Annotation of embedaddon/sudo/doc/sudo.man.in, revision 1.1.1.2
1.1.1.2 ! misho 1: .\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
1.1 misho 2: .\" Todd C. Miller <Todd.Miller@courtesan.com>
3: .\"
4: .\" Permission to use, copy, modify, and distribute this software for any
5: .\" purpose with or without fee is hereby granted, provided that the above
6: .\" copyright notice and this permission notice appear in all copies.
7: .\"
8: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16: .\"
17: .\" Sponsored in part by the Defense Advanced Research Projects
18: .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
19: .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
20: .\"
21: .nr SL @SEMAN@
22: .nr BA @BAMAN@
23: .nr LC @LCMAN@
24: .nr PT @password_timeout@
25: .\"
26: .\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
27: .\"
28: .\" Standard preamble:
29: .\" ========================================================================
30: .de Sp \" Vertical space (when we can't use .PP)
31: .if t .sp .5v
32: .if n .sp
33: ..
34: .de Vb \" Begin verbatim text
35: .ft CW
36: .nf
37: .ne \\$1
38: ..
39: .de Ve \" End verbatim text
40: .ft R
41: .fi
42: ..
43: .\" Set up some character translations and predefined strings. \*(-- will
44: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
45: .\" double quote, and \*(R" will give a right double quote. \*(C+ will
46: .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
47: .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
48: .\" nothing in troff, for use with C<>.
49: .tr \(*W-
50: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
51: .ie n \{\
52: . ds -- \(*W-
53: . ds PI pi
54: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
55: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
56: . ds L" ""
57: . ds R" ""
58: . ds C`
59: . ds C'
60: 'br\}
61: .el\{\
62: . ds -- \|\(em\|
63: . ds PI \(*p
64: . ds L" ``
65: . ds R" ''
66: 'br\}
67: .\"
68: .\" Escape single quotes in literal strings from groff's Unicode transform.
69: .ie \n(.g .ds Aq \(aq
70: .el .ds Aq '
71: .\"
72: .\" If the F register is turned on, we'll generate index entries on stderr for
73: .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
74: .\" entries marked with X<> in POD. Of course, you'll have to process the
75: .\" output yourself in some meaningful fashion.
76: .ie \nF \{\
77: . de IX
78: . tm Index:\\$1\t\\n%\t"\\$2"
79: ..
80: . nr % 0
81: . rr F
82: .\}
83: .el \{\
84: . de IX
85: ..
86: .\}
87: .\"
88: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
89: .\" Fear. Run. Save yourself. No user-serviceable parts.
90: . \" fudge factors for nroff and troff
91: .if n \{\
92: . ds #H 0
93: . ds #V .8m
94: . ds #F .3m
95: . ds #[ \f1
96: . ds #] \fP
97: .\}
98: .if t \{\
99: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
100: . ds #V .6m
101: . ds #F 0
102: . ds #[ \&
103: . ds #] \&
104: .\}
105: . \" simple accents for nroff and troff
106: .if n \{\
107: . ds ' \&
108: . ds ` \&
109: . ds ^ \&
110: . ds , \&
111: . ds ~ ~
112: . ds /
113: .\}
114: .if t \{\
115: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
116: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
117: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
118: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
119: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
120: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
121: .\}
122: . \" troff and (daisy-wheel) nroff accents
123: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
124: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
125: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
126: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
127: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
128: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
129: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
130: .ds ae a\h'-(\w'a'u*4/10)'e
131: .ds Ae A\h'-(\w'A'u*4/10)'E
132: . \" corrections for vroff
133: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
134: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
135: . \" for low resolution devices (crt and lpr)
136: .if \n(.H>23 .if \n(.V>19 \
137: \{\
138: . ds : e
139: . ds 8 ss
140: . ds o a
141: . ds d- d\h'-1'\(ga
142: . ds D- D\h'-1'\(hy
143: . ds th \o'bp'
144: . ds Th \o'LP'
145: . ds ae ae
146: . ds Ae AE
147: .\}
148: .rm #[ #] #H #V #F C
149: .\" ========================================================================
150: .\"
151: .IX Title "SUDO @mansectsu@"
1.1.1.2 ! misho 152: .TH SUDO @mansectsu@ "March 15, 2012" "1.8.5" "MAINTENANCE COMMANDS"
1.1 misho 153: .\" For nroff, turn off justification. Always turn off hyphenation; it makes
154: .\" way too many mistakes in technical documents.
155: .if n .ad l
156: .nh
157: .SH "NAME"
158: sudo, sudoedit \- execute a command as another user
159: .SH "SYNOPSIS"
160: .IX Header "SYNOPSIS"
1.1.1.2 ! misho 161: \&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-V\fR
1.1 misho 162: .PP
163: \&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
164: .if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
165: [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
166: [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
167: .PP
168: \&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
169: .if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
170: [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
171: [\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
172: .PP
173: \&\fBsudo\fR [\fB\-AbEHnPS\fR]
174: .if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
175: [\fB\-C\fR\ \fIfd\fR]
176: .if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
177: [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
178: .if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
179: [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
180: [\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
181: .PP
182: \&\fBsudoedit\fR [\fB\-AnS\fR]
183: .if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
184: [\fB\-C\fR\ \fIfd\fR]
185: .if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
186: [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
187: [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
188: .SH "DESCRIPTION"
189: .IX Header "DESCRIPTION"
190: \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
191: superuser or another user, as specified by the security policy.
192: The real and effective uid and gid are set to match those of the
193: target user, as specified in the password database, and the group
194: vector is initialized based on the group database (unless the \fB\-P\fR
195: option was specified).
196: .PP
197: \&\fBsudo\fR supports a plugin architecture for security policies and
198: input/output logging. Third parties can develop and distribute
1.1.1.2 ! misho 199: their own policy and I/O logging modules to work seamlessly with
1.1 misho 200: the \fBsudo\fR front end. The default security policy is \fIsudoers\fR,
201: which is configured via the file \fI@sysconfdir@/sudoers\fR, or via
202: \&\s-1LDAP\s0. See the \s-1PLUGINS\s0 section for more information.
203: .PP
204: The security policy determines what privileges, if any, a user has
205: to run \fBsudo\fR. The policy may require that users authenticate
206: themselves with a password or another authentication mechanism. If
207: authentication is required, \fBsudo\fR will exit if the user's password
208: is not entered within a configurable time limit. This limit is
209: policy-specific; the default password prompt timeout for the
210: \&\fIsudoers\fR security policy is
211: .ie \n(PT \f(CW\*(C`@password_timeout@\*(C'\fR minutes.
212: .el unlimited.
213: .PP
214: Security policies may support credential caching to allow the user
215: to run \fBsudo\fR again for a period of time without requiring
216: authentication. The \fIsudoers\fR policy caches credentials for
217: \&\f(CW\*(C`@timeout@\*(C'\fR minutes, unless overridden in \fIsudoers\fR\|(@mansectform@). By
218: running \fBsudo\fR with the \fB\-v\fR option, a user can update the cached
219: credentials without running a \fIcommand\fR.
220: .PP
221: When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
222: is implied.
223: .PP
224: Security policies may log successful and failed attempts to use
225: \&\fBsudo\fR. If an I/O plugin is configured, the running command's
226: input and output may be logged as well.
227: .SH "OPTIONS"
228: .IX Header "OPTIONS"
229: \&\fBsudo\fR accepts the following command line options:
230: .IP "\-A" 12
231: .IX Item "-A"
232: Normally, if \fBsudo\fR requires a password, it will read it from the
233: user's terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
234: a (possibly graphical) helper program is executed to read the user's
235: password and output the password to the standard output. If the
236: \&\f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the path
237: to the helper program. Otherwise, if \fI@sysconfdir@/sudo.conf\fR
238: contains a line specifying the askpass program, that value will be
239: used. For example:
240: .Sp
241: .Vb 2
242: \& # Path to askpass helper program
243: \& Path askpass /usr/X11R6/bin/ssh\-askpass
244: .Ve
245: .Sp
246: If no askpass program is available, sudo will exit with an error.
247: .if \n(BA \{\
248: .IP "\-a \fItype\fR" 12
249: .IX Item "-a type"
250: The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
251: specified authentication type when validating the user, as allowed
252: by \fI/etc/login.conf\fR. The system administrator may specify a list
253: of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
254: entry in \fI/etc/login.conf\fR. This option is only available on systems
255: that support \s-1BSD\s0 authentication.
256: \}
257: .IP "\-b" 12
258: .IX Item "-b"
259: The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
260: command in the background. Note that if you use the \fB\-b\fR
261: option you cannot use shell job control to manipulate the process.
262: Most interactive commands will fail to work properly in background
263: mode.
264: .IP "\-C \fIfd\fR" 12
265: .IX Item "-C fd"
266: Normally, \fBsudo\fR will close all open file descriptors other than
267: standard input, standard output and standard error. The \fB\-C\fR
268: (\fIclose from\fR) option allows the user to specify a starting point
269: above the standard error (file descriptor three). Values less than
270: three are not permitted. The security policy may restrict the
271: user's ability to use the \fB\-C\fR option. The \fIsudoers\fR policy only
272: permits use of the \fB\-C\fR option when the administrator has enabled
273: the \fIclosefrom_override\fR option.
