|
version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.3, 2012/10/09 09:29:52
|
|
Line 1
|
Line 1
|
| SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) | SUDO(1m) System Manager's Manual SUDO(1m) |
| |
|
| |
|
| |
|
| N�NA�AM�ME�E |
N�NA�AM�ME�E |
| sudo, sudoedit - execute a command as another user | s�su�ud�do�o, s�su�ud�do�oe�ed�di�it�t - execute a command as another user |
| |
|
| S�SY�YN�NO�OP�PS�SI�IS�S |
S�SY�YN�NO�OP�PS�SI�IS�S |
| s�su�ud�do�o [-�-D�D _�l_�e_�v_�e_�l] -�-h�h | -�-K�K | -�-k�k | -�-V�V | s�su�ud�do�o -�-h�h | -�-K�K | -�-k�k | -�-V�V |
| | s�su�ud�do�o -�-v�v [-�-A�Ak�kn�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e | _�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] |
| | [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e | _�#_�u_�i_�d] |
| | s�su�ud�do�o -�-l�l[_�l] [-�-A�Ak�kn�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e | _�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] |
| | [-�-U�U _�u_�s_�e_�r _�n_�a_�m_�e] [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e | _�#_�u_�i_�d] [_�c_�o_�m_�m_�a_�n_�d] |
| | s�su�ud�do�o [-�-A�Ab�bE�EH�Hn�nP�PS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-C�C _�f_�d] [-�-c�c _�c_�l_�a_�s_�s | _�-] |
| | [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e | _�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-r�r _�r_�o_�l_�e] [-�-t�t _�t_�y_�p_�e] |
| | [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e | _�#_�u_�i_�d] [V�VA�AR�R=_�v_�a_�l_�u_�e] -�-i�i | -�-s�s [_�c_�o_�m_�m_�a_�n_�d] |
| | s�su�ud�do�oe�ed�di�it�t [-�-A�An�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-C�C _�f_�d] [-�-c�c _�c_�l_�a_�s_�s | _�-] |
| | [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e | _�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e | _�#_�u_�i_�d] file |
| | ... |
| |
|
| s�su�ud�do�o -�-v�v [-�-A�Ak�kn�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-D�D _�l_�e_�v_�e_�l] [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e|_�#_�g_�i_�d] |
|
| [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e|_�#_�u_�i_�d] |
|
| |
|
| s�su�ud�do�o -�-l�l[�[l�l]�] [-�-A�Ak�kn�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-D�D _�l_�e_�v_�e_�l] [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e|_�#_�g_�i_�d] |
|
| [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-U�U _�u_�s_�e_�r _�n_�a_�m_�e] [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e|_�#_�u_�i_�d] [_�c_�o_�m_�m_�a_�n_�d] |
|
| |
|
| s�su�ud�do�o [-�-A�Ab�bE�EH�Hn�nP�PS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-C�C _�f_�d] [-�-D�D _�l_�e_�v_�e_�l] [-�-c�c _�c_�l_�a_�s_�s|_�-] |
|
| [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e|_�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-r�r _�r_�o_�l_�e] [-�-t�t _�t_�y_�p_�e] |
|
| [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e|_�#_�u_�i_�d] [V�VA�AR�R=_�v_�a_�l_�u_�e] [-�-i�i | -�-s�s] [_�c_�o_�m_�m_�a_�n_�d] |
|
| |
|
| s�su�ud�do�oe�ed�di�it�t [-�-A�An�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-C�C _�f_�d] [-�-c�c _�c_�l_�a_�s_�s|_�-] [-�-D�D _�l_�e_�v_�e_�l] |
|
| [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e|_�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e|_�#_�u_�i_�d] file ... |
|
| |
|
| D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N |
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N |
| s�su�ud�do�o allows a permitted user to execute a _�c_�o_�m_�m_�a_�n_�d as the superuser or | s�su�ud�do�o allows a permitted user to execute a _�c_�o_�m_�m_�a_�n_�d as the superuser or |
| another user, as specified by the security policy. The real and | another user, as specified by the security policy. |
| effective uid and gid are set to match those of the target user, as | |
| specified in the password database, and the group vector is initialized | |
| based on the group database (unless the -�-P�P option was specified). | |
| |
|
| s�su�ud�do�o supports a plugin architecture for security policies and | s�su�ud�do�o supports a plugin architecture for security policies and |
| input/output logging. Third parties can develop and distribute their | input/output logging. Third parties can develop and distribute their own |
| own policy and I/O logging modules to work seemlessly with the s�su�ud�do�o | policy and I/O logging plugins to work seamlessly with the s�su�ud�do�o front |
| front end. The default security policy is _�s_�u_�d_�o_�e_�r_�s, which is configured | end. The default security policy is _�s_�u_�d_�o_�e_�r_�s, which is configured via the |
| via the file _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s, or via LDAP. See the PLUGINS section for | file _�/_�e_�t_�c_�/_�s_�u_�d_�o_�e_�r_�s, or via LDAP. See the _�P_�L_�U_�G_�I_�N_�S section for more |
| more information. | information. |
| |
|
| The security policy determines what privileges, if any, a user has to | The security policy determines what privileges, if any, a user has to run |
| run s�su�ud�do�o. The policy may require that users authenticate themselves | s�su�ud�do�o. The policy may require that users authenticate themselves with a |
| with a password or another authentication mechanism. If authentication | password or another authentication mechanism. If authentication is |
| is required, s�su�ud�do�o will exit if the user's password is not entered | required, s�su�ud�do�o will exit if the user's password is not entered within a |
| within a configurable time limit. This limit is policy-specific; the | configurable time limit. This limit is policy-specific; the default |
| default password prompt timeout for the _�s_�u_�d_�o_�e_�r_�s security policy is 5 | password prompt timeout for the _�s_�u_�d_�o_�e_�r_�s security policy is 5 minutes. |
| minutes. | |
| |
|
| Security policies may support credential caching to allow the user to | Security policies may support credential caching to allow the user to run |
| run s�su�ud�do�o again for a period of time without requiring authentication. | s�su�ud�do�o again for a period of time without requiring authentication. The |
| The _�s_�u_�d_�o_�e_�r_�s policy caches credentials for 5 minutes, unless overridden | _�s_�u_�d_�o_�e_�r_�s policy caches credentials for 5 minutes, unless overridden in |
| in _�s_�u_�d_�o_�e_�r_�s(4). By running s�su�ud�do�o with the -�-v�v option, a user can update | sudoers(4). By running s�su�ud�do�o with the -�-v�v option, a user can update the |
| the cached credentials without running a _�c_�o_�m_�m_�a_�n_�d. | cached credentials without running a _�c_�o_�m_�m_�a_�n_�d. |
| |
|
| When invoked as s�su�ud�do�oe�ed�di�it�t, the -�-e�e option (described below), is implied. | When invoked as s�su�ud�do�oe�ed�di�it�t, the -�-e�e option (described below), is implied. |
| |
|
| Security policies may log successful and failed attempts to use s�su�ud�do�o. | Security policies may log successful and failed attempts to use s�su�ud�do�o. If |
| If an I/O plugin is configured, the running command's input and output | an I/O plugin is configured, the running command's input and output may |
| may be logged as well. | be logged as well. |
| |
|
| O�OP�PT�TI�IO�ON�NS�S | The options are as follows: |
| s�su�ud�do�o accepts the following command line options: | |
| |
|
| -A Normally, if s�su�ud�do�o requires a password, it will read it from | -�-A�A Normally, if s�su�ud�do�o requires a password, it will read it from |
| the user's terminal. If the -�-A�A (_�a_�s_�k_�p_�a_�s_�s) option is | the user's terminal. If the -�-A�A (_�a_�s_�k_�p_�a_�s_�s) option is |
| specified, a (possibly graphical) helper program is | specified, a (possibly graphical) helper program is executed |
| executed to read the user's password and output the | to read the user's password and output the password to the |
