4 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
8 sudo, sudoedit - execute a command as another user
10 S
\bSY
\bYN
\bNO
\bOP
\bPS
\bSI
\bIS
\bS
11 s
\bsu
\bud
\bdo
\bo -
\b-h
\bh | -
\b-K
\bK | -
\b-k
\bk | -
\b-L
\bL | -
\b-l
\bl | -
\b-V
\bV | -
\b-v
\bv
13 s
\bsu
\bud
\bdo
\bo [-
\b-b
\bbE
\bEH
\bHP
\bPS
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
14 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] [V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be] {-
\b-i
\bi | -
\b-s
\bs | _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd}
16 s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt [-
\b-S
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
17 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] file ...
19 D
\bDE
\bES
\bSC
\bCR
\bRI
\bIP
\bPT
\bTI
\bIO
\bON
\bN
20 s
\bsu
\bud
\bdo
\bo allows a permitted user to execute a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd as the
21 superuser or another user, as specified in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
22 file. The real and effective uid and gid are set to match
23 those of the target user as specified in the passwd file
24 and the group vector is initialized based on the group
25 file (unless the -
\b-P
\bP option was specified). If the invok
26 ing user is root or if the target user is the same as the
27 invoking user, no password is required. Otherwise, s
\bsu
\bud
\bdo
\bo
28 requires that users authenticate themselves with a pass
29 word by default (NOTE: in the default configuration this
30 is the user's password, not the root password). Once a
31 user has been authenticated, a timestamp is updated and
32 the user may then use sudo without a password for a short
33 period of time (5 minutes unless overridden in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs).
35 When invoked as s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt, the -
\b-e
\be option (described below),
38 s
\bsu
\bud
\bdo
\bo determines who is an authorized user by consulting
39 the file _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs. By giving s
\bsu
\bud
\bdo
\bo the -
\b-v
\bv flag, a user
40 can update the time stamp without running a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd. The
41 password prompt itself will also time out if the user's
42 password is not entered within 5 minutes (unless overrid
43 den via _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs).
45 If a user who is not listed in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file tries to
46 run a command via s
\bsu
\bud
\bdo
\bo, mail is sent to the proper author
47 ities, as defined at configure time or in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file
48 (defaults to root). Note that the mail will not be sent
49 if an unauthorized user tries to run sudo with the -
\b-l
\bl or
50 -
\b-v
\bv flags. This allows users to determine for themselves
51 whether or not they are allowed to use s
\bsu
\bud
\bdo
\bo.
53 If s
\bsu
\bud
\bdo
\bo is run by root and the SUDO_USER environment vari
54 able is set, s
\bsu
\bud
\bdo
\bo will use this value to determine who the
55 actual user is. This can be used by a user to log com
56 mands through sudo even when a root shell has been
57 invoked. It also allows the -
\b-e
\be flag to remain useful even
58 when being run via a sudo-run script or program. Note
59 however, that the sudoers lookup is still done for root,
60 not the user specified by SUDO_USER.
64 1.6.9p15 March 23, 2008 1
70 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
73 s
\bsu
\bud
\bdo
\bo can log both successful and unsuccessful attempts (as
74 well as errors) to _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3), a log file, or both. By
75 default s
\bsu
\bud
\bdo
\bo will log via _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3) but this is changeable
76 at configure time or via the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file.
78 O
\bOP
\bPT
\bTI
\bIO
\bON
\bNS
\bS
79 s
\bsu
\bud
\bdo
\bo accepts the following command line options:
81 -a The -
\b-a
\ba (_
\ba_
\bu_
\bt_
\bh_
\be_
\bn_
\bt_
\bi_
\bc_
\ba_
\bt_
\bi_
\bo_
\bn _
\bt_
\by_
\bp_
\be) option causes s
\bsu
\bud
\bdo
\bo to use
82 the specified authentication type when validating the
83 user, as allowed by _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. The system
84 administrator may specify a list of sudo-specific
85 authentication methods by adding an "auth-sudo" entry
86 in _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. This option is only available on
87 systems that support BSD authentication.
89 -b The -
\b-b
\bb (_
\bb_
\ba_
\bc_
\bk_
\bg_
\br_
\bo_
\bu_
\bn_
\bd) option tells s
\bsu
\bud
\bdo
\bo to run the given
90 command in the background. Note that if you use the
91 -
\b-b
\bb option you cannot use shell job control to manipu
94 -c The -
\b-c
\bc (_
\bc_
\bl_
\ba_
\bs_
\bs) option causes s
\bsu
\bud
\bdo
\bo to run the specified
95 command with resources limited by the specified login
96 class. The _
\bc_
\bl_
\ba_
\bs_
\bs argument can be either a class name
97 as defined in /etc/login.conf, or a single '-' charac
98 ter. Specifying a _
\bc_
\bl_
\ba_
\bs_
\bs of - indicates that the com
99 mand should be run restricted by the default login
100 capabilities for the user the command is run as. If
101 the _
\bc_
\bl_
\ba_
\bs_
\bs argument specifies an existing user class,
102 the command must be run as root, or the s
\bsu
\bud
\bdo
\bo command
103 must be run from a shell that is already root. This
104 option is only available on systems with BSD login
107 -E The -
\b-E
\bE (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\be_
\bn_
\bv_
\bi_
\br_
\bo_
\bn_
\bm_
\be_
\bn_
\bt) option will override the
108 _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)). It is only available
109 when either the matching command has the SETENV tag or
110 the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
112 -e The -
\b-e
\be (_
\be_
\bd_
\bi_
\bt) option indicates that, instead of run
113 ning a command, the user wishes to edit one or more
114 files. In lieu of a command, the string "sudoedit" is
115 used when consulting the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file. If the user is
116 authorized by _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs the following steps are taken:
118 1. Temporary copies are made of the files to be
119 edited with the owner set to the invoking user.
121 2. The editor specified by the VISUAL or EDITOR envi
122 ronment variables is run to edit the temporary
123 files. If neither VISUAL nor EDITOR are set, the
124 program listed in the _
\be_
\bd_
\bi_
\bt_
\bo_
\br _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs variable is
130 1.6.9p15 March 23, 2008 2
136 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
139 3. If they have been modified, the temporary files
140 are copied back to their original location and the
141 temporary versions are removed.
143 If the specified file does not exist, it will be cre
144 ated. Note that unlike most commands run by s
\bsu
\bud
\bdo
\bo, the
145 editor is run with the invoking user's environment
146 unmodified. If, for some reason, s
\bsu
\bud
\bdo
\bo is unable to
147 update a file with its edited version, the user will
148 receive a warning and the edited copy will remain in a
151 -H The -
\b-H
\bH (_
\bH_
\bO_
\bM_
\bE) option sets the HOME environment vari
152 able to the homedir of the target user (root by
153 default) as specified in _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4). By default, s
\bsu
\bud
\bdo
\bo
154 does not modify HOME (see _
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be and _
\ba_
\bl_
\bw_
\ba_
\by_
\bs_
\b__
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be
155 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)).
157 -h The -
\b-h
\bh (_
\bh_
\be_
\bl_
\bp) option causes s
\bsu
\bud
\bdo
\bo to print a usage mes
160 -i The -
\b-i
\bi (_
\bs_
\bi_
\bm_
\bu_
\bl_
\ba_
\bt_
\be _
\bi_
\bn_
\bi_
\bt_
\bi_
\ba_
\bl _
\bl_
\bo_
\bg_
\bi_
\bn) option runs the shell
161 specified in the _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4) entry of the user that the
162 command is being run as. The command name argument
163 given to the shell begins with a `-' to tell the shell
164 to run as a login shell. s
\bsu
\bud
\bdo
\bo attempts to change to
165 that user's home directory before running the shell.
166 It also initializes the environment, leaving _
\bT_
\bE_
\bR_
\bM
167 unchanged, setting _
\bH_
\bO_
\bM_
\bE, _
\bS_
\bH_
\bE_
\bL_
\bL, _
\bU_
\bS_
\bE_
\bR, _
\bL_
\bO_
\bG_
\bN_
\bA_
\bM_
\bE, and
168 _
\bP_
\bA_
\bT_
\bH, and unsetting all other environment variables.
