|
version 1.1.1.3, 2013/10/14 07:56:34
|
version 1.1.1.4, 2014/06/15 16:12:54
|
|
Line 1
|
Line 1
|
| .\" |
.\" |
| .\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 | .\" Copyright (c) 1994-1996, 1998-2005, 2007-2014 |
| .\" Todd C. Miller <Todd.Miller@courtesan.com> |
.\" Todd C. Miller <Todd.Miller@courtesan.com> |
| .\" |
.\" |
| .\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
|
Line 19
|
Line 19
|
| .\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
| .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
| .\" |
.\" |
| .Dd August 14, 2013 | .Dd February 15, 2014 |
| .Dt SUDO @mansectsu@ |
.Dt SUDO @mansectsu@ |
| .Os Sudo @PACKAGE_VERSION@ |
.Os Sudo @PACKAGE_VERSION@ |
| .Sh NAME |
.Sh NAME |
|
Line 28
|
Line 28
|
| .Nd execute a command as another user |
.Nd execute a command as another user |
| .Sh SYNOPSIS |
.Sh SYNOPSIS |
| .Nm sudo |
.Nm sudo |
| .Fl h No | Fl K No | Fl k No | Fl V | .Fl h | K | k | V |
| .Nm sudo |
.Nm sudo |
| .Fl v |
.Fl v |
| .Op Fl AknS |
.Op Fl AknS |
| .Bk -words |
|
| .Op Fl a Ar type |
.Op Fl a Ar type |
| .Ek |
|
| .Bk -words |
|
| .Op Fl g Ar group |
.Op Fl g Ar group |
| .Ek |
|
| .Bk -words |
|
| .Op Fl h Ar host |
.Op Fl h Ar host |
| .Ek |
|
| .Bk -words |
|
| .Op Fl p Ar prompt |
.Op Fl p Ar prompt |
| .Ek |
|
| .Bk -words |
|
| .Op Fl u Ar user |
.Op Fl u Ar user |
| .Ek |
|
| .Nm sudo |
.Nm sudo |
| .Fl l |
.Fl l |
| .Op Fl AknS |
.Op Fl AknS |
| .Bk -words |
|
| .Op Fl a Ar type |
.Op Fl a Ar type |
| .Ek |
|
| .Bk -words |
|
| .Op Fl g Ar group |
.Op Fl g Ar group |
| .Ek |
|
| .Bk -words |
|
| .Op Fl h Ar host |
.Op Fl h Ar host |
| .Ek |
|
| .Bk -words |
|
| .Op Fl p Ar prompt |
.Op Fl p Ar prompt |
| .Ek |
|
| .Bk -words |
|
| .Op Fl U Ar user |
.Op Fl U Ar user |
| .Ek |
|
| .Bk -words |
|
| .Op Fl u Ar user |
.Op Fl u Ar user |
| .Ek |
|
| .Op Ar command |
.Op Ar command |
| .Nm sudo |
.Nm sudo |
| .Op Fl AbEHnPS |
.Op Fl AbEHnPS |
| .Bk -words |
|
| .Op Fl a Ar type |
.Op Fl a Ar type |
| .Ek |
|
| .Bk -words |
|
| .Op Fl C Ar num |
.Op Fl C Ar num |
| .Ek |
|
| .Bk -words |
|
| .Op Fl c Ar class |
.Op Fl c Ar class |
| .Ek |
|
| .Bk -words |
|
| .Op Fl g Ar group |
.Op Fl g Ar group |
| .Ek |
|
| .Bk -words |
|
| .Op Fl h Ar host |
.Op Fl h Ar host |
| .Ek |
|
| .Bk -words |
|
| .Op Fl p Ar prompt |
.Op Fl p Ar prompt |
| .Ek |
|
| .Bk -words |
|
| .Op Fl r Ar role |
.Op Fl r Ar role |
| .Ek |
|
| .Bk -words |
|
| .Op Fl t Ar type |
.Op Fl t Ar type |
| .Ek |
|
| .Bk -words |
|
| .Op Fl u Ar user |
.Op Fl u Ar user |
| .Ek | .Op Ar VAR Ns = Ns Ar value |
| .Bk -words | .Op Fl i | s |
| .Op Sy VAR Ns = Ns Ar value | |
| .Ek | |
| .Bk -words | |
| .Op Fl i No | Fl s | |
| .Ek | |
| .Op Ar command |
.Op Ar command |
| .Nm sudoedit |
.Nm sudoedit |
| .Op Fl AknS |
.Op Fl AknS |
| .Bk -words |
|
| .Op Fl a Ar type |
.Op Fl a Ar type |
| .Ek |
|
| .Bk -words |
|
| .Op Fl C Ar num |
.Op Fl C Ar num |
| .Ek |
|
| .Bk -words |
|
| .Op Fl c Ar class |
.Op Fl c Ar class |
| .Ek |
|
| .Bk -words |
|
| .Op Fl g Ar group |
.Op Fl g Ar group |
| .Ek |
|
| .Bk -words |
|
| .Op Fl h Ar host |
.Op Fl h Ar host |
| .Ek |
|
| .Bk -words |
|
| .Op Fl p Ar prompt |
.Op Fl p Ar prompt |
| .Ek |
|
| .Bk -words |
|
| .Op Fl u Ar user |
.Op Fl u Ar user |
| .Ek | .Ar |
| .Bk -words | |
| file ... | |
| .Ek | |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm sudo |
.Nm sudo |
| allows a permitted user to execute a |
allows a permitted user to execute a |
|
Line 205 Normally, if
|
Line 145 Normally, if
|
| .Nm sudo |
.Nm sudo |
| requires a password, it will read it from the user's terminal. |
requires a password, it will read it from the user's terminal. |
| If the |
If the |
| .Fl A No ( Em askpass Ns No ) | .Fl A Pq Em askpass |
| option is specified, a (possibly graphical) helper program is |
option is specified, a (possibly graphical) helper program is |
| executed to read the user's password and output the password to the |
executed to read the user's password and output the password to the |
| standard output. |
standard output. |
|
Line 226 Path askpass /usr/X11R6/bin/ssh-askpass
|
Line 166 Path askpass /usr/X11R6/bin/ssh-askpass
|
| If no askpass program is available, |
If no askpass program is available, |
| .Nm sudo |
.Nm sudo |
| will exit with an error. |
will exit with an error. |
| .It Fl a Ar type , Fl -auth-type Ns No = Ns Ar type | .It Fl a Ar type , Fl -auth-type Ns = Ns Ar type |
| Use the specified BSD authentication |
Use the specified BSD authentication |
| .Ar type |
.Ar type |
| when validating the user, if allowed by |
when validating the user, if allowed by |
|
Line 244 background processes started by
|
Line 184 background processes started by
|
| .Nm sudo . |
.Nm sudo . |
| Most interactive commands will fail to work properly in background |
Most interactive commands will fail to work properly in background |
| mode. |
mode. |
| .It Fl C Ar num , Fl -close-from Ns No = Ns Ar num | .It Fl C Ar num , Fl -close-from Ns = Ns Ar num |
| Close all file descriptors greater than or equal to |
Close all file descriptors greater than or equal to |
| .Ar num |
.Ar num |
| before executing a command. |
before executing a command. |
|
Line 261 policy only permits use of the
|
Line 201 policy only permits use of the
|
| option when the administrator has enabled the |
option when the administrator has enabled the |
| .Em closefrom_override |
.Em closefrom_override |
| option. |
option. |
| .It Fl c Ar class , Fl -login-class Ns No = Ns Ar class | .It Fl c Ar class , Fl -login-class Ns = Ns Ar class |
| Run the command with resource limits and scheduling priority of |
Run the command with resource limits and scheduling priority of |
| the specified login |
the specified login |
| .Ar class . |
.Ar class . |
|
Line 275 character.
