4 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
8 sudo, sudoedit - execute a command as another user
10 S
\bSY
\bYN
\bNO
\bOP
\bPS
\bSI
\bIS
\bS
11 s
\bsu
\bud
\bdo
\bo -
\b-h
\bh | -
\b-K
\bK | -
\b-k
\bk | -
\b-L
\bL | -
\b-l
\bl | -
\b-V
\bV | -
\b-v
\bv
13 s
\bsu
\bud
\bdo
\bo [-
\b-b
\bbE
\bEH
\bHP
\bPS
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
14 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] [V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be] {-
\b-i
\bi | -
\b-s
\bs | _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd}
16 s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt [-
\b-S
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
17 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] file ...
19 D
\bDE
\bES
\bSC
\bCR
\bRI
\bIP
\bPT
\bTI
\bIO
\bON
\bN
20 s
\bsu
\bud
\bdo
\bo allows a permitted user to execute a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd as the
21 superuser or another user, as specified in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
22 file. The real and effective uid and gid are set to match
23 those of the target user as specified in the passwd file
24 and the group vector is initialized based on the group
25 file (unless the -
\b-P
\bP option was specified). If the invok
26 ing user is root or if the target user is the same as the
27 invoking user, no password is required. Otherwise, s
\bsu
\bud
\bdo
\bo
28 requires that users authenticate themselves with a pass
29 word by default (NOTE: in the default configuration this
30 is the user's password, not the root password). Once a
31 user has been authenticated, a timestamp is updated and
32 the user may then use sudo without a password for a short
33 period of time (5 minutes unless overridden in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs).
35 When invoked as s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt, the -
\b-e
\be option (described below),
38 s
\bsu
\bud
\bdo
\bo determines who is an authorized user by consulting
39 the file _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs. By giving s
\bsu
\bud
\bdo
\bo the -
\b-v
\bv flag, a user
40 can update the time stamp without running a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd. The
41 password prompt itself will also time out if the user's
42 password is not entered within 5 minutes (unless overrid
43 den via _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs).
45 If a user who is not listed in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file tries to
46 run a command via s
\bsu
\bud
\bdo
\bo, mail is sent to the proper author
47 ities, as defined at configure time or in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file
48 (defaults to root). Note that the mail will not be sent
49 if an unauthorized user tries to run sudo with the -
\b-l
\bl or
50 -
\b-v
\bv flags. This allows users to determine for themselves
51 whether or not they are allowed to use s
\bsu
\bud
\bdo
\bo.
53 If s
\bsu
\bud
\bdo
\bo is run by root and the SUDO_USER environment vari
54 able is set, s
\bsu
\bud
\bdo
\bo will use this value to determine who the
55 actual user is. This can be used by a user to log com
56 mands through sudo even when a root shell has been
57 invoked. It also allows the -
\b-e
\be flag to remain useful even
58 when being run via a sudo-run script or program. Note
59 however, that the sudoers lookup is still done for root,
60 not the user specified by SUDO_USER.
65 1.6.9p15 March 23, 2008 1
67 1.6.9p16 May 8, 2008 1
68 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
74 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
77 s
\bsu
\bud
\bdo
\bo can log both successful and unsuccessful attempts (as
78 well as errors) to _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3), a log file, or both. By
79 default s
\bsu
\bud
\bdo
\bo will log via _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3) but this is changeable
80 at configure time or via the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file.
82 O
\bOP
\bPT
\bTI
\bIO
\bON
\bNS
\bS
83 s
\bsu
\bud
\bdo
\bo accepts the following command line options:
85 -a The -
\b-a
\ba (_
\ba_
\bu_
\bt_
\bh_
\be_
\bn_
\bt_
\bi_
\bc_
\ba_
\bt_
\bi_
\bo_
\bn _
\bt_
\by_
\bp_
\be) option causes s
\bsu
\bud
\bdo
\bo to use
86 the specified authentication type when validating the
87 user, as allowed by _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. The system
88 administrator may specify a list of sudo-specific
89 authentication methods by adding an "auth-sudo" entry
90 in _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. This option is only available on
91 systems that support BSD authentication.