274: .if \n(LC \{\
275: .IP "\-c \fIclass\fR" 12
276: .IX Item "-c class"
277: The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
278: with resources limited by the specified login class. The \fIclass\fR
279: argument can be either a class name as defined in \fI/etc/login.conf\fR,
280: or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
281: that the command should be run restricted by the default login
282: capabilities for the user the command is run as. If the \fIclass\fR
283: argument specifies an existing user class, the command must be run
284: as root, or the \fBsudo\fR command must be run from a shell that is already
285: root. This option is only available on systems with \s-1BSD\s0 login classes.
286: \}
287: .IP "\-E" 12
288: .IX Item "-E"
289: The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option indicates to the
290: security policy that the user wishes to preserve their existing
291: environment variables. The security policy may return an error if
292: the \fB\-E\fR option is specified and the user does not have permission
293: to preserve the environment.
294: .IP "\-e" 12
295: .IX Item "-e"
296: The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running a
297: command, the user wishes to edit one or more files. In lieu of a
298: command, the string \*(L"sudoedit\*(R" is used when consulting the security
299: policy. If the user is authorized by the policy, the following
300: steps are taken:
301: .RS 12
302: .IP "1." 4
303: Temporary copies are made of the files to be edited with the owner
304: set to the invoking user.
305: .IP "2." 4
306: The editor specified by the policy is run to edit the temporary files.
307: The \fIsudoers\fR policy uses the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR and \f(CW\*(C`EDITOR\*(C'\fR
308: environment variables (in that order). If none of \f(CW\*(C`SUDO_EDITOR\*(C'\fR,
309: \&\f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program listed in the
310: \&\fIeditor\fR \fIsudoers\fR\|(@mansectform@) option is used.
311: .IP "3." 4
312: If they have been modified, the temporary files are copied back to
313: their original location and the temporary versions are removed.
314: .RE
315: .RS 12
316: .Sp
317: If the specified file does not exist, it will be created. Note
318: that unlike most commands run by \fBsudo\fR, the editor is run with
319: the invoking user's environment unmodified. If, for some reason,
320: \&\fBsudo\fR is unable to update a file with its edited version, the
321: user will receive a warning and the edited copy will remain in a
322: temporary file.
323: .RE
324: .IP "\-g \fIgroup\fR" 12
325: .IX Item "-g group"
326: Normally, \fBsudo\fR runs a command with the primary group set to the
327: one specified by the password database for the user the command is
328: being run as (by default, root). The \fB\-g\fR (\fIgroup\fR) option causes
329: \&\fBsudo\fR to run the command with the primary group set to \fIgroup\fR
330: instead. To specify a \fIgid\fR instead of a \fIgroup name\fR, use
331: \&\fI#gid\fR. When running commands as a \fIgid\fR, many shells require
332: that the '#' be escaped with a backslash ('\e'). If no \fB\-u\fR option
333: is specified, the command will be run as the invoking user (not
334: root). In either case, the primary group will be set to \fIgroup\fR.
335: .IP "\-H" 12
336: .IX Item "-H"
337: The \fB\-H\fR (\fI\s-1HOME\s0\fR) option requests that the security policy set
338: the \f(CW\*(C`HOME\*(C'\fR environment variable to the home directory of the target
339: user (root by default) as specified by the password database.
340: Depending on the policy, this may be the default behavior.
341: .IP "\-h" 12
342: .IX Item "-h"
343: The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a short help message
344: to the standard output and exit.
345: .IP "\-i [command]" 12
346: .IX Item "-i [command]"
347: The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
348: by the password database entry of the target user as a login shell.
349: This means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR
350: or \f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified,
351: it is passed to the shell for execution via the shell's \fB\-c\fR option.
352: If no command is specified, an interactive shell is executed.
353: \&\fBsudo\fR attempts to change to that user's home directory before
354: running the shell. The security policy shall initialize the
355: environment to a minimal set of variables, similar to what is present
356: when a user logs in. The \fICommand Environment\fR section in the
357: \&\fIsudoers\fR\|(@mansectform@) manual documents how the \fB\-i\fR option affects the
358: environment in which a command is run when the \fIsudoers\fR policy
359: is in use.
360: .IP "\-K" 12
361: .IX Item "-K"
362: The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
363: the user's cached credentials entirely and may not be used in
364: conjunction with a command or other option. This option does not
365: require a password. Not all security policies support credential
366: caching.
