version 1.1.1.3, 2012/10/09 09:29:52
|
version 1.1.1.6, 2014/06/15 16:12:54
|
Line 5 NNAAMMEE
|
Line 5 NNAAMMEE
|
|
|
SSYYNNOOPPSSIISS |
SSYYNNOOPPSSIISS |
ssuuddoo --hh | --KK | --kk | --VV |
ssuuddoo --hh | --KK | --kk | --VV |
ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] | ssuuddoo --vv [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r] |
[--uu _u_s_e_r _n_a_m_e | _#_u_i_d] | ssuuddoo --ll [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--UU _u_s_e_r] |
ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] | [--uu _u_s_e_r] [_c_o_m_m_a_n_d] |
[--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d] | ssuuddoo [--AAbbEEHHnnPPSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t] |
ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] | [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--uu _u_s_e_r] [_V_A_R=_v_a_l_u_e] [--ii | --ss] |
[--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] | [_c_o_m_m_a_n_d] |
[--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [VVAARR=_v_a_l_u_e] --ii | --ss [_c_o_m_m_a_n_d] | ssuuddooeeddiitt [--AAkknnSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t] |
ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] | [--pp _p_r_o_m_p_t] [--uu _u_s_e_r] _f_i_l_e _._._. |
[--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] file | |
... | |
|
|
DDEESSCCRRIIPPTTIIOONN |
DDEESSCCRRIIPPTTIIOONN |
ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or |
ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or |
Line 24 DDEESSCCRRIIPPTTIIOONN
|
Line 22 DDEESSCCRRIIPPTTIIOONN
|
input/output logging. Third parties can develop and distribute their own |
input/output logging. Third parties can develop and distribute their own |
policy and I/O logging plugins to work seamlessly with the ssuuddoo front |
policy and I/O logging plugins to work seamlessly with the ssuuddoo front |
end. The default security policy is _s_u_d_o_e_r_s, which is configured via the |
end. The default security policy is _s_u_d_o_e_r_s, which is configured via the |
file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more | file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_l_u_g_i_n_s section for more |
information. |
information. |
|
|
The security policy determines what privileges, if any, a user has to run |
The security policy determines what privileges, if any, a user has to run |
Line 48 DDEESSCCRRIIPPTTIIOONN
|
Line 46 DDEESSCCRRIIPPTTIIOONN
|
|
|
The options are as follows: |
The options are as follows: |
|
|
--AA Normally, if ssuuddoo requires a password, it will read it from | --AA, ----aasskkppaassss |
| Normally, if ssuuddoo requires a password, it will read it from |
the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is |
the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is |
specified, a (possibly graphical) helper program is executed |
specified, a (possibly graphical) helper program is executed |
to read the user's password and output the password to the |
to read the user's password and output the password to the |
standard output. If the SUDO_ASKPASS environment variable is |
standard output. If the SUDO_ASKPASS environment variable is |
set, it specifies the path to the helper program. Otherwise, |
set, it specifies the path to the helper program. Otherwise, |
if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass | if sudo.conf(4) contains a line specifying the askpass |
program, that value will be used. For example: |
program, that value will be used. For example: |
|
|
# Path to askpass helper program |
# Path to askpass helper program |
Line 63 DDEESSCCRRIIPPTTIIOONN
|
Line 62 DDEESSCCRRIIPPTTIIOONN
|
If no askpass program is available, ssuuddoo will exit with an |
If no askpass program is available, ssuuddoo will exit with an |
error. |
error. |
|
|
--aa _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the | --aa _t_y_p_e, ----aauutthh--ttyyppee=_t_y_p_e |
specified authentication type when validating the user, as | Use the specified BSD authentication _t_y_p_e when validating the |
allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may | user, if allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system |
specify a list of sudo-specific authentication methods by | administrator may specify a list of sudo-specific |
adding an ``auth-sudo'' entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This | authentication methods by adding an ``auth-sudo'' entry in |
option is only available on systems that support BSD | _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only available on systems |
authentication. | that support BSD authentication. |
|
|
--bb The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given | --bb, ----bbaacckkggrroouunndd |
command in the background. Note that if you use the --bb | Run the given command in the background. Note that it is not |
option you cannot use shell job control to manipulate the | possible to use shell job control to manipulate background |
process. Most interactive commands will fail to work | processes started by ssuuddoo. Most interactive commands will |
properly in background mode. | fail to work properly in background mode. |
|
|
--CC _f_d Normally, ssuuddoo will close all open file descriptors other | --CC _n_u_m, ----cclloossee--ffrroomm=_n_u_m |
than standard input, standard output and standard error. The | Close all file descriptors greater than or equal to _n_u_m |
--CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting | before executing a command. Values less than three are not |
point above the standard error (file descriptor three). | permitted. By default, ssuuddoo will close all open file |
Values less than three are not permitted. The security | descriptors other than standard input, standard output and |
policy may restrict the user's ability to use the --CC option. | standard error when executing a command. The security policy |
The _s_u_d_o_e_r_s policy only permits use of the --CC option when the | may restrict the user's ability to use this option. The |
| _s_u_d_o_e_r_s policy only permits use of the --CC option when the |
administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. |
administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. |
|
|
--cc _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified | --cc _c_l_a_s_s, ----llooggiinn--ccllaassss=_c_l_a_s_s |
command with resources limited by the specified login class. | Run the command with resource limits and scheduling priority |
The _c_l_a_s_s argument can be either a class name as defined in | of the specified login _c_l_a_s_s. The _c_l_a_s_s argument can be |
_/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single `-' character. Specifying a | either a class name as defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a |
_c_l_a_s_s of - indicates that the command should be run | single `-' character. If _c_l_a_s_s is --, the default login class |
restricted by the default login capabilities for the user the | of the target user will be used. Otherwise, the command must |
command is run as. If the _c_l_a_s_s argument specifies an | be run as the superuser (user ID 0), or ssuuddoo must be run from |
existing user class, the command must be run as root, or the | a shell that is already running as the superuser. If the |
ssuuddoo command must be run from a shell that is already root. | command is being run as a login shell, additional |
This option is only available on systems with BSD login | _/_e_t_c_/_l_o_g_i_n_._c_o_n_f settings, such as the umask and environment |
classes. | variables, will be applied, if present. This option is only |
| available on systems with BSD login classes. |
|
|
--EE The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the | --EE, ----pprreesseerrvvee--eennvv |
security policy that the user wishes to preserve their | Indicates to the security policy that the user wishes to |
existing environment variables. The security policy may | preserve their existing environment variables. The security |
return an error if the --EE option is specified and the user | policy may return an error if the user does not have |
does not have permission to preserve the environment. | permission to preserve the environment. |
|
|
--ee The --ee (_e_d_i_t) option indicates that, instead of running a | --ee, ----eeddiitt Edit one or more files instead of running a command. In lieu |
command, the user wishes to edit one or more files. In lieu | of a path name, the string "sudoedit" is used when consulting |
of a command, the string "sudoedit" is used when consulting | |
the security policy. If the user is authorized by the |
the security policy. If the user is authorized by the |
policy, the following steps are taken: |
policy, the following steps are taken: |
|
|
Line 131 DDEESSCCRRIIPPTTIIOONN
|
Line 131 DDEESSCCRRIIPPTTIIOONN
|
version, the user will receive a warning and the edited copy |
version, the user will receive a warning and the edited copy |
will remain in a temporary file. |
will remain in a temporary file. |
|
|
--gg _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to | --gg _g_r_o_u_p, ----ggrroouupp=_g_r_o_u_p |
the one specified by the password database for the user the | Run the command with the primary group set to _g_r_o_u_p instead |
command is being run as (by default, root). The --gg (_g_r_o_u_p) | of the primary group specified by the target user's password |
option causes ssuuddoo to run the command with the primary group | database entry. The _g_r_o_u_p may be either a group name or a |
set to _g_r_o_u_p instead. To specify a _g_i_d instead of a _g_r_o_u_p | numeric group ID (GID) prefixed with the `#' character (e.g. |
_n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many shells | #0 for GID 0). When running a command as a GID, many shells |
require that the `#' be escaped with a backslash (`\'). If |
require that the `#' be escaped with a backslash (`\'). If |
no --uu option is specified, the command will be run as the |
no --uu option is specified, the command will be run as the |
invoking user (not root). In either case, the primary group | invoking user. In either case, the primary group will be set |
will be set to _g_r_o_u_p. | to _g_r_o_u_p. |
|
|
--HH The --HH (_H_O_M_E) option requests that the security policy set | --HH, ----sseett--hhoommee |
the HOME environment variable to the home directory of the | Request that the security policy set the HOME environment |
target user (root by default) as specified by the password | variable to the home directory specified by the target user's |
database. Depending on the policy, this may be the default | password database entry. Depending on the policy, this may |
behavior. | be the default behavior. |
|
|
--hh The --hh (_h_e_l_p) option causes ssuuddoo to print a short help | --hh, ----hheellpp Display a short help message to the standard output and exit. |
message to the standard output and exit. | |
|
|
--ii [_c_o_m_m_a_n_d] | --hh _h_o_s_t, ----hhoosstt=_h_o_s_t |
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell | Run the command on the specified _h_o_s_t if the security policy |
specified by the password database entry of the target user | plugin supports remote commands. Note that the _s_u_d_o_e_r_s |
as a login shell. This means that login-specific resource | plugin does not currently support running remote commands. |
files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be read by the shell. | This may also be used in conjunction with the --ll option to |
If a command is specified, it is passed to the shell for | list a user's privileges for the remote host. |
execution via the shell's --cc option. If no command is | |
specified, an interactive shell is executed. ssuuddoo attempts | |
to change to that user's home directory before running the | |
shell. The security policy shall initialize the environment | |
to a minimal set of variables, similar to what is present | |
when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section in the | |
sudoers(4) manual documents how the --ii option affects the | |
environment in which a command is run when the _s_u_d_o_e_r_s policy | |
is in use. | |
|
|
--KK The --KK (sure _k_i_l_l) option is like --kk except that it removes | --ii, ----llooggiinn |
the user's cached credentials entirely and may not be used in | Run the shell specified by the target user's password |
| database entry as a login shell. This means that login- |
| specific resource files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be |
| read by the shell. If a command is specified, it is passed |
| to the shell for execution via the shell's --cc option. If no |
| command is specified, an interactive shell is executed. ssuuddoo |
| attempts to change to that user's home directory before |
| running the shell. The command is run with an environment |
| similar to the one a user would receive at log in. The |
| _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section in the sudoers(4) manual |
| documents how the --ii option affects the environment in which |
| a command is run when the _s_u_d_o_e_r_s policy is in use. |
| |
| --KK, ----rreemmoovvee--ttiimmeessttaammpp |
| Similar to the --kk option, except that it removes the user's |
| cached credentials entirely and may not be used in |
conjunction with a command or other option. This option does |
conjunction with a command or other option. This option does |
not require a password. Not all security policies support |
not require a password. Not all security policies support |
credential caching. |
credential caching. |
|
|
--kk [_c_o_m_m_a_n_d] | --kk, ----rreesseett--ttiimmeessttaammpp |
When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates the | When used without a command, invalidates the user's cached |
user's cached credentials. The next time ssuuddoo is run a | credentials. In other words, the next time ssuuddoo is run a |
password will be required. This option does not require a |
password will be required. This option does not require a |
password and was added to allow a user to revoke ssuuddoo |
password and was added to allow a user to revoke ssuuddoo |
permissions from a _._l_o_g_o_u_t file. Not all security policies | permissions from a _._l_o_g_o_u_t file. |
support credential caching. | |
|
|
When used in conjunction with a command or an option that may |
When used in conjunction with a command or an option that may |
require a password, the --kk option will cause ssuuddoo to ignore | require a password, this option will cause ssuuddoo to ignore the |
the user's cached credentials. As a result, ssuuddoo will prompt | user's cached credentials. As a result, ssuuddoo will prompt for |
for a password (if one is required by the security policy) | a password (if one is required by the security policy) and |
and will not update the user's cached credentials. | will not update the user's cached credentials. |
|
|
--ll[ll] [_c_o_m_m_a_n_d] | Not all security policies support credential caching. |
If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list | |
the allowed (and forbidden) commands for the invoking user | --ll, ----lliisstt If no _c_o_m_m_a_n_d is specified, list the allowed (and forbidden) |
(or the user specified by the --UU option) on the current host. | commands for the invoking user (or the user specified by the |
| --UU option) on the current host. A longer list format is used |
| if this option is specified multiple times and the security |
| policy supports a verbose output format. |
| |
If a _c_o_m_m_a_n_d is specified and is permitted by the security |
If a _c_o_m_m_a_n_d is specified and is permitted by the security |
policy, the fully-qualified path to the command is displayed |
policy, the fully-qualified path to the command is displayed |
along with any command line arguments. If _c_o_m_m_a_n_d is |
along with any command line arguments. If _c_o_m_m_a_n_d is |
specified but not allowed, ssuuddoo will exit with a status value |
specified but not allowed, ssuuddoo will exit with a status value |
of 1. If the --ll option is specified with an _l argument (i.e. | of 1. |
--llll), or if --ll is specified multiple times, a longer list | |
format is used. | |
|
|
--nn The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting | --nn, ----nnoonn--iinntteerraaccttiivvee |
the user for a password. If a password is required for the | Avoid prompting the user for input of any kind. If a |
command to run, ssuuddoo will display an error message and exit. | password is required for the command to run, ssuuddoo will |
| display an error message and exit. |
|
|
--PP The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve | --PP, ----pprreesseerrvvee--ggrroouuppss |
the invoking user's group vector unaltered. By default, the | Preserve the invoking user's group vector unaltered. By |
_s_u_d_o_e_r_s policy will initialize the group vector to the list | default, the _s_u_d_o_e_r_s policy will initialize the group vector |
of groups the target user is in. The real and effective | to the list of groups the target user is a member of. The |
group IDs, however, are still set to match the target user. | real and effective group IDs, however, are still set to match |
| the target user. |
|
|
--pp _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default | --pp _p_r_o_m_p_t, ----pprroommpptt=_p_r_o_m_p_t |
password prompt and use a custom one. The following percent | Use a custom password prompt with optional escape sequences. |
(`%') escapes are supported by the _s_u_d_o_e_r_s policy: | The following percent (`%') escape sequences are supported by |
| the _s_u_d_o_e_r_s policy: |
|
|
%H expanded to the host name including the domain name (on |
%H expanded to the host name including the domain name (on |
if the machine's host name is fully qualified or the _f_q_d_n |
if the machine's host name is fully qualified or the _f_q_d_n |
Line 232 DDEESSCCRRIIPPTTIIOONN
|
Line 241 DDEESSCCRRIIPPTTIIOONN
|
%% two consecutive `%' characters are collapsed into a |
%% two consecutive `%' characters are collapsed into a |
single `%' character |
single `%' character |
|
|
The prompt specified by the --pp option will override the | The custom prompt will override the system password prompt on |
system password prompt on systems that support PAM unless the | systems that support PAM unless the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag |
_p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. | is disabled in _s_u_d_o_e_r_s. |
|
|
--rr _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security | --rr _r_o_l_e, ----rroollee=_r_o_l_e |
context to have the role specified by _r_o_l_e. | Run the command with an SELinux security context that |
| includes the specified _r_o_l_e. |
|
|
--SS The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from | --SS, ----ssttddiinn |
the standard input instead of the terminal device. The | Write the prompt to the standard error and read the password |
password must be followed by a newline character. | from the standard input instead of using the terminal device. |
| The password must be followed by a newline character. |
|
|
--ss [_c_o_m_m_a_n_d] | --ss, ----sshheellll |
The --ss (_s_h_e_l_l) option runs the shell specified by the SHELL | Run the shell specified by the SHELL environment variable if |
environment variable if it is set or the shell as specified | it is set or the shell specified by the invoking user's |
in the password database. If a command is specified, it is | password database entry. If a command is specified, it is |
passed to the shell for execution via the shell's --cc option. |
passed to the shell for execution via the shell's --cc option. |
If no command is specified, an interactive shell is executed. |
If no command is specified, an interactive shell is executed. |
|
|
--tt _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security | --tt _t_y_p_e, ----ttyyppee=_t_y_p_e |
context to have the type specified by _t_y_p_e. If no type is | Run the command with an SELinux security context that |
specified, the default type is derived from the specified | includes the specified _t_y_p_e. If no _t_y_p_e is specified, the |
role. | default type is derived from the role. |
|
|
--UU _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll | --UU _u_s_e_r, ----ootthheerr--uusseerr=_u_s_e_r |
option to specify the user whose privileges should be listed. | Used in conjunction with the --ll option to list the privileges |
The security policy may restrict listing other users' | for _u_s_e_r instead of for the invoking user. The security |
privileges. The _s_u_d_o_e_r_s policy only allows root or a user | policy may restrict listing other users' privileges. The |
with the ALL privilege on the current host to use this | _s_u_d_o_e_r_s policy only allows root or a user with the ALL |
option. | privilege on the current host to use this option. |
|
|
--uu _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command | --uu _u_s_e_r, ----uusseerr=_u_s_e_r |
as a user other than _r_o_o_t. To specify a _u_i_d instead of a | Run the command as a user other than the default target user |
_u_s_e_r _n_a_m_e, _#_u_i_d. When running commands as a _u_i_d, many shells | (usually _r_o_o_t _)_. The _u_s_e_r may be either a user name or a |
require that the `#' be escaped with a backslash (`\'). | numeric user ID (UID) prefixed with the `#' character (e.g. |
Security policies may restrict _u_i_ds to those listed in the | #0 for UID 0). When running commands as a UID, many shells |
password database. The _s_u_d_o_e_r_s policy allows _u_i_ds that are | require that the `#' be escaped with a backslash (`\'). Some |
| security policies may restrict UIDs to those listed in the |
| password database. The _s_u_d_o_e_r_s policy allows UIDs that are |
not in the password database as long as the _t_a_r_g_e_t_p_w option |
not in the password database as long as the _t_a_r_g_e_t_p_w option |
is not set. Other security policies may not support this. |
is not set. Other security policies may not support this. |
|
|
--VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version | --VV, ----vveerrssiioonn |
string and the version string of the security policy plugin | Print the ssuuddoo version string as well as the version string |
and any I/O plugins. If the invoking user is already root | of the security policy plugin and any I/O plugins. If the |
the --VV option will display the arguments passed to configure | invoking user is already root the --VV option will display the |
when ssuuddoo was built and plugins may display more verbose | arguments passed to configure when ssuuddoo was built and plugins |
information such as default options. | may display more verbose information such as default options. |
|
|
--vv When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the | --vv, ----vvaalliiddaattee |
user's cached credentials, authenticating the user's password | Update the user's cached credentials, authenticating the user |
if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo |
if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo |
timeout for another 5 minutes (or whatever the timeout is set | timeout for another 5 minutes by default, but does not run a |
to by the security policy) but does not run a command. Not | command. Not all security policies support cached |
all security policies support cached credentials. | credentials. |
|
|
---- The ---- option indicates that ssuuddoo should stop processing |
---- The ---- option indicates that ssuuddoo should stop processing |
command line arguments. |
command line arguments. |
|
|
Environment variables to be set for the command may also be passed on the |
Environment variables to be set for the command may also be passed on the |
command line in the form of VVAARR=_v_a_l_u_e, e.g. | command line in the form of _V_A_R=_v_a_l_u_e, e.g. |
LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line | LD_LIBRARY_PATH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line |
are subject to the same restrictions as normal environment variables with | are subject to restrictions imposed by the security policy plugin. The |
one important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the | _s_u_d_o_e_r_s policy subjects variables passed on the command line to the same |
command to be run has the SETENV tag set or the command matched is ALL, | restrictions as normal environment variables with one important |
the user may set variables that would otherwise be forbidden. See | exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the command to be run |
sudoers(4) for more information. | has the SETENV tag set or the command matched is ALL, the user may set |
| variables that would otherwise be forbidden. See sudoers(4) for more |
| information. |
|
|
CCOOMMMMAANNDD EEXXEECCUUTTIIOONN |
CCOOMMMMAANNDD EEXXEECCUUTTIIOONN |
When ssuuddoo executes a command, the security policy specifies the execution |
When ssuuddoo executes a command, the security policy specifies the execution |
envionment for the command. Typically, the real and effective uid and | environment for the command. Typically, the real and effective user and |
gid are set to match those of the target user, as specified in the | group and IDs are set to match those of the target user, as specified in |
password database, and the group vector is initialized based on the group | the password database, and the group vector is initialized based on the |
database (unless the --PP option was specified). | group database (unless the --PP option was specified). |
|
|
The following parameters may be specified by security policy: |
The following parameters may be specified by security policy: |
|
|
Line 333 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
Line 348 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
environment as described above, and calls the execve system call in the |
environment as described above, and calls the execve system call in the |
child process. The main ssuuddoo process waits until the command has |
child process. The main ssuuddoo process waits until the command has |
completed, then passes the command's exit status to the security policy's |
completed, then passes the command's exit status to the security policy's |
close method and exits. If an I/O logging plugin is configured, a new | close function and exits. If an I/O logging plugin is configured or if |
pseudo-terminal (``pty'') is created and a second ssuuddoo process is used to | the security policy explicitly requests it, a new pseudo-terminal |
relay job control signals between the user's existing pty and the new pty | (``pty'') is created and a second ssuuddoo process is used to relay job |
the command is being run in. This extra process makes it possible to, | control signals between the user's existing pty and the new pty the |
for example, suspend and resume the command. Without it, the command | command is being run in. This extra process makes it possible to, for |
would be in what POSIX terms an ``orphaned process group'' and it would | example, suspend and resume the command. Without it, the command would |
not receive any job control signals. | be in what POSIX terms an ``orphaned process group'' and it would not |
| receive any job control signals. As a special case, if the policy plugin |
| does not define a close function and no pty is required, ssuuddoo will |
| execute the command directly instead of calling fork(2) first. The |
| _s_u_d_o_e_r_s policy plugin will only define a close function when I/O logging |
| is enabled, a pty is required, or the _p_a_m___s_e_s_s_i_o_n or _p_a_m___s_e_t_c_r_e_d options |
| are enabled. Note that _p_a_m___s_e_s_s_i_o_n and _p_a_m___s_e_t_c_r_e_d are enabled by |
| default on systems using PAM. |
|
|
SSiiggnnaall hhaannddlliinngg |
SSiiggnnaall hhaannddlliinngg |
Because the command is run as a child of the ssuuddoo process, ssuuddoo will | When the command is run as a child of the ssuuddoo process, ssuuddoo will relay |
relay signals it receives to the command. Unless the command is being | signals it receives to the command. Unless the command is being run in a |
run in a new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed | new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed unless |
unless they are sent by a user process, not the kernel. Otherwise, the | they are sent by a user process, not the kernel. Otherwise, the command |
command would receive SIGINT twice every time the user entered control-C. | would receive SIGINT twice every time the user entered control-C. Some |
Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will | signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will not |
not be relayed to the command. As a general rule, SIGTSTP should be used | be relayed to the command. As a general rule, SIGTSTP should be used |
instead of SIGSTOP when you wish to suspend a command being run by ssuuddoo. |
instead of SIGSTOP when you wish to suspend a command being run by ssuuddoo. |
|
|
As a special case, ssuuddoo will not relay signals that were sent by the |
As a special case, ssuuddoo will not relay signals that were sent by the |
command it is running. This prevents the command from accidentally |
command it is running. This prevents the command from accidentally |
killing itself. On some systems, the reboot(1m) command sends SIGTERM to |
killing itself. On some systems, the reboot(1m) command sends SIGTERM to |
all non-system processes other than itself before rebooting the systyem. | all non-system processes other than itself before rebooting the system. |
This prevents ssuuddoo from relaying the SIGTERM signal it received back to |
This prevents ssuuddoo from relaying the SIGTERM signal it received back to |
reboot(1m), which might then exit before the system was actually rebooted, |
reboot(1m), which might then exit before the system was actually rebooted, |
leaving it in a half-dead state similar to single user mode. Note, |
leaving it in a half-dead state similar to single user mode. Note, |
Line 365 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
Line 387 CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
|
run using the eexxeecc() family of functions instead of ssyysstteemm() (which |
run using the eexxeecc() family of functions instead of ssyysstteemm() (which |
interposes a shell between the command and the calling process). |
interposes a shell between the command and the calling process). |
|
|
PPLLUUGGIINNSS | If no I/O logging plugins are loaded and the policy plugin has not |
Plugins are dynamically loaded based on the contents of the | defined a cclloossee() function, set a command timeout or required that the |
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it | command be run in a new pty, ssuuddoo may execute the command directly |
contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security | instead of running it as a child process. |
policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f | |
file. | |
|
|
# | PPlluuggiinnss |
# Default /etc/sudo.conf file | Plugins may be specified via Plugin directives in the sudo.conf(4) file. |
# | They may be loaded as dynamic shared objects (on systems that support |
# Format: | them), or compiled directly into the ssuuddoo binary. If no sudo.conf(4) |
# Plugin plugin_name plugin_path plugin_options ... | file is present, or it contains no Plugin lines, ssuuddoo will use the |
# Path askpass /path/to/askpass | traditional _s_u_d_o_e_r_s security policy and I/O logging. See the |
# Path noexec /path/to/sudo_noexec.so | sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f file and the |
# Debug sudo /var/log/sudo_debug all@warn | sudo_plugin(1m) manual for more information about the ssuuddoo plugin |
# Set disable_coredump true | architecture. |
# | |
# The plugin_path is relative to /usr/local/libexec unless | |
# fully qualified. | |
# The plugin_name corresponds to a global symbol in the plugin | |
# that contains the plugin interface structure. | |
# The plugin_options are optional. | |
# | |
Plugin policy_plugin sudoers.so | |
Plugin io_plugin sudoers.so | |
|
|
A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e |
|
and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e |
|
is the name of the struct policy_plugin or struct io_plugin in the plugin |
|
shared object. The _p_a_t_h may be fully qualified or relative. If not |
|
fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any |
|
additional parameters after the _p_a_t_h are passed as arguments to the |
|
plugin's _o_p_e_n function. Lines that don't begin with Plugin, Path, Debug, |
|
or Set are silently ignored. |
|
|
|
For more information, see the sudo_plugin(1m) manual. |
|
|
|
PPAATTHHSS |
|
A Path line consists of the Path keyword, followed by the name of the |
|
path to set and its value. E.g. |
|
|
|
Path noexec /usr/local/libexec/sudo_noexec.so |
|
Path askpass /usr/X11R6/bin/ssh-askpass |
|
|
|
The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f |
|
file: |
|
|
|
askpass The fully qualified path to a helper program used to read the |
|
user's password when no terminal is available. This may be the |
|
case when ssuuddoo is executed from a graphical (as opposed to |
|
text-based) application. The program specified by _a_s_k_p_a_s_s |
|
should display the argument passed to it as the prompt and |
|
write the user's password to the standard output. The value of |
|
_a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment |
|
variable. |
|
|
|
noexec The fully-qualified path to a shared library containing dummy |
|
versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library |
|
functions that just return an error. This is used to implement |
|
the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or |
|
its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. |
|
|
|
DDEEBBUUGG FFLLAAGGSS |
|
ssuuddoo versions 1.8.4 and higher support a flexible debugging framework |
|
that can help track down what ssuuddoo is doing internally if there is a |
|
problem. |
|
|
|
A Debug line consists of the Debug keyword, followed by the name of the |
|
program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a |
|
comma-separated list of debug flags. The debug flag syntax used by ssuuddoo |
|
and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to |
|
use a different format so long as it does not include a comma (`,'). |
|
|
|
For instance: |
|
|
|
Debug sudo /var/log/sudo_debug all@warn,plugin@info |
|
|
|
would log all debugging statements at the _w_a_r_n level and higher in |
|
addition to those at the _i_n_f_o level for the plugin subsystem. |
|
|
|
Currently, only one Debug entry per program is supported. The ssuuddoo Debug |
|
entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A |
|
future release may add support for per-plugin Debug lines and/or support |
|
for multiple debugging files for a single program. |
|
|
|
The priorities used by the ssuuddoo front end, in order of decreasing |
|
severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. |
|
Each priority, when specified, also includes all priorities higher than |
|
it. For example, a priority of _n_o_t_i_c_e would include debug messages |
|
logged at _n_o_t_i_c_e and higher. |
|
|
|
The following subsystems are used by the ssuuddoo front-end: |
|
|
|
_a_l_l matches every subsystem |
|
|
|
_a_r_g_s command line argument processing |
|
|
|
_c_o_n_v user conversation |
|
|
|
_e_d_i_t sudoedit |
|
|
|
_e_x_e_c command execution |
|
|
|
_m_a_i_n ssuuddoo main function |
|
|
|
_n_e_t_i_f network interface handling |
|
|
|
_p_c_o_m_m communication with the plugin |
|
|
|
_p_l_u_g_i_n plugin configuration |
|
|
|
_p_t_y pseudo-tty related code |
|
|
|
_s_e_l_i_n_u_x SELinux-specific handling |
|
|
|
_u_t_i_l utility functions |
|
|
|
_u_t_m_p utmp handling |
|
|
|
EEXXIITT VVAALLUUEE |
EEXXIITT VVAALLUUEE |
Upon successful execution of a program, the exit status from _s_u_d_o will |
Upon successful execution of a program, the exit status from _s_u_d_o will |
simply be the exit status of the program that was executed. |
simply be the exit status of the program that was executed. |
Line 524 SSEECCUURRIITTYY NNOOTTEESS
|
Line 442 SSEECCUURRIITTYY NNOOTTEESS
|
disables core dumps by default while it is executing (they are re-enabled |
disables core dumps by default while it is executing (they are re-enabled |
for the command that is run). To aid in debugging ssuuddoo crashes, you may |
for the command that is run). To aid in debugging ssuuddoo crashes, you may |
wish to re-enable core dumps by setting ``disable_coredump'' to false in |
wish to re-enable core dumps by setting ``disable_coredump'' to false in |
the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows: | the sudo.conf(4) file as follows: |
|
|
Set disable_coredump false |
Set disable_coredump false |
|
|
Note that by default, most operating systems disable core dumps from | See the sudo.conf(4) manual for more information. |
setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file | |
you may need to enable core dumps for setuid processes. On BSD and Linux | |
systems this is accomplished via the sysctl command, on Solaris the | |
coreadm command can be used. | |
|
|
EENNVVIIRROONNMMEENNTT |
EENNVVIIRROONNMMEENNTT |
ssuuddoo utilizes the following environment variables. The security policy |
ssuuddoo utilizes the following environment variables. The security policy |
Line 617 EEXXAAMMPPLLEESS
|
Line 531 EEXXAAMMPPLLEESS
|
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" |
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" |
|
|
SSEEEE AALLSSOO |
SSEEEE AALLSSOO |
grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4), | su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudoers(4), |
sudo_plugin(1m), sudoreplay(1m), visudo(1m) |
sudo_plugin(1m), sudoreplay(1m), visudo(1m) |
|
|
HHIISSTTOORRYY |
HHIISSTTOORRYY |
Line 668 DDIISSCCLLAAIIMMEERR
|
Line 582 DDIISSCCLLAAIIMMEERR
|
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
complete details. |
complete details. |
|
|
Sudo 1.8.6 July 10, 2012 Sudo 1.8.6 | Sudo 1.8.10 February 15, 2014 Sudo 1.8.10 |