1: SUDO(1m) System Manager's Manual SUDO(1m)
2:
3: NNAAMMEE
4: ssuuddoo, ssuuddooeeddiitt - execute a command as another user
5:
6: SSYYNNOOPPSSIISS
7: ssuuddoo --hh | --KK | --kk | --VV
8: ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t]
9: [--uu _u_s_e_r _n_a_m_e | _#_u_i_d]
10: ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t]
11: [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d]
12: ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-]
13: [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e]
14: [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [VVAARR=_v_a_l_u_e] --ii | --ss [_c_o_m_m_a_n_d]
15: ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-]
16: [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] file
17: ...
18:
19: DDEESSCCRRIIPPTTIIOONN
20: ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or
21: another user, as specified by the security policy.
22:
23: ssuuddoo supports a plugin architecture for security policies and
24: input/output logging. Third parties can develop and distribute their own
25: policy and I/O logging plugins to work seamlessly with the ssuuddoo front
26: end. The default security policy is _s_u_d_o_e_r_s, which is configured via the
27: file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more
28: information.
29:
30: The security policy determines what privileges, if any, a user has to run
31: ssuuddoo. The policy may require that users authenticate themselves with a
32: password or another authentication mechanism. If authentication is
33: required, ssuuddoo will exit if the user's password is not entered within a
34: configurable time limit. This limit is policy-specific; the default
35: password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 minutes.
36:
37: Security policies may support credential caching to allow the user to run
38: ssuuddoo again for a period of time without requiring authentication. The
39: _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden in
40: sudoers(4). By running ssuuddoo with the --vv option, a user can update the
41: cached credentials without running a _c_o_m_m_a_n_d.
42:
43: When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied.
44:
45: Security policies may log successful and failed attempts to use ssuuddoo. If
46: an I/O plugin is configured, the running command's input and output may
47: be logged as well.
48:
49: The options are as follows:
50:
51: --AA Normally, if ssuuddoo requires a password, it will read it from
52: the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is
53: specified, a (possibly graphical) helper program is executed
54: to read the user's password and output the password to the
55: standard output. If the SUDO_ASKPASS environment variable is
56: set, it specifies the path to the helper program. Otherwise,
57: if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass
58: program, that value will be used. For example:
59:
60: # Path to askpass helper program
61: Path askpass /usr/X11R6/bin/ssh-askpass
62:
63: If no askpass program is available, ssuuddoo will exit with an
64: error.
65:
66: --aa _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the
67: specified authentication type when validating the user, as
68: allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may
69: specify a list of sudo-specific authentication methods by
70: adding an ``auth-sudo'' entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This
71: option is only available on systems that support BSD
72: authentication.
73:
74: --bb The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given
75: command in the background. Note that if you use the --bb
76: option you cannot use shell job control to manipulate the
77: process. Most interactive commands will fail to work
78: properly in background mode.
79:
80: --CC _f_d Normally, ssuuddoo will close all open file descriptors other
81: than standard input, standard output and standard error. The
82: --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting
83: point above the standard error (file descriptor three).
84: Values less than three are not permitted. The security
85: policy may restrict the user's ability to use the --CC option.
86: The _s_u_d_o_e_r_s policy only permits use of the --CC option when the
87: administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option.
88:
89: --cc _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified
90: command with resources limited by the specified login class.
91: The _c_l_a_s_s argument can be either a class name as defined in
92: _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single `-' character. Specifying a
93: _c_l_a_s_s of - indicates that the command should be run
94: restricted by the default login capabilities for the user the
95: command is run as. If the _c_l_a_s_s argument specifies an
96: existing user class, the command must be run as root, or the
97: ssuuddoo command must be run from a shell that is already root.
98: This option is only available on systems with BSD login
99: classes.
100:
101: --EE The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the
102: security policy that the user wishes to preserve their
103: existing environment variables. The security policy may
104: return an error if the --EE option is specified and the user
105: does not have permission to preserve the environment.
106:
107: --ee The --ee (_e_d_i_t) option indicates that, instead of running a
108: command, the user wishes to edit one or more files. In lieu
109: of a command, the string "sudoedit" is used when consulting
110: the security policy. If the user is authorized by the
111: policy, the following steps are taken:
112:
113: 1. Temporary copies are made of the files to be edited
114: with the owner set to the invoking user.
115:
116: 2. The editor specified by the policy is run to edit the
117: temporary files. The _s_u_d_o_e_r_s policy uses the
118: SUDO_EDITOR, VISUAL and EDITOR environment variables
119: (in that order). If none of SUDO_EDITOR, VISUAL or
120: EDITOR are set, the first program listed in the _e_d_i_t_o_r
121: sudoers(4) option is used.
122:
123: 3. If they have been modified, the temporary files are
124: copied back to their original location and the
125: temporary versions are removed.
126:
127: If the specified file does not exist, it will be created.
128: Note that unlike most commands run by _s_u_d_o, the editor is run
129: with the invoking user's environment unmodified. If, for
130: some reason, ssuuddoo is unable to update a file with its edited
131: version, the user will receive a warning and the edited copy
132: will remain in a temporary file.
133:
134: --gg _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to
135: the one specified by the password database for the user the
136: command is being run as (by default, root). The --gg (_g_r_o_u_p)
137: option causes ssuuddoo to run the command with the primary group
138: set to _g_r_o_u_p instead. To specify a _g_i_d instead of a _g_r_o_u_p
139: _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many shells
140: require that the `#' be escaped with a backslash (`\'). If
141: no --uu option is specified, the command will be run as the
142: invoking user (not root). In either case, the primary group
143: will be set to _g_r_o_u_p.
144:
145: --HH The --HH (_H_O_M_E) option requests that the security policy set
146: the HOME environment variable to the home directory of the
147: target user (root by default) as specified by the password
148: database. Depending on the policy, this may be the default
149: behavior.
150:
151: --hh The --hh (_h_e_l_p) option causes ssuuddoo to print a short help
152: message to the standard output and exit.
153:
154: --ii [_c_o_m_m_a_n_d]
155: The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
156: specified by the password database entry of the target user
157: as a login shell. This means that login-specific resource
158: files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be read by the shell.
159: If a command is specified, it is passed to the shell for
160: execution via the shell's --cc option. If no command is
161: specified, an interactive shell is executed. ssuuddoo attempts
162: to change to that user's home directory before running the
163: shell. The security policy shall initialize the environment
164: to a minimal set of variables, similar to what is present
165: when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section in the
166: sudoers(4) manual documents how the --ii option affects the
167: environment in which a command is run when the _s_u_d_o_e_r_s policy
168: is in use.
169:
170: --KK The --KK (sure _k_i_l_l) option is like --kk except that it removes
171: the user's cached credentials entirely and may not be used in
172: conjunction with a command or other option. This option does
173: not require a password. Not all security policies support
174: credential caching.
175:
176: --kk [_c_o_m_m_a_n_d]
177: When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates the
178: user's cached credentials. The next time ssuuddoo is run a
179: password will be required. This option does not require a
180: password and was added to allow a user to revoke ssuuddoo
181: permissions from a _._l_o_g_o_u_t file. Not all security policies
182: support credential caching.
183:
184: When used in conjunction with a command or an option that may
185: require a password, the --kk option will cause ssuuddoo to ignore
186: the user's cached credentials. As a result, ssuuddoo will prompt
187: for a password (if one is required by the security policy)
188: and will not update the user's cached credentials.
189:
190: --ll[ll] [_c_o_m_m_a_n_d]
191: If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list
192: the allowed (and forbidden) commands for the invoking user
193: (or the user specified by the --UU option) on the current host.
194: If a _c_o_m_m_a_n_d is specified and is permitted by the security
195: policy, the fully-qualified path to the command is displayed
196: along with any command line arguments. If _c_o_m_m_a_n_d is
197: specified but not allowed, ssuuddoo will exit with a status value
198: of 1. If the --ll option is specified with an _l argument (i.e.
199: --llll), or if --ll is specified multiple times, a longer list
200: format is used.
201:
202: --nn The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting
203: the user for a password. If a password is required for the
204: command to run, ssuuddoo will display an error message and exit.
205:
206: --PP The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve
207: the invoking user's group vector unaltered. By default, the
208: _s_u_d_o_e_r_s policy will initialize the group vector to the list
209: of groups the target user is in. The real and effective
210: group IDs, however, are still set to match the target user.
