X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=sudo.man.in;h=01e33e6f7ea2ff05204f552b1fdd36e5eb1b44a7;hb=f8f72d870699b2da5d4fff5415f1b8102827e987;hp=838af38483899f6814d8d9c557a4fdea87015806;hpb=ca3ab12a66fc683cabf546fd405cfbf39ef9fb6f;p=debian%2Fsudo diff --git a/sudo.man.in b/sudo.man.in index 838af38..01e33e6 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -1,8 +1,28 @@ -.\" Automatically generated by Pod::Man version 1.15 -.\" Thu Apr 25 09:34:52 2002 +.\" Copyright (c) 1994-1996, 1998-2005, 2007-2008 +.\" Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" Sponsored in part by the Defense Advanced Research Projects +.\" Agency (DARPA) and Air Force Research Laboratory, Air Force +.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. +.\" +.\" $Sudo: sudo.man.in,v 1.53 2008/11/15 18:34:26 millert Exp $ +.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) .\" .\" Standard preamble: -.\" ====================================================================== +.\" ======================================================================== .de Sh \" Subsection heading .br .if t .Sp @@ -15,12 +35,6 @@ .if t .sp .5v .if n .sp .. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. .de Vb \" Begin verbatim text .ft CW .nf @@ -28,16 +42,15 @@ .. .de Ve \" End verbatim text .ft R - .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. | will give a -.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used -.\" to do unbreakable dashes and therefore won't be available. \*(C` and -.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> -.tr \(*W-|\(bv\*(Tr +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- @@ -56,26 +69,28 @@ . ds R" '' 'br\} .\" -.\" If the F register is turned on, we'll generate index entries on stderr -.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and -.\" index entries marked with X<> in POD. Of course, you'll have to process -.\" the output yourself in some meaningful fashion. -.if \nF \{\ +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} -.\" -.\" For nroff, turn off justification. Always turn off hyphenation; it -.\" makes way too many mistakes in technical documents. -.hy 0 -.if n .na +.el \{\ +. de IX +.. +.\} .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. -.bd B 3 . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 @@ -135,46 +150,79 @@ . ds Ae AE .\} .rm #[ #] #H #V #F C -.\" ====================================================================== +.\" ======================================================================== .\" -.IX Title "sudo @mansectsu@" -.TH sudo @mansectsu@ "1.6.6" "April 25, 2002" "MAINTENANCE COMMANDS" -.UC +.IX Title "SUDO @mansectsu@" +.TH SUDO @mansectsu@ "November 15, 2008" "1.7.0" "MAINTENANCE COMMANDS" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh .SH "NAME" -sudo \- execute a command as another user +sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" .IX Header "SYNOPSIS" -\&\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR | -[ \fB\-H\fR ] [\fB\-P\fR ] [\fB\-S\fR ] [ \fB\-b\fR ] | [ \fB\-p\fR \fIprompt\fR ] -[ \fB\-c\fR \fIclass\fR|\fI-\fR ] [ \fB\-a\fR \fIauth_type\fR ] -[ \fB\-u\fR \fIusername\fR|\fI#uid\fR ] \fIcommand\fR +\&\fBsudo\fR [\fB\-n\fR] \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR +.PP +\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AnS\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR] +[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR] +.PP +\&\fBsudo\fR [\fB\-AbEHnPS\fR] +@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +[\fB\-C\fR\ \fIfd\fR] +@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] +[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] +@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] +[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] +[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR] +.PP +\&\fBsudoedit\fR [\fB\-AnS\fR] +@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +[\fB\-C\fR\ \fIfd\fR] +@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] +[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] +[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ... .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the superuser or another user, as specified in the \fIsudoers\fR file. The real and effective uid and gid are set to match those of the -target user as specified in the passwd file (the group vector is -also initialized when the target user is not root). By default, +target user as specified in the passwd file and the group vector +is initialized based on the group file (unless the \fB\-P\fR option was +specified). If the invoking user is root or if the target user is +the same as the invoking user, no password is required. Otherwise, \&\fBsudo\fR requires that users authenticate themselves with a password -(\s-1NOTE:\s0 by default this is the user's password, not the root password). -Once a user has been authenticated, a timestamp is updated and the -user may then use sudo without a password for a short period of -time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden in \fIsudoers\fR). +by default (\s-1NOTE:\s0 in the default configuration this is the user's +password, not the root password). Once a user has been authenticated, +a timestamp is updated and the user may then use sudo without a +password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless +overridden in \fIsudoers\fR). +.PP +When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below), +is implied. .PP \&\fBsudo\fR determines who is an authorized user by consulting the file -\&\fI@sysconfdir@/sudoers\fR. By giving \fBsudo\fR the \fB\-v\fR flag a user -can update the time stamp without running a \fIcommand.\fR The password -prompt itself will also time out if the user's password is not -entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden via -\&\fIsudoers\fR). +\&\fI@sysconfdir@/sudoers\fR. By running \fBsudo\fR with the \fB\-v\fR option, +a user can update the time stamp without running a \fIcommand\fR. The +password prompt itself will also time out if the user's password +is not entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden +via \fIsudoers\fR). .PP If a user who is not listed in the \fIsudoers\fR file tries to run a command via \fBsudo\fR, mail is sent to the proper authorities, as -defined at configure time or the \fIsudoers\fR file (defaults to root). -Note that the mail will not be sent if an unauthorized user tries -to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows users to -determine for themselves whether or not they are allowed to use -\&\fBsudo\fR. +defined at configure time or in the \fIsudoers\fR file (defaults to +\&\f(CW\*(C`@mailto@\*(C'\fR). Note that the mail will not be sent if an unauthorized +user tries to run sudo with the \fB\-l\fR or \fB\-v\fR option. This allows +users to determine for themselves whether or not they are allowed +to use \fBsudo\fR. +.PP +If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable +is set, \fBsudo\fR will use this value to determine who the actual +user is. This can be used by a user to log commands through sudo +even when a root shell has been invoked. It also allows the \fB\-e\fR +option to remain useful even when being run via a sudo-run script or +program. Note however, that the sudoers lookup is still done for +root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR. .PP \&\fBsudo\fR can log both successful and unsuccessful attempts (as well as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR @@ -183,108 +231,260 @@ or via the \fIsudoers\fR file. .SH "OPTIONS" .IX Header "OPTIONS" \&\fBsudo\fR accepts the following command line options: -.Ip "\-V" 4 -.IX Item "-V" -The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the -version number and exit. If the invoking user is already root -the \fB\-V\fR option will print out a list of the defaults \fBsudo\fR -was compiled with as well as the machine's local network addresses. -.Ip "\-l" 4 -.IX Item "-l" -The \fB\-l\fR (\fIlist\fR) option will list out the allowed (and -forbidden) commands for the user on the current host. -.Ip "\-L" 4 -.IX Item "-L" -The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters -that may be set in a \fIDefaults\fR line along with a short description -for each. This option is useful in conjunction with \fIgrep\fR\|(1). -.Ip "\-h" 4 -.IX Item "-h" -The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. -.Ip "\-v" 4 -.IX Item "-v" -If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the -user's timestamp, prompting for the user's password if necessary. -This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes -(or whatever the timeout is set to in \fIsudoers\fR) but does not run -a command. -.Ip "\-k" 4 -.IX Item "-k" -The \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp -by setting the time on it to the epoch. The next time \fBsudo\fR is -run a password will be required. This option does not require a password -and was added to allow a user to revoke \fBsudo\fR permissions from a .logout -file. -.Ip "\-K" 4 -.IX Item "-K" -The \fB\-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp -entirely. Likewise, this option does not require a password. -.Ip "\-b" 4 +.IP "\-A" 12 +.IX Item "-A" +Normally, if \fBsudo\fR requires a password, it will read it from the +current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified, +a helper program is executed to read the user's password and output +the password to the standard output. If the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR +environment variable is set, it specifies the path to the helper +program. Otherwise, the value specified by the \fIaskpass\fR option +in \fIsudoers\fR\|(@mansectform@) is used. +@BAMAN@.IP "\-a \fItype\fR" 12 +@BAMAN@.IX Item "-a type" +@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the +@BAMAN@specified authentication type when validating the user, as allowed +@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list +@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R" +@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems +@BAMAN@that support \s-1BSD\s0 authentication. +.IP "\-b" 12 .IX Item "-b" The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given command in the background. Note that if you use the \fB\-b\fR option you cannot use shell job control to manipulate the process. -.Ip "\-p" 4 -.IX Item "-p" -The \fB\-p\fR (\fIprompt\fR) option allows you to override the default -password prompt and use a custom one. If the password prompt -contains the \f(CW\*(C`%u\*(C'\fR escape, \f(CW\*(C`%u\*(C'\fR will be replaced with the user's -login name. Similarly, \f(CW\*(C`%h\*(C'\fR will be replaced with the local -hostname. -.Ip "\-c" 4 -.IX Item "-c" -The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command -with resources limited by the specified login class. The \fIclass\fR -argument can be either a class name as defined in /etc/login.conf, -or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates -that the command should be run restricted by the default login -capabilities for the user the command is run as. If the \fIclass\fR -argument specifies an existing user class, the command must be run -as root, or the \fBsudo\fR command must be run from a shell that is already -root. This option is only available on systems with \s-1BSD\s0 login classes -where \fBsudo\fR has been configured with the \-\-with-logincap option. -.Ip "\-a" 4 -.IX Item "-a" -The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the -specified authentication type when validating the user, as allowed -by /etc/login.conf. The system administrator may specify a list -of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R" -entry in /etc/login.conf. This option is only available on systems -that support \s-1BSD\s0 authentication where \fBsudo\fR has been configured -with the \-\-with-bsdauth option. -.Ip "\-u" 4 -.IX Item "-u" -The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command -as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a -\&\fIusername\fR, use \fI#uid\fR. -.Ip "\-s" 4 -.IX Item "-s" -The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR -environment variable if it is set or the shell as specified -in \fIpasswd\fR\|(@mansectform@). -.Ip "\-H" 4 +.IP "\-C \fIfd\fR" 12 +.IX Item "-C fd" +Normally, \fBsudo\fR will close all open file descriptors other than +standard input, standard output and standard error. The \fB\-C\fR +(\fIclose from\fR) option allows the user to specify a starting point +above the standard error (file descriptor three). Values less than +three are not permitted. This option is only available if the +administrator has enabled the \fIclosefrom_override\fR option in +\&\fIsudoers\fR\|(@mansectform@). +@LCMAN@.IP "\-c \fIclass\fR" 12 +@LCMAN@.IX Item "-c class" +@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command +@LCMAN@with resources limited by the specified login class. The \fIclass\fR +@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR, +@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates +@LCMAN@that the command should be run restricted by the default login +@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR +@LCMAN@argument specifies an existing user class, the command must be run +@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already +@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes. +.IP "\-E" 12 +.IX Item "-E" +The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the +\&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)). It is only +available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag +or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@). +.IP "\-e" 12 +.IX Item "-e" +The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running +a command, the user wishes to edit one or more files. In lieu +of a command, the string \*(L"sudoedit\*(R" is used when consulting +the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR +the following steps are taken: +.RS 12 +.IP "1." 4 +Temporary copies are made of the files to be edited with the owner +set to the invoking user. +.IP "2." 4 +The editor specified by the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR +environment variables is run to edit the temporary files. If none +of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program +listed in the \fIeditor\fR \fIsudoers\fR variable is used. +.IP "3." 4 +If they have been modified, the temporary files are copied back to +their original location and the temporary versions are removed. +.RE +.RS 12 +.Sp +If the specified file does not exist, it will be created. Note +that unlike most commands run by \fBsudo\fR, the editor is run with +the invoking user's environment unmodified. If, for some reason, +\&\fBsudo\fR is unable to update a file with its edited version, the +user will receive a warning and the edited copy will remain in a +temporary file. +.RE +.IP "\-g \fIgroup\fR" 12 +.IX Item "-g group" +Normally, \fBsudo\fR sets the primary group to the one specified by +the passwd database for the user the command is being run as (by +default, root). The \fB\-g\fR (\fIgroup\fR) option causes \fBsudo\fR to run +the specified command with the primary group set to \fIgroup\fR. To +specify a \fIgid\fR instead of a \fIgroup name\fR, use \fI#gid\fR. When +running commands as a \fIgid\fR, many shells require that the '#' be +escaped with a backslash ('\e'). If no \fB\-u\fR option is specified, +the command will be run as the invoking user (not root). In either +case, the primary group will be set to \fIgroup\fR. +.IP "\-H" 12 .IX Item "-H" The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable to the homedir of the target user (root by default) as specified -in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR. -.Ip "\-P" 4 +in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR +(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)). +.IP "\-h" 12 +.IX Item "-h" +The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. +.IP "\-i [command]" 12 +.IX Item "-i [command]" +The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified +in the \fIpasswd\fR\|(@mansectform@) entry of the target user as a login shell. This +means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR or +\&\f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified, +it is passed to the shell for execution. Otherwise, an interactive +shell is executed. \fBsudo\fR attempts to change to that user's home +directory before running the shell. It also initializes the +environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting +\&\fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as +the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems. +All other environment variables are removed. +.IP "\-K" 12 +.IX Item "-K" +The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes +the user's timestamp entirely. Like \fB\-k\fR, this option does not +require a password. +.IP "\-k" 12 +.IX Item "-k" +The \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp +by setting the time on it to the Epoch. The next time \fBsudo\fR is +run a password will be required. This option does not require a password +and was added to allow a user to revoke \fBsudo\fR permissions from a .logout +file. +.IP "\-L" 12 +.IX Item "-L" +The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters +that may be set in a \fIDefaults\fR line along with a short description +for each. This option is useful in conjunction with \fIgrep\fR\|(1). +.IP "\-l[l] [\fIcommand\fR]" 12 +.IX Item "-l[l] [command]" +If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list +the allowed (and forbidden) commands for the invoking user (or the +user specified by the \fB\-U\fR option) on the current host. If a +\&\fIcommand\fR is specified and is permitted by \fIsudoers\fR, the +fully-qualified path to the command is displayed along with any +command line arguments. If \fIcommand\fR is specified but not allowed, +\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option is +specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR +is specified multiple times, a longer list format is used. +.IP "\-n" 12 +.IX Item "-n" +The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting +the user for a password. If a password is required for the command +to run, \fBsudo\fR will display an error messages and exit. +.IP "\-P" 12 .IX Item "-P" -The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to preserve -the user's group vector unaltered. By default, \fBsudo\fR will initialize -the group vector to the list of groups the target user is in. -The real and effective group IDs, however, are still set to match -the target user. -.Ip "\-S" 4 +The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to +preserve the invoking user's group vector unaltered. By default, +\&\fBsudo\fR will initialize the group vector to the list of groups the +target user is in. The real and effective group IDs, however, are +still set to match the target user. +.IP "\-p \fIprompt\fR" 12 +.IX Item "-p prompt" +The \fB\-p\fR (\fIprompt\fR) option allows you to override the default +password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR') +escapes are supported: +.RS 12 +.ie n .IP "%H" 4 +.el .IP "\f(CW%H\fR" 4 +.IX Item "%H" +expanded to the local hostname including the domain name +(on if the machine's hostname is fully qualified or the \fIfqdn\fR +\&\fIsudoers\fR option is set) +.ie n .IP "%h" 4 +.el .IP "\f(CW%h\fR" 4 +.IX Item "%h" +expanded to the local hostname without the domain name +.ie n .IP "%p" 4 +.el .IP "\f(CW%p\fR" 4 +.IX Item "%p" +expanded to the user whose password is being asked for (respects the +\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR) +.ie n .IP "%U" 4 +.el .IP "\f(CW%U\fR" 4 +.IX Item "%U" +expanded to the login name of the user the command will +be run as (defaults to root) +.ie n .IP "%u" 4 +.el .IP "\f(CW%u\fR" 4 +.IX Item "%u" +expanded to the invoking user's login name +.ie n .IP "\*(C`%%\*(C'" 4 +.el .IP "\f(CW\*(C`%%\*(C'\fR" 4 +.IX Item "%%" +two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character +.RE +.RS 12 +.Sp +The prompt specified by the \fB\-p\fR option will override the system +password prompt on systems that support \s-1PAM\s0 unless the +\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR. +.RE +@SEMAN@.IP "\-r \fIrole\fR" 12 +@SEMAN@.IX Item "-r role" +@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to +@SEMAN@have the role specified by \fIrole\fR. +.IP "\-S" 12 .IX Item "-S" The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from -standard input instead of the terminal device. -.Ip "\-\-" 4 -The \fB\--\fR flag indicates that \fBsudo\fR should stop processing command -line arguments. It is most useful in conjunction with the \fB\-s\fR flag. +the standard input instead of the terminal device. +.IP "\-s [command]" 12 +.IX Item "-s [command]" +The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR +environment variable if it is set or the shell as specified in +\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell +for execution. Otherwise, an interactive shell is executed. +@SEMAN@.IP "\-t \fItype\fR" 12 +@SEMAN@.IX Item "-t type" +@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to +@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default +@SEMAN@type is derived from the specified role. +.IP "\-U \fIuser\fR" 12 +.IX Item "-U user" +The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR +option to specify the user whose privileges should be listed. Only +root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this +option. +.IP "\-u \fIuser\fR" 12 +.IX Item "-u user" +The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified +command as a user other than \fIroot\fR. To specify a \fIuid\fR instead +of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR, +many shells require that the '#' be escaped with a backslash ('\e'). +Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(@mansectform@)) +it is not possible to run commands with a uid not listed in the +password database. +.IP "\-V" 12 +.IX Item "-V" +The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version +number and exit. If the invoking user is already root the \fB\-V\fR +option will print out a list of the defaults \fBsudo\fR was compiled +with as well as the machine's local network addresses. +.IP "\-v" 12 +.IX Item "-v" +If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the +user's timestamp, prompting for the user's password if necessary. +This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes +(or whatever the timeout is set to in \fIsudoers\fR) but does not run +a command. +.IP "\-\-" 12 +The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command +line arguments. It is most useful in conjunction with the \fB\-s\fR option. +.PP +Environment variables to be set for the command may also be passed +on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g. +\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the +command line are subject to the same restrictions as normal environment +variables with one important exception. If the \fIsetenv\fR option +is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag +set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables +that would overwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -Upon successful execution of a program, the return value from \fBsudo\fR -will simply be the return value of the program that was executed. +Upon successful execution of a program, the exit status from \fBsudo\fR +will simply be the exit status of the program that was executed. .PP Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a configuration/permission problem or if \fBsudo\fR cannot execute the @@ -299,51 +499,58 @@ of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is curren unreachable. .SH "SECURITY NOTES" .IX Header "SECURITY NOTES" -\&\fBsudo\fR tries to be safe when executing external commands. Variables -that control how dynamic loading and binding is done can be used -to subvert the program that \fBsudo\fR runs. To combat this the -\&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0 -only) environment variables are removed from the environment passed -on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR, -\&\f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR, -\&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR, -\&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and -\&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the -\&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored. -Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the -\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. If \fBsudo\fR has been -compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and -\&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment -variables that \fBsudo\fR clears is contained in the output of -\&\f(CW\*(C`sudo \-V\*(C'\fR when run as root. +\&\fBsudo\fR tries to be safe when executing external commands. +.PP +There are two distinct ways to deal with environment variables. +By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled. +This causes commands to be executed with a minimal environment +containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR +and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process +permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options. +There is effectively a whitelist for environment variables. +.PP +If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any +variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR +options are inherited from the invoking process. In this case, +\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it +is not possible to blacklist all potentially dangerous environment +variables, use of the default \fIenv_reset\fR behavior is encouraged. +.PP +In all cases, environment variables with a value beginning with +\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions. +The list of environment variables that \fBsudo\fR allows or denies is +contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root. +.PP +Note that the dynamic linker on most operating systems will remove +variables that can control dynamic linking from the environment of +setuid executables, including \fBsudo\fR. Depending on the operating +system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR, +\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are +removed from the environment before \fBsudo\fR even begins execution +and, as such, it is not possible for \fBsudo\fR to preserve them. .PP To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting current directory) last when searching for a command in the user's \&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the -actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed -unchanged to the program that \fBsudo\fR executes. -.PP -For security reasons, if your \s-1OS\s0 supports shared libraries and does -not disable user-defined library search paths for setuid programs -(most do), you should either use a linker option that disables this -behavior or link \fBsudo\fR statically. +\&\f(CW\*(C`PATH\*(C'\fR environment variable is further modified in Debian because of +the use of the \fI\s-1SECURE_PATH\s0\fR build option. .PP \&\fBsudo\fR will check the ownership of its timestamp directory (\fI@timedir@\fR by default) and ignore the directory's contents if -it is not owned by root and only writable by root. On systems that -allow non-root users to give away files via \fIchown\fR\|(2), if the timestamp -directory is located in a directory writable by anyone (e.g.: \fI/tmp\fR), -it is possible for a user to create the timestamp directory before -\&\fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and -mode of the directory and its contents, the only damage that can -be done is to \*(L"hide\*(R" files by putting them in the timestamp dir. -This is unlikely to happen since once the timestamp dir is owned -by root and inaccessible by any other user the user placing files -there would be unable to get them back out. To get around this -issue you can use a directory that is not world-writable for the -timestamps (\fI/var/adm/sudo\fR for instance) or create \fI@timedir@\fR -with the appropriate owner (root) and permissions (0700) in the -system startup files. +it is not owned by root or if it is writable by a user other than +root. On systems that allow non-root users to give away files via +\&\fIchown\fR\|(2), if the timestamp directory is located in a directory +writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to +create the timestamp directory before \fBsudo\fR is run. However, +because \fBsudo\fR checks the ownership and mode of the directory and +its contents, the only damage that can be done is to \*(L"hide\*(R" files +by putting them in the timestamp dir. This is unlikely to happen +since once the timestamp dir is owned by root and inaccessible by +any other user, the user placing files there would be unable to get +them back out. To get around this issue you can use a directory +that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for +instance) or create \fI@timedir@\fR with the appropriate owner (root) +and permissions (0700) in the system startup files. .PP \&\fBsudo\fR will not honor timestamps set far in the future. Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR @@ -351,14 +558,92 @@ will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own timestamp with a bogus date on systems that allow users to give away files. .PP -Please note that \fBsudo\fR will only log the command it explicitly -runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or \f(CW\*(C`sudo sh\*(C'\fR, -subsequent commands run from that shell will \fInot\fR be logged, nor -will \fBsudo\fR's access control affect them. The same is true for -commands that offer shell escapes (including most editors). Because -of this, care must be taken when giving users access to commands -via \fBsudo\fR to verify that the command does not inadvertantly give -the user an effective root shell. +Please note that \fBsudo\fR will normally only log the command it +explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or +\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be +logged, nor will \fBsudo\fR's access control affect them. The same +is true for commands that offer shell escapes (including most +editors). Because of this, care must be taken when giving users +access to commands via \fBsudo\fR to verify that the command does not +inadvertently give the user an effective root shell. For more +information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in +\&\fIsudoers\fR\|(@mansectform@). +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +\&\fBsudo\fR utilizes the following environment variables: +.ie n .IP "\*(C`EDITOR\*(C'" 16 +.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16 +.IX Item "EDITOR" +Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR +nor \f(CW\*(C`VISUAL\*(C'\fR is set +.ie n .IP "\*(C`HOME\*(C'" 16 +.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16 +.IX Item "HOME" +In \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the +\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user +.ie n .IP "\*(C`PATH\*(C'" 16 +.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16 +.IX Item "PATH" +Set to a sane value if the \fIsecure_path\fR sudoers option is set. +.ie n .IP "\*(C`SHELL\*(C'" 16 +.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16 +.IX Item "SHELL" +Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option +.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16 +.IX Item "SUDO_ASKPASS" +Specifies the path to a helper program used to read the password +if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified. +.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16 +.IX Item "SUDO_COMMAND" +Set to the command run by sudo +.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16 +.IX Item "SUDO_EDITOR" +Default editor to use in \fB\-e\fR (sudoedit) mode +.ie n .IP "\*(C`SUDO_GID\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16 +.IX Item "SUDO_GID" +Set to the group \s-1ID\s0 of the user who invoked sudo +.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16 +.IX Item "SUDO_PROMPT" +Used as the default password prompt +.ie n .IP "\*(C`SUDO_PS1\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16 +.IX Item "SUDO_PS1" +If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run +.ie n .IP "\*(C`SUDO_UID\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16 +.IX Item "SUDO_UID" +Set to the user \s-1ID\s0 of the user who invoked sudo +.ie n .IP "\*(C`SUDO_USER\*(C'" 16 +.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16 +.IX Item "SUDO_USER" +Set to the login of the user who invoked sudo +.ie n .IP "\*(C`USER\*(C'" 16 +.el .IP "\f(CW\*(C`USER\*(C'\fR" 16 +.IX Item "USER" +Set to the target user (root unless the \fB\-u\fR option is specified) +.ie n .IP "\*(C`VISUAL\*(C'" 16 +.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 +.IX Item "VISUAL" +Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR +is not set +.SH "FILES" +.IX Header "FILES" +.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 +.el .IP "\fI@sysconfdir@/sudoers\fR" 24 +.IX Item "@sysconfdir@/sudoers" +List of who can run what +.ie n .IP "\fI@timedir@\fR" 24 +.el .IP "\fI@timedir@\fR" 24 +.IX Item "@timedir@" +Directory containing timestamps +.IP "\fI/etc/environment\fR" 24 +.IX Item "/etc/environment" +Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0 .SH "EXAMPLES" .IX Header "EXAMPLES" Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries. @@ -366,91 +651,95 @@ Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entr To get a file listing of an unreadable directory: .PP .Vb 1 -\& % sudo ls /usr/local/protected +\& $ sudo ls /usr/local/protected .Ve +.PP To list the home directory of user yazza on a machine where the -filesystem holding ~yazza is not exported as root: +file system holding ~yazza is not exported as root: .PP .Vb 1 -\& % sudo -u yazza ls ~yazza +\& $ sudo \-u yazza ls ~yazza .Ve +.PP To edit the \fIindex.html\fR file as user www: .PP .Vb 1 -\& % sudo -u www vi ~www/htdocs/index.html +\& $ sudo \-u www vi ~www/htdocs/index.html .Ve +.PP To shutdown a machine: .PP .Vb 1 -\& % sudo shutdown -r +15 "quick reboot" +\& $ sudo shutdown \-r +15 "quick reboot" .Ve +.PP To make a usage listing of the directories in the /home partition. Note that this runs the commands in a sub-shell to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .PP .Vb 1 -\& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE" .Ve -.SH "ENVIRONMENT" -.IX Header "ENVIRONMENT" -\&\fBsudo\fR utilizes the following environment variables: +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), +@LCMAN@\&\fIlogin_cap\fR\|(3), +\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@) .PP -.Vb 13 -\& PATH Set to a sane value if SECURE_PATH is set -\& SHELL Used to determine shell to run with -s option -\& USER Set to the target user (root unless the -u option -\& is specified) -\& HOME In -s or -H mode (or if sudo was configured with -\& the --enable-shell-sets-home option), set to -\& homedir of the target user. -\& SUDO_PROMPT Used as the default password prompt -\& SUDO_COMMAND Set to the command run by sudo -\& SUDO_USER Set to the login of the user who invoked sudo -\& SUDO_UID Set to the uid of the user who invoked sudo -\& SUDO_GID Set to the gid of the user who invoked sudo -\& SUDO_PS1 If set, PS1 will be set to its value -.Ve -.SH "FILES" -.IX Header "FILES" -.Vb 2 -\& @sysconfdir@/sudoers List of who can run what -\& @timedir@ Directory containing timestamps -.Ve +The file /usr/share/doc/sudo/OPTIONS describes the options used for building +the Debian version of sudo, some of which change default behaviors documented +elsewhere in this document. .SH "AUTHORS" .IX Header "AUTHORS" Many people have worked on \fBsudo\fR over the years; this version consists of code written primarily by: .PP -.Vb 2 -\& Todd Miller -\& Chris Jepeway +.Vb 1 +\& Todd C. Miller .Ve +.PP See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit http://www.sudo.ws/sudo/history.html for a short history of \fBsudo\fR. +.SH "CAVEATS" +.IX Header "CAVEATS" +There is no easy way to prevent a user from gaining a root shell +if that user is allowed to run arbitrary commands via \fBsudo\fR. +Also, many programs (such as editors) allow the user to run commands +via shell escapes, thus avoiding \fBsudo\fR's checks. However, on +most systems it is possible to prevent shell escapes with \fBsudo\fR's +\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual +for details. +.PP +It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g., +.PP +.Vb 1 +\& $ sudo cd /usr/local/protected +.Ve +.PP +since when the command exits the parent process (your shell) will +still be the same. Please see the \s-1EXAMPLES\s0 section for more information. +.PP +If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from +creating their own program that gives them a root shell regardless +of any '!' elements in the user specification. +.PP +Running shell scripts via \fBsudo\fR can expose the same kernel bugs that +make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0 +has a /dev/fd/ directory, setuid shell scripts are generally safe). .SH "BUGS" .IX Header "BUGS" -If you feel you have found a bug in sudo, please submit a bug report +If you feel you have found a bug in \fBsudo\fR, please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. .SH "DISCLAIMER" .IX Header "DISCLAIMER" -\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. -See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details. -.SH "CAVEATS" -.IX Header "CAVEATS" -There is no easy way to prevent a user from gaining a root shell if -that user has access to commands allowing shell escapes. -.PP -If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating -their own program that gives them a root shell regardless of any '!' -elements in the user specification. -.PP -Running shell scripts via \fBsudo\fR can expose the same kernel bugs -that make setuid shell scripts unsafe on some operating systems -(if your \s-1OS\s0 supports the /dev/fd/ directory, setuid shell scripts -are generally safe). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIstat\fR\|(2), \fIlogin_cap\fR\|(3), \fIsudoers\fR\|(@mansectform@), \fIpasswd\fR\|(5), \fIvisudo\fR\|(@mansectsu@), \fIgrep\fR\|(1), \fIsu\fR\|(1). +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details.