|
version 1.1.1.2, 2013/07/22 10:46:12
|
version 1.1.1.3, 2013/10/14 07:56:34
|
|
Line 19
|
Line 19
|
| .\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
| .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
| .\" |
.\" |
| .Dd March 13, 2013 | .Dd August 14, 2013 |
| .Dt SUDO @mansectsu@ |
.Dt SUDO @mansectsu@ |
| .Os Sudo @PACKAGE_VERSION@ |
.Os Sudo @PACKAGE_VERSION@ |
| .Sh NAME |
.Sh NAME |
|
Line 33
|
Line 33
|
| .Fl v |
.Fl v |
| .Op Fl AknS |
.Op Fl AknS |
| .Bk -words |
.Bk -words |
| .Op Fl a Ar auth_type | .Op Fl a Ar type |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl g Ar group name No | Ar #gid | .Op Fl g Ar group |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| |
.Op Fl h Ar host |
| |
.Ek |
| |
.Bk -words |
| .Op Fl p Ar prompt |
.Op Fl p Ar prompt |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl u Ar user name No | Ar #uid | .Op Fl u Ar user |
| .Ek |
.Ek |
| .Nm sudo |
.Nm sudo |
| .Fl l Ns Op Ar l | .Fl l |
| .Op Fl AknS |
.Op Fl AknS |
| .Bk -words |
.Bk -words |
| .Op Fl a Ar auth_type | .Op Fl a Ar type |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl g Ar group name No | Ar #gid | .Op Fl g Ar group |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| |
.Op Fl h Ar host |
| |
.Ek |
| |
.Bk -words |
| .Op Fl p Ar prompt |
.Op Fl p Ar prompt |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl U Ar user name | .Op Fl U Ar user |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl u Ar user name No | Ar #uid | .Op Fl u Ar user |
| .Ek |
.Ek |
| .Op Ar command |
.Op Ar command |
| .Nm sudo |
.Nm sudo |
| .Op Fl AbEHnPS |
.Op Fl AbEHnPS |
| .Bk -words |
.Bk -words |
| .Op Fl a Ar auth_type | .Op Fl a Ar type |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl C Ar fd | .Op Fl C Ar num |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl c Ar class No | Ar - | .Op Fl c Ar class |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl g Ar group name No | Ar #gid | .Op Fl g Ar group |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| |
.Op Fl h Ar host |
| |
.Ek |
| |
.Bk -words |
| .Op Fl p Ar prompt |
.Op Fl p Ar prompt |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
|
Line 87
|
Line 96
|
| .Op Fl t Ar type |
.Op Fl t Ar type |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl u Ar user name No | Ar #uid | .Op Fl u Ar user |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Sy VAR Ns = Ns Ar value |
.Op Sy VAR Ns = Ns Ar value |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Fl i No | Fl s | .Op Fl i No | Fl s |
| .Ek |
.Ek |
| .Op Ar command |
.Op Ar command |
| .Nm sudoedit |
.Nm sudoedit |
| .Op Fl AnS | .Op Fl AknS |
| .Bk -words |
.Bk -words |
| .Op Fl a Ar auth_type | .Op Fl a Ar type |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl C Ar fd | .Op Fl C Ar num |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl c Ar class No | Ar - | .Op Fl c Ar class |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl g Ar group name No | Ar #gid | .Op Fl g Ar group |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| |
.Op Fl h Ar host |
| |
.Ek |
| |
.Bk -words |
| .Op Fl p Ar prompt |
.Op Fl p Ar prompt |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| .Op Fl u Ar user name No | Ar #uid | .Op Fl u Ar user |
| .Ek |
.Ek |
| .Bk -words |
.Bk -words |
| file ... |
file ... |
|
Line 188 output may be logged as well.
|
Line 200 output may be logged as well.
