Annotation of embedaddon/sudo/doc/sudo.cat, revision 1.1.1.3

SUDO(1m)                     System Manager's Manual                    SUDO(1m)

NAME
     sudo, sudoedit - execute a command as another user

SYNOPSIS
     sudo -h | -K | -k | -V
     sudo -v [-AknS] [-a auth_type] [-g group name | #gid] [-p prompt]
          [-u user name | #uid]
     sudo -l[l] [-AknS] [-a auth_type] [-g group name | #gid] [-p prompt]
          [-U user name] [-u user name | #uid] [command]
     sudo [-AbEHnPS] [-a auth_type] [-C fd] [-c class | -]
          [-g group name | #gid] [-p prompt] [-r role] [-t type]
          [-u user name | #uid] [VAR=value] -i | -s [command]
     sudoedit [-AnS] [-a auth_type] [-C fd] [-c class | -]
              [-g group name | #gid] [-p prompt] [-u user name | #uid] file
              ...

DESCRIPTION
     sudo allows a permitted user to execute a command as the superuser or
     another user, as specified by the security policy.

     sudo supports a plugin architecture for security policies and
     input/output logging.  Third parties can develop and distribute their own
     policy and I/O logging plugins to work seamlessly with the sudo front
     end.  The default security policy is sudoers, which is configured via the
     file /etc/sudoers, or via LDAP.  See the PLUGINS section for more
     information.

     The security policy determines what privileges, if any, a user has to run
     sudo.  The policy may require that users authenticate themselves with a
     password or another authentication mechanism.  If authentication is
     required, sudo will exit if the user's password is not entered within a
     configurable time limit.  This limit is policy-specific; the default
     password prompt timeout for the sudoers security policy is 5 minutes.

     Security policies may support credential caching to allow the user to run
     sudo again for a period of time without requiring authentication.  The
     sudoers policy caches credentials for 5 minutes, unless overridden in
     sudoers(4).  By running sudo with the -v option, a user can update the
     cached credentials without running a command.

     When invoked as sudoedit, the -e option (described below) is implied.

     Security policies may log successful and failed attempts to use sudo.  If
     an I/O plugin is configured, the running command's input and output may
     be logged as well.

     The options are as follows:

     -A          Normally, if sudo requires a password, it will read it from
                 the user's terminal.  If the -A (askpass) option is
                 specified, a (possibly graphical) helper program is executed
                 to read the user's password and output the password to the
                 standard output.  If the SUDO_ASKPASS environment variable is
                 set, it specifies the path to the helper program.  Otherwise,
                 if /etc/sudo.conf contains a line specifying the askpass
                 program, that value will be used.  For example:

                     # Path to askpass helper program
                     Path askpass /usr/X11R6/bin/ssh-askpass

                 If no askpass program is available, sudo will exit with an
                 error.

     -a type     The -a (authentication type) option causes sudo to use the
                 specified authentication type when validating the user, as
                 allowed by /etc/login.conf.  The system administrator may
                 specify a list of sudo-specific authentication methods by
                 adding an ``auth-sudo'' entry in /etc/login.conf.  This
                 option is only available on systems that support BSD
                 authentication.

     -b          The -b (background) option tells sudo to run the given
                 command in the background.  Note that if you use the -b
                 option you cannot use shell job control to manipulate the
                 process.  Most interactive commands will fail to work
                 properly in background mode.

     -C fd       Normally, sudo will close all open file descriptors other
                 than standard input, standard output and standard error.  The
                 -C (close from) option allows the user to specify a starting
                 point above the standard error (file descriptor three).
                 Values less than three are not permitted.  The security
                 policy may restrict the user's ability to use the -C option.
                 The sudoers policy only permits use of the -C option when the
                 administrator has enabled the closefrom_override option.

     -c class    The -c (class) option causes sudo to run the specified
                 command with resources limited by the specified login class.
                 The class argument can be either a class name as defined in
                 /etc/login.conf, or a single `-' character.  Specifying a
                 class of - indicates that the command should be run
                 restricted by the default login capabilities for the user the
                 command is run as.  If the class argument specifies an
                 existing user class, the command must be run as root, or the
                 sudo command must be run from a shell that is already root.
                 This option is only available on systems with BSD login
                 classes.

     -E          The -E (preserve environment) option indicates to the
                 security policy that the user wishes to preserve their
                 existing environment variables.  The security policy may
                 return an error if the -E option is specified and the user
                 does not have permission to preserve the environment.

     -e          The -e (edit) option indicates that, instead of running a
                 command, the user wishes to edit one or more files.  In lieu
                 of a command, the string "sudoedit" is used when consulting
                 the security policy.  If the user is authorized by the
                 policy, the following steps are taken:

                  1.   Temporary copies are made of the files to be edited
                       with the owner set to the invoking user.

                  2.   The editor specified by the policy is run to edit the
                       temporary files.  The sudoers policy uses the
                       SUDO_EDITOR, VISUAL and EDITOR environment variables
                       (in that order).  If none of SUDO_EDITOR, VISUAL or
                       EDITOR are set, the first program listed in the editor
                       sudoers(4) option is used.

                  3.   If they have been modified, the temporary files are
                       copied back to their original location and the
                       temporary versions are removed.

                 If the specified file does not exist, it will be created.
                 Note that unlike most commands run by sudo, the editor is run
                 with the invoking user's environment unmodified.  If, for
                 some reason, sudo is unable to update a file with its edited
                 version, the user will receive a warning and the edited copy
                 will remain in a temporary file.
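
     The three sudoedit steps above, modelled in Python as an added example
     (this is not sudo's own code).  The editor is passed in as a callable so
     the flow can run without a terminal; the "vi" fallback, the chown being
     skipped when not running as root, and the sample files in demo() are all
     assumptions of the example.

```python
import filecmp
import os
import shutil
import subprocess
import tempfile


def pick_editor(env, policy_editor="vi"):
    """Editor selection as the sudoers policy does it: SUDO_EDITOR, then
    VISUAL, then EDITOR, else the first program of the policy's editor
    list ("vi" is an assumed default for this example)."""
    for var in ("SUDO_EDITOR", "VISUAL", "EDITOR"):
        if env.get(var):
            return env[var]
    return policy_editor.split(":")[0]


def external_editor(program):
    """Editor callable that runs `program` on the temporary copies, with the
    invoking user's environment left unmodified."""
    def edit(tmp_paths):
        subprocess.run([program, *tmp_paths], check=True)
    return edit


def sudoedit(paths, editor, invoking_uid=None, invoking_gid=-1):
    """Run the three sudoedit steps for `paths`.  Returns a dict mapping each
    original path to "updated", "unchanged" or "left-in:<tmp>"."""
    tmpdir = tempfile.mkdtemp(prefix="sudoedit.")
    copies = []
    # Step 1: a temporary copy of every file, owned by the invoking user.
    for path in paths:
        fd, tmp = tempfile.mkstemp(prefix=os.path.basename(path) + ".", dir=tmpdir)
        os.close(fd)
        if os.path.exists(path):
            shutil.copyfile(path, tmp)       # privileged read of the original
        # else: the temporary stays empty and the file is created in step 3
        if invoking_uid is not None and os.geteuid() == 0:
            os.chown(tmp, invoking_uid, invoking_gid)   # assumption: root only
        copies.append((path, tmp))

    # Step 2: the editor only ever touches the unprivileged temporary copies.
    editor([tmp for _, tmp in copies])

    # Step 3: copy modified temporaries back, then remove the temporaries.
    result = {}
    for path, tmp in copies:
        if os.path.exists(path) and filecmp.cmp(path, tmp, shallow=False):
            os.unlink(tmp)
            result[path] = "unchanged"
            continue
        try:
            shutil.copyfile(tmp, path)       # privileged write of the edit
        except OSError as exc:
            # warn and keep the edited copy rather than lose the user's work
            print(f"sudoedit: unable to update {path}: {exc}; edited copy is {tmp}")
            result[path] = f"left-in:{tmp}"
            continue
        os.unlink(tmp)
        result[path] = "updated"
    try:
        os.rmdir(tmpdir)
    except OSError:
        pass                                 # a left-behind copy keeps it
    return result


def demo():
    """Constructed run (sample files are created here): one existing file the
    editor leaves alone and one missing file that the editor fills in."""
    workdir = tempfile.mkdtemp(prefix="sudoedit-demo.")
    kept = os.path.join(workdir, "hosts.allow")
    with open(kept, "w") as fh:
        fh.write("sshd: 10.0.0.0/8\n")
    created = os.path.join(workdir, "motd")

    def fake_editor(tmp_paths):              # stands in for the real editor
        for tmp in tmp_paths:
            if os.path.basename(tmp).startswith("motd."):
                with open(tmp, "a") as fh:
                    fh.write("Authorized use only.\n")

    result = sudoedit([kept, created], fake_editor)
    with open(created) as fh:
        created_text = fh.read()
    return result[kept], result[created], created_text
```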

     -g group    Normally, sudo runs a command with the primary group set to
                 the one specified by the password database for the user the
                 command is being run as (by default, root).  The -g (group)
                 option causes sudo to run the command with the primary group
                 set to group instead.  To specify a gid instead of a group
                 name, use #gid.  When running commands as a gid, many shells
                 require that the `#' be escaped with a backslash (`\').  If
                 no -u option is specified, the command will be run as the
                 invoking user (not root).  In either case, the primary group
                 will be set to group.

     -H          The -H (HOME) option requests that the security policy set
                 the HOME environment variable to the home directory of the
                 target user (root by default) as specified by the password
                 database.  Depending on the policy, this may be the default
                 behavior.

     -h          The -h (help) option causes sudo to print a short help
                 message to the standard output and exit.

     -i [command]
                 The -i (simulate initial login) option runs the shell
                 specified by the password database entry of the target user
                 as a login shell.  This means that login-specific resource
                 files such as .profile or .login will be read by the shell.
                 If a command is specified, it is passed to the shell for
                 execution via the shell's -c option.  If no command is
                 specified, an interactive shell is executed.  sudo attempts
                 to change to that user's home directory before running the
                 shell.  The security policy shall initialize the environment
                 to a minimal set of variables, similar to what is present
                 when a user logs in.  The Command Environment section in the
                 sudoers(4) manual documents how the -i option affects the
                 environment in which a command is run when the sudoers policy
                 is in use.

     -K          The -K (sure kill) option is like -k except that it removes
                 the user's cached credentials entirely and may not be used in
                 conjunction with a command or other option.  This option does
                 not require a password.  Not all security policies support
                 credential caching.

     -k [command]
                 When used alone, the -k (kill) option to sudo invalidates the
                 user's cached credentials.  The next time sudo is run a
                 password will be required.  This option does not require a
                 password and was added to allow a user to revoke sudo
                 permissions from a .logout file.  Not all security policies
                 support credential caching.

                 When used in conjunction with a command or an option that may
                 require a password, the -k option will cause sudo to ignore
                 the user's cached credentials.  As a result, sudo will prompt
                 for a password (if one is required by the security policy)
                 and will not update the user's cached credentials.

     -l[l] [command]
                 If no command is specified, the -l (list) option will list
                 the allowed (and forbidden) commands for the invoking user
                 (or the user specified by the -U option) on the current host.
                 If a command is specified and is permitted by the security
                 policy, the fully-qualified path to the command is displayed
                 along with any command line arguments.  If command is
                 specified but not allowed, sudo will exit with a status value
                 of 1.  If the -l option is specified with an l argument (i.e.
                 -ll), or if -l is specified multiple times, a longer list
                 format is used.

     -n          The -n (non-interactive) option prevents sudo from prompting
                 the user for a password.  If a password is required for the
                 command to run, sudo will display an error message and exit.

     -P          The -P (preserve group vector) option causes sudo to preserve
                 the invoking user's group vector unaltered.  By default, the
                 sudoers policy will initialize the group vector to the list
                 of groups the target user is in.  The real and effective
                 group IDs, however, are still set to match the target user.

     -p prompt   The -p (prompt) option allows you to override the default
                 password prompt and use a custom one.  The following percent
                 (`%') escapes are supported by the sudoers policy:

                 %H  expanded to the host name including the domain name (only
                     if the machine's host name is fully qualified or the fqdn
                     option is set in sudoers(4))

                 %h  expanded to the local host name without the domain name

                 %p  expanded to the name of the user whose password is being
                     requested (respects the rootpw, targetpw, and runaspw
                     flags in sudoers(4))

                 %U  expanded to the login name of the user the command will
                     be run as (defaults to root unless the -u option is also
                     specified)

                 %u  expanded to the invoking user's login name

                 %%  two consecutive `%' characters are collapsed into a
                     single `%' character

                 The prompt specified by the -p option will override the
                 system password prompt on systems that support PAM unless the
                 passprompt_override flag is disabled in sudoers.
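
     The percent escapes above, expanded by a small Python function added
     here as an example (not code from the sudoers plugin).  Assumptions of
     the example: the host name is passed in as sudo already knows it, a
     runaspw flag refers to the runas_default user, and an unknown escape is
     copied through literally.

```python
def password_user(invoking_user, target_user, rootpw=False, targetpw=False,
                  runaspw=False, runas_default="root"):
    """Whose password %p names.  rootpw/targetpw/runaspw are the sudoers(4)
    flags; runas_default is the user runaspw points at (assumption)."""
    if rootpw:
        return "root"
    if targetpw:
        return target_user
    if runaspw:
        return runas_default
    return invoking_user


def expand_prompt(prompt, invoking_user, target_user="root",
                  host="localhost", **pw_flags):
    """Expand %H, %h, %p, %U, %u and %% in a -p prompt.  `host` is the host
    name as sudo resolved it: %H keeps the domain part only when that name
    is fully qualified, %h never does."""
    short_host = host.split(".", 1)[0]
    table = {
        "H": host,
        "h": short_host,
        "p": password_user(invoking_user, target_user, **pw_flags),
        "U": target_user,
        "u": invoking_user,
        "%": "%",            # two consecutive `%' collapse into one
    }
    out = []
    i = 0
    while i < len(prompt):
        if prompt[i] == "%" and i + 1 < len(prompt) and prompt[i + 1] in table:
            out.append(table[prompt[i + 1]])
            i += 2
        else:
            out.append(prompt[i])   # not a known escape: kept as-is (assumption)
            i += 1
    return "".join(out)
```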

     -r role     The -r (role) option causes the new (SELinux) security
                 context to have the role specified by role.

     -S          The -S (stdin) option causes sudo to read the password from
                 the standard input instead of the terminal device.  The
                 password must be followed by a newline character.

     -s [command]
                 The -s (shell) option runs the shell specified by the SHELL
                 environment variable if it is set or the shell as specified
                 in the password database.  If a command is specified, it is
                 passed to the shell for execution via the shell's -c option.
                 If no command is specified, an interactive shell is executed.

     -t type     The -t (type) option causes the new (SELinux) security
                 context to have the type specified by type.  If no type is
                 specified, the default type is derived from the specified
                 role.

     -U user     The -U (other user) option is used in conjunction with the -l
                 option to specify the user whose privileges should be listed.
                 The security policy may restrict listing other users'
                 privileges.  The sudoers policy only allows root or a user
                 with the ALL privilege on the current host to use this
                 option.

     -u user     The -u (user) option causes sudo to run the specified command
                 as a user other than root.  To specify a uid instead of a
                 user name, use #uid.  When running commands as a uid, many
                 shells require that the `#' be escaped with a backslash
                 (`\').  Security policies may restrict uids to those listed
                 in the password database.  The sudoers policy allows uids
                 that are not in the password database as long as the
                 targetpw option is not set.  Other security policies may not
                 support this.

     -V          The -V (version) option causes sudo to print its version
                 string and the version string of the security policy plugin
                 and any I/O plugins.  If the invoking user is already root
                 the -V option will display the arguments passed to configure
                 when sudo was built and plugins may display more verbose
                 information such as default options.

     -v          When given the -v (validate) option, sudo will update the
                 user's cached credentials, authenticating the user's password
                 if necessary.  For the sudoers plugin, this extends the sudo
                 timeout for another 5 minutes (or whatever the timeout is set
                 to by the security policy) but does not run a command.  Not
                 all security policies support cached credentials.

     --          The -- option indicates that sudo should stop processing
                 command line arguments.

     Environment variables to be set for the command may also be passed on the
     command line in the form of VAR=value, e.g.
     LD_LIBRARY_PATH=/usr/local/pkg/lib.  Variables passed on the command line
     are subject to the same restrictions as normal environment variables with
     one important exception.  If the setenv option is set in sudoers, the
     command to be run has the SETENV tag set or the command matched is ALL,
     the user may set variables that would otherwise be forbidden.  See
     sudoers(4) for more information.

COMMAND EXECUTION
     When sudo executes a command, the security policy specifies the execution
     environment for the command.  Typically, the real and effective uid and
     gid are set to match those of the target user, as specified in the
     password database, and the group vector is initialized based on the group
     database (unless the -P option was specified).

     The following parameters may be specified by security policy:

     o   real and effective user ID

     o   real and effective group ID

     o   supplementary group IDs

     o   the environment list

     o   current working directory

     o   file creation mode mask (umask)

     o   SELinux role and type

     o   Solaris project

     o   Solaris privileges

     o   BSD login class

     o   scheduling priority (aka nice value)

   Process model
     When sudo runs a command, it calls fork(2), sets up the execution
     environment as described above, and calls the execve system call in the
     child process.  The main sudo process waits until the command has
     completed, then passes the command's exit status to the security policy's
     close method and exits.  If an I/O logging plugin is configured, a new
     pseudo-terminal (``pty'') is created and a second sudo process is used to
     relay job control signals between the user's existing pty and the new pty
     the command is being run in.  This extra process makes it possible to,
     for example, suspend and resume the command.  Without it, the command
     would be in what POSIX terms an ``orphaned process group'' and it would
     not receive any job control signals.

   Signal handling
     Because the command is run as a child of the sudo process, sudo will
     relay signals it receives to the command.  Unless the command is being
     run in a new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed
     unless they are sent by a user process, not the kernel.  Otherwise, the
     command would receive SIGINT twice every time the user entered control-C.
     Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will
     not be relayed to the command.  As a general rule, SIGTSTP should be used
     instead of SIGSTOP when you wish to suspend a command being run by sudo.

     As a special case, sudo will not relay signals that were sent by the
     command it is running.  This prevents the command from accidentally
     killing itself.  On some systems, the reboot(1m) command sends SIGTERM to
     all non-system processes other than itself before rebooting the system.
     This prevents sudo from relaying the SIGTERM signal it received back to
     reboot(1m), which might then exit before the system was actually rebooted,
     leaving it in a half-dead state similar to single user mode.  Note,
     however, that this check only applies to the command run by sudo and not
     any other processes that the command may create.  As a result, running a
     script that calls reboot(1m) or shutdown(1m) via sudo may cause the system
     to end up in this undefined state unless reboot(1m) or shutdown(1m) is
     run using the exec() family of functions instead of system() (which
     interposes a shell between the command and the calling process).

PLUGINS
     Plugins are dynamically loaded based on the contents of the
     /etc/sudo.conf file.  If no /etc/sudo.conf file is present, or it
     contains no Plugin lines, sudo will use the traditional sudoers security
     policy and I/O logging, which corresponds to the following /etc/sudo.conf
     file.

     #
     # Default /etc/sudo.conf file
     #
     # Format:
     #   Plugin plugin_name plugin_path plugin_options ...
     #   Path askpass /path/to/askpass
     #   Path noexec /path/to/sudo_noexec.so
     #   Debug sudo /var/log/sudo_debug all@warn
     #   Set disable_coredump true
     #
     # The plugin_path is relative to /usr/local/libexec unless
     #   fully qualified.
     # The plugin_name corresponds to a global symbol in the plugin
     #   that contains the plugin interface structure.
     # The plugin_options are optional.
     #
     Plugin policy_plugin sudoers.so
     Plugin io_plugin sudoers.so

     A Plugin line consists of the Plugin keyword, followed by the symbol_name
     and the path to the shared object containing the plugin.  The symbol_name
     is the name of the struct policy_plugin or struct io_plugin in the plugin
     shared object.  The path may be fully qualified or relative.  If not
     fully qualified it is relative to the /usr/local/libexec directory.  Any
     additional parameters after the path are passed as arguments to the
     plugin's open function.  Lines that don't begin with Plugin, Path, Debug,
     or Set are silently ignored.

     For more information, see the sudo_plugin(1m) manual.
1.1       misho     404: 
PATHS
     A Path line consists of the Path keyword, followed by the name of the
     path to set and its value.  E.g.

           Path noexec /usr/local/libexec/sudo_noexec.so
           Path askpass /usr/X11R6/bin/ssh-askpass

     The following plugin-agnostic paths may be set in the /etc/sudo.conf
     file:

     askpass   The fully qualified path to a helper program used to read the
               user's password when no terminal is available.  This may be the
               case when sudo is executed from a graphical (as opposed to
               text-based) application.  The program specified by askpass
               should display the argument passed to it as the prompt and
               write the user's password to the standard output.  The value of
               askpass may be overridden by the SUDO_ASKPASS environment
               variable.

     noexec    The fully qualified path to a shared library containing dummy
               versions of the execv(), execve() and fexecve() library
               functions that just return an error.  This is used to implement
               the noexec functionality on systems that support LD_PRELOAD or
               its equivalent.  Defaults to /usr/local/libexec/sudo_noexec.so.

DEBUG FLAGS
     sudo versions 1.8.4 and higher support a flexible debugging framework
     that can help track down what sudo is doing internally if there is a
     problem.

     A Debug line consists of the Debug keyword, followed by the name of the
     program to debug (sudo, visudo, sudoreplay), the debug file name and a
     comma-separated list of debug flags.  The debug flag syntax used by sudo
     and the sudoers plugin is subsystem@priority but the plugin is free to
     use a different format so long as it does not include a comma (`,').

     For instance:

           Debug sudo /var/log/sudo_debug all@warn,plugin@info

     would log all debugging statements at the warn level and higher in
     addition to those at the info level for the plugin subsystem.

     Currently, only one Debug entry per program is supported.  The sudo Debug
     entry is shared by the sudo front end, sudoedit and the plugins.  A
     future release may add support for per-plugin Debug lines and/or support
     for multiple debugging files for a single program.

     The priorities used by the sudo front end, in order of decreasing
     severity, are: crit, err, warn, notice, diag, info, trace and debug.
     Each priority, when specified, also includes all priorities higher than
     it.  For example, a priority of notice would include debug messages
     logged at notice and higher.

     The following subsystems are used by the sudo front end:

     all         matches every subsystem

     args        command line argument processing

     conv        user conversation

     edit        sudoedit

     exec        command execution

     main        sudo main function

     netif       network interface handling

     pcomm       communication with the plugin

     plugin      plugin configuration

     pty         pseudo-tty related code

     selinux     SELinux-specific handling

     util        utility functions

     utmp        utmp handling

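     The following is an added example, not code from the sudo manual or the
     sudo distribution: a small parser for the /etc/sudo.conf lines described
     in the PLUGINS, PATHS and DEBUG FLAGS sections, together with a matcher
     that applies the subsystem@priority rule (a priority includes every
     priority of higher severity, and "all" matches every subsystem).  The
     configuration text and the io_plugin path in it are constructed for the
     example.

```python
# Added example, not part of the sudo manual or its source: parse the
# /etc/sudo.conf keywords (Plugin, Path, Debug, Set) and decide whether a
# debug message would be logged under a Debug line.  SAMPLE_CONF below is
# constructed; the io_plugin path and option in it are made up.
import os

LIBEXEC = "/usr/local/libexec"   # base directory for relative plugin paths
# Front-end priorities in order of decreasing severity (see DEBUG FLAGS).
PRIORITIES = ["crit", "err", "warn", "notice", "diag", "info", "trace", "debug"]

def parse_sudo_conf(text):
    """Return {'plugins', 'paths', 'debug', 'set'}.  Lines not beginning
    with Plugin, Path, Debug or Set (comments, blanks, junk) are ignored."""
    conf = {"plugins": [], "paths": {}, "debug": {}, "set": {}}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "Plugin" and len(args) >= 2:
            symbol, path, *options = args        # extra words go to open()
            if not path.startswith("/"):         # relative to libexec dir
                path = os.path.join(LIBEXEC, path)
            conf["plugins"].append((symbol, path, options))
        elif keyword == "Path" and len(args) == 2:
            conf["paths"][args[0]] = args[1]
        elif keyword == "Debug" and len(args) == 3:
            prog, logfile, flags = args
            # Comma-separated subsystem@priority pairs; skip malformed ones.
            parsed = [tuple(f.split("@", 1)) for f in flags.split(",") if "@" in f]
            conf["debug"][prog] = (logfile, parsed)
        elif keyword == "Set" and len(args) == 2:
            conf["set"][args[0]] = args[1]
    return conf

def debug_enabled(flags, subsystem, priority):
    """True if a message from `subsystem` at `priority` is logged under
    `flags`, e.g. [("all", "warn"), ("plugin", "info")].  A lower index in
    PRIORITIES means higher severity, so level <= configured level passes."""
    level = PRIORITIES.index(priority)
    return any((sub == "all" or sub == subsystem)
               and level <= PRIORITIES.index(pri)
               for sub, pri in flags)

SAMPLE_CONF = """\
# Constructed sudo.conf for the example
Plugin policy_plugin sudoers.so
Plugin io_plugin /opt/sudo/iolog.so compress=yes
Path noexec /usr/local/libexec/sudo_noexec.so
Debug sudo /var/log/sudo_debug all@warn,plugin@info
Set disable_coredump false
Unknown keyword this line is ignored
"""

def would_log(subsystem, priority, conf_text=SAMPLE_CONF):
    """Apply the `Debug sudo` entry of conf_text to a single message."""
    _logfile, flags = parse_sudo_conf(conf_text)["debug"]["sudo"]
    return debug_enabled(flags, subsystem, priority)
```
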
EXIT VALUE
     Upon successful execution of a program, the exit status from sudo will
     simply be the exit status of the program that was executed.

     Otherwise, sudo exits with a value of 1 if there is a
     configuration/permission problem or if sudo cannot execute the given
     command.  In the latter case the error string is printed to the standard
     error.  If sudo cannot stat(2) one or more entries in the user's PATH, an
     error is printed on stderr.  (If the directory does not exist or if it is
     not really a directory, the entry is ignored and no error is printed.)
     This should not happen under normal circumstances.  The most common
     reason for stat(2) to return ``permission denied'' is if you are running
     an automounter and one of the directories in your PATH is on a machine
     that is currently unreachable.

SECURITY NOTES
     sudo tries to be safe when executing external commands.

     To prevent command spoofing, sudo checks "." and "" (both denoting
     current directory) last when searching for a command in the user's PATH
     (if one or both are in the PATH).  Note, however, that the actual PATH
     environment variable is not modified and is passed unchanged to the
     program that sudo executes.
        !           510: 
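     The following is an added example, not code from the sudo manual or the
     sudo distribution: it models the search order just described, where "."
     and "" are consulted last wherever they appear in PATH, and contrasts it
     with a plain left-to-right search.  The file system is a constructed set
     of paths so the example runs offline.

```python
# Added example, not part of the sudo manual or its source: model the PATH
# search order from SECURITY NOTES ("." and "" checked last) against a
# constructed file system, next to the ordinary left-to-right order.
import os

CWD_FORMS = (".", "")   # both denote the current directory

def sudo_search_order(path):
    """PATH entries in the order sudo consults them: every directory other
    than "." / "" in original order, then the current directory once at the
    end if either form was present."""
    entries = path.split(":")
    regular = [e for e in entries if e not in CWD_FORMS]
    cwd_last = ["."] if any(e in CWD_FORMS for e in entries) else []
    return regular + cwd_last

def naive_search_order(path):
    """Plain left-to-right order, for comparison (an empty entry is treated
    as the current directory, as shells do)."""
    return ["." if e == "" else e for e in path.split(":")]

def find_command(name, path, is_executable, order=sudo_search_order):
    """Resolve `name` to the first executable candidate in order(path).
    A name containing "/" is taken literally and not searched for."""
    if "/" in name:
        return name if is_executable(name) else None
    for directory in order(path):
        candidate = os.path.join(directory, name)
        if is_executable(candidate):
            return candidate
    return None

# Constructed file system: the system ls plus a same-named file that
# happens to sit in the current directory.
FAKE_EXECUTABLES = {"/usr/bin/ls", "./ls"}

def is_fake_executable(candidate):
    return candidate in FAKE_EXECUTABLES

def resolve(path, name="ls"):
    """Return (what sudo would run, what a naive search would run)."""
    return (find_command(name, path, is_fake_executable),
            find_command(name, path, is_fake_executable, naive_search_order))
```
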
     Please note that sudo will normally only log the command it explicitly
     runs.  If a user runs a command such as sudo su or sudo sh, subsequent
     commands run from that shell are not subject to sudo's security policy.
     The same is true for commands that offer shell escapes (including most
     editors).  If I/O logging is enabled, subsequent commands will have their
     input and/or output logged, but there will not be traditional logs for
     those commands.  Because of this, care must be taken when giving users
     access to commands via sudo to verify that the command does not
     inadvertently give the user an effective root shell.  For more
     information, please see the PREVENTING SHELL ESCAPES section in
     sudoers(4).

     To prevent the disclosure of potentially sensitive information, sudo
     disables core dumps by default while it is executing (they are re-enabled
     for the command that is run).  To aid in debugging sudo crashes, you may
     wish to re-enable core dumps by setting ``disable_coredump'' to false in
     the /etc/sudo.conf file as follows:

           Set disable_coredump false

     Note that by default, most operating systems disable core dumps from
     setuid programs, which includes sudo.  To actually get a sudo core file
     you may need to enable core dumps for setuid processes.  On BSD and Linux
     systems this is accomplished via the sysctl command, on Solaris the
     coreadm command can be used.

ENVIRONMENT
     sudo utilizes the following environment variables.  The security policy
     has control over the actual content of the command's environment.

     EDITOR           Default editor to use in -e (sudoedit) mode if neither
                      SUDO_EDITOR nor VISUAL is set.

     MAIL             In -i mode or when env_reset is enabled in sudoers, set
                      to the mail spool of the target user.

     HOME             Set to the home directory of the target user if -i or -H
                      are specified, env_reset or always_set_home are set in
                      sudoers, or when the -s option is specified and set_home
                      is set in sudoers.

     PATH             May be overridden by the security policy.

     SHELL            Used to determine shell to run with -s option.

     SUDO_ASKPASS     Specifies the path to a helper program used to read the
                      password if no terminal is available or if the -A option
                      is specified.

     SUDO_COMMAND     Set to the command run by sudo.

     SUDO_EDITOR      Default editor to use in -e (sudoedit) mode.

     SUDO_GID         Set to the group ID of the user who invoked sudo.

     SUDO_PROMPT      Used as the default password prompt.

     SUDO_PS1         If set, PS1 will be set to its value for the program
                      being run.

     SUDO_UID         Set to the user ID of the user who invoked sudo.

     SUDO_USER        Set to the login name of the user who invoked sudo.

     USER             Set to the target user (root unless the -u option is
                      specified).

     VISUAL           Default editor to use in -e (sudoedit) mode if
                      SUDO_EDITOR is not set.

FILES
     /etc/sudo.conf            sudo front end configuration

EXAMPLES
     Note: the following examples assume a properly configured security
     policy.

     To get a file listing of an unreadable directory:

           $ sudo ls /usr/local/protected

     To list the home directory of user yaz on a machine where the file system
     holding ~yaz is not exported as root:

           $ sudo -u yaz ls ~yaz

     To edit the index.html file as user www:

           $ sudo -u www vi ~www/htdocs/index.html

     To view system logs only accessible to root and users in the adm group:

           $ sudo -g adm view /var/log/syslog

     To run an editor as jim with a different primary group:

           $ sudo -u jim -g audio vi ~jim/sound.txt

     To shut down a machine:

           $ sudo shutdown -r +15 "quick reboot"

     To make a usage listing of the directories in the /home partition.  Note
     that this runs the commands in a sub-shell to make the cd and file
     redirection work.

           $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

SEE ALSO
     grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4),
     sudo_plugin(1m), sudoreplay(1m), visudo(1m)

HISTORY
     See the HISTORY file in the sudo distribution
     (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.

AUTHORS
     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS file in the sudo distribution
     (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
     people who have contributed to sudo.

CAVEATS
     There is no easy way to prevent a user from gaining a root shell if that
     user is allowed to run arbitrary commands via sudo.  Also, many programs
     (such as editors) allow the user to run commands via shell escapes, thus
     avoiding sudo's checks.  However, on most systems it is possible to
     prevent shell escapes with the sudoers(4) plugin's noexec functionality.

     It is not meaningful to run the cd command directly via sudo, e.g.,

           $ sudo cd /usr/local/protected

     since when the command exits the parent process (your shell) will still
     be the same.  Please see the EXAMPLES section for more information.

     Running shell scripts via sudo can expose the same kernel bugs that make
     setuid shell scripts unsafe on some operating systems (if your OS has a
     /dev/fd/ directory, setuid shell scripts are generally safe).

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
     archives.

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of merchantability
     and fitness for a particular purpose are disclaimed.  See the LICENSE
     file distributed with sudo or http://www.sudo.ws/sudo/license.html for
     complete details.

Sudo 1.8.6                       July 10, 2012                      Sudo 1.8.6
