+++ /dev/null
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
-N\bNA\bAM\bME\bE
- sudo, sudoedit - execute a command as another user
-
-S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV
-
- s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
-
- s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
-
- s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
- [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
-
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
- another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. The real and effective
- uid and gid are set to match those of the target user as specified in
- the passwd file and the group vector is initialized based on the group
- file (unless the -\b-P\bP option was specified). If the invoking user is
- root or if the target user is the same as the invoking user, no
- password is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
- themselves with a password by default (NOTE: in the default
- configuration this is the user's password, not the root password).
- Once a user has been authenticated, a time stamp is updated and the
- user may then use sudo without a password for a short period of time (5
- minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
-
- When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
-
- s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update
- the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. If a password is required,
- s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
- configurable time limit. The default password prompt timeout is 5
- minutes.
-
- If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
- via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at
- configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that
- the mail will not be sent if an unauthorized user tries to run sudo
- with the -\b-l\bl or -\b-v\bv option. This allows users to determine for
- themselves whether or not they are allowed to use s\bsu\bud\bdo\bo.
-
- If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
- s\bsu\bud\bdo\bo will use this value to determine who the actual user is. This can
- be used by a user to log commands through sudo even when a root shell
- has been invoked. It also allows the -\b-e\be option to remain useful even
- when being run via a sudo-run script or program. Note however, that
-
-
-
-1.7.4 July 19, 2010 1
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- the sudoers lookup is still done for root, not the user specified by
- SUDO_USER.
-
- s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
- errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
- via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo accepts the following command line options:
-
- -A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
- the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
- specified, a (possibly graphical) helper program is
- executed to read the user's password and output the
- password to the standard output. If the SUDO_ASKPASS
- environment variable is set, it specifies the path to the
- helper program. Otherwise, the value specified by the
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is used.
-
- -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
- specified authentication type when validating the user, as
- allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
- specify a list of sudo-specific authentication methods by
- adding an "auth-sudo" entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
- option is only available on systems that support BSD
- authentication.
-
- -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
- command in the background. Note that if you use the -\b-b\bb
- option you cannot use shell job control to manipulate the
- process.
-
- -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
- than standard input, standard output and standard error.
- The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a
- starting point above the standard error (file descriptor
- three). Values less than three are not permitted. This
- option is only available if the administrator has enabled
- the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-
- -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
- command with resources limited by the specified login
- class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as
- defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
- Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
- be run restricted by the default login capabilities for the
- user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
- specifies an existing user class, the command must be run
- as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
- is already root. This option is only available on systems
- with BSD login classes.
-
- -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
-
-
-
-1.7.4 July 19, 2010 2
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
- either the matching command has the SETENV tag or the
- _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-
- -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
- command, the user wishes to edit one or more files. In
- lieu of a command, the string "sudoedit" is used when
- consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
- _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
-
- 1. Temporary copies are made of the files to be edited
- with the owner set to the invoking user.
-
- 2. The editor specified by the SUDO_EDITOR, VISUAL or
- EDITOR environment variables is run to edit the
- temporary files. If none of SUDO_EDITOR, VISUAL or
- EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
- _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
-
- 3. If they have been modified, the temporary files are
- copied back to their original location and the
- temporary versions are removed.
-
- If the specified file does not exist, it will be created.
- Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
- run with the invoking user's environment unmodified. If,
- for some reason, s\bsu\bud\bdo\bo is unable to update a file with its
- edited version, the user will receive a warning and the
- edited copy will remain in a temporary file.
-
- -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo sets the primary group to the one specified
- by the passwd database for the user the command is being
- run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp) option causes
- s\bsu\bud\bdo\bo to run the specified command with the primary group
- set to _\bg_\br_\bo_\bu_\bp. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be,
- use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
- require that the '#' be escaped with a backslash ('\'). If
- no -\b-u\bu option is specified, the command will be run as the
- invoking user (not root). In either case, the primary
- group will be set to _\bg_\br_\bo_\bu_\bp.
-
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
- the homedir of the target user (root by default) as
- specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). The default handling of the HOME
- environment variable depends on _\bs_\bu_\bd_\bo_\be_\br_\bs(4) settings. By
- default, s\bsu\bud\bdo\bo will set HOME if _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
- are set, or if _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set and the -\b-s\bs option is
- specified on the command line.
-
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage message
- and exit.
-
- -i [command]
- The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
-
-
-
-1.7.4 July 19, 2010 3
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a
- login shell. This means that login-specific resource files
- such as .profile or .login will be read by the shell. If a
- command is specified, it is passed to the shell for
- execution. Otherwise, an interactive shell is executed.
- s\bsu\bud\bdo\bo attempts to change to that user's home directory
- before running the shell. It also initializes the
- environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting
- _\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the
- contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt on Linux and AIX systems. All
- other environment variables are removed.
-
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
- the user's time stamp entirely and may not be used in
- conjunction with a command or other option. This option
- does not require a password.
-
- -k When used by itself, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo
- invalidates the user's time stamp by setting the time on it
- to the Epoch. The next time s\bsu\bud\bdo\bo is run a password will be
- required. This option does not require a password and was
- added to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
- .logout file.
-
- When used in conjunction with a command or an option that
- may require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to
- ignore the user's time stamp file. As a result, s\bsu\bud\bdo\bo will
- prompt for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and
- will not update the user's time stamp file.
-
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
- may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
- description for each. This option will be removed from a
- future version of s\bsu\bud\bdo\bo.
-
- -l[l] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
- the allowed (and forbidden) commands for the invoking user
- (or the user specified by the -\b-U\bU option) on the current
- host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by
- _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to the command is
- displayed along with any command line arguments. If
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not allowed, s\bsu\bud\bdo\bo will exit with a
- status value of 1. If the -\b-l\bl option is specified with an l\bl
- argument (i.e. -\b-l\bll\bl), or if -\b-l\bl is specified multiple times,
- a longer list format is used.
-
- -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
- prompting the user for a password. If a password is
- required for the command to run, s\bsu\bud\bdo\bo will display an error
- messages and exit.
-
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
- preserve the invoking user's group vector unaltered. By
-
-
-
-1.7.4 July 19, 2010 4
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- default, s\bsu\bud\bdo\bo will initialize the group vector to the list
- of groups the target user is in. The real and effective
- group IDs, however, are still set to match the target user.
-
- -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
- password prompt and use a custom one. The following
- percent (`%') escapes are supported:
-
- %H expanded to the local host name including the domain
- name (on if the machine's host name is fully qualified
- or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
-
- %h expanded to the local host name without the domain name
-
- %p expanded to the user whose password is being asked for
- (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
- _\bs_\bu_\bd_\bo_\be_\br_\bs)
-
- %U expanded to the login name of the user the command will
- be run as (defaults to root)
-
- %u expanded to the invoking user's login name
-
- %% two consecutive % characters are collapsed into a
- single % character
-
- The prompt specified by the -\b-p\bp option will override the
- system password prompt on systems that support PAM unless
- the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
- context to have the role specified by _\br_\bo_\bl_\be.
-
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
- the standard input instead of the terminal device. The
- password must be followed by a newline character.
-
- -s [command]
- The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
- environment variable if it is set or the shell as specified
- in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
- the shell for execution. Otherwise, an interactive shell
- is executed.
-
- -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
- context to have the type specified by _\bt_\by_\bp_\be. If no type is
- specified, the default type is derived from the specified
- role.
-
- -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
- -\b-l\bl option to specify the user whose privileges should be
- listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
- host may use this option.
-
-
-
-
-1.7.4 July 19, 2010 5
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
- a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
- backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
- is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
- with a uid not listed in the password database.
-
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
- number and exit. If the invoking user is already root the
- -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
- compiled with as well as the machine's local network
- addresses.
-
- -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
- user's time stamp, prompting for the user's password if
- necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
- minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
- does not run a command.
-
- -- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
- command line arguments.
-
- Environment variables to be set for the command may also be passed on
- the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
- L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
- line are subject to the same restrictions as normal environment
- variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
- _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
- matched is ALL, the user may set variables that would overwise be
- forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
-
-R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
- Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
- simply be the exit status of the program that was executed.
-
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a
- configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
- command. In the latter case the error string is printed to stderr. If
- s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is
- printed on stderr. (If the directory does not exist or if it is not
- really a directory, the entry is ignored and no error is printed.)
- This should not happen under normal circumstances. The most common
- reason for _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running
- an automounter and one of the directories in your PATH is on a machine
- that is currently unreachable.
-
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- s\bsu\bud\bdo\bo tries to be safe when executing external commands.
-
- There are two distinct ways to deal with environment variables. By
- default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled. This causes commands
- to be executed with a minimal environment containing TERM, PATH, HOME,
- SHELL, LOGNAME, USER and USERNAME in addition to variables from the
-
-
-
-1.7.4 July 19, 2010 6
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp _\bs_\bu_\bd_\bo_\be_\br_\bs
- options. There is effectively a whitelist for environment variables.
-
- If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
- not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
- inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
- blacklist all potentially dangerous environment variables, use of the
- default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
-
- In all cases, environment variables with a value beginning with () are
- removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
- environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
- output of sudo -V when run as root.
-
- Note that the dynamic linker on most operating systems will remove
- variables that can control dynamic linking from the environment of
- setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
- this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
- others. These type of variables are removed from the environment
- before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
- s\bsu\bud\bdo\bo to preserve them.
-
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
- current directory) last when searching for a command in the user's PATH
- (if one or both are in the PATH). Note, however, that the actual PATH
- environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
- program that s\bsu\bud\bdo\bo executes.
-
- s\bsu\bud\bdo\bo will check the ownership of its time stamp directory
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
- not owned by root or if it is writable by a user other than root. On
- systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
- the time stamp directory is located in a directory writable by anyone
- (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
- directory before s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the
- ownership and mode of the directory and its contents, the only damage
- that can be done is to "hide" files by putting them in the time stamp
- dir. This is unlikely to happen since once the time stamp dir is owned
- by root and inaccessible by any other user, the user placing files
- there would be unable to get them back out. To get around this issue
- you can use a directory that is not world-writable for the time stamps
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo with the
- appropriate owner (root) and permissions (0700) in the system startup
- files.
-
- s\bsu\bud\bdo\bo will not honor time stamps set far in the future. Timestamps with
- a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
- will log and complain. This is done to keep a user from creating
- his/her own time stamp with a bogus date on systems that allow users to
- give away files.
-
- On systems where the boot time is available, s\bsu\bud\bdo\bo will also not honor
- time stamps from before the machine booted.
-
-
-
-1.7.4 July 19, 2010 7
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- Since time stamp files live in the file system, they can outlive a
- user's login session. As a result, a user may be able to login, run a
- command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
- s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
- modification time is within 5 minutes (or whatever the timeout is set
- to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
- time stamp has per-tty granularity but still may outlive the user's
- session. On Linux systems where the devpts filesystem is used, Solaris
- systems with the devices filesystem, as well as other systems that
- utilize a devfs filesystem that monotonically increase the inode number
- of devices as they are created (such as Mac OS X), s\bsu\bud\bdo\bo is able to
- determine when a tty-based time stamp file is stale and will ignore it.
- Administrators should not rely on this feature as it is not universally
- available.
-
- Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
- runs. If a user runs a command such as sudo su or sudo sh, subsequent
- commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
- control affect them. The same is true for commands that offer shell
- escapes (including most editors). Because of this, care must be taken
- when giving users access to commands via s\bsu\bud\bdo\bo to verify that the
- command does not inadvertently give the user an effective root shell.
- For more information, please see the PREVENTING SHELL ESCAPES section
- in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- s\bsu\bud\bdo\bo utilizes the following environment variables:
-
- EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
- SUDO_EDITOR nor VISUAL is set
-
- MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
- to the mail spool of the target user
-
- HOME Set to the home directory of the target user if -\b-i\bi or
- -\b-H\bH are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set
- in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and
- _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs
-
- PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh sudoers option
- is set.
-
- SHELL Used to determine shell to run with -s option
-
- SUDO_ASKPASS Specifies the path to a helper program used to read the
- password if no terminal is available or if the -A
- option is specified.
-
- SUDO_COMMAND Set to the command run by sudo
-
- SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode
-
- SUDO_GID Set to the group ID of the user who invoked sudo
-
-
-
-
-1.7.4 July 19, 2010 8
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- SUDO_PROMPT Used as the default password prompt
-
- SUDO_PS1 If set, PS1 will be set to its value for the program
- being run
-
- SUDO_UID Set to the user ID of the user who invoked sudo
-
- SUDO_USER Set to the login of the user who invoked sudo
-
- USER Set to the target user (root unless the -\b-u\bu option is
- specified)
-
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
- SUDO_EDITOR is not set
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
-
- _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
-
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
- AIX
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
-
- To get a file listing of an unreadable directory:
-
- $ sudo ls /usr/local/protected
-
- To list the home directory of user yaz on a machine where the file
- system holding ~yaz is not exported as root:
-
- $ sudo -u yaz ls ~yaz
-
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
-
- $ sudo -u www vi ~www/htdocs/index.html
-
- To view system logs only accessible to root and users in the adm group:
-
- $ sudo -g adm view /var/log/syslog
-
- To run an editor as jim with a different primary group:
-
- $ sudo -u jim -g audio vi ~jim/sound.txt
-
- To shutdown a machine:
-
- $ sudo shutdown -r +15 "quick reboot"
-
- To make a usage listing of the directories in the /home partition.
- Note that this runs the commands in a sub-shell to make the cd and file
- redirection work.
-
-
-
-1.7.4 July 19, 2010 9
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
- _\bv_\bi_\bs_\bu_\bd_\bo(1m)
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
- of code written primarily by:
-
- Todd C. Miller
-
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
-
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root shell if
- that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
- programs (such as editors) allow the user to run commands via shell
- escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
- possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
- See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
-
- It is not meaningful to run the cd command directly via sudo, e.g.,
-
- $ sudo cd /usr/local/protected
-
- since when the command exits the parent process (your shell) will still
- be the same. Please see the EXAMPLES section for more information.
-
- If users have sudo ALL there is nothing to prevent them from creating
- their own program that gives them a root shell regardless of any '!'
- elements in the user specification.
-
- Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
- make setuid shell scripts unsafe on some operating systems (if your OS
- has a /dev/fd/ directory, setuid shell scripts are generally safe).
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-1.7.4 July 19, 2010 10
-
-
projects / debian / sudo / blobdiff