|
version 1.1.1.4, 2013/07/22 10:46:11
|
version 1.1.1.6, 2014/06/15 16:12:54
|
|
Line 5 N�NA�AM�ME�E
|
Line 5 N�NA�AM�ME�E
|
| |
|
| S�SY�YN�NO�OP�PS�SI�IS�S |
S�SY�YN�NO�OP�PS�SI�IS�S |
| s�su�ud�do�o -�-h�h | -�-K�K | -�-k�k | -�-V�V |
s�su�ud�do�o -�-h�h | -�-K�K | -�-k�k | -�-V�V |
| s�su�ud�do�o -�-v�v [-�-A�Ak�kn�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e | _�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] | s�su�ud�do�o -�-v�v [-�-A�Ak�kn�nS�S] [-�-a�a _�t_�y_�p_�e] [-�-g�g _�g_�r_�o_�u_�p] [-�-h�h _�h_�o_�s_�t] [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-u�u _�u_�s_�e_�r] |
| [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e | _�#_�u_�i_�d] | s�su�ud�do�o -�-l�l [-�-A�Ak�kn�nS�S] [-�-a�a _�t_�y_�p_�e] [-�-g�g _�g_�r_�o_�u_�p] [-�-h�h _�h_�o_�s_�t] [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-U�U _�u_�s_�e_�r] |
| s�su�ud�do�o -�-l�l[_�l] [-�-A�Ak�kn�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e | _�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] | [-�-u�u _�u_�s_�e_�r] [_�c_�o_�m_�m_�a_�n_�d] |
| [-�-U�U _�u_�s_�e_�r _�n_�a_�m_�e] [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e | _�#_�u_�i_�d] [_�c_�o_�m_�m_�a_�n_�d] | s�su�ud�do�o [-�-A�Ab�bE�EH�Hn�nP�PS�S] [-�-a�a _�t_�y_�p_�e] [-�-C�C _�n_�u_�m] [-�-c�c _�c_�l_�a_�s_�s] [-�-g�g _�g_�r_�o_�u_�p] [-�-h�h _�h_�o_�s_�t] |
| s�su�ud�do�o [-�-A�Ab�bE�EH�Hn�nP�PS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-C�C _�f_�d] [-�-c�c _�c_�l_�a_�s_�s | _�-] | [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-r�r _�r_�o_�l_�e] [-�-t�t _�t_�y_�p_�e] [-�-u�u _�u_�s_�e_�r] [_�V_�A_�R=_�v_�a_�l_�u_�e] [-�-i�i | -�-s�s] |
| [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e | _�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-r�r _�r_�o_�l_�e] [-�-t�t _�t_�y_�p_�e] | [_�c_�o_�m_�m_�a_�n_�d] |
| [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e | _�#_�u_�i_�d] [V�VA�AR�R=_�v_�a_�l_�u_�e] -�-i�i | -�-s�s [_�c_�o_�m_�m_�a_�n_�d] | s�su�ud�do�oe�ed�di�it�t [-�-A�Ak�kn�nS�S] [-�-a�a _�t_�y_�p_�e] [-�-C�C _�n_�u_�m] [-�-c�c _�c_�l_�a_�s_�s] [-�-g�g _�g_�r_�o_�u_�p] [-�-h�h _�h_�o_�s_�t] |
| s�su�ud�do�oe�ed�di�it�t [-�-A�An�nS�S] [-�-a�a _�a_�u_�t_�h_�__�t_�y_�p_�e] [-�-C�C _�f_�d] [-�-c�c _�c_�l_�a_�s_�s | _�-] | [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-u�u _�u_�s_�e_�r] _�f_�i_�l_�e _�._�._�. |
| [-�-g�g _�g_�r_�o_�u_�p _�n_�a_�m_�e | _�#_�g_�i_�d] [-�-p�p _�p_�r_�o_�m_�p_�t] [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e | _�#_�u_�i_�d] file | |
| ... | |
| |
|
| D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N |
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N |
| s�su�ud�do�o allows a permitted user to execute a _�c_�o_�m_�m_�a_�n_�d as the superuser or |
s�su�ud�do�o allows a permitted user to execute a _�c_�o_�m_�m_�a_�n_�d as the superuser or |
|
Line 48 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 46 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| |
|
| The options are as follows: |
The options are as follows: |
| |
|
| -�-A�A Normally, if s�su�ud�do�o requires a password, it will read it from | -�-A�A, -�--�-a�as�sk�kp�pa�as�ss�s |
| | Normally, if s�su�ud�do�o requires a password, it will read it from |
| the user's terminal. If the -�-A�A (_�a_�s_�k_�p_�a_�s_�s) option is |
the user's terminal. If the -�-A�A (_�a_�s_�k_�p_�a_�s_�s) option is |
| specified, a (possibly graphical) helper program is executed |
specified, a (possibly graphical) helper program is executed |
| to read the user's password and output the password to the |
to read the user's password and output the password to the |
|
Line 63 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 62 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| If no askpass program is available, s�su�ud�do�o will exit with an |
If no askpass program is available, s�su�ud�do�o will exit with an |
| error. |
error. |
| |
|
| -�-a�a _�t_�y_�p_�e The -�-a�a (_�a_�u_�t_�h_�e_�n_�t_�i_�c_�a_�t_�i_�o_�n _�t_�y_�p_�e) option causes s�su�ud�do�o to use the | -�-a�a _�t_�y_�p_�e, -�--�-a�au�ut�th�h-�-t�ty�yp�pe�e=_�t_�y_�p_�e |
