4 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
8 sudo, sudoedit - execute a command as another user
10 S
\bSY
\bYN
\bNO
\bOP
\bPS
\bSI
\bIS
\bS
11 s
\bsu
\bud
\bdo
\bo -
\b-h
\bh | -
\b-K
\bK | -
\b-k
\bk | -
\b-L
\bL | -
\b-l
\bl | -
\b-V
\bV | -
\b-v
\bv
13 s
\bsu
\bud
\bdo
\bo [-
\b-b
\bbE
\bEH
\bHP
\bPS
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
14 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] [V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be] {-
\b-i
\bi | -
\b-s
\bs | _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd}
16 s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt [-
\b-S
\bS] [-
\b-a
\ba _
\ba_
\bu_
\bt_
\bh_
\b__
\bt_
\by_
\bp_
\be] [-
\b-c
\bc _
\bc_
\bl_
\ba_
\bs_
\bs|_
\b-] [-
\b-p
\bp _
\bp_
\br_
\bo_
\bm_
\bp_
\bt]
17 [-
\b-u
\bu _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be|_
\b#_
\bu_
\bi_
\bd] file ...
19 D
\bDE
\bES
\bSC
\bCR
\bRI
\bIP
\bPT
\bTI
\bIO
\bON
\bN
20 s
\bsu
\bud
\bdo
\bo allows a permitted user to execute a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd as the
21 superuser or another user, as specified in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
22 file. The real and effective uid and gid are set to match
23 those of the target user as specified in the passwd file
24 and the group vector is initialized based on the group
25 file (unless the -
\b-P
\bP option was specified). If the invok
26 ing user is root or if the target user is the same as the
27 invoking user, no password is required. Otherwise, s
\bsu
\bud
\bdo
\bo
28 requires that users authenticate themselves with a pass
29 word by default (NOTE: in the default configuration this
30 is the user's password, not the root password). Once a
31 user has been authenticated, a timestamp is updated and
32 the user may then use sudo without a password for a short
33 period of time (5 minutes unless overridden in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs).
35 When invoked as s
\bsu
\bud
\bdo
\boe
\bed
\bdi
\bit
\bt, the -
\b-e
\be option (described below),
38 s
\bsu
\bud
\bdo
\bo determines who is an authorized user by consulting
39 the file _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs. By giving s
\bsu
\bud
\bdo
\bo the -
\b-v
\bv flag, a user
40 can update the time stamp without running a _
\bc_
\bo_
\bm_
\bm_
\ba_
\bn_
\bd. The
41 password prompt itself will also time out if the user's
42 password is not entered within 5 minutes (unless overrid
43 den via _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs).
45 If a user who is not listed in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file tries to
46 run a command via s
\bsu
\bud
\bdo
\bo, mail is sent to the proper author
47 ities, as defined at configure time or in the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file
48 (defaults to root). Note that the mail will not be sent
49 if an unauthorized user tries to run sudo with the -
\b-l
\bl or
50 -
\b-v
\bv flags. This allows users to determine for themselves
51 whether or not they are allowed to use s
\bsu
\bud
\bdo
\bo.
53 If s
\bsu
\bud
\bdo
\bo is run by root and the SUDO_USER environment vari
54 able is set, s
\bsu
\bud
\bdo
\bo will use this value to determine who the
55 actual user is. This can be used by a user to log com
56 mands through sudo even when a root shell has been
57 invoked. It also allows the -
\b-e
\be flag to remain useful even
58 when being run via a sudo-run script or program. Note
59 however, that the sudoers lookup is still done for root,
60 not the user specified by SUDO_USER.
64 1.6.9p10 December 17, 2007 1
70 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
73 s
\bsu
\bud
\bdo
\bo can log both successful and unsuccessful attempts (as
74 well as errors) to _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3), a log file, or both. By
75 default s
\bsu
\bud
\bdo
\bo will log via _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3) but this is changeable
76 at configure time or via the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file.
78 O
\bOP
\bPT
\bTI
\bIO
\bON
\bNS
\bS
79 s
\bsu
\bud
\bdo
\bo accepts the following command line options:
81 -a The -
\b-a
\ba (_
\ba_
\bu_
\bt_
\bh_
\be_
\bn_
\bt_
\bi_
\bc_
\ba_
\bt_
\bi_
\bo_
\bn _
\bt_
\by_
\bp_
\be) option causes s
\bsu
\bud
\bdo
\bo to use
82 the specified authentication type when validating the
83 user, as allowed by _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. The system
84 administrator may specify a list of sudo-specific
85 authentication methods by adding an "auth-sudo" entry
86 in _
\b/_
\be_
\bt_
\bc_
\b/_
\bl_
\bo_
\bg_
\bi_
\bn_
\b._
\bc_
\bo_
\bn_
\bf. This option is only available on
87 systems that support BSD authentication.