|
Line 215 character.
|
| If |
If |
| .Ar class |
.Ar class |
| is |
is |
| .Li - , | .Cm - , |
| the default login class of the target user will be used. |
the default login class of the target user will be used. |
| Otherwise, the command must be run as root, or | Otherwise, the command must be run as the superuser (user ID 0), or |
| .Nm sudo |
.Nm sudo |
| must be run from a shell that is already root. | must be run from a shell that is already running as the superuser. |
| If the command is being run as a login shell, additional |
If the command is being run as a login shell, additional |
| .Pa /etc/login.conf |
.Pa /etc/login.conf |
| settings, such as the umask and environment variables, will |
settings, such as the umask and environment variables, will |
| be applied if present. | be applied, if present. |
| This option is only available on systems with BSD login classes. |
This option is only available on systems with BSD login classes. |
| .It Fl E , -preserve-env |
.It Fl E , -preserve-env |
| Indicates to the security policy that the user wishes to |
Indicates to the security policy that the user wishes to |
|
Line 334 If, for some reason,
|
Line 274 If, for some reason,
|
| is unable to update a file with its edited version, the user will |
is unable to update a file with its edited version, the user will |
| receive a warning and the edited copy will remain in a temporary |
receive a warning and the edited copy will remain in a temporary |
| file. |
file. |
| .It Fl g Ar group , Fl -group Ns No = Ns Ar group | .It Fl g Ar group , Fl -group Ns = Ns Ar group |
| Run the command with the primary group set to |
Run the command with the primary group set to |
| .Ar group |
.Ar group |
| instead of the primary group specified by the target |
instead of the primary group specified by the target |
|
Line 365 user's password database entry.
|
Line 305 user's password database entry.
|
| Depending on the policy, this may be the default behavior. |
Depending on the policy, this may be the default behavior. |
| .It Fl h , -help |
.It Fl h , -help |
| Display a short help message to the standard output and exit. |
Display a short help message to the standard output and exit. |
| .It Fl h Ar host , Fl -host Ns No = Ns Ar host | .It Fl h Ar host , Fl -host Ns = Ns Ar host |
| Run the command on the specified |
Run the command on the specified |
| .Ar host |
.Ar host |
| if the security policy plugin supports remote commands. |
if the security policy plugin supports remote commands. |
|
Line 465 policy will initialize the group vector to the list of
|
Line 405 policy will initialize the group vector to the list of
|
| target user is a member of. |
target user is a member of. |
| The real and effective group IDs, however, are still set to match |
The real and effective group IDs, however, are still set to match |
| the target user. |
the target user. |
| .It Fl p Ar prompt , Fl -prompt Ns No = Ns Ar prompt | .It Fl p Ar prompt , Fl -prompt Ns = Ns Ar prompt |
| Use a custom password prompt with optional escape sequences. |
Use a custom password prompt with optional escape sequences. |
| The following percent |
The following percent |
| .Pq Ql % |
.Pq Ql % |
|
Line 510 support PAM unless the
|
Line 450 support PAM unless the
|
| .Em passprompt_override |
.Em passprompt_override |
| flag is disabled in |
flag is disabled in |
| .Em sudoers . |
.Em sudoers . |
| .It Fl r Ar role , Fl -role Ns No = Ns Ar role | .It Fl r Ar role , Fl -role Ns = Ns Ar role |
| Run the command with an SELinux security context that includes |
Run the command with an SELinux security context that includes |
| the specified |
the specified |
| .Ar role . |
.Ar role . |
|
Line 528 via the shell's
|
Line 468 via the shell's
|
| .Fl c |
.Fl c |
| option. |
option. |
| If no command is specified, an interactive shell is executed. |
If no command is specified, an interactive shell is executed. |
| .It Fl t Ar type , Fl -type Ns No = Ns Ar type | .It Fl t Ar type , Fl -type Ns = Ns Ar type |
| Run the command with an SELinux security context that includes |
Run the command with an SELinux security context that includes |
| the specified |
the specified |
| .Ar type . |
.Ar type . |
| If no |
If no |
| .Ar type |
.Ar type |
| is specified, the default type is derived from the role. |
is specified, the default type is derived from the role. |
| .It Fl U Ar user , Fl -other-user Ns No = Ns Ar user | .It Fl U Ar user , Fl -other-user Ns = Ns Ar user |
| Used in conjunction with the |
Used in conjunction with the |
| .Fl l |
.Fl l |
| option to list the privileges for |
option to list the privileges for |
|
Line 547 The
|
Line 487 The
|
| policy only allows root or a user with the |
policy only allows root or a user with the |
| .Li ALL |
.Li ALL |
| privilege on the current host to use this option. |
privilege on the current host to use this option. |
| .It Fl u Ar user , Fl -user Ns No = Ns Ar user | .It Fl u Ar user , Fl -user Ns = Ns Ar user |
| Run the command as a user other than the default target user |
Run the command as a user other than the default target user |
| (usually |
(usually |
| .Em root ). |
.Em root ). |
|
Line 604 should stop processing command line arguments.
|
Line 544 should stop processing command line arguments.
|
| .Pp |
.Pp |
| Environment variables to be set for the command may also be passed |
Environment variables to be set for the command may also be passed |
| on the command line in the form of |
on the command line in the form of |
| .Sy VAR Ns No = Ns Em value , | .Ar VAR Ns = Ns Ar value , |
| e.g.\& |
e.g.\& |
| .Sy LD_LIBRARY_PATH Ns No = Ns Em /usr/local/pkg/lib . | .Ev LD_LIBRARY_PATH Ns = Ns Pa /usr/local/pkg/lib . |
| Variables passed on the command line are subject to restrictions |
Variables passed on the command line are subject to restrictions |
| imposed by the security policy plugin. |
imposed by the security policy plugin. |
| The |
The |
|
Line 779 run in a new pty,
|
Line 719 run in a new pty,
|
| .Nm sudo |
.Nm sudo |
| may execute the command directly instead of running it as a child process. |
may execute the command directly instead of running it as a child process. |
| .Ss Plugins |
.Ss Plugins |
| Plugins are dynamically loaded based on the contents of the | Plugins may be specified via |
| | .Li Plugin |
| | directives in the |
| .Xr sudo.conf @mansectform@ |
.Xr sudo.conf @mansectform@ |
| file. |
file. |
| |
They may be loaded as dynamic shared objects (on systems that support them), |
| |
or compiled directly into the |
| |
.Nm sudo |
| |
binary. |
| If no |
If no |
| .Xr sudo.conf @mansectform@ |
.Xr sudo.conf @mansectform@ |
| file is present, or it contains no |
file is present, or it contains no |
|
Line 857 If a user runs a command such as
|
Line 803 If a user runs a command such as
|
| or |
or |
| .Li sudo sh , |
.Li sudo sh , |
| subsequent commands run from that shell are not subject to |
subsequent commands run from that shell are not subject to |
| .Nm sudo Ns No 's | .Nm sudo Ns 's |
| security policy. |
security policy. |
| The same is true for commands that offer shell escapes (including |
The same is true for commands that offer shell escapes (including |
| most editors). |
most editors). |
|
Line 1054 if that user is allowed to run arbitrary commands via
|
Line 1000 if that user is allowed to run arbitrary commands via
|
| .Nm sudo . |
.Nm sudo . |
| Also, many programs (such as editors) allow the user to run commands |
Also, many programs (such as editors) allow the user to run commands |
| via shell escapes, thus avoiding |
via shell escapes, thus avoiding |
| .Nm sudo Ns No 's | .Nm sudo Ns 's |
| checks. |
checks. |
| However, on most systems it is possible to prevent shell escapes with the |
However, on most systems it is possible to prevent shell escapes with the |
| .Xr sudoers @mansectform@ |
.Xr sudoers @mansectform@ |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc