-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-N\bN\bN\bNA\bA\bA\bAM\bM\bM\bME\bE\bE\bE
- sudo - execute a command as another user
+N\bNA\bAM\bME\bE
+ sudo, sudoedit - execute a command as another user
-S\bS\bS\bSY\bY\bY\bYN\bN\bN\bNO\bO\bO\bOP\bP\bP\bPS\bS\bS\bSI\bI\bI\bIS\bS\bS\bS
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo -\b-\b-\b-V\bV\bV\bV | -\b-\b-\b-h\bh\bh\bh | -\b-\b-\b-l\bl\bl\bl | -\b-\b-\b-L\bL\bL\bL | -\b-\b-\b-v\bv\bv\bv | -\b-\b-\b-k\bk\bk\bk | -\b-\b-\b-K\bK\bK\bK | -\b-\b-\b-s\bs\bs\bs | [ -\b-\b-\b-H\bH\bH\bH ] [-\b-\b-\b-P\bP\bP\bP ]
- [-\b-\b-\b-S\bS\bS\bS ] [ -\b-\b-\b-b\bb\bb\bb ] | [ -\b-\b-\b-p\bp\bp\bp _\bp_\br_\bo_\bm_\bp_\bt ] [ -\b-\b-\b-c\bc\bc\bc _\bc_\bl_\ba_\bs_\bs|_\b- ] [ -\b-\b-\b-a\ba\ba\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be
- ] [ -\b-\b-\b-u\bu\bu\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd ] _\bc_\bo_\bm_\bm_\ba_\bn_\bd
+S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
+ s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-l\bl | -\b-V\bV | -\b-v\bv
-D\bD\bD\bDE\bE\bE\bES\bS\bS\bSC\bC\bC\bCR\bR\bR\bRI\bI\bI\bIP\bP\bP\bPT\bT\bT\bTI\bI\bI\bIO\bO\bO\bON\bN\bN\bN
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the
+ s\bsu\bud\bdo\bo [-\b-b\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] {-\b-i\bi | -\b-s\bs | _\bc_\bo_\bm_\bm_\ba_\bn_\bd}
+
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
+
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the
superuser or another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs
file. The real and effective uid and gid are set to match
those of the target user as specified in the passwd file
- (the group vector is also initialized when the target user
- is not root). By default, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo requires that users
- authenticate themselves with a password (NOTE: by default
- this is the user's password, not the root password). Once
- a user has been authenticated, a timestamp is updated and
+ and the group vector is initialized based on the group
+ file (unless the -\b-P\bP option was specified). If the invok
+ ing user is root or if the target user is the same as the
+ invoking user, no password is required. Otherwise, s\bsu\bud\bdo\bo
+ requires that users authenticate themselves with a pass
+ word by default (NOTE: in the default configuration this
+ is the user's password, not the root password). Once a
+ user has been authenticated, a timestamp is updated and
the user may then use sudo without a password for a short
period of time (5 minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo determines who is an authorized user by consulting
- the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo the -\b-\b-\b-v\bv\bv\bv flag a user
- can update the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b. The
+ When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below),
+ is implied.
+
+ s\bsu\bud\bdo\bo determines who is an authorized user by consulting
+ the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bsu\bud\bdo\bo the -\b-v\bv flag, a user
+ can update the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. The
password prompt itself will also time out if the user's
password is not entered within 5 minutes (unless overrid
den via _\bs_\bu_\bd_\bo_\be_\br_\bs).
If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to
- run a command via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo, mail is sent to the proper author
- ities, as defined at configure time or the _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ run a command via s\bsu\bud\bdo\bo, mail is sent to the proper author
+ ities, as defined at configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file
(defaults to root). Note that the mail will not be sent
- if an unauthorized user tries to run sudo with the -\b-\b-\b-l\bl\bl\bl or
- -\b-\b-\b-v\bv\bv\bv flags. This allows users to determine for themselves
- whether or not they are allowed to use s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo.
-
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo can log both successful and unsuccessful attempts (as
- well as errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By
- default s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable
- at configure time or via the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
-O\bO\bO\bOP\bP\bP\bPT\bT\bT\bTI\bI\bI\bIO\bO\bO\bON\bN\bN\bNS\bS\bS\bS
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo accepts the following command line options:
-
- -V The -\b-\b-\b-V\bV\bV\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to print the ver
- sion number and exit. If the invoking user is already
- root the -\b-\b-\b-V\bV\bV\bV option will print out a list of the
- defaults s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo was compiled with as well as the
- machine's local network addresses.
+ if an unauthorized user tries to run sudo with the -\b-l\bl or
+ -\b-v\bv flags. This allows users to determine for themselves
+ whether or not they are allowed to use s\bsu\bud\bdo\bo.
- -l The -\b-\b-\b-l\bl\bl\bl (_\bl_\bi_\bs_\bt) option will list out the allowed (and
- forbidden) commands for the user on the current host.
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment vari
+ able is set, s\bsu\bud\bdo\bo will use this value to determine who the
+ actual user is. This can be used by a user to log com
+ mands through sudo even when a root shell has been
+ invoked. It also allows the -\b-e\be flag to remain useful even
+ when being run via a sudo-run script or program. Note
+ however, that the sudoers lookup is still done for root,
+ not the user specified by SUDO_USER.
+1.6.9p14 February 19, 2008 1
-April 25, 2002 1.6.6 1
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
-
-
- -L The -\b-\b-\b-L\bL\bL\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
- eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
- short description for each. This option is useful in
- conjunction with _\bg_\br_\be_\bp(1).
-
- -h The -\b-\b-\b-h\bh\bh\bh (_\bh_\be_\bl_\bp) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to print a usage mes
- sage and exit.
-
- -v If given the -\b-\b-\b-v\bv\bv\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will update
- the user's timestamp, prompting for the user's pass
- word if necessary. This extends the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo timeout for
- another 5 minutes (or whatever the timeout is set to
- in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
+ s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as
+ well as errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By
+ default s\bsu\bud\bdo\bo will log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable
+ at configure time or via the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- -k The -\b-\b-\b-k\bk\bk\bk (_\bk_\bi_\bl_\bl) option to s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo invalidates the user's
- timestamp by setting the time on it to the epoch. The
- next time s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is run a password will be required.
- This option does not require a password and was added
- to allow a user to revoke s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo permissions from a
- .logout file.
+O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo accepts the following command line options:
- -K The -\b-\b-\b-K\bK\bK\bK (sure _\bk_\bi_\bl_\bl) option to s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo removes the user's
- timestamp entirely. Likewise, this option does not
- require a password.
+ -a The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use
+ the specified authentication type when validating the
+ user, as allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system
+ administrator may specify a list of sudo-specific
+ authentication methods by adding an "auth-sudo" entry
+ in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This option is only available on
+ systems that support BSD authentication.
- -b The -\b-\b-\b-b\bb\bb\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the given
+ -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
command in the background. Note that if you use the
- -\b-\b-\b-b\bb\bb\bb option you cannot use shell job control to manipu
+ -\b-b\bb option you cannot use shell job control to manipu
late the process.
- -p The -\b-\b-\b-p\bp\bp\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the
- default password prompt and use a custom one. If the
- password prompt contains the %u escape, %u will be
- replaced with the user's login name. Similarly, %h
- will be replaced with the local hostname.
-
- -c The -\b-\b-\b-c\bc\bc\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the specified
+ -c The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
command with resources limited by the specified login
class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
as defined in /etc/login.conf, or a single '-' charac
mand should be run restricted by the default login
capabilities for the user the command is run as. If
the _\bc_\bl_\ba_\bs_\bs argument specifies an existing user class,
- the command must be run as root, or the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo command
+ the command must be run as root, or the s\bsu\bud\bdo\bo command
must be run from a shell that is already root. This
option is only available on systems with BSD login
- classes where s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo has been configured with the
- --with-logincap option.
+ classes.
- -a The -\b-\b-\b-a\ba\ba\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to use
- the specified authentication type when validating the
- user, as allowed by /etc/login.conf. The system
- administrator may specify a list of sudo-specific
+ -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available
+ when either the matching command has the SETENV tag or
+ the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of run
+ ning a command, the user wishes to edit one or more
+ files. In lieu of a command, the string "sudoedit" is
+ used when consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is
+ authorized by _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
+ 1. Temporary copies are made of the files to be
+ edited with the owner set to the invoking user.
-April 25, 2002 1.6.6 2
+ 2. The editor specified by the VISUAL or EDITOR envi
+ ronment variables is run to edit the temporary
+ files. If neither VISUAL nor EDITOR are set, the
+ program listed in the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is
+ used.
+1.6.9p14 February 19, 2008 2
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
- authentication methods by adding an "auth-sudo" entry
- in /etc/login.conf. This option is only available on
- systems that support BSD authentication where s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo has
- been configured with the --with-bsdauth option.
- -u The -\b-\b-\b-u\bu\bu\bu (_\bu_\bs_\be_\br) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd.
- -s The -\b-\b-\b-s\bs\bs\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
- _\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
- as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4).
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
+ 3. If they have been modified, the temporary files
+ are copied back to their original location and the
+ temporary versions are removed.
- -H The -\b-\b-\b-H\bH\bH\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
+ If the specified file does not exist, it will be cre
+ ated. Note that unlike most commands run by s\bsu\bud\bdo\bo, the
+ editor is run with the invoking user's environment
+ unmodified. If, for some reason, s\bsu\bud\bdo\bo is unable to
+ update a file with its edited version, the user will
+ receive a warning and the edited copy will remain in a
+ temporary file.
+
+ -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
able to the homedir of the target user (root by
- default) as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo
- does not modify HOME.
+ default) as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo
+ does not modify HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
- -P The -\b-\b-\b-P\bP\bP\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to
- preserve the user's group vector unaltered. By
- default, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will initialize the group vector to the
- list of groups the target user is in. The real and
- effective group IDs, however, are still set to match
- the target user.
+ -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage mes
+ sage and exit.
- -S The -\b-\b-\b-S\bS\bS\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to read the password
- from standard input instead of the terminal device.
+ -i The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
+ specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the user that the
+ command is being run as. The command name argument
+ given to the shell begins with a `-' to tell the shell
+ to run as a login shell. s\bsu\bud\bdo\bo attempts to change to
+ that user's home directory before running the shell.
+ It also initializes the environment, leaving _\bT_\bE_\bR_\bM
+ unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and
+ _\bP_\bA_\bT_\bH, and unsetting all other environment variables.
+ Note that because the shell to use is determined
+ before the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed, a _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
+ setting in _\bs_\bu_\bd_\bo_\be_\br_\bs will specify the user to run the
+ shell as but will not affect which shell is actually
+ run.
+
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it
+ removes the user's timestamp entirely. Like -\b-k\bk, this
+ option does not require a password.
+
+ -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's
+ timestamp by setting the time on it to the Epoch. The
+ next time s\bsu\bud\bdo\bo is run a password will be required.
+ This option does not require a password and was added
+ to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
+ .logout file.
- -- The -\b-\b-\b--\b-\b-\b- flag indicates that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo should stop processing
- command line arguments. It is most useful in conjunc
- tion with the -\b-\b-\b-s\bs\bs\bs flag.
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
+ eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
+ short description for each. This option is useful in
+ conjunction with _\bg_\br_\be_\bp(1).
-R\bR\bR\bRE\bE\bE\bET\bT\bT\bTU\bU\bU\bUR\bR\bR\bRN\bN\bN\bN V\bV\bV\bVA\bA\bA\bAL\bL\bL\bLU\bU\bU\bUE\bE\bE\bES\bS\bS\bS
- Upon successful execution of a program, the return value
- from s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will simply be the return value of the program
- that was executed.
+ -l The -\b-l\bl (_\bl_\bi_\bs_\bt) option will list out the allowed (and
+ forbidden) commands for the invoking user on the
- Otherwise, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo quits with an exit value of 1 if there is
- a configuration/permission problem or if s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo cannot exe
- cute the given command. In the latter case the error
- string is printed to stderr. If s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo cannot _\bs_\bt_\ba_\bt(2) one
- or more entries in the user's PATH an error is printed on
- stderr. (If the directory does not exist or if it is not
- really a directory, the entry is ignored and no error is
- printed.) This should not happen under normal circum
- stances. The most common reason for _\bs_\bt_\ba_\bt(2) to return
- "permission denied" is if you are running an automounter
- and one of the directories in your PATH is on a machine
- that is currently unreachable.
-S\bS\bS\bSE\bE\bE\bEC\bC\bC\bCU\bU\bU\bUR\bR\bR\bRI\bI\bI\bIT\bT\bT\bTY\bY\bY\bY N\bN\bN\bNO\bO\bO\bOT\bT\bT\bTE\bE\bE\bES\bS\bS\bS
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo tries to be safe when executing external commands.
- Variables that control how dynamic loading and binding is
- done can be used to subvert the program that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo runs.
+1.6.9p14 February 19, 2008 3
-April 25, 2002 1.6.6 3
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+ current host.
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
+ preserve the invoking user's group vector unaltered.
+ By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ the list of groups the target user is in. The real
+ and effective group IDs, however, are still set to
+ match the target user.
- To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only),
- and LIBPATH (AIX only) environment variables are removed
- from the environment passed on to all commands executed.
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will also remove the IFS, ENV, BASH_ENV, KRB_CONF,
- KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN,
- RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO,
- TERMINFO_DIRS and TERMPATH variables as they too can pose
- a threat. If the TERMCAP variable is set and is a path
- name, it too is ignored. Additionally, if the LC_* or
- LANGUAGE variables contain the / or % characters, they are
- ignored. If s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo has been compiled with SecurID support,
- the VAR_ACE, USR_ACE and DLC_ACE variables are cleared as
- well. The list of environment variables that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo clears
- is contained in the output of sudo -V when run as root.
+ -p The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the
+ default password prompt and use a custom one. The
+ following percent (`%') escapes are supported:
- To prevent command spoofing, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo checks "." and "" (both
- denoting current directory) last when searching for a com
- mand in the user's PATH (if one or both are in the PATH).
- Note, however, that the actual PATH environment variable
- is _\bn_\bo_\bt modified and is passed unchanged to the program
- that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo executes.
+ %H expanded to the local hostname including the
+ domain name (on if the machine's hostname is fully
+ qualified or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
- For security reasons, if your OS supports shared libraries
- and does not disable user-defined library search paths for
- setuid programs (most do), you should either use a linker
- option that disables this behavior or link s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo stati
- cally.
+ %h expanded to the local hostname without the domain
+ name
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will check the ownership of its timestamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
- tents if it is not owned by root and only writable by
- root. On systems that allow non-root users to give away
- files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp directory is located
- in a directory writable by anyone (e.g.: _\b/_\bt_\bm_\bp), it is pos
- sible for a user to create the timestamp directory before
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is run. However, because s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo checks the ownership
- and mode of the directory and its contents, the only dam
- age that can be done is to "hide" files by putting them in
- the timestamp dir. This is unlikely to happen since once
- the timestamp dir is owned by root and inaccessible by any
- other user the user placing files there would be unable to
- get them back out. To get around this issue you can use a
- directory that is not world-writable for the timestamps
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with
- the appropriate owner (root) and permissions (0700) in the
- system startup files.
-
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will not honor timestamps set far in the future.
- Timestamps with a date greater than current_time + 2 *
- TIMEOUT will be ignored and sudo will log and complain.
- This is done to keep a user from creating his/her own
- timestamp with a bogus date on systems that allow users to
- give away files.
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+ %U expanded to the login name of the user the command
+ will be run as (defaults to root)
+ %u expanded to the invoking user's login name
+ %% two consecutive % characters are collapsed into a
+ single % character
-April 25, 2002 1.6.6 4
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password
+ from the standard input instead of the terminal
+ device.
+ -s The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
+ _\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
+ as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4).
+ -u The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running com
+ mands as a _\bu_\bi_\bd, many shells require that the '#' be
+ escaped with a backslash ('\'). Note that if the _\bt_\ba_\br_\b
+ _\bg_\be_\bt_\bp_\bw Defaults option is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is
+ not possible to run commands with a uid not listed in
+ the password database.
+
+ -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the ver
+ sion number and exit. If the invoking user is already
+ root the -\b-V\bV option will print out a list of the
+ defaults s\bsu\bud\bdo\bo was compiled with as well as the
+ machine's local network addresses.
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+1.6.9p14 February 19, 2008 4
- Please note that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will only log the command it explic
- itly runs. If a user runs a command such as sudo su or
- sudo sh, subsequent commands run from that shell will _\bn_\bo_\bt
- be logged, nor will s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo's access control affect them.
- The same is true for commands that offer shell escapes
- (including most editors). Because of this, care must be
- taken when giving users access to commands via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to
- verify that the command does not inadvertantly give the
- user an effective root shell.
-E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
- entries.
- To get a file listing of an unreadable directory:
- % sudo ls /usr/local/protected
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- To list the home directory of user yazza on a machine
- where the filesystem holding ~yazza is not exported as
- root:
- % sudo -u yazza ls ~yazza
+ -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update
+ the user's timestamp, prompting for the user's pass
+ word if necessary. This extends the s\bsu\bud\bdo\bo timeout for
+ another 5 minutes (or whatever the timeout is set to
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+ -- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing
+ command line arguments. It is most useful in conjunc
+ tion with the -\b-s\bs flag.
+
+ Environment variables to be set for the command may also
+ be passed on the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be,
+ e.g. L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables
+ passed on the command line are subject to the same
+ restrictions as normal environment variables with one
+ important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\b
+ _\be_\br_\bs, the command to be run has the SETENV tag set or the
+ command matched is ALL, the user may set variables that
+ would overwise be forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more
+ information.
+
+R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
+ Upon successful execution of a program, the return value
+ from s\bsu\bud\bdo\bo will simply be the return value of the program
+ that was executed.
- % sudo -u www vi ~www/htdocs/index.html
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is
+ a configuration/permission problem or if s\bsu\bud\bdo\bo cannot exe
+ cute the given command. In the latter case the error
+ string is printed to stderr. If s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one
+ or more entries in the user's PATH an error is printed on
+ stderr. (If the directory does not exist or if it is not
+ really a directory, the entry is ignored and no error is
+ printed.) This should not happen under normal circum
+ stances. The most common reason for _\bs_\bt_\ba_\bt(2) to return
+ "permission denied" is if you are running an automounter
+ and one of the directories in your PATH is on a machine
+ that is currently unreachable.
- To shutdown a machine:
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ s\bsu\bud\bdo\bo tries to be safe when executing external commands.
- % sudo shutdown -r +15 "quick reboot"
+ There are two distinct ways to deal with environment vari
+ ables. By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is
+ enabled. This causes commands to be executed with a mini
+ mal environment containing TERM, PATH, HOME, SHELL, LOG
+ NAME, USER and USERNAME in addition to variables from the
+ invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp
+ _\bs_\bu_\bd_\bo_\be_\br_\bs options. There is effectively a whitelist for
+ environment variables.
- To make a usage listing of the directories in the /home
- partition. Note that this runs the commands in a sub-
- shell to make the cd and file redirection work.
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs,
+ any variables not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited from the invoking
- % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-E\bE\bE\bEN\bN\bN\bNV\bV\bV\bVI\bI\bI\bIR\bR\bR\bRO\bO\bO\bON\bN\bN\bNM\bM\bM\bME\bE\bE\bEN\bN\bN\bNT\bT\bT\bT
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo utilizes the following environment variables:
+1.6.9p14 February 19, 2008 5
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave
+ like a blacklist. Since it is not possible to blacklist
+ all potentially dangerous environment variables, use of
+ the default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
+ In all cases, environment variables with a value beginning
+ with () are removed as they could be interpreted as b\bba\bas\bsh\bh
+ functions. The list of environment variables that s\bsu\bud\bdo\bo
+ allows or denies is contained in the output of sudo -V
+ when run as root.
+ Note that the dynamic linker on most operating systems
+ will remove variables that can control dynamic linking
+ from the environment of setuid executables, including
+ s\bsu\bud\bdo\bo. Depending on the operating system this may include
+ _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth
+ ers. These type of variables are removed from the envi
+ ronment before s\bsu\bud\bdo\bo even begins execution and, as such, it
+ is not possible for s\bsu\bud\bdo\bo to preserve them.
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both
+ denoting current directory) last when searching for a com
+ mand in the user's PATH (if one or both are in the PATH).
+ Note, however, that the actual PATH environment variable
+ is _\bn_\bo_\bt modified and is passed unchanged to the program
+ that s\bsu\bud\bdo\bo executes.
+ s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
+ (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
+ tents if it is not owned by root or if it is writable by a
+ user other than root. On systems that allow non-root
+ users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
+ directory is located in a directory writable by anyone
+ (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the
+ timestamp directory before s\bsu\bud\bdo\bo is run. However, because
+ s\bsu\bud\bdo\bo checks the ownership and mode of the directory and
+ its contents, the only damage that can be done is to
+ "hide" files by putting them in the timestamp dir. This
+ is unlikely to happen since once the timestamp dir is
+ owned by root and inaccessible by any other user, the user
+ placing files there would be unable to get them back out.
+ To get around this issue you can use a directory that is
+ not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for
+ instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate
+ owner (root) and permissions (0700) in the system startup
+ files.
+
+ s\bsu\bud\bdo\bo will not honor timestamps set far in the future.
+ Timestamps with a date greater than current_time + 2 *
+ TIMEOUT will be ignored and sudo will log and complain.
+ This is done to keep a user from creating his/her own
+ timestamp with a bogus date on systems that allow users to
+ give away files.
+1.6.9p14 February 19, 2008 6
-April 25, 2002 1.6.6 5
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+ Please note that s\bsu\bud\bdo\bo will normally only log the command
+ it explicitly runs. If a user runs a command such as sudo
+ su or sudo sh, subsequent commands run from that shell
+ will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access control affect
+ them. The same is true for commands that offer shell
+ escapes (including most editors). Because of this, care
+ must be taken when giving users access to commands via
+ s\bsu\bud\bdo\bo to verify that the command does not inadvertently
+ give the user an effective root shell. For more informa
+ tion, please see the PREVENTING SHELL ESCAPES section in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
- PATH Set to a sane value if SECURE_PATH is set
- SHELL Used to determine shell to run with -s option
- USER Set to the target user (root unless the -u option
- is specified)
- HOME In -s or -H mode (or if sudo was configured with
- the --enable-shell-sets-home option), set to
- homedir of the target user.
- SUDO_PROMPT Used as the default password prompt
- SUDO_COMMAND Set to the command run by sudo
- SUDO_USER Set to the login of the user who invoked sudo
- SUDO_UID Set to the uid of the user who invoked sudo
- SUDO_GID Set to the gid of the user who invoked sudo
- SUDO_PS1 If set, PS1 will be set to its value
+E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
+ s\bsu\bud\bdo\bo utilizes the following environment variables:
+ EDITOR Default editor to use in -\b-e\be (sudoedit)
+ mode if VISUAL is not set
-F\bF\bF\bFI\bI\bI\bIL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
- /etc/sudoers List of who can run what
- /var/run/sudo Directory containing timestamps
+ HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was config
+ ured with the --enable-shell-sets-home
+ option), set to homedir of the target user
+ PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh
+ sudoers option is set.
-A\bA\bA\bAU\bU\bU\bUT\bT\bT\bTH\bH\bH\bHO\bO\bO\bOR\bR\bR\bRS\bS\bS\bS
- Many people have worked on s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo over the years; this ver
- sion consists of code written primarily by:
+ SHELL Used to determine shell to run with -s
+ option
- Todd Miller
- Chris Jepeway
+ SUDO_PROMPT Used as the default password prompt
- See the HISTORY file in the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history
- of s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo.
+ SUDO_COMMAND Set to the command run by sudo
-B\bB\bB\bBU\bU\bU\bUG\bG\bG\bGS\bS\bS\bS
- If you feel you have found a bug in sudo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
+ SUDO_USER Set to the login of the user who invoked
+ sudo
-D\bD\bD\bDI\bI\bI\bIS\bS\bS\bSC\bC\bC\bCL\bL\bL\bLA\bA\bA\bAI\bI\bI\bIM\bM\bM\bME\bE\bE\bER\bR\bR\bR
- S\bS\bS\bSu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo for complete details.
+ SUDO_UID Set to the uid of the user who invoked
+ sudo
-C\bC\bC\bCA\bA\bA\bAV\bV\bV\bVE\bE\bE\bEA\bA\bA\bAT\bT\bT\bTS\bS\bS\bS
- There is no easy way to prevent a user from gaining a root
- shell if that user has access to commands allowing shell
- escapes.
+ SUDO_GID Set to the gid of the user who invoked
+ sudo
- If users have sudo ALL there is nothing to prevent them
- from creating their own program that gives them a root
- shell regardless of any '!' elements in the user specifi
- cation.
+ SUDO_PS1 If set, PS1 will be set to its value
+
+ USER Set to the target user (root unless the -\b-u\bu
+ option is specified)
+
+ VISUAL Default editor to use in -\b-e\be (sudoedit)
+ mode
- Running shell scripts via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo can expose the same kernel
- bugs that make setuid shell scripts unsafe on some
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
-April 25, 2002 1.6.6 6
+1.6.9p14 February 19, 2008 7
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
- operating systems (if your OS supports the /dev/fd/ direc
- tory, setuid shell scripts are generally safe).
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
+ entries.
+
+ To get a file listing of an unreadable directory:
+
+ $ sudo ls /usr/local/protected
+
+ To list the home directory of user yazza on a machine
+ where the file system holding ~yazza is not exported as
+ root:
+
+ $ sudo -u yazza ls ~yazza
-S\bS\bS\bSE\bE\bE\bEE\bE\bE\bE A\bA\bA\bAL\bL\bL\bLS\bS\bS\bSO\bO\bO\bO
- _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bp_\ba_\bs_\bs_\bw_\bd(5), _\bv_\bi_\bs_\bu_\bd_\bo(1m),
- _\bg_\br_\be_\bp(1), _\bs_\bu(1).
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+ $ sudo -u www vi ~www/htdocs/index.html
+ To shutdown a machine:
+ $ sudo shutdown -r +15 "quick reboot"
+ To make a usage listing of the directories in the /home
+ partition. Note that this runs the commands in a sub-
+ shell to make the cd and file redirection work.
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4),
+ _\bs_\bu_\bd_\bo_\be_\br_\bs(5), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this ver
+ sion consists of code written primarily by:
+ Todd C. Miller
+ Chris Jepeway
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
+ http://www.sudo.ws/sudo/history.html for a short history
+ of s\bsu\bud\bdo\bo.
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ There is no easy way to prevent a user from gaining a root
+ shell if that user is allowed to run arbitrary commands
+ via s\bsu\bud\bdo\bo. Also, many programs (such as editors) allow the
+ user to run commands via shell escapes, thus avoiding
+ s\bsu\bud\bdo\bo's checks. However, on most systems it is possible to
+ prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
+ It is not meaningful to run the cd command directly via
+ sudo, e.g.,
+1.6.9p14 February 19, 2008 8
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ $ sudo cd /usr/local/protected
+ since when the command exits the parent process (your
+ shell) will still be the same. Please see the EXAMPLES
+ section for more information.
+ If users have sudo ALL there is nothing to prevent them
+ from creating their own program that gives them a root
+ shell regardless of any '!' elements in the user specifi
+ cation.
+ Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel
+ bugs that make setuid shell scripts unsafe on some operat
+ ing systems (if your OS has a /dev/fd/ directory, setuid
+ shell scripts are generally safe).
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
+ bug report at http://www.sudo.ws/sudo/bugs/
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mail
+ ing list, see http://www.sudo.ws/mail
+ man/listinfo/sudo-users to subscribe or search the
+ archives.
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
+ ranties, including, but not limited to, the implied war
+ ranties of merchantability and fitness for a particular
+ purpose are disclaimed. See the LICENSE file distributed
+ with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
+ plete details.
-April 25, 2002 1.6.6 7
+1.6.9p14 February 19, 2008 9