sudo, sudoedit - execute a command as another user
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-l\bl | -\b-V\bV | -\b-v\bv
+ s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV
- s\bsu\bud\bdo\bo [-\b-b\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] {-\b-i\bi | -\b-s\bs | _\bc_\bo_\bm_\bm_\ba_\bn_\bd}
+ s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
+ s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
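Review bot: the `-C fd` form added to both the sudo and sudoedit synopsis lines reads as unconditionally available, while its option entry says it is only accepted when the administrator has enabled closefrom_override in sudoers(4); consider marking it as conditional in the synopsis (a footnote or a "where supported" note) so that a reader of the synopsis alone does not assume extra descriptors can always be left open across the privilege boundary. Also, the `-l[l]` form renders its brackets in bold, unlike every other optional item in the synopsis, so they read as literal characters; use the plain bracket form.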
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the
- superuser or another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. The real and effective uid and gid are set to match
- those of the target user as specified in the passwd file
- and the group vector is initialized based on the group
- file (unless the -\b-P\bP option was specified). If the invok
- ing user is root or if the target user is the same as the
- invoking user, no password is required. Otherwise, s\bsu\bud\bdo\bo
- requires that users authenticate themselves with a pass
- word by default (NOTE: in the default configuration this
- is the user's password, not the root password). Once a
- user has been authenticated, a timestamp is updated and
- the user may then use sudo without a password for a short
- period of time (5 minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
+ another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. The real and effective
+ uid and gid are set to match those of the target user as specified in
+ the passwd file and the group vector is initialized based on the group
+ file (unless the -\b-P\bP option was specified). If the invoking user is
+ root or if the target user is the same as the invoking user, no
+ password is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
+ themselves with a password by default (NOTE: in the default
+ configuration this is the user's password, not the root password).
+ Once a user has been authenticated, a time stamp is updated and the
+ user may then use sudo without a password for a short period of time (5
+ minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
- When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below),
- is implied.
+ When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
- s\bsu\bud\bdo\bo determines who is an authorized user by consulting
- the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bsu\bud\bdo\bo the -\b-v\bv flag, a user
- can update the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. The
- password prompt itself will also time out if the user's
- password is not entered within 5 minutes (unless overrid
- den via _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update
+ the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. If a password is required,
+ s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
+ configurable time limit. The default password prompt timeout is 5
+ minutes.
- If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to
- run a command via s\bsu\bud\bdo\bo, mail is sent to the proper author
- ities, as defined at configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file
- (defaults to root). Note that the mail will not be sent
- if an unauthorized user tries to run sudo with the -\b-l\bl or
- -\b-v\bv flags. This allows users to determine for themselves
- whether or not they are allowed to use s\bsu\bud\bdo\bo.
+ If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
+ via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at
+ configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that
+ the mail will not be sent if an unauthorized user tries to run sudo
+ with the -\b-l\bl or -\b-v\bv option. This allows users to determine for
+ themselves whether or not they are allowed to use s\bsu\bud\bdo\bo.
- If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment vari
- able is set, s\bsu\bud\bdo\bo will use this value to determine who the
- actual user is. This can be used by a user to log com
- mands through sudo even when a root shell has been
- invoked. It also allows the -\b-e\be flag to remain useful even
- when being run via a sudo-run script or program. Note
- however, that the sudoers lookup is still done for root,
- not the user specified by SUDO_USER.
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
+ s\bsu\bud\bdo\bo will use this value to determine who the actual user is. This can
+ be used by a user to log commands through sudo even when a root shell
+ has been invoked. It also allows the -\b-e\be option to remain useful even
+ when being run via a sudo-run script or program. Note however, that
-1.6.9p14 February 19, 2008 1
+1.7.4 July 19, 2010 1
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as
- well as errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By
- default s\bsu\bud\bdo\bo will log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable
- at configure time or via the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ the sudoers lookup is still done for root, not the user specified by
+ SUDO_USER.
+
+ s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
+ errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
+ via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file.
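Review bot: the rewritten prompt-timeout sentence ("sudo will exit if the user's password is not entered within a configurable time limit") no longer says where the limit is configured; the old text at least pointed at sudoers. Suggest naming the sudoers(4) option that controls it, or adding "see sudoers(4)", since an administrator who wants to shorten the 5-minute window needs to know where to look. Minor grammar carried over in the SUDO_USER paragraph: "Note however, that the sudoers lookup" should read "Note, however, that the sudoers lookup".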
O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo accepts the following command line options:
- -a The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use
- the specified authentication type when validating the
- user, as allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system
- administrator may specify a list of sudo-specific
- authentication methods by adding an "auth-sudo" entry
- in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This option is only available on
- systems that support BSD authentication.
-
- -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
- command in the background. Note that if you use the
- -\b-b\bb option you cannot use shell job control to manipu
- late the process.
-
- -c The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
- command with resources limited by the specified login
- class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
- as defined in /etc/login.conf, or a single '-' charac
- ter. Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the com
- mand should be run restricted by the default login
- capabilities for the user the command is run as. If
- the _\bc_\bl_\ba_\bs_\bs argument specifies an existing user class,
- the command must be run as root, or the s\bsu\bud\bdo\bo command
- must be run from a shell that is already root. This
- option is only available on systems with BSD login
- classes.
+ -A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
+ the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
+ specified, a (possibly graphical) helper program is
+ executed to read the user's password and output the
+ password to the standard output. If the SUDO_ASKPASS
+ environment variable is set, it specifies the path to the
+ helper program. Otherwise, the value specified by the
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is used.
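Review bot: the new -A entry says the helper named by SUDO_ASKPASS is executed and its standard output is taken as the password, but it does not say what sudo does when the helper exits non-zero or prints nothing, nor whether SUDO_ASKPASS must be an absolute path. Please document both, and state that the helper is trusted with the user's password, since SUDO_ASKPASS is taken from the invoking user's environment.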
- -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available
- when either the matching command has the SETENV tag or
- the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
+ specified authentication type when validating the user, as
+ allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
+ specify a list of sudo-specific authentication methods by
+ adding an "auth-sudo" entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
+ option is only available on systems that support BSD
+ authentication.
- -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of run
- ning a command, the user wishes to edit one or more
- files. In lieu of a command, the string "sudoedit" is
- used when consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is
- authorized by _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
+ -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
+ command in the background. Note that if you use the -\b-b\bb
+ option you cannot use shell job control to manipulate the
+ process.
- 1. Temporary copies are made of the files to be
- edited with the owner set to the invoking user.
+ -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
+ than standard input, standard output and standard error.
+ The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a
+ starting point above the standard error (file descriptor
+ three). Values less than three are not permitted. This
+ option is only available if the administrator has enabled
+ the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
- 2. The editor specified by the VISUAL or EDITOR envi
- ronment variables is run to edit the temporary
- files. If neither VISUAL nor EDITOR are set, the
- program listed in the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is
- used.
+ -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ command with resources limited by the specified login
+ class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as
+ defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
+ Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
+ be run restricted by the default login capabilities for the
+ user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
+ specifies an existing user class, the command must be run
+ as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
+ is already root. This option is only available on systems
+ with BSD login classes.
+ -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
-1.6.9p14 February 19, 2008 2
+1.7.4 July 19, 2010 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- 3. If they have been modified, the temporary files
- are copied back to their original location and the
- temporary versions are removed.
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
+ either the matching command has the SETENV tag or the
+ _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
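Review bot: stray closing parenthesis in "env_reset option in sudoers(4))." at the start of the -E entry, carried over from the old text; it should read "sudoers(4)."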
- If the specified file does not exist, it will be cre
- ated. Note that unlike most commands run by s\bsu\bud\bdo\bo, the
- editor is run with the invoking user's environment
- unmodified. If, for some reason, s\bsu\bud\bdo\bo is unable to
- update a file with its edited version, the user will
- receive a warning and the edited copy will remain in a
- temporary file.
+ -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
+ command, the user wishes to edit one or more files. In
+ lieu of a command, the string "sudoedit" is used when
+ consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
- able to the homedir of the target user (root by
- default) as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo
- does not modify HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
- in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
+ 1. Temporary copies are made of the files to be edited
+ with the owner set to the invoking user.
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage mes
- sage and exit.
+ 2. The editor specified by the SUDO_EDITOR, VISUAL or
+ EDITOR environment variables is run to edit the
+ temporary files. If none of SUDO_EDITOR, VISUAL or
+ EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
+ _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
- -i The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
- specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the user that the
- command is being run as. The command name argument
- given to the shell begins with a `-' to tell the shell
- to run as a login shell. s\bsu\bud\bdo\bo attempts to change to
- that user's home directory before running the shell.
- It also initializes the environment, leaving _\bT_\bE_\bR_\bM
- unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and
- _\bP_\bA_\bT_\bH, and unsetting all other environment variables.
- Note that because the shell to use is determined
- before the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed, a _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
- setting in _\bs_\bu_\bd_\bo_\be_\br_\bs will specify the user to run the
- shell as but will not affect which shell is actually
- run.
+ 3. If they have been modified, the temporary files are
+ copied back to their original location and the
+ temporary versions are removed.
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it
- removes the user's timestamp entirely. Like -\b-k\bk, this
- option does not require a password.
+ If the specified file does not exist, it will be created.
+ Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
+ run with the invoking user's environment unmodified. If,
+ for some reason, s\bsu\bud\bdo\bo is unable to update a file with its
+ edited version, the user will receive a warning and the
+ edited copy will remain in a temporary file.
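Review bot: "If the specified file does not exist, it will be created" in the -e entry does not say who owns the created file or what mode it gets once the temporary copy is written back; document the resulting owner and permissions, as that is what an administrator granting sudoedit needs to know. The new step 2 text ("the first program listed in the editor sudoers variable is used") is clearer than the old wording; good.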
- -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's
- timestamp by setting the time on it to the Epoch. The
- next time s\bsu\bud\bdo\bo is run a password will be required.
- This option does not require a password and was added
- to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
- .logout file.
+ -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo sets the primary group to the one specified
+ by the passwd database for the user the command is being
+ run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp) option causes
+ s\bsu\bud\bdo\bo to run the specified command with the primary group
+ set to _\bg_\br_\bo_\bu_\bp. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be,
+ use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
+ require that the '#' be escaped with a backslash ('\'). If
+ no -\b-u\bu option is specified, the command will be run as the
+ invoking user (not root). In either case, the primary
+ group will be set to _\bg_\br_\bo_\bu_\bp.
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
- eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
- short description for each. This option is useful in
- conjunction with _\bg_\br_\be_\bp(1).
+ -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
+ the homedir of the target user (root by default) as
+ specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). The default handling of the HOME
+ environment variable depends on _\bs_\bu_\bd_\bo_\be_\br_\bs(4) settings. By
+ default, s\bsu\bud\bdo\bo will set HOME if _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
+ are set, or if _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set and the -\b-s\bs option is
+ specified on the command line.
- -l The -\b-l\bl (_\bl_\bi_\bs_\bt) option will list out the allowed (and
- forbidden) commands for the invoking user on the
+ -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage message
+ and exit.
+ -i [command]
+ The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
-1.6.9p14 February 19, 2008 3
+
+1.7.4 July 19, 2010 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- current host.
+ specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a
+ login shell. This means that login-specific resource files
+ such as .profile or .login will be read by the shell. If a
+ command is specified, it is passed to the shell for
+ execution. Otherwise, an interactive shell is executed.
+ s\bsu\bud\bdo\bo attempts to change to that user's home directory
+ before running the shell. It also initializes the
+ environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting
+ _\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the
+ contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt on Linux and AIX systems. All
+ other environment variables are removed.
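Review bot: the -i entry now says the environment also receives "the contents of /etc/environment on Linux and AIX systems", but nothing states whether those variables are subject to the same env_check and env_delete filtering as variables from the invoking process, or whether they are passed through as-is. Since -i is the form most often used to obtain a root login shell, say which it is, and cross-reference the environment handling in sudoers(4).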
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
- preserve the invoking user's group vector unaltered.
- By default, s\bsu\bud\bdo\bo will initialize the group vector to
- the list of groups the target user is in. The real
- and effective group IDs, however, are still set to
- match the target user.
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
+ the user's time stamp entirely and may not be used in
+ conjunction with a command or other option. This option
+ does not require a password.
- -p The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the
- default password prompt and use a custom one. The
- following percent (`%') escapes are supported:
+ -k When used by itself, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo
+ invalidates the user's time stamp by setting the time on it
+ to the Epoch. The next time s\bsu\bud\bdo\bo is run a password will be
+ required. This option does not require a password and was
+ added to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
+ .logout file.
- %H expanded to the local hostname including the
- domain name (on if the machine's hostname is fully
- qualified or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
+ When used in conjunction with a command or an option that
+ may require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to
+ ignore the user's time stamp file. As a result, s\bsu\bud\bdo\bo will
+ prompt for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and
+ will not update the user's time stamp file.
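Review bot: the new paragraph on using -k together with a command says sudo "will ignore the user's time stamp file" and "will not update" it, but does not say explicitly whether an existing, still-valid time stamp is left untouched or invalidated as in the stand-alone form (which sets it to the Epoch). Make that explicit, because a user who runs `sudo -k command` to force a password prompt may assume the cached credential has also been revoked.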
- %h expanded to the local hostname without the domain
- name
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
+ may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
+ description for each. This option will be removed from a
+ future version of s\bsu\bud\bdo\bo.
- %p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
- flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+ -l[l] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
+ the allowed (and forbidden) commands for the invoking user
+ (or the user specified by the -\b-U\bU option) on the current
+ host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to the command is
+ displayed along with any command line arguments. If
+ _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not allowed, s\bsu\bud\bdo\bo will exit with a
+ status value of 1. If the -\b-l\bl option is specified with an l\bl
+ argument (i.e. -\b-l\bll\bl), or if -\b-l\bl is specified multiple times,
+ a longer list format is used.
- %U expanded to the login name of the user the command
- will be run as (defaults to root)
+ -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
+ prompting the user for a password. If a password is
+ required for the command to run, s\bsu\bud\bdo\bo will display an error
+ messages and exit.
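Review bot: the -l entry now exits with status 1 when the supplied command is not allowed, while the DESCRIPTION still says no mail is sent when an unauthorized user runs sudo with -l; state whether that also holds for `sudo -l command` on a disallowed command, so administrators who rely on the mail notification know this check does not generate one. Typo in the -n entry: "will display an error messages and exit" should be "an error message".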
- %u expanded to the invoking user's login name
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
+ preserve the invoking user's group vector unaltered. By
- %% two consecutive % characters are collapsed into a
- single % character
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password
- from the standard input instead of the terminal
- device.
- -s The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
- _\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
- as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4).
+1.7.4 July 19, 2010 4
- -u The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running com
- mands as a _\bu_\bi_\bd, many shells require that the '#' be
- escaped with a backslash ('\'). Note that if the _\bt_\ba_\br_\b
- _\bg_\be_\bt_\bp_\bw Defaults option is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is
- not possible to run commands with a uid not listed in
- the password database.
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the ver
- sion number and exit. If the invoking user is already
- root the -\b-V\bV option will print out a list of the
- defaults s\bsu\bud\bdo\bo was compiled with as well as the
- machine's local network addresses.
-1.6.9p14 February 19, 2008 4
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ default, s\bsu\bud\bdo\bo will initialize the group vector to the list
+ of groups the target user is in. The real and effective
+ group IDs, however, are still set to match the target user.
+ -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
+ password prompt and use a custom one. The following
+ percent (`%') escapes are supported:
+ %H expanded to the local host name including the domain
+ name (on if the machine's host name is fully qualified
+ or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ %h expanded to the local host name without the domain name
+ %p expanded to the user whose password is being asked for
+ (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs)
- -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update
- the user's timestamp, prompting for the user's pass
- word if necessary. This extends the s\bsu\bud\bdo\bo timeout for
- another 5 minutes (or whatever the timeout is set to
- in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
+ %U expanded to the login name of the user the command will
+ be run as (defaults to root)
- -- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing
- command line arguments. It is most useful in conjunc
- tion with the -\b-s\bs flag.
+ %u expanded to the invoking user's login name
- Environment variables to be set for the command may also
- be passed on the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be,
- e.g. L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables
- passed on the command line are subject to the same
- restrictions as normal environment variables with one
- important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\b
- _\be_\br_\bs, the command to be run has the SETENV tag set or the
- command matched is ALL, the user may set variables that
- would overwise be forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more
- information.
+ %% two consecutive % characters are collapsed into a
+ single % character
-R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
- Upon successful execution of a program, the return value
- from s\bsu\bud\bdo\bo will simply be the return value of the program
- that was executed.
-
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is
- a configuration/permission problem or if s\bsu\bud\bdo\bo cannot exe
- cute the given command. In the latter case the error
- string is printed to stderr. If s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one
- or more entries in the user's PATH an error is printed on
- stderr. (If the directory does not exist or if it is not
- really a directory, the entry is ignored and no error is
- printed.) This should not happen under normal circum
- stances. The most common reason for _\bs_\bt_\ba_\bt(2) to return
- "permission denied" is if you are running an automounter
- and one of the directories in your PATH is on a machine
- that is currently unreachable.
+ The prompt specified by the -\b-p\bp option will override the
+ system password prompt on systems that support PAM unless
+ the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
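Review bot: in the %H escape of the -p entry, "(on if the machine's host name is fully qualified" should read "(only if ..."; the typo is carried over from the old text.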
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- s\bsu\bud\bdo\bo tries to be safe when executing external commands.
+ -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
+ context to have the role specified by _\br_\bo_\bl_\be.
+
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ the standard input instead of the terminal device. The
+ password must be followed by a newline character.
+
+ -s [command]
+ The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
+ environment variable if it is set or the shell as specified
+ in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
+ the shell for execution. Otherwise, an interactive shell
+ is executed.
+
+ -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
+ context to have the type specified by _\bt_\by_\bp_\be. If no type is
+ specified, the default type is derived from the specified
+ role.
- There are two distinct ways to deal with environment vari
- ables. By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is
- enabled. This causes commands to be executed with a mini
- mal environment containing TERM, PATH, HOME, SHELL, LOG
- NAME, USER and USERNAME in addition to variables from the
- invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp
- _\bs_\bu_\bd_\bo_\be_\br_\bs options. There is effectively a whitelist for
- environment variables.
+ -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
+ -\b-l\bl option to specify the user whose privileges should be
+ listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
+ host may use this option.
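Review bot: the -S entry's new sentence "The password must be followed by a newline character" is a useful addition; please also note that a password supplied on standard input may end up in shell history or process listings if it is passed via a command line rather than a pipe, as that is the usual mistake with this option. In the -U entry, "a user with sudo ALL on the current host" is ambiguous as to whether ALL refers to the command list, the runas list, or both; spell out which sudoers entry qualifies.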
- If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs,
- any variables not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited from the invoking
-1.6.9p14 February 19, 2008 5
+1.7.4 July 19, 2010 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave
- like a blacklist. Since it is not possible to blacklist
- all potentially dangerous environment variables, use of
- the default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
-
- In all cases, environment variables with a value beginning
- with () are removed as they could be interpreted as b\bba\bas\bsh\bh
- functions. The list of environment variables that s\bsu\bud\bdo\bo
- allows or denies is contained in the output of sudo -V
- when run as root.
-
- Note that the dynamic linker on most operating systems
- will remove variables that can control dynamic linking
- from the environment of setuid executables, including
- s\bsu\bud\bdo\bo. Depending on the operating system this may include
- _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth
- ers. These type of variables are removed from the envi
- ronment before s\bsu\bud\bdo\bo even begins execution and, as such, it
- is not possible for s\bsu\bud\bdo\bo to preserve them.
-
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both
- denoting current directory) last when searching for a com
- mand in the user's PATH (if one or both are in the PATH).
- Note, however, that the actual PATH environment variable
- is _\bn_\bo_\bt modified and is passed unchanged to the program
- that s\bsu\bud\bdo\bo executes.
-
- s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
- tents if it is not owned by root or if it is writable by a
- user other than root. On systems that allow non-root
- users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
- directory is located in a directory writable by anyone
- (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the
- timestamp directory before s\bsu\bud\bdo\bo is run. However, because
- s\bsu\bud\bdo\bo checks the ownership and mode of the directory and
- its contents, the only damage that can be done is to
- "hide" files by putting them in the timestamp dir. This
- is unlikely to happen since once the timestamp dir is
- owned by root and inaccessible by any other user, the user
- placing files there would be unable to get them back out.
- To get around this issue you can use a directory that is
- not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for
- instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate
- owner (root) and permissions (0700) in the system startup
- files.
+ -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
+ a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
+ backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
+ is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
+ with a uid not listed in the password database.
+
+ -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
+ number and exit. If the invoking user is already root the
+ -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
+ compiled with as well as the machine's local network
+ addresses.
+
+ -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
+ user's time stamp, prompting for the user's password if
+ necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
+ minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
+ does not run a command.
+
+ -- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
+ command line arguments.
+
+ Environment variables to be set for the command may also be passed on
+ the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
+ L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
+ line are subject to the same restrictions as normal environment
+ variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
+ matched is ALL, the user may set variables that would overwise be
+ forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
- s\bsu\bud\bdo\bo will not honor timestamps set far in the future.
- Timestamps with a date greater than current_time + 2 *
- TIMEOUT will be ignored and sudo will log and complain.
- This is done to keep a user from creating his/her own
- timestamp with a bogus date on systems that allow users to
- give away files.
+R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
+ Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
+ simply be the exit status of the program that was executed.
+
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a
+ configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
+ command. In the latter case the error string is printed to stderr. If
+ s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is
+ printed on stderr. (If the directory does not exist or if it is not
+ really a directory, the entry is ignored and no error is printed.)
+ This should not happen under normal circumstances. The most common
+ reason for _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running
+ an automounter and one of the directories in your PATH is on a machine
+ that is currently unreachable.
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ s\bsu\bud\bdo\bo tries to be safe when executing external commands.
+
+ There are two distinct ways to deal with environment variables. By
+ default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled. This causes commands
+ to be executed with a minimal environment containing TERM, PATH, HOME,
+ SHELL, LOGNAME, USER and USERNAME in addition to variables from the
-1.6.9p14 February 19, 2008 6
+1.7.4 July 19, 2010 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
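Review bot: typo in the added VAR=value paragraph, "overwise" should be "otherwise" in `the user may set variables that would overwise be forbidden`. Because the example chosen is `LD_LIBRARY_PATH=/usr/local/pkg/lib`, the paragraph would also be clearer if it said directly that such a variable is accepted only when the _setenv_ option, the SETENV tag or an ALL command match applies, and is otherwise rejected under the same _env_check_/_env_delete_ rules as an inherited variable; as written, a reader has to connect the example to the exception two sentences later.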
- Please note that s\bsu\bud\bdo\bo will normally only log the command
- it explicitly runs. If a user runs a command such as sudo
- su or sudo sh, subsequent commands run from that shell
- will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access control affect
- them. The same is true for commands that offer shell
- escapes (including most editors). Because of this, care
- must be taken when giving users access to commands via
- s\bsu\bud\bdo\bo to verify that the command does not inadvertently
- give the user an effective root shell. For more informa
- tion, please see the PREVENTING SHELL ESCAPES section in
- _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp _\bs_\bu_\bd_\bo_\be_\br_\bs
+ options. There is effectively a whitelist for environment variables.
+
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
+ not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
+ inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
+ blacklist all potentially dangerous environment variables, use of the
+ default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
+
+ In all cases, environment variables with a value beginning with () are
+ removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
+ environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
+ output of sudo -V when run as root.
+
+ Note that the dynamic linker on most operating systems will remove
+ variables that can control dynamic linking from the environment of
+ setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
+ this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
+ others. These type of variables are removed from the environment
+ before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
+ s\bsu\bud\bdo\bo to preserve them.
+
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's PATH
+ (if one or both are in the PATH). Note, however, that the actual PATH
+ environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
+ program that s\bsu\bud\bdo\bo executes.
+
+ s\bsu\bud\bdo\bo will check the ownership of its time stamp directory
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
+ not owned by root or if it is writable by a user other than root. On
+ systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
+ the time stamp directory is located in a directory writable by anyone
+ (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
+ directory before s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the
+ ownership and mode of the directory and its contents, the only damage
+ that can be done is to "hide" files by putting them in the time stamp
+ dir. This is unlikely to happen since once the time stamp dir is owned
+ by root and inaccessible by any other user, the user placing files
+ there would be unable to get them back out. To get around this issue
+ you can use a directory that is not world-writable for the time stamps
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo with the
+ appropriate owner (root) and permissions (0700) in the system startup
+ files.
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- s\bsu\bud\bdo\bo utilizes the following environment variables:
+ s\bsu\bud\bdo\bo will not honor time stamps set far in the future. Timestamps with
+ a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
+ will log and complain. This is done to keep a user from creating
+ his/her own time stamp with a bogus date on systems that allow users to
+ give away files.
- EDITOR Default editor to use in -\b-e\be (sudoedit)
- mode if VISUAL is not set
+ On systems where the boot time is available, s\bsu\bud\bdo\bo will also not honor
+ time stamps from before the machine booted.
- HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was config
- ured with the --enable-shell-sets-home
- option), set to homedir of the target user
- PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh
- sudoers option is set.
- SHELL Used to determine shell to run with -s
- option
+1.7.4 July 19, 2010 7
- SUDO_PROMPT Used as the default password prompt
- SUDO_COMMAND Set to the command run by sudo
- SUDO_USER Set to the login of the user who invoked
- sudo
- SUDO_UID Set to the uid of the user who invoked
- sudo
- SUDO_GID Set to the gid of the user who invoked
- sudo
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
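Review bot: the rewritten time stamp directory advice, `you can use a directory that is not world-writable for the time stamps (/var/adm/sudo for instance) or create /var/adm/sudo with the appropriate owner (root) and permissions (0700)`, now names the same directory in both alternatives, so the "or" no longer offers a choice; the previous text contrasted /var/adm/sudo with the old /var/run/sudo default. Now that the default is /var/adm/sudo, either drop the first alternative or reword it as advice for the case where the directory is placed under a world-writable location such as /tmp (create it with owner root and mode 0700 in the system startup files). The following paragraph also mixes spellings, "time stamps" in one sentence and `Timestamps with a date greater than current_time + 2 * TIMEOUT` in the next; the rest of the rewrite standardised on "time stamp".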
- SUDO_PS1 If set, PS1 will be set to its value
- USER Set to the target user (root unless the -\b-u\bu
- option is specified)
+ Since time stamp files live in the file system, they can outlive a
+ user's login session. As a result, a user may be able to login, run a
+ command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
+ s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
+ modification time is within 5 minutes (or whatever the timeout is set
+ to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ time stamp has per-tty granularity but still may outlive the user's
+ session. On Linux systems where the devpts filesystem is used, Solaris
+ systems with the devices filesystem, as well as other systems that
+ utilize a devfs filesystem that monotonically increase the inode number
+ of devices as they are created (such as Mac OS X), s\bsu\bud\bdo\bo is able to
+ determine when a tty-based time stamp file is stale and will ignore it.
+ Administrators should not rely on this feature as it is not universally
+ available.
+
+ Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
+ runs. If a user runs a command such as sudo su or sudo sh, subsequent
+ commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
+ control affect them. The same is true for commands that offer shell
+ escapes (including most editors). Because of this, care must be taken
+ when giving users access to commands via s\bsu\bud\bdo\bo to verify that the
+ command does not inadvertently give the user an effective root shell.
+ For more information, please see the PREVENTING SHELL ESCAPES section
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
- VISUAL Default editor to use in -\b-e\be (sudoedit)
- mode
+E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
+ s\bsu\bud\bdo\bo utilizes the following environment variables:
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
+ SUDO_EDITOR nor VISUAL is set
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
+ MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
+ to the mail spool of the target user
+ HOME Set to the home directory of the target user if -\b-i\bi or
+ -\b-H\bH are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and
+ _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh sudoers option
+ is set.
+ SHELL Used to determine shell to run with -s option
-1.6.9p14 February 19, 2008 7
+ SUDO_ASKPASS Specifies the path to a helper program used to read the
+ password if no terminal is available or if the -A
+ option is specified.
+ SUDO_COMMAND Set to the command run by sudo
+ SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode
+ SUDO_GID Set to the group ID of the user who invoked sudo
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
- entries.
+1.7.4 July 19, 2010 8
- To get a file listing of an unreadable directory:
- $ sudo ls /usr/local/protected
- To list the home directory of user yazza on a machine
- where the file system holding ~yazza is not exported as
- root:
- $ sudo -u yazza ls ~yazza
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- $ sudo -u www vi ~www/htdocs/index.html
- To shutdown a machine:
+ SUDO_PROMPT Used as the default password prompt
- $ sudo shutdown -r +15 "quick reboot"
+ SUDO_PS1 If set, PS1 will be set to its value for the program
+ being run
- To make a usage listing of the directories in the /home
- partition. Note that this runs the commands in a sub-
- shell to make the cd and file redirection work.
+ SUDO_UID Set to the user ID of the user who invoked sudo
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+ SUDO_USER Set to the login of the user who invoked sudo
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4),
- _\bs_\bu_\bd_\bo_\be_\br_\bs(5), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+ USER Set to the target user (root unless the -\b-u\bu option is
+ specified)
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this ver
- sion consists of code written primarily by:
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
+ SUDO_EDITOR is not set
- Todd C. Miller
- Chris Jepeway
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history
- of s\bsu\bud\bdo\bo.
+ _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root
- shell if that user is allowed to run arbitrary commands
- via s\bsu\bud\bdo\bo. Also, many programs (such as editors) allow the
- user to run commands via shell escapes, thus avoiding
- s\bsu\bud\bdo\bo's checks. However, on most systems it is possible to
- prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
- See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
+ AIX
- It is not meaningful to run the cd command directly via
- sudo, e.g.,
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
+ To get a file listing of an unreadable directory:
+ $ sudo ls /usr/local/protected
-1.6.9p14 February 19, 2008 8
+ To list the home directory of user yaz on a machine where the file
+ system holding ~yaz is not exported as root:
+ $ sudo -u yaz ls ~yaz
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+ $ sudo -u www vi ~www/htdocs/index.html
+ To view system logs only accessible to root and users in the adm group:
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ $ sudo -g adm view /var/log/syslog
+ To run an editor as jim with a different primary group:
- $ sudo cd /usr/local/protected
+ $ sudo -u jim -g audio vi ~jim/sound.txt
- since when the command exits the parent process (your
- shell) will still be the same. Please see the EXAMPLES
- section for more information.
+ To shutdown a machine:
- If users have sudo ALL there is nothing to prevent them
- from creating their own program that gives them a root
- shell regardless of any '!' elements in the user specifi
- cation.
+ $ sudo shutdown -r +15 "quick reboot"
- Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel
- bugs that make setuid shell scripts unsafe on some operat
- ing systems (if your OS has a /dev/fd/ directory, setuid
- shell scripts are generally safe).
+ To make a usage listing of the directories in the /home partition.
+ Note that this runs the commands in a sub-shell to make the cd and file
+ redirection work.
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mail
- ing list, see http://www.sudo.ws/mail
- man/listinfo/sudo-users to subscribe or search the
- archives.
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
- plete details.
+1.7.4 July 19, 2010 9
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
+ _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
+ of code written primarily by:
+ Todd C. Miller
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
+ http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ There is no easy way to prevent a user from gaining a root shell if
+ that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
+ programs (such as editors) allow the user to run commands via shell
+ escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
+ possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
+ It is not meaningful to run the cd command directly via sudo, e.g.,
+ $ sudo cd /usr/local/protected
+ since when the command exits the parent process (your shell) will still
+ be the same. Please see the EXAMPLES section for more information.
+ If users have sudo ALL there is nothing to prevent them from creating
+ their own program that gives them a root shell regardless of any '!'
+ elements in the user specification.
+ Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
+ make setuid shell scripts unsafe on some operating systems (if your OS
+ has a /dev/fd/ directory, setuid shell scripts are generally safe).
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ http://www.sudo.ws/sudo/license.html for complete details.
-1.6.9p14 February 19, 2008 9
+1.7.4 July 19, 2010 10
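Review bot: the SEE ALSO entry added as `_sudoers_(5)` does not match the rest of the page, which cites _sudoers_(4) throughout (the -u option, the VAR=value paragraph, SECURITY NOTES, EXAMPLES and CAVEATS); pick one manual section number for this build. The new example `$ sudo -g adm view /var/log/syslog` also sits a page after the SECURITY NOTES warning that commands offering shell escapes (including most editors) are not covered by sudo's logging or access control, and `view` is vi in read-only mode; illustrating -g with a pager, or cross-referencing the _noexec_ discussion in CAVEATS next to the example, would keep the examples consistent with that advice.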