version 1.1.1.3, 2013/10/14 07:56:34
|
version 1.1.1.4, 2014/06/15 16:12:54
|
Line 1
|
Line 1
|
.\" |
.\" |
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013 | .\" Copyright (c) 1994-1996, 1998-2005, 2007-2014 |
.\" Todd C. Miller <Todd.Miller@courtesan.com> |
.\" Todd C. Miller <Todd.Miller@courtesan.com> |
.\" |
.\" |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
Line 19
|
Line 19
|
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
.\" |
.\" |
.Dd August 14, 2013 | .Dd February 15, 2014 |
.Dt SUDO @mansectsu@ |
.Dt SUDO @mansectsu@ |
.Os Sudo @PACKAGE_VERSION@ |
.Os Sudo @PACKAGE_VERSION@ |
.Sh NAME |
.Sh NAME |
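Review bot: the `.Dd` bump to February 15, 2014 in this hunk is four months older than the 2014/06/15 timestamp shown for version 1.1.1.4 at the top of the page; that is fine if `.Dd` is meant to track the upstream sudo release date rather than this import, otherwise bump it so `man` reports when the text last changed.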
Line 28
|
Line 28
|
.Nd execute a command as another user |
.Nd execute a command as another user |
.Sh SYNOPSIS |
.Sh SYNOPSIS |
.Nm sudo |
.Nm sudo |
.Fl h No | Fl K No | Fl k No | Fl V | .Fl h | K | k | V |
.Nm sudo |
.Nm sudo |
.Fl v |
.Fl v |
.Op Fl AknS |
.Op Fl AknS |
.Bk -words |
|
.Op Fl a Ar type |
.Op Fl a Ar type |
.Ek |
|
.Bk -words |
|
.Op Fl g Ar group |
.Op Fl g Ar group |
.Ek |
|
.Bk -words |
|
.Op Fl h Ar host |
.Op Fl h Ar host |
.Ek |
|
.Bk -words |
|
.Op Fl p Ar prompt |
.Op Fl p Ar prompt |
.Ek |
|
.Bk -words |
|
.Op Fl u Ar user |
.Op Fl u Ar user |
.Ek |
|
.Nm sudo |
.Nm sudo |
.Fl l |
.Fl l |
.Op Fl AknS |
.Op Fl AknS |
.Bk -words |
|
.Op Fl a Ar type |
.Op Fl a Ar type |
.Ek |
|
.Bk -words |
|
.Op Fl g Ar group |
.Op Fl g Ar group |
.Ek |
|
.Bk -words |
|
.Op Fl h Ar host |
.Op Fl h Ar host |
.Ek |
|
.Bk -words |
|
.Op Fl p Ar prompt |
.Op Fl p Ar prompt |
.Ek |
|
.Bk -words |
|
.Op Fl U Ar user |
.Op Fl U Ar user |
.Ek |
|
.Bk -words |
|
.Op Fl u Ar user |
.Op Fl u Ar user |
.Ek |
|
.Op Ar command |
.Op Ar command |
.Nm sudo |
.Nm sudo |
.Op Fl AbEHnPS |
.Op Fl AbEHnPS |
.Bk -words |
|
.Op Fl a Ar type |
.Op Fl a Ar type |
.Ek |
|
.Bk -words |
|
.Op Fl C Ar num |
.Op Fl C Ar num |
.Ek |
|
.Bk -words |
|
.Op Fl c Ar class |
.Op Fl c Ar class |
.Ek |
|
.Bk -words |
|
.Op Fl g Ar group |
.Op Fl g Ar group |
.Ek |
|
.Bk -words |
|
.Op Fl h Ar host |
.Op Fl h Ar host |
.Ek |
|
.Bk -words |
|
.Op Fl p Ar prompt |
.Op Fl p Ar prompt |
.Ek |
|
.Bk -words |
|
.Op Fl r Ar role |
.Op Fl r Ar role |
.Ek |
|
.Bk -words |
|
.Op Fl t Ar type |
.Op Fl t Ar type |
.Ek |
|
.Bk -words |
|
.Op Fl u Ar user |
.Op Fl u Ar user |
.Ek | .Op Ar VAR Ns = Ns Ar value |
.Bk -words | .Op Fl i | s |
.Op Sy VAR Ns = Ns Ar value | |
.Ek | |
.Bk -words | |
.Op Fl i No | Fl s | |
.Ek | |
.Op Ar command |
.Op Ar command |
.Nm sudoedit |
.Nm sudoedit |
.Op Fl AknS |
.Op Fl AknS |
.Bk -words |
|
.Op Fl a Ar type |
.Op Fl a Ar type |
.Ek |
|
.Bk -words |
|
.Op Fl C Ar num |
.Op Fl C Ar num |
.Ek |
|
.Bk -words |
|
.Op Fl c Ar class |
.Op Fl c Ar class |
.Ek |
|
.Bk -words |
|
.Op Fl g Ar group |
.Op Fl g Ar group |
.Ek |
|
.Bk -words |
|
.Op Fl h Ar host |
.Op Fl h Ar host |
.Ek |
|
.Bk -words |
|
.Op Fl p Ar prompt |
.Op Fl p Ar prompt |
.Ek |
|
.Bk -words |
|
.Op Fl u Ar user |
.Op Fl u Ar user |
.Ek | .Ar |
.Bk -words | |
file ... | |
.Ek | |
.Sh DESCRIPTION |
.Sh DESCRIPTION |
.Nm sudo |
.Nm sudo |
allows a permitted user to execute a |
allows a permitted user to execute a |
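Review bot: every `.Bk -words`/`.Ek` keep around the `.Op Fl x Ar y` groups is removed from the new column of this SYNOPSIS hunk, so the formatter is now free to break a line between an option and its argument (for example between `-a` and `type`); check the rendered output with both groff and mandoc at a narrow terminal width before merging. The delimiter simplifications are correct: `|` is a middle delimiter in mdoc, so `.Fl h | K | k | V` and `.Fl i | s` render exactly as the old `No |` forms did. At the end of the sudoedit synopsis the new column has a bare `.Ar` where the old column had `.Bk -words` / `file ...` / `.Ek`; that relies on mdoc printing `file ...` by default for an argumentless `.Ar`, which is valid but deserves a source comment because it reads like a dropped operand.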
Line 205 Normally, if
|
Line 145 Normally, if
|
.Nm sudo |
.Nm sudo |
requires a password, it will read it from the user's terminal. |
requires a password, it will read it from the user's terminal. |
If the |
If the |
.Fl A No ( Em askpass Ns No ) | .Fl A Pq Em askpass |
option is specified, a (possibly graphical) helper program is |
option is specified, a (possibly graphical) helper program is |
executed to read the user's password and output the password to the |
executed to read the user's password and output the password to the |
standard output. |
standard output. |
Line 226 Path askpass /usr/X11R6/bin/ssh-askpass
|
Line 166 Path askpass /usr/X11R6/bin/ssh-askpass
|
If no askpass program is available, |
If no askpass program is available, |
.Nm sudo |
.Nm sudo |
will exit with an error. |
will exit with an error. |
.It Fl a Ar type , Fl -auth-type Ns No = Ns Ar type | .It Fl a Ar type , Fl -auth-type Ns = Ns Ar type |
Use the specified BSD authentication |
Use the specified BSD authentication |
.Ar type |
.Ar type |
when validating the user, if allowed by |
when validating the user, if allowed by |
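Review bot: dropping `No` from `Fl -auth-type Ns No = Ns Ar type` to give `Fl -auth-type Ns = Ns Ar type` is correct, since `=` is ordinary text and needs no macro suppression; the identical change recurs in the `-C`, `-c`, `-g`, `-h`, `-p`, `-r`, `-t`, `-U` and `-u` entries further down and is applied consistently in each of them, so those hunks need no separate comment.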
Line 244 background processes started by
|
Line 184 background processes started by
|
.Nm sudo . |
.Nm sudo . |
Most interactive commands will fail to work properly in background |
Most interactive commands will fail to work properly in background |
mode. |
mode. |
.It Fl C Ar num , Fl -close-from Ns No = Ns Ar num | .It Fl C Ar num , Fl -close-from Ns = Ns Ar num |
Close all file descriptors greater than or equal to |
Close all file descriptors greater than or equal to |
.Ar num |
.Ar num |
before executing a command. |
before executing a command. |
Line 261 policy only permits use of the
|
Line 201 policy only permits use of the
|
option when the administrator has enabled the |
option when the administrator has enabled the |
.Em closefrom_override |
.Em closefrom_override |
option. |
option. |
.It Fl c Ar class , Fl -login-class Ns No = Ns Ar class | .It Fl c Ar class , Fl -login-class Ns = Ns Ar class |
Run the command with resource limits and scheduling priority of |
Run the command with resource limits and scheduling priority of |
the specified login |
the specified login |
.Ar class . |
.Ar class . |
Line 275 character.
|
Line 215 character.
|
If |
If |
.Ar class |
.Ar class |
is |
is |
.Li - , | .Cm - , |
the default login class of the target user will be used. |
the default login class of the target user will be used. |
Otherwise, the command must be run as root, or | Otherwise, the command must be run as the superuser (user ID 0), or |
.Nm sudo |
.Nm sudo |
must be run from a shell that is already root. | must be run from a shell that is already running as the superuser. |
If the command is being run as a login shell, additional |
If the command is being run as a login shell, additional |
.Pa /etc/login.conf |
.Pa /etc/login.conf |
settings, such as the umask and environment variables, will |
settings, such as the umask and environment variables, will |
be applied if present. | be applied, if present. |
This option is only available on systems with BSD login classes. |
This option is only available on systems with BSD login classes. |
.It Fl E , -preserve-env |
.It Fl E , -preserve-env |
Indicates to the security policy that the user wishes to |
Indicates to the security policy that the user wishes to |
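Review bot: replacing "must be run as root" with "must be run as the superuser (user ID 0)" in the `-c` entry is the right clarification, because the restriction the text describes is on the numeric user ID rather than on the account name `root`; the old wording could be read as excluding a uid-0 account with a different name. `.Cm -` for the literal `-` class is also more accurate than `.Li -`, since it is a modifier the user types on the command line. The added comma in "be applied, if present" is a matter of taste; keep whichever form the rest of the page uses.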
Line 334 If, for some reason,
|
Line 274 If, for some reason,
|
is unable to update a file with its edited version, the user will |
is unable to update a file with its edited version, the user will |
receive a warning and the edited copy will remain in a temporary |
receive a warning and the edited copy will remain in a temporary |
file. |
file. |
.It Fl g Ar group , Fl -group Ns No = Ns Ar group | .It Fl g Ar group , Fl -group Ns = Ns Ar group |
Run the command with the primary group set to |
Run the command with the primary group set to |
.Ar group |
.Ar group |
instead of the primary group specified by the target |
instead of the primary group specified by the target |
Line 365 user's password database entry.
|
Line 305 user's password database entry.
|
Depending on the policy, this may be the default behavior. |
Depending on the policy, this may be the default behavior. |
.It Fl h , -help |
.It Fl h , -help |
Display a short help message to the standard output and exit. |
Display a short help message to the standard output and exit. |
.It Fl h Ar host , Fl -host Ns No = Ns Ar host | .It Fl h Ar host , Fl -host Ns = Ns Ar host |
Run the command on the specified |
Run the command on the specified |
.Ar host |
.Ar host |
if the security policy plugin supports remote commands. |
if the security policy plugin supports remote commands. |
Line 465 policy will initialize the group vector to the list of
|
Line 405 policy will initialize the group vector to the list of
|
target user is a member of. |
target user is a member of. |
The real and effective group IDs, however, are still set to match |
The real and effective group IDs, however, are still set to match |
the target user. |
the target user. |
.It Fl p Ar prompt , Fl -prompt Ns No = Ns Ar prompt | .It Fl p Ar prompt , Fl -prompt Ns = Ns Ar prompt |
Use a custom password prompt with optional escape sequences. |
Use a custom password prompt with optional escape sequences. |
The following percent |
The following percent |
.Pq Ql % |
.Pq Ql % |
Line 510 support PAM unless the
|
Line 450 support PAM unless the
|
.Em passprompt_override |
.Em passprompt_override |
flag is disabled in |
flag is disabled in |
.Em sudoers . |
.Em sudoers . |
.It Fl r Ar role , Fl -role Ns No = Ns Ar role | .It Fl r Ar role , Fl -role Ns = Ns Ar role |
Run the command with an SELinux security context that includes |
Run the command with an SELinux security context that includes |
the specified |
the specified |
.Ar role . |
.Ar role . |
Line 528 via the shell's
|
Line 468 via the shell's
|
.Fl c |
.Fl c |
option. |
option. |
If no command is specified, an interactive shell is executed. |
If no command is specified, an interactive shell is executed. |
.It Fl t Ar type , Fl -type Ns No = Ns Ar type | .It Fl t Ar type , Fl -type Ns = Ns Ar type |
Run the command with an SELinux security context that includes |
Run the command with an SELinux security context that includes |
the specified |
the specified |
.Ar type . |
.Ar type . |
If no |
If no |
.Ar type |
.Ar type |
is specified, the default type is derived from the role. |
is specified, the default type is derived from the role. |
.It Fl U Ar user , Fl -other-user Ns No = Ns Ar user | .It Fl U Ar user , Fl -other-user Ns = Ns Ar user |
Used in conjunction with the |
Used in conjunction with the |
.Fl l |
.Fl l |
option to list the privileges for |
option to list the privileges for |
Line 547 The
|
Line 487 The
|
policy only allows root or a user with the |
policy only allows root or a user with the |
.Li ALL |
.Li ALL |
privilege on the current host to use this option. |
privilege on the current host to use this option. |
.It Fl u Ar user , Fl -user Ns No = Ns Ar user | .It Fl u Ar user , Fl -user Ns = Ns Ar user |
Run the command as a user other than the default target user |
Run the command as a user other than the default target user |
(usually |
(usually |
.Em root ). |
.Em root ). |
Line 604 should stop processing command line arguments.
|
Line 544 should stop processing command line arguments.
|
.Pp |
.Pp |
Environment variables to be set for the command may also be passed |
Environment variables to be set for the command may also be passed |
on the command line in the form of |
on the command line in the form of |
.Sy VAR Ns No = Ns Em value , | .Ar VAR Ns = Ns Ar value , |
e.g.\& |
e.g.\& |
.Sy LD_LIBRARY_PATH Ns No = Ns Em /usr/local/pkg/lib . | .Ev LD_LIBRARY_PATH Ns = Ns Pa /usr/local/pkg/lib . |
Variables passed on the command line are subject to restrictions |
Variables passed on the command line are subject to restrictions |
imposed by the security policy plugin. |
imposed by the security policy plugin. |
The |
The |
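Review bot: rewriting the `VAR=value` form as `.Ar VAR Ns = Ns Ar value` and the example as `.Ev LD_LIBRARY_PATH Ns = Ns Pa /usr/local/pkg/lib` uses the semantic macros (`Ev` for an environment variable, `Pa` for a path) instead of the purely typographic `Sy`/`Em`, which is what mdoc style guides ask for and what converters to other formats rely on. Since the chosen example is LD_LIBRARY_PATH, the sentence "Variables passed on the command line are subject to restrictions imposed by the security policy plugin" would be more useful with an `.Xr sudoers` cross-reference at that point, so readers see where those restrictions are configured rather than assuming any variable can be set this way.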
Line 779 run in a new pty,
|
Line 719 run in a new pty,
|
.Nm sudo |
.Nm sudo |
may execute the command directly instead of running it as a child process. |
may execute the command directly instead of running it as a child process. |
.Ss Plugins |
.Ss Plugins |
Plugins are dynamically loaded based on the contents of the | Plugins may be specified via |
| .Li Plugin |
| directives in the |
.Xr sudo.conf @mansectform@ |
.Xr sudo.conf @mansectform@ |
file. |
file. |
|
They may be loaded as dynamic shared objects (on systems that support them), |
|
or compiled directly into the |
|
.Nm sudo |
|
binary. |
If no |
If no |
.Xr sudo.conf @mansectform@ |
.Xr sudo.conf @mansectform@ |
file is present, or it contains no |
file is present, or it contains no |
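Review bot: the rewritten Plugins paragraph marks the sudo.conf directive as `.Li Plugin`, while this same diff moves the literal `-` login class from `.Li` to `.Cm`; use `.Cm Plugin` (or `.Ic Plugin`) for the keyword so the two conventions agree. The added sentence that plugins may be "compiled directly into the sudo binary" is a useful disclosure for anyone auditing which policy plugin is active, because it means the absence of a `Plugin` line in sudo.conf does not by itself mean no plugin is loaded; the sentence that follows ("If no sudo.conf file is present, or it contains no ...") should state that consequence explicitly.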
Line 857 If a user runs a command such as
|
Line 803 If a user runs a command such as
|
or |
or |
.Li sudo sh , |
.Li sudo sh , |
subsequent commands run from that shell are not subject to |
subsequent commands run from that shell are not subject to |
.Nm sudo Ns No 's | .Nm sudo Ns 's |
security policy. |
security policy. |
The same is true for commands that offer shell escapes (including |
The same is true for commands that offer shell escapes (including |
most editors). |
most editors). |
Line 1054 if that user is allowed to run arbitrary commands via
|
Line 1000 if that user is allowed to run arbitrary commands via
|
.Nm sudo . |
.Nm sudo . |
Also, many programs (such as editors) allow the user to run commands |
Also, many programs (such as editors) allow the user to run commands |
via shell escapes, thus avoiding |
via shell escapes, thus avoiding |
.Nm sudo Ns No 's | .Nm sudo Ns 's |
checks. |
checks. |
However, on most systems it is possible to prevent shell escapes with the |
However, on most systems it is possible to prevent shell escapes with the |
.Xr sudoers @mansectform@ |
.Xr sudoers @mansectform@ |