169 Note that because the shell to use is determined
170 before the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file is parsed, a _
\br_
\bu_
\bn_
\ba_
\bs_
\b__
\bd_
\be_
\bf_
\ba_
\bu_
\bl_
\bt
171 setting in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs will specify the user to run the
172 shell as but will not affect which shell is actually
175 -K The -
\b-K
\bK (sure _
\bk_
\bi_
\bl_
\bl) option is like -
\b-k
\bk except that it
176 removes the user's timestamp entirely. Like -
\b-k
\bk, this
177 option does not require a password.
179 -k The -
\b-k
\bk (_
\bk_
\bi_
\bl_
\bl) option to s
\bsu
\bud
\bdo
\bo invalidates the user's
180 timestamp by setting the time on it to the Epoch. The
181 next time s
\bsu
\bud
\bdo
\bo is run a password will be required.
182 This option does not require a password and was added
183 to allow a user to revoke s
\bsu
\bud
\bdo
\bo permissions from a
186 -L The -
\b-L
\bL (_
\bl_
\bi_
\bs_
\bt defaults) option will list out the param
187 eters that may be set in a _
\bD_
\be_
\bf_
\ba_
\bu_
\bl_
\bt_
\bs line along with a
188 short description for each. This option is useful in
189 conjunction with _
\bg_
\br_
\be_
\bp(1).
191 -l The -
\b-l
\bl (_
\bl_
\bi_
\bs_
\bt) option will list out the allowed (and
192 forbidden) commands for the invoking user on the
196 1.6.9p15 March 23, 2008 3
202 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
207 -P The -
\b-P
\bP (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\bg_
\br_
\bo_
\bu_
\bp _
\bv_
\be_
\bc_
\bt_
\bo_
\br) option causes s
\bsu
\bud
\bdo
\bo to
208 preserve the invoking user's group vector unaltered.
209 By default, s
\bsu
\bud
\bdo
\bo will initialize the group vector to
210 the list of groups the target user is in. The real
211 and effective group IDs, however, are still set to
212 match the target user.
214 -p The -
\b-p
\bp (_
\bp_
\br_
\bo_
\bm_
\bp_
\bt) option allows you to override the
215 default password prompt and use a custom one. The
216 following percent (`%') escapes are supported:
218 %H expanded to the local hostname including the
219 domain name (on if the machine's hostname is fully
220 qualified or the _
\bf_
\bq_
\bd_
\bn _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs option is set)
222 %h expanded to the local hostname without the domain
225 %p expanded to the user whose password is being asked
226 for (respects the _
\br_
\bo_
\bo_
\bt_
\bp_
\bw, _
\bt_
\ba_
\br_
\bg_
\be_
\bt_
\bp_
\bw and _
\br_
\bu_
\bn_
\ba_
\bs_
\bp_
\bw
227 flags in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs)
229 %U expanded to the login name of the user the command
230 will be run as (defaults to root)
232 %u expanded to the invoking user's login name
234 %% two consecutive % characters are collapsed into a
237 -S The -
\b-S
\bS (_
\bs_
\bt_
\bd_
\bi_
\bn) option causes s
\bsu
\bud
\bdo
\bo to read the password
238 from the standard input instead of the terminal
241 -s The -
\b-s
\bs (_
\bs_
\bh_
\be_
\bl_
\bl) option runs the shell specified by the
242 _
\bS_
\bH_
\bE_
\bL_
\bL environment variable if it is set or the shell
243 as specified in _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4).
245 -u The -
\b-u
\bu (_
\bu_
\bs_
\be_
\br) option causes s
\bsu
\bud
\bdo
\bo to run the specified
246 command as a user other than _
\br_
\bo_
\bo_
\bt. To specify a _
\bu_
\bi_
\bd
247 instead of a _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be, use _
\b#_
\bu_
\bi_
\bd. When running com
248 mands as a _
\bu_
\bi_
\bd, many shells require that the '#' be
249 escaped with a backslash ('\'). Note that if the _
\bt_
\ba_
\br_
\b
250 _
\bg_
\be_
\bt_
\bp_
\bw Defaults option is set (see _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)) it is
251 not possible to run commands with a uid not listed in
252 the password database.
254 -V The -
\b-V
\bV (_
\bv_
\be_
\br_
\bs_
\bi_
\bo_
\bn) option causes s
\bsu
\bud
\bdo
\bo to print the ver
255 sion number and exit. If the invoking user is already
256 root the -
\b-V
\bV option will print out a list of the
257 defaults s
\bsu
\bud
\bdo
\bo was compiled with as well as the
258 machine's local network addresses.
262 1.6.9p15 March 23, 2008 4
268 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
271 -v If given the -
\b-v
\bv (_
\bv_
\ba_
\bl_
\bi_
\bd_
\ba_
\bt_
\be) option, s
\bsu
\bud
\bdo
\bo will update
272 the user's timestamp, prompting for the user's pass
273 word if necessary. This extends the s
\bsu
\bud
\bdo
\bo timeout for
274 another 5 minutes (or whatever the timeout is set to
275 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs) but does not run a command.
277 -- The -
\b--
\b- flag indicates that s
\bsu
\bud
\bdo
\bo should stop processing
278 command line arguments. It is most useful in conjunc
279 tion with the -
\b-s
\bs flag.
281 Environment variables to be set for the command may also
282 be passed on the command line in the form of V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be,
283 e.g. L
\bLD
\bD_
\b_L
\bLI
\bIB
\bBR
\bRA
\bAR
\bRY
\bY_
\b_P
\bPA
\bAT
\bTH
\bH=_
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bp_
\bk_
\bg_
\b/_
\bl_
\bi_
\bb. Variables
284 passed on the command line are subject to the same
285 restrictions as normal environment variables with one
286 important exception. If the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in _
\bs_
\bu_
\bd_
\bo_
\b
287 _
\be_
\br_
\bs, the command to be run has the SETENV tag set or the
288 command matched is ALL, the user may set variables that
289 would overwise be forbidden. See _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) for more
292 R
\bRE
\bET
\bTU
\bUR
\bRN
\bN V
\bVA
\bAL
\bLU
\bUE
\bES
\bS
293 Upon successful execution of a program, the return value
294 from s
\bsu
\bud
\bdo
\bo will simply be the return value of the program
297 Otherwise, s
\bsu
\bud
\bdo
\bo quits with an exit value of 1 if there is
298 a configuration/permission problem or if s
\bsu
\bud
\bdo
\bo cannot exe
299 cute the given command. In the latter case the error
300 string is printed to stderr. If s
\bsu
\bud
\bdo
\bo cannot _
\bs_
\bt_
\ba_
\bt(2) one
301 or more entries in the user's PATH an error is printed on
302 stderr. (If the directory does not exist or if it is not
303 really a directory, the entry is ignored and no error is
304 printed.) This should not happen under normal circum
305 stances. The most common reason for _
\bs_
\bt_
\ba_
\bt(2) to return
306 "permission denied" is if you are running an automounter
307 and one of the directories in your PATH is on a machine
308 that is currently unreachable.
310 S
\bSE
\bEC
\bCU
\bUR
\bRI
\bIT
\bTY
\bY N
\bNO
\bOT
\bTE
\bES
\bS
311 s
\bsu
\bud
\bdo
\bo tries to be safe when executing external commands.
313 There are two distinct ways to deal with environment vari
314 ables. By default, the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs option is
315 enabled. This causes commands to be executed with a mini
316 mal environment containing TERM, PATH, HOME, SHELL, LOG
317 NAME, USER and USERNAME in addition to variables from the
318 invoking process permitted by the _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp
319 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs options. There is effectively a whitelist for
320 environment variables.
322 If, however, the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is disabled in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs,
323 any variables not explicitly denied by the _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and
324 _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be options are inherited from the invoking
328 1.6.9p15 March 23, 2008 5
334 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
337 process. In this case, _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be behave
338 like a blacklist. Since it is not possible to blacklist
339 all potentially dangerous environment variables, use of
340 the default _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt behavior is encouraged.
342 In all cases, environment variables with a value beginning
343 with () are removed as they could be interpreted as b
\bba
\bas
\bsh
\bh
344 functions. The list of environment variables that s
\bsu
\bud
\bdo
\bo
345 allows or denies is contained in the output of sudo -V
348 Note that the dynamic linker on most operating systems
349 will remove variables that can control dynamic linking
350 from the environment of setuid executables, including
351 s
\bsu
\bud
\bdo
\bo. Depending on the operating system this may include
352 _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth
353 ers. These type of variables are removed from the envi
354 ronment before s
\bsu
\bud
\bdo
\bo even begins execution and, as such, it
355 is not possible for s
\bsu
\bud
\bdo
\bo to preserve them.