| specified authentication type when validating the user, as | Use the specified BSD authentication _�t_�y_�p_�e when validating the |
| allowed by _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. The system administrator may | user, if allowed by _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. The system |
| specify a list of sudo-specific authentication methods by | administrator may specify a list of sudo-specific |
| adding an ``auth-sudo'' entry in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. This | authentication methods by adding an ``auth-sudo'' entry in |
| option is only available on systems that support BSD | _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f. This option is only available on systems |
| authentication. | that support BSD authentication. |
| |
|
| -�-b�b The -�-b�b (_�b_�a_�c_�k_�g_�r_�o_�u_�n_�d) option tells s�su�ud�do�o to run the given | -�-b�b, -�--�-b�ba�ac�ck�kg�gr�ro�ou�un�nd�d |
| command in the background. Note that if you use the -�-b�b | Run the given command in the background. Note that it is not |
| option you cannot use shell job control to manipulate the | possible to use shell job control to manipulate background |
| process. Most interactive commands will fail to work | processes started by s�su�ud�do�o. Most interactive commands will |
| properly in background mode. | fail to work properly in background mode. |
| |
|
| -�-C�C _�f_�d Normally, s�su�ud�do�o will close all open file descriptors other | -�-C�C _�n_�u_�m, -�--�-c�cl�lo�os�se�e-�-f�fr�ro�om�m=_�n_�u_�m |
| than standard input, standard output and standard error. The | Close all file descriptors greater than or equal to _�n_�u_�m |
| -�-C�C (_�c_�l_�o_�s_�e _�f_�r_�o_�m) option allows the user to specify a starting | before executing a command. Values less than three are not |
| point above the standard error (file descriptor three). | permitted. By default, s�su�ud�do�o will close all open file |
| Values less than three are not permitted. The security | descriptors other than standard input, standard output and |
| policy may restrict the user's ability to use the -�-C�C option. | standard error when executing a command. The security policy |
| The _�s_�u_�d_�o_�e_�r_�s policy only permits use of the -�-C�C option when the | may restrict the user's ability to use this option. The |
| | _�s_�u_�d_�o_�e_�r_�s policy only permits use of the -�-C�C option when the |
| administrator has enabled the _�c_�l_�o_�s_�e_�f_�r_�o_�m_�__�o_�v_�e_�r_�r_�i_�d_�e option. |
administrator has enabled the _�c_�l_�o_�s_�e_�f_�r_�o_�m_�__�o_�v_�e_�r_�r_�i_�d_�e option. |
| |
|
| -�-c�c _�c_�l_�a_�s_�s The -�-c�c (_�c_�l_�a_�s_�s) option causes s�su�ud�do�o to run the specified | -�-c�c _�c_�l_�a_�s_�s, -�--�-l�lo�og�gi�in�n-�-c�cl�la�as�ss�s=_�c_�l_�a_�s_�s |
| command with resources limited by the specified login class. | Run the command with resource limits and scheduling priority |
| The _�c_�l_�a_�s_�s argument can be either a class name as defined in | of the specified login _�c_�l_�a_�s_�s. The _�c_�l_�a_�s_�s argument can be |
| _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f, or a single `-' character. Specifying a | either a class name as defined in _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f, or a |
| _�c_�l_�a_�s_�s of - indicates that the command should be run | single `-' character. If _�c_�l_�a_�s_�s is -�-, the default login class |
| restricted by the default login capabilities for the user the | of the target user will be used. Otherwise, the command must |
| command is run as. If the _�c_�l_�a_�s_�s argument specifies an | be run as the superuser (user ID 0), or s�su�ud�do�o must be run from |
| existing user class, the command must be run as root, or the | a shell that is already running as the superuser. If the |
| s�su�ud�do�o command must be run from a shell that is already root. | command is being run as a login shell, additional |
| This option is only available on systems with BSD login | _�/_�e_�t_�c_�/_�l_�o_�g_�i_�n_�._�c_�o_�n_�f settings, such as the umask and environment |
| classes. | variables, will be applied, if present. This option is only |
