-=cut
Copyright (c) 1994-1996, 1998-2005, 2007
Todd C. Miller <Todd.Miller@courtesan.com>
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudo.pod,v 1.70.2.19 2007/11/21 19:26:10 millert Exp $
+$Sudo: sudo.pod,v 1.70.2.24 2008/02/19 18:22:11 millert Exp $
=pod
=head1 NAME
B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-l> | B<-V> | B<-v>
-B<sudo> [B<-bEHPS>] S<[B<-a> I<auth_type>]>
-S<[B<-c> I<class>|I<->]> S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
+B<sudo> [B<-bEHPS>]
+S<[B<-a> I<auth_type>]>
+S<[B<-c> I<class>|I<->]>
+S<[B<-p> I<prompt>]>
+S<[B<-r> I<role>]> S<[B<-t> I<type>]>
+S<[B<-u> I<username>|I<#uid>]>
S<[B<VAR>=I<value>]> S<{B<-i> | B<-s> | I<command>}>
-B<sudoedit> [B<-S>] S<[B<-a> I<auth_type>]> S<[B<-c> I<class>|I<->]>
+B<sudoedit> [B<-S>]
+S<[B<-a> I<auth_type>]>
+S<[B<-c> I<class>|I<->]>
S<[B<-p> I<prompt>]> S<[B<-u> I<username>|I<#uid>]>
file ...
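Review bot: The new `S<[B<-r> I<role>]> S<[B<-t> I<type>]>` line in the B<sudo> synopsis lists both flags unconditionally, while the option text added later in this patch ties them to an SELinux security context. Mark them as SELinux-only in the synopsis or in the option descriptions. Also state whether B<sudoedit> accepts them, since its synopsis is reflowed here without gaining either flag.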
expanded to the local hostname without the domain name
+=item C<%p>
+
+expanded to the user whose password is being asked for (respects the
+I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
+
=item C<%U>
expanded to the login name of the user the command will
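Review bot: The C<%p> entry names the three sudoers flags that change whose password is requested, but it does not say what the escape expands to when none of I<rootpw>, I<targetpw> or I<runaspw> is set. Add the default case so an administrator writing a custom prompt knows what users see in the common configuration.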
=back
+=item -r
+
+The B<-r> (I<role>) option causes the new (SELinux) security context to
+have the role specified by I<role>.
+
=item -S
The B<-S> (I<stdin>) option causes B<sudo> to read the password from
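Review bot: The B<-r> description says only that the new security context gets the requested role. It does not say which role is used when the option is omitted, or whether the role a user may request is constrained by I<sudoers>. Since this flag selects the confinement the command runs under, document both points or cross-reference the section that does.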
environment variable if it is set or the shell as specified
in L<passwd(5)>.
+=item -t
+
+The B<-t> (I<type>) option causes the new (SELinux) security context to
+have the type specified by I<type>. If no type is specified, the default
+type is derived from the specified role.
+
=item -u
The B<-u> (I<user>) option causes B<sudo> to run the specified
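Review bot: In the B<-t> text, "the default type is derived from the specified role" covers only the case where B<-r> is given and B<-t> is not. State what happens when B<-t> is used without B<-r>, and whether a type that is not valid for the role is rejected or ignored.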
To prevent command spoofing, B<sudo> checks "." and "" (both denoting
current directory) last when searching for a command in the user's
PATH (if one or both are in the PATH). Note, however, that the
-actual C<PATH> environment variable is I<not> modified and is passed
-unchanged to the program that B<sudo> executes.
+C<PATH> environment variable is further modified in Debian because of
+the use of the I<SECURE_PATH> build option.
B<sudo> will check the ownership of its timestamp directory
(F<@timedir@> by default) and ignore the directory's contents if
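Review bot: The replacement sentence in the PATH paragraph removes the statement that C<PATH> is passed unchanged, but it does not say what the executed program receives instead. "Note, however, that the C<PATH> environment variable is further modified in Debian" gives no value or rule for the modification, and "however" and "further" have nothing left to contrast with because the preceding sentence only describes search order. State what the I<SECURE_PATH> build option does to PATH, both for the command lookup and for the environment handed to the command, and point to /usr/share/doc/sudo/OPTIONS here, since this is the paragraph a reader consults for command-spoofing behaviour.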
=head1 FILES
-=over 4
+=over 24
+
+=item F<@sysconfdir@/sudoers>
-=item F<@sysconfdir@/sudoers>C< >List of who can run what
+List of who can run what
-=item F<@timedir@>C< >Directory containing timestamps
+=item F<@timedir@>
+
+Directory containing timestamps
=back
=head1 SEE ALSO
-L<grep(1)>, L<su(1)>, L<stat(2)>, L<login_cap(3)>, L<passwd(5)>,
-L<sudoers(5)>, L<visudo(8)>
+L<grep(1)>, L<su(1)>, L<stat(2)>,
+L<login_cap(3)>,
+L<passwd(5)>, L<sudoers(5)>, L<visudo(8)>
+
+The file /usr/share/doc/sudo/OPTIONS describes the options used for building
+the Debian version of sudo, some of which change default behaviors documented
+elsewhere in this document.
=head1 AUTHORS
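Review bot: The added SEE ALSO paragraph gives /usr/share/doc/sudo/OPTIONS as bare text, while other paths in this file use file markup such as `F<@timedir@>`. Wrap it in F<> for consistent rendering. The sentence also says some build options "change default behaviors documented elsewhere in this document" without naming them. Listing the affected sections, at least the PATH handling changed in this patch, would keep readers from relying on upstream defaults that no longer apply.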