357 To prevent command spoofing, s
\bsu
\bud
\bdo
\bo checks "." and "" (both
358 denoting current directory) last when searching for a com
359 mand in the user's PATH (if one or both are in the PATH).
360 Note, however, that the actual PATH environment variable
361 is _
\bn_
\bo_
\bt modified and is passed unchanged to the program
362 that s
\bsu
\bud
\bdo
\bo executes.
364 s
\bsu
\bud
\bdo
\bo will check the ownership of its timestamp directory
365 (_
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo by default) and ignore the directory's con
366 tents if it is not owned by root or if it is writable by a
367 user other than root. On systems that allow non-root
368 users to give away files via _
\bc_
\bh_
\bo_
\bw_
\bn(2), if the timestamp
369 directory is located in a directory writable by anyone
370 (e.g., _
\b/_
\bt_
\bm_
\bp), it is possible for a user to create the
371 timestamp directory before s
\bsu
\bud
\bdo
\bo is run. However, because
372 s
\bsu
\bud
\bdo
\bo checks the ownership and mode of the directory and
373 its contents, the only damage that can be done is to
374 "hide" files by putting them in the timestamp dir. This
375 is unlikely to happen since once the timestamp dir is
376 owned by root and inaccessible by any other user, the user
377 placing files there would be unable to get them back out.
378 To get around this issue you can use a directory that is
379 not world-writable for the timestamps (_
\b/_
\bv_
\ba_
\br_
\b/_
\ba_
\bd_
\bm_
\b/_
\bs_
\bu_
\bd_
\bo for
380 instance) or create _
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo with the appropriate
381 owner (root) and permissions (0700) in the system startup
384 s
\bsu
\bud
\bdo
\bo will not honor timestamps set far in the future.
385 Timestamps with a date greater than current_time + 2 *
386 TIMEOUT will be ignored and sudo will log and complain.
387 This is done to keep a user from creating his/her own
388 timestamp with a bogus date on systems that allow users to
394 1.6.9p15 March 23, 2008 6
400 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
403 Please note that s
\bsu
\bud
\bdo
\bo will normally only log the command
404 it explicitly runs. If a user runs a command such as sudo
405 su or sudo sh, subsequent commands run from that shell
406 will _
\bn_
\bo_
\bt be logged, nor will s
\bsu
\bud
\bdo
\bo's access control affect
407 them. The same is true for commands that offer shell
408 escapes (including most editors). Because of this, care
409 must be taken when giving users access to commands via
410 s
\bsu
\bud
\bdo
\bo to verify that the command does not inadvertently
411 give the user an effective root shell. For more informa
412 tion, please see the PREVENTING SHELL ESCAPES section in
413 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
415 E
\bEN
\bNV
\bVI
\bIR
\bRO
\bON
\bNM
\bME
\bEN
\bNT
\bT
416 s
\bsu
\bud
\bdo
\bo utilizes the following environment variables:
418 EDITOR Default editor to use in -
\b-e
\be (sudoedit)
419 mode if VISUAL is not set
421 HOME In -
\b-s
\bs or -
\b-H
\bH mode (or if sudo was config
422 ured with the --enable-shell-sets-home
423 option), set to homedir of the target user
425 PATH Set to a sane value if the _
\bs_
\be_
\bc_
\bu_
\br_
\be_
\b__
\bp_
\ba_
\bt_
\bh
426 sudoers option is set.
428 SHELL Used to determine shell to run with -s
431 SUDO_PROMPT Used as the default password prompt
433 SUDO_COMMAND Set to the command run by sudo
435 SUDO_USER Set to the login of the user who invoked
438 SUDO_UID Set to the uid of the user who invoked
441 SUDO_GID Set to the gid of the user who invoked
444 SUDO_PS1 If set, PS1 will be set to its value
446 USER Set to the target user (root unless the -
\b-u
\bu
449 VISUAL Default editor to use in -
\b-e
\be (sudoedit)
453 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs List of who can run what
455 _
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo Directory containing timestamps
460 1.6.9p15 March 23, 2008 7
466 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
469 E
\bEX
\bXA
\bAM
\bMP
\bPL
\bLE
\bES
\bS
470 Note: the following examples assume suitable _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)
473 To get a file listing of an unreadable directory:
475 $ sudo ls /usr/local/protected
477 To list the home directory of user yazza on a machine
478 where the file system holding ~yazza is not exported as
481 $ sudo -u yazza ls ~yazza
483 To edit the _
\bi_
\bn_
\bd_
\be_
\bx_
\b._
\bh_
\bt_
\bm_
\bl file as user www:
485 $ sudo -u www vi ~www/htdocs/index.html
487 To shutdown a machine:
489 $ sudo shutdown -r +15 "quick reboot"
491 To make a usage listing of the directories in the /home
492 partition. Note that this runs the commands in a sub-
493 shell to make the cd and file redirection work.
495 $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
497 S
\bSE
\bEE
\bE A
\bAL
\bLS
\bSO
\bO
498 _
\bg_
\br_
\be_
\bp(1), _
\bs_
\bu(1), _
\bs_
\bt_
\ba_
\bt(2), _
\bl_
\bo_
\bg_
\bi_
\bn_
\b__
\bc_
\ba_
\bp(3), _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4),
499 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(5), _
\bv_
\bi_
\bs_
\bu_
\bd_
\bo(1m)
501 A
\bAU
\bUT
\bTH
\bHO
\bOR
\bRS
\bS
502 Many people have worked on s
\bsu
\bud
\bdo
\bo over the years; this ver
503 sion consists of code written primarily by:
508 See the HISTORY file in the s
\bsu
\bud
\bdo
\bo distribution or visit
509 http://www.sudo.ws/sudo/history.html for a short history
512 C
\bCA
\bAV
\bVE
\bEA
\bAT
\bTS
\bS
513 There is no easy way to prevent a user from gaining a root
514 shell if that user is allowed to run arbitrary commands
515 via s
\bsu
\bud
\bdo
\bo. Also, many programs (such as editors) allow the
516 user to run commands via shell escapes, thus avoiding
517 s
\bsu
\bud
\bdo
\bo's checks. However, on most systems it is possible to
518 prevent shell escapes with s
\bsu
\bud
\bdo
\bo's _
\bn_
\bo_
\be_
\bx_
\be_
\bc functionality.
519 See the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) manual for details.
521 It is not meaningful to run the cd command directly via
526 1.6.9p15 March 23, 2008 8
532 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
535 $ sudo cd /usr/local/protected
537 since when the command exits the parent process (your
538 shell) will still be the same. Please see the EXAMPLES
539 section for more information.
541 If users have sudo ALL there is nothing to prevent them
542 from creating their own program that gives them a root
543 shell regardless of any '!' elements in the user specifi
546 Running shell scripts via s
\bsu
\bud
\bdo
\bo can expose the same kernel
547 bugs that make setuid shell scripts unsafe on some operat
548 ing systems (if your OS has a /dev/fd/ directory, setuid
549 shell scripts are generally safe).
552 If you feel you have found a bug in s
\bsu
\bud
\bdo
\bo, please submit a
553 bug report at http://www.sudo.ws/sudo/bugs/
555 S
\bSU
\bUP
\bPP
\bPO
\bOR
\bRT
\bT
556 Limited free support is available via the sudo-users mail
557 ing list, see http://www.sudo.ws/mail
558 man/listinfo/sudo-users to subscribe or search the
561 D
\bDI
\bIS
\bSC
\bCL
\bLA
\bAI
\bIM
\bME
\bER
\bR
562 s
\bsu
\bud
\bdo
\bo is provided ``AS IS'' and any express or implied war
563 ranties, including, but not limited to, the implied war
564 ranties of merchantability and fitness for a particular
565 purpose are disclaimed. See the LICENSE file distributed
566 with s
\bsu
\bud
\bdo
\bo or http://www.sudo.ws/sudo/license.html for com
592 1.6.9p15 March 23, 2008 9
projects / debian / sudo / blob