| | available on systems with BSD login classes. |
| |
|
| -�-E�E The -�-E�E (_�p_�r_�e_�s_�e_�r_�v_�e _�e_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t) option indicates to the | -�-E�E, -�--�-p�pr�re�es�se�er�rv�ve�e-�-e�en�nv�v |
| security policy that the user wishes to preserve their | Indicates to the security policy that the user wishes to |
| existing environment variables. The security policy may | preserve their existing environment variables. The security |
| return an error if the -�-E�E option is specified and the user | policy may return an error if the user does not have |
| does not have permission to preserve the environment. | permission to preserve the environment. |
| |
|
| -�-e�e The -�-e�e (_�e_�d_�i_�t) option indicates that, instead of running a | -�-e�e, -�--�-e�ed�di�it�t Edit one or more files instead of running a command. In lieu |
| command, the user wishes to edit one or more files. In lieu | of a path name, the string "sudoedit" is used when consulting |
| of a command, the string "sudoedit" is used when consulting | |
| the security policy. If the user is authorized by the |
the security policy. If the user is authorized by the |
| policy, the following steps are taken: |
policy, the following steps are taken: |
| |
|
|
Line 131 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 131 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| version, the user will receive a warning and the edited copy |
version, the user will receive a warning and the edited copy |
| will remain in a temporary file. |
will remain in a temporary file. |
| |
|
| -�-g�g _�g_�r_�o_�u_�p Normally, s�su�ud�do�o runs a command with the primary group set to | -�-g�g _�g_�r_�o_�u_�p, -�--�-g�gr�ro�ou�up�p=_�g_�r_�o_�u_�p |
| the one specified by the password database for the user the | Run the command with the primary group set to _�g_�r_�o_�u_�p instead |
| command is being run as (by default, root). The -�-g�g (_�g_�r_�o_�u_�p) | of the primary group specified by the target user's password |
| option causes s�su�ud�do�o to run the command with the primary group | database entry. The _�g_�r_�o_�u_�p may be either a group name or a |
| set to _�g_�r_�o_�u_�p instead. To specify a _�g_�i_�d instead of a _�g_�r_�o_�u_�p | numeric group ID (GID) prefixed with the `#' character (e.g. |
| _�n_�a_�m_�e, use _�#_�g_�i_�d. When running commands as a _�g_�i_�d, many shells | #0 for GID 0). When running a command as a GID, many shells |
| require that the `#' be escaped with a backslash (`\'). If |
require that the `#' be escaped with a backslash (`\'). If |
| no -�-u�u option is specified, the command will be run as the |
no -�-u�u option is specified, the command will be run as the |
| invoking user (not root). In either case, the primary group | invoking user. In either case, the primary group will be set |
| will be set to _�g_�r_�o_�u_�p. | to _�g_�r_�o_�u_�p. |
| |
|
| -�-H�H The -�-H�H (_�H_�O_�M_�E) option requests that the security policy set | -�-H�H, -�--�-s�se�et�t-�-h�ho�om�me�e |
| the HOME environment variable to the home directory of the | Request that the security policy set the HOME environment |
| target user (root by default) as specified by the password | variable to the home directory specified by the target user's |
| database. Depending on the policy, this may be the default | password database entry. Depending on the policy, this may |
| behavior. | be the default behavior. |
| |
|
| -�-h�h The -�-h�h (_�h_�e_�l_�p) option causes s�su�ud�do�o to print a short help | -�-h�h, -�--�-h�he�el�lp�p Display a short help message to the standard output and exit. |
| message to the standard output and exit. | |
| |
|
| -�-i�i [_�c_�o_�m_�m_�a_�n_�d] | -�-h�h _�h_�o_�s_�t, -�--�-h�ho�os�st�t=_�h_�o_�s_�t |
| The -�-i�i (_�s_�i_�m_�u_�l_�a_�t_�e _�i_�n_�i_�t_�i_�a_�l _�l_�o_�g_�i_�n) option runs the shell | Run the command on the specified _�h_�o_�s_�t if the security policy |
| specified by the password database entry of the target user | plugin supports remote commands. Note that the _�s_�u_�d_�o_�e_�r_�s |
| as a login shell. This means that login-specific resource | plugin does not currently support running remote commands. |