211:
212: --pp _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
213: password prompt and use a custom one. The following percent
214: (`%') escapes are supported by the _s_u_d_o_e_r_s policy:
215:
216: %H expanded to the host name including the domain name (on
217: if the machine's host name is fully qualified or the _f_q_d_n
218: option is set in sudoers(4))
219:
220: %h expanded to the local host name without the domain name
221:
222: %p expanded to the name of the user whose password is being
223: requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w
224: flags in sudoers(4))
225:
226: %U expanded to the login name of the user the command will
227: be run as (defaults to root unless the --uu option is also
228: specified)
229:
230: %u expanded to the invoking user's login name
231:
232: %% two consecutive `%' characters are collapsed into a
233: single `%' character
234:
235: The prompt specified by the --pp option will override the
236: system password prompt on systems that support PAM unless the
237: _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s.
238:
239: --rr _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security
240: context to have the role specified by _r_o_l_e.
241:
242: --SS The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from
243: the standard input instead of the terminal device. The
244: password must be followed by a newline character.
245:
246: --ss [_c_o_m_m_a_n_d]
247: The --ss (_s_h_e_l_l) option runs the shell specified by the SHELL
248: environment variable if it is set or the shell as specified
249: in the password database. If a command is specified, it is
250: passed to the shell for execution via the shell's --cc option.
251: If no command is specified, an interactive shell is executed.
252:
253: --tt _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security
254: context to have the type specified by _t_y_p_e. If no type is
255: specified, the default type is derived from the specified
256: role.
257:
258: --UU _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll
259: option to specify the user whose privileges should be listed.
260: The security policy may restrict listing other users'
261: privileges. The _s_u_d_o_e_r_s policy only allows root or a user
262: with the ALL privilege on the current host to use this
263: option.
264:
265: --uu _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command
266: as a user other than _r_o_o_t. To specify a _u_i_d instead of a
267: _u_s_e_r _n_a_m_e, _#_u_i_d. When running commands as a _u_i_d, many shells
268: require that the `#' be escaped with a backslash (`\').
269: Security policies may restrict _u_i_ds to those listed in the
270: password database. The _s_u_d_o_e_r_s policy allows _u_i_ds that are
271: not in the password database as long as the _t_a_r_g_e_t_p_w option
272: is not set. Other security policies may not support this.
273:
274: --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version
275: string and the version string of the security policy plugin
276: and any I/O plugins. If the invoking user is already root
277: the --VV option will display the arguments passed to configure
278: when ssuuddoo was built and plugins may display more verbose
279: information such as default options.
280:
281: --vv When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
282: user's cached credentials, authenticating the user's password
283: if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo
284: timeout for another 5 minutes (or whatever the timeout is set
285: to by the security policy) but does not run a command. Not
286: all security policies support cached credentials.
287:
288: ---- The ---- option indicates that ssuuddoo should stop processing
289: command line arguments.
290:
291: Environment variables to be set for the command may also be passed on the
292: command line in the form of VVAARR=_v_a_l_u_e, e.g.
293: LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line
294: are subject to the same restrictions as normal environment variables with
295: one important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the
296: command to be run has the SETENV tag set or the command matched is ALL,
297: the user may set variables that would otherwise be forbidden. See
298: sudoers(4) for more information.
299:
300: CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
301: When ssuuddoo executes a command, the security policy specifies the execution
302: envionment for the command. Typically, the real and effective uid and
303: gid are set to match those of the target user, as specified in the
304: password database, and the group vector is initialized based on the group
305: database (unless the --PP option was specified).
306:
307: The following parameters may be specified by security policy:
308:
309: oo real and effective user ID
310:
311: oo real and effective group ID
312:
313: oo supplementary group IDs
314:
315: oo the environment list
316:
317: oo current working directory
318:
319: oo file creation mode mask (umask)
320:
321: oo SELinux role and type
322:
323: oo Solaris project
324:
325: oo Solaris privileges
326:
327: oo BSD login class
328:
329: oo scheduling priority (aka nice value)
330:
331: PPrroocceessss mmooddeell
332: When ssuuddoo runs a command, it calls fork(2), sets up the execution
333: environment as described above, and calls the execve system call in the
334: child process. The main ssuuddoo process waits until the command has
335: completed, then passes the command's exit status to the security policy's
336: close method and exits. If an I/O logging plugin is configured, a new
337: pseudo-terminal (``pty'') is created and a second ssuuddoo process is used to
338: relay job control signals between the user's existing pty and the new pty
339: the command is being run in. This extra process makes it possible to,
340: for example, suspend and resume the command. Without it, the command
341: would be in what POSIX terms an ``orphaned process group'' and it would
342: not receive any job control signals.
343:
344: SSiiggnnaall hhaannddlliinngg
345: Because the command is run as a child of the ssuuddoo process, ssuuddoo will
346: relay signals it receives to the command. Unless the command is being
347: run in a new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed
348: unless they are sent by a user process, not the kernel. Otherwise, the
349: command would receive SIGINT twice every time the user entered control-C.
350: Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will
351: not be relayed to the command. As a general rule, SIGTSTP should be used
352: instead of SIGSTOP when you wish to suspend a command being run by ssuuddoo.
353:
354: As a special case, ssuuddoo will not relay signals that were sent by the
355: command it is running. This prevents the command from accidentally
356: killing itself. On some systems, the reboot(1m) command sends SIGTERM to
357: all non-system processes other than itself before rebooting the systyem.
358: This prevents ssuuddoo from relaying the SIGTERM signal it received back to
359: reboot(1m), which might then exit before the system was actually rebooted,
360: leaving it in a half-dead state similar to single user mode. Note,
361: however, that this check only applies to the command run by ssuuddoo and not
362: any other processes that the command may create. As a result, running a
363: script that calls reboot(1m) or shutdown(1m) via ssuuddoo may cause the system
364: to end up in this undefined state unless the reboot(1m) or shutdown(1m) are
365: run using the eexxeecc() family of functions instead of ssyysstteemm() (which
366: interposes a shell between the command and the calling process).
367:
368: PPLLUUGGIINNSS
369: Plugins are dynamically loaded based on the contents of the
370: _/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it
371: contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security
372: policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f
373: file.
374:
375: #
376: # Default /etc/sudo.conf file
377: #
378: # Format:
379: # Plugin plugin_name plugin_path plugin_options ...
380: # Path askpass /path/to/askpass
381: # Path noexec /path/to/sudo_noexec.so
382: # Debug sudo /var/log/sudo_debug all@warn
383: # Set disable_coredump true
384: #
385: # The plugin_path is relative to /usr/local/libexec unless
386: # fully qualified.
387: # The plugin_name corresponds to a global symbol in the plugin
388: # that contains the plugin interface structure.
389: # The plugin_options are optional.
390: #
391: Plugin policy_plugin sudoers.so
392: Plugin io_plugin sudoers.so
393:
394: A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
395: and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e
396: is the name of the struct policy_plugin or struct io_plugin in the plugin
397: shared object. The _p_a_t_h may be fully qualified or relative. If not
398: fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any
399: additional parameters after the _p_a_t_h are passed as arguments to the
400: plugin's _o_p_e_n function. Lines that don't begin with Plugin, Path, Debug,
401: or Set are silently ignored.
402:
403: For more information, see the sudo_plugin(1m) manual.
404:
405: PPAATTHHSS
406: A Path line consists of the Path keyword, followed by the name of the
407: path to set and its value. E.g.
408:
409: Path noexec /usr/local/libexec/sudo_noexec.so
410: Path askpass /usr/X11R6/bin/ssh-askpass
411:
412: The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
413: file:
414:
415: askpass The fully qualified path to a helper program used to read the
416: user's password when no terminal is available. This may be the
417: case when ssuuddoo is executed from a graphical (as opposed to
418: text-based) application. The program specified by _a_s_k_p_a_s_s
419: should display the argument passed to it as the prompt and
420: write the user's password to the standard output. The value of
421: _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
422: variable.
423:
424: noexec The fully-qualified path to a shared library containing dummy
425: versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library
426: functions that just return an error. This is used to implement
427: the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or
428: its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
429:
430: DDEEBBUUGG FFLLAAGGSS
431: ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
432: that can help track down what ssuuddoo is doing internally if there is a
433: problem.
434:
435: A Debug line consists of the Debug keyword, followed by the name of the
436: program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a
437: comma-separated list of debug flags. The debug flag syntax used by ssuuddoo
438: and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to
439: use a different format so long as it does not include a comma (`,').
440:
441: For instance:
442:
443: Debug sudo /var/log/sudo_debug all@warn,plugin@info
444:
445: would log all debugging statements at the _w_a_r_n level and higher in
446: addition to those at the _i_n_f_o level for the plugin subsystem.
447:
448: Currently, only one Debug entry per program is supported. The ssuuddoo Debug
449: entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A
450: future release may add support for per-plugin Debug lines and/or support
451: for multiple debugging files for a single program.
452:
453: The priorities used by the ssuuddoo front end, in order of decreasing
454: severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
455: Each priority, when specified, also includes all priorities higher than
456: it. For example, a priority of _n_o_t_i_c_e would include debug messages
457: logged at _n_o_t_i_c_e and higher.
458:
459: The following subsystems are used by the ssuuddoo front-end:
460:
461: _a_l_l matches every subsystem
462:
463: _a_r_g_s command line argument processing
464:
465: _c_o_n_v user conversation
466:
467: _e_d_i_t sudoedit
468:
469: _e_x_e_c command execution
470:
471: _m_a_i_n ssuuddoo main function
472:
473: _n_e_t_i_f network interface handling
474:
475: _p_c_o_m_m communication with the plugin
476:
477: _p_l_u_g_i_n plugin configuration
478:
479: _p_t_y pseudo-tty related code
480:
481: _s_e_l_i_n_u_x SELinux-specific handling
482:
483: _u_t_i_l utility functions
484:
485: _u_t_m_p utmp handling
486:
487: EEXXIITT VVAALLUUEE
488: Upon successful execution of a program, the exit status from _s_u_d_o will
489: simply be the exit status of the program that was executed.
490:
491: Otherwise, ssuuddoo exits with a value of 1 if there is a
492: configuration/permission problem or if ssuuddoo cannot execute the given
493: command. In the latter case the error string is printed to the standard
494: error. If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an
495: error is printed on stderr. (If the directory does not exist or if it is
496: not really a directory, the entry is ignored and no error is printed.)
497: This should not happen under normal circumstances. The most common
498: reason for stat(2) to return ``permission denied'' is if you are running
499: an automounter and one of the directories in your PATH is on a machine
500: that is currently unreachable.
501:
502: SSEECCUURRIITTYY NNOOTTEESS
503: ssuuddoo tries to be safe when executing external commands.
504:
505: To prevent command spoofing, ssuuddoo checks "." and "" (both denoting
506: current directory) last when searching for a command in the user's PATH
507: (if one or both are in the PATH). Note, however, that the actual PATH
508: environment variable is _n_o_t modified and is passed unchanged to the
509: program that ssuuddoo executes.
510:
511: Please note that ssuuddoo will normally only log the command it explicitly
512: runs. If a user runs a command such as sudo su or sudo sh, subsequent
513: commands run from that shell are not subject to ssuuddoo's security policy.
514: The same is true for commands that offer shell escapes (including most
515: editors). If I/O logging is enabled, subsequent commands will have their
516: input and/or output logged, but there will not be traditional logs for
517: those commands. Because of this, care must be taken when giving users
518: access to commands via ssuuddoo to verify that the command does not
519: inadvertently give the user an effective root shell. For more
520: information, please see the _P_R_E_V_E_N_T_I_N_G _S_H_E_L_L _E_S_C_A_P_E_S section in
521: sudoers(4).
522:
523: To prevent the disclosure of potentially sensitive information, ssuuddoo
524: disables core dumps by default while it is executing (they are re-enabled
525: for the command that is run). To aid in debugging ssuuddoo crashes, you may
526: wish to re-enable core dumps by setting ``disable_coredump'' to false in
527: the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows:
528:
529: Set disable_coredump false
530:
531: Note that by default, most operating systems disable core dumps from
532: setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file
533: you may need to enable core dumps for setuid processes. On BSD and Linux
534: systems this is accomplished via the sysctl command, on Solaris the
535: coreadm command can be used.
536:
537: EENNVVIIRROONNMMEENNTT
538: ssuuddoo utilizes the following environment variables. The security policy
539: has control over the actual content of the command's environment.
540:
541: EDITOR Default editor to use in --ee (sudoedit) mode if neither
542: SUDO_EDITOR nor VISUAL is set.
543:
544: MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set
545: to the mail spool of the target user.
546:
547: HOME Set to the home directory of the target user if --ii or --HH
548: are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set in
549: _s_u_d_o_e_r_s, or when the --ss option is specified and _s_e_t___h_o_m_e
550: is set in _s_u_d_o_e_r_s.
551:
552: PATH May be overridden by the security policy.
553:
554: SHELL Used to determine shell to run with --ss option.
555:
556: SUDO_ASKPASS Specifies the path to a helper program used to read the
557: password if no terminal is available or if the --AA option
558: is specified.
559:
560: SUDO_COMMAND Set to the command run by sudo.
561:
562: SUDO_EDITOR Default editor to use in --ee (sudoedit) mode.
563:
564: SUDO_GID Set to the group ID of the user who invoked sudo.
565:
566: SUDO_PROMPT Used as the default password prompt.
567:
568: SUDO_PS1 If set, PS1 will be set to its value for the program
569: being run.
570:
571: SUDO_UID Set to the user ID of the user who invoked sudo.
572:
573: SUDO_USER Set to the login name of the user who invoked sudo.
574:
575: USER Set to the target user (root unless the --uu option is
576: specified).
577:
578: VISUAL Default editor to use in --ee (sudoedit) mode if
579: SUDO_EDITOR is not set.
580:
581: FFIILLEESS
582: _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration
583:
584: EEXXAAMMPPLLEESS
585: Note: the following examples assume a properly configured security
586: policy.
587:
588: To get a file listing of an unreadable directory:
589:
590: $ sudo ls /usr/local/protected
591:
592: To list the home directory of user yaz on a machine where the file system
593: holding ~yaz is not exported as root:
594:
595: $ sudo -u yaz ls ~yaz
596:
597: To edit the _i_n_d_e_x_._h_t_m_l file as user www:
598:
599: $ sudo -u www vi ~www/htdocs/index.html
600:
601: To view system logs only accessible to root and users in the adm group:
602:
603: $ sudo -g adm view /var/log/syslog
604:
605: To run an editor as jim with a different primary group:
606:
607: $ sudo -u jim -g audio vi ~jim/sound.txt
608:
609: To shut down a machine:
610:
611: $ sudo shutdown -r +15 "quick reboot"
612:
613: To make a usage listing of the directories in the /home partition. Note
614: that this runs the commands in a sub-shell to make the cd and file
615: redirection work.
616:
617: $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
618:
619: SSEEEE AALLSSOO
620: grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4),
621: sudo_plugin(1m), sudoreplay(1m), visudo(1m)
622:
623: HHIISSTTOORRYY
624: See the HISTORY file in the ssuuddoo distribution
625: (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
626:
627: AAUUTTHHOORRSS
628: Many people have worked on ssuuddoo over the years; this version consists of
629: code written primarily by:
630:
631: Todd C. Miller
632:
633: See the CONTRIBUTORS file in the ssuuddoo distribution
634: (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
635: people who have contributed to ssuuddoo.
636:
637: CCAAVVEEAATTSS
638: There is no easy way to prevent a user from gaining a root shell if that
639: user is allowed to run arbitrary commands via ssuuddoo. Also, many programs
640: (such as editors) allow the user to run commands via shell escapes, thus
641: avoiding ssuuddoo's checks. However, on most systems it is possible to
642: prevent shell escapes with the sudoers(4) plugin's _n_o_e_x_e_c functionality.
643:
644: It is not meaningful to run the cd command directly via sudo, e.g.,
645:
646: $ sudo cd /usr/local/protected
647:
648: since when the command exits the parent process (your shell) will still
649: be the same. Please see the _E_X_A_M_P_L_E_S section for more information.
650:
651: Running shell scripts via ssuuddoo can expose the same kernel bugs that make
652: setuid shell scripts unsafe on some operating systems (if your OS has a
653: /dev/fd/ directory, setuid shell scripts are generally safe).
654:
655: BBUUGGSS
656: If you feel you have found a bug in ssuuddoo, please submit a bug report at
657: http://www.sudo.ws/sudo/bugs/
658:
659: SSUUPPPPOORRTT
660: Limited free support is available via the sudo-users mailing list, see
661: http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
662: archives.
663:
664: DDIISSCCLLAAIIMMEERR
665: ssuuddoo is provided ``AS IS'' and any express or implied warranties,
666: including, but not limited to, the implied warranties of merchantability
667: and fitness for a particular purpose are disclaimed. See the LICENSE
668: file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
669: complete details.
670:
671: Sudo 1.8.6 July 10, 2012 Sudo 1.8.6
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>