| password to the standard output. If the SUDO_ASKPASS | standard output. If the SUDO_ASKPASS environment variable is |
| environment variable is set, it specifies the path to the | set, it specifies the path to the helper program. Otherwise, |
| helper program. Otherwise, if _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f contains a | if _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f contains a line specifying the askpass |
| line specifying the askpass program, that value will be | program, that value will be used. For example: |
| used. For example: | |
| |
|
| # Path to askpass helper program | # Path to askpass helper program |
| Path askpass /usr/X11R6/bin/ssh-askpass | Path askpass /usr/X11R6/bin/ssh-askpass |
| |
|
| If no askpass program is available, sudo will exit with an | If no askpass program is available, s�su�ud�do�o will exit with an |
| error. | error. |
| |
|
| -a _�t_�y_�p_�e The -�-a�a (_�a_�u_�t_�h_�e_�n_�t_�i_�c_�a_�t_�i_�o_�n _�t_�y_�p_�e) option causes s�su�ud�do�o to use the | -�-a�a _�t_�y_�p_�e The -�-a�a (_�a_�u_�t_�h_�e_�n_�t_�i_�c_�a_�t_�i_�o_�n _�t_�y_�p_�e) option causes s�su�ud�do�o to use the |
| specified authentication type when validating the user, as | specified authentication type when validating the user, as |
| allowed by _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. The system administrator may | allowed by _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. The system administrator may |
| specify a list of sudo-specific authentication methods by | specify a list of sudo-specific authentication methods by |
| adding an "auth-sudo" entry in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. This | adding an ``auth-sudo'' entry in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. This |
| option is only available on systems that support BSD | option is only available on systems that support BSD |
| authentication. | authentication. |
| |
|
| -b The -�-b�b (_�b_�a_�c_�k_�g_�r_�o_�u_�n_�d) option tells s�su�ud�do�o to run the given | -�-b�b The -�-b�b (_�b_�a_�c_�k_�g_�r_�o_�u_�n_�d) option tells s�su�ud�do�o to run the given |
| command in the background. Note that if you use the -�-b�b | command in the background. Note that if you use the -�-b�b |
| option you cannot use shell job control to manipulate the | option you cannot use shell job control to manipulate the |
| process. Most interactive commands will fail to work | process. Most interactive commands will fail to work |
| properly in background mode. | properly in background mode. |
| |
|
| -C _�f_�d Normally, s�su�ud�do�o will close all open file descriptors other | -�-C�C _�f_�d Normally, s�su�ud�do�o will close all open file descriptors other |
| than standard input, standard output and standard error. | than standard input, standard output and standard error. The |
| The -�-C�C (_�c_�l_�o_�s_�e _�f_�r_�o_�m) option allows the user to specify a | -�-C�C (_�c_�l_�o_�s_�e _�f_�r_�o_�m) option allows the user to specify a starting |
| starting point above the standard error (file descriptor | point above the standard error (file descriptor three). |
| three). Values less than three are not permitted. The | Values less than three are not permitted. The security |
| security policy may restrict the user's ability to use the | policy may restrict the user's ability to use the -�-C�C option. |
| -�-C�C option. The _�s_�u_�d_�o_�e_�r_�s policy only permits use of the -�-C�C | The _�s_�u_�d_�o_�e_�r_�s policy only permits use of the -�-C�C option when the |
| option when the administrator has enabled the | administrator has enabled the _�c_�l_�o_�s_�e_�f_�r_�o_�m_�__�o_�v_�e_�r_�r_�i_�d_�e option. |
| _�c_�l_�o_�s_�e_�f_�r_�o_�m_�__�o_�v_�e_�r_�r_�i_�d_�e option. | |
| |
|
| -c _�c_�l_�a_�s_�s The -�-c�c (_�c_�l_�a_�s_�s) option causes s�su�ud�do�o to run the specified | -�-c�c _�c_�l_�a_�s_�s The -�-c�c (_�c_�l_�a_�s_�s) option causes s�su�ud�do�o to run the specified |
| command with resources limited by the specified login | command with resources limited by the specified login class. |
| class. The _�c_�l_�a_�s_�s argument can be either a class name as | The _�c_�l_�a_�s_�s argument can be either a class name as defined in |
| defined in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f, or a single '-' character. | _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f, or a single `-' character. Specifying a |
| Specifying a _�c_�l_�a_�s_�s of - indicates that the command should | _�c_�l_�a_�s_�s of - indicates that the command should be run |
| be run restricted by the default login capabilities for the | restricted by the default login capabilities for the user the |
| user the command is run as. If the _�c_�l_�a_�s_�s argument | command is run as. If the _�c_�l_�a_�s_�s argument specifies an |
| specifies an existing user class, the command must be run | existing user class, the command must be run as root, or the |
| as root, or the s�su�ud�do�o command must be run from a shell that | s�su�ud�do�o command must be run from a shell that is already root. |
| is already root. This option is only available on systems | This option is only available on systems with BSD login |
| with BSD login classes. | classes. |
| |
|
| -D _�l_�e_�v_�e_�l Enable debugging of s�su�ud�do�o plugins and s�su�ud�do�o itself. The | -�-E�E The -�-E�E (_�p_�r_�e_�s_�e_�r_�v_�e _�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t) option indicates to the |
| _�l_�e_�v_�e_�l may be a value from 1 through 9. | security policy that the user wishes to preserve their |
| | existing environment variables. The security policy may |
| | return an error if the -�-E�E option is specified and the user |
| | does not have permission to preserve the environment. |
| |
|
| -E The -�-E�E (_�p_�r_�e_�s_�e_�r_�v_�e _�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t) option indicates to the | -�-e�e The -�-e�e (_�e_�d_�i_�t) option indicates that, instead of running a |
| security policy that the user wishes to preserve their | command, the user wishes to edit one or more files. In lieu |
| existing environment variables. The security policy may | of a command, the string "sudoedit" is used when consulting |
| return an error if the -�-E�E option is specified and the user | the security policy. If the user is authorized by the |
| does not have permission to preserve the environment. | policy, the following steps are taken: |
| |
|
| -e The -�-e�e (_�e_�d_�i_�t) option indicates that, instead of running a | 1. Temporary copies are made of the files to be edited |
| command, the user wishes to edit one or more files. In | |
| lieu of a command, the string "sudoedit" is used when | |
| consulting the security policy. If the user is authorized | |
| by the policy, the following steps are taken: | |
| |
| 1. Temporary copies are made of the files to be edited | |
| with the owner set to the invoking user. |
with the owner set to the invoking user. |
| |
|
| 2. The editor specified by the policy is run to edit the | 2. The editor specified by the policy is run to edit the |
| temporary files. The _�s_�u_�d_�o_�e_�r_�s policy uses the |
temporary files. The _�s_�u_�d_�o_�e_�r_�s policy uses the |
| SUDO_EDITOR, VISUAL and EDITOR environment variables |
SUDO_EDITOR, VISUAL and EDITOR environment variables |
| (in that order). If none of SUDO_EDITOR, VISUAL or |
(in that order). If none of SUDO_EDITOR, VISUAL or |
| EDITOR are set, the first program listed in the _�e_�d_�i_�t_�o_�r |
EDITOR are set, the first program listed in the _�e_�d_�i_�t_�o_�r |
| _�s_�u_�d_�o_�e_�r_�s(4) option is used. | sudoers(4) option is used. |
| |
|
| 3. If they have been modified, the temporary files are | 3. If they have been modified, the temporary files are |
| copied back to their original location and the |
copied back to their original location and the |
| temporary versions are removed. |
temporary versions are removed. |
| |
|
| If the specified file does not exist, it will be created. | If the specified file does not exist, it will be created. |
| Note that unlike most commands run by s�su�ud�do�o, the editor is | Note that unlike most commands run by _�s_�u_�d_�o, the editor is run |
| run with the invoking user's environment unmodified. If, | with the invoking user's environment unmodified. If, for |
| for some reason, s�su�ud�do�o is unable to update a file with its | some reason, s�su�ud�do�o is unable to update a file with its edited |
| edited version, the user will receive a warning and the | version, the user will receive a warning and the edited copy |
| edited copy will remain in a temporary file. | will remain in a temporary file. |
| |
|
| -g _�g_�r_�o_�u_�p Normally, s�su�ud�do�o runs a command with the primary group set to | -�-g�g _�g_�r_�o_�u_�p Normally, s�su�ud�do�o runs a command with the primary group set to |
| the one specified by the password database for the user the | the one specified by the password database for the user the |
| command is being run as (by default, root). The -�-g�g (_�g_�r_�o_�u_�p) | command is being run as (by default, root). The -�-g�g (_�g_�r_�o_�u_�p) |
| option causes s�su�ud�do�o to run the command with the primary | option causes s�su�ud�do�o to run the command with the primary group |
| group set to _�g_�r_�o_�u_�p instead. To specify a _�g_�i_�d instead of a | set to _�g_�r_�o_�u_�p instead. To specify a _�g_�i_�d instead of a _�g_�r_�o_�u_�p |
| _�g_�r_�o_�u_�p _�n_�a_�m_�e, use _�#_�g_�i_�d. When running commands as a _�g_�i_�d, many | _�n_�a_�m_�e, use _�#_�g_�i_�d. When running commands as a _�g_�i_�d, many shells |
| shells require that the '#' be escaped with a backslash | require that the `#' be escaped with a backslash (`\'). If |
| ('\'). If no -�-u�u option is specified, the command will be | no -�-u�u option is specified, the command will be run as the |
| run as the invoking user (not root). In either case, the | invoking user (not root). In either case, the primary group |
| primary group will be set to _�g_�r_�o_�u_�p. | will be set to _�g_�r_�o_�u_�p. |
| |
|
| -H The -�-H�H (_�H_�O_�M_�E) option requests that the security policy set | -�-H�H The -�-H�H (_�H_�O_�M_�E) option requests that the security policy set |
| the HOME environment variable to the home directory of the | the HOME environment variable to the home directory of the |
| target user (root by default) as specified by the password | target user (root by default) as specified by the password |
| database. Depending on the policy, this may be the default | database. Depending on the policy, this may be the default |
| behavior. | behavior. |
| |
|
| -h The -�-h�h (_�h_�e_�l_�p) option causes s�su�ud�do�o to print a short help | -�-h�h The -�-h�h (_�h_�e_�l_�p) option causes s�su�ud�do�o to print a short help |
| message to the standard output and exit. | message to the standard output and exit. |
| |
|
| -i [command] | -�-i�i [_�c_�o_�m_�m_�a_�n_�d] |
| The -�-i�i (_�s_�i_�m_�u_�l_�a_�t_�e _�i_�n_�i_�t_�i_�a_�l _�l_�o_�g_�i_�n) option runs the shell | The -�-i�i (_�s_�i_�m_�u_�l_�a_�t_�e _�i_�n_�i_�t_�i_�a_�l _�l_�o_�g_�i_�n) option runs the shell |
| specified by the password database entry of the target user | specified by the password database entry of the target user |
| as a login shell. This means that login-specific resource | as a login shell. This means that login-specific resource |
| files such as .profile or .login will be read by the shell. | files such as _�._�p_�r_�o_�f_�i_�l_�e or _�._�l_�o_�g_�i_�n will be read by the shell. |
| If a command is specified, it is passed to the shell for | If a command is specified, it is passed to the shell for |
| execution via the shell's -�-c�c option. If no command is | execution via the shell's -�-c�c option. If no command is |
| specified, an interactive shell is executed. s�su�ud�do�o attempts | specified, an interactive shell is executed. s�su�ud�do�o attempts |
| to change to that user's home directory before running the | to change to that user's home directory before running the |
| shell. The security policy shall initialize the | shell. The security policy shall initialize the environment |
| environment to a minimal set of variables, similar to what | to a minimal set of variables, similar to what is present |
| is present when a user logs in. The _�C_�o_�m_�m_�a_�n_�d _�E_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t | when a user logs in. The _�C_�o_�m_�m_�a_�n_�d _�E_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t section in the |
| section in the _�s_�u_�d_�o_�e_�r_�s(4) manual documents how the -�-i�i | sudoers(4) manual documents how the -�-i�i option affects the |
| option affects the environment in which a command is run | environment in which a command is run when the _�s_�u_�d_�o_�e_�r_�s policy |
| when the _�s_�u_�d_�o_�e_�r_�s policy is in use. | is in use. |
| |
|
| -K The -�-K�K (sure _�k_�i_�l_�l) option is like -�-k�k except that it removes | -�-K�K The -�-K�K (sure _�k_�i_�l_�l) option is like -�-k�k except that it removes |
| the user's cached credentials entirely and may not be used | the user's cached credentials entirely and may not be used in |
| in conjunction with a command or other option. This option | conjunction with a command or other option. This option does |
| does not require a password. Not all security policies | not require a password. Not all security policies support |
| support credential caching. | credential caching. |
| |
|
| -k [command] | -�-k�k [_�c_�o_�m_�m_�a_�n_�d] |
| When used alone, the -�-k�k (_�k_�i_�l_�l) option to s�su�ud�do�o invalidates | When used alone, the -�-k�k (_�k_�i_�l_�l) option to s�su�ud�do�o invalidates the |
| the user's cached credentials. The next time s�su�ud�do�o is run a | user's cached credentials. The next time s�su�ud�do�o is run a |
| password will be required. This option does not require a | password will be required. This option does not require a |
| password and was added to allow a user to revoke s�su�ud�do�o | password and was added to allow a user to revoke s�su�ud�do�o |
| permissions from a .logout file. Not all security policies | permissions from a _�._�l_�o_�g_�o_�u_�t file. Not all security policies |
| support credential caching. | support credential caching. |
| |
|
| When used in conjunction with a command or an option that | When used in conjunction with a command or an option that may |
| may require a password, the -�-k�k option will cause s�su�ud�do�o to | require a password, the -�-k�k option will cause s�su�ud�do�o to ignore |
| ignore the user's cached credentials. As a result, s�su�ud�do�o | the user's cached credentials. As a result, s�su�ud�do�o will prompt |
| will prompt for a password (if one is required by the | for a password (if one is required by the security policy) |
| security policy) and will not update the user's cached | and will not update the user's cached credentials. |
| credentials. | |
| |
|
| -l[l] [_�c_�o_�m_�m_�a_�n_�d] | -�-l�l[l�l] [_�c_�o_�m_�m_�a_�n_�d] |
| If no _�c_�o_�m_�m_�a_�n_�d is specified, the -�-l�l (_�l_�i_�s_�t) option will list | If no _�c_�o_�m_�m_�a_�n_�d is specified, the -�-l�l (_�l_�i_�s_�t) option will list |
| the allowed (and forbidden) commands for the invoking user | the allowed (and forbidden) commands for the invoking user |
| (or the user specified by the -�-U�U option) on the current | (or the user specified by the -�-U�U option) on the current host. |
| host. If a _�c_�o_�m_�m_�a_�n_�d is specified and is permitted by the | If a _�c_�o_�m_�m_�a_�n_�d is specified and is permitted by the security |
| security policy, the fully-qualified path to the command is | policy, the fully-qualified path to the command is displayed |
| displayed along with any command line arguments. If | along with any command line arguments. If _�c_�o_�m_�m_�a_�n_�d is |
| _�c_�o_�m_�m_�a_�n_�d is specified but not allowed, s�su�ud�do�o will exit with a | specified but not allowed, s�su�ud�do�o will exit with a status value |
| status value of 1. If the -�-l�l option is specified with an l�l | of 1. If the -�-l�l option is specified with an _�l argument (i.e. |
| argument (i.e. -�-l�ll�l), or if -�-l�l is specified multiple times, | -�-l�ll�l), or if -�-l�l is specified multiple times, a longer list |
| a longer list format is used. | format is used. |
| |
|
| -n The -�-n�n (_�n_�o_�n_�-_�i_�n_�t_�e_�r_�a_�c_�t_�i_�v_�e) option prevents s�su�ud�do�o from | -�-n�n The -�-n�n (_�n_�o_�n_�-_�i_�n_�t_�e_�r_�a_�c_�t_�i_�v_�e) option prevents s�su�ud�do�o from prompting |
| prompting the user for a password. If a password is | the user for a password. If a password is required for the |
| required for the command to run, s�su�ud�do�o will display an error | command to run, s�su�ud�do�o will display an error message and exit. |
| messages and exit. | |
| |
|
| -P The -�-P�P (_�p_�r_�e_�s_�e_�r_�v_�e _�g_�r_�o_�u_�p _�v_�e_�c_�t_�o_�r) option causes s�su�ud�do�o to | -�-P�P The -�-P�P (_�p_�r_�e_�s_�e_�r_�v_�e _�g_�r_�o_�u_�p _�v_�e_�c_�t_�o_�r) option causes s�su�ud�do�o to preserve |
| preserve the invoking user's group vector unaltered. By | the invoking user's group vector unaltered. By default, the |
| default, the _�s_�u_�d_�o_�e_�r_�s policy will initialize the group | _�s_�u_�d_�o_�e_�r_�s policy will initialize the group vector to the list |
| vector to the list of groups the target user is in. The | of groups the target user is in. The real and effective |
| real and effective group IDs, however, are still set to | group IDs, however, are still set to match the target user. |
| match the target user. | |
| |
|
| -p _�p_�r_�o_�m_�p_�t The -�-p�p (_�p_�r_�o_�m_�p_�t) option allows you to override the default | -�-p�p _�p_�r_�o_�m_�p_�t The -�-p�p (_�p_�r_�o_�m_�p_�t) option allows you to override the default |
| password prompt and use a custom one. The following | password prompt and use a custom one. The following percent |
| percent (`%') escapes are supported by the _�s_�u_�d_�o_�e_�r_�s policy: | (`%') escapes are supported by the _�s_�u_�d_�o_�e_�r_�s policy: |
| |
|
| %H expanded to the host name including the domain name (on | %H expanded to the host name including the domain name (on |
| if the machine's host name is fully qualified or the | if the machine's host name is fully qualified or the _�f_�q_�d_�n |
| _�f_�q_�d_�n option is set in _�s_�u_�d_�o_�e_�r_�s(4)) | option is set in sudoers(4)) |
| |
|
| %h expanded to the local host name without the domain name | %h expanded to the local host name without the domain name |
| |
|
| %p expanded to the name of the user whose password is | %p expanded to the name of the user whose password is being |
| being requested (respects the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w and | requested (respects the _�r_�o_�o_�t_�p_�w, _�t_�a_�r_�g_�e_�t_�p_�w, and _�r_�u_�n_�a_�s_�p_�w |
| _�r_�u_�n_�a_�s_�p_�w flags in _�s_�u_�d_�o_�e_�r_�s(4)) | flags in sudoers(4)) |
| |
|
| %U expanded to the login name of the user the command will | %U expanded to the login name of the user the command will |
| be run as (defaults to root unless the -u option is | be run as (defaults to root unless the -�-u�u option is also |
| also specified) | specified) |
| |
|
| %u expanded to the invoking user's login name | %u expanded to the invoking user's login name |
| |
|
| %% two consecutive % characters are collapsed into a | %% two consecutive `%' characters are collapsed into a |
| single % character | single `%' character |
| |
|
| The prompt specified by the -�-p�p option will override the | The prompt specified by the -�-p�p option will override the |
| system password prompt on systems that support PAM unless | system password prompt on systems that support PAM unless the |
| the _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t_�__�o_�v_�e_�r_�r_�i_�d_�e flag is disabled in _�s_�u_�d_�o_�e_�r_�s. | _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t_�__�o_�v_�e_�r_�r_�i_�d_�e flag is disabled in _�s_�u_�d_�o_�e_�r_�s. |
| |
|
| -r _�r_�o_�l_�e The -�-r�r (_�r_�o_�l_�e) option causes the new (SELinux) security | -�-r�r _�r_�o_�l_�e The -�-r�r (_�r_�o_�l_�e) option causes the new (SELinux) security |
| context to have the role specified by _�r_�o_�l_�e. | context to have the role specified by _�r_�o_�l_�e. |
| |
|
| -S The -�-S�S (_�s_�t_�d_�i_�n) option causes s�su�ud�do�o to read the password from | -�-S�S The -�-S�S (_�s_�t_�d_�i_�n) option causes s�su�ud�do�o to read the password from |
| the standard input instead of the terminal device. The | the standard input instead of the terminal device. The |
| password must be followed by a newline character. | password must be followed by a newline character. |
| |
|
| -s [command] | -�-s�s [_�c_�o_�m_�m_�a_�n_�d] |
| The -�-s�s (_�s_�h_�e_�l_�l) option runs the shell specified by the _�S_�H_�E_�L_�L | The -�-s�s (_�s_�h_�e_�l_�l) option runs the shell specified by the SHELL |
| environment variable if it is set or the shell as specified | environment variable if it is set or the shell as specified |
| in the password database. If a command is specified, it is | in the password database. If a command is specified, it is |
| passed to the shell for execution via the shell's -�-c�c | passed to the shell for execution via the shell's -�-c�c option. |
| option. If no command is specified, an interactive shell | If no command is specified, an interactive shell is executed. |
| is executed. | |
| |
|
| -t _�t_�y_�p_�e The -�-t�t (_�t_�y_�p_�e) option causes the new (SELinux) security | -�-t�t _�t_�y_�p_�e The -�-t�t (_�t_�y_�p_�e) option causes the new (SELinux) security |
| context to have the type specified by _�t_�y_�p_�e. If no type is | context to have the type specified by _�t_�y_�p_�e. If no type is |
| specified, the default type is derived from the specified | specified, the default type is derived from the specified |
| role. | role. |
| |
|
| -U _�u_�s_�e_�r The -�-U�U (_�o_�t_�h_�e_�r _�u_�s_�e_�r) option is used in conjunction with the | -�-U�U _�u_�s_�e_�r The -�-U�U (_�o_�t_�h_�e_�r _�u_�s_�e_�r) option is used in conjunction with the -�-l�l |
| -�-l�l option to specify the user whose privileges should be | option to specify the user whose privileges should be listed. |
| listed. The security policy may restrict listing other | The security policy may restrict listing other users' |
| users' privileges. The _�s_�u_�d_�o_�e_�r_�s policy only allows root or | privileges. The _�s_�u_�d_�o_�e_�r_�s policy only allows root or a user |
| a user with the ALL privilege on the current host to use | with the ALL privilege on the current host to use this |
| this option. | option. |
| |
|
| -u _�u_�s_�e_�r The -�-u�u (_�u_�s_�e_�r) option causes s�su�ud�do�o to run the specified | -�-u�u _�u_�s_�e_�r The -�-u�u (_�u_�s_�e_�r) option causes s�su�ud�do�o to run the specified command |
| command as a user other than _�r_�o_�o_�t. To specify a _�u_�i_�d | as a user other than _�r_�o_�o_�t. To specify a _�u_�i_�d instead of a |
| instead of a _�u_�s_�e_�r _�n_�a_�m_�e, use _�#_�u_�i_�d. When running commands as | _�u_�s_�e_�r _�n_�a_�m_�e, _�#_�u_�i_�d. When running commands as a _�u_�i_�d, many shells |
| a _�u_�i_�d, many shells require that the '#' be escaped with a | require that the `#' be escaped with a backslash (`\'). |
| backslash ('\'). Security policies may restrict _�u_�i_�ds to | Security policies may restrict _�u_�i_�ds to those listed in the |
| those listed in the password database. The _�s_�u_�d_�o_�e_�r_�s policy | password database. The _�s_�u_�d_�o_�e_�r_�s policy allows _�u_�i_�ds that are |
| allows _�u_�i_�ds that are not in the password database as long | not in the password database as long as the _�t_�a_�r_�g_�e_�t_�p_�w option |
| as the _�t_�a_�r_�g_�e_�t_�p_�w option is not set. Other security policies | is not set. Other security policies may not support this. |
| may not support this. | |
| |
|
| -V The -�-V�V (_�v_�e_�r_�s_�i_�o_�n) option causes s�su�ud�do�o to print its version | -�-V�V The -�-V�V (_�v_�e_�r_�s_�i_�o_�n) option causes s�su�ud�do�o to print its version |
| string and the version string of the security policy plugin | string and the version string of the security policy plugin |
| and any I/O plugins. If the invoking user is already root | and any I/O plugins. If the invoking user is already root |
| the -�-V�V option will display the arguments passed to | the -�-V�V option will display the arguments passed to configure |
| configure when _�s_�u_�d_�o was built and plugins may display more | when s�su�ud�do�o was built and plugins may display more verbose |
| verbose information such as default options. | information such as default options. |
| |
|
| -v When given the -�-v�v (_�v_�a_�l_�i_�d_�a_�t_�e) option, s�su�ud�do�o will update the | -�-v�v When given the -�-v�v (_�v_�a_�l_�i_�d_�a_�t_�e) option, s�su�ud�do�o will update the |
| user's cached credentials, authenticating the user's | user's cached credentials, authenticating the user's password |
| password if necessary. For the _�s_�u_�d_�o_�e_�r_�s plugin, this | if necessary. For the _�s_�u_�d_�o_�e_�r_�s plugin, this extends the s�su�ud�do�o |
| extends the s�su�ud�do�o timeout for another 5 minutes (or whatever | timeout for another 5 minutes (or whatever the timeout is set |
| the timeout is set to in _�s_�u_�d_�o_�e_�r_�s) but does not run a | to by the security policy) but does not run a command. Not |
| command. Not all security policies support cached | all security policies support cached credentials. |
| credentials. | |
| |
|
| -- The -�--�- option indicates that s�su�ud�do�o should stop processing | -�--�- The -�--�- option indicates that s�su�ud�do�o should stop processing |
| command line arguments. | command line arguments. |
| |
|
| Environment variables to be set for the command may also be passed on | Environment variables to be set for the command may also be passed on the |
| the command line in the form of V�VA�AR�R=_�v_�a_�l_�u_�e, e.g. | command line in the form of V�VA�AR�R=_�v_�a_�l_�u_�e, e.g. |
| L�LD�D_�_L�LI�IB�BR�RA�AR�RY�Y_�_P�PA�AT�TH�H=_�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�p_�k_�g_�/_�l_�i_�b. Variables passed on the command | L�LD�D_�_L�LI�IB�BR�RA�AR�RY�Y_�_P�PA�AT�TH�H=_�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�p_�k_�g_�/_�l_�i_�b. Variables passed on the command line |
| line are subject to the same restrictions as normal environment | are subject to the same restrictions as normal environment variables with |
| variables with one important exception. If the _�s_�e_�t_�e_�n_�v option is set in | one important exception. If the _�s_�e_�t_�e_�n_�v option is set in _�s_�u_�d_�o_�e_�r_�s, the |
| _�s_�u_�d_�o_�e_�r_�s, the command to be run has the SETENV tag set or the command | command to be run has the SETENV tag set or the command matched is ALL, |
| matched is ALL, the user may set variables that would overwise be | the user may set variables that would otherwise be forbidden. See |
| forbidden. See _�s_�u_�d_�o_�e_�r_�s(4) for more information. | sudoers(4) for more information. |
| |
|
| |
C�CO�OM�MM�MA�AN�ND�D E�EX�XE�EC�CU�UT�TI�IO�ON�N |
| |
When s�su�ud�do�o executes a command, the security policy specifies the execution |
| |
envionment for the command. Typically, the real and effective uid and |
| |
gid are set to match those of the target user, as specified in the |
| |
password database, and the group vector is initialized based on the group |
| |
database (unless the -�-P�P option was specified). |
| |
|
| |
The following parameters may be specified by security policy: |
| |
|
| |
o�o real and effective user ID |
| |
|
| |
o�o real and effective group ID |
| |
|
| |
o�o supplementary group IDs |
| |
|
| |
o�o the environment list |
| |
|
| |
o�o current working directory |
| |
|
| |
o�o file creation mode mask (umask) |
| |
|
| |
o�o SELinux role and type |
| |
|
| |
o�o Solaris project |
| |
|
| |
o�o Solaris privileges |
| |
|
| |
o�o BSD login class |
| |
|
| |
o�o scheduling priority (aka nice value) |
| |
|
| |
P�Pr�ro�oc�ce�es�ss�s m�mo�od�de�el�l |
| |
When s�su�ud�do�o runs a command, it calls fork(2), sets up the execution |
| |
environment as described above, and calls the execve system call in the |
| |
child process. The main s�su�ud�do�o process waits until the command has |
| |
completed, then passes the command's exit status to the security policy's |
| |
close method and exits. If an I/O logging plugin is configured, a new |
| |
pseudo-terminal (``pty'') is created and a second s�su�ud�do�o process is used to |
| |
relay job control signals between the user's existing pty and the new pty |
| |
the command is being run in. This extra process makes it possible to, |
| |
for example, suspend and resume the command. Without it, the command |
| |
would be in what POSIX terms an ``orphaned process group'' and it would |
| |
not receive any job control signals. |
| |
|
| |
S�Si�ig�gn�na�al�l h�ha�an�nd�dl�li�in�ng�g |
| |
Because the command is run as a child of the s�su�ud�do�o process, s�su�ud�do�o will |
| |
relay signals it receives to the command. Unless the command is being |
| |
run in a new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed |
| |
unless they are sent by a user process, not the kernel. Otherwise, the |
| |
command would receive SIGINT twice every time the user entered control-C. |
| |
Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will |
| |
not be relayed to the command. As a general rule, SIGTSTP should be used |
| |
instead of SIGSTOP when you wish to suspend a command being run by s�su�ud�do�o. |
| |
|
| |
As a special case, s�su�ud�do�o will not relay signals that were sent by the |
| |
command it is running. This prevents the command from accidentally |
| |
killing itself. On some systems, the reboot(1m) command sends SIGTERM to |
| |
all non-system processes other than itself before rebooting the systyem. |
| |
This prevents s�su�ud�do�o from relaying the SIGTERM signal it received back to |
| |
reboot(1m), which might then exit before the system was actually rebooted, |
| |
leaving it in a half-dead state similar to single user mode. Note, |
| |
however, that this check only applies to the command run by s�su�ud�do�o and not |
| |
any other processes that the command may create. As a result, running a |
| |
script that calls reboot(1m) or shutdown(1m) via s�su�ud�do�o may cause the system |
| |
to end up in this undefined state unless the reboot(1m) or shutdown(1m) are |
| |
run using the e�ex�xe�ec�c() family of functions instead of s�sy�ys�st�te�em�m() (which |
| |
interposes a shell between the command and the calling process). |
| |
|
| P�PL�LU�UG�GI�IN�NS�S |
P�PL�LU�UG�GI�IN�NS�S |
| Plugins are dynamically loaded based on the contents of the | Plugins are dynamically loaded based on the contents of the |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. If no _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file is present, or it | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. If no _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file is present, or it |
| contains no Plugin lines, s�su�ud�do�o will use the traditional _�s_�u_�d_�o_�e_�r_�s | contains no Plugin lines, s�su�ud�do�o will use the traditional _�s_�u_�d_�o_�e_�r_�s security |
| security policy and I/O logging, which corresponds to the following | policy and I/O logging, which corresponds to the following _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file. | file. |
| |
|
| # | # |
| # Default /etc/sudo.conf file | # Default /etc/sudo.conf file |
| # | # |
| # Format: | # Format: |
| # Plugin plugin_name plugin_path | # Plugin plugin_name plugin_path plugin_options ... |
| # Path askpass /path/to/askpass | # Path askpass /path/to/askpass |
| # Path noexec /path/to/noexec.so | # Path noexec /path/to/sudo_noexec.so |
| # | # Debug sudo /var/log/sudo_debug all@warn |
| # The plugin_path is relative to /usr/local/libexec unless | # Set disable_coredump true |
| # fully qualified. | # |
| # The plugin_name corresponds to a global symbol in the plugin | # The plugin_path is relative to /usr/local/libexec unless |
| # that contains the plugin interface structure. | # fully qualified. |
| # | # The plugin_name corresponds to a global symbol in the plugin |
| Plugin policy_plugin sudoers.so | # that contains the plugin interface structure. |
| Plugin io_plugin sudoers.so | # The plugin_options are optional. |
| | # |
| | Plugin policy_plugin sudoers.so |
| | Plugin io_plugin sudoers.so |
| |
|
| A Plugin line consists of the Plugin keyword, followed by the | A Plugin line consists of the Plugin keyword, followed by the _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e |
| _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e and the _�p_�a_�t_�h to the shared object containing the plugin. | and the _�p_�a_�t_�h to the shared object containing the plugin. The _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e |
| The _�s_�y_�m_�b_�o_�l_�__�n_�a_�m_�e is the name of the struct policy_plugin or struct | is the name of the struct policy_plugin or struct io_plugin in the plugin |
| io_plugin in the plugin shared object. The _�p_�a_�t_�h may be fully qualified | shared object. The _�p_�a_�t_�h may be fully qualified or relative. If not |
| or relative. If not fully qualified it is relative to the | fully qualified it is relative to the _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c directory. Any |
| _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c directory. Any additional parameters after the _�p_�a_�t_�h | additional parameters after the _�p_�a_�t_�h are passed as arguments to the |
| are ignored. Lines that don't begin with Plugin or Path are silently | plugin's _�o_�p_�e_�n function. Lines that don't begin with Plugin, Path, Debug, |
| ignored | or Set are silently ignored. |
| |
|
| For more information, see the _�s_�u_�d_�o_�__�p_�l_�u_�g_�i_�n(1m) manual. | For more information, see the sudo_plugin(1m) manual. |
| |
|
| P�PA�AT�TH�HS�S |
P�PA�AT�TH�HS�S |
| A Path line consists of the Path keyword, followed by the name of the | A Path line consists of the Path keyword, followed by the name of the |
| path to set and its value. E.g. | path to set and its value. E.g. |
| |
|
| Path noexec /usr/local/libexec/sudo_noexec.so | Path noexec /usr/local/libexec/sudo_noexec.so |
| Path askpass /usr/X11R6/bin/ssh-askpass | Path askpass /usr/X11R6/bin/ssh-askpass |
| |
|
| The following plugin-agnostic paths may be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f | The following plugin-agnostic paths may be set in the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f |
| file. | file: |
| |
|
| askpass The fully qualified path to a helper program used to | askpass The fully qualified path to a helper program used to read the |
| read the user's password when no terminal is available. | user's password when no terminal is available. This may be the |
| This may be the case when s�su�ud�do�o is executed from a | case when s�su�ud�do�o is executed from a graphical (as opposed to |
| graphical (as opposed to text-based) application. The | text-based) application. The program specified by _�a_�s_�k_�p_�a_�s_�s |
| program specified by _�a_�s_�k_�p_�a_�s_�s should display the | should display the argument passed to it as the prompt and |
| argument passed to it as the prompt and write the | write the user's password to the standard output. The value of |
| user's password to the standard output. The value of | _�a_�s_�k_�p_�a_�s_�s may be overridden by the SUDO_ASKPASS environment |
| _�a_�s_�k_�p_�a_�s_�s may be overridden by the SUDO_ASKPASS | variable. |
| environment variable. | |
| |
|
| noexec The fully-qualified path to a shared library containing | noexec The fully-qualified path to a shared library containing dummy |
| dummy versions of the _�e_�x_�e_�c_�v_�(_�), _�e_�x_�e_�c_�v_�e_�(_�) and _�f_�e_�x_�e_�c_�v_�e_�(_�) | versions of the e�ex�xe�ec�cv�v(), e�ex�xe�ec�cv�ve�e() and f�fe�ex�xe�ec�cv�ve�e() library |
| library functions that just return an error. This is | functions that just return an error. This is used to implement |
| used to implement the _�n_�o_�e_�x_�e_�c functionality on systems | the _�n_�o_�e_�x_�e_�c functionality on systems that support LD_PRELOAD or |
| that support LD_PRELOAD or its equivalent. Defaults to | its equivalent. Defaults to _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c_�/_�s_�u_�d_�o_�__�n_�o_�e_�x_�e_�c_�._�s_�o. |
| _�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�l_�i_�b_�e_�x_�e_�c_�/_�s_�u_�d_�o_�__�n_�o_�e_�x_�e_�c_�._�s_�o. | |
| |
|
| R�RE�ET�TU�UR�RN�N V�VA�AL�LU�UE�ES�S | D�DE�EB�BU�UG�G F�FL�LA�AG�GS�S |
| Upon successful execution of a program, the exit status from s�su�ud�do�o will | s�su�ud�do�o versions 1.8.4 and higher support a flexible debugging framework |
| simply be the exit status of the program that was executed. | that can help track down what s�su�ud�do�o is doing internally if there is a |
| | problem. |
| |
|
| Otherwise, s�su�ud�do�o exits with a value of 1 if there is a | A Debug line consists of the Debug keyword, followed by the name of the |
| configuration/permission problem or if s�su�ud�do�o cannot execute the given | program to debug (s�su�ud�do�o, v�vi�is�su�ud�do�o, s�su�ud�do�or�re�ep�pl�la�ay�y), the debug file name and a |
| command. In the latter case the error string is printed to the | comma-separated list of debug flags. The debug flag syntax used by s�su�ud�do�o |
| standard error. If s�su�ud�do�o cannot _�s_�t_�a_�t(2) one or more entries in the | and the _�s_�u_�d_�o_�e_�r_�s plugin is _�s_�u_�b_�s_�y_�s_�t_�e_�m@_�p_�r_�i_�o_�r_�i_�t_�y but the plugin is free to |
| user's PATH, an error is printed on stderr. (If the directory does not | use a different format so long as it does not include a comma (`,'). |
| exist or if it is not really a directory, the entry is ignored and no | |
| error is printed.) This should not happen under normal circumstances. | |
| The most common reason for _�s_�t_�a_�t(2) to return "permission denied" is if | |
| you are running an automounter and one of the directories in your PATH | |
| is on a machine that is currently unreachable. | |
| |
|
| |
For instance: |
| |
|
| |
Debug sudo /var/log/sudo_debug all@warn,plugin@info |
| |
|
| |
would log all debugging statements at the _�w_�a_�r_�n level and higher in |
| |
addition to those at the _�i_�n_�f_�o level for the plugin subsystem. |
| |
|
| |
Currently, only one Debug entry per program is supported. The s�su�ud�do�o Debug |
| |
entry is shared by the s�su�ud�do�o front end, s�su�ud�do�oe�ed�di�it�t and the plugins. A |
| |
future release may add support for per-plugin Debug lines and/or support |
| |
for multiple debugging files for a single program. |
| |
|
| |
The priorities used by the s�su�ud�do�o front end, in order of decreasing |
| |
severity, are: _�c_�r_�i_�t, _�e_�r_�r, _�w_�a_�r_�n, _�n_�o_�t_�i_�c_�e, _�d_�i_�a_�g, _�i_�n_�f_�o, _�t_�r_�a_�c_�e and _�d_�e_�b_�u_�g. |
| |
Each priority, when specified, also includes all priorities higher than |
| |
it. For example, a priority of _�n_�o_�t_�i_�c_�e would include debug messages |
| |
logged at _�n_�o_�t_�i_�c_�e and higher. |
| |
|
| |
The following subsystems are used by the s�su�ud�do�o front-end: |
| |
|
| |
_�a_�l_�l matches every subsystem |
| |
|
| |
_�a_�r_�g_�s command line argument processing |
| |
|
| |
_�c_�o_�n_�v user conversation |
| |
|
| |
_�e_�d_�i_�t sudoedit |
| |
|
| |
_�e_�x_�e_�c command execution |
| |
|
| |
_�m_�a_�i_�n s�su�ud�do�o main function |
| |
|
| |
_�n_�e_�t_�i_�f network interface handling |
| |
|
| |
_�p_�c_�o_�m_�m communication with the plugin |
| |
|
| |
_�p_�l_�u_�g_�i_�n plugin configuration |
| |
|
| |
_�p_�t_�y pseudo-tty related code |
| |
|
| |
_�s_�e_�l_�i_�n_�u_�x SELinux-specific handling |
| |
|
| |
_�u_�t_�i_�l utility functions |
| |
|
| |
_�u_�t_�m_�p utmp handling |
| |
|
| |
E�EX�XI�IT�T V�VA�AL�LU�UE�E |
| |
Upon successful execution of a program, the exit status from _�s_�u_�d_�o will |
| |
simply be the exit status of the program that was executed. |
| |
|
| |
Otherwise, s�su�ud�do�o exits with a value of 1 if there is a |
| |
configuration/permission problem or if s�su�ud�do�o cannot execute the given |
| |
command. In the latter case the error string is printed to the standard |
| |
error. If s�su�ud�do�o cannot stat(2) one or more entries in the user's PATH, an |
| |
error is printed on stderr. (If the directory does not exist or if it is |
| |
not really a directory, the entry is ignored and no error is printed.) |
| |
This should not happen under normal circumstances. The most common |
| |
reason for stat(2) to return ``permission denied'' is if you are running |
| |
an automounter and one of the directories in your PATH is on a machine |
| |
that is currently unreachable. |
| |
|
| S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S |
S�SE�EC�CU�UR�RI�IT�TY�Y N�NO�OT�TE�ES�S |
| s�su�ud�do�o tries to be safe when executing external commands. | s�su�ud�do�o tries to be safe when executing external commands. |
| |
|
| To prevent command spoofing, s�su�ud�do�o checks "." and "" (both denoting | To prevent command spoofing, s�su�ud�do�o checks "." and "" (both denoting |
| current directory) last when searching for a command in the user's PATH | current directory) last when searching for a command in the user's PATH |
| (if one or both are in the PATH). Note, however, that the actual PATH | (if one or both are in the PATH). Note, however, that the actual PATH |
| environment variable is _�n_�o_�t modified and is passed unchanged to the | environment variable is _�n_�o_�t modified and is passed unchanged to the |
| program that s�su�ud�do�o executes. | program that s�su�ud�do�o executes. |
| |
|
| Please note that s�su�ud�do�o will normally only log the command it explicitly | Please note that s�su�ud�do�o will normally only log the command it explicitly |
| runs. If a user runs a command such as sudo su or sudo sh, subsequent | runs. If a user runs a command such as sudo su or sudo sh, subsequent |
| commands run from that shell are not subject to s�su�ud�do�o's security policy. | commands run from that shell are not subject to s�su�ud�do�o's security policy. |
| The same is true for commands that offer shell escapes (including most | The same is true for commands that offer shell escapes (including most |
| editors). If I/O logging is enabled, subsequent commands will have | editors). If I/O logging is enabled, subsequent commands will have their |
| their input and/or output logged, but there will not be traditional | input and/or output logged, but there will not be traditional logs for |
| logs for those commands. Because of this, care must be taken when | those commands. Because of this, care must be taken when giving users |
| giving users access to commands via s�su�ud�do�o to verify that the command | access to commands via s�su�ud�do�o to verify that the command does not |
| does not inadvertently give the user an effective root shell. For more | inadvertently give the user an effective root shell. For more |
| information, please see the PREVENTING SHELL ESCAPES section in | information, please see the _�P_�R_�E_�V_�E_�N_�T_�I_�N_�G _�S_�H_�E_�L_�L _�E_�S_�C_�A_�P_�E_�S section in |
| _�s_�u_�d_�o_�e_�r_�s(4). | sudoers(4). |
| |
|
| |
To prevent the disclosure of potentially sensitive information, s�su�ud�do�o |
| |
disables core dumps by default while it is executing (they are re-enabled |
| |
for the command that is run). To aid in debugging s�su�ud�do�o crashes, you may |
| |
wish to re-enable core dumps by setting ``disable_coredump'' to false in |
| |
the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file as follows: |
| |
|
| |
Set disable_coredump false |
| |
|
| |
Note that by default, most operating systems disable core dumps from |
| |
setuid programs, which includes s�su�ud�do�o. To actually get a s�su�ud�do�o core file |
| |
you may need to enable core dumps for setuid processes. On BSD and Linux |
| |
systems this is accomplished via the sysctl command, on Solaris the |
| |
coreadm command can be used. |
| |
|
| E�EN�NV�VI�IR�RO�ON�NM�ME�EN�NT�T |
E�EN�NV�VI�IR�RO�ON�NM�ME�EN�NT�T |
| s�su�ud�do�o utilizes the following environment variables. The security policy | s�su�ud�do�o utilizes the following environment variables. The security policy |
| has control over the content of the command's environment. | has control over the actual content of the command's environment. |
| |
|
| EDITOR Default editor to use in -�-e�e (sudoedit) mode if neither | EDITOR Default editor to use in -�-e�e (sudoedit) mode if neither |
| SUDO_EDITOR nor VISUAL is set | SUDO_EDITOR nor VISUAL is set. |
| |
|
| MAIL In -�-i�i mode or when _�e_�n_�v_�__�r_�e_�s_�e_�t is enabled in _�s_�u_�d_�o_�e_�r_�s, set | MAIL In -�-i�i mode or when _�e_�n_�v_�__�r_�e_�s_�e_�t is enabled in _�s_�u_�d_�o_�e_�r_�s, set |
| to the mail spool of the target user | to the mail spool of the target user. |
| |
|
| HOME Set to the home directory of the target user if -�-i�i or | HOME Set to the home directory of the target user if -�-i�i or -�-H�H |
| -�-H�H are specified, _�e_�n_�v_�__�r_�e_�s_�e_�t or _�a_�l_�w_�a_�y_�s_�__�s_�e_�t_�__�h_�o_�m_�e are set | are specified, _�e_�n_�v_�__�r_�e_�s_�e_�t or _�a_�l_�w_�a_�y_�s_�__�s_�e_�t_�__�h_�o_�m_�e are set in |
| in _�s_�u_�d_�o_�e_�r_�s, or when the -�-s�s option is specified and | _�s_�u_�d_�o_�e_�r_�s, or when the -�-s�s option is specified and _�s_�e_�t_�__�h_�o_�m_�e |
| _�s_�e_�t_�__�h_�o_�m_�e is set in _�s_�u_�d_�o_�e_�r_�s | is set in _�s_�u_�d_�o_�e_�r_�s. |
| |
|
| PATH May be overridden by the security policy. | PATH May be overridden by the security policy. |
| |
|
| SHELL Used to determine shell to run with -s option | SHELL Used to determine shell to run with -�-s�s option. |
| |
|
| SUDO_ASKPASS Specifies the path to a helper program used to read the | SUDO_ASKPASS Specifies the path to a helper program used to read the |
| password if no terminal is available or if the -A | password if no terminal is available or if the -�-A�A option |
| option is specified. | is specified. |
| |
|
| SUDO_COMMAND Set to the command run by sudo | SUDO_COMMAND Set to the command run by sudo. |
| |
|
| SUDO_EDITOR Default editor to use in -�-e�e (sudoedit) mode | SUDO_EDITOR Default editor to use in -�-e�e (sudoedit) mode. |
| |
|
| SUDO_GID Set to the group ID of the user who invoked sudo | SUDO_GID Set to the group ID of the user who invoked sudo. |
| |
|
| SUDO_PROMPT Used as the default password prompt | SUDO_PROMPT Used as the default password prompt. |
| |
|
| SUDO_PS1 If set, PS1 will be set to its value for the program | SUDO_PS1 If set, PS1 will be set to its value for the program |
| being run | being run. |
| |
|
| SUDO_UID Set to the user ID of the user who invoked sudo | SUDO_UID Set to the user ID of the user who invoked sudo. |
| |
|
| SUDO_USER Set to the login of the user who invoked sudo | SUDO_USER Set to the login name of the user who invoked sudo. |
| |
|
| USER Set to the target user (root unless the -�-u�u option is | USER Set to the target user (root unless the -�-u�u option is |
| specified) | specified). |
| |
|
| VISUAL Default editor to use in -�-e�e (sudoedit) mode if | VISUAL Default editor to use in -�-e�e (sudoedit) mode if |
| SUDO_EDITOR is not set | SUDO_EDITOR is not set. |
| |
|
| F�FI�IL�LE�ES�S |
F�FI�IL�LE�ES�S |
| _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f s�su�ud�do�o plugin and path configuration | _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f s�su�ud�do�o front end configuration |
| |
|
| E�EX�XA�AM�MP�PL�LE�ES�S |
E�EX�XA�AM�MP�PL�LE�ES�S |
| Note: the following examples assume a properly configured security | Note: the following examples assume a properly configured security |
| policy. | policy. |
| |
|
| To get a file listing of an unreadable directory: | To get a file listing of an unreadable directory: |
| |
|
| $ sudo ls /usr/local/protected | $ sudo ls /usr/local/protected |
| |
|
| To list the home directory of user yaz on a machine where the file | To list the home directory of user yaz on a machine where the file system |
| system holding ~yaz is not exported as root: | holding ~yaz is not exported as root: |
| |
|
| $ sudo -u yaz ls ~yaz | $ sudo -u yaz ls ~yaz |
| |
|
| To edit the _�i_�n_�d_�e_�x_�._�h_�t_�m_�l file as user www: | To edit the _�i_�n_�d_�e_�x_�._�h_�t_�m_�l file as user www: |
| |
|
| $ sudo -u www vi ~www/htdocs/index.html | $ sudo -u www vi ~www/htdocs/index.html |
| |
|
| To view system logs only accessible to root and users in the adm group: | To view system logs only accessible to root and users in the adm group: |
| |
|
| $ sudo -g adm view /var/log/syslog | $ sudo -g adm view /var/log/syslog |
| |
|
| To run an editor as jim with a different primary group: | To run an editor as jim with a different primary group: |
| |
|
| $ sudo -u jim -g audio vi ~jim/sound.txt | $ sudo -u jim -g audio vi ~jim/sound.txt |
| |
|
| To shutdown a machine: | To shut down a machine: |
| |
|
| $ sudo shutdown -r +15 "quick reboot" | $ sudo shutdown -r +15 "quick reboot" |
| |
|
| To make a usage listing of the directories in the /home partition. | To make a usage listing of the directories in the /home partition. Note |
| Note that this runs the commands in a sub-shell to make the cd and file | that this runs the commands in a sub-shell to make the cd and file |
| redirection work. | redirection work. |
| |
|
| $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" | $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" |
| |
|
| S�SE�EE�E A�AL�LS�SO�O |
S�SE�EE�E A�AL�LS�SO�O |
| _�g_�r_�e_�p(1), _�s_�u(1), _�s_�t_�a_�t(2), _�l_�o_�g_�i_�n_�__�c_�a_�p(3), _�p_�a_�s_�s_�w_�d(4), _�s_�u_�d_�o_�e_�r_�s(4), | grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4), |
| _�s_�u_�d_�o_�__�p_�l_�u_�g_�i_�n(1m), _�s_�u_�d_�o_�r_�e_�p_�l_�a_�y(1m), _�v_�i_�s_�u_�d_�o(1m) | sudo_plugin(1m), sudoreplay(1m), visudo(1m) |
| |
|
| |
H�HI�IS�ST�TO�OR�RY�Y |
| |
See the HISTORY file in the s�su�ud�do�o distribution |
| |
(http://www.sudo.ws/sudo/history.html) for a brief history of sudo. |
| |
|
| A�AU�UT�TH�HO�OR�RS�S |
A�AU�UT�TH�HO�OR�RS�S |
| Many people have worked on s�su�ud�do�o over the years; this version consists | Many people have worked on s�su�ud�do�o over the years; this version consists of |
| of code written primarily by: | code written primarily by: |
| |
|
| Todd C. Miller | Todd C. Miller |
| |
|
| See the HISTORY file in the s�su�ud�do�o distribution or visit | See the CONTRIBUTORS file in the s�su�ud�do�o distribution |
| http://www.sudo.ws/sudo/history.html for a short history of s�su�ud�do�o. | (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of |
| | people who have contributed to s�su�ud�do�o. |
| |
|
| C�CA�AV�VE�EA�AT�TS�S |
C�CA�AV�VE�EA�AT�TS�S |
| There is no easy way to prevent a user from gaining a root shell if | There is no easy way to prevent a user from gaining a root shell if that |
| that user is allowed to run arbitrary commands via s�su�ud�do�o. Also, many | user is allowed to run arbitrary commands via s�su�ud�do�o. Also, many programs |
| programs (such as editors) allow the user to run commands via shell | (such as editors) allow the user to run commands via shell escapes, thus |
| escapes, thus avoiding s�su�ud�do�o's checks. However, on most systems it is | avoiding s�su�ud�do�o's checks. However, on most systems it is possible to |
| possible to prevent shell escapes with the _�s_�u_�d_�o_�e_�r_�s(4) module's _�n_�o_�e_�x_�e_�c | prevent shell escapes with the sudoers(4) plugin's _�n_�o_�e_�x_�e_�c functionality. |
| functionality. | |
| |
|
| It is not meaningful to run the cd command directly via sudo, e.g., | It is not meaningful to run the cd command directly via sudo, e.g., |
| |
|
| $ sudo cd /usr/local/protected | $ sudo cd /usr/local/protected |
| |
|
| since when the command exits the parent process (your shell) will still | since when the command exits the parent process (your shell) will still |
| be the same. Please see the EXAMPLES section for more information. | be the same. Please see the _�E_�X_�A_�M_�P_�L_�E_�S section for more information. |
| |
|
| Running shell scripts via s�su�ud�do�o can expose the same kernel bugs that | Running shell scripts via s�su�ud�do�o can expose the same kernel bugs that make |
| make setuid shell scripts unsafe on some operating systems (if your OS | setuid shell scripts unsafe on some operating systems (if your OS has a |
| has a /dev/fd/ directory, setuid shell scripts are generally safe). | /dev/fd/ directory, setuid shell scripts are generally safe). |
| |
|
| B�BU�UG�GS�S |
B�BU�UG�GS�S |
| If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at | If you feel you have found a bug in s�su�ud�do�o, please submit a bug report at |
| http://www.sudo.ws/sudo/bugs/ | http://www.sudo.ws/sudo/bugs/ |
| |
|
| S�SU�UP�PP�PO�OR�RT�T |
S�SU�UP�PP�PO�OR�RT�T |
| Limited free support is available via the sudo-users mailing list, see | Limited free support is available via the sudo-users mailing list, see |
| http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search | http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the |
| the archives. | archives. |
| |
|
| D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R |
D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R |
| s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties, | s�su�ud�do�o is provided ``AS IS'' and any express or implied warranties, |
| including, but not limited to, the implied warranties of | including, but not limited to, the implied warranties of merchantability |
| merchantability and fitness for a particular purpose are disclaimed. | and fitness for a particular purpose are disclaimed. See the LICENSE |
| See the LICENSE file distributed with s�su�ud�do�o or | file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for |
| http://www.sudo.ws/sudo/license.html for complete details. | complete details. |
| |
|
| Sudo 1.8.6 July 10, 2012 Sudo 1.8.6 |
| |
| 1.8.3 September 16, 2011 SUDO(1m) | |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc