_\bl_\be_\bv_\be_\bl may be a value from 1 through 9.
-E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option indicates to the
- security policy that the uses wishes to preserve their
+ security policy that the user wishes to preserve their
existing environment variables. The security policy may
return an error if the -\b-E\bE option is specified and the user
does not have permission to preserve the environment.
to change to that user's home directory before running the
shell. The security policy shall initialize the
environment to a minimal set of variables, similar to what
- is present when a user logs in.
+ is present when a user logs in. The _\bC_\bo_\bm_\bm_\ba_\bn_\bd _\bE_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt
+ section in the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual documents how the -\b-i\bi
+ option affects the environment in which a command is run
+ when the _\bs_\bu_\bd_\bo_\be_\br_\bs policy is in use.
-K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
the user's cached credentials entirely and may not be used
-1.8.2 May 22, 2011 SUDO(1m)
+1.8.2 August 17, 2011 SUDO(1m)
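Review bot: the footer date moves from May 22 to August 17, 2011 while the version string stays at 1.8.2, here and in every .TH line in this patch; if this is a documentation-only refresh of the 1.8.2 pages that is fine, but state so in the commit message, since a date bump without a version bump will otherwise read as a missed release number to anyone comparing installed pages against the tarball.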
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "May 22, 2011" "1.8.2" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "August 17, 2011" "1.8.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IP "\-E" 12
.IX Item "-E"
The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option indicates to the
-security policy that the uses wishes to preserve their existing
+security policy that the user wishes to preserve their existing
environment variables. The security policy may return an error if
the \fB\-E\fR option is specified and the user does not have permission
to preserve the environment.
\&\fBsudo\fR attempts to change to that user's home directory before
running the shell. The security policy shall initialize the
environment to a minimal set of variables, similar to what is present
-when a user logs in.
+when a user logs in. The \fICommand Environment\fR section in the
+\&\fIsudoers\fR\|(@mansectform@) manual documents how the \fB\-i\fR option affects the
+environment in which a command is run when the \fIsudoers\fR policy
+is in use.
.IP "\-K" 12
.IX Item "-K"
The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
s\bsu\bud\bdo\bo to preserve them.
- As a special case, If s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
+ As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
_\bs_\bu_\bd_\bo_\be_\br_\bs will initialize the environment regardless of the value of
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The _\bD_\bI_\bS_\bP_\bL_\bA_\bY, _\bP_\bA_\bT_\bH and _\bT_\bE_\bR_\bM variables remain unchanged;
_\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, and _\bL_\bO_\bG_\bN_\bA_\bM_\bE are set based on the target user.
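Review bot: the sentence "The DISPLAY, PATH and TERM variables remain unchanged" is the one line an administrator will read for its security implications, and it is ambiguous: with -i the environment is initialized "regardless of the value of env_reset", yet PATH is then said to be unchanged, which can be read as the invoking user's PATH being passed through to the login shell. Spell out what "unchanged" means for PATH in this case (passed through from the caller, or left as set by the policy), since the cross-reference just added to sudo(1m) sends readers here for exactly that answer; the capitalization fix itself is fine.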
log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- long_otp_prompt When validating with a One Time Password (OPT) scheme
+ long_otp_prompt When validating with a One Time Password (OTP) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
local window. It's not as pretty as the default but
escape sequences are supported:
%H expanded to the local host name including the
- domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
+ domain name (only if the machine's host name is
+ fully qualified or the _\bf_\bq_\bd_\bn option is set)
%h expanded to the local host name without the domain
name
exempt_group
Users in this group are exempt from password and PATH
- requirements. This is not set by default.
+ requirements. The group name specified should not include
+ a % prefix. This is not set by default.
group_plugin
A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
For example, given _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp, a group file in Unix
group format, the sample group plugin can be used:
- Defaults sudo_plugin="sample_group.so /etc/sudo-group"
+ Defaults group_plugin="sample_group.so /etc/sudo-group"
For more information see _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(4).
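Review bot: good catch on the example; "Defaults sudo_plugin=" did not match the option being documented and would have led readers to copy a non-existent Defaults setting. Since the example now loads a plugin given as a bare file name ("sample_group.so"), consider stating in the group_plugin entry where a relative path is resolved from, as the directory a group plugin is loaded from is a trust boundary and sudo_plugin(4) is a long way to send someone for that one fact. The troff source gets the same correction below.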
-1.8.2 May 22, 2011 SUDOERS(4)
+1.8.2 August 17, 2011 SUDOERS(4)
1.7.0 and higher.
s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
- A timestamp in the form yyyymmddHHMMZ that can be used to provide a
- start date/time for when the sudoRole will be valid. If multiple
+ A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
+ a start date/time for when the sudoRole will be valid. If multiple
sudoNotBefore entries are present, the earliest is used. Note that
timestamps must be in Coordinated Universal Time (UTC), not the
- local timezone.
+ local timezone. The minute and seconds portions are optional, but
+ some LDAP servers require that they be present (contrary to the
+ RFC).
The sudoNotBefore attribute is only available in s\bsu\bud\bdo\bo versions
1.7.5 and higher and must be explicitly enabled via the
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
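Review bot: "contrary to the RFC" names no RFC; cite it (presumably RFC 4517, whose GeneralizedTime syntax is what makes the minute and second fields optional) so an administrator can check the claim against their directory server. Also, the sentence that sudoNotBefore "must be explicitly enabled via the SUDOERS_TIMED option" implies the attribute is silently ignored when that option is off, which means a role carrying a start date is usable before that date; if that is the behaviour, say it in one sentence here, as it is the failure mode people will hit.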
s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
- A timestamp in the form yyyymmddHHMMZ that indicates an expiration
- date/time, after which the sudoRole will no longer be valid. If
- multiple sudoNotBefore entries are present, the last one is used.
- Note that timestamps must be in Coordinated Universal Time (UTC),
- not the local timezone.
+ A timestamp in the form yyyymmddHHMMSSZ that indicates an
+ expiration date/time, after which the sudoRole will no longer be
+ valid. If multiple sudoNotBefore entries are present, the last one
+ is used. Note that timestamps must be in Coordinated Universal
+ Time (UTC), not the local timezone. The minute and seconds
+ portions are optional, but some LDAP servers require that they be
+ present (contrary to the RFC).
The sudoNotAfter attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
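Review bot: the rewritten paragraph still says "If multiple sudoNotBefore entries are present, the last one is used" inside the sudoNotAfter description; that is a copy of the previous entry and should read sudoNotAfter. "The last one" is also ambiguous (last in attribute order, or latest in time?) where the sudoNotBefore entry says "the earliest"; "the latest is used" would parallel it and make explicit that, in both cases, the most permissive of the duplicate timestamps wins, which is worth an administrator knowing when an LDAP role ends up with two expiry values.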
-1.8.2 May 22, 2011 SUDOERS.LDAP(4)
+1.8.2 August 17, 2011 SUDOERS.LDAP(4)
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "May 22, 2011" "1.8.2" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "August 17, 2011" "1.8.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
1.7.0 and higher.
.IP "\fBsudoNotBefore\fR" 4
.IX Item "sudoNotBefore"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that can be used to provide
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone.
+not the local timezone. The minute and seconds portions are optional,
+but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
.Sp
The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
option in \fI@ldap_conf@\fR.
.IP "\fBsudoNotAfter\fR" 4
.IX Item "sudoNotAfter"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates an expiration
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone.
+not the local timezone. The minute and seconds portions are optional,
+but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
.Sp
The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
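Review bot: same issue as in the formatted page, and this is the source that needs the fix: the "multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries" sentence under the sudoNotAfter .IP should say sudoNotAfter, and "the last one is used" would be clearer as "the latest is used" to match "the earliest is used" above.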
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "May 22, 2011" "1.8.2" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "August 17, 2011" "1.8.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
removed from the environment before \fBsudo\fR even begins execution
and, as such, it is not possible for \fBsudo\fR to preserve them.
.PP
-As a special case, If \fBsudo\fR's \fB\-i\fR option (initial login) is
+As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is
specified, \fIsudoers\fR will initialize the environment regardless
of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR
variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR,
This flag is \fIoff\fR by default.
.IP "long_otp_prompt" 16
.IX Item "long_otp_prompt"
-When validating with a One Time Password (\s-1OPT\s0) scheme such as
+When validating with a One Time Password (\s-1OTP\s0) scheme such as
\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
to cut and paste the challenge to a local window. It's not as
pretty as the default but some people find it more convenient. This
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
expanded to the local host name including the domain name
-(on if the machine's host name is fully qualified or the \fIfqdn\fR
+(only if the machine's host name is fully qualified or the \fIfqdn\fR
option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
+The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
This is not set by default.
.IP "group_plugin" 12
.IX Item "group_plugin"
format, the sample group plugin can be used:
.Sp
.Vb 1
-\& Defaults sudo_plugin="sample_group.so /etc/sudo\-group"
+\& Defaults group_plugin="sample_group.so /etc/sudo\-group"
.Ve
.Sp
For more information see \fIsudo_plugin\fR\|(@mansectform@).
used. You may wish to comment out or remove the unused alias. In
-\b-s\bs (strict) mode this is an error, not a warning.
+ Warning: cycle in {User,Runas,Host,Cmnd}_Alias
+ The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+ itself, either directly or through an alias it includes. This is
+ only a warning by default as s\bsu\bud\bdo\bo will ignore cycles when parsing
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
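Review bot: "sudo will ignore cycles when parsing the sudoers file" does not say what the resulting alias contains, and that matters for a Cmnd_Alias or User_Alias that decides what may be run and by whom: is the self-reference dropped while the rest of the alias is kept, or is the whole alias treated as empty? State which. Also, "only a warning by default" should say what makes it an error; the preceding unused-alias entry spells out that -s (strict) mode does, and this entry should do the same so the two are consistent.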
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(1m)
-1.8.2 May 22, 2011 VISUDO(1m)
+1.8.2 August 17, 2011 VISUDO(1m)
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "May 22, 2011" "1.8.2" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "August 17, 2011" "1.8.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
\&\fB\-s\fR (strict) mode this is an error, not a warning.
+.IP "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" 4
+.IX Item "Warning: cycle in {User,Runas,Host,Cmnd}_Alias"
+The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+itself, either directly or through an alias it includes. This is
+only a warning by default as \fBsudo\fR will ignore cycles when parsing
+the \fIsudoers\fR file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@)