93 -b The -
\b-b
\bb (_
\bb_
\ba_
\bc_
\bk_
\bg_
\br_
\bo_
\bu_
\bn_
\bd) option tells s
\bsu
\bud
\bdo
\bo to run the given
94 command in the background. Note that if you use the
95 -
\b-b
\bb option you cannot use shell job control to manipu
98 -c The -
\b-c
\bc (_
\bc_
\bl_
\ba_
\bs_
\bs) option causes s
\bsu
\bud
\bdo
\bo to run the specified
99 command with resources limited by the specified login
100 class. The _
\bc_
\bl_
\ba_
\bs_
\bs argument can be either a class name
101 as defined in /etc/login.conf, or a single '-' charac
102 ter. Specifying a _
\bc_
\bl_
\ba_
\bs_
\bs of - indicates that the com
103 mand should be run restricted by the default login
104 capabilities for the user the command is run as. If
105 the _
\bc_
\bl_
\ba_
\bs_
\bs argument specifies an existing user class,
106 the command must be run as root, or the s
\bsu
\bud
\bdo
\bo command
107 must be run from a shell that is already root. This
108 option is only available on systems with BSD login
111 -E The -
\b-E
\bE (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\be_
\bn_
\bv_
\bi_
\br_
\bo_
\bn_
\bm_
\be_
\bn_
\bt) option will override the
112 _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)). It is only available
113 when either the matching command has the SETENV tag or
114 the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
116 -e The -
\b-e
\be (_
\be_
\bd_
\bi_
\bt) option indicates that, instead of run
117 ning a command, the user wishes to edit one or more
118 files. In lieu of a command, the string "sudoedit" is
119 used when consulting the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file. If the user is
120 authorized by _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs the following steps are taken:
122 1. Temporary copies are made of the files to be
123 edited with the owner set to the invoking user.
125 2. The editor specified by the VISUAL or EDITOR envi
126 ronment variables is run to edit the temporary
127 files. If neither VISUAL nor EDITOR are set, the
128 program listed in the _
\be_
\bd_
\bi_
\bt_
\bo_
\br _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs variable is
134 <<<<<<< HEAD:sudo.cat
135 1.6.9p15 March 23, 2008 2
137 1.6.9p16 May 8, 2008 2
138 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
144 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
147 3. If they have been modified, the temporary files
148 are copied back to their original location and the
149 temporary versions are removed.
151 If the specified file does not exist, it will be cre
152 ated. Note that unlike most commands run by s
\bsu
\bud
\bdo
\bo, the
153 editor is run with the invoking user's environment
154 unmodified. If, for some reason, s
\bsu
\bud
\bdo
\bo is unable to
155 update a file with its edited version, the user will
156 receive a warning and the edited copy will remain in a
159 -H The -
\b-H
\bH (_
\bH_
\bO_
\bM_
\bE) option sets the HOME environment vari
160 able to the homedir of the target user (root by
161 default) as specified in _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4). By default, s
\bsu
\bud
\bdo
\bo
162 does not modify HOME (see _
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be and _
\ba_
\bl_
\bw_
\ba_
\by_
\bs_
\b__
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be
163 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)).
165 -h The -
\b-h
\bh (_
\bh_
\be_
\bl_
\bp) option causes s
\bsu
\bud
\bdo
\bo to print a usage mes
168 -i The -
\b-i
\bi (_
\bs_
\bi_
\bm_
\bu_
\bl_
\ba_
\bt_
\be _
\bi_
\bn_
\bi_
\bt_
\bi_
\ba_
\bl _
\bl_
\bo_
\bg_
\bi_
\bn) option runs the shell
169 specified in the _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4) entry of the user that the
170 command is being run as. The command name argument
171 given to the shell begins with a `-' to tell the shell
172 to run as a login shell. s
\bsu
\bud
\bdo
\bo attempts to change to
173 that user's home directory before running the shell.
174 It also initializes the environment, leaving _
\bT_
\bE_
\bR_
\bM
175 unchanged, setting _
\bH_
\bO_
\bM_
\bE, _
\bS_
\bH_
\bE_
\bL_
\bL, _
\bU_
\bS_
\bE_
\bR, _
\bL_
\bO_
\bG_
\bN_
\bA_
\bM_
\bE, and
176 _
\bP_
\bA_
\bT_
\bH, and unsetting all other environment variables.
177 Note that because the shell to use is determined
178 before the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file is parsed, a _
\br_
\bu_
\bn_
\ba_
\bs_
\b__
\bd_
\be_
\bf_
\ba_
\bu_
\bl_
\bt
179 setting in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs will specify the user to run the
180 shell as but will not affect which shell is actually
183 -K The -
\b-K
\bK (sure _
\bk_
\bi_
\bl_
\bl) option is like -
\b-k
\bk except that it
184 removes the user's timestamp entirely. Like -
\b-k
\bk, this
185 option does not require a password.
187 -k The -
\b-k
\bk (_
\bk_
\bi_
\bl_
\bl) option to s
\bsu
\bud
\bdo
\bo invalidates the user's
188 timestamp by setting the time on it to the Epoch. The
189 next time s
\bsu
\bud
\bdo
\bo is run a password will be required.
190 This option does not require a password and was added
191 to allow a user to revoke s
\bsu
\bud
\bdo
\bo permissions from a
194 -L The -
\b-L
\bL (_
\bl_
\bi_
\bs_
\bt defaults) option will list out the param
195 eters that may be set in a _
\bD_
\be_
\bf_
\ba_
\bu_
\bl_
\bt_
\bs line along with a
196 short description for each. This option is useful in
197 conjunction with _
\bg_
\br_
\be_
\bp(1).
199 -l The -
\b-l
\bl (_
\bl_
\bi_
\bs_
\bt) option will list out the allowed (and
200 forbidden) commands for the invoking user on the
204 <<<<<<< HEAD:sudo.cat
205 1.6.9p15 March 23, 2008 3
207 1.6.9p16 May 8, 2008 3
208 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
214 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
219 -P The -
\b-P
\bP (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\bg_
\br_
\bo_
\bu_
\bp _
\bv_
\be_
\bc_
\bt_
\bo_
\br) option causes s
\bsu
\bud
\bdo
\bo to
220 preserve the invoking user's group vector unaltered.
221 By default, s
\bsu
\bud
\bdo
\bo will initialize the group vector to
222 the list of groups the target user is in. The real
223 and effective group IDs, however, are still set to
224 match the target user.
226 -p The -
\b-p
\bp (_
\bp_
\br_
\bo_
\bm_
\bp_
\bt) option allows you to override the
227 default password prompt and use a custom one. The
228 following percent (`%') escapes are supported:
230 %H expanded to the local hostname including the
231 domain name (on if the machine's hostname is fully
232 qualified or the _
\bf_
\bq_
\bd_
\bn _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs option is set)
234 %h expanded to the local hostname without the domain
237 %p expanded to the user whose password is being asked
238 for (respects the _
\br_
\bo_
\bo_
\bt_
\bp_
\bw, _
\bt_
\ba_
\br_
\bg_
\be_
\bt_
\bp_
\bw and _
\br_
\bu_
\bn_
\ba_
\bs_
\bp_
\bw
239 flags in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs)
241 %U expanded to the login name of the user the command
242 will be run as (defaults to root)
244 %u expanded to the invoking user's login name
246 %% two consecutive % characters are collapsed into a
249 -S The -
\b-S
\bS (_
\bs_
\bt_
\bd_
\bi_
\bn) option causes s
\bsu
\bud
\bdo
\bo to read the password
250 from the standard input instead of the terminal
253 -s The -
\b-s
\bs (_
\bs_
\bh_
\be_
\bl_
\bl) option runs the shell specified by the
254 _
\bS_
\bH_
\bE_
\bL_
\bL environment variable if it is set or the shell
255 as specified in _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4).
257 -u The -
\b-u
\bu (_
\bu_
\bs_
\be_
\br) option causes s
\bsu
\bud
\bdo
\bo to run the specified
258 command as a user other than _
\br_
\bo_
\bo_
\bt. To specify a _
\bu_
\bi_
\bd
259 instead of a _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be, use _
\b#_
\bu_
\bi_
\bd. When running com
260 mands as a _
\bu_
\bi_
\bd, many shells require that the '#' be
261 escaped with a backslash ('\'). Note that if the _
\bt_
\ba_
\br_
\b
262 _
\bg_
\be_
\bt_
\bp_
\bw Defaults option is set (see _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)) it is
263 not possible to run commands with a uid not listed in
264 the password database.
266 -V The -
\b-V
\bV (_
\bv_
\be_
\br_
\bs_
\bi_
\bo_
\bn) option causes s
\bsu
\bud
\bdo
\bo to print the ver
267 sion number and exit. If the invoking user is already
268 root the -
\b-V
\bV option will print out a list of the
269 defaults s
\bsu
\bud
\bdo
\bo was compiled with as well as the
270 machine's local network addresses.
274 <<<<<<< HEAD:sudo.cat
275 1.6.9p15 March 23, 2008 4
277 1.6.9p16 May 8, 2008 4
278 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
284 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
287 -v If given the -
\b-v
\bv (_
\bv_
\ba_
\bl_
\bi_
\bd_
\ba_
\bt_
\be) option, s
\bsu
\bud
\bdo
\bo will update
288 the user's timestamp, prompting for the user's pass
289 word if necessary. This extends the s
\bsu
\bud
\bdo
\bo timeout for
290 another 5 minutes (or whatever the timeout is set to
291 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs) but does not run a command.
293 -- The -
\b--
\b- flag indicates that s
\bsu
\bud
\bdo
\bo should stop processing
294 command line arguments. It is most useful in conjunc
295 tion with the -
\b-s
\bs flag.
297 Environment variables to be set for the command may also
298 be passed on the command line in the form of V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be,
299 e.g. L
\bLD
\bD_
\b_L
\bLI
\bIB
\bBR
\bRA
\bAR
\bRY
\bY_
\b_P
\bPA
\bAT
\bTH
\bH=_
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bp_
\bk_
\bg_
\b/_
\bl_
\bi_
\bb. Variables
300 passed on the command line are subject to the same
301 restrictions as normal environment variables with one
302 important exception. If the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in _
\bs_
\bu_
\bd_
\bo_
\b
303 _
\be_
\br_
\bs, the command to be run has the SETENV tag set or the
304 command matched is ALL, the user may set variables that
305 would overwise be forbidden. See _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) for more
308 R
\bRE
\bET
\bTU
\bUR
\bRN
\bN V
\bVA
\bAL
\bLU
\bUE
\bES
\bS
309 Upon successful execution of a program, the return value
310 from s
\bsu
\bud
\bdo
\bo will simply be the return value of the program
313 Otherwise, s
\bsu
\bud
\bdo
\bo quits with an exit value of 1 if there is
314 a configuration/permission problem or if s
\bsu
\bud
\bdo
\bo cannot exe
315 cute the given command. In the latter case the error
316 string is printed to stderr. If s
\bsu
\bud
\bdo
\bo cannot _
\bs_
\bt_
\ba_
\bt(2) one
317 or more entries in the user's PATH an error is printed on
318 stderr. (If the directory does not exist or if it is not
319 really a directory, the entry is ignored and no error is
320 printed.) This should not happen under normal circum
321 stances. The most common reason for _
\bs_
\bt_
\ba_
\bt(2) to return
322 "permission denied" is if you are running an automounter
323 and one of the directories in your PATH is on a machine
324 that is currently unreachable.
326 S
\bSE
\bEC
\bCU
\bUR
\bRI
\bIT
\bTY
\bY N
\bNO
\bOT
\bTE
\bES
\bS
327 s
\bsu
\bud
\bdo
\bo tries to be safe when executing external commands.
329 There are two distinct ways to deal with environment vari
330 ables. By default, the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs option is
331 enabled. This causes commands to be executed with a mini
332 mal environment containing TERM, PATH, HOME, SHELL, LOG
333 NAME, USER and USERNAME in addition to variables from the
334 invoking process permitted by the _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp
335 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs options. There is effectively a whitelist for
336 environment variables.
338 If, however, the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is disabled in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs,
339 any variables not explicitly denied by the _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and
340 _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be options are inherited from the invoking
344 <<<<<<< HEAD:sudo.cat
345 1.6.9p15 March 23, 2008 5
347 1.6.9p16 May 8, 2008 5
348 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
354 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
357 process. In this case, _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be behave
358 like a blacklist. Since it is not possible to blacklist
359 all potentially dangerous environment variables, use of
360 the default _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt behavior is encouraged.
362 In all cases, environment variables with a value beginning
363 with () are removed as they could be interpreted as b
\bba
\bas
\bsh
\bh
364 functions. The list of environment variables that s
\bsu
\bud
\bdo
\bo
365 allows or denies is contained in the output of sudo -V
368 Note that the dynamic linker on most operating systems
369 will remove variables that can control dynamic linking
370 from the environment of setuid executables, including
371 s
\bsu
\bud
\bdo
\bo. Depending on the operating system this may include
372 _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth
373 ers. These type of variables are removed from the envi
374 ronment before s
\bsu
\bud
\bdo
\bo even begins execution and, as such, it
375 is not possible for s
\bsu
\bud
\bdo
\bo to preserve them.
377 To prevent command spoofing, s
\bsu
\bud
\bdo
\bo checks "." and "" (both
378 denoting current directory) last when searching for a com
379 mand in the user's PATH (if one or both are in the PATH).
380 Note, however, that the actual PATH environment variable
381 is _
\bn_
\bo_
\bt modified and is passed unchanged to the program
382 that s
\bsu
\bud
\bdo
\bo executes.
384 s
\bsu
\bud
\bdo
\bo will check the ownership of its timestamp directory
385 (_
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo by default) and ignore the directory's con
386 tents if it is not owned by root or if it is writable by a
387 user other than root. On systems that allow non-root
388 users to give away files via _
\bc_
\bh_
\bo_
\bw_
\bn(2), if the timestamp
389 directory is located in a directory writable by anyone
390 (e.g., _
\b/_
\bt_
\bm_
\bp), it is possible for a user to create the
391 timestamp directory before s
\bsu
\bud
\bdo
\bo is run. However, because
392 s
\bsu
\bud
\bdo
\bo checks the ownership and mode of the directory and
393 its contents, the only damage that can be done is to
394 "hide" files by putting them in the timestamp dir. This
395 is unlikely to happen since once the timestamp dir is
396 owned by root and inaccessible by any other user, the user
397 placing files there would be unable to get them back out.
398 To get around this issue you can use a directory that is
399 not world-writable for the timestamps (_
\b/_
\bv_
\ba_
\br_
\b/_
\ba_
\bd_
\bm_
\b/_
\bs_
\bu_
\bd_
\bo for
400 instance) or create _
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo with the appropriate
401 owner (root) and permissions (0700) in the system startup
404 s
\bsu
\bud
\bdo
\bo will not honor timestamps set far in the future.
405 Timestamps with a date greater than current_time + 2 *
406 TIMEOUT will be ignored and sudo will log and complain.
407 This is done to keep a user from creating his/her own
408 timestamp with a bogus date on systems that allow users to
414 <<<<<<< HEAD:sudo.cat
415 1.6.9p15 March 23, 2008 6
417 1.6.9p16 May 8, 2008 6
418 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
424 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
427 Please note that s
\bsu
\bud
\bdo
\bo will normally only log the command
428 it explicitly runs. If a user runs a command such as sudo
429 su or sudo sh, subsequent commands run from that shell
430 will _
\bn_
\bo_
\bt be logged, nor will s
\bsu
\bud
\bdo
\bo's access control affect
431 them. The same is true for commands that offer shell
432 escapes (including most editors). Because of this, care
433 must be taken when giving users access to commands via
434 s
\bsu
\bud
\bdo
\bo to verify that the command does not inadvertently
435 give the user an effective root shell. For more informa
436 tion, please see the PREVENTING SHELL ESCAPES section in
437 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
439 E
\bEN
\bNV
\bVI
\bIR
\bRO
\bON
\bNM
\bME
\bEN
\bNT
\bT
440 s
\bsu
\bud
\bdo
\bo utilizes the following environment variables:
442 EDITOR Default editor to use in -
\b-e
\be (sudoedit)
443 mode if VISUAL is not set
445 HOME In -
\b-s
\bs or -
\b-H
\bH mode (or if sudo was config
446 ured with the --enable-shell-sets-home
447 option), set to homedir of the target user
449 PATH Set to a sane value if the _
\bs_
\be_
\bc_
\bu_
\br_
\be_
\b__
\bp_
\ba_
\bt_
\bh
450 sudoers option is set.
452 SHELL Used to determine shell to run with -s
455 SUDO_PROMPT Used as the default password prompt
457 SUDO_COMMAND Set to the command run by sudo
459 SUDO_USER Set to the login of the user who invoked
462 SUDO_UID Set to the uid of the user who invoked
465 SUDO_GID Set to the gid of the user who invoked
468 SUDO_PS1 If set, PS1 will be set to its value
470 USER Set to the target user (root unless the -
\b-u
\bu
473 VISUAL Default editor to use in -
\b-e
\be (sudoedit)
477 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs List of who can run what
479 _
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo Directory containing timestamps
484 <<<<<<< HEAD:sudo.cat
485 1.6.9p15 March 23, 2008 7
487 1.6.9p16 May 8, 2008 7
488 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
494 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
497 E
\bEX
\bXA
\bAM
\bMP
\bPL
\bLE
\bES
\bS
498 Note: the following examples assume suitable _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)
501 To get a file listing of an unreadable directory:
503 $ sudo ls /usr/local/protected
505 To list the home directory of user yazza on a machine
506 where the file system holding ~yazza is not exported as
509 $ sudo -u yazza ls ~yazza
511 To edit the _
\bi_
\bn_
\bd_
\be_
\bx_
\b._
\bh_
\bt_
\bm_
\bl file as user www:
513 $ sudo -u www vi ~www/htdocs/index.html
515 To shutdown a machine:
517 $ sudo shutdown -r +15 "quick reboot"
519 To make a usage listing of the directories in the /home
520 partition. Note that this runs the commands in a sub-
521 shell to make the cd and file redirection work.
523 $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
525 S
\bSE
\bEE
\bE A
\bAL
\bLS
\bSO
\bO
526 _
\bg_
\br_
\be_
\bp(1), _
\bs_
\bu(1), _
\bs_
\bt_
\ba_
\bt(2), _
\bl_
\bo_
\bg_
\bi_
\bn_
\b__
\bc_
\ba_
\bp(3), _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4),
527 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(5), _
\bv_
\bi_
\bs_
\bu_
\bd_
\bo(1m)
529 A
\bAU
\bUT
\bTH
\bHO
\bOR
\bRS
\bS
530 Many people have worked on s
\bsu
\bud
\bdo
\bo over the years; this ver
531 sion consists of code written primarily by:
536 See the HISTORY file in the s
\bsu
\bud
\bdo
\bo distribution or visit
537 http://www.sudo.ws/sudo/history.html for a short history
540 C
\bCA
\bAV
\bVE
\bEA
\bAT
\bTS
\bS
541 There is no easy way to prevent a user from gaining a root
542 shell if that user is allowed to run arbitrary commands
543 via s
\bsu
\bud
\bdo
\bo. Also, many programs (such as editors) allow the
544 user to run commands via shell escapes, thus avoiding
545 s
\bsu
\bud
\bdo
\bo's checks. However, on most systems it is possible to
546 prevent shell escapes with s
\bsu
\bud
\bdo
\bo's _
\bn_
\bo_
\be_
\bx_
\be_
\bc functionality.
547 See the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) manual for details.
549 It is not meaningful to run the cd command directly via
554 <<<<<<< HEAD:sudo.cat
555 1.6.9p15 March 23, 2008 8
557 1.6.9p16 May 8, 2008 8
558 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
564 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
567 $ sudo cd /usr/local/protected
569 since when the command exits the parent process (your
570 shell) will still be the same. Please see the EXAMPLES
571 section for more information.
573 If users have sudo ALL there is nothing to prevent them
574 from creating their own program that gives them a root
575 shell regardless of any '!' elements in the user specifi
578 Running shell scripts via s
\bsu
\bud
\bdo
\bo can expose the same kernel
579 bugs that make setuid shell scripts unsafe on some operat
580 ing systems (if your OS has a /dev/fd/ directory, setuid
581 shell scripts are generally safe).
584 If you feel you have found a bug in s
\bsu
\bud
\bdo
\bo, please submit a
585 bug report at http://www.sudo.ws/sudo/bugs/
587 S
\bSU
\bUP
\bPP
\bPO
\bOR
\bRT
\bT
588 Limited free support is available via the sudo-users mail
589 ing list, see http://www.sudo.ws/mail
590 man/listinfo/sudo-users to subscribe or search the
593 D
\bDI
\bIS
\bSC
\bCL
\bLA
\bAI
\bIM
\bME
\bER
\bR
594 s
\bsu
\bud
\bdo
\bo is provided ``AS IS'' and any express or implied war
595 ranties, including, but not limited to, the implied war
596 ranties of merchantability and fitness for a particular
597 purpose are disclaimed. See the LICENSE file distributed
598 with s
\bsu
\bud
\bdo
\bo or http://www.sudo.ws/sudo/license.html for com
624 <<<<<<< HEAD:sudo.cat
625 1.6.9p15 March 23, 2008 9
627 1.6.9p16 May 8, 2008 9
628 >>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat