-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-N\bN\bN\bNA\bA\bA\bAM\bM\bM\bME\bE\bE\bE
- sudo - execute a command as another user
+N\bNA\bAM\bME\bE
+ sudo, sudoedit - execute a command as another user
-S\bS\bS\bSY\bY\bY\bYN\bN\bN\bNO\bO\bO\bOP\bP\bP\bPS\bS\bS\bSI\bI\bI\bIS\bS\bS\bS
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo -\b-\b-\b-V\bV\bV\bV | -\b-\b-\b-h\bh\bh\bh | -\b-\b-\b-l\bl\bl\bl | -\b-\b-\b-L\bL\bL\bL | -\b-\b-\b-v\bv\bv\bv | -\b-\b-\b-k\bk\bk\bk | -\b-\b-\b-K\bK\bK\bK | -\b-\b-\b-s\bs\bs\bs | [ -\b-\b-\b-H\bH\bH\bH ] [-\b-\b-\b-P\bP\bP\bP ]
- [-\b-\b-\b-S\bS\bS\bS ] [ -\b-\b-\b-b\bb\bb\bb ] | [ -\b-\b-\b-p\bp\bp\bp _\bp_\br_\bo_\bm_\bp_\bt ] [ -\b-\b-\b-c\bc\bc\bc _\bc_\bl_\ba_\bs_\bs|_\b- ] [ -\b-\b-\b-a\ba\ba\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be
- ] [ -\b-\b-\b-u\bu\bu\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd ] _\bc_\bo_\bm_\bm_\ba_\bn_\bd
+S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
+ s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV
-D\bD\bD\bDE\bE\bE\bES\bS\bS\bSC\bC\bC\bCR\bR\bR\bRI\bI\bI\bIP\bP\bP\bPT\bT\bT\bTI\bI\bI\bIO\bO\bO\bON\bN\bN\bN
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the
- superuser or another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. The real and effective uid and gid are set to match
- those of the target user as specified in the passwd file
- (the group vector is also initialized when the target user
- is not root). By default, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo requires that users
- authenticate themselves with a password (NOTE: by default
- this is the user's password, not the root password). Once
- a user has been authenticated, a timestamp is updated and
- the user may then use sudo without a password for a short
- period of time (5 minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo determines who is an authorized user by consulting
- the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo the -\b-\b-\b-v\bv\bv\bv flag a user
- can update the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b. The
- password prompt itself will also time out if the user's
- password is not entered within 5 minutes (unless overrid
- den via _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to
- run a command via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo, mail is sent to the proper author
- ities, as defined at configure time or the _\bs_\bu_\bd_\bo_\be_\br_\bs file
- (defaults to root). Note that the mail will not be sent
- if an unauthorized user tries to run sudo with the -\b-\b-\b-l\bl\bl\bl or
- -\b-\b-\b-v\bv\bv\bv flags. This allows users to determine for themselves
- whether or not they are allowed to use s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo.
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo can log both successful and unsuccessful attempts (as
- well as errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By
- default s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable
- at configure time or via the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
-O\bO\bO\bOP\bP\bP\bPT\bT\bT\bTI\bI\bI\bIO\bO\bO\bON\bN\bN\bNS\bS\bS\bS
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo accepts the following command line options:
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
+ another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. The real and effective
+ uid and gid are set to match those of the target user as specified in
+ the passwd file and the group vector is initialized based on the group
+ file (unless the -\b-P\bP option was specified). If the invoking user is
+ root or if the target user is the same as the invoking user, no
+ password is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
+ themselves with a password by default (NOTE: in the default
+ configuration this is the user's password, not the root password).
+ Once a user has been authenticated, a time stamp is updated and the
+ user may then use sudo without a password for a short period of time (5
+ minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
- -V The -\b-\b-\b-V\bV\bV\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to print the ver
- sion number and exit. If the invoking user is already
- root the -\b-\b-\b-V\bV\bV\bV option will print out a list of the
- defaults s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo was compiled with as well as the
- machine's local network addresses.
+ When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
- -l The -\b-\b-\b-l\bl\bl\bl (_\bl_\bi_\bs_\bt) option will list out the allowed (and
- forbidden) commands for the user on the current host.
+ s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update
+ the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. If a password is required,
+ s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
+ configurable time limit. The default password prompt timeout is 5
+ minutes.
+ If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
+ via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at
+ configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that
+ the mail will not be sent if an unauthorized user tries to run sudo
+ with the -\b-l\bl or -\b-v\bv option. This allows users to determine for
+ themselves whether or not they are allowed to use s\bsu\bud\bdo\bo.
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
+ s\bsu\bud\bdo\bo will use this value to determine who the actual user is. This can
+ be used by a user to log commands through sudo even when a root shell
+ has been invoked. It also allows the -\b-e\be option to remain useful even
+ when being run via a sudo-run script or program. Note however, that
-April 25, 2002 1.6.6 1
+1.7.4 July 19, 2010 1
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- -L The -\b-\b-\b-L\bL\bL\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
- eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
- short description for each. This option is useful in
- conjunction with _\bg_\br_\be_\bp(1).
+ the sudoers lookup is still done for root, not the user specified by
+ SUDO_USER.
- -h The -\b-\b-\b-h\bh\bh\bh (_\bh_\be_\bl_\bp) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to print a usage mes
- sage and exit.
+ s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
+ errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
+ via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- -v If given the -\b-\b-\b-v\bv\bv\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will update
- the user's timestamp, prompting for the user's pass
- word if necessary. This extends the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo timeout for
- another 5 minutes (or whatever the timeout is set to
- in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
+O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo accepts the following command line options:
- -k The -\b-\b-\b-k\bk\bk\bk (_\bk_\bi_\bl_\bl) option to s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo invalidates the user's
- timestamp by setting the time on it to the epoch. The
- next time s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is run a password will be required.
- This option does not require a password and was added
- to allow a user to revoke s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo permissions from a
- .logout file.
+ -A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
+ the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
+ specified, a (possibly graphical) helper program is
+ executed to read the user's password and output the
+ password to the standard output. If the SUDO_ASKPASS
+ environment variable is set, it specifies the path to the
+ helper program. Otherwise, the value specified by the
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is used.
- -K The -\b-\b-\b-K\bK\bK\bK (sure _\bk_\bi_\bl_\bl) option to s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo removes the user's
- timestamp entirely. Likewise, this option does not
- require a password.
+ -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
+ specified authentication type when validating the user, as
+ allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
+ specify a list of sudo-specific authentication methods by
+ adding an "auth-sudo" entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
+ option is only available on systems that support BSD
+ authentication.
- -b The -\b-\b-\b-b\bb\bb\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the given
- command in the background. Note that if you use the
- -\b-\b-\b-b\bb\bb\bb option you cannot use shell job control to manipu
- late the process.
+ -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
+ command in the background. Note that if you use the -\b-b\bb
+ option you cannot use shell job control to manipulate the
+ process.
- -p The -\b-\b-\b-p\bp\bp\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the
- default password prompt and use a custom one. If the
- password prompt contains the %u escape, %u will be
- replaced with the user's login name. Similarly, %h
- will be replaced with the local hostname.
+ -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
+ than standard input, standard output and standard error.
+ The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a
+ starting point above the standard error (file descriptor
+ three). Values less than three are not permitted. This
+ option is only available if the administrator has enabled
+ the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
- -c The -\b-\b-\b-c\bc\bc\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the specified
- command with resources limited by the specified login
- class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
- as defined in /etc/login.conf, or a single '-' charac
- ter. Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the com
- mand should be run restricted by the default login
- capabilities for the user the command is run as. If
- the _\bc_\bl_\ba_\bs_\bs argument specifies an existing user class,
- the command must be run as root, or the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo command
- must be run from a shell that is already root. This
- option is only available on systems with BSD login
- classes where s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo has been configured with the
- --with-logincap option.
+ -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ command with resources limited by the specified login
+ class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as
+ defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
+ Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
+ be run restricted by the default login capabilities for the
+ user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
+ specifies an existing user class, the command must be run
+ as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
+ is already root. This option is only available on systems
+ with BSD login classes.
- -a The -\b-\b-\b-a\ba\ba\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to use
- the specified authentication type when validating the
- user, as allowed by /etc/login.conf. The system
- administrator may specify a list of sudo-specific
+ -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
-April 25, 2002 1.6.6 2
+1.7.4 July 19, 2010 2
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- authentication methods by adding an "auth-sudo" entry
- in /etc/login.conf. This option is only available on
- systems that support BSD authentication where s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo has
- been configured with the --with-bsdauth option.
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
+ either the matching command has the SETENV tag or the
+ _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
- -u The -\b-\b-\b-u\bu\bu\bu (_\bu_\bs_\be_\br) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd.
+ -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
+ command, the user wishes to edit one or more files. In
+ lieu of a command, the string "sudoedit" is used when
+ consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
- -s The -\b-\b-\b-s\bs\bs\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
- _\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
- as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4).
+ 1. Temporary copies are made of the files to be edited
+ with the owner set to the invoking user.
- -H The -\b-\b-\b-H\bH\bH\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
- able to the homedir of the target user (root by
- default) as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo
- does not modify HOME.
+ 2. The editor specified by the SUDO_EDITOR, VISUAL or
+ EDITOR environment variables is run to edit the
+ temporary files. If none of SUDO_EDITOR, VISUAL or
+ EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
+ _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
- -P The -\b-\b-\b-P\bP\bP\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to
- preserve the user's group vector unaltered. By
- default, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will initialize the group vector to the
- list of groups the target user is in. The real and
- effective group IDs, however, are still set to match
- the target user.
+ 3. If they have been modified, the temporary files are
+ copied back to their original location and the
+ temporary versions are removed.
- -S The -\b-\b-\b-S\bS\bS\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to read the password
- from standard input instead of the terminal device.
+ If the specified file does not exist, it will be created.
+ Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
+ run with the invoking user's environment unmodified. If,
+ for some reason, s\bsu\bud\bdo\bo is unable to update a file with its
+ edited version, the user will receive a warning and the
+ edited copy will remain in a temporary file.
- -- The -\b-\b-\b--\b-\b-\b- flag indicates that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo should stop processing
- command line arguments. It is most useful in conjunc
- tion with the -\b-\b-\b-s\bs\bs\bs flag.
-
-R\bR\bR\bRE\bE\bE\bET\bT\bT\bTU\bU\bU\bUR\bR\bR\bRN\bN\bN\bN V\bV\bV\bVA\bA\bA\bAL\bL\bL\bLU\bU\bU\bUE\bE\bE\bES\bS\bS\bS
- Upon successful execution of a program, the return value
- from s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will simply be the return value of the program
- that was executed.
-
- Otherwise, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo quits with an exit value of 1 if there is
- a configuration/permission problem or if s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo cannot exe
- cute the given command. In the latter case the error
- string is printed to stderr. If s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo cannot _\bs_\bt_\ba_\bt(2) one
- or more entries in the user's PATH an error is printed on
- stderr. (If the directory does not exist or if it is not
- really a directory, the entry is ignored and no error is
- printed.) This should not happen under normal circum
- stances. The most common reason for _\bs_\bt_\ba_\bt(2) to return
- "permission denied" is if you are running an automounter
- and one of the directories in your PATH is on a machine
- that is currently unreachable.
+ -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo sets the primary group to the one specified
+ by the passwd database for the user the command is being
+ run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp) option causes
+ s\bsu\bud\bdo\bo to run the specified command with the primary group
+ set to _\bg_\br_\bo_\bu_\bp. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be,
+ use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
+ require that the '#' be escaped with a backslash ('\'). If
+ no -\b-u\bu option is specified, the command will be run as the
+ invoking user (not root). In either case, the primary
+ group will be set to _\bg_\br_\bo_\bu_\bp.
-S\bS\bS\bSE\bE\bE\bEC\bC\bC\bCU\bU\bU\bUR\bR\bR\bRI\bI\bI\bIT\bT\bT\bTY\bY\bY\bY N\bN\bN\bNO\bO\bO\bOT\bT\bT\bTE\bE\bE\bES\bS\bS\bS
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo tries to be safe when executing external commands.
- Variables that control how dynamic loading and binding is
- done can be used to subvert the program that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo runs.
-
-
-
-April 25, 2002 1.6.6 3
-
-
-
-
-
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
-
-
- To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only),
- and LIBPATH (AIX only) environment variables are removed
- from the environment passed on to all commands executed.
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will also remove the IFS, ENV, BASH_ENV, KRB_CONF,
- KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN,
- RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO,
- TERMINFO_DIRS and TERMPATH variables as they too can pose
- a threat. If the TERMCAP variable is set and is a path
- name, it too is ignored. Additionally, if the LC_* or
- LANGUAGE variables contain the / or % characters, they are
- ignored. If s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo has been compiled with SecurID support,
- the VAR_ACE, USR_ACE and DLC_ACE variables are cleared as
- well. The list of environment variables that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo clears
- is contained in the output of sudo -V when run as root.
-
- To prevent command spoofing, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo checks "." and "" (both
- denoting current directory) last when searching for a com
- mand in the user's PATH (if one or both are in the PATH).
- Note, however, that the actual PATH environment variable
- is _\bn_\bo_\bt modified and is passed unchanged to the program
- that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo executes.
-
- For security reasons, if your OS supports shared libraries
- and does not disable user-defined library search paths for
- setuid programs (most do), you should either use a linker
- option that disables this behavior or link s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo stati
- cally.
-
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will check the ownership of its timestamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
- tents if it is not owned by root and only writable by
- root. On systems that allow non-root users to give away
- files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp directory is located
- in a directory writable by anyone (e.g.: _\b/_\bt_\bm_\bp), it is pos
- sible for a user to create the timestamp directory before
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is run. However, because s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo checks the ownership
- and mode of the directory and its contents, the only dam
- age that can be done is to "hide" files by putting them in
- the timestamp dir. This is unlikely to happen since once
- the timestamp dir is owned by root and inaccessible by any
- other user the user placing files there would be unable to
- get them back out. To get around this issue you can use a
- directory that is not world-writable for the timestamps
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with
- the appropriate owner (root) and permissions (0700) in the
- system startup files.
-
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will not honor timestamps set far in the future.
- Timestamps with a date greater than current_time + 2 *
- TIMEOUT will be ignored and sudo will log and complain.
- This is done to keep a user from creating his/her own
- timestamp with a bogus date on systems that allow users to
- give away files.
+ -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
+ the homedir of the target user (root by default) as
+ specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). The default handling of the HOME
+ environment variable depends on _\bs_\bu_\bd_\bo_\be_\br_\bs(4) settings. By
+ default, s\bsu\bud\bdo\bo will set HOME if _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
+ are set, or if _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set and the -\b-s\bs option is
+ specified on the command line.
+ -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage message
+ and exit.
+ -i [command]
+ The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
-April 25, 2002 1.6.6 4
+1.7.4 July 19, 2010 3
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- Please note that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will only log the command it explic
- itly runs. If a user runs a command such as sudo su or
- sudo sh, subsequent commands run from that shell will _\bn_\bo_\bt
- be logged, nor will s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo's access control affect them.
- The same is true for commands that offer shell escapes
- (including most editors). Because of this, care must be
- taken when giving users access to commands via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to
- verify that the command does not inadvertantly give the
- user an effective root shell.
-E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
- entries.
+ specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a
+ login shell. This means that login-specific resource files
+ such as .profile or .login will be read by the shell. If a
+ command is specified, it is passed to the shell for
+ execution. Otherwise, an interactive shell is executed.
+ s\bsu\bud\bdo\bo attempts to change to that user's home directory
+ before running the shell. It also initializes the
+ environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting
+ _\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the
+ contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt on Linux and AIX systems. All
+ other environment variables are removed.
- To get a file listing of an unreadable directory:
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
+ the user's time stamp entirely and may not be used in
+ conjunction with a command or other option. This option
+ does not require a password.
- % sudo ls /usr/local/protected
+ -k When used by itself, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo
+ invalidates the user's time stamp by setting the time on it
+ to the Epoch. The next time s\bsu\bud\bdo\bo is run a password will be
+ required. This option does not require a password and was
+ added to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
+ .logout file.
- To list the home directory of user yazza on a machine
- where the filesystem holding ~yazza is not exported as
- root:
+ When used in conjunction with a command or an option that
+ may require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to
+ ignore the user's time stamp file. As a result, s\bsu\bud\bdo\bo will
+ prompt for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and
+ will not update the user's time stamp file.
- % sudo -u yazza ls ~yazza
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
+ may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
+ description for each. This option will be removed from a
+ future version of s\bsu\bud\bdo\bo.
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+ -l[l] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
+ the allowed (and forbidden) commands for the invoking user
+ (or the user specified by the -\b-U\bU option) on the current
+ host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to the command is
+ displayed along with any command line arguments. If
+ _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not allowed, s\bsu\bud\bdo\bo will exit with a
+ status value of 1. If the -\b-l\bl option is specified with an l\bl
+ argument (i.e. -\b-l\bll\bl), or if -\b-l\bl is specified multiple times,
+ a longer list format is used.
+
+ -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
+ prompting the user for a password. If a password is
+ required for the command to run, s\bsu\bud\bdo\bo will display an error
+ messages and exit.
+
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
+ preserve the invoking user's group vector unaltered. By
- % sudo -u www vi ~www/htdocs/index.html
- To shutdown a machine:
- % sudo shutdown -r +15 "quick reboot"
+1.7.4 July 19, 2010 4
- To make a usage listing of the directories in the /home
- partition. Note that this runs the commands in a sub-
- shell to make the cd and file redirection work.
- % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-E\bE\bE\bEN\bN\bN\bNV\bV\bV\bVI\bI\bI\bIR\bR\bR\bRO\bO\bO\bON\bN\bN\bNM\bM\bM\bME\bE\bE\bEN\bN\bN\bNT\bT\bT\bT
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo utilizes the following environment variables:
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ default, s\bsu\bud\bdo\bo will initialize the group vector to the list
+ of groups the target user is in. The real and effective
+ group IDs, however, are still set to match the target user.
+ -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
+ password prompt and use a custom one. The following
+ percent (`%') escapes are supported:
+ %H expanded to the local host name including the domain
+ name (on if the machine's host name is fully qualified
+ or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
+ %h expanded to the local host name without the domain name
+ %p expanded to the user whose password is being asked for
+ (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs)
+ %U expanded to the login name of the user the command will
+ be run as (defaults to root)
+ %u expanded to the invoking user's login name
+ %% two consecutive % characters are collapsed into a
+ single % character
+ The prompt specified by the -\b-p\bp option will override the
+ system password prompt on systems that support PAM unless
+ the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
+ context to have the role specified by _\br_\bo_\bl_\be.
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ the standard input instead of the terminal device. The
+ password must be followed by a newline character.
+ -s [command]
+ The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
+ environment variable if it is set or the shell as specified
+ in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
+ the shell for execution. Otherwise, an interactive shell
+ is executed.
+ -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
+ context to have the type specified by _\bt_\by_\bp_\be. If no type is
+ specified, the default type is derived from the specified
+ role.
-April 25, 2002 1.6.6 5
+ -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
+ -\b-l\bl option to specify the user whose privileges should be
+ listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
+ host may use this option.
+1.7.4 July 19, 2010 5
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
- PATH Set to a sane value if SECURE_PATH is set
- SHELL Used to determine shell to run with -s option
- USER Set to the target user (root unless the -u option
- is specified)
- HOME In -s or -H mode (or if sudo was configured with
- the --enable-shell-sets-home option), set to
- homedir of the target user.
- SUDO_PROMPT Used as the default password prompt
- SUDO_COMMAND Set to the command run by sudo
- SUDO_USER Set to the login of the user who invoked sudo
- SUDO_UID Set to the uid of the user who invoked sudo
- SUDO_GID Set to the gid of the user who invoked sudo
- SUDO_PS1 If set, PS1 will be set to its value
-F\bF\bF\bFI\bI\bI\bIL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
- /etc/sudoers List of who can run what
- /var/run/sudo Directory containing timestamps
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-A\bA\bA\bAU\bU\bU\bUT\bT\bT\bTH\bH\bH\bHO\bO\bO\bOR\bR\bR\bRS\bS\bS\bS
- Many people have worked on s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo over the years; this ver
- sion consists of code written primarily by:
+ -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
+ a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
+ backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
+ is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
+ with a uid not listed in the password database.
- Todd Miller
- Chris Jepeway
+ -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
+ number and exit. If the invoking user is already root the
+ -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
+ compiled with as well as the machine's local network
+ addresses.
+
+ -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
+ user's time stamp, prompting for the user's password if
+ necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
+ minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
+ does not run a command.
+
+ -- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
+ command line arguments.
+
+ Environment variables to be set for the command may also be passed on
+ the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
+ L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
+ line are subject to the same restrictions as normal environment
+ variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
+ matched is ALL, the user may set variables that would overwise be
+ forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
+
+R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
+ Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
+ simply be the exit status of the program that was executed.
+
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a
+ configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
+ command. In the latter case the error string is printed to stderr. If
+ s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is
+ printed on stderr. (If the directory does not exist or if it is not
+ really a directory, the entry is ignored and no error is printed.)
+ This should not happen under normal circumstances. The most common
+ reason for _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running
+ an automounter and one of the directories in your PATH is on a machine
+ that is currently unreachable.
- See the HISTORY file in the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history
- of s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo.
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ s\bsu\bud\bdo\bo tries to be safe when executing external commands.
-B\bB\bB\bBU\bU\bU\bUG\bG\bG\bGS\bS\bS\bS
- If you feel you have found a bug in sudo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
+ There are two distinct ways to deal with environment variables. By
+ default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled. This causes commands
+ to be executed with a minimal environment containing TERM, PATH, HOME,
+ SHELL, LOGNAME, USER and USERNAME in addition to variables from the
-D\bD\bD\bDI\bI\bI\bIS\bS\bS\bSC\bC\bC\bCL\bL\bL\bLA\bA\bA\bAI\bI\bI\bIM\bM\bM\bME\bE\bE\bER\bR\bR\bR
- S\bS\bS\bSu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo for complete details.
-C\bC\bC\bCA\bA\bA\bAV\bV\bV\bVE\bE\bE\bEA\bA\bA\bAT\bT\bT\bTS\bS\bS\bS
- There is no easy way to prevent a user from gaining a root
- shell if that user has access to commands allowing shell
- escapes.
- If users have sudo ALL there is nothing to prevent them
- from creating their own program that gives them a root
- shell regardless of any '!' elements in the user specifi
- cation.
+1.7.4 July 19, 2010 6
- Running shell scripts via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo can expose the same kernel
- bugs that make setuid shell scripts unsafe on some
-April 25, 2002 1.6.6 6
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
+ invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp _\bs_\bu_\bd_\bo_\be_\br_\bs
+ options. There is effectively a whitelist for environment variables.
+
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
+ not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
+ inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
+ blacklist all potentially dangerous environment variables, use of the
+ default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
+
+ In all cases, environment variables with a value beginning with () are
+ removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
+ environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
+ output of sudo -V when run as root.
+
+ Note that the dynamic linker on most operating systems will remove
+ variables that can control dynamic linking from the environment of
+ setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
+ this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
+ others. These type of variables are removed from the environment
+ before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
+ s\bsu\bud\bdo\bo to preserve them.
+
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's PATH
+ (if one or both are in the PATH). Note, however, that the actual PATH
+ environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
+ program that s\bsu\bud\bdo\bo executes.
+
+ s\bsu\bud\bdo\bo will check the ownership of its time stamp directory
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
+ not owned by root or if it is writable by a user other than root. On
+ systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
+ the time stamp directory is located in a directory writable by anyone
+ (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
+ directory before s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the
+ ownership and mode of the directory and its contents, the only damage
+ that can be done is to "hide" files by putting them in the time stamp
+ dir. This is unlikely to happen since once the time stamp dir is owned
+ by root and inaccessible by any other user, the user placing files
+ there would be unable to get them back out. To get around this issue
+ you can use a directory that is not world-writable for the time stamps
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo with the
+ appropriate owner (root) and permissions (0700) in the system startup
+ files.
+
+ s\bsu\bud\bdo\bo will not honor time stamps set far in the future. Timestamps with
+ a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
+ will log and complain. This is done to keep a user from creating
+ his/her own time stamp with a bogus date on systems that allow users to
+ give away files.
+
+ On systems where the boot time is available, s\bsu\bud\bdo\bo will also not honor
+ time stamps from before the machine booted.
+
+1.7.4 July 19, 2010 7
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
- operating systems (if your OS supports the /dev/fd/ direc
- tory, setuid shell scripts are generally safe).
