Annotation of embedaddon/sudo/doc/sudo.pod, revision 1.1.1.2
1.1.1.2 ! misho 1: Copyright (c) 1994-1996, 1998-2005, 2007-2012
1.1 misho 2: Todd C. Miller <Todd.Miller@courtesan.com>
3:
4: Permission to use, copy, modify, and distribute this software for any
5: purpose with or without fee is hereby granted, provided that the above
6: copyright notice and this permission notice appear in all copies.
7:
8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16:
17: Sponsored in part by the Defense Advanced Research Projects
18: Agency (DARPA) and Air Force Research Laboratory, Air Force
19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
20:
21: =pod
22:
23: =head1 NAME
24:
25: sudo, sudoedit - execute a command as another user
26:
27: =head1 SYNOPSIS
28:
1.1.1.2 ! misho 29: B<sudo> B<-h> | B<-K> | B<-k> | B<-V>
1.1 misho 30:
31: B<sudo> B<-v> [B<-AknS>]
32: S<[B<-a> I<auth_type>]>
33: S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
34: S<[B<-u> I<user name>|I<#uid>]>
35:
36: B<sudo> B<-l[l]> [B<-AknS>]
37: S<[B<-a> I<auth_type>]>
38: S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
39: S<[B<-U> I<user name>]> S<[B<-u> I<user name>|I<#uid>]> [I<command>]
40:
41: B<sudo> [B<-AbEHnPS>]
42: S<[B<-a> I<auth_type>]>
43: S<[B<-C> I<fd>]>
44: S<[B<-c> I<class>|I<->]>
45: S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
46: S<[B<-r> I<role>]> S<[B<-t> I<type>]>
47: S<[B<-u> I<user name>|I<#uid>]>
48: S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
49:
50: B<sudoedit> [B<-AnS>]
51: S<[B<-a> I<auth_type>]>
52: S<[B<-C> I<fd>]>
53: S<[B<-c> I<class>|I<->]>
54: S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
55: S<[B<-u> I<user name>|I<#uid>]> file ...
56:
57: =head1 DESCRIPTION
58:
59: B<sudo> allows a permitted user to execute a I<command> as the
60: superuser or another user, as specified by the security policy.
61: The real and effective uid and gid are set to match those of the
62: target user, as specified in the password database, and the group
63: vector is initialized based on the group database (unless the B<-P>
64: option was specified).
65:
66: B<sudo> supports a plugin architecture for security policies and
67: input/output logging. Third parties can develop and distribute
1.1.1.2 ! misho 68: their own policy and I/O logging modules to work seamlessly with
1.1 misho 69: the B<sudo> front end. The default security policy is I<sudoers>,
70: which is configured via the file F<@sysconfdir@/sudoers>, or via
71: LDAP. See the L<PLUGINS> section for more information.
72:
73: The security policy determines what privileges, if any, a user has
74: to run B<sudo>. The policy may require that users authenticate
75: themselves with a password or another authentication mechanism. If
76: authentication is required, B<sudo> will exit if the user's password
77: is not entered within a configurable time limit. This limit is
78: policy-specific; the default password prompt timeout for the
79: I<sudoers> security policy is C<@password_timeout@> minutes.
80:
81: Security policies may support credential caching to allow the user
82: to run B<sudo> again for a period of time without requiring
83: authentication. The I<sudoers> policy caches credentials for
84: C<@timeout@> minutes, unless overridden in L<sudoers(5)>. By
85: running B<sudo> with the B<-v> option, a user can update the cached
86: credentials without running a I<command>.
87:
88: When invoked as B<sudoedit>, the B<-e> option (described below),
89: is implied.
90:
91: Security policies may log successful and failed attempts to use
92: B<sudo>. If an I/O plugin is configured, the running command's
93: input and output may be logged as well.
94:
95: =head1 OPTIONS
96:
97: B<sudo> accepts the following command line options:
98:
99: =over 12
100:
101: =item -A
102:
103: Normally, if B<sudo> requires a password, it will read it from the
104: user's terminal. If the B<-A> (I<askpass>) option is specified,
105: a (possibly graphical) helper program is executed to read the user's
106: password and output the password to the standard output. If the
107: C<SUDO_ASKPASS> environment variable is set, it specifies the path
108: to the helper program. Otherwise, if F<@sysconfdir@/sudo.conf>
109: contains a line specifying the askpass program, that value will be
110: used. For example:
111:
112: # Path to askpass helper program
113: Path askpass /usr/X11R6/bin/ssh-askpass
114:
115: If no askpass program is available, sudo will exit with an error.
116:
117: =item -a I<type>
118:
119: The B<-a> (I<authentication type>) option causes B<sudo> to use the
120: specified authentication type when validating the user, as allowed
121: by F</etc/login.conf>. The system administrator may specify a list
122: of sudo-specific authentication methods by adding an "auth-sudo"
123: entry in F</etc/login.conf>. This option is only available on systems
124: that support BSD authentication.
125:
126: =item -b
127:
128: The B<-b> (I<background>) option tells B<sudo> to run the given
129: command in the background. Note that if you use the B<-b>
130: option you cannot use shell job control to manipulate the process.
131: Most interactive commands will fail to work properly in background
132: mode.
133:
134: =item -C I<fd>
135:
136: Normally, B<sudo> will close all open file descriptors other than
137: standard input, standard output and standard error. The B<-C>
138: (I<close from>) option allows the user to specify a starting point
139: above the standard error (file descriptor three). Values less than
140: three are not permitted. The security policy may restrict the
141: user's ability to use the B<-C> option. The I<sudoers> policy only
142: permits use of the B<-C> option when the administrator has enabled
143: the I<closefrom_override> option.
144:
145: =item -c I<class>
146:
147: The B<-c> (I<class>) option causes B<sudo> to run the specified command
148: with resources limited by the specified login class. The I<class>
149: argument can be either a class name as defined in F</etc/login.conf>,
150: or a single '-' character. Specifying a I<class> of C<-> indicates
151: that the command should be run restricted by the default login
152: capabilities for the user the command is run as. If the I<class>
153: argument specifies an existing user class, the command must be run
154: as root, or the B<sudo> command must be run from a shell that is already
155: root. This option is only available on systems with BSD login classes.
156:
157: =item -E
158:
159: The B<-E> (I<preserve> I<environment>) option indicates to the
160: security policy that the user wishes to preserve their existing
161: environment variables. The security policy may return an error if
162: the B<-E> option is specified and the user does not have permission
163: to preserve the environment.
164:
165: =item -e
166:
167: The B<-e> (I<edit>) option indicates that, instead of running a
168: command, the user wishes to edit one or more files. In lieu of a
169: command, the string "sudoedit" is used when consulting the security
170: policy. If the user is authorized by the policy, the following
171: steps are taken:
172:
173: =over 4
174:
175: =item 1.
176:
177: Temporary copies are made of the files to be edited with the owner
178: set to the invoking user.
179:
180: =item 2.
181:
182: The editor specified by the policy is run to edit the temporary files.
183: The I<sudoers> policy uses the C<SUDO_EDITOR>, C<VISUAL> and C<EDITOR>
184: environment variables (in that order). If none of C<SUDO_EDITOR>,
185: C<VISUAL> or C<EDITOR> are set, the first program listed in the
186: I<editor> L<sudoers(5)> option is used.
187:
188: =item 3.
189:
190: If they have been modified, the temporary files are copied back to
191: their original location and the temporary versions are removed.
192:
193: =back
194:
195: If the specified file does not exist, it will be created. Note
196: that unlike most commands run by B<sudo>, the editor is run with
197: the invoking user's environment unmodified. If, for some reason,
198: B<sudo> is unable to update a file with its edited version, the
199: user will receive a warning and the edited copy will remain in a
200: temporary file.
201:
202: =item -g I<group>
203:
204: Normally, B<sudo> runs a command with the primary group set to the
205: one specified by the password database for the user the command is
206: being run as (by default, root). The B<-g> (I<group>) option causes
207: B<sudo> to run the command with the primary group set to I<group>
208: instead. To specify a I<gid> instead of a I<group name>, use
209: I<#gid>. When running commands as a I<gid>, many shells require
210: that the '#' be escaped with a backslash ('\'). If no B<-u> option
211: is specified, the command will be run as the invoking user (not
212: root). In either case, the primary group will be set to I<group>.
213:
214: =item -H
215:
216: The B<-H> (I<HOME>) option requests that the security policy set
217: the C<HOME> environment variable to the home directory of the target
218: user (root by default) as specified by the password database.
219: Depending on the policy, this may be the default behavior.
220:
221: =item -h
222:
223: The B<-h> (I<help>) option causes B<sudo> to print a short help message
224: to the standard output and exit.
225:
226: =item -i [command]
227:
228: The B<-i> (I<simulate initial login>) option runs the shell specified
229: by the password database entry of the target user as a login shell.
230: This means that login-specific resource files such as C<.profile>
231: or C<.login> will be read by the shell. If a command is specified,
232: it is passed to the shell for execution via the shell's B<-c> option.
233: If no command is specified, an interactive shell is executed.
234: B<sudo> attempts to change to that user's home directory before
235: running the shell. The security policy shall initialize the
236: environment to a minimal set of variables, similar to what is present
237: when a user logs in. The I<Command Environment> section in the
238: L<sudoers(5)> manual documents how the B<-i> option affects the
239: environment in which a command is run when the I<sudoers> policy
240: is in use.
241:
242: =item -K
243:
244: The B<-K> (sure I<kill>) option is like B<-k> except that it removes
245: the user's cached credentials entirely and may not be used in
246: conjunction with a command or other option. This option does not
247: require a password. Not all security policies support credential
248: caching.
249:
250: =item -k [command]
251:
252: When used alone, the B<-k> (I<kill>) option to B<sudo> invalidates
253: the user's cached credentials. The next time B<sudo> is run a
254: password will be required. This option does not require a password
255: and was added to allow a user to revoke B<sudo> permissions from a
256: .logout file. Not all security policies support credential
257: caching.
258:
259: When used in conjunction with a command or an option that may require
260: a password, the B<-k> option will cause B<sudo> to ignore the user's
261: cached credentials. As a result, B<sudo> will prompt for a password
262: (if one is required by the security policy) and will not update the
263: user's cached credentials.
264:
265: =item -l[l] [I<command>]
266:
267: If no I<command> is specified, the B<-l> (I<list>) option will list
268: the allowed (and forbidden) commands for the invoking user (or the
269: user specified by the B<-U> option) on the current host. If a
270: I<command> is specified and is permitted by the security policy,
271: the fully-qualified path to the command is displayed along with any
272: command line arguments. If I<command> is specified but not allowed,
273: B<sudo> will exit with a status value of 1. If the B<-l> option
274: is specified with an B<l> argument (i.e. B<-ll>), or if B<-l> is
275: specified multiple times, a longer list format is used.
276:
277: =item -n
278:
279: The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
280: the user for a password. If a password is required for the command
281: to run, B<sudo> will display an error messages and exit.
282:
283: =item -P
284:
285: The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to
286: preserve the invoking user's group vector unaltered. By default,
287: the I<sudoers> policy will initialize the group vector to the list
288: of groups the target user is in. The real and effective group IDs,
289: however, are still set to match the target user.
290:
291: =item -p I<prompt>
292:
293: The B<-p> (I<prompt>) option allows you to override the default
294: password prompt and use a custom one. The following percent (`C<%>')
295: escapes are supported by the I<sudoers> policy:
296:
297: =over 4
298:
299: =item C<%H>
300:
301: expanded to the host name including the domain name (on if
302: the machine's host name is fully qualified or the I<fqdn> option
303: is set in L<sudoers(5)>)
304:
305: =item C<%h>
306:
307: expanded to the local host name without the domain name
308:
309: =item C<%p>
310:
311: expanded to the name of the user whose password is being requested
312: (respects the I<rootpw>, I<targetpw> and I<runaspw> flags in
313: L<sudoers(5)>)
314:
315: =item C<%U>
316:
317: expanded to the login name of the user the command will be run as
318: (defaults to root unless the C<-u> option is also specified)
319:
320: =item C<%u>
321:
322: expanded to the invoking user's login name
323:
324: =item C<%%>
325:
326: two consecutive C<%> characters are collapsed into a single C<%> character
327:
328: =back
329:
330: The prompt specified by the B<-p> option will override the system
331: password prompt on systems that support PAM unless the
332: I<passprompt_override> flag is disabled in I<sudoers>.
333:
334: =item -r I<role>
335:
336: The B<-r> (I<role>) option causes the new (SELinux) security context to
337: have the role specified by I<role>.
338:
339: =item -S
340:
341: The B<-S> (I<stdin>) option causes B<sudo> to read the password from
342: the standard input instead of the terminal device. The password must
343: be followed by a newline character.
344:
345: =item -s [command]
346:
347: The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
348: environment variable if it is set or the shell as specified in the
349: password database. If a command is specified, it is passed to the
350: shell for execution via the shell's B<-c> option. If no command
351: is specified, an interactive shell is executed.
352:
353: =item -t I<type>
354:
355: The B<-t> (I<type>) option causes the new (SELinux) security context to
356: have the type specified by I<type>. If no type is specified, the default
357: type is derived from the specified role.
358:
359: =item -U I<user>
360:
361: The B<-U> (I<other user>) option is used in conjunction with the
362: B<-l> option to specify the user whose privileges should be listed.
363: The security policy may restrict listing other users' privileges.
364: The I<sudoers> policy only allows root or a user with the C<ALL>
365: privilege on the current host to use this option.
366:
367: =item -u I<user>
368:
369: The B<-u> (I<user>) option causes B<sudo> to run the specified
370: command as a user other than I<root>. To specify a I<uid> instead
371: of a I<user name>, use I<#uid>. When running commands as a I<uid>,
372: many shells require that the '#' be escaped with a backslash ('\').
373: Security policies may restrict I<uid>s to those listed in the
374: password database. The I<sudoers> policy allows I<uid>s that are
375: not in the password database as long as the I<targetpw> option is
376: not set. Other security policies may not support this.
377:
378: =item -V
379:
380: The B<-V> (I<version>) option causes B<sudo> to print its version
381: string and the version string of the security policy plugin and any
382: I/O plugins. If the invoking user is already root the B<-V> option
383: will display the arguments passed to configure when I<sudo> was
384: built and plugins may display more verbose information such as
385: default options.
386:
387: =item -v
388:
389: When given the B<-v> (I<validate>) option, B<sudo> will update the
390: user's cached credentials, authenticating the user's password if
391: necessary. For the I<sudoers> plugin, this extends the B<sudo>
392: timeout for another C<@timeout@> minutes (or whatever the timeout
393: is set to in I<sudoers>) but does not run a command. Not all
394: security policies support cached credentials.
395:
396: =item --
397:
398: The B<--> option indicates that B<sudo> should stop processing command
399: line arguments.
400:
401: =back
402:
403: Environment variables to be set for the command may also be passed
404: on the command line in the form of B<VAR>=I<value>, e.g.
405: B<LD_LIBRARY_PATH>=I</usr/local/pkg/lib>. Variables passed on the
406: command line are subject to the same restrictions as normal environment
407: variables with one important exception. If the I<setenv> option
408: is set in I<sudoers>, the command to be run has the C<SETENV> tag
409: set or the command matched is C<ALL>, the user may set variables
1.1.1.2 ! misho 410: that would otherwise be forbidden. See L<sudoers(5)> for more information.
1.1 misho 411:
412: =head1 PLUGINS
413:
414: Plugins are dynamically loaded based on the contents of the
415: F<@sysconfdir@/sudo.conf> file. If no F<@sysconfdir@/sudo.conf>
416: file is present, or it contains no C<Plugin> lines, B<sudo>
417: will use the traditional I<sudoers> security policy and I/O logging,
418: which corresponds to the following F<@sysconfdir@/sudo.conf> file.
419:
420: #
421: # Default @sysconfdir@/sudo.conf file
422: #
423: # Format:
1.1.1.2 ! misho 424: # Plugin plugin_name plugin_path plugin_options ...
1.1 misho 425: # Path askpass /path/to/askpass
1.1.1.2 ! misho 426: # Path noexec /path/to/sudo_noexec.so
! 427: # Debug sudo /var/log/sudo_debug all@warn
! 428: # Set disable_coredump true
1.1 misho 429: #
430: # The plugin_path is relative to @prefix@/libexec unless
431: # fully qualified.
432: # The plugin_name corresponds to a global symbol in the plugin
433: # that contains the plugin interface structure.
1.1.1.2 ! misho 434: # The plugin_options are optional.
1.1 misho 435: #
436: Plugin policy_plugin sudoers.so
437: Plugin io_plugin sudoers.so
438:
439: A C<Plugin> line consists of the C<Plugin> keyword, followed by the
440: I<symbol_name> and the I<path> to the shared object containing the
441: plugin. The I<symbol_name> is the name of the C<struct policy_plugin>
442: or C<struct io_plugin> in the plugin shared object. The I<path>
443: may be fully qualified or relative. If not fully qualified it is
444: relative to the F<@prefix@/libexec> directory. Any additional
1.1.1.2 ! misho 445: parameters after the I<path> are passed as arguments to the plugin's
! 446: I<open> function. Lines that don't begin with C<Plugin>, C<Path>,
! 447: C<Debug> or C<Set> are silently ignored.
1.1 misho 448:
449: For more information, see the L<sudo_plugin(8)> manual.
450:
451: =head1 PATHS
452:
453: A C<Path> line consists of the C<Path> keyword, followed by the
454: name of the path to set and its value. E.g.
455:
456: Path noexec @noexec_file@
457: Path askpass /usr/X11R6/bin/ssh-askpass
458:
459: The following plugin-agnostic paths may be set in the
460: F<@sysconfdir@/sudo.conf> file.
461:
462: =over 16
463:
464: =item askpass
465:
466: The fully qualified path to a helper program used to read the user's
467: password when no terminal is available. This may be the case when
468: B<sudo> is executed from a graphical (as opposed to text-based)
469: application. The program specified by I<askpass> should display
470: the argument passed to it as the prompt and write the user's password
471: to the standard output. The value of I<askpass> may be overridden
472: by the C<SUDO_ASKPASS> environment variable.
473:
474: =item noexec
475:
476: The fully-qualified path to a shared library containing dummy
477: versions of the execv(), execve() and fexecve() library functions
478: that just return an error. This is used to implement the I<noexec>
479: functionality on systems that support C<LD_PRELOAD> or its equivalent.
480: Defaults to F<@noexec_file@>.
481:
482: =back
483:
1.1.1.2 ! misho 484: =head1 DEBUG FLAGS
! 485:
! 486: B<sudo> versions 1.8.4 and higher support a flexible debugging
! 487: framework that can help track down what B<sudo> is doing internally
! 488: if there is a problem.
! 489:
! 490: A C<Debug> line consists of the C<Debug> keyword, followed by the
! 491: name of the program to debug (B<sudo>, B<visudo>, B<sudoreplay>),
! 492: the debug file name and a comma-separated list of debug flags.
! 493: The debug flag syntax used by B<sudo> and the I<sudoers> plugin is
! 494: I<subsystem>@I<priority> but the plugin is free to use a different
! 495: format so long as it does not include a command C<,>.
! 496:
! 497: For instance:
! 498:
! 499: Debug sudo /var/log/sudo_debug all@warn,plugin@info
! 500:
! 501: would log all debugging statements at the I<warn> level and higher
! 502: in addition to those at the I<info> level for the plugin subsystem.
! 503:
! 504: Currently, only one C<Debug> entry per program is supported. The
! 505: C<sudo> C<Debug> entry is shared by the B<sudo> front end, B<sudoedit>
! 506: and the plugins. A future release may add support for per-plugin
! 507: C<Debug> lines and/or support for multiple debugging files for a
! 508: single program.
! 509:
! 510: The priorities used by the B<sudo> front end, in order of decreasing
! 511: severity, are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>,
! 512: I<trace> and I<debug>. Each priority, when specified, also includes
! 513: all priorities higher than it. For example, a priority of I<notice>
! 514: would include debug messages logged at I<notice> and higher.
! 515:
! 516: The following subsystems are used by B<sudo>:
! 517:
! 518: =over 10
! 519:
! 520: =item I<all>
! 521:
! 522: matches every subsystem
! 523:
! 524: =item I<args>
! 525:
! 526: command line argument processing
! 527:
! 528: =item I<conv>
! 529:
! 530: user conversation
! 531:
! 532: =item I<edit>
! 533:
! 534: sudoedit
! 535:
! 536: =item I<exec>
! 537:
! 538: command execution
! 539:
! 540: =item I<main>
! 541:
! 542: B<sudo> main function
! 543:
! 544: =item I<netif>
! 545:
! 546: network interface handling
! 547:
! 548: =item I<pcomm>
! 549:
! 550: communication with the plugin
! 551:
! 552: =item I<plugin>
! 553:
! 554: plugin configuration
! 555:
! 556: =item I<pty>
! 557:
! 558: pseudo-tty related code
! 559:
! 560: =item I<selinux>
! 561:
! 562: SELinux-specific handling
! 563:
! 564: =item I<util>
! 565:
! 566: utility functions
! 567:
! 568: =item I<utmp>
! 569:
! 570: utmp handling
! 571:
! 572: =back
! 573:
1.1 misho 574: =head1 RETURN VALUES
575:
576: Upon successful execution of a program, the exit status from B<sudo>
577: will simply be the exit status of the program that was executed.
578:
579: Otherwise, B<sudo> exits with a value of 1 if there is a
580: configuration/permission problem or if B<sudo> cannot execute the
581: given command. In the latter case the error string is printed to
582: the standard error. If B<sudo> cannot L<stat(2)> one or more entries
583: in the user's C<PATH>, an error is printed on stderr. (If the
584: directory does not exist or if it is not really a directory, the
585: entry is ignored and no error is printed.) This should not happen
586: under normal circumstances. The most common reason for L<stat(2)>
587: to return "permission denied" is if you are running an automounter
588: and one of the directories in your C<PATH> is on a machine that is
589: currently unreachable.
590:
591: =head1 SECURITY NOTES
592:
593: B<sudo> tries to be safe when executing external commands.
594:
595: To prevent command spoofing, B<sudo> checks "." and "" (both denoting
596: current directory) last when searching for a command in the user's
597: PATH (if one or both are in the PATH). Note, however, that the
598: actual C<PATH> environment variable is I<not> modified and is passed
599: unchanged to the program that B<sudo> executes.
600:
601: Please note that B<sudo> will normally only log the command it
602: explicitly runs. If a user runs a command such as C<sudo su> or
603: C<sudo sh>, subsequent commands run from that shell are not subject
604: to B<sudo>'s security policy. The same is true for commands that
605: offer shell escapes (including most editors). If I/O logging is
606: enabled, subsequent commands will have their input and/or output
607: logged, but there will not be traditional logs for those commands.
608: Because of this, care must be taken when giving users access to
609: commands via B<sudo> to verify that the command does not inadvertently
610: give the user an effective root shell. For more information, please
611: see the C<PREVENTING SHELL ESCAPES> section in L<sudoers(5)>.
612:
1.1.1.2 ! misho 613: To prevent the disclosure of potentially sensitive information,
! 614: B<sudo> disables core dumps by default while it is executing (they
! 615: are re-enabled for the command that is run). To aid in debugging
! 616: B<sudo> crashes, you may wish to re-enable core dumps by setting
! 617: "disable_coredump" to false in the F<@sysconfdir@/sudo.conf> file.
! 618:
! 619: Set disable_coredump false
! 620:
! 621: Note that by default, most operating systems disable core dumps
! 622: from setuid programs, which includes B<sudo>. To actually get a
! 623: B<sudo> core file you may need to enable core dumps for setuid
! 624: processes. On BSD and Linux systems this is accomplished via the
! 625: sysctl command, on Solaris the coreadm command can be used.
! 626:
1.1 misho 627: =head1 ENVIRONMENT
628:
629: B<sudo> utilizes the following environment variables. The security
630: policy has control over the content of the command's environment.
631:
632: =over 16
633:
634: =item C<EDITOR>
635:
636: Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
637: nor C<VISUAL> is set
638:
639: =item C<MAIL>
640:
641: In B<-i> mode or when I<env_reset> is enabled in I<sudoers>, set
642: to the mail spool of the target user
643:
644: =item C<HOME>
645:
646: Set to the home directory of the target user if B<-i> or B<-H> are
647: specified, I<env_reset> or I<always_set_home> are set in I<sudoers>,
648: or when the B<-s> option is specified and I<set_home> is set in
649: I<sudoers>
650:
651: =item C<PATH>
652:
653: May be overridden by the security policy.
654:
655: =item C<SHELL>
656:
657: Used to determine shell to run with C<-s> option
658:
659: =item C<SUDO_ASKPASS>
660:
661: Specifies the path to a helper program used to read the password
662: if no terminal is available or if the C<-A> option is specified.