| files such as _�._�p_�r_�o_�f_�i_�l_�e or _�._�l_�o_�g_�i_�n will be read by the shell. | This may also be used in conjunction with the -�-l�l option to |
| If a command is specified, it is passed to the shell for | list a user's privileges for the remote host. |
| execution via the shell's -�-c�c option. If no command is | |
| specified, an interactive shell is executed. s�su�ud�do�o attempts | |
| to change to that user's home directory before running the | |
| shell. The security policy shall initialize the environment | |
| to a minimal set of variables, similar to what is present | |
| when a user logs in. The _�C_�o_�m_�m_�a_�n_�d _�E_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t section in the | |
| sudoers(4) manual documents how the -�-i�i option affects the | |
| environment in which a command is run when the _�s_�u_�d_�o_�e_�r_�s policy | |
| is in use. | |
| |
|
| -�-K�K The -�-K�K (sure _�k_�i_�l_�l) option is like -�-k�k except that it removes | -�-i�i, -�--�-l�lo�og�gi�in�n |
| the user's cached credentials entirely and may not be used in | Run the shell specified by the target user's password |
| | database entry as a login shell. This means that login- |
| | specific resource files such as _�._�p_�r_�o_�f_�i_�l_�e or _�._�l_�o_�g_�i_�n will be |
| | read by the shell. If a command is specified, it is passed |
| | to the shell for execution via the shell's -�-c�c option. If no |
| | command is specified, an interactive shell is executed. s�su�ud�do�o |
| | attempts to change to that user's home directory before |
| | running the shell. The command is run with an environment |
| | similar to the one a user would receive at log in. The |
| | _�C_�o_�m_�m_�a_�n_�d _�E_�n_�v_�i_�r_�o_�n_�m_�e_�n_�t section in the sudoers(4) manual |
| | documents how the -�-i�i option affects the environment in which |
| | a command is run when the _�s_�u_�d_�o_�e_�r_�s policy is in use. |
| | |
| | -�-K�K, -�--�-r�re�em�mo�ov�ve�e-�-t�ti�im�me�es�st�ta�am�mp�p |
| | Similar to the -�-k�k option, except that it removes the user's |
| | cached credentials entirely and may not be used in |
| conjunction with a command or other option. This option does |
conjunction with a command or other option. This option does |
| not require a password. Not all security policies support |
not require a password. Not all security policies support |
| credential caching. |
credential caching. |
| |
|
| -�-k�k [_�c_�o_�m_�m_�a_�n_�d] | -�-k�k, -�--�-r�re�es�se�et�t-�-t�ti�im�me�es�st�ta�am�mp�p |
| When used alone, the -�-k�k (_�k_�i_�l_�l) option to s�su�ud�do�o invalidates the | When used without a command, invalidates the user's cached |
| user's cached credentials. The next time s�su�ud�do�o is run a | credentials. In other words, the next time s�su�ud�do�o is run a |
| password will be required. This option does not require a |
password will be required. This option does not require a |
| password and was added to allow a user to revoke s�su�ud�do�o |
password and was added to allow a user to revoke s�su�ud�do�o |
| permissions from a _�._�l_�o_�g_�o_�u_�t file. Not all security policies | permissions from a _�._�l_�o_�g_�o_�u_�t file. |
| support credential caching. | |
| |
|
| When used in conjunction with a command or an option that may |
When used in conjunction with a command or an option that may |
| require a password, the -�-k�k option will cause s�su�ud�do�o to ignore | require a password, this option will cause s�su�ud�do�o to ignore the |
| the user's cached credentials. As a result, s�su�ud�do�o will prompt | user's cached credentials. As a result, s�su�ud�do�o will prompt for |
| for a password (if one is required by the security policy) | a password (if one is required by the security policy) and |
| and will not update the user's cached credentials. | will not update the user's cached credentials. |
| |
|
| -�-l�l[l�l] [_�c_�o_�m_�m_�a_�n_�d] | Not all security policies support credential caching. |
| If no _�c_�o_�m_�m_�a_�n_�d is specified, the -�-l�l (_�l_�i_�s_�t) option will list | |
| the allowed (and forbidden) commands for the invoking user | -�-l�l, -�--�-l�li�is�st�t If no _�c_�o_�m_�m_�a_�n_�d is specified, list the allowed (and forbidden) |
| (or the user specified by the -�-U�U option) on the current host. | commands for the invoking user (or the user specified by the |
| | -�-U�U option) on the current host. A longer list format is used |
| | if this option is specified multiple times and the security |
| | policy supports a verbose output format. |
| | |
| If a _�c_�o_�m_�m_�a_�n_�d is specified and is permitted by the security |
If a _�c_�o_�m_�m_�a_�n_�d is specified and is permitted by the security |
| policy, the fully-qualified path to the command is displayed |
policy, the fully-qualified path to the command is displayed |
| along with any command line arguments. If _�c_�o_�m_�m_�a_�n_�d is |
along with any command line arguments. If _�c_�o_�m_�m_�a_�n_�d is |
| specified but not allowed, s�su�ud�do�o will exit with a status value |
specified but not allowed, s�su�ud�do�o will exit with a status value |
| of 1. If the -�-l�l option is specified with an _�l argument (i.e. | of 1. |
| -�-l�ll�l), or if -�-l�l is specified multiple times, a longer list | |
| format is used. | |
| |
|
| -�-n�n The -�-n�n (_�n_�o_�n_�-_�i_�n_�t_�e_�r_�a_�c_�t_�i_�v_�e) option prevents s�su�ud�do�o from prompting | -�-n�n, -�--�-n�no�on�n-�-i�in�nt�te�er�ra�ac�ct�ti�iv�ve�e |
| the user for a password. If a password is required for the | Avoid prompting the user for input of any kind. If a |
| command to run, s�su�ud�do�o will display an error message and exit. | password is required for the command to run, s�su�ud�do�o will |
| | display an error message and exit. |
| |
|
| -�-P�P The -�-P�P (_�p_�r_�e_�s_�e_�r_�v_�e _�g_�r_�o_�u_�p _�v_�e_�c_�t_�o_�r) option causes s�su�ud�do�o to preserve | -�-P�P, -�--�-p�pr�re�es�se�er�rv�ve�e-�-g�gr�ro�ou�up�ps�s |
| the invoking user's group vector unaltered. By default, the | Preserve the invoking user's group vector unaltered. By |
| _�s_�u_�d_�o_�e_�r_�s policy will initialize the group vector to the list | default, the _�s_�u_�d_�o_�e_�r_�s policy will initialize the group vector |
| of groups the target user is in. The real and effective | to the list of groups the target user is a member of. The |
| group IDs, however, are still set to match the target user. | real and effective group IDs, however, are still set to match |
| | the target user. |
| |
|
| -�-p�p _�p_�r_�o_�m_�p_�t The -�-p�p (_�p_�r_�o_�m_�p_�t) option allows you to override the default | -�-p�p _�p_�r_�o_�m_�p_�t, -�--�-p�pr�ro�om�mp�pt�t=_�p_�r_�o_�m_�p_�t |
| password prompt and use a custom one. The following percent | Use a custom password prompt with optional escape sequences. |
| (`%') escapes are supported by the _�s_�u_�d_�o_�e_�r_�s policy: | The following percent (`%') escape sequences are supported by |
| | the _�s_�u_�d_�o_�e_�r_�s policy: |
| |
|
| %H expanded to the host name including the domain name (on |
%H expanded to the host name including the domain name (on |
| if the machine's host name is fully qualified or the _�f_�q_�d_�n |
if the machine's host name is fully qualified or the _�f_�q_�d_�n |
|
Line 232 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
Line 241 D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
|
| %% two consecutive `%' characters are collapsed into a |
%% two consecutive `%' characters are collapsed into a |
| single `%' character |
single `%' character |
| |
|
| The prompt specified by the -�-p�p option will override the | The custom prompt will override the system password prompt on |
| system password prompt on systems that support PAM unless the | systems that support PAM unless the _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t_�__�o_�v_�e_�r_�r_�i_�d_�e flag |
| _�p_�a_�s_�s_�p_�r_�o_�m_�p_�t_�__�o_�v_�e_�r_�r_�i_�d_�e flag is disabled in _�s_�u_�d_�o_�e_�r_�s. | is disabled in _�s_�u_�d_�o_�e_�r_�s. |
| |
|
| -�-r�r _�r_�o_�l_�e The -�-r�r (_�r_�o_�l_�e) option causes the new (SELinux) security | -�-r�r _�r_�o_�l_�e, -�--�-r�ro�ol�le�e=_�r_�o_�l_�e |
| context to have the role specified by _�r_�o_�l_�e. | Run the command with an SELinux security context that |