|
| .Pp |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Fl |
.Bl -tag -width Fl |
| .It Fl A | .It Fl A , -askpass |
| Normally, if |
Normally, if |
| .Nm sudo |
.Nm sudo |
| requires a password, it will read it from the user's terminal. |
requires a password, it will read it from the user's terminal. |
|
Line 214 Path askpass /usr/X11R6/bin/ssh-askpass
|
Line 226 Path askpass /usr/X11R6/bin/ssh-askpass
|
| If no askpass program is available, |
If no askpass program is available, |
| .Nm sudo |
.Nm sudo |
| will exit with an error. |
will exit with an error. |
| .It Fl a Ar type | .It Fl a Ar type , Fl -auth-type Ns No = Ns Ar type |
| The | Use the specified BSD authentication |
| .Fl a No ( Em "authentication type" Ns No ) | .Ar type |
| option causes | when validating the user, if allowed by |
| .Nm sudo | |
| to use the specified authentication type when validating the user, | |
| as allowed by | |
| .Pa /etc/login.conf . |
.Pa /etc/login.conf . |
| The system administrator may specify a list of sudo-specific |
The system administrator may specify a list of sudo-specific |
| authentication methods by adding an |
authentication methods by adding an |
|
Line 228 authentication methods by adding an
|
Line 237 authentication methods by adding an
|
| entry in |
entry in |
| .Pa /etc/login.conf . |
.Pa /etc/login.conf . |
| This option is only available on systems that support BSD authentication. |
This option is only available on systems that support BSD authentication. |
| .It Fl b | .It Fl b , -background |
| The | Run the given command in the background. |
| .Fl b No ( Em background Ns No ) | Note that it is not possible to use shell job control to manipulate |
| option tells | background processes started by |
| .Nm sudo | .Nm sudo . |
| to run the given command in the background. | |
| Note that if you use the | |
| .Fl b | |
| option you cannot use shell job control to manipulate the process. | |
| Most interactive commands will fail to work properly in background |
Most interactive commands will fail to work properly in background |
| mode. |
mode. |
| .It Fl C Ar fd | .It Fl C Ar num , Fl -close-from Ns No = Ns Ar num |
| Normally, | Close all file descriptors greater than or equal to |
| | .Ar num |
| | before executing a command. |
| | Values less than three are not permitted. |
| | By default, |
| .Nm sudo |
.Nm sudo |
| will close all open file descriptors other than standard input, |
will close all open file descriptors other than standard input, |
| standard output and standard error. | standard output and standard error when executing a command. |
| | The security policy may restrict the user's ability to use this option. |
| The |
The |
| .Fl C No ( Em close from Ns No ) |
|
| option allows the user to specify a starting point above the standard |
|
| error (file descriptor three). |
|
| Values less than three are not permitted. |
|
| The security policy may restrict the user's ability to use the |
|
| .Fl C |
|
| option. |
|
| The |
|
| .Em sudoers |
.Em sudoers |
| policy only permits use of the |
policy only permits use of the |
| .Fl C |
.Fl C |
| option when the administrator has enabled the |
option when the administrator has enabled the |
| .Em closefrom_override |
.Em closefrom_override |
| option. |
option. |
| .It Fl c Ar class | .It Fl c Ar class , Fl -login-class Ns No = Ns Ar class |
| | Run the command with resource limits and scheduling priority of |
| | the specified login |
| | .Ar class . |
| The |
The |
| .Fl c No ( Em class Ns No ) | .Ar class |
| option causes | |
| .Nm sudo | |
| to run the specified command with resources limited by the specified | |
| login class. | |
| The | |
| .Em class | |
| argument can be either a class name as defined in |
argument can be either a class name as defined in |
| .Pa /etc/login.conf , |
.Pa /etc/login.conf , |
| or a single |
or a single |
| .Ql \- |
.Ql \- |
| character. |
character. |
| Specifying a | If |
| .Ar class |
.Ar class |
| of | is |
| .Li - | .Li - , |
| indicates that the command should be run restricted by the default | the default login class of the target user will be used. |
| login capabilities for the user the command is run as. | Otherwise, the command must be run as root, or |
| If the | |
| .Ar class | |
| argument specifies an existing user class, the command must be run | |
| as root, or the | |
| .Nm sudo |
.Nm sudo |
| command must be run from a shell that is already root. | must be run from a shell that is already root. |
| | If the command is being run as a login shell, additional |
| | .Pa /etc/login.conf |
| | settings, such as the umask and environment variables, will |
| | be applied if present. |
| This option is only available on systems with BSD login classes. |
This option is only available on systems with BSD login classes. |
| .It Fl E | .It Fl E , -preserve-env |
| The | Indicates to the security policy that the user wishes to |
| .Fl E No ( Em preserve environment Ns No ) | |
| option indicates to the security policy that the user wishes to | |
| preserve their existing environment variables. |
preserve their existing environment variables. |
| The security policy may return an error if the | The security policy may return an error if the user does not have |
| .Fl E | permission to preserve the environment. |
| option is specified and the user does not have permission to preserve | .It Fl e , -edit |
| the environment. | Edit one or more files instead of running a command. |
| .It Fl e | In lieu of a path name, the string "sudoedit" is used when consulting |
| The | |
| .Fl e No ( Em edit Ns No ) | |
| option indicates that, instead of running a command, the user wishes | |
| to edit one or more files. | |
| In lieu of a command, the string "sudoedit" is used when consulting | |
| the security policy. |
the security policy. |
| If the user is authorized by the policy, the following steps are |
If the user is authorized by the policy, the following steps are |
| taken: |
taken: |
|
Line 342 If, for some reason,
|
Line 334 If, for some reason,
|
| is unable to update a file with its edited version, the user will |
is unable to update a file with its edited version, the user will |
| receive a warning and the edited copy will remain in a temporary |
receive a warning and the edited copy will remain in a temporary |
| file. |
file. |
| .It Fl g Ar group | .It Fl g Ar group , Fl -group Ns No = Ns Ar group |
| Normally, | Run the command with the primary group set to |
| .Nm sudo | .Ar group |
| runs a command with the primary group set to the one specified by | instead of the primary group specified by the target |
| the password database for the user the command is being run as (by | user's password database entry. |
| default, root). | |
| The |
The |
| .Fl g No ( Em group Ns No ) |
|
| option causes |
|
| .Nm sudo |
|
| to run the command with the primary group set to |
|
| .Ar group |
.Ar group |
| instead. | may be either a group name or a numeric group ID |
| To specify a | .Pq GID |
| .Em gid | prefixed with the |
| instead of a | |
| .Em "group name" , | |
| use | |
| .Em #gid . | |
| When running commands as a | |
| .Em gid , | |
| many shells require that the | |
| .Ql # |
.Ql # |
| |
character (e.g. |
| |
.Li #0 |
| |
for GID 0). |
| |
When running a command as a GID, many shells require that the |
| |
.Ql # |
| be escaped with a backslash |
be escaped with a backslash |
| .Pq Ql \e . |
.Pq Ql \e . |
| If no |
If no |
| .Fl u |
.Fl u |
| option is specified, the command will be run as the invoking user | option is specified, the command will be run as the invoking user. |
| (not root). | |
| In either case, the primary group will be set to |
In either case, the primary group will be set to |
| .Em group . | .Ar group . |
| .It Fl H | .It Fl H , -set-home |
| The | Request that the security policy set the |
| .Fl H No ( Em HOME Ns No ) | |
| option requests that the security policy set the | |
| .Ev HOME |
.Ev HOME |
| environment variable to the home directory of the target user (root | environment variable to the home directory specified by the target |
| by default) as specified by the password database. | user's password database entry. |
| Depending on the policy, this may be the default behavior. |
Depending on the policy, this may be the default behavior. |
| .It Fl h | .It Fl h , -help |
| The | Display a short help message to the standard output and exit. |
| .Fl h No ( Em help Ns No ) | .It Fl h Ar host , Fl -host Ns No = Ns Ar host |
| option causes | Run the command on the specified |
| .Nm sudo | .Ar host |
| to print a short help message to the standard output and exit. | if the security policy plugin supports remote commands. |
| .It Fl i Op Ar command | Note that the |
| The | .Em sudoers |
| .Fl i No ( Em simulate initial login Ns No ) | plugin does not currently support running remote commands. |
| option runs the shell specified by the password database entry of | This may also be used in conjunction with the |
| the target user as a login shell. | .Fl l |
| | option to list a user's privileges for the remote host. |
| | .It Fl i , -login |
| | Run the shell specified by the target user's password database entry |
| | as a login shell. |
| This means that login-specific resource files such as |
This means that login-specific resource files such as |
| .Pa .profile |
.Pa .profile |
| or |
or |
|
Line 405 If no command is specified, an interactive shell is ex
|
Line 391 If no command is specified, an interactive shell is ex
|
| .Nm sudo |
.Nm sudo |
| attempts to change to that user's home directory before running the |
attempts to change to that user's home directory before running the |
| shell. |
shell. |
| The security policy shall initialize the environment to a minimal | The command is run with an environment similar to the one |
| set of variables, similar to what is present when a user logs in. | a user would receive at log in. |
| The |
The |
| .Em Command Environment |
.Em Command Environment |
| section in the |
section in the |
|
Line 416 manual documents how the
|
Line 402 manual documents how the
|
| option affects the environment in which a command is run when the |
option affects the environment in which a command is run when the |
| .Em sudoers |
.Em sudoers |
| policy is in use. |
policy is in use. |
| .It Fl K | .It Fl K , -remove-timestamp |
| The | Similar to the |
| .Fl K No ( sure Em kill Ns No ) | |
| option is like | |
| .Fl k |
.Fl k |
| except that it removes the user's cached credentials entirely and | option, except that it removes the user's cached credentials entirely |
| may not be used in conjunction with a command or other option. | and may not be used in conjunction with a command or other option. |
| This option does not require a password. |
This option does not require a password. |
| Not all security policies support credential caching. |
Not all security policies support credential caching. |
| .It Fl k Op Ar command | .It Fl k , -reset-timestamp |
| When used alone, the | When used without a command, invalidates the user's cached credentials. |
| .Fl k No ( Em kill Ns No ) | In other words, the next time |
| option to | |
| .Nm sudo |
.Nm sudo |
| invalidates the user's cached credentials. |
|
| The next time |
|
| .Nm sudo |
|
| is run a password will be required. |
is run a password will be required. |
| This option does not require a password and was added to allow a |
This option does not require a password and was added to allow a |
| user to revoke |
user to revoke |
|
Line 440 user to revoke
|
Line 420 user to revoke
|
| permissions from a |
permissions from a |
| .Pa .logout |
.Pa .logout |
| file. |
file. |
| Not all security policies support credential caching. |
|
| .Pp |
.Pp |
| When used in conjunction with a command or an option that may require |
When used in conjunction with a command or an option that may require |
| a password, the | a password, this option will cause |
| .Fl k | |
| option will cause | |
| .Nm sudo |
.Nm sudo |
| to ignore the user's cached credentials. |
to ignore the user's cached credentials. |
| As a result, |
As a result, |
| .Nm sudo |
.Nm sudo |
| will prompt for a password (if one is required by the security |
will prompt for a password (if one is required by the security |
| policy) and will not update the user's cached credentials. |
policy) and will not update the user's cached credentials. |
| .It Fl l Ns Oo Sy l Oc Op Ar command | .Pp |
| | Not all security policies support credential caching. |
| | .It Fl l , Fl -list |
| If no |
If no |
| .Ar command |
.Ar command |
| is specified, the | is specified, |
| .Fl l No ( Em list Ns No ) | list the allowed (and forbidden) commands for the |
| option will list the allowed (and forbidden) commands for the | |
| invoking user (or the user specified by the |
invoking user (or the user specified by the |
| .Fl U |
.Fl U |
| option) on the current host. |
option) on the current host. |
| |
A longer list format is used if this option is specified multiple times |
| |
and the security policy supports a verbose output format. |
| |
.Pp |
| If a |
If a |
| .Ar command |
.Ar command |
| is specified and is permitted by the security policy, the fully-qualified |
is specified and is permitted by the security policy, the fully-qualified |
|
Line 471 If
|
Line 452 If
|
| is specified but not allowed, |
is specified but not allowed, |
| .Nm sudo |
.Nm sudo |
| will exit with a status value of 1. |
will exit with a status value of 1. |
| If the | .It Fl n , -non-interactive |
| .Fl l | Avoid prompting the user for input of any kind. |
| option is specified with an | |
| .Ar l | |
| argument | |
| .Pq i.e.\& Fl ll , | |
| or if | |
| .Fl l | |
| is specified multiple times, a longer list format is used. | |
| .It Fl n | |
| The | |
| .Fl n No ( Em non-interactive Ns No ) | |
| option prevents | |
| .Nm sudo | |
| from prompting the user for a password. | |
| If a password is required for the command to run, |
If a password is required for the command to run, |
| .Nm sudo |
.Nm sudo |
| will display an error message and exit. |
will display an error message and exit. |
| .It Fl P | .It Fl P , -preserve-groups |
| The | Preserve the invoking user's group vector unaltered. |
| .Fl P No ( Em preserve group vector Ns No ) | |
| option causes | |
| .Nm sudo | |
