Use "time stamp" instead of timestamp.
password is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
themselves with a password by default (NOTE: in the default
configuration this is the user's password, not the root password).
- Once a user has been authenticated, a timestamp is updated and the user
- may then use sudo without a password for a short period of time (5
+ Once a user has been authenticated, a time stamp is updated and the
+ user may then use sudo without a password for a short period of time (5
minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
-1.8.0a1 February 24, 2010 1
+1.8.0a1 May 11, 2010 1
-1.8.0a1 February 24, 2010 2
+1.8.0a1 May 11, 2010 2
-1.8.0a1 February 24, 2010 3
+1.8.0a1 May 11, 2010 3
other environment variables are removed.
-K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
- the user's timestamp entirely and may not be used in
+ the user's time stamp entirely and may not be used in
conjunction with a command or other option. This option
does not require a password.
-k When used by itself, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo
- invalidates the user's timestamp by setting the time on it
+ invalidates the user's time stamp by setting the time on it
to the Epoch. The next time s\bsu\bud\bdo\bo is run a password will be
required. This option does not require a password and was
added to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
When used in conjunction with a command or an option that
may require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to
- ignore the user's timestamp file. As a result, s\bsu\bud\bdo\bo will
+ ignore the user's time stamp file. As a result, s\bsu\bud\bdo\bo will
prompt for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and
- will not update the user's timestamp file.
+ will not update the user's time stamp file.
-L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
-1.8.0a1 February 24, 2010 4
+1.8.0a1 May 11, 2010 4
-1.8.0a1 February 24, 2010 5
+1.8.0a1 May 11, 2010 5
addresses.
-v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
- user's timestamp, prompting for the user's password if
+ user's time stamp, prompting for the user's password if
necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
does not run a command.
-1.8.0a1 February 24, 2010 6
+1.8.0a1 May 11, 2010 6
environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
program that s\bsu\bud\bdo\bo executes.
- s\bsu\bud\bdo\bo will check the ownership of its timestamp directory (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo
- by default) and ignore the directory's contents if it is not owned by
- root or if it is writable by a user other than root. On systems that
- allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
- directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
- is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
- run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the
- directory and its contents, the only damage that can be done is to
- "hide" files by putting them in the timestamp dir. This is unlikely to
- happen since once the timestamp dir is owned by root and inaccessible
- by any other user, the user placing files there would be unable to get
- them back out. To get around this issue you can use a directory that
- is not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance)
- or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate owner (root) and
- permissions (0700) in the system startup files.
-
- s\bsu\bud\bdo\bo will not honor timestamps set far in the future. Timestamps with
+ s\bsu\bud\bdo\bo will check the ownership of its time stamp directory
+ (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
+ not owned by root or if it is writable by a user other than root. On
+ systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
+ the time stamp directory is located in a directory writable by anyone
+ (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
+ directory before s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the
+ ownership and mode of the directory and its contents, the only damage
+ that can be done is to "hide" files by putting them in the time stamp
+ dir. This is unlikely to happen since once the time stamp dir is owned
+ by root and inaccessible by any other user, the user placing files
+ there would be unable to get them back out. To get around this issue
+ you can use a directory that is not world-writable for the time stamps
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the
+ appropriate owner (root) and permissions (0700) in the system startup
+ files.
+
+ s\bsu\bud\bdo\bo will not honor time stamps set far in the future. Timestamps with
a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
will log and complain. This is done to keep a user from creating
- his/her own timestamp with a bogus date on systems that allow users to
+ his/her own time stamp with a bogus date on systems that allow users to
give away files.
+ On systems where the boot time is available, s\bsu\bud\bdo\bo will also not honor
+ time stamps from before the machine booted.
+
+ Since time stamp files live in the file system, they can outlive a
+ user's login session. As a result, a user may be able to login, run a
+ command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
+ s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
+ modification time is within 5 minutes (or whatever the timeout is set
+ to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ time stamp has per-tty granularity but still may outlive the user's
+ session. On Linux systems where the devpts filesystem is used, as well
+ as other systems that utilize a devfs filesystem that monotonically
+
+
+
+1.8.0a1 May 11, 2010 7
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
+ increase the inode number of devices as they are created (such as Mac
+ OS X), s\bsu\bud\bdo\bo is able to determine when a tty-based time stamp file is
+ stale and will ignore it. Administrators should not rely on this
+ feature as it is not universally available.
+
Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent
commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables:
-
-
-
-1.8.0a1 February 24, 2010 7
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
SUDO_EDITOR nor VISUAL is set
VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
SUDO_EDITOR is not set
+
+
+1.8.0a1 May 11, 2010 8
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
+ _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
_\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
AIX
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
-
-
-1.8.0a1 February 24, 2010 8
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
$ sudo -u yaz ls ~yaz
To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4),
+ _\bv_\bi_\bs_\bu_\bd_\bo(1m)
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+
+
+1.8.0a1 May 11, 2010 9
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if
that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
their own program that gives them a root shell regardless of any '!'
elements in the user specification.
-
-
-1.8.0a1 February 24, 2010 9
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.8.0a1 February 24, 2010 10
+1.8.0a1 May 11, 2010 10
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "February 24, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "May 11, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\fBsudo\fR requires that users authenticate themselves with a password
by default (\s-1NOTE:\s0 in the default configuration this is the user's
password, not the root password). Once a user has been authenticated,
-a timestamp is updated and the user may then use sudo without a
+a time stamp is updated and the user may then use sudo without a
password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
overridden in \fIsudoers\fR).
.PP
.IP "\-K" 12
.IX Item "-K"
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
-the user's timestamp entirely and may not be used in conjunction
+the user's time stamp entirely and may not be used in conjunction
with a command or other option. This option does not require a
password.
.IP "\-k" 12
.IX Item "-k"
When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
-the user's timestamp by setting the time on it to the Epoch. The
+the user's time stamp by setting the time on it to the Epoch. The
next time \fBsudo\fR is run a password will be required. This option
does not require a password and was added to allow a user to revoke
\&\fBsudo\fR permissions from a .logout file.
.Sp
When used in conjunction with a command or an option that may require
a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
-timestamp file. As a result, \fBsudo\fR will prompt for a password
+time stamp file. As a result, \fBsudo\fR will prompt for a password
(if one is required by \fIsudoers\fR) and will not update the user's
-timestamp file.
+time stamp file.
.IP "\-L" 12
.IX Item "-L"
The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that
.IP "\-v" 12
.IX Item "-v"
If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
-user's timestamp, prompting for the user's password if necessary.
+user's time stamp, prompting for the user's password if necessary.
This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes
(or whatever the timeout is set to in \fIsudoers\fR) but does not run
a command.
actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
unchanged to the program that \fBsudo\fR executes.
.PP
-\&\fBsudo\fR will check the ownership of its timestamp directory
+\&\fBsudo\fR will check the ownership of its time stamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than
root. On systems that allow non-root users to give away files via
-\&\fIchown\fR\|(2), if the timestamp directory is located in a directory
+\&\fIchown\fR\|(2), if the time stamp directory is located in a directory
writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to
-create the timestamp directory before \fBsudo\fR is run. However,
+create the time stamp directory before \fBsudo\fR is run. However,
because \fBsudo\fR checks the ownership and mode of the directory and
its contents, the only damage that can be done is to \*(L"hide\*(R" files
-by putting them in the timestamp dir. This is unlikely to happen
-since once the timestamp dir is owned by root and inaccessible by
+by putting them in the time stamp dir. This is unlikely to happen
+since once the time stamp dir is owned by root and inaccessible by
any other user, the user placing files there would be unable to get
them back out. To get around this issue you can use a directory
-that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for
+that is not world-writable for the time stamps (\fI/var/adm/sudo\fR for
instance) or create \fI@timedir@\fR with the appropriate owner (root)
and permissions (0700) in the system startup files.
.PP
-\&\fBsudo\fR will not honor timestamps set far in the future.
+\&\fBsudo\fR will not honor time stamps set far in the future.
Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
will be ignored and sudo will log and complain. This is done to
-keep a user from creating his/her own timestamp with a bogus
+keep a user from creating his/her own time stamp with a bogus
date on systems that allow users to give away files.
.PP
+On systems where the boot time is available, \fBsudo\fR will also not
+honor time stamps from before the machine booted.
+.PP
+Since time stamp files live in the file system, they can outlive a
+user's login session. As a result, a user may be able to login,
+run a command with \fBsudo\fR after authenticating, logout, login
+again, and run \fBsudo\fR without authenticating so long as the time
+stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
+whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
+option is enabled in \fIsudoers\fR, the time stamp has per-tty granularity
+but still may outlive the user's session. On Linux systems where
+the devpts filesystem is used, as well as other systems that utilize
+a devfs filesystem that monotonically increase the inode number of
+devices as they are created (such as Mac \s-1OS\s0 X), \fBsudo\fR is able to
+determine when a tty-based time stamp file is stale and will ignore
+it. Administrators should not rely on this feature as it is not
+universally available.
+.PP
Please note that \fBsudo\fR will normally only log the command it
explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
.ie n .IP "\fI@timedir@\fR" 24
.el .IP "\fI@timedir@\fR" 24
.IX Item "@timedir@"
-Directory containing timestamps
+Directory containing time stamps
.IP "\fI/etc/environment\fR" 24
.IX Item "/etc/environment"
Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
@LCMAN@\&\fIlogin_cap\fR\|(3),
-\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@)
+\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this
B<sudo> requires that users authenticate themselves with a password
by default (NOTE: in the default configuration this is the user's
password, not the root password). Once a user has been authenticated,
-a timestamp is updated and the user may then use sudo without a
+a time stamp is updated and the user may then use sudo without a
password for a short period of time (C<@timeout@> minutes unless
overridden in I<sudoers>).
=item -K
The B<-K> (sure I<kill>) option is like B<-k> except that it removes
-the user's timestamp entirely and may not be used in conjunction
+the user's time stamp entirely and may not be used in conjunction
with a command or other option. This option does not require a
password.
=item -k
When used by itself, the B<-k> (I<kill>) option to B<sudo> invalidates
-the user's timestamp by setting the time on it to the Epoch. The
+the user's time stamp by setting the time on it to the Epoch. The
next time B<sudo> is run a password will be required. This option
does not require a password and was added to allow a user to revoke
B<sudo> permissions from a .logout file.
When used in conjunction with a command or an option that may require
a password, the B<-k> option will cause B<sudo> to ignore the user's
-timestamp file. As a result, B<sudo> will prompt for a password
+time stamp file. As a result, B<sudo> will prompt for a password
(if one is required by I<sudoers>) and will not update the user's
-timestamp file.
+time stamp file.
=item -L
=item -v
If given the B<-v> (I<validate>) option, B<sudo> will update the
-user's timestamp, prompting for the user's password if necessary.
+user's time stamp, prompting for the user's password if necessary.
This extends the B<sudo> timeout for another C<@timeout@> minutes
(or whatever the timeout is set to in I<sudoers>) but does not run
a command.
actual C<PATH> environment variable is I<not> modified and is passed
unchanged to the program that B<sudo> executes.
-B<sudo> will check the ownership of its timestamp directory
+B<sudo> will check the ownership of its time stamp directory
(F<@timedir@> by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than
root. On systems that allow non-root users to give away files via
-L<chown(2)>, if the timestamp directory is located in a directory
+L<chown(2)>, if the time stamp directory is located in a directory
writable by anyone (e.g., F</tmp>), it is possible for a user to
-create the timestamp directory before B<sudo> is run. However,
+create the time stamp directory before B<sudo> is run. However,
because B<sudo> checks the ownership and mode of the directory and
its contents, the only damage that can be done is to "hide" files
-by putting them in the timestamp dir. This is unlikely to happen
-since once the timestamp dir is owned by root and inaccessible by
+by putting them in the time stamp dir. This is unlikely to happen
+since once the time stamp dir is owned by root and inaccessible by
any other user, the user placing files there would be unable to get
them back out. To get around this issue you can use a directory
-that is not world-writable for the timestamps (F</var/adm/sudo> for
+that is not world-writable for the time stamps (F</var/adm/sudo> for
instance) or create F<@timedir@> with the appropriate owner (root)
and permissions (0700) in the system startup files.
-B<sudo> will not honor timestamps set far in the future.
+B<sudo> will not honor time stamps set far in the future.
Timestamps with a date greater than current_time + 2 * C<TIMEOUT>
will be ignored and sudo will log and complain. This is done to
-keep a user from creating his/her own timestamp with a bogus
+keep a user from creating his/her own time stamp with a bogus
date on systems that allow users to give away files.
+On systems where the boot time is available, B<sudo> will also not
+honor time stamps from before the machine booted.
+
+Since time stamp files live in the file system, they can outlive a
+user's login session. As a result, a user may be able to login,
+run a command with B<sudo> after authenticating, logout, login
+again, and run B<sudo> without authenticating so long as the time
+stamp file's modification time is within C<@timeout@> minutes (or
+whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
+option is enabled in I<sudoers>, the time stamp has per-tty granularity
+but still may outlive the user's session. On Linux systems where
+the devpts filesystem is used, as well as other systems that utilize
+a devfs filesystem that monotonically increase the inode number of
+devices as they are created (such as Mac OS X), B<sudo> is able to
+determine when a tty-based time stamp file is stale and will ignore
+it. Administrators should not rely on this feature as it is not
+universally available.
+
Please note that B<sudo> will normally only log the command it
explicitly runs. If a user runs a command such as C<sudo su> or
C<sudo sh>, subsequent commands run from that shell will I<not> be
=item F<@timedir@>
-Directory containing timestamps
+Directory containing time stamps
=item F</etc/environment>
projects / sudo / commitdiff