| | includes the specified _�r_�o_�l_�e. |
| |
|
| -�-S�S The -�-S�S (_�s_�t_�d_�i_�n) option causes s�su�ud�do�o to read the password from | -�-S�S, -�--�-s�st�td�di�in�n |
| the standard input instead of the terminal device. The | Write the prompt to the standard error and read the password |
| password must be followed by a newline character. | from the standard input instead of using the terminal device. |
| | The password must be followed by a newline character. |
| |
|
| -�-s�s [_�c_�o_�m_�m_�a_�n_�d] | -�-s�s, -�--�-s�sh�he�el�ll�l |
| The -�-s�s (_�s_�h_�e_�l_�l) option runs the shell specified by the SHELL | Run the shell specified by the SHELL environment variable if |
| environment variable if it is set or the shell as specified | it is set or the shell specified by the invoking user's |
| in the password database. If a command is specified, it is | password database entry. If a command is specified, it is |
| passed to the shell for execution via the shell's -�-c�c option. |
passed to the shell for execution via the shell's -�-c�c option. |
| If no command is specified, an interactive shell is executed. |
If no command is specified, an interactive shell is executed. |
| |
|
| -�-t�t _�t_�y_�p_�e The -�-t�t (_�t_�y_�p_�e) option causes the new (SELinux) security | -�-t�t _�t_�y_�p_�e, -�--�-t�ty�yp�pe�e=_�t_�y_�p_�e |
| context to have the type specified by _�t_�y_�p_�e. If no type is | Run the command with an SELinux security context that |
| specified, the default type is derived from the specified | includes the specified _�t_�y_�p_�e. If no _�t_�y_�p_�e is specified, the |
| role. | default type is derived from the role. |
| |
|
| -�-U�U _�u_�s_�e_�r The -�-U�U (_�o_�t_�h_�e_�r _�u_�s_�e_�r) option is used in conjunction with the -�-l�l | -�-U�U _�u_�s_�e_�r, -�--�-o�ot�th�he�er�r-�-u�us�se�er�r=_�u_�s_�e_�r |
| option to specify the user whose privileges should be listed. | Used in conjunction with the -�-l�l option to list the privileges |
| The security policy may restrict listing other users' | for _�u_�s_�e_�r instead of for the invoking user. The security |
| privileges. The _�s_�u_�d_�o_�e_�r_�s policy only allows root or a user | policy may restrict listing other users' privileges. The |
| with the ALL privilege on the current host to use this | _�s_�u_�d_�o_�e_�r_�s policy only allows root or a user with the ALL |
| option. | privilege on the current host to use this option. |
| |
|
| -�-u�u _�u_�s_�e_�r The -�-u�u (_�u_�s_�e_�r) option causes s�su�ud�do�o to run the specified command | -�-u�u _�u_�s_�e_�r, -�--�-u�us�se�er�r=_�u_�s_�e_�r |
| as a user other than _�r_�o_�o_�t. To specify a _�u_�i_�d instead of a | Run the command as a user other than the default target user |
| _�u_�s_�e_�r _�n_�a_�m_�e, _�#_�u_�i_�d. When running commands as a _�u_�i_�d, many shells | (usually _�r_�o_�o_�t _�)_�. The _�u_�s_�e_�r may be either a user name or a |
| require that the `#' be escaped with a backslash (`\'). | numeric user ID (UID) prefixed with the `#' character (e.g. |
| Security policies may restrict _�u_�i_�ds to those listed in the | #0 for UID 0). When running commands as a UID, many shells |
| password database. The _�s_�u_�d_�o_�e_�r_�s policy allows _�u_�i_�ds that are | require that the `#' be escaped with a backslash (`\'). Some |
| | security policies may restrict UIDs to those listed in the |
| | password database. The _�s_�u_�d_�o_�e_�r_�s policy allows UIDs that are |
| not in the password database as long as the _�t_�a_�r_�g_�e_�t_�p_�w option |
not in the password database as long as the _�t_�a_�r_�g_�e_�t_�p_�w option |
| is not set. Other security policies may not support this. |
is not set. Other security policies may not support this. |
| |
|
| -�-V�V The -�-V�V (_�v_�e_�r_�s_�i_�o_�n) option causes s�su�ud�do�o to print its version | -�-V�V, -�--�-v�ve�er�rs�si�io�on�n |
| string and the version string of the security policy plugin | Print the s�su�ud�do�o version string as well as the version string |
| and any I/O plugins. If the invoking user is already root | of the security policy plugin and any I/O plugins. If the |
| the -�-V�V option will display the arguments passed to configure | invoking user is already root the -�-V�V option will display the |
| when s�su�ud�do�o was built and plugins may display more verbose | arguments passed to configure when s�su�ud�do�o was built and plugins |
| information such as default options. | may display more verbose information such as default options. |
| |
|
| -�-v�v When given the -�-v�v (_�v_�a_�l_�i_�d_�a_�t_�e) option, s�su�ud�do�o will update the | -�-v�v, -�--�-v�va�al�li�id�da�at�te�e |
| user's cached credentials, authenticating the user's password | Update the user's cached credentials, authenticating the user |
| if necessary. For the _�s_�u_�d_�o_�e_�r_�s plugin, this extends the s�su�ud�do�o |
if necessary. For the _�s_�u_�d_�o_�e_�r_�s plugin, this extends the s�su�ud�do�o |
| timeout for another 5 minutes (or whatever the timeout is set | timeout for another 5 minutes by default, but does not run a |
| to by the security policy) but does not run a command. Not | command. Not all security policies support cached |
| all security policies support cached credentials. | credentials. |
| |
|
| -�--�- The -�--�- option indicates that s�su�ud�do�o should stop processing |
-�--�- The -�--�- option indicates that s�su�ud�do�o should stop processing |
| command line arguments. |
command line arguments. |
| |
|
| Environment variables to be set for the command may also be passed on the |
Environment variables to be set for the command may also be passed on the |
| command line in the form of V�VA�AR�R=_�v_�a_�l_�u_�e, e.g. | command line in the form of _�V_�A_�R=_�v_�a_�l_�u_�e, e.g. |
| L�LD�D_�_L�LI�IB�BR�RA�AR�RY�Y_�_P�PA�AT�TH�H=_�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�p_�k_�g_�/_�l_�i_�b. Variables passed on the command line | LD_LIBRARY_PATH=_�/_�u_�s_�r_�/_�l_�o_�c_�a_�l_�/_�p_�k_�g_�/_�l_�i_�b. Variables passed on the command line |
| are subject to the same restrictions as normal environment variables with | are subject to restrictions imposed by the security policy plugin. The |
| one important exception. If the _�s_�e_�t_�e_�n_�v option is set in _�s_�u_�d_�o_�e_�r_�s, the | _�s_�u_�d_�o_�e_�r_�s policy subjects variables passed on the command line to the same |
| command to be run has the SETENV tag set or the command matched is ALL, | restrictions as normal environment variables with one important |
| the user may set variables that would otherwise be forbidden. See | exception. If the _�s_�e_�t_�e_�n_�v option is set in _�s_�u_�d_�o_�e_�r_�s, the command to be run |
| sudoers(4) for more information. | has the SETENV tag set or the command matched is ALL, the user may set |
| | variables that would otherwise be forbidden. See sudoers(4) for more |
| | information. |
| |
|
| C�CO�OM�MM�MA�AN�ND�D E�EX�XE�EC�CU�UT�TI�IO�ON�N |
C�CO�OM�MM�MA�AN�ND�D E�EX�XE�EC�CU�UT�TI�IO�ON�N |
| When s�su�ud�do�o executes a command, the security policy specifies the execution |
When s�su�ud�do�o executes a command, the security policy specifies the execution |
| environment for the command. Typically, the real and effective uid and | environment for the command. Typically, the real and effective user and |
| gid are set to match those of the target user, as specified in the | group and IDs are set to match those of the target user, as specified in |
| password database, and the group vector is initialized based on the group | the password database, and the group vector is initialized based on the |
| database (unless the -�-P�P option was specified). | group database (unless the -�-P�P option was specified). |
| |
|
| The following parameters may be specified by security policy: |
The following parameters may be specified by security policy: |
| |
|
|
Line 342 C�CO�OM�MM�MA�AN�ND�D E�EX�XE�EC�CU�UT�TI�IO�ON�N
|
Line 357 C�CO�OM�MM�MA�AN�ND�D E�EX�XE�EC�CU�UT�TI�IO�ON�N
|
| be in what POSIX terms an ``orphaned process group'' and it would not |
be in what POSIX terms an ``orphaned process group'' and it would not |
| receive any job control signals. As a special case, if the policy plugin |
receive any job control signals. As a special case, if the policy plugin |
| does not define a close function and no pty is required, s�su�ud�do�o will |
does not define a close function and no pty is required, s�su�ud�do�o will |
| execute the command directly instead of calling fork(2) first. | execute the command directly instead of calling fork(2) first. The |
| | _�s_�u_�d_�o_�e_�r_�s policy plugin will only define a close function when I/O logging |
| | is enabled, a pty is required, or the _�p_�a_�m_�__�s_�e_�s_�s_�i_�o_�n or _�p_�a_�m_�__�s_�e_�t_�c_�r_�e_�d options |
| | are enabled. Note that _�p_�a_�m_�__�s_�e_�s_�s_�i_�o_�n and _�p_�a_�m_�__�s_�e_�t_�c_�r_�e_�d are enabled by |
| | default on systems using PAM. |
| |
|
| S�Si�ig�gn�na�al�l h�ha�an�nd�dl�li�in�ng�g |
S�Si�ig�gn�na�al�l h�ha�an�nd�dl�li�in�ng�g |
| Because the command is run as a child of the s�su�ud�do�o process, s�su�ud�do�o will | When the command is run as a child of the s�su�ud�do�o process, s�su�ud�do�o will relay |
| relay signals it receives to the command. Unless the command is being | signals it receives to the command. Unless the command is being run in a |
| run in a new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed | new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed unless |
| unless they are sent by a user process, not the kernel. Otherwise, the | they are sent by a user process, not the kernel. Otherwise, the command |
| command would receive SIGINT twice every time the user entered control-C. | would receive SIGINT twice every time the user entered control-C. Some |
| Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will | signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will not |
| not be relayed to the command. As a general rule, SIGTSTP should be used | be relayed to the command. As a general rule, SIGTSTP should be used |
| instead of SIGSTOP when you wish to suspend a command being run by s�su�ud�do�o. |
instead of SIGSTOP when you wish to suspend a command being run by s�su�ud�do�o. |
| |
|
| As a special case, s�su�ud�do�o will not relay signals that were sent by the |
As a special case, s�su�ud�do�o will not relay signals that were sent by the |
|
Line 374 C�CO�OM�MM�MA�AN�ND�D E�EX�XE�EC�CU�UT�TI�IO�ON�N
|
Line 393 C�CO�OM�MM�MA�AN�ND�D E�EX�XE�EC�CU�UT�TI�IO�ON�N
|
| instead of running it as a child process. |
instead of running it as a child process. |
| |
|
| P�Pl�lu�ug�gi�in�ns�s |
P�Pl�lu�ug�gi�in�ns�s |
| Plugins are dynamically loaded based on the contents of the sudo.conf(4) | Plugins may be specified via Plugin directives in the sudo.conf(4) file. |
| file. If no sudo.conf(4) file is present, or it contains no Plugin | They may be loaded as dynamic shared objects (on systems that support |
| lines, s�su�ud�do�o will use the traditional _�s_�u_�d_�o_�e_�r_�s security policy and I/O | them), or compiled directly into the s�su�ud�do�o binary. If no sudo.conf(4) |
| logging. See the sudo.conf(4) manual for details of the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f | file is present, or it contains no Plugin lines, s�su�ud�do�o will use the |
| file and the sudo_plugin(1m) manual for more information about the s�su�ud�do�o | traditional _�s_�u_�d_�o_�e_�r_�s security policy and I/O logging. See the |
| plugin architecture. | sudo.conf(4) manual for details of the _�/_�e_�t_�c_�/_�s_�u_�d_�o_�._�c_�o_�n_�f file and the |
| | sudo_plugin(1m) manual for more information about the s�su�ud�do�o plugin |
| | architecture. |
| |
|
| E�EX�XI�IT�T V�VA�AL�LU�UE�E |
E�EX�XI�IT�T V�VA�AL�LU�UE�E |
| Upon successful execution of a program, the exit status from _�s_�u_�d_�o will |
Upon successful execution of a program, the exit status from _�s_�u_�d_�o will |
|
Line 561 D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
|
Line 582 D�DI�IS�SC�CL�LA�AI�IM�ME�ER�R
|
| file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for |
file distributed with s�su�ud�do�o or http://www.sudo.ws/sudo/license.html for |
| complete details. |
complete details. |
| |
|
| Sudo 1.8.7 March 13, 2013 Sudo 1.8.7 | Sudo 1.8.10 February 15, 2014 Sudo 1.8.10 |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo.cat CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc