version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.6, 2014/06/15 16:12:54
|
Line 1
|
Line 1
|
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) | SUDO(1m) System Manager's Manual SUDO(1m) |
|
|
|
|
|
|
NNAAMMEE |
NNAAMMEE |
sudo, sudoedit - execute a command as another user | ssuuddoo, ssuuddooeeddiitt - execute a command as another user |
|
|
SSYYNNOOPPSSIISS |
SSYYNNOOPPSSIISS |
ssuuddoo [--DD _l_e_v_e_l] --hh | --KK | --kk | --VV | ssuuddoo --hh | --KK | --kk | --VV |
| ssuuddoo --vv [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r] |
| ssuuddoo --ll [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--UU _u_s_e_r] |
| [--uu _u_s_e_r] [_c_o_m_m_a_n_d] |
| ssuuddoo [--AAbbEEHHnnPPSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t] |
| [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--uu _u_s_e_r] [_V_A_R=_v_a_l_u_e] [--ii | --ss] |
| [_c_o_m_m_a_n_d] |
| ssuuddooeeddiitt [--AAkknnSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t] |
| [--pp _p_r_o_m_p_t] [--uu _u_s_e_r] _f_i_l_e _._._. |
|
|
ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--DD _l_e_v_e_l] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] |
|
[--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] |
|
|
|
ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--DD _l_e_v_e_l] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] |
|
[--pp _p_r_o_m_p_t] [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] |
|
|
|
ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--DD _l_e_v_e_l] [--cc _c_l_a_s_s|_-] |
|
[--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] |
|
[--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d] |
|
|
|
ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--DD _l_e_v_e_l] |
|
[--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ... |
|
|
|
DDEESSCCRRIIPPTTIIOONN |
DDEESSCCRRIIPPTTIIOONN |
ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or | ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or |
another user, as specified by the security policy. The real and | another user, as specified by the security policy. |
effective uid and gid are set to match those of the target user, as | |
specified in the password database, and the group vector is initialized | |
based on the group database (unless the --PP option was specified). | |
|
|
ssuuddoo supports a plugin architecture for security policies and | ssuuddoo supports a plugin architecture for security policies and |
input/output logging. Third parties can develop and distribute their | input/output logging. Third parties can develop and distribute their own |
own policy and I/O logging modules to work seemlessly with the ssuuddoo | policy and I/O logging plugins to work seamlessly with the ssuuddoo front |
front end. The default security policy is _s_u_d_o_e_r_s, which is configured | end. The default security policy is _s_u_d_o_e_r_s, which is configured via the |
via the file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the PLUGINS section for | file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_l_u_g_i_n_s section for more |
more information. | information. |
|
|
The security policy determines what privileges, if any, a user has to | The security policy determines what privileges, if any, a user has to run |
run ssuuddoo. The policy may require that users authenticate themselves | ssuuddoo. The policy may require that users authenticate themselves with a |
with a password or another authentication mechanism. If authentication | password or another authentication mechanism. If authentication is |
is required, ssuuddoo will exit if the user's password is not entered | required, ssuuddoo will exit if the user's password is not entered within a |
within a configurable time limit. This limit is policy-specific; the | configurable time limit. This limit is policy-specific; the default |
default password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 | password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 minutes. |
minutes. | |
|
|
Security policies may support credential caching to allow the user to | Security policies may support credential caching to allow the user to run |
run ssuuddoo again for a period of time without requiring authentication. | ssuuddoo again for a period of time without requiring authentication. The |
The _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden | _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden in |
in _s_u_d_o_e_r_s(4). By running ssuuddoo with the --vv option, a user can update | sudoers(4). By running ssuuddoo with the --vv option, a user can update the |
the cached credentials without running a _c_o_m_m_a_n_d. | cached credentials without running a _c_o_m_m_a_n_d. |
|
|
When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. | When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. |
|
|
Security policies may log successful and failed attempts to use ssuuddoo. | Security policies may log successful and failed attempts to use ssuuddoo. If |
If an I/O plugin is configured, the running command's input and output | an I/O plugin is configured, the running command's input and output may |
may be logged as well. | be logged as well. |
|
|
OOPPTTIIOONNSS | The options are as follows: |
ssuuddoo accepts the following command line options: | |
|
|
-A Normally, if ssuuddoo requires a password, it will read it from | --AA, ----aasskkppaassss |
the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is | Normally, if ssuuddoo requires a password, it will read it from |
specified, a (possibly graphical) helper program is | the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is |
executed to read the user's password and output the | specified, a (possibly graphical) helper program is executed |
password to the standard output. If the SUDO_ASKPASS | to read the user's password and output the password to the |
environment variable is set, it specifies the path to the | standard output. If the SUDO_ASKPASS environment variable is |
helper program. Otherwise, if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a | set, it specifies the path to the helper program. Otherwise, |
line specifying the askpass program, that value will be | if sudo.conf(4) contains a line specifying the askpass |
used. For example: | program, that value will be used. For example: |
|
|
# Path to askpass helper program | # Path to askpass helper program |
Path askpass /usr/X11R6/bin/ssh-askpass | Path askpass /usr/X11R6/bin/ssh-askpass |
|
|
If no askpass program is available, sudo will exit with an | If no askpass program is available, ssuuddoo will exit with an |
error. | error. |
|
|
-a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the | --aa _t_y_p_e, ----aauutthh--ttyyppee=_t_y_p_e |
specified authentication type when validating the user, as | Use the specified BSD authentication _t_y_p_e when validating the |
allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may | user, if allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system |
specify a list of sudo-specific authentication methods by | administrator may specify a list of sudo-specific |
adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This | authentication methods by adding an ``auth-sudo'' entry in |
option is only available on systems that support BSD | _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only available on systems |
authentication. | that support BSD authentication. |
|
|
-b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given | --bb, ----bbaacckkggrroouunndd |
command in the background. Note that if you use the --bb | Run the given command in the background. Note that it is not |
option you cannot use shell job control to manipulate the | possible to use shell job control to manipulate background |
process. Most interactive commands will fail to work | processes started by ssuuddoo. Most interactive commands will |
properly in background mode. | fail to work properly in background mode. |
|
|
-C _f_d Normally, ssuuddoo will close all open file descriptors other | --CC _n_u_m, ----cclloossee--ffrroomm=_n_u_m |
than standard input, standard output and standard error. | Close all file descriptors greater than or equal to _n_u_m |
The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a | before executing a command. Values less than three are not |
starting point above the standard error (file descriptor | permitted. By default, ssuuddoo will close all open file |
three). Values less than three are not permitted. The | descriptors other than standard input, standard output and |
security policy may restrict the user's ability to use the | standard error when executing a command. The security policy |
--CC option. The _s_u_d_o_e_r_s policy only permits use of the --CC | may restrict the user's ability to use this option. The |
option when the administrator has enabled the | _s_u_d_o_e_r_s policy only permits use of the --CC option when the |
_c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. | administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. |
|
|
-c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified | --cc _c_l_a_s_s, ----llooggiinn--ccllaassss=_c_l_a_s_s |
command with resources limited by the specified login | Run the command with resource limits and scheduling priority |
class. The _c_l_a_s_s argument can be either a class name as | of the specified login _c_l_a_s_s. The _c_l_a_s_s argument can be |
defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. | either a class name as defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a |
Specifying a _c_l_a_s_s of - indicates that the command should | single `-' character. If _c_l_a_s_s is --, the default login class |
be run restricted by the default login capabilities for the | of the target user will be used. Otherwise, the command must |
user the command is run as. If the _c_l_a_s_s argument | be run as the superuser (user ID 0), or ssuuddoo must be run from |
specifies an existing user class, the command must be run | a shell that is already running as the superuser. If the |
as root, or the ssuuddoo command must be run from a shell that | command is being run as a login shell, additional |
is already root. This option is only available on systems | _/_e_t_c_/_l_o_g_i_n_._c_o_n_f settings, such as the umask and environment |
with BSD login classes. | variables, will be applied, if present. This option is only |
| available on systems with BSD login classes. |
|
|
-D _l_e_v_e_l Enable debugging of ssuuddoo plugins and ssuuddoo itself. The | --EE, ----pprreesseerrvvee--eennvv |
_l_e_v_e_l may be a value from 1 through 9. | Indicates to the security policy that the user wishes to |
| preserve their existing environment variables. The security |
| policy may return an error if the user does not have |
| permission to preserve the environment. |
|
|
-E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the | --ee, ----eeddiitt Edit one or more files instead of running a command. In lieu |
security policy that the user wishes to preserve their | of a path name, the string "sudoedit" is used when consulting |
existing environment variables. The security policy may | the security policy. If the user is authorized by the |
return an error if the --EE option is specified and the user | policy, the following steps are taken: |
does not have permission to preserve the environment. | |
|
|
-e The --ee (_e_d_i_t) option indicates that, instead of running a | 1. Temporary copies are made of the files to be edited |
command, the user wishes to edit one or more files. In | |
lieu of a command, the string "sudoedit" is used when | |
consulting the security policy. If the user is authorized | |
by the policy, the following steps are taken: | |
| |
1. Temporary copies are made of the files to be edited | |
with the owner set to the invoking user. |
with the owner set to the invoking user. |
|
|
2. The editor specified by the policy is run to edit the | 2. The editor specified by the policy is run to edit the |
temporary files. The _s_u_d_o_e_r_s policy uses the |
temporary files. The _s_u_d_o_e_r_s policy uses the |
SUDO_EDITOR, VISUAL and EDITOR environment variables |
SUDO_EDITOR, VISUAL and EDITOR environment variables |
(in that order). If none of SUDO_EDITOR, VISUAL or |
(in that order). If none of SUDO_EDITOR, VISUAL or |
EDITOR are set, the first program listed in the _e_d_i_t_o_r |
EDITOR are set, the first program listed in the _e_d_i_t_o_r |
_s_u_d_o_e_r_s(4) option is used. | sudoers(4) option is used. |
|
|
3. If they have been modified, the temporary files are | 3. If they have been modified, the temporary files are |
copied back to their original location and the |
copied back to their original location and the |
temporary versions are removed. |
temporary versions are removed. |
|
|
If the specified file does not exist, it will be created. | If the specified file does not exist, it will be created. |
Note that unlike most commands run by ssuuddoo, the editor is | Note that unlike most commands run by _s_u_d_o, the editor is run |
run with the invoking user's environment unmodified. If, | with the invoking user's environment unmodified. If, for |
for some reason, ssuuddoo is unable to update a file with its | some reason, ssuuddoo is unable to update a file with its edited |
edited version, the user will receive a warning and the | version, the user will receive a warning and the edited copy |
edited copy will remain in a temporary file. | will remain in a temporary file. |
|
|
-g _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to | --gg _g_r_o_u_p, ----ggrroouupp=_g_r_o_u_p |
the one specified by the password database for the user the | Run the command with the primary group set to _g_r_o_u_p instead |
command is being run as (by default, root). The --gg (_g_r_o_u_p) | of the primary group specified by the target user's password |
option causes ssuuddoo to run the command with the primary | database entry. The _g_r_o_u_p may be either a group name or a |
group set to _g_r_o_u_p instead. To specify a _g_i_d instead of a | numeric group ID (GID) prefixed with the `#' character (e.g. |
_g_r_o_u_p _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many | #0 for GID 0). When running a command as a GID, many shells |
shells require that the '#' be escaped with a backslash | require that the `#' be escaped with a backslash (`\'). If |
('\'). If no --uu option is specified, the command will be | no --uu option is specified, the command will be run as the |
run as the invoking user (not root). In either case, the | invoking user. In either case, the primary group will be set |
primary group will be set to _g_r_o_u_p. | to _g_r_o_u_p. |
|
|
-H The --HH (_H_O_M_E) option requests that the security policy set | --HH, ----sseett--hhoommee |
the HOME environment variable to the home directory of the | Request that the security policy set the HOME environment |
target user (root by default) as specified by the password | variable to the home directory specified by the target user's |
database. Depending on the policy, this may be the default | password database entry. Depending on the policy, this may |
behavior. | be the default behavior. |
|
|
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a short help | --hh, ----hheellpp Display a short help message to the standard output and exit. |
message to the standard output and exit. | |
|
|
-i [command] | --hh _h_o_s_t, ----hhoosstt=_h_o_s_t |
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell | Run the command on the specified _h_o_s_t if the security policy |
specified by the password database entry of the target user | plugin supports remote commands. Note that the _s_u_d_o_e_r_s |
as a login shell. This means that login-specific resource | plugin does not currently support running remote commands. |
files such as .profile or .login will be read by the shell. | This may also be used in conjunction with the --ll option to |
If a command is specified, it is passed to the shell for | list a user's privileges for the remote host. |
execution via the shell's --cc option. If no command is | |
specified, an interactive shell is executed. ssuuddoo attempts | |
to change to that user's home directory before running the | |
shell. The security policy shall initialize the | |
environment to a minimal set of variables, similar to what | |
is present when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t | |
section in the _s_u_d_o_e_r_s(4) manual documents how the --ii | |
option affects the environment in which a command is run | |
when the _s_u_d_o_e_r_s policy is in use. | |
|
|
-K The --KK (sure _k_i_l_l) option is like --kk except that it removes | --ii, ----llooggiinn |
the user's cached credentials entirely and may not be used | Run the shell specified by the target user's password |
in conjunction with a command or other option. This option | database entry as a login shell. This means that login- |
does not require a password. Not all security policies | specific resource files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be |
support credential caching. | read by the shell. If a command is specified, it is passed |
| to the shell for execution via the shell's --cc option. If no |
| command is specified, an interactive shell is executed. ssuuddoo |
| attempts to change to that user's home directory before |
| running the shell. The command is run with an environment |
| similar to the one a user would receive at log in. The |
| _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section in the sudoers(4) manual |
| documents how the --ii option affects the environment in which |
| a command is run when the _s_u_d_o_e_r_s policy is in use. |
|
|
-k [command] | --KK, ----rreemmoovvee--ttiimmeessttaammpp |
When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates | Similar to the --kk option, except that it removes the user's |
the user's cached credentials. The next time ssuuddoo is run a | cached credentials entirely and may not be used in |
password will be required. This option does not require a | conjunction with a command or other option. This option does |
password and was added to allow a user to revoke ssuuddoo | not require a password. Not all security policies support |
permissions from a .logout file. Not all security policies | credential caching. |
support credential caching. | |
|
|
When used in conjunction with a command or an option that | --kk, ----rreesseett--ttiimmeessttaammpp |
may require a password, the --kk option will cause ssuuddoo to | When used without a command, invalidates the user's cached |
ignore the user's cached credentials. As a result, ssuuddoo | credentials. In other words, the next time ssuuddoo is run a |
will prompt for a password (if one is required by the | password will be required. This option does not require a |
security policy) and will not update the user's cached | password and was added to allow a user to revoke ssuuddoo |
credentials. | permissions from a _._l_o_g_o_u_t file. |
|
|
-l[l] [_c_o_m_m_a_n_d] | When used in conjunction with a command or an option that may |
If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list | require a password, this option will cause ssuuddoo to ignore the |
the allowed (and forbidden) commands for the invoking user | user's cached credentials. As a result, ssuuddoo will prompt for |
(or the user specified by the --UU option) on the current | a password (if one is required by the security policy) and |
host. If a _c_o_m_m_a_n_d is specified and is permitted by the | will not update the user's cached credentials. |
security policy, the fully-qualified path to the command is | |
displayed along with any command line arguments. If | |
_c_o_m_m_a_n_d is specified but not allowed, ssuuddoo will exit with a | |
status value of 1. If the --ll option is specified with an ll | |
argument (i.e. --llll), or if --ll is specified multiple times, | |
a longer list format is used. | |
|
|
-n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from | Not all security policies support credential caching. |
prompting the user for a password. If a password is | |
required for the command to run, ssuuddoo will display an error | |
messages and exit. | |
|
|
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to | --ll, ----lliisstt If no _c_o_m_m_a_n_d is specified, list the allowed (and forbidden) |
preserve the invoking user's group vector unaltered. By | commands for the invoking user (or the user specified by the |
default, the _s_u_d_o_e_r_s policy will initialize the group | --UU option) on the current host. A longer list format is used |
vector to the list of groups the target user is in. The | if this option is specified multiple times and the security |
real and effective group IDs, however, are still set to | policy supports a verbose output format. |
match the target user. | |
|
|
-p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default | If a _c_o_m_m_a_n_d is specified and is permitted by the security |
password prompt and use a custom one. The following | policy, the fully-qualified path to the command is displayed |
percent (`%') escapes are supported by the _s_u_d_o_e_r_s policy: | along with any command line arguments. If _c_o_m_m_a_n_d is |
| specified but not allowed, ssuuddoo will exit with a status value |
| of 1. |
|
|
%H expanded to the host name including the domain name (on | --nn, ----nnoonn--iinntteerraaccttiivvee |
if the machine's host name is fully qualified or the | Avoid prompting the user for input of any kind. If a |
_f_q_d_n option is set in _s_u_d_o_e_r_s(4)) | password is required for the command to run, ssuuddoo will |
| display an error message and exit. |
|
|
%h expanded to the local host name without the domain name | --PP, ----pprreesseerrvvee--ggrroouuppss |
| Preserve the invoking user's group vector unaltered. By |
| default, the _s_u_d_o_e_r_s policy will initialize the group vector |
| to the list of groups the target user is a member of. The |
| real and effective group IDs, however, are still set to match |
| the target user. |
|
|
%p expanded to the name of the user whose password is | --pp _p_r_o_m_p_t, ----pprroommpptt=_p_r_o_m_p_t |
being requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and | Use a custom password prompt with optional escape sequences. |
_r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s(4)) | The following percent (`%') escape sequences are supported by |
| the _s_u_d_o_e_r_s policy: |
|
|
%U expanded to the login name of the user the command will | %H expanded to the host name including the domain name (on |
be run as (defaults to root unless the -u option is | if the machine's host name is fully qualified or the _f_q_d_n |
also specified) | option is set in sudoers(4)) |
|
|
%u expanded to the invoking user's login name | %h expanded to the local host name without the domain name |
|
|
%% two consecutive % characters are collapsed into a | %p expanded to the name of the user whose password is being |
single % character | requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w |
| flags in sudoers(4)) |
|
|
The prompt specified by the --pp option will override the | %U expanded to the login name of the user the command will |
system password prompt on systems that support PAM unless | be run as (defaults to root unless the --uu option is also |
the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. | specified) |
|
|
-r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security | %u expanded to the invoking user's login name |
context to have the role specified by _r_o_l_e. | |
|
|
-S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from | %% two consecutive `%' characters are collapsed into a |
the standard input instead of the terminal device. The | single `%' character |
password must be followed by a newline character. | |
|
|
-s [command] | The custom prompt will override the system password prompt on |
The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L | systems that support PAM unless the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag |
environment variable if it is set or the shell as specified | is disabled in _s_u_d_o_e_r_s. |
in the password database. If a command is specified, it is | |
passed to the shell for execution via the shell's --cc | |
option. If no command is specified, an interactive shell | |
is executed. | |
|
|
-t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security | --rr _r_o_l_e, ----rroollee=_r_o_l_e |
context to have the type specified by _t_y_p_e. If no type is | Run the command with an SELinux security context that |
specified, the default type is derived from the specified | includes the specified _r_o_l_e. |
role. | |
|
|
-U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the | --SS, ----ssttddiinn |
--ll option to specify the user whose privileges should be | Write the prompt to the standard error and read the password |
listed. The security policy may restrict listing other | from the standard input instead of using the terminal device. |
users' privileges. The _s_u_d_o_e_r_s policy only allows root or | The password must be followed by a newline character. |
a user with the ALL privilege on the current host to use | |
this option. | |
|
|
-u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified | --ss, ----sshheellll |
command as a user other than _r_o_o_t. To specify a _u_i_d | Run the shell specified by the SHELL environment variable if |
instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as | it is set or the shell specified by the invoking user's |
a _u_i_d, many shells require that the '#' be escaped with a | password database entry. If a command is specified, it is |
backslash ('\'). Security policies may restrict _u_i_ds to | passed to the shell for execution via the shell's --cc option. |
those listed in the password database. The _s_u_d_o_e_r_s policy | If no command is specified, an interactive shell is executed. |
allows _u_i_ds that are not in the password database as long | |
as the _t_a_r_g_e_t_p_w option is not set. Other security policies | |
may not support this. | |
|
|
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version | --tt _t_y_p_e, ----ttyyppee=_t_y_p_e |
string and the version string of the security policy plugin | Run the command with an SELinux security context that |
and any I/O plugins. If the invoking user is already root | includes the specified _t_y_p_e. If no _t_y_p_e is specified, the |
the --VV option will display the arguments passed to | default type is derived from the role. |
configure when _s_u_d_o was built and plugins may display more | |
verbose information such as default options. | |
|
|
-v When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the | --UU _u_s_e_r, ----ootthheerr--uusseerr=_u_s_e_r |
user's cached credentials, authenticating the user's | Used in conjunction with the --ll option to list the privileges |
password if necessary. For the _s_u_d_o_e_r_s plugin, this | for _u_s_e_r instead of for the invoking user. The security |
extends the ssuuddoo timeout for another 5 minutes (or whatever | policy may restrict listing other users' privileges. The |
the timeout is set to in _s_u_d_o_e_r_s) but does not run a | _s_u_d_o_e_r_s policy only allows root or a user with the ALL |
command. Not all security policies support cached | privilege on the current host to use this option. |
credentials. | |
|
|
-- The ---- option indicates that ssuuddoo should stop processing | --uu _u_s_e_r, ----uusseerr=_u_s_e_r |
command line arguments. | Run the command as a user other than the default target user |
| (usually _r_o_o_t _)_. The _u_s_e_r may be either a user name or a |
| numeric user ID (UID) prefixed with the `#' character (e.g. |
| #0 for UID 0). When running commands as a UID, many shells |
| require that the `#' be escaped with a backslash (`\'). Some |
| security policies may restrict UIDs to those listed in the |
| password database. The _s_u_d_o_e_r_s policy allows UIDs that are |
| not in the password database as long as the _t_a_r_g_e_t_p_w option |
| is not set. Other security policies may not support this. |
|
|
Environment variables to be set for the command may also be passed on | --VV, ----vveerrssiioonn |
the command line in the form of VVAARR=_v_a_l_u_e, e.g. | Print the ssuuddoo version string as well as the version string |
LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command | of the security policy plugin and any I/O plugins. If the |
line are subject to the same restrictions as normal environment | invoking user is already root the --VV option will display the |
variables with one important exception. If the _s_e_t_e_n_v option is set in | arguments passed to configure when ssuuddoo was built and plugins |
_s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command | may display more verbose information such as default options. |
matched is ALL, the user may set variables that would overwise be | |
forbidden. See _s_u_d_o_e_r_s(4) for more information. | |
|
|
PPLLUUGGIINNSS | --vv, ----vvaalliiddaattee |
Plugins are dynamically loaded based on the contents of the | Update the user's cached credentials, authenticating the user |
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it | if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo |
contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s | timeout for another 5 minutes by default, but does not run a |
security policy and I/O logging, which corresponds to the following | command. Not all security policies support cached |
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. | credentials. |
|
|
# | ---- The ---- option indicates that ssuuddoo should stop processing |
# Default /etc/sudo.conf file | command line arguments. |
# | |
# Format: | |
# Plugin plugin_name plugin_path | |
# Path askpass /path/to/askpass | |
# Path noexec /path/to/noexec.so | |
# | |
# The plugin_path is relative to /usr/local/libexec unless | |
# fully qualified. | |
# The plugin_name corresponds to a global symbol in the plugin | |
# that contains the plugin interface structure. | |
# | |
Plugin policy_plugin sudoers.so | |
Plugin io_plugin sudoers.so | |
|
|
A Plugin line consists of the Plugin keyword, followed by the | Environment variables to be set for the command may also be passed on the |
_s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin. | command line in the form of _V_A_R=_v_a_l_u_e, e.g. |
The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct | LD_LIBRARY_PATH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line |
io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified | are subject to restrictions imposed by the security policy plugin. The |
or relative. If not fully qualified it is relative to the | _s_u_d_o_e_r_s policy subjects variables passed on the command line to the same |
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h | restrictions as normal environment variables with one important |
are ignored. Lines that don't begin with Plugin or Path are silently | exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the command to be run |
ignored | has the SETENV tag set or the command matched is ALL, the user may set |
| variables that would otherwise be forbidden. See sudoers(4) for more |
| information. |
|
|
For more information, see the _s_u_d_o___p_l_u_g_i_n(1m) manual. | CCOOMMMMAANNDD EEXXEECCUUTTIIOONN |
| When ssuuddoo executes a command, the security policy specifies the execution |
| environment for the command. Typically, the real and effective user and |
| group and IDs are set to match those of the target user, as specified in |
| the password database, and the group vector is initialized based on the |
| group database (unless the --PP option was specified). |
|
|
PPAATTHHSS | The following parameters may be specified by security policy: |
A Path line consists of the Path keyword, followed by the name of the | |
path to set and its value. E.g. | |
|
|
Path noexec /usr/local/libexec/sudo_noexec.so | oo real and effective user ID |
Path askpass /usr/X11R6/bin/ssh-askpass | |
|
|
The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f | oo real and effective group ID |
file. | |
|
|
askpass The fully qualified path to a helper program used to | oo supplementary group IDs |
read the user's password when no terminal is available. | |
This may be the case when ssuuddoo is executed from a | |
graphical (as opposed to text-based) application. The | |
program specified by _a_s_k_p_a_s_s should display the | |
argument passed to it as the prompt and write the | |
user's password to the standard output. The value of | |
_a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS | |
environment variable. | |
|
|
noexec The fully-qualified path to a shared library containing | oo the environment list |
dummy versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) | |
library functions that just return an error. This is | |
used to implement the _n_o_e_x_e_c functionality on systems | |
that support LD_PRELOAD or its equivalent. Defaults to | |
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. | |
|
|
RREETTUURRNN VVAALLUUEESS | oo current working directory |
Upon successful execution of a program, the exit status from ssuuddoo will | |
simply be the exit status of the program that was executed. | |
|
|
Otherwise, ssuuddoo exits with a value of 1 if there is a | oo file creation mode mask (umask) |
configuration/permission problem or if ssuuddoo cannot execute the given | |
command. In the latter case the error string is printed to the | |
standard error. If ssuuddoo cannot _s_t_a_t(2) one or more entries in the | |
user's PATH, an error is printed on stderr. (If the directory does not | |
exist or if it is not really a directory, the entry is ignored and no | |
error is printed.) This should not happen under normal circumstances. | |
The most common reason for _s_t_a_t(2) to return "permission denied" is if | |
you are running an automounter and one of the directories in your PATH | |
is on a machine that is currently unreachable. | |
|
|
|
oo SELinux role and type |
|
|
|
oo Solaris project |
|
|
|
oo Solaris privileges |
|
|
|
oo BSD login class |
|
|
|
oo scheduling priority (aka nice value) |
|
|
|
PPrroocceessss mmooddeell |
|
When ssuuddoo runs a command, it calls fork(2), sets up the execution |
|
environment as described above, and calls the execve system call in the |
|
child process. The main ssuuddoo process waits until the command has |
|
completed, then passes the command's exit status to the security policy's |
|
close function and exits. If an I/O logging plugin is configured or if |
|
the security policy explicitly requests it, a new pseudo-terminal |
|
(``pty'') is created and a second ssuuddoo process is used to relay job |
|
control signals between the user's existing pty and the new pty the |
|
command is being run in. This extra process makes it possible to, for |
|
example, suspend and resume the command. Without it, the command would |
|
be in what POSIX terms an ``orphaned process group'' and it would not |
|
receive any job control signals. As a special case, if the policy plugin |
|
does not define a close function and no pty is required, ssuuddoo will |
|
execute the command directly instead of calling fork(2) first. The |
|
_s_u_d_o_e_r_s policy plugin will only define a close function when I/O logging |
|
is enabled, a pty is required, or the _p_a_m___s_e_s_s_i_o_n or _p_a_m___s_e_t_c_r_e_d options |
|
are enabled. Note that _p_a_m___s_e_s_s_i_o_n and _p_a_m___s_e_t_c_r_e_d are enabled by |
|
default on systems using PAM. |
|
|
|
SSiiggnnaall hhaannddlliinngg |
|
When the command is run as a child of the ssuuddoo process, ssuuddoo will relay |
|
signals it receives to the command. Unless the command is being run in a |
|
new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed unless |
|
they are sent by a user process, not the kernel. Otherwise, the command |
|
would receive SIGINT twice every time the user entered control-C. Some |
|
signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will not |
|
be relayed to the command. As a general rule, SIGTSTP should be used |
|
instead of SIGSTOP when you wish to suspend a command being run by ssuuddoo. |
|
|
|
As a special case, ssuuddoo will not relay signals that were sent by the |
|
command it is running. This prevents the command from accidentally |
|
killing itself. On some systems, the reboot(1m) command sends SIGTERM to |
|
all non-system processes other than itself before rebooting the system. |
|
This prevents ssuuddoo from relaying the SIGTERM signal it received back to |
|
reboot(1m), which might then exit before the system was actually rebooted, |
|
leaving it in a half-dead state similar to single user mode. Note, |
|
however, that this check only applies to the command run by ssuuddoo and not |
|
any other processes that the command may create. As a result, running a |
|
script that calls reboot(1m) or shutdown(1m) via ssuuddoo may cause the system |
|
to end up in this undefined state unless the reboot(1m) or shutdown(1m) are |
|
run using the eexxeecc() family of functions instead of ssyysstteemm() (which |
|
interposes a shell between the command and the calling process). |
|
|
|
If no I/O logging plugins are loaded and the policy plugin has not |
|
defined a cclloossee() function, set a command timeout or required that the |
|
command be run in a new pty, ssuuddoo may execute the command directly |
|
instead of running it as a child process. |
|
|
|
PPlluuggiinnss |
|
Plugins may be specified via Plugin directives in the sudo.conf(4) file. |
|
They may be loaded as dynamic shared objects (on systems that support |
|
them), or compiled directly into the ssuuddoo binary. If no sudo.conf(4) |
|
file is present, or it contains no Plugin lines, ssuuddoo will use the |
|
traditional _s_u_d_o_e_r_s security policy and I/O logging. See the |
|
sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f file and the |
|
sudo_plugin(1m) manual for more information about the ssuuddoo plugin |
|
architecture. |
|
|
|
EEXXIITT VVAALLUUEE |
|
Upon successful execution of a program, the exit status from _s_u_d_o will |
|
simply be the exit status of the program that was executed. |
|
|
|
Otherwise, ssuuddoo exits with a value of 1 if there is a |
|
configuration/permission problem or if ssuuddoo cannot execute the given |
|
command. In the latter case the error string is printed to the standard |
|
error. If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an |
|
error is printed on stderr. (If the directory does not exist or if it is |
|
not really a directory, the entry is ignored and no error is printed.) |
|
This should not happen under normal circumstances. The most common |
|
reason for stat(2) to return ``permission denied'' is if you are running |
|
an automounter and one of the directories in your PATH is on a machine |
|
that is currently unreachable. |
|
|
SSEECCUURRIITTYY NNOOTTEESS |
SSEECCUURRIITTYY NNOOTTEESS |
ssuuddoo tries to be safe when executing external commands. | ssuuddoo tries to be safe when executing external commands. |
|
|
To prevent command spoofing, ssuuddoo checks "." and "" (both denoting | To prevent command spoofing, ssuuddoo checks "." and "" (both denoting |
current directory) last when searching for a command in the user's PATH | current directory) last when searching for a command in the user's PATH |
(if one or both are in the PATH). Note, however, that the actual PATH | (if one or both are in the PATH). Note, however, that the actual PATH |
environment variable is _n_o_t modified and is passed unchanged to the | environment variable is _n_o_t modified and is passed unchanged to the |
program that ssuuddoo executes. | program that ssuuddoo executes. |
|
|
Please note that ssuuddoo will normally only log the command it explicitly | Please note that ssuuddoo will normally only log the command it explicitly |
runs. If a user runs a command such as sudo su or sudo sh, subsequent | runs. If a user runs a command such as sudo su or sudo sh, subsequent |
commands run from that shell are not subject to ssuuddoo's security policy. | commands run from that shell are not subject to ssuuddoo's security policy. |
The same is true for commands that offer shell escapes (including most | The same is true for commands that offer shell escapes (including most |
editors). If I/O logging is enabled, subsequent commands will have | editors). If I/O logging is enabled, subsequent commands will have their |
their input and/or output logged, but there will not be traditional | input and/or output logged, but there will not be traditional logs for |
logs for those commands. Because of this, care must be taken when | those commands. Because of this, care must be taken when giving users |
giving users access to commands via ssuuddoo to verify that the command | access to commands via ssuuddoo to verify that the command does not |
does not inadvertently give the user an effective root shell. For more | inadvertently give the user an effective root shell. For more |
information, please see the PREVENTING SHELL ESCAPES section in | information, please see the _P_R_E_V_E_N_T_I_N_G _S_H_E_L_L _E_S_C_A_P_E_S section in |
_s_u_d_o_e_r_s(4). | sudoers(4). |
|
|
|
To prevent the disclosure of potentially sensitive information, ssuuddoo |
|
disables core dumps by default while it is executing (they are re-enabled |
|
for the command that is run). To aid in debugging ssuuddoo crashes, you may |
|
wish to re-enable core dumps by setting ``disable_coredump'' to false in |
|
the sudo.conf(4) file as follows: |
|
|
|
Set disable_coredump false |
|
|
|
See the sudo.conf(4) manual for more information. |
|
|
EENNVVIIRROONNMMEENNTT |
EENNVVIIRROONNMMEENNTT |
ssuuddoo utilizes the following environment variables. The security policy | ssuuddoo utilizes the following environment variables. The security policy |
has control over the content of the command's environment. | has control over the actual content of the command's environment. |
|
|
EDITOR Default editor to use in --ee (sudoedit) mode if neither | EDITOR Default editor to use in --ee (sudoedit) mode if neither |
SUDO_EDITOR nor VISUAL is set | SUDO_EDITOR nor VISUAL is set. |
|
|
MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set | MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set |
to the mail spool of the target user | to the mail spool of the target user. |
|
|
HOME Set to the home directory of the target user if --ii or | HOME Set to the home directory of the target user if --ii or --HH |
--HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set | are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set in |
in _s_u_d_o_e_r_s, or when the --ss option is specified and | _s_u_d_o_e_r_s, or when the --ss option is specified and _s_e_t___h_o_m_e |
_s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s | is set in _s_u_d_o_e_r_s. |
|
|
PATH May be overridden by the security policy. | PATH May be overridden by the security policy. |
|
|
SHELL Used to determine shell to run with -s option | SHELL Used to determine shell to run with --ss option. |
|
|
SUDO_ASKPASS Specifies the path to a helper program used to read the | SUDO_ASKPASS Specifies the path to a helper program used to read the |
password if no terminal is available or if the -A | password if no terminal is available or if the --AA option |
option is specified. | is specified. |
|
|
SUDO_COMMAND Set to the command run by sudo | SUDO_COMMAND Set to the command run by sudo. |
|
|
SUDO_EDITOR Default editor to use in --ee (sudoedit) mode | SUDO_EDITOR Default editor to use in --ee (sudoedit) mode. |
|
|
SUDO_GID Set to the group ID of the user who invoked sudo | SUDO_GID Set to the group ID of the user who invoked sudo. |
|
|
SUDO_PROMPT Used as the default password prompt | SUDO_PROMPT Used as the default password prompt. |
|
|
SUDO_PS1 If set, PS1 will be set to its value for the program | SUDO_PS1 If set, PS1 will be set to its value for the program |
being run | being run. |
|
|
SUDO_UID Set to the user ID of the user who invoked sudo | SUDO_UID Set to the user ID of the user who invoked sudo. |
|
|
SUDO_USER Set to the login of the user who invoked sudo | SUDO_USER Set to the login name of the user who invoked sudo. |
|
|
USER Set to the target user (root unless the --uu option is | USER Set to the target user (root unless the --uu option is |
specified) | specified). |
|
|
VISUAL Default editor to use in --ee (sudoedit) mode if | VISUAL Default editor to use in --ee (sudoedit) mode if |
SUDO_EDITOR is not set | SUDO_EDITOR is not set. |
|
|
FFIILLEESS |
FFIILLEESS |
_/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo plugin and path configuration | _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration |
|
|
EEXXAAMMPPLLEESS |
EEXXAAMMPPLLEESS |
Note: the following examples assume a properly configured security | Note: the following examples assume a properly configured security |
policy. | policy. |
|
|
To get a file listing of an unreadable directory: | To get a file listing of an unreadable directory: |
|
|
$ sudo ls /usr/local/protected | $ sudo ls /usr/local/protected |
|
|
To list the home directory of user yaz on a machine where the file | To list the home directory of user yaz on a machine where the file system |
system holding ~yaz is not exported as root: | holding ~yaz is not exported as root: |
|
|
$ sudo -u yaz ls ~yaz | $ sudo -u yaz ls ~yaz |
|
|
To edit the _i_n_d_e_x_._h_t_m_l file as user www: | To edit the _i_n_d_e_x_._h_t_m_l file as user www: |
|
|
$ sudo -u www vi ~www/htdocs/index.html | $ sudo -u www vi ~www/htdocs/index.html |
|
|
To view system logs only accessible to root and users in the adm group: | To view system logs only accessible to root and users in the adm group: |
|
|
$ sudo -g adm view /var/log/syslog | $ sudo -g adm view /var/log/syslog |
|
|
To run an editor as jim with a different primary group: | To run an editor as jim with a different primary group: |
|
|
$ sudo -u jim -g audio vi ~jim/sound.txt | $ sudo -u jim -g audio vi ~jim/sound.txt |
|
|
To shutdown a machine: | To shut down a machine: |
|
|
$ sudo shutdown -r +15 "quick reboot" | $ sudo shutdown -r +15 "quick reboot" |
|
|
To make a usage listing of the directories in the /home partition. | To make a usage listing of the directories in the /home partition. Note |
Note that this runs the commands in a sub-shell to make the cd and file | that this runs the commands in a sub-shell to make the cd and file |
redirection work. | redirection work. |
|
|
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" | $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" |
|
|
SSEEEE AALLSSOO |
SSEEEE AALLSSOO |
_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), | su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudoers(4), |
_s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m) | sudo_plugin(1m), sudoreplay(1m), visudo(1m) |
|
|
|
HHIISSTTOORRYY |
|
See the HISTORY file in the ssuuddoo distribution |
|
(http://www.sudo.ws/sudo/history.html) for a brief history of sudo. |
|
|
AAUUTTHHOORRSS |
AAUUTTHHOORRSS |
Many people have worked on ssuuddoo over the years; this version consists | Many people have worked on ssuuddoo over the years; this version consists of |
of code written primarily by: | code written primarily by: |
|
|
Todd C. Miller | Todd C. Miller |
|
|
See the HISTORY file in the ssuuddoo distribution or visit | See the CONTRIBUTORS file in the ssuuddoo distribution |
http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. | (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of |
| people who have contributed to ssuuddoo. |
|
|
CCAAVVEEAATTSS |
CCAAVVEEAATTSS |
There is no easy way to prevent a user from gaining a root shell if | There is no easy way to prevent a user from gaining a root shell if that |
that user is allowed to run arbitrary commands via ssuuddoo. Also, many | user is allowed to run arbitrary commands via ssuuddoo. Also, many programs |
programs (such as editors) allow the user to run commands via shell | (such as editors) allow the user to run commands via shell escapes, thus |
escapes, thus avoiding ssuuddoo's checks. However, on most systems it is | avoiding ssuuddoo's checks. However, on most systems it is possible to |
possible to prevent shell escapes with the _s_u_d_o_e_r_s(4) module's _n_o_e_x_e_c | prevent shell escapes with the sudoers(4) plugin's _n_o_e_x_e_c functionality. |
functionality. | |
|
|
It is not meaningful to run the cd command directly via sudo, e.g., | It is not meaningful to run the cd command directly via sudo, e.g., |
|
|
$ sudo cd /usr/local/protected | $ sudo cd /usr/local/protected |
|
|
since when the command exits the parent process (your shell) will still | since when the command exits the parent process (your shell) will still |
be the same. Please see the EXAMPLES section for more information. | be the same. Please see the _E_X_A_M_P_L_E_S section for more information. |
|
|
Running shell scripts via ssuuddoo can expose the same kernel bugs that | Running shell scripts via ssuuddoo can expose the same kernel bugs that make |
make setuid shell scripts unsafe on some operating systems (if your OS | setuid shell scripts unsafe on some operating systems (if your OS has a |
has a /dev/fd/ directory, setuid shell scripts are generally safe). | /dev/fd/ directory, setuid shell scripts are generally safe). |
|
|
BBUUGGSS |
BBUUGGSS |
If you feel you have found a bug in ssuuddoo, please submit a bug report at | If you feel you have found a bug in ssuuddoo, please submit a bug report at |
http://www.sudo.ws/sudo/bugs/ | http://www.sudo.ws/sudo/bugs/ |
|
|
SSUUPPPPOORRTT |
SSUUPPPPOORRTT |
Limited free support is available via the sudo-users mailing list, see | Limited free support is available via the sudo-users mailing list, see |
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search | http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the |
the archives. | archives. |
|
|
DDIISSCCLLAAIIMMEERR |
DDIISSCCLLAAIIMMEERR |
ssuuddoo is provided ``AS IS'' and any express or implied warranties, | ssuuddoo is provided ``AS IS'' and any express or implied warranties, |
including, but not limited to, the implied warranties of | including, but not limited to, the implied warranties of merchantability |
merchantability and fitness for a particular purpose are disclaimed. | and fitness for a particular purpose are disclaimed. See the LICENSE |
See the LICENSE file distributed with ssuuddoo or | file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
http://www.sudo.ws/sudo/license.html for complete details. | complete details. |
|
|
| Sudo 1.8.10 February 15, 2014 Sudo 1.8.10 |
| |
1.8.3 September 16, 2011 SUDO(1m) | |