367: .IP "\-k [command]" 12
368: .IX Item "-k [command]"
369: When used alone, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
370: the user's cached credentials. The next time \fBsudo\fR is run a
371: password will be required. This option does not require a password
372: and was added to allow a user to revoke \fBsudo\fR permissions from a
373: \&.logout file. Not all security policies support credential
374: caching.
375: .Sp
376: When used in conjunction with a command or an option that may require
377: a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
378: cached credentials. As a result, \fBsudo\fR will prompt for a password
379: (if one is required by the security policy) and will not update the
380: user's cached credentials.
381: .IP "\-l[l] [\fIcommand\fR]" 12
382: .IX Item "-l[l] [command]"
383: If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
384: the allowed (and forbidden) commands for the invoking user (or the
385: user specified by the \fB\-U\fR option) on the current host. If a
386: \&\fIcommand\fR is specified and is permitted by the security policy,
387: the fully-qualified path to the command is displayed along with any
388: command line arguments. If \fIcommand\fR is specified but not allowed,
389: \&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option
390: is specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR is
391: specified multiple times, a longer list format is used.
392: .IP "\-n" 12
393: .IX Item "-n"
394: The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
395: the user for a password. If a password is required for the command
396: to run, \fBsudo\fR will display an error messages and exit.
397: .IP "\-P" 12
398: .IX Item "-P"
399: The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
400: preserve the invoking user's group vector unaltered. By default,
401: the \fIsudoers\fR policy will initialize the group vector to the list
402: of groups the target user is in. The real and effective group IDs,
403: however, are still set to match the target user.
404: .IP "\-p \fIprompt\fR" 12
405: .IX Item "-p prompt"
406: The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
407: password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR')
408: escapes are supported by the \fIsudoers\fR policy:
409: .RS 12
410: .ie n .IP "%H" 4
411: .el .IP "\f(CW%H\fR" 4
412: .IX Item "%H"
413: expanded to the host name including the domain name (on if
414: the machine's host name is fully qualified or the \fIfqdn\fR option
415: is set in \fIsudoers\fR\|(@mansectform@))
416: .ie n .IP "%h" 4
417: .el .IP "\f(CW%h\fR" 4
418: .IX Item "%h"
419: expanded to the local host name without the domain name
420: .ie n .IP "%p" 4
421: .el .IP "\f(CW%p\fR" 4
422: .IX Item "%p"
423: expanded to the name of the user whose password is being requested
424: (respects the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in
425: \&\fIsudoers\fR\|(@mansectform@))
426: .ie n .IP "%U" 4
427: .el .IP "\f(CW%U\fR" 4
428: .IX Item "%U"
429: expanded to the login name of the user the command will be run as
430: (defaults to root unless the \f(CW\*(C`\-u\*(C'\fR option is also specified)
431: .ie n .IP "%u" 4
432: .el .IP "\f(CW%u\fR" 4
433: .IX Item "%u"
434: expanded to the invoking user's login name
435: .ie n .IP "\*(C`%%\*(C'" 4
436: .el .IP "\f(CW\*(C`%%\*(C'\fR" 4
437: .IX Item "%%"
438: two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
439: .RE
440: .RS 12
441: .Sp
442: The prompt specified by the \fB\-p\fR option will override the system
443: password prompt on systems that support \s-1PAM\s0 unless the
444: \&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
445: .RE
446: .if \n(SL \{\
447: .IP "\-r \fIrole\fR" 12
448: .IX Item "-r role"
449: The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
450: have the role specified by \fIrole\fR.
451: \}
452: .IP "\-S" 12
453: .IX Item "-S"
454: The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
455: the standard input instead of the terminal device. The password must
456: be followed by a newline character.
457: .IP "\-s [command]" 12
458: .IX Item "-s [command]"
459: The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
460: environment variable if it is set or the shell as specified in the
461: password database. If a command is specified, it is passed to the
462: shell for execution via the shell's \fB\-c\fR option. If no command
463: is specified, an interactive shell is executed.
464: .if \n(SL \{\
465: .IP "\-t \fItype\fR" 12
466: .IX Item "-t type"
467: The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
468: have the type specified by \fItype\fR. If no type is specified, the default
469: type is derived from the specified role.
470: \}
471: .IP "\-U \fIuser\fR" 12
472: .IX Item "-U user"
473: The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the
474: \&\fB\-l\fR option to specify the user whose privileges should be listed.
475: The security policy may restrict listing other users' privileges.
476: The \fIsudoers\fR policy only allows root or a user with the \f(CW\*(C`ALL\*(C'\fR
477: privilege on the current host to use this option.
478: .IP "\-u \fIuser\fR" 12
479: .IX Item "-u user"
480: The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified
481: command as a user other than \fIroot\fR. To specify a \fIuid\fR instead
482: of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR,
483: many shells require that the '#' be escaped with a backslash ('\e').
484: Security policies may restrict \fIuid\fRs to those listed in the
485: password database. The \fIsudoers\fR policy allows \fIuid\fRs that are
486: not in the password database as long as the \fItargetpw\fR option is
487: not set. Other security policies may not support this.
488: .IP "\-V" 12
489: .IX Item "-V"
490: The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print its version
491: string and the version string of the security policy plugin and any
492: I/O plugins. If the invoking user is already root the \fB\-V\fR option
493: will display the arguments passed to configure when \fIsudo\fR was
494: built and plugins may display more verbose information such as
495: default options.
496: .IP "\-v" 12
497: .IX Item "-v"
498: When given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
499: user's cached credentials, authenticating the user's password if
500: necessary. For the \fIsudoers\fR plugin, this extends the \fBsudo\fR
501: timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes (or whatever the timeout
502: is set to in \fIsudoers\fR) but does not run a command. Not all
503: security policies support cached credentials.
504: .IP "\-\-" 12
505: The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
506: line arguments.
507: .PP
508: Environment variables to be set for the command may also be passed
509: on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
510: \&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
511: command line are subject to the same restrictions as normal environment
512: variables with one important exception. If the \fIsetenv\fR option
513: is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
514: set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
1.1.1.2 ! misho 515: that would otherwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information.
1.1 misho 516: .SH "PLUGINS"
517: .IX Header "PLUGINS"
518: Plugins are dynamically loaded based on the contents of the
519: \&\fI@sysconfdir@/sudo.conf\fR file. If no \fI@sysconfdir@/sudo.conf\fR
520: file is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR
521: will use the traditional \fIsudoers\fR security policy and I/O logging,
522: which corresponds to the following \fI@sysconfdir@/sudo.conf\fR file.
523: .PP
524: .Vb 10
525: \& #
526: \& # Default @sysconfdir@/sudo.conf file
527: \& #
528: \& # Format:
1.1.1.2 ! misho 529: \& # Plugin plugin_name plugin_path plugin_options ...
1.1 misho 530: \& # Path askpass /path/to/askpass
1.1.1.2 ! misho 531: \& # Path noexec /path/to/sudo_noexec.so
! 532: \& # Debug sudo /var/log/sudo_debug all@warn
! 533: \& # Set disable_coredump true
1.1 misho 534: \& #
535: \& # The plugin_path is relative to @prefix@/libexec unless
536: \& # fully qualified.
537: \& # The plugin_name corresponds to a global symbol in the plugin
538: \& # that contains the plugin interface structure.
1.1.1.2 ! misho 539: \& # The plugin_options are optional.
1.1 misho 540: \& #
541: \& Plugin policy_plugin sudoers.so
542: \& Plugin io_plugin sudoers.so
543: .Ve
544: .PP
545: A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword, followed by the
546: \&\fIsymbol_name\fR and the \fIpath\fR to the shared object containing the
547: plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR
548: or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
549: may be fully qualified or relative. If not fully qualified it is
550: relative to the \fI@prefix@/libexec\fR directory. Any additional
1.1.1.2 ! misho 551: parameters after the \fIpath\fR are passed as arguments to the plugin's
! 552: \&\fIopen\fR function. Lines that don't begin with \f(CW\*(C`Plugin\*(C'\fR, \f(CW\*(C`Path\*(C'\fR,
! 553: \&\f(CW\*(C`Debug\*(C'\fR or \f(CW\*(C`Set\*(C'\fR are silently ignored.
1.1 misho 554: .PP
555: For more information, see the \fIsudo_plugin\fR\|(@mansectsu@) manual.
556: .SH "PATHS"
557: .IX Header "PATHS"
558: A \f(CW\*(C`Path\*(C'\fR line consists of the \f(CW\*(C`Path\*(C'\fR keyword, followed by the
559: name of the path to set and its value. E.g.
560: .PP
561: .Vb 2
562: \& Path noexec @noexec_file@
563: \& Path askpass /usr/X11R6/bin/ssh\-askpass
564: .Ve
565: .PP
566: The following plugin-agnostic paths may be set in the
567: \&\fI@sysconfdir@/sudo.conf\fR file.
568: .IP "askpass" 16
569: .IX Item "askpass"
570: The fully qualified path to a helper program used to read the user's
571: password when no terminal is available. This may be the case when
572: \&\fBsudo\fR is executed from a graphical (as opposed to text-based)
573: application. The program specified by \fIaskpass\fR should display
574: the argument passed to it as the prompt and write the user's password
575: to the standard output. The value of \fIaskpass\fR may be overridden
576: by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable.
577: .IP "noexec" 16
578: .IX Item "noexec"
579: The fully-qualified path to a shared library containing dummy
580: versions of the \fIexecv()\fR, \fIexecve()\fR and \fIfexecve()\fR library functions
581: that just return an error. This is used to implement the \fInoexec\fR
582: functionality on systems that support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent.
583: Defaults to \fI@noexec_file@\fR.
1.1.1.2 ! misho 584: .SH "DEBUG FLAGS"
! 585: .IX Header "DEBUG FLAGS"
! 586: \&\fBsudo\fR versions 1.8.4 and higher support a flexible debugging
! 587: framework that can help track down what \fBsudo\fR is doing internally
! 588: if there is a problem.
! 589: .PP
! 590: A \f(CW\*(C`Debug\*(C'\fR line consists of the \f(CW\*(C`Debug\*(C'\fR keyword, followed by the
! 591: name of the program to debug (\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR),
! 592: the debug file name and a comma-separated list of debug flags.
! 593: The debug flag syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is
! 594: \&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different
! 595: format so long as it does not include a command \f(CW\*(C`,\*(C'\fR.
! 596: .PP
! 597: For instance:
! 598: .PP
! 599: .Vb 1
! 600: \& Debug sudo /var/log/sudo_debug all@warn,plugin@info
! 601: .Ve
! 602: .PP
! 603: would log all debugging statements at the \fIwarn\fR level and higher
! 604: in addition to those at the \fIinfo\fR level for the plugin subsystem.
! 605: .PP
! 606: Currently, only one \f(CW\*(C`Debug\*(C'\fR entry per program is supported. The
! 607: \&\f(CW\*(C`sudo\*(C'\fR \f(CW\*(C`Debug\*(C'\fR entry is shared by the \fBsudo\fR front end, \fBsudoedit\fR
! 608: and the plugins. A future release may add support for per-plugin
! 609: \&\f(CW\*(C`Debug\*(C'\fR lines and/or support for multiple debugging files for a
! 610: single program.
! 611: .PP
! 612: The priorities used by the \fBsudo\fR front end, in order of decreasing
! 613: severity, are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR,
! 614: \&\fItrace\fR and \fIdebug\fR. Each priority, when specified, also includes
! 615: all priorities higher than it. For example, a priority of \fInotice\fR
! 616: would include debug messages logged at \fInotice\fR and higher.
! 617: .PP
! 618: The following subsystems are used by \fBsudo\fR:
! 619: .IP "\fIall\fR" 10
! 620: .IX Item "all"
! 621: matches every subsystem
! 622: .IP "\fIargs\fR" 10
! 623: .IX Item "args"
! 624: command line argument processing
! 625: .IP "\fIconv\fR" 10
! 626: .IX Item "conv"
! 627: user conversation
! 628: .IP "\fIedit\fR" 10
! 629: .IX Item "edit"
! 630: sudoedit
! 631: .IP "\fIexec\fR" 10
! 632: .IX Item "exec"
! 633: command execution
! 634: .IP "\fImain\fR" 10
! 635: .IX Item "main"
! 636: \&\fBsudo\fR main function
! 637: .IP "\fInetif\fR" 10
! 638: .IX Item "netif"
! 639: network interface handling
! 640: .IP "\fIpcomm\fR" 10
! 641: .IX Item "pcomm"
! 642: communication with the plugin
! 643: .IP "\fIplugin\fR" 10
! 644: .IX Item "plugin"
! 645: plugin configuration
! 646: .IP "\fIpty\fR" 10
! 647: .IX Item "pty"
! 648: pseudo-tty related code
! 649: .IP "\fIselinux\fR" 10
! 650: .IX Item "selinux"
! 651: SELinux-specific handling
! 652: .IP "\fIutil\fR" 10
! 653: .IX Item "util"
! 654: utility functions
! 655: .IP "\fIutmp\fR" 10
! 656: .IX Item "utmp"
! 657: utmp handling
1.1 misho 658: .SH "RETURN VALUES"
659: .IX Header "RETURN VALUES"
660: Upon successful execution of a program, the exit status from \fBsudo\fR
661: will simply be the exit status of the program that was executed.
662: .PP
663: Otherwise, \fBsudo\fR exits with a value of 1 if there is a
664: configuration/permission problem or if \fBsudo\fR cannot execute the
665: given command. In the latter case the error string is printed to
666: the standard error. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries
667: in the user's \f(CW\*(C`PATH\*(C'\fR, an error is printed on stderr. (If the
668: directory does not exist or if it is not really a directory, the
669: entry is ignored and no error is printed.) This should not happen
670: under normal circumstances. The most common reason for \fIstat\fR\|(2)
671: to return \*(L"permission denied\*(R" is if you are running an automounter
672: and one of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is
673: currently unreachable.
674: .SH "SECURITY NOTES"
675: .IX Header "SECURITY NOTES"
676: \&\fBsudo\fR tries to be safe when executing external commands.
677: .PP
678: To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
679: current directory) last when searching for a command in the user's
680: \&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
681: actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
682: unchanged to the program that \fBsudo\fR executes.
683: .PP
684: Please note that \fBsudo\fR will normally only log the command it
685: explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
686: \&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell are not subject
687: to \fBsudo\fR's security policy. The same is true for commands that
688: offer shell escapes (including most editors). If I/O logging is
689: enabled, subsequent commands will have their input and/or output
690: logged, but there will not be traditional logs for those commands.
691: Because of this, care must be taken when giving users access to
692: commands via \fBsudo\fR to verify that the command does not inadvertently
693: give the user an effective root shell. For more information, please
694: see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in \fIsudoers\fR\|(@mansectform@).
1.1.1.2 ! misho 695: .PP
! 696: To prevent the disclosure of potentially sensitive information,
! 697: \&\fBsudo\fR disables core dumps by default while it is executing (they
! 698: are re-enabled for the command that is run). To aid in debugging
! 699: \&\fBsudo\fR crashes, you may wish to re-enable core dumps by setting
! 700: \&\*(L"disable_coredump\*(R" to false in the \fI@sysconfdir@/sudo.conf\fR file.
! 701: .PP
! 702: .Vb 1
! 703: \& Set disable_coredump false
! 704: .Ve
! 705: .PP
! 706: Note that by default, most operating systems disable core dumps
! 707: from setuid programs, which includes \fBsudo\fR. To actually get a
! 708: \&\fBsudo\fR core file you may need to enable core dumps for setuid
! 709: processes. On \s-1BSD\s0 and Linux systems this is accomplished via the
! 710: sysctl command, on Solaris the coreadm command can be used.
1.1 misho 711: .SH "ENVIRONMENT"
712: .IX Header "ENVIRONMENT"
713: \&\fBsudo\fR utilizes the following environment variables. The security
714: policy has control over the content of the command's environment.
715: .ie n .IP "\*(C`EDITOR\*(C'" 16
716: .el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
717: .IX Item "EDITOR"
718: Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
719: nor \f(CW\*(C`VISUAL\*(C'\fR is set
720: .ie n .IP "\*(C`MAIL\*(C'" 16
721: .el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16
722: .IX Item "MAIL"
723: In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set
724: to the mail spool of the target user
725: .ie n .IP "\*(C`HOME\*(C'" 16
726: .el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
727: .IX Item "HOME"
728: Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are
729: specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR,
730: or when the \fB\-s\fR option is specified and \fIset_home\fR is set in
731: \&\fIsudoers\fR
732: .ie n .IP "\*(C`PATH\*(C'" 16
733: .el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
734: .IX Item "PATH"
735: May be overridden by the security policy.
736: .ie n .IP "\*(C`SHELL\*(C'" 16
737: .el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
738: .IX Item "SHELL"
739: Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option
740: .ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16
741: .el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16
742: .IX Item "SUDO_ASKPASS"
743: Specifies the path to a helper program used to read the password
744: if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified.
745: .ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16
746: .el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16
747: .IX Item "SUDO_COMMAND"
748: Set to the command run by sudo
749: .ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16
750: .el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16
751: .IX Item "SUDO_EDITOR"
752: Default editor to use in \fB\-e\fR (sudoedit) mode
753: .ie n .IP "\*(C`SUDO_GID\*(C'" 16
754: .el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16
755: .IX Item "SUDO_GID"
756: Set to the group \s-1ID\s0 of the user who invoked sudo
757: .ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
758: .el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
759: .IX Item "SUDO_PROMPT"
760: Used as the default password prompt
761: .ie n .IP "\*(C`SUDO_PS1\*(C'" 16
762: .el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16
763: .IX Item "SUDO_PS1"
764: If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run
765: .ie n .IP "\*(C`SUDO_UID\*(C'" 16
766: .el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
767: .IX Item "SUDO_UID"
768: Set to the user \s-1ID\s0 of the user who invoked sudo
769: .ie n .IP "\*(C`SUDO_USER\*(C'" 16
770: .el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
771: .IX Item "SUDO_USER"
772: Set to the login of the user who invoked sudo
773: .ie n .IP "\*(C`USER\*(C'" 16
774: .el .IP "\f(CW\*(C`USER\*(C'\fR" 16
775: .IX Item "USER"
776: Set to the target user (root unless the \fB\-u\fR option is specified)
777: .ie n .IP "\*(C`VISUAL\*(C'" 16
778: .el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
779: .IX Item "VISUAL"
780: Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR
781: is not set
782: .SH "FILES"
783: .IX Header "FILES"
784: .ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
785: .el .IP "\fI@sysconfdir@/sudo.conf\fR" 24
786: .IX Item "@sysconfdir@/sudo.conf"
1.1.1.2 ! misho 787: \&\fBsudo\fR front end configuration
1.1 misho 788: .SH "EXAMPLES"
789: .IX Header "EXAMPLES"
790: Note: the following examples assume a properly configured security policy.
791: .PP
792: To get a file listing of an unreadable directory:
793: .PP
794: .Vb 1
795: \& $ sudo ls /usr/local/protected
796: .Ve
797: .PP
798: To list the home directory of user yaz on a machine where the
799: file system holding ~yaz is not exported as root:
800: .PP
801: .Vb 1
802: \& $ sudo \-u yaz ls ~yaz
803: .Ve
804: .PP
805: To edit the \fIindex.html\fR file as user www:
806: .PP
807: .Vb 1
808: \& $ sudo \-u www vi ~www/htdocs/index.html
809: .Ve
810: .PP
811: To view system logs only accessible to root and users in the adm group:
812: .PP
813: .Vb 1
814: \& $ sudo \-g adm view /var/log/syslog
815: .Ve
816: .PP
817: To run an editor as jim with a different primary group:
818: .PP
819: .Vb 1
820: \& $ sudo \-u jim \-g audio vi ~jim/sound.txt
821: .Ve
822: .PP
823: To shutdown a machine:
824: .PP
825: .Vb 1
826: \& $ sudo shutdown \-r +15 "quick reboot"
827: .Ve
828: .PP
829: To make a usage listing of the directories in the /home
830: partition. Note that this runs the commands in a sub-shell
831: to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
832: .PP
833: .Vb 1
834: \& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE"
835: .Ve
836: .SH "SEE ALSO"
837: .IX Header "SEE ALSO"
838: \&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
839: .if \n(LC \&\fIlogin_cap\fR\|(3),
840: \&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
841: .SH "AUTHORS"
842: .IX Header "AUTHORS"
843: Many people have worked on \fBsudo\fR over the years; this
844: version consists of code written primarily by:
845: .PP
846: .Vb 1
847: \& Todd C. Miller
848: .Ve
849: .PP
1.1.1.2 ! misho 850: See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
! 851: (http://www.sudo.ws/sudo/contributors.html) for a list of people
! 852: who have contributed to \fBsudo\fR.
! 853: .SH "HISTORY"
! 854: .IX Header "HISTORY"
! 855: See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution
! 856: (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
1.1 misho 857: .SH "CAVEATS"
858: .IX Header "CAVEATS"
859: There is no easy way to prevent a user from gaining a root shell
860: if that user is allowed to run arbitrary commands via \fBsudo\fR.
861: Also, many programs (such as editors) allow the user to run commands
862: via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
863: most systems it is possible to prevent shell escapes with the
864: \&\fIsudoers\fR\|(@mansectform@) module's \fInoexec\fR functionality.
865: .PP
866: It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
867: .PP
868: .Vb 1
869: \& $ sudo cd /usr/local/protected
870: .Ve
871: .PP
872: since when the command exits the parent process (your shell) will
873: still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
874: .PP
875: Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
876: make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
877: has a /dev/fd/ directory, setuid shell scripts are generally safe).
878: .SH "BUGS"
879: .IX Header "BUGS"
880: If you feel you have found a bug in \fBsudo\fR, please submit a bug report
881: at http://www.sudo.ws/sudo/bugs/
882: .SH "SUPPORT"
883: .IX Header "SUPPORT"
884: Limited free support is available via the sudo-users mailing list,
885: see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
886: search the archives.
887: .SH "DISCLAIMER"
888: .IX Header "DISCLAIMER"
889: \&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
890: including, but not limited to, the implied warranties of merchantability
891: and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
892: file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
893: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>