89 -b The -
\b-b
\bb (_
\bb_
\ba_
\bc_
\bk_
\bg_
\br_
\bo_
\bu_
\bn_
\bd) option tells s
\bsu
\bud
\bdo
\bo to run the given
90 command in the background. Note that if you use the
91 -
\b-b
\bb option you cannot use shell job control to manipu
94 -c The -
\b-c
\bc (_
\bc_
\bl_
\ba_
\bs_
\bs) option causes s
\bsu
\bud
\bdo
\bo to run the specified
95 command with resources limited by the specified login
96 class. The _
\bc_
\bl_
\ba_
\bs_
\bs argument can be either a class name
97 as defined in /etc/login.conf, or a single '-' charac
98 ter. Specifying a _
\bc_
\bl_
\ba_
\bs_
\bs of - indicates that the com
99 mand should be run restricted by the default login
100 capabilities for the user the command is run as. If
101 the _
\bc_
\bl_
\ba_
\bs_
\bs argument specifies an existing user class,
102 the command must be run as root, or the s
\bsu
\bud
\bdo
\bo command
103 must be run from a shell that is already root. This
104 option is only available on systems with BSD login
107 -E The -
\b-E
\bE (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\be_
\bn_
\bv_
\bi_
\br_
\bo_
\bn_
\bm_
\be_
\bn_
\bt) option will override the
108 _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)). It is only available
109 when either the matching command has the SETENV tag or
110 the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
112 -e The -
\b-e
\be (_
\be_
\bd_
\bi_
\bt) option indicates that, instead of run
113 ning a command, the user wishes to edit one or more
114 files. In lieu of a command, the string "sudoedit" is
115 used when consulting the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file. If the user is
116 authorized by _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs the following steps are taken:
118 1. Temporary copies are made of the files to be
119 edited with the owner set to the invoking user.
121 2. The editor specified by the VISUAL or EDITOR envi
122 ronment variables is run to edit the temporary
123 files. If neither VISUAL nor EDITOR are set, the
124 program listed in the _
\be_
\bd_
\bi_
\bt_
\bo_
\br _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs variable is
130 1.6.9p10 December 17, 2007 2
136 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
139 3. If they have been modified, the temporary files
140 are copied back to their original location and the
141 temporary versions are removed.
143 If the specified file does not exist, it will be cre
144 ated. Note that unlike most commands run by s
\bsu
\bud
\bdo
\bo, the
145 editor is run with the invoking user's environment
146 unmodified. If, for some reason, s
\bsu
\bud
\bdo
\bo is unable to
147 update a file with its edited version, the user will
148 receive a warning and the edited copy will remain in a
151 -H The -
\b-H
\bH (_
\bH_
\bO_
\bM_
\bE) option sets the HOME environment vari
152 able to the homedir of the target user (root by
153 default) as specified in _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4). By default, s
\bsu
\bud
\bdo
\bo
154 does not modify HOME (see _
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be and _
\ba_
\bl_
\bw_
\ba_
\by_
\bs_
\b__
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be
155 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)).
157 -h The -
\b-h
\bh (_
\bh_
\be_
\bl_
\bp) option causes s
\bsu
\bud
\bdo
\bo to print a usage mes
160 -i The -
\b-i
\bi (_
\bs_
\bi_
\bm_
\bu_
\bl_
\ba_
\bt_
\be _
\bi_
\bn_
\bi_
\bt_
\bi_
\ba_
\bl _
\bl_
\bo_
\bg_
\bi_
\bn) option runs the shell
161 specified in the _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4) entry of the user that the
162 command is being run as. The command name argument
163 given to the shell begins with a `-' to tell the shell
164 to run as a login shell. s
\bsu
\bud
\bdo
\bo attempts to change to
165 that user's home directory before running the shell.
166 It also initializes the environment, leaving _
\bT_
\bE_
\bR_
\bM
167 unchanged, setting _
\bH_
\bO_
\bM_
\bE, _
\bS_
\bH_
\bE_
\bL_
\bL, _
\bU_
\bS_
\bE_
\bR, _
\bL_
\bO_
\bG_
\bN_
\bA_
\bM_
\bE, and
168 _
\bP_
\bA_
\bT_
\bH, and unsetting all other environment variables.
169 Note that because the shell to use is determined
170 before the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs file is parsed, a _
\br_
\bu_
\bn_
\ba_
\bs_
\b__
\bd_
\be_
\bf_
\ba_
\bu_
\bl_
\bt
171 setting in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs will specify the user to run the
172 shell as but will not affect which shell is actually
175 -K The -
\b-K
\bK (sure _
\bk_
\bi_
\bl_
\bl) option is like -
\b-k
\bk except that it
176 removes the user's timestamp entirely. Like -
\b-k
\bk, this
177 option does not require a password.
179 -k The -
\b-k
\bk (_
\bk_
\bi_
\bl_
\bl) option to s
\bsu
\bud
\bdo
\bo invalidates the user's
180 timestamp by setting the time on it to the Epoch. The
181 next time s
\bsu
\bud
\bdo
\bo is run a password will be required.
182 This option does not require a password and was added
183 to allow a user to revoke s
\bsu
\bud
\bdo
\bo permissions from a
186 -L The -
\b-L
\bL (_
\bl_
\bi_
\bs_
\bt defaults) option will list out the param
187 eters that may be set in a _
\bD_
\be_
\bf_
\ba_
\bu_
\bl_
\bt_
\bs line along with a
188 short description for each. This option is useful in
189 conjunction with _
\bg_
\br_
\be_
\bp(1).
191 -l The -
\b-l
\bl (_
\bl_
\bi_
\bs_
\bt) option will list out the allowed (and
192 forbidden) commands for the invoking user on the
196 1.6.9p10 December 17, 2007 3
202 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
207 -P The -
\b-P
\bP (_
\bp_
\br_
\be_
\bs_
\be_
\br_
\bv_
\be _
\bg_
\br_
\bo_
\bu_
\bp _
\bv_
\be_
\bc_
\bt_
\bo_
\br) option causes s
\bsu
\bud
\bdo
\bo to
208 preserve the invoking user's group vector unaltered.
209 By default, s
\bsu
\bud
\bdo
\bo will initialize the group vector to
210 the list of groups the target user is in. The real
211 and effective group IDs, however, are still set to
212 match the target user.
214 -p The -
\b-p
\bp (_
\bp_
\br_
\bo_
\bm_
\bp_
\bt) option allows you to override the
215 default password prompt and use a custom one. The
216 following percent (`%') escapes are supported:
218 %H expanded to the local hostname including the
219 domain name (on if the machine's hostname is fully
220 qualified or the _
\bf_
\bq_
\bd_
\bn _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs option is set)
222 %h expanded to the local hostname without the domain
225 %U expanded to the login name of the user the command
226 will be run as (defaults to root)
228 %u expanded to the invoking user's login name
230 %% two consecutive % characters are collapsed into a
233 -S The -
\b-S
\bS (_
\bs_
\bt_
\bd_
\bi_
\bn) option causes s
\bsu
\bud
\bdo
\bo to read the password
234 from the standard input instead of the terminal
237 -s The -
\b-s
\bs (_
\bs_
\bh_
\be_
\bl_
\bl) option runs the shell specified by the
238 _
\bS_
\bH_
\bE_
\bL_
\bL environment variable if it is set or the shell
239 as specified in _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4).
241 -u The -
\b-u
\bu (_
\bu_
\bs_
\be_
\br) option causes s
\bsu
\bud
\bdo
\bo to run the specified
242 command as a user other than _
\br_
\bo_
\bo_
\bt. To specify a _
\bu_
\bi_
\bd
243 instead of a _
\bu_
\bs_
\be_
\br_
\bn_
\ba_
\bm_
\be, use _
\b#_
\bu_
\bi_
\bd. When running com
244 mands as a _
\bu_
\bi_
\bd, many shells require that the '#' be
245 escaped with a backslash ('\'). Note that if the _
\bt_
\ba_
\br_
\b
246 _
\bg_
\be_
\bt_
\bp_
\bw Defaults option is set (see _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)) it is
247 not possible to run commands with a uid not listed in
248 the password database.
250 -V The -
\b-V
\bV (_
\bv_
\be_
\br_
\bs_
\bi_
\bo_
\bn) option causes s
\bsu
\bud
\bdo
\bo to print the ver
251 sion number and exit. If the invoking user is already
252 root the -
\b-V
\bV option will print out a list of the
253 defaults s
\bsu
\bud
\bdo
\bo was compiled with as well as the
254 machine's local network addresses.
256 -v If given the -
\b-v
\bv (_
\bv_
\ba_
\bl_
\bi_
\bd_
\ba_
\bt_
\be) option, s
\bsu
\bud
\bdo
\bo will update
257 the user's timestamp, prompting for the user's pass
258 word if necessary. This extends the s
\bsu
\bud
\bdo
\bo timeout for
262 1.6.9p10 December 17, 2007 4
268 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
271 another 5 minutes (or whatever the timeout is set to
272 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs) but does not run a command.
274 -- The -
\b--
\b- flag indicates that s
\bsu
\bud
\bdo
\bo should stop processing
275 command line arguments. It is most useful in conjunc
276 tion with the -
\b-s
\bs flag.
278 Environment variables to be set for the command may also
279 be passed on the command line in the form of V
\bVA
\bAR
\bR=_
\bv_
\ba_
\bl_
\bu_
\be,
280 e.g. L
\bLD
\bD_
\b_L
\bLI
\bIB
\bBR
\bRA
\bAR
\bRY
\bY_
\b_P
\bPA
\bAT
\bTH
\bH=_
\b/_
\bu_
\bs_
\br_
\b/_
\bl_
\bo_
\bc_
\ba_
\bl_
\b/_
\bp_
\bk_
\bg_
\b/_
\bl_
\bi_
\bb. Variables
281 passed on the command line are subject to the same
282 restrictions as normal environment variables with one
283 important exception. If the _
\bs_
\be_
\bt_
\be_
\bn_
\bv option is set in _
\bs_
\bu_
\bd_
\bo_
\b
284 _
\be_
\br_
\bs, the command to be run has the SETENV tag set or the
285 command matched is ALL, the user may set variables that
286 would overwise be forbidden. See _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) for more
289 R
\bRE
\bET
\bTU
\bUR
\bRN
\bN V
\bVA
\bAL
\bLU
\bUE
\bES
\bS
290 Upon successful execution of a program, the return value
291 from s
\bsu
\bud
\bdo
\bo will simply be the return value of the program
294 Otherwise, s
\bsu
\bud
\bdo
\bo quits with an exit value of 1 if there is
295 a configuration/permission problem or if s
\bsu
\bud
\bdo
\bo cannot exe
296 cute the given command. In the latter case the error
297 string is printed to stderr. If s
\bsu
\bud
\bdo
\bo cannot _
\bs_
\bt_
\ba_
\bt(2) one
298 or more entries in the user's PATH an error is printed on
299 stderr. (If the directory does not exist or if it is not
300 really a directory, the entry is ignored and no error is
301 printed.) This should not happen under normal circum
302 stances. The most common reason for _
\bs_
\bt_
\ba_
\bt(2) to return
303 "permission denied" is if you are running an automounter
304 and one of the directories in your PATH is on a machine
305 that is currently unreachable.
307 S
\bSE
\bEC
\bCU
\bUR
\bRI
\bIT
\bTY
\bY N
\bNO
\bOT
\bTE
\bES
\bS
308 s
\bsu
\bud
\bdo
\bo tries to be safe when executing external commands.
310 There are two distinct ways to deal with environment vari
311 ables. By default, the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs option is
312 enabled. This causes commands to be executed with a mini
313 mal environment containing TERM, PATH, HOME, SHELL, LOG
314 NAME, USER and USERNAME in addition to variables from the
315 invoking process permitted by the _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp
316 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs options. There is effectively a whitelist for
317 environment variables.
319 If, however, the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is disabled in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs,
320 any variables not explicitly denied by the _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and
321 _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be options are inherited from the invoking pro
322 cess. In this case, _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk and _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be behave like
323 a blacklist. Since it is not possible to blacklist all
324 potentially dangerous environment variables, use of the
328 1.6.9p10 December 17, 2007 5
334 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
337 default _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt behavior is encouraged.
339 In all cases, environment variables with a value beginning
340 with () are removed as they could be interpreted as b
\bba
\bas
\bsh
\bh
341 functions. The list of environment variables that s
\bsu
\bud
\bdo
\bo
342 allows or denies is contained in the output of sudo -V
345 Note that the dynamic linker on most operating systems
346 will remove variables that can control dynamic linking
347 from the environment of setuid executables, including
348 s
\bsu
\bud
\bdo
\bo. Depending on the operating system this may include
349 _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth
350 ers. These type of variables are removed from the envi
351 ronment before s
\bsu
\bud
\bdo
\bo even begins execution and, as such, it
352 is not possible for s
\bsu
\bud
\bdo
\bo to preserve them.
354 To prevent command spoofing, s
\bsu
\bud
\bdo
\bo checks "." and "" (both
355 denoting current directory) last when searching for a com
356 mand in the user's PATH (if one or both are in the PATH).
357 Note, however, that the actual PATH environment variable
358 is _
\bn_
\bo_
\bt modified and is passed unchanged to the program
359 that s
\bsu
\bud
\bdo
\bo executes.
361 s
\bsu
\bud
\bdo
\bo will check the ownership of its timestamp directory
362 (_
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo by default) and ignore the directory's con
363 tents if it is not owned by root or if it is writable by a
364 user other than root. On systems that allow non-root
365 users to give away files via _
\bc_
\bh_
\bo_
\bw_
\bn(2), if the timestamp
366 directory is located in a directory writable by anyone
367 (e.g., _
\b/_
\bt_
\bm_
\bp), it is possible for a user to create the
368 timestamp directory before s
\bsu
\bud
\bdo
\bo is run. However, because
369 s
\bsu
\bud
\bdo
\bo checks the ownership and mode of the directory and
370 its contents, the only damage that can be done is to
371 "hide" files by putting them in the timestamp dir. This
372 is unlikely to happen since once the timestamp dir is
373 owned by root and inaccessible by any other user, the user
374 placing files there would be unable to get them back out.
375 To get around this issue you can use a directory that is
376 not world-writable for the timestamps (_
\b/_
\bv_
\ba_
\br_
\b/_
\ba_
\bd_
\bm_
\b/_
\bs_
\bu_
\bd_
\bo for
377 instance) or create _
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo with the appropriate
378 owner (root) and permissions (0700) in the system startup
381 s
\bsu
\bud
\bdo
\bo will not honor timestamps set far in the future.
382 Timestamps with a date greater than current_time + 2 *
383 TIMEOUT will be ignored and sudo will log and complain.
384 This is done to keep a user from creating his/her own
385 timestamp with a bogus date on systems that allow users to
388 Please note that s
\bsu
\bud
\bdo
\bo will normally only log the command
389 it explicitly runs. If a user runs a command such as sudo
390 su or sudo sh, subsequent commands run from that shell
394 1.6.9p10 December 17, 2007 6
400 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
403 will _
\bn_
\bo_
\bt be logged, nor will s
\bsu
\bud
\bdo
\bo's access control affect
404 them. The same is true for commands that offer shell
405 escapes (including most editors). Because of this, care
406 must be taken when giving users access to commands via
407 s
\bsu
\bud
\bdo
\bo to verify that the command does not inadvertently
408 give the user an effective root shell. For more informa
409 tion, please see the PREVENTING SHELL ESCAPES section in
410 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4).
412 E
\bEN
\bNV
\bVI
\bIR
\bRO
\bON
\bNM
\bME
\bEN
\bNT
\bT
413 s
\bsu
\bud
\bdo
\bo utilizes the following environment variables:
415 EDITOR Default editor to use in -
\b-e
\be (sudoedit)
416 mode if VISUAL is not set
418 HOME In -
\b-s
\bs or -
\b-H
\bH mode (or if sudo was config
419 ured with the --enable-shell-sets-home
420 option), set to homedir of the target user
422 PATH Set to a sane value if the _
\bs_
\be_
\bc_
\bu_
\br_
\be_
\b__
\bp_
\ba_
\bt_
\bh
423 sudoers option is set.
425 SHELL Used to determine shell to run with -s
428 SUDO_PROMPT Used as the default password prompt
430 SUDO_COMMAND Set to the command run by sudo
432 SUDO_USER Set to the login of the user who invoked
435 SUDO_UID Set to the uid of the user who invoked
438 SUDO_GID Set to the gid of the user who invoked
441 SUDO_PS1 If set, PS1 will be set to its value
443 USER Set to the target user (root unless the -
\b-u
\bu
446 VISUAL Default editor to use in -
\b-e
\be (sudoedit)
450 _
\b/_
\be_
\bt_
\bc_
\b/_
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs List of who can run what
451 _
\b/_
\bv_
\ba_
\br_
\b/_
\br_
\bu_
\bn_
\b/_
\bs_
\bu_
\bd_
\bo Directory containing timestamps
453 E
\bEX
\bXA
\bAM
\bMP
\bPL
\bLE
\bES
\bS
454 Note: the following examples assume suitable _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4)
460 1.6.9p10 December 17, 2007 7
466 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
469 To get a file listing of an unreadable directory:
471 $ sudo ls /usr/local/protected
473 To list the home directory of user yazza on a machine
474 where the file system holding ~yazza is not exported as
477 $ sudo -u yazza ls ~yazza
479 To edit the _
\bi_
\bn_
\bd_
\be_
\bx_
\b._
\bh_
\bt_
\bm_
\bl file as user www:
481 $ sudo -u www vi ~www/htdocs/index.html
483 To shutdown a machine:
485 $ sudo shutdown -r +15 "quick reboot"
487 To make a usage listing of the directories in the /home
488 partition. Note that this runs the commands in a sub-
489 shell to make the cd and file redirection work.
491 $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
493 S
\bSE
\bEE
\bE A
\bAL
\bLS
\bSO
\bO
494 _
\bg_
\br_
\be_
\bp(1), _
\bs_
\bu(1), _
\bs_
\bt_
\ba_
\bt(2), _
\bl_
\bo_
\bg_
\bi_
\bn_
\b__
\bc_
\ba_
\bp(3), _
\bp_
\ba_
\bs_
\bs_
\bw_
\bd(4),
495 _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4), _
\bv_
\bi_
\bs_
\bu_
\bd_
\bo(1m)
497 A
\bAU
\bUT
\bTH
\bHO
\bOR
\bRS
\bS
498 Many people have worked on s
\bsu
\bud
\bdo
\bo over the years; this ver
499 sion consists of code written primarily by:
504 See the HISTORY file in the s
\bsu
\bud
\bdo
\bo distribution or visit
505 http://www.sudo.ws/sudo/history.html for a short history
508 C
\bCA
\bAV
\bVE
\bEA
\bAT
\bTS
\bS
509 There is no easy way to prevent a user from gaining a root
510 shell if that user is allowed to run arbitrary commands
511 via s
\bsu
\bud
\bdo
\bo. Also, many programs (such as editors) allow the
512 user to run commands via shell escapes, thus avoiding
513 s
\bsu
\bud
\bdo
\bo's checks. However, on most systems it is possible to
514 prevent shell escapes with s
\bsu
\bud
\bdo
\bo's _
\bn_
\bo_
\be_
\bx_
\be_
\bc functionality.
515 See the _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs(4) manual for details.
517 It is not meaningful to run the cd command directly via
520 $ sudo cd /usr/local/protected
522 since when the command exits the parent process (your
526 1.6.9p10 December 17, 2007 8
532 SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
535 shell) will still be the same. Please see the EXAMPLES
536 section for more information.
538 If users have sudo ALL there is nothing to prevent them
539 from creating their own program that gives them a root
540 shell regardless of any '!' elements in the user specifi
543 Running shell scripts via s
\bsu
\bud
\bdo
\bo can expose the same kernel
544 bugs that make setuid shell scripts unsafe on some operat
545 ing systems (if your OS has a /dev/fd/ directory, setuid
546 shell scripts are generally safe).
549 If you feel you have found a bug in s
\bsu
\bud
\bdo
\bo, please submit a
550 bug report at http://www.sudo.ws/sudo/bugs/
552 S
\bSU
\bUP
\bPP
\bPO
\bOR
\bRT
\bT
553 Limited free support is available via the sudo-users mail
554 ing list, see http://www.sudo.ws/mail
555 man/listinfo/sudo-users to subscribe or search the
558 D
\bDI
\bIS
\bSC
\bCL
\bLA
\bAI
\bIM
\bME
\bER
\bR
559 s
\bsu
\bud
\bdo
\bo is provided ``AS IS'' and any express or implied war
560 ranties, including, but not limited to, the implied war
561 ranties of merchantability and fitness for a particular
562 purpose are disclaimed. See the LICENSE file distributed
563 with s
\bsu
\bud
\bdo
\bo or http://www.sudo.ws/sudo/license.html for com
592 1.6.9p10 December 17, 2007 9
projects / debian / sudo / blob