663:
664: =item C<SUDO_COMMAND>
665:
666: Set to the command run by sudo
667:
668: =item C<SUDO_EDITOR>
669:
670: Default editor to use in B<-e> (sudoedit) mode
671:
672: =item C<SUDO_GID>
673:
674: Set to the group ID of the user who invoked sudo
675:
676: =item C<SUDO_PROMPT>
677:
678: Used as the default password prompt
679:
680: =item C<SUDO_PS1>
681:
682: If set, C<PS1> will be set to its value for the program being run
683:
684: =item C<SUDO_UID>
685:
686: Set to the user ID of the user who invoked sudo
687:
688: =item C<SUDO_USER>
689:
690: Set to the login of the user who invoked sudo
691:
692: =item C<USER>
693:
694: Set to the target user (root unless the B<-u> option is specified)
695:
696: =item C<VISUAL>
697:
698: Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
699: is not set
700:
701: =back
702:
703: =head1 FILES
704:
705: =over 24
706:
707: =item F<@sysconfdir@/sudo.conf>
708:
1.1.1.2 ! misho 709: B<sudo> front end configuration
1.1 misho 710:
711: =back
712:
713: =head1 EXAMPLES
714:
715: Note: the following examples assume a properly configured security policy.
716:
717: To get a file listing of an unreadable directory:
718:
719: $ sudo ls /usr/local/protected
720:
721: To list the home directory of user yaz on a machine where the
722: file system holding ~yaz is not exported as root:
723:
724: $ sudo -u yaz ls ~yaz
725:
726: To edit the F<index.html> file as user www:
727:
728: $ sudo -u www vi ~www/htdocs/index.html
729:
730: To view system logs only accessible to root and users in the adm group:
731:
732: $ sudo -g adm view /var/log/syslog
733:
734: To run an editor as jim with a different primary group:
735:
736: $ sudo -u jim -g audio vi ~jim/sound.txt
737:
738: To shutdown a machine:
739:
740: $ sudo shutdown -r +15 "quick reboot"
741:
742: To make a usage listing of the directories in the /home
743: partition. Note that this runs the commands in a sub-shell
744: to make the C<cd> and file redirection work.
745:
746: $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
747:
748: =head1 SEE ALSO
749:
750: L<grep(1)>, L<su(1)>, L<stat(2)>,
751: L<login_cap(3)>,
752: L<passwd(5)>, L<sudoers(5)>, L<sudo_plugin(8)>, L<sudoreplay(8)>, L<visudo(8)>
753:
754: =head1 AUTHORS
755:
756: Many people have worked on B<sudo> over the years; this
757: version consists of code written primarily by:
758:
759: Todd C. Miller
760:
1.1.1.2 ! misho 761: See the CONTRIBUTORS file in the B<sudo> distribution
! 762: (http://www.sudo.ws/sudo/contributors.html) for a list of people
! 763: who have contributed to B<sudo>.
! 764:
! 765: =head1 HISTORY
! 766:
! 767: See the HISTORY file in the B<sudo> distribution
! 768: (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
1.1 misho 769:
770: =head1 CAVEATS
771:
772: There is no easy way to prevent a user from gaining a root shell
773: if that user is allowed to run arbitrary commands via B<sudo>.
774: Also, many programs (such as editors) allow the user to run commands
775: via shell escapes, thus avoiding B<sudo>'s checks. However, on
776: most systems it is possible to prevent shell escapes with the
777: L<sudoers(5)> module's I<noexec> functionality.
778:
779: It is not meaningful to run the C<cd> command directly via sudo, e.g.,
780:
781: $ sudo cd /usr/local/protected
782:
783: since when the command exits the parent process (your shell) will
784: still be the same. Please see the EXAMPLES section for more information.
785:
786: Running shell scripts via B<sudo> can expose the same kernel bugs that
787: make setuid shell scripts unsafe on some operating systems (if your OS
788: has a /dev/fd/ directory, setuid shell scripts are generally safe).
789:
790: =head1 BUGS
791:
792: If you feel you have found a bug in B<sudo>, please submit a bug report
793: at http://www.sudo.ws/sudo/bugs/
794:
795: =head1 SUPPORT
796:
797: Limited free support is available via the sudo-users mailing list,
798: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
799: search the archives.
800:
801: =head1 DISCLAIMER
802:
803: B<sudo> is provided ``AS IS'' and any express or implied warranties,
804: including, but not limited to, the implied warranties of merchantability
805: and fitness for a particular purpose are disclaimed. See the LICENSE
806: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
807: for complete details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>