-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudo.pod,v 1.125 2009/09/25 00:31:35 millert Exp $
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.nr PT @password_timeout@
+.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "February 22, 2010" "1.7.2p5" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "July 19, 2010" "1.7.4" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
.PP
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
-@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-p\fR\ \fIprompt\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
.PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
-@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
-@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
-[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
+.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
.PP
\&\fBsudoedit\fR [\fB\-AnS\fR]
-@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ...
+.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
\&\fBsudo\fR requires that users authenticate themselves with a password
by default (\s-1NOTE:\s0 in the default configuration this is the user's
password, not the root password). Once a user has been authenticated,
-a timestamp is updated and the user may then use sudo without a
+a time stamp is updated and the user may then use sudo without a
password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
overridden in \fIsudoers\fR).
.PP
.PP
\&\fBsudo\fR determines who is an authorized user by consulting the file
\&\fI@sysconfdir@/sudoers\fR. By running \fBsudo\fR with the \fB\-v\fR option,
-a user can update the time stamp without running a \fIcommand\fR. The
-password prompt itself will also time out if the user's password
-is not entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden
-via \fIsudoers\fR).
+a user can update the time stamp without running a \fIcommand\fR. If
+a password is required, \fBsudo\fR will exit if the user's password
+is not entered within a configurable time limit. The default
+password prompt timeout is
+.ie \n(PT \f(CW\*(C`@password_timeout@\*(C'\fR minutes.
+.el unlimited.
.PP
If a user who is not listed in the \fIsudoers\fR file tries to run a
command via \fBsudo\fR, mail is sent to the proper authorities, as
the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
path to the helper program. Otherwise, the value specified by the
\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used.
-@BAMAN@.IP "\-a \fItype\fR" 12
-@BAMAN@.IX Item "-a type"
-@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
-@BAMAN@specified authentication type when validating the user, as allowed
-@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list
-@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
-@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems
-@BAMAN@that support \s-1BSD\s0 authentication.
+.if \n(BA \{\
+.IP "\-a \fItype\fR" 12
+.IX Item "-a type"
+The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
+specified authentication type when validating the user, as allowed
+by \fI/etc/login.conf\fR. The system administrator may specify a list
+of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
+entry in \fI/etc/login.conf\fR. This option is only available on systems
+that support \s-1BSD\s0 authentication.
+\}
.IP "\-b" 12
.IX Item "-b"
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
three are not permitted. This option is only available if the
administrator has enabled the \fIclosefrom_override\fR option in
\&\fIsudoers\fR\|(@mansectform@).
-@LCMAN@.IP "\-c \fIclass\fR" 12
-@LCMAN@.IX Item "-c class"
-@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
-@LCMAN@with resources limited by the specified login class. The \fIclass\fR
-@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR,
-@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
-@LCMAN@that the command should be run restricted by the default login
-@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR
-@LCMAN@argument specifies an existing user class, the command must be run
-@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already
-@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes.
+.if \n(LC \{\
+.IP "\-c \fIclass\fR" 12
+.IX Item "-c class"
+The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
+with resources limited by the specified login class. The \fIclass\fR
+argument can be either a class name as defined in \fI/etc/login.conf\fR,
+or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
+that the command should be run restricted by the default login
+capabilities for the user the command is run as. If the \fIclass\fR
+argument specifies an existing user class, the command must be run
+as root, or the \fBsudo\fR command must be run from a shell that is already
+root. This option is only available on systems with \s-1BSD\s0 login classes.
+\}
.IP "\-E" 12
.IX Item "-E"
The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
.IX Item "-H"
The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
to the homedir of the target user (root by default) as specified
-in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
-(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)).
+in \fIpasswd\fR\|(@mansectform@). The default handling of the \f(CW\*(C`HOME\*(C'\fR environment
+variable depends on \fIsudoers\fR\|(@mansectform@) settings. By default, \fBsudo\fR
+will set \f(CW\*(C`HOME\*(C'\fR if \fIenv_reset\fR or \fIalways_set_home\fR are set, or
+if \fIset_home\fR is set and the \fB\-s\fR option is specified on the
+command line.
.IP "\-h" 12
.IX Item "-h"
The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
shell is executed. \fBsudo\fR attempts to change to that user's home
directory before running the shell. It also initializes the
environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting
-\&\fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as
+\&\fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as
the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems.
All other environment variables are removed.
.IP "\-K" 12
.IX Item "-K"
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
-the user's timestamp entirely and may not be used in conjunction
+the user's time stamp entirely and may not be used in conjunction
with a command or other option. This option does not require a
password.
.IP "\-k" 12
.IX Item "-k"
When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
-the user's timestamp by setting the time on it to the Epoch. The
+the user's time stamp by setting the time on it to the Epoch. The
next time \fBsudo\fR is run a password will be required. This option
does not require a password and was added to allow a user to revoke
\&\fBsudo\fR permissions from a .logout file.
.Sp
When used in conjunction with a command or an option that may require
a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
-timestamp file. As a result, \fBsudo\fR will prompt for a password
+time stamp file. As a result, \fBsudo\fR will prompt for a password
(if one is required by \fIsudoers\fR) and will not update the user's
-timestamp file.
+time stamp file.
.IP "\-L" 12
.IX Item "-L"
-The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
-that may be set in a \fIDefaults\fR line along with a short description
-for each. This option is useful in conjunction with \fIgrep\fR\|(1).
+The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that
+may be set in a \fIDefaults\fR line along with a short description for
+each. This option will be removed from a future version of \fBsudo\fR.
.IP "\-l[l] [\fIcommand\fR]" 12
.IX Item "-l[l] [command]"
If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the \fIfqdn\fR
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the \fIfqdn\fR
\&\fIsudoers\fR option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
-expanded to the local hostname without the domain name
+expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
password prompt on systems that support \s-1PAM\s0 unless the
\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
.RE
-@SEMAN@.IP "\-r \fIrole\fR" 12
-@SEMAN@.IX Item "-r role"
-@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
-@SEMAN@have the role specified by \fIrole\fR.
+.if \n(SL \{\
+.IP "\-r \fIrole\fR" 12
+.IX Item "-r role"
+The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
+have the role specified by \fIrole\fR.
+\}
.IP "\-S" 12
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
environment variable if it is set or the shell as specified in
\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell
for execution. Otherwise, an interactive shell is executed.
-@SEMAN@.IP "\-t \fItype\fR" 12
-@SEMAN@.IX Item "-t type"
-@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
-@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default
-@SEMAN@type is derived from the specified role.
+.if \n(SL \{\
+.IP "\-t \fItype\fR" 12
+.IX Item "-t type"
+The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
+have the type specified by \fItype\fR. If no type is specified, the default
+type is derived from the specified role.
+\}
.IP "\-U \fIuser\fR" 12
.IX Item "-U user"
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
.IP "\-v" 12
.IX Item "-v"
If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
-user's timestamp, prompting for the user's password if necessary.
+user's time stamp, prompting for the user's password if necessary.
This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes
(or whatever the timeout is set to in \fIsudoers\fR) but does not run
a command.
.IP "\-\-" 12
The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
-line arguments. It is most useful in conjunction with the \fB\-s\fR option.
+line arguments.
.PP
Environment variables to be set for the command may also be passed
on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
unchanged to the program that \fBsudo\fR executes.
.PP
-\&\fBsudo\fR will check the ownership of its timestamp directory
+\&\fBsudo\fR will check the ownership of its time stamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than
root. On systems that allow non-root users to give away files via
-\&\fIchown\fR\|(2), if the timestamp directory is located in a directory
+\&\fIchown\fR\|(2), if the time stamp directory is located in a directory
writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to
-create the timestamp directory before \fBsudo\fR is run. However,
+create the time stamp directory before \fBsudo\fR is run. However,
because \fBsudo\fR checks the ownership and mode of the directory and
its contents, the only damage that can be done is to \*(L"hide\*(R" files
-by putting them in the timestamp dir. This is unlikely to happen
-since once the timestamp dir is owned by root and inaccessible by
+by putting them in the time stamp dir. This is unlikely to happen
+since once the time stamp dir is owned by root and inaccessible by
any other user, the user placing files there would be unable to get
them back out. To get around this issue you can use a directory
-that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for
+that is not world-writable for the time stamps (\fI/var/adm/sudo\fR for
instance) or create \fI@timedir@\fR with the appropriate owner (root)
and permissions (0700) in the system startup files.
.PP
-\&\fBsudo\fR will not honor timestamps set far in the future.
+\&\fBsudo\fR will not honor time stamps set far in the future.
Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
will be ignored and sudo will log and complain. This is done to
-keep a user from creating his/her own timestamp with a bogus
+keep a user from creating his/her own time stamp with a bogus
date on systems that allow users to give away files.
.PP
+On systems where the boot time is available, \fBsudo\fR will also not
+honor time stamps from before the machine booted.
+.PP
+Since time stamp files live in the file system, they can outlive a
+user's login session. As a result, a user may be able to login,
+run a command with \fBsudo\fR after authenticating, logout, login
+again, and run \fBsudo\fR without authenticating so long as the time
+stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
+whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
+option is enabled in \fIsudoers\fR, the time stamp has per-tty granularity
+but still may outlive the user's session. On Linux systems where
+the devpts filesystem is used, Solaris systems with the devices
+filesystem, as well as other systems that utilize a devfs filesystem
+that monotonically increase the inode number of devices as they are
+created (such as Mac \s-1OS\s0 X), \fBsudo\fR is able to determine when a
+tty-based time stamp file is stale and will ignore it. Administrators
+should not rely on this feature as it is not universally available.
+.PP
Please note that \fBsudo\fR will normally only log the command it
explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
.IX Item "EDITOR"
Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
nor \f(CW\*(C`VISUAL\*(C'\fR is set
+.ie n .IP "\*(C`MAIL\*(C'" 16
+.el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16
+.IX Item "MAIL"
+In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set
+to the mail spool of the target user
.ie n .IP "\*(C`HOME\*(C'" 16
.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
.IX Item "HOME"
-In \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the
-\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user
+Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are
+specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR,
+or when the \fB\-s\fR option is specified and \fIset_home\fR is set in
+\&\fIsudoers\fR
.ie n .IP "\*(C`PATH\*(C'" 16
.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
.IX Item "PATH"
.ie n .IP "\fI@timedir@\fR" 24
.el .IP "\fI@timedir@\fR" 24
.IX Item "@timedir@"
-Directory containing timestamps
+Directory containing time stamps
.IP "\fI/etc/environment\fR" 24
.IX Item "/etc/environment"
Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
-@LCMAN@\&\fIlogin_cap\fR\|(3),
+.if \n(LC \&\fIlogin_cap\fR\|(3),
\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"
projects / debian / sudo / blobdiff