-1.6.8 August 17, 2004 1
+1.6.8 September 6, 2004 1
-1.6.8 August 17, 2004 2
+1.6.8 September 6, 2004 2
receive a warning and the edited copy will remain in a
temporary file.
+ Please note that the editor used must make its changes
+ to the original file (really the original inode). If
+ the editor makes changes to a temporary file and then
+ just renames this to the original file name it will
+ not work with s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage mes
sage and exit.
-i The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
specified in the passwd(4) entry of the user that the
command is being run as. The command name argument
- given to the shell begins with a - to tell the shell
- to run as a login shell. s\bsu\bud\bdo\bo attempts to change to
- that user's home directory before running the shell.
- It also initializes the environment, leaving _\bT_\bE_\bR_\bM
- unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and
- _\bP_\bA_\bT_\bH, and unsetting all other environment variables.
-1.6.8 August 17, 2004 3
+1.6.8 September 6, 2004 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ given to the shell begins with a - to tell the shell
+ to run as a login shell. s\bsu\bud\bdo\bo attempts to change to
+ that user's home directory before running the shell.
+ It also initializes the environment, leaving _\bT_\bE_\bR_\bM
+ unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and
+ _\bP_\bA_\bT_\bH, and unsetting all other environment variables.
Note that because the shell to use is determined
before the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed, a _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
setting in _\bs_\bu_\bd_\bo_\be_\br_\bs will specify the user to run the
the password database.
-v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update
- the user's timestamp, prompting for the user's pass
- word if necessary. This extends the s\bsu\bud\bdo\bo timeout for
- another 5 minutes (or whatever the timeout is set to
- in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
-
- -- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing
-1.6.8 August 17, 2004 4
+1.6.8 September 6, 2004 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ the user's timestamp, prompting for the user's pass
+ word if necessary. This extends the s\bsu\bud\bdo\bo timeout for
+ another 5 minutes (or whatever the timeout is set to
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
+
+ -- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing
command line arguments. It is most useful in conjunc
tion with the -\b-s\bs flag.
that s\bsu\bud\bdo\bo executes.
For security reasons, if your OS supports shared libraries
- and does not disable user-defined library search paths for
- setuid programs (most do), you should either use a linker
- option that disables this behavior or link s\bsu\bud\bdo\bo stati
- cally.
-
- s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
-1.6.8 August 17, 2004 5
+1.6.8 September 6, 2004 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ and does not disable user-defined library search paths for
+ setuid programs (most do), you should either use a linker
+ option that disables this behavior or link s\bsu\bud\bdo\bo stati
+ cally.
+
+ s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
(_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away
verify that the command does not inadvertently give the
user an effective root shell.
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable sudoers(4)
- entries.
-
- To get a file listing of an unreadable directory:
-
- $ sudo ls /usr/local/protected
-
- To list the home directory of user yazza on a machine
- where the file system holding ~yazza is not exported as
- root:
+E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
+ s\bsu\bud\bdo\bo utilizes the following environment variables:
- $ sudo -u yazza ls ~yazza
+ EDITOR Default editor to use in -e (sudoedit) mode if
+ VISUAL is not set
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+ HOME In -s or -H mode (or if sudo was configured with
+ the --enable-shell-sets-home option), set to
+ homedir of the target user
- $ sudo -u www vi ~www/htdocs/index.html
+ PATH Set to a sane value if sudo was configured with
+ the --with-secure-path option
- To shutdown a machine:
-1.6.8 August 17, 2004 6
+1.6.8 September 6, 2004 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- $ sudo shutdown -r +15 "quick reboot"
-
- To make a usage listing of the directories in the /home
- partition. Note that this runs the commands in a sub-
- shell to make the cd and file redirection work.
-
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- s\bsu\bud\bdo\bo utilizes the following environment variables:
-
- EDITOR Default editor to use in -e (sudoedit) mode if
- VISUAL is not set
-
- HOME In -s or -H mode (or if sudo was configured with
- the --enable-shell-sets-home option), set to
- homedir of the target user
-
- PATH Set to a sane value if sudo was configured with
- the --with-secure-path option
-
SHELL Used to determine shell to run with -s option
SUDO_PROMPT Used as the default password prompt
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this ver
- sion consists of code written primarily by:
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Note: the following examples assume suitable sudoers(4)
+ entries.
- Todd Miller
- Chris Jepeway
+ To get a file listing of an unreadable directory:
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history
- of s\bsu\bud\bdo\bo.
+ $ sudo ls /usr/local/protected
+
+ To list the home directory of user yazza on a machine
+ where the file system holding ~yazza is not exported as
+ root:
+
+ $ sudo -u yazza ls ~yazza
+
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+
+ $ sudo -u www vi ~www/htdocs/index.html
+
+ To shutdown a machine:
+
+ $ sudo shutdown -r +15 "quick reboot"
+
+ To make a usage listing of the directories in the /home
+ partition. Note that this runs the commands in a sub-
+ shell to make the cd and file redirection work.
+
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), sudoers(4),
+ passwd(4), visudo(1m)
-1.6.8 August 17, 2004 7
+1.6.8 September 6, 2004 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in sudo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this ver
+ sion consists of code written primarily by:
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo for complete details.
+ Todd Miller
+ Chris Jepeway
+
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
+ http://www.sudo.ws/sudo/history.html for a short history
+ of s\bsu\bud\bdo\bo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root
Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel
bugs that make setuid shell scripts unsafe on some operat
- ing systems (if your OS supports the /dev/fd/ directory,
- setuid shell scripts are generally safe).
+ ing systems (if your OS has a /dev/fd/ directory, setuid
+ shell scripts are generally safe).
+
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
+ bug report at http://www.sudo.ws/sudo/bugs/
+
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Commercial support is available for s\bsu\bud\bdo\bo, see
+ http://www.sudo.ws/sudo/support.html for details.
+
+ Limited free support is available via the sudo-users mail
+ ing list, see http://www.sudo.ws/mail
+ man/listinfo/sudo-users to subscribe or search the
+ archives.
+
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied
+
+
+
+1.6.8 September 6, 2004 8
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
+ warranties, including, but not limited to, the implied
+ warranties of merchantability and fitness for a particular
+ purpose are disclaimed. See the LICENSE file distributed
+ with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
+ plete details.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), sudoers(4),
- passwd(4), visudo(1m)
-1.6.8 August 17, 2004 8
+1.6.8 September 6, 2004 9
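Review bot: Most of this formatted-page diff is churn rather than content: every page footer changes date, whole paragraphs show up as removed and re-added only because a page break moved, and the new page 8 contributes a long run of empty '+' lines. The real text changes are few (the sudoedit paragraph, the SUPPORT section, the license URL, the /dev/fd wording, and the section reordering). Consider regenerating the formatted pages in a separate commit from the source edit so those changes can be reviewed on their own.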
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "August 17, 2004" "1.6.8" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
\&\fBsudo\fR is unable to update a file with its edited version, the
user will receive a warning and the edited copy will remain in a
temporary file.
+.Sp
+Please note that the editor used must make its changes to the
+original file (really the original inode). If the editor makes
+changes to a temporary file and then just renames this to the
+original file name it will not work with \fBsudoedit\fR.
.RE
.IP "\-h" 4
.IX Item "-h"
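Review bot: "original file" in the added paragraph is ambiguous, because the sentence directly above it says the edited copy lives in a temporary file; state explicitly whether the file the editor must modify in place is the temporary copy that sudoedit hands to it. "It will not work" should also say what the user actually sees when an editor saves by writing a new file and renaming it (for instance, whether the edits are dropped without a message), so an administrator can recognise the failure.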
of this, care must be taken when giving users access to commands
via \fBsudo\fR to verify that the command does not inadvertently give
the user an effective root shell.
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Note: the following examples assume suitable sudoers(@mansectform@) entries.
-.PP
-To get a file listing of an unreadable directory:
-.PP
-.Vb 1
-\& $ sudo ls /usr/local/protected
-.Ve
-.PP
-To list the home directory of user yazza on a machine where the
-file system holding ~yazza is not exported as root:
-.PP
-.Vb 1
-\& $ sudo -u yazza ls ~yazza
-.Ve
-.PP
-To edit the \fIindex.html\fR file as user www:
-.PP
-.Vb 1
-\& $ sudo -u www vi ~www/htdocs/index.html
-.Ve
-.PP
-To shutdown a machine:
-.PP
-.Vb 1
-\& $ sudo shutdown -r +15 "quick reboot"
-.Ve
-.PP
-To make a usage listing of the directories in the /home
-partition. Note that this runs the commands in a sub-shell
-to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
-.PP
-.Vb 1
-\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
\&\fBsudo\fR utilizes the following environment variables:
\& @sysconfdir@/sudoers List of who can run what
\& @timedir@ Directory containing timestamps
.Ve
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Note: the following examples assume suitable sudoers(@mansectform@) entries.
+.PP
+To get a file listing of an unreadable directory:
+.PP
+.Vb 1
+\& $ sudo ls /usr/local/protected
+.Ve
+.PP
+To list the home directory of user yazza on a machine where the
+file system holding ~yazza is not exported as root:
+.PP
+.Vb 1
+\& $ sudo -u yazza ls ~yazza
+.Ve
+.PP
+To edit the \fIindex.html\fR file as user www:
+.PP
+.Vb 1
+\& $ sudo -u www vi ~www/htdocs/index.html
+.Ve
+.PP
+To shutdown a machine:
+.PP
+.Vb 1
+\& $ sudo shutdown -r +15 "quick reboot"
+.Ve
+.PP
+To make a usage listing of the directories in the /home
+partition. Note that this runs the commands in a sub-shell
+to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
+.PP
+.Vb 1
+\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@),
+passwd(@mansectform@), visudo(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this
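Review bot: In the last relocated example, 'cd /home ; du -s * | sort -rn > USAGE' keeps going if the cd fails, so du and the redirection to USAGE still run as root in whatever directory the shell started in. Since the block is being moved anyway, suggest changing the example to 'cd /home && du -s * | sort -rn > USAGE'.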
See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
http://www.sudo.ws/sudo/history.html for a short history
of \fBsudo\fR.
-.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in sudo, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed.
-See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell
creating their own program that gives them a root shell regardless
of any '!' elements in the user specification.
.PP
-Running shell scripts via \fBsudo\fR can expose the same kernel bugs
-that make setuid shell scripts unsafe on some operating systems
-(if your \s-1OS\s0 supports the /dev/fd/ directory, setuid shell scripts
-are generally safe).
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@),
-passwd(@mansectform@), visudo(@mansectsu@)
+Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
+make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
+has a /dev/fd/ directory, setuid shell scripts are generally safe).
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudo\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Commercial support is available for \fBsudo\fR, see
+http://www.sudo.ws/sudo/support.html for details.
+.PP
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.
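Review bot: The reworded CAVEATS sentence, "if your OS has a /dev/fd/ directory, setuid shell scripts are generally safe", now reads as if the mere presence of the directory is what matters. The protection comes from the kernel handing the interpreter the already-opened script through /dev/fd instead of by path name, so the old "supports" was closer; suggest wording that names that behaviour. Separately, BUGS and DISCLAIMER are both moved and edited in this hunk (bold sudo, the new license URL), which hides the text changes inside the move.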
-1.6.8 August 6, 2004 1
+1.6.8 September 6, 2004 1
-1.6.8 August 6, 2004 2
+1.6.8 September 6, 2004 2
-1.6.8 August 6, 2004 3
+1.6.8 September 6, 2004 3
-1.6.8 August 6, 2004 4
+1.6.8 September 6, 2004 4
-1.6.8 August 6, 2004 5
+1.6.8 September 6, 2004 5
-1.6.8 August 6, 2004 6
+1.6.8 September 6, 2004 6
-1.6.8 August 6, 2004 7
+1.6.8 September 6, 2004 7
-1.6.8 August 6, 2004 8
+1.6.8 September 6, 2004 8
-1.6.8 August 6, 2004 9
+1.6.8 September 6, 2004 9
-1.6.8 August 6, 2004 10
+1.6.8 September 6, 2004 10
-1.6.8 August 6, 2004 11
+1.6.8 September 6, 2004 11
-1.6.8 August 6, 2004 12
+1.6.8 September 6, 2004 12
-1.6.8 August 6, 2004 13
+1.6.8 September 6, 2004 13
-1.6.8 August 6, 2004 14
+1.6.8 September 6, 2004 14
-1.6.8 August 6, 2004 15
+1.6.8 September 6, 2004 15
-1.6.8 August 6, 2004 16
+1.6.8 September 6, 2004 16
('\') when used as part of a word (e.g. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
+F\bFI\bIL\bLE\bES\bS
+ /etc/sudoers List of who can run what
+ /etc/group Local groups file
+ /etc/netgroup List of network groups
+
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Since the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed in a single pass, order
is important. In general, you should structure _\bs_\bu_\bd_\bo_\be_\br_\bs
such that the Host_Alias, User_Alias, and Cmnd_Alias spec
ifications come first, followed by any Default_Entry
- lines, and finally the Runas_Alias and user specifica
- tions. The basic rule of thumb is you cannot reference an
- Alias that has not already been defined.
+ lines, and finally the Runas_Alias and user
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
- these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
-1.6.8 August 6, 2004 17
+1.6.8 September 6, 2004 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ specifications. The basic rule of thumb is you cannot
+ reference an Alias that has not already been defined.
+
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
+ these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
the year in each log line since the log entries will be
kept around for several years.
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
- mines who may run what.
-1.6.8 August 6, 2004 18
+
+
+1.6.8 September 6, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ # Override built-in defaults
+ Defaults syslog=auth
+ Defaults>root !set_logname
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
+ mines who may run what.
+
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
- The user p\bpe\bet\bte\be is allowed to change anyone's password
- except for root on the _\bH_\bP_\bP_\bA machines. Note that this
- assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
- command line.
-
- bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
- machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
+1.6.8 September 6, 2004 19
-1.6.8 August 6, 2004 19
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user p\bpe\bet\bte\be is allowed to change anyone's password
+ except for root on the _\bH_\bP_\bP_\bA machines. Note that this
+ assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
+ command line.
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
+ machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
and o\bop\bpe\ber\bra\bat\bto\bor\br).
jim +biglab = ALL
On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be
able to kill hung processes.
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
- (will, wendy, and wim), may run any command as user www
- (which owns the web pages) or simply _\bs_\bu(1) to www.
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+1.6.8 September 6, 2004 20
-1.6.8 August 6, 2004 20
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
+ (will, wendy, and wim), may run any command as user www
+ (which owns the web pages) or simply _\bs_\bu(1) to www.
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in
the CDROM Host_Alias (orion, perseus, hercules) without
sudo -V | grep "dummy exec"
- If the resulting output contains a line that begins with:
- File containing dummy exec functions:
- then s\bsu\bud\bdo\bo may be able to replace the exec family of func
- tions in the standard library with its own that simply
- return an error. Unfortunately, there is no foolproof way
- to know whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time.
- _\bN_\bo_\be_\bx_\be_\bc should work on SunOS, Solaris, *BSD, Linux, IRIX,
+1.6.8 September 6, 2004 21
-1.6.8 August 6, 2004 21
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If the resulting output contains a line that begins with:
+ File containing dummy exec functions:
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of func
+ tions in the standard library with its own that simply
+ return an error. Unfortunately, there is no foolproof way
+ to know whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time.
+ _\bN_\bo_\be_\bx_\be_\bc should work on SunOS, Solaris, *BSD, Linux, IRIX,
Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to
work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected to work on
most operating systems that support the LD_PRELOAD envi
tion. In the specific case of an editor, a safer approach
is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
+
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
command which locks the file and does grammatical check
hostname be fully qualified as returned by the hostname
command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-F\bFI\bIL\bLE\bES\bS
- /etc/sudoers List of who can run what
- /etc/group Local groups file
- /etc/netgroup List of network groups
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
+
+
+
+1.6.8 September 6, 2004 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
+ bug report at http://www.sudo.ws/sudo/bugs/
+
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Commercial support is available for s\bsu\bud\bdo\bo, see
+ http://www.sudo.ws/sudo/support.html for details.
+
+ Limited free support is available via the sudo-users mail
+ ing list, see http://www.sudo.ws/mail
+ man/listinfo/sudo-users to subscribe or search the
+ archives.
+
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
+ ranties, including, but not limited to, the implied war
+ ranties of merchantability and fitness for a particular
+ purpose are disclaimed. See the LICENSE file distributed
+ with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
+ plete details.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-1.6.8 August 6, 2004 22
+1.6.8 September 6, 2004 23
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "August 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
The following characters must be escaped with a backslash ('\e') when
used as part of a word (e.g. a username or hostname):
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
+.SH "FILES"
+.IX Header "FILES"
+.Vb 3
+\& @sysconfdir@/sudoers List of who can run what
+\& /etc/group Local groups file
+\& /etc/netgroup List of network groups
+.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Since the \fIsudoers\fR file is parsed in a single pass, order is
(such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run \fBsudoedit\fR.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@)
.SH "CAVEATS"
.IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
case), you either need to have the machine's hostname be fully qualified
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
\&\fIsudoers\fR.
-.SH "FILES"
-.IX Header "FILES"
-.Vb 3
-\& @sysconfdir@/sudoers List of who can run what
-\& /etc/group Local groups file
-\& /etc/netgroup List of network groups
-.Ve
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@)
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudo\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Commercial support is available for \fBsudo\fR, see
+http://www.sudo.ws/sudo/support.html for details.
+.PP
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.
-1.6.8 June 8, 2004 1
+1.6.8 September 6, 2004 1
-V The -\b-V\bV (version) option causes v\bvi\bis\bsu\bud\bdo\bo to print its
version number and exit.
-E\bER\bRR\bRO\bOR\bRS\bS
+E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
+ The following environment variables are used only if
+ v\bvi\bis\bsu\bud\bdo\bo was configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\b-_\be_\bd_\bi_\bt_\bo_\br option:
+
+ VISUAL Invoked by visudo as the editor to use
+ EDITOR Used by visudo if VISUAL is not set
+
+F\bFI\bIL\bLE\bES\bS
+ /etc/sudoers List of who can run what
+ /etc/sudoers.tmp Lock file for visudo
+
+D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
sudoers file busy, try again later.
Someone else is currently editing the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
used. This means that entries prior to the
_\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt setting will match based on the default
value of _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt (root) whereas entries a\baf\bft\bte\ber\br
- the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt setting will match based on the new
- value. This is usually unintentional and in most
- cases the <runas_default> setting should be placed
- before any Runas_Alias or User specifications. In -\b-s\bs
- (strict) mode this is an error, not a warning.
-
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- The following environment variables are used only if
- v\bvi\bis\bsu\bud\bdo\bo was configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\b-_\be_\bd_\bi_\bt_\bo_\br option:
-
-
-1.6.8 June 8, 2004 2
+1.6.8 September 6, 2004 2
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
- VISUAL Invoked by visudo as the editor to use
- EDITOR Used by visudo if VISUAL is not set
+ the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt setting will match based on the new
+ value. This is usually unintentional and in most
+ cases the <runas_default> setting should be placed
+ before any Runas_Alias or User specifications. In -\b-s\bs
+ (strict) mode this is an error, not a warning.
-F\bFI\bIL\bLE\bES\bS
- /etc/sudoers List of who can run what
- /etc/sudoers.tmp Lock file for visudo
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bv_\bi(1), sudoers(4), sudo(1m), vipw(1m)
A\bAU\bUT\bTH\bHO\bOR\bR
Many people have worked on _\bs_\bu_\bd_\bo over the years; this ver
See the HISTORY file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in sudo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- V\bVi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied
- warranties, including, but not limited to, the implied
- warranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo for complete details.
-
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root
shell if the editor used by v\bvi\bis\bsu\bud\bdo\bo allows shell escapes.
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bv_\bi(1), sudoers(4), sudo(1m), vipw(1m)
-
-
-
-
-
-
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in v\bvi\bis\bsu\bud\bdo\bo, please submit
+ a bug report at http://www.sudo.ws/sudo/bugs/
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Commercial support is available for s\bsu\bud\bdo\bo, see
+ http://www.sudo.ws/sudo/support.html for details.
+ Limited free support is available via the sudo-users mail
+ ing list, see http://www.sudo.ws/mail
+ man/listinfo/sudo-users to subscribe or search the
+ archives.
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ V\bVi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied
+ warranties, including, but not limited to, the implied
+ warranties of merchantability and fitness for a particular
+ purpose are disclaimed. See the LICENSE file distributed
+ with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
+ plete details.
-1.6.8 June 8, 2004 3
+1.6.8 September 6, 2004 3
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "June 8, 2004" "1.6.8" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"
.IX Item "-V"
The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number
and exit.
-.SH "ERRORS"
-.IX Header "ERRORS"
+.SH "ENVIRONMENT"
+.IX Header "ENVIRONMENT"
+The following environment variables are used only if \fBvisudo\fR
+was configured with the \fI\-\-with\-env\-editor\fR option:
+.PP
+.Vb 2
+\& VISUAL Invoked by visudo as the editor to use
+\& EDITOR Used by visudo if VISUAL is not set
+.Ve
+.SH "FILES"
+.IX Header "FILES"
+.Vb 2
+\& @sysconfdir@/sudoers List of who can run what
+\& @sysconfdir@/sudoers.tmp Lock file for visudo
+.Ve
+.SH "DIAGNOSTICS"
+.IX Header "DIAGNOSTICS"
.IP "sudoers file busy, try again later." 4
.IX Item "sudoers file busy, try again later."
Someone else is currently editing the \fIsudoers\fR file.
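Review bot: The moved ENVIRONMENT text says visudo invokes whatever VISUAL or EDITOR names, while CAVEATS on this same page warns that an editor with shell escapes yields a root shell; after the reshuffle the two are still not connected. While relocating the section, add a pointer from ENVIRONMENT to CAVEATS, or one sentence noting that a build configured with --with-env-editor lets the invoking user pick that editor.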
<runas_default> setting should be placed before any \f(CW\*(C`Runas_Alias\*(C'\fR
or User specifications. In \fB\-s\fR (strict) mode this is an error,
not a warning.
-.SH "ENVIRONMENT"
-.IX Header "ENVIRONMENT"
-The following environment variables are used only if \fBvisudo\fR
-was configured with the \fI\-\-with\-env\-editor\fR option:
-.PP
-.Vb 2
-\& VISUAL Invoked by visudo as the editor to use
-\& EDITOR Used by visudo if VISUAL is not set
-.Ve
-.SH "FILES"
-.IX Header "FILES"
-.Vb 2
-\& @sysconfdir@/sudoers List of who can run what
-\& @sysconfdir@/sudoers.tmp Lock file for visudo
-.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@)
.SH "AUTHOR"
.IX Header "AUTHOR"
Many people have worked on \fIsudo\fR over the years; this version of
.PP
See the \s-1HISTORY\s0 file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
+.SH "CAVEATS"
+.IX Header "CAVEATS"
+There is no easy way to prevent a user from gaining a root shell if
+the editor used by \fBvisudo\fR allows shell escapes.
.SH "BUGS"
.IX Header "BUGS"
-If you feel you have found a bug in sudo, please submit a bug report
+If you feel you have found a bug in \fBvisudo\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Commercial support is available for \fBsudo\fR, see
+http://www.sudo.ws/sudo/support.html for details.
+.PP
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBVisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed.
-See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
-.SH "CAVEATS"
-.IX Header "CAVEATS"
-There is no easy way to prevent a user from gaining a root shell if
-the editor used by \fBvisudo\fR allows shell escapes.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@)
+and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.