the sudo-users mail
551 ing list, see http://www.sudo.ws/mail
552 man/listinfo/sudo-users to subscribe or search the
555 D
\bDI
\bIS
\bSC
\bCL
\bLA
\bAI
\bIM
\bME
\bER
\bR
556 s
\bsu
\bud
\bdo
\bo is provided ``AS IS'' and any express or implied war
557 ranties, including, but not limited to, the implied war
558 ranties of merchantability and fitness for a particular
559 purpose are disclaimed. See the LICENSE file distributed
560 with s
\bsu
\bud
\bdo
\bo or http://www.sudo.ws/sudo/license.html for com
592 1.6.9p8 November 2, 2007 9