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-S\bS\bS\bSE\bE\bE\bEE\bE\bE\bE A\bA\bA\bAL\bL\bL\bLS\bS\bS\bSO\bO\bO\bO
- _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bp_\ba_\bs_\bs_\bw_\bd(5), _\bv_\bi_\bs_\bu_\bd_\bo(1m),
- _\bg_\br_\be_\bp(1), _\bs_\bu(1).
+ Since time stamp files live in the file system, they can outlive a
+ user's login session. As a result, a user may be able to login, run a
+ command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
+ s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
+ modification time is within 5 minutes (or whatever the timeout is set
+ to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ time stamp has per-tty granularity but still may outlive the user's
+ session. On Linux systems where the devpts filesystem is used, Solaris
+ systems with the devices filesystem, as well as other systems that
+ utilize a devfs filesystem that monotonically increase the inode number
+ of devices as they are created (such as Mac OS X), s\bsu\bud\bdo\bo is able to
+ determine when a tty-based time stamp file is stale and will ignore it.
+ Administrators should not rely on this feature as it is not universally
+ available.
+ Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
+ runs. If a user runs a command such as sudo su or sudo sh, subsequent
+ commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
+ control affect them. The same is true for commands that offer shell
+ escapes (including most editors). Because of this, care must be taken
+ when giving users access to commands via s\bsu\bud\bdo\bo to verify that the
+ command does not inadvertently give the user an effective root shell.
+ For more information, please see the PREVENTING SHELL ESCAPES section
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
+ s\bsu\bud\bdo\bo utilizes the following environment variables:
+ EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
+ SUDO_EDITOR nor VISUAL is set
+ MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
+ to the mail spool of the target user
+ HOME Set to the home directory of the target user if -\b-i\bi or
+ -\b-H\bH are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and
+ _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh sudoers option
+ is set.
+ SHELL Used to determine shell to run with -s option
+ SUDO_ASKPASS Specifies the path to a helper program used to read the
+ password if no terminal is available or if the -A
+ option is specified.
+ SUDO_COMMAND Set to the command run by sudo
+ SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode
+ SUDO_GID Set to the group ID of the user who invoked sudo
+1.7.4 July 19, 2010 8
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ SUDO_PROMPT Used as the default password prompt
+
+ SUDO_PS1 If set, PS1 will be set to its value for the program
+ being run
+
+ SUDO_UID Set to the user ID of the user who invoked sudo
+
+ SUDO_USER Set to the login of the user who invoked sudo
+
+ USER Set to the target user (root unless the -\b-u\bu option is
+ specified)
+
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
+ SUDO_EDITOR is not set
+
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
+
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
+ AIX
+
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
+
+ To get a file listing of an unreadable directory:
+
+ $ sudo ls /usr/local/protected
+
+ To list the home directory of user yaz on a machine where the file
+ system holding ~yaz is not exported as root:
+
+ $ sudo -u yaz ls ~yaz
+
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+
+ $ sudo -u www vi ~www/htdocs/index.html
+
+ To view system logs only accessible to root and users in the adm group:
+
+ $ sudo -g adm view /var/log/syslog
+
+ To run an editor as jim with a different primary group:
+
+ $ sudo -u jim -g audio vi ~jim/sound.txt
+
+ To shutdown a machine:
+
+ $ sudo shutdown -r +15 "quick reboot"
+ To make a usage listing of the directories in the /home partition.
+ Note that this runs the commands in a sub-shell to make the cd and file
+ redirection work.
+1.7.4 July 19, 2010 9
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
+ _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
+ of code written primarily by:
+ Todd C. Miller
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
+ http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ There is no easy way to prevent a user from gaining a root shell if
+ that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
+ programs (such as editors) allow the user to run commands via shell
+ escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
+ possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
+ It is not meaningful to run the cd command directly via sudo, e.g.,
+ $ sudo cd /usr/local/protected
+ since when the command exits the parent process (your shell) will still
+ be the same. Please see the EXAMPLES section for more information.
+ If users have sudo ALL there is nothing to prevent them from creating
+ their own program that gives them a root shell regardless of any '!'
+ elements in the user specification.
+ Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
+ make setuid shell scripts unsafe on some operating systems (if your OS
+ has a /dev/fd/ directory, setuid shell scripts are generally safe).
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ http://www.sudo.ws/sudo/license.html for complete details.
-April 25, 2002 1.6.6 7
+1.7.4 July 19, 2010 10