| to preserve the invoking user's group vector unaltered. | |
| By default, the |
By default, the |
| .Em sudoers |
.Em sudoers |
| policy will initialize the group vector to the list of groups the |
policy will initialize the group vector to the list of groups the |
| target user is in. | target user is a member of. |
| The real and effective group IDs, however, are still set to match |
The real and effective group IDs, however, are still set to match |
| the target user. |
the target user. |
| .It Fl p Ar prompt | .It Fl p Ar prompt , Fl -prompt Ns No = Ns Ar prompt |
| The | Use a custom password prompt with optional escape sequences. |
| .Fl p No ( Em prompt Ns No ) | |
| option allows you to override the default password prompt and use | |
| a custom one. | |
| The following percent |
The following percent |
| .Pq Ql % |
.Pq Ql % |
| escapes are supported by the | escape sequences are supported by the |
| .Em sudoers |
.Em sudoers |
| policy: |
policy: |
| .Bl -tag -width 2n |
.Bl -tag -width 2n |
|
Line 544 characters are collapsed into a single
|
Line 505 characters are collapsed into a single
|
| character |
character |
| .El |
.El |
| .Pp |
.Pp |
| The prompt specified by the | The custom prompt will override the system password prompt on systems that |
| .Fl p | |
| option will override the system password prompt on systems that | |
| support PAM unless the |
support PAM unless the |
| .Em passprompt_override |
.Em passprompt_override |
| flag is disabled in |
flag is disabled in |
| .Em sudoers . |
.Em sudoers . |
| .It Fl r Ar role | .It Fl r Ar role , Fl -role Ns No = Ns Ar role |
| The | Run the command with an SELinux security context that includes |
| .Fl r No ( Em role Ns No ) | the specified |
| option causes the new (SELinux) security context to have the role | |
| specified by | |
| .Ar role . |
.Ar role . |
| .It Fl S | .It Fl S , -stdin |
| The | Write the prompt to the standard error and read the password from the |
| .Fl S ( Em stdin Ns No ) | standard input instead of using the terminal device. |
| option causes | |
| .Nm sudo | |
| to read the password from the standard input instead of the terminal | |
| device. | |
| The password must be followed by a newline character. |
The password must be followed by a newline character. |
| .It Fl s Op Ar command | .It Fl s , -shell |
| The | Run the shell specified by the |
| .Fl s ( Em shell Ns No ) | |
| option runs the shell specified by the | |
| .Ev SHELL |
.Ev SHELL |
| environment variable if it is set or the shell as specified in the | environment variable if it is set or the shell specified by the |
| password database. | invoking user's password database entry. |
| If a command is specified, it is passed to the shell for execution |
If a command is specified, it is passed to the shell for execution |
| via the shell's |
via the shell's |
| .Fl c |
.Fl c |
| option. |
option. |
| If no command is specified, an interactive shell is executed. |
If no command is specified, an interactive shell is executed. |
| .It Fl t Ar type | .It Fl t Ar type , Fl -type Ns No = Ns Ar type |
| The | Run the command with an SELinux security context that includes |
| .Fl t ( Em type Ns No ) | the specified |
| option causes the new (SELinux) security context to have the type | |
| specified by | |
| .Ar type . |
.Ar type . |
| If no type is specified, the default type is derived from the | If no |
| specified role. | .Ar type |
| .It Fl U Ar user | is specified, the default type is derived from the role. |
| The | .It Fl U Ar user , Fl -other-user Ns No = Ns Ar user |
| .Fl U ( Em other user Ns No ) | Used in conjunction with the |
| option is used in conjunction with the | |
| .Fl l |
.Fl l |
| option to specify the user whose privileges should be listed. | option to list the privileges for |
| | .Ar user |
| | instead of for the invoking user. |
| The security policy may restrict listing other users' privileges. |
The security policy may restrict listing other users' privileges. |
| The |
The |
| .Em sudoers |
.Em sudoers |
| policy only allows root or a user with the |
policy only allows root or a user with the |
| .Li ALL |
.Li ALL |
| privilege on the current host to use this option. |
privilege on the current host to use this option. |
| .It Fl u Ar user | .It Fl u Ar user , Fl -user Ns No = Ns Ar user |
| | Run the command as a user other than the default target user |
| | (usually |
| | .Em root ). |
| The |
The |
| .Fl u ( Em user Ns No ) | .Ar user |
| option causes | may be either a user name or a numeric user ID |
| .Nm sudo | .Pq UID |
| to run the specified command as a user other than | prefixed with the |
| .Em root . | |
| To specify a | |
| .Em uid | |
| instead of a | |
| .Em user name , | |
| .Em #uid . | |
| When running commands as a | |
| .Em uid , | |
| many shells require that the | |
| .Ql # |
.Ql # |
| |
character (e.g. |
| |
.Li #0 |
| |
for UID 0). |
| |
When running commands as a UID, many shells require that the |
| |
.Ql # |
| be escaped with a backslash |
be escaped with a backslash |
| .Pq Ql \e . |
.Pq Ql \e . |
| Security policies may restrict | Some security policies may restrict UIDs |
| .Em uid Ns No s | |
| to those listed in the password database. |
to those listed in the password database. |
| The |
The |
| .Em sudoers |
.Em sudoers |
| policy allows | policy allows UIDs that are not in the password database as long as the |
| .Em uid Ns No s | |
| that are not in the password database as long as the | |
| .Em targetpw |
.Em targetpw |
| option is not set. |
option is not set. |
| Other security policies may not support this. |
Other security policies may not support this. |
| .It Fl V | .It Fl V , -version |
| The | Print the |
| .Fl V ( Em version Ns No ) | |
| option causes | |
| .Nm sudo |
.Nm sudo |
| to print its version string and the version string of the security | version string as well as the version string of the security |
| policy plugin and any I/O plugins. |
policy plugin and any I/O plugins. |
| If the invoking user is already root the |
If the invoking user is already root the |
| .Fl V |
.Fl V |
|
Line 639 option will display the arguments passed to configure
|
Line 583 option will display the arguments passed to configure
|
| .Nm sudo |
.Nm sudo |
| was built and plugins may display more verbose information such as |
was built and plugins may display more verbose information such as |
| default options. |
default options. |
| .It Fl v | .It Fl v , -validate |
| When given the | Update the user's cached credentials, authenticating the user |
| .Fl v ( Em validate Ns No ) | if necessary. |
| option, | |
| .Nm sudo | |
| will update the user's cached credentials, authenticating the user's | |
| password if necessary. | |
| For the |
For the |
| .Em sudoers |
.Em sudoers |
| plugin, this extends the |
plugin, this extends the |
| .Nm sudo |
.Nm sudo |
| timeout for another |
timeout for another |
| .Li @timeout@ |
.Li @timeout@ |
| minutes (or whatever the timeout is set to by the security policy) | minutes by default, but does not run a command. |
| but does not run a command. | |
| Not all security policies support cached credentials. |
Not all security policies support cached credentials. |
| .It Fl - |
.It Fl - |
| The |
The |
|
Line 668 on the command line in the form of
|
Line 607 on the command line in the form of
|
| .Sy VAR Ns No = Ns Em value , |
.Sy VAR Ns No = Ns Em value , |
| e.g.\& |
e.g.\& |
| .Sy LD_LIBRARY_PATH Ns No = Ns Em /usr/local/pkg/lib . |
.Sy LD_LIBRARY_PATH Ns No = Ns Em /usr/local/pkg/lib . |
| Variables passed on the command line are subject to the same | Variables passed on the command line are subject to restrictions |
| | imposed by the security policy plugin. |
| | The |
| | .Em sudoers |
| | policy subjects variables passed on the command line to the same |
| restrictions as normal environment variables with one important |
restrictions as normal environment variables with one important |
| exception. |
exception. |
| If the |
If the |
|
Line 688 When
|
Line 631 When
|
| .Nm sudo |
.Nm sudo |
| executes a command, the security policy specifies the execution |
executes a command, the security policy specifies the execution |
| environment for the command. |
environment for the command. |
| Typically, the real and effective uid and gid are set to | Typically, the real and effective user and group and IDs are set to |
| match those of the target user, as specified in the password database, |
match those of the target user, as specified in the password database, |
| and the group vector is initialized based on the group database |
and the group vector is initialized based on the group database |
| (unless the |
(unless the |
|
Line 750 function and no pty is required,
|
Line 693 function and no pty is required,
|
| will execute the command directly instead of calling |
will execute the command directly instead of calling |
| .Xr fork 2 |
.Xr fork 2 |
| first. |
first. |
| |
The |
| |
.Em sudoers |
| |
policy plugin will only define a close function when I/O logging |
| |
is enabled, a pty is required, or the |
| |
.Em pam_session |
| |
or |
| |
.Em pam_setcred |
| |
options are enabled. |
| |
Note that |
| |
.Em pam_session |
| |
and |
| |
.Em pam_setcred |
| |
are enabled by default on systems using PAM. |
| .Ss Signal handling |
.Ss Signal handling |
| Because the command is run as a child of the | When the command is run as a child of the |
| .Nm sudo |
.Nm sudo |
| process, |
process, |
| .Nm sudo |
.Nm sudo |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc