superuser or another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs
file. The real and effective uid and gid are set to match
those of the target user as specified in the passwd file
- (the group vector is also initialized when the target user
- is not root). By default, s\bsu\bud\bdo\bo requires that users
- authenticate themselves with a password (NOTE: by default
- this is the user's password, not the root password). Once
- a user has been authenticated, a timestamp is updated and
+ and the group vector is initialized based on the group
+ file (unless the -\b-P\bP option was specified). If the invok
+ ing user is root or if the target user is the same as the
+ invoking user, no password is required. Otherwise, s\bsu\bud\bdo\bo
+ requires that users authenticate themselves with a pass
+ word by default (NOTE: in the default configuration this
+ is the user's password, not the root password). Once a
+ user has been authenticated, a timestamp is updated and
the user may then use sudo without a password for a short
period of time (5 minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to
run a command via s\bsu\bud\bdo\bo, mail is sent to the proper author
- ities, as defined at configure time or the _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ ities, as defined at configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file
(defaults to root). Note that the mail will not be sent
if an unauthorized user tries to run sudo with the -\b-l\bl or
-\b-v\bv flags. This allows users to determine for themselves
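Review bot: The added sentence "If the invoking user is root or if the target user is the same as the invoking user, no password is required" can be read as saying that no sudoers entry is needed in those cases either. Suggest stating that only authentication is skipped and that the command must still be permitted by sudoers. The later context line "the sudoers lookup is still done for root" implies this, but a reader of the DESCRIPTION should not have to infer it.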
however, that the sudoers lookup is still done for root,
not the user specified by SUDO_USER.
- s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as
- well as errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By
-
-1.6.8 May 17, 2004 1
+1.6.8 June 10, 2004 1
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as
+ well as errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By
default s\bsu\bud\bdo\bo will log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable
at configure time or via the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
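Review bot: The logging paragraph is removed and re-added here with identical wording, only because the page footer moved when the date changed from "May 17, 2004" to "June 10, 2004". The same repagination pattern recurs through the rest of the formatted page and buries the real wording changes. Consider committing the regenerated formatted copy separately from the edits to the roff source.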
-H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
able to the homedir of the target user (root by
default) as specified in passwd(4). By default, s\bsu\bud\bdo\bo
- does not modify HOME.
+ does not modify HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
+ in sudoers(4)).
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo removes the user's
- timestamp entirely. Likewise, this option does not
- require a password.
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it
+ removes the user's timestamp entirely. Like -\b-k\bk, this
+ option does not require a password.
-L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
conjunction with _\bg_\br_\be_\bp(1).
-P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
- preserve the user's group vector unaltered. By
- default, s\bsu\bud\bdo\bo will initialize the group vector to the
- list of groups the target user is in. The real and
- effective group IDs, however, are still set to match
- the target user.
+ preserve the invoking user's group vector unaltered.
+ By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ the list of groups the target user is in. The real
+ and effective group IDs, however, are still set to
+ match the target user.
-S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password
- from standard input instead of the terminal device.
+ from the standard input instead of the terminal
+ device.
-V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the ver
sion number and exit. If the invoking user is already
-\b-b\bb option you cannot use shell job control to manipu
late the process.
- -c The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
- command with resources limited by the specified login
- class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
- as defined in /etc/login.conf, or a single '-'
-1.6.8 May 17, 2004 2
+1.6.8 June 10, 2004 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- character. Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the
- command should be run restricted by the default login
+ -c The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ command with resources limited by the specified login
+ class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
+ as defined in /etc/login.conf, or a single '-' charac
+ ter. Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the com
+ mand should be run restricted by the default login
capabilities for the user the command is run as. If
the _\bc_\bl_\ba_\bs_\bs argument specifies an existing user class,
the command must be run as root, or the s\bsu\bud\bdo\bo command
authorized by _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
1. Temporary copies are made of the files to be
- edited, owned by the invoking user.
+ edited with the owner set to the invoking
+ user.
2. The editor specified by the VISUAL or EDITOR
environment variables is run to edit the tem
It also initializes the environment, leaving _\bT_\bE_\bR_\bM
unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and
_\bP_\bA_\bT_\bH, and unsetting all other environment variables.
- Note that because the shell to use is determined
- before the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed, a _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
- setting in _\bs_\bu_\bd_\bo_\be_\br_\bs will specify the user to run the
- shell as but will not affect which shell is actually
- run.
-1.6.8 May 17, 2004 3
+1.6.8 June 10, 2004 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ Note that because the shell to use is determined
+ before the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed, a _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
+ setting in _\bs_\bu_\bd_\bo_\be_\br_\bs will specify the user to run the
+ shell as but will not affect which shell is actually
+ run.
+
-k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's
timestamp by setting the time on it to the epoch. The
next time s\bsu\bud\bdo\bo is run a password will be required.
command line arguments. It is most useful in conjunc
tion with the -\b-s\bs flag.
-R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
- Upon successful execution of a program, the return value
- from s\bsu\bud\bdo\bo will simply be the return value of the program
- that was executed.
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is
-
-1.6.8 May 17, 2004 4
+1.6.8 June 10, 2004 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
+ Upon successful execution of a program, the return value
+ from s\bsu\bud\bdo\bo will simply be the return value of the program
+ that was executed.
+
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is
a configuration/permission problem or if s\bsu\bud\bdo\bo cannot exe
cute the given command. In the latter case the error
string is printed to stderr. If s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one
(_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
tents if it is not owned by root and only writable by
root. On systems that allow non-root users to give away
- files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp directory is located
- in a directory writable by anyone (e.g.: _\b/_\bt_\bm_\bp), it is pos
- sible for a user to create the timestamp directory before
- s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the ownership
- and mode of the directory and its contents, the only dam
- age that can be done is to "hide" files by putting them in
-1.6.8 May 17, 2004 5
+1.6.8 June 10, 2004 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp directory is located
+ in a directory writable by anyone (e.g.: _\b/_\bt_\bm_\bp), it is pos
+ sible for a user to create the timestamp directory before
+ s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the ownership
+ and mode of the directory and its contents, the only dam
+ age that can be done is to "hide" files by putting them in
the timestamp dir. This is unlikely to happen since once
the timestamp dir is owned by root and inaccessible by any
other user the user placing files there would be unable to
To get a file listing of an unreadable directory:
- % sudo ls /usr/local/protected
+ $ sudo ls /usr/local/protected
To list the home directory of user yazza on a machine
where the file system holding ~yazza is not exported as
root:
- % sudo -u yazza ls ~yazza
+ $ sudo -u yazza ls ~yazza
To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
- % sudo -u www vi ~www/htdocs/index.html
+ $ sudo -u www vi ~www/htdocs/index.html
To shutdown a machine:
- % sudo shutdown -r +15 "quick reboot"
+ $ sudo shutdown -r +15 "quick reboot"
- To make a usage listing of the directories in the /home
- partition. Note that this runs the commands in a sub-
- shell to make the cd and file redirection work.
- % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+1.6.8 June 10, 2004 6
-1.6.8 May 17, 2004 6
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ To make a usage listing of the directories in the /home
+ partition. Note that this runs the commands in a sub-
+ shell to make the cd and file redirection work.
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables:
B\bBU\bUG\bGS\bS
If you feel you have found a bug in sudo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
- ranties of merchantability and fitness for a particular
-1.6.8 May 17, 2004 7
+1.6.8 June 10, 2004 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ bug report at http://www.sudo.ws/sudo/bugs/
+
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
+ ranties, including, but not limited to, the implied war
+ ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
with s\bsu\bud\bdo\bo for complete details.
prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
See the sudoers(4) manual for details.
+ It is not meaningful to run the cd command directly via
+ sudo, e.g.
+
+ $ sudo cd /usr/local/protected
+
+ since when whe command exits the parent process (your
+ shell) will still be the same. Please see the EXAMPLES
+ section for more information.
+
If users have sudo ALL there is nothing to prevent them
from creating their own program that gives them a root
- shell regardless of any '!' elements in the user specifi
+ shell regardless of any '!' elements in the user specifi
cation.
Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.6.8 May 17, 2004 8
+1.6.8 June 10, 2004 8
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "May 17, 2004" "1.6.8" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "June 10, 2004" "1.6.8" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
superuser or another user, as specified in the \fIsudoers\fR file.
The real and effective uid and gid are set to match those of the
-target user as specified in the passwd file (the group vector is
-also initialized when the target user is not root). By default,
+target user as specified in the passwd file and the group vector
+is initialized based on the group file (unless the \fB\-P\fR option was
+specified). If the invoking user is root or if the target user is
+the same as the invoking user, no password is required. Otherwise,
\&\fBsudo\fR requires that users authenticate themselves with a password
-(\s-1NOTE:\s0 by default this is the user's password, not the root password).
-Once a user has been authenticated, a timestamp is updated and the
-user may then use sudo without a password for a short period of
-time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden in \fIsudoers\fR).
+by default (\s-1NOTE:\s0 in the default configuration this is the user's
+password, not the root password). Once a user has been authenticated,
+a timestamp is updated and the user may then use sudo without a
+password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
+overridden in \fIsudoers\fR).
.PP
When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
is implied.
.PP
If a user who is not listed in the \fIsudoers\fR file tries to run a
command via \fBsudo\fR, mail is sent to the proper authorities, as
-defined at configure time or the \fIsudoers\fR file (defaults to root).
-Note that the mail will not be sent if an unauthorized user tries
-to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows users to
-determine for themselves whether or not they are allowed to use
-\&\fBsudo\fR.
+defined at configure time or in the \fIsudoers\fR file (defaults to
+\&\f(CW\*(C`@mailto@\*(C'\fR). Note that the mail will not be sent if an unauthorized
+user tries to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows
+users to determine for themselves whether or not they are allowed
+to use \fBsudo\fR.
.PP
If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
is set, \fBsudo\fR will use this value to determine who the actual
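Review bot: The mail recipient default changes from the literal "root" to the token `@mailto@` in "(defaults to @mailto@)"; confirm that this token is substituted when the template is processed, as `@timeout@` and `@mansectform@` already are, otherwise the raw token ends up in the rendered page. Separately, "with a password by default (NOTE: in the default configuration this is the user's password ..." now says "default" twice in one sentence; dropping the first "by default" reads more cleanly.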
.IX Item "-H"
The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
to the homedir of the target user (root by default) as specified
-in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR.
+in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
+(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)).
.IP "\-K" 4
.IX Item "-K"
-The \fB\-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp
-entirely. Likewise, this option does not require a password.
+The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
+the user's timestamp entirely. Like \fB\-k\fR, this option does not
+require a password.
.IP "\-L" 4
.IX Item "-L"
The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
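Review bot: The -K entry is now described as "like -k except that it removes the user's timestamp entirely", but on this page the upper-case options (-H, -K, -L, -P, -S, -V) are listed before the lower-case ones, so the reader meets the reference before -k has been explained. Suggest keeping one self-contained clause, for example that -k only invalidates the timestamp while -K deletes it, so the entry can be read on its own.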
for each. This option is useful in conjunction with \fIgrep\fR\|(1).
.IP "\-P" 4
.IX Item "-P"
-The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to preserve
-the user's group vector unaltered. By default, \fBsudo\fR will initialize
-the group vector to the list of groups the target user is in.
-The real and effective group IDs, however, are still set to match
-the target user.
+The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to
+preserve the invoking user's group vector unaltered. By default,
+\&\fBsudo\fR will initialize the group vector to the list of groups the
+target user is in. The real and effective group IDs, however, are
+still set to match the target user.
.IP "\-S" 4
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
-standard input instead of the terminal device.
+the standard input instead of the terminal device.
.IP "\-V" 4
.IX Item "-V"
-The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the
-version number and exit. If the invoking user is already root
-the \fB\-V\fR option will print out a list of the defaults \fBsudo\fR
-was compiled with as well as the machine's local network addresses.
+The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
+number and exit. If the invoking user is already root the \fB\-V\fR
+option will print out a list of the defaults \fBsudo\fR was compiled
+with as well as the machine's local network addresses.
.IP "\-a" 4
.IX Item "-a"
The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
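Review bot: In the -P entry, "preserve the invoking user's group vector unaltered" is clearer than before, but the consequence is still left implicit: the command runs with the target user's uid and gid while keeping the invoking user's supplementary groups. Suggest stating that directly, since it affects which group-owned files the command can reach. The -V lines in this hunk are reflow only and could be left out of the change.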
the following steps are taken:
.RS 4
.IP "1." 8
-Temporary copies are made of the files to be edited, owned by the
-invoking user.
+Temporary copies are made of the files to be edited with the owner
+set to the invoking user.
.IP "2." 8
The editor specified by the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
variables is run to edit the temporary files. If neither \f(CW\*(C`VISUAL\*(C'\fR
To get a file listing of an unreadable directory:
.PP
.Vb 1
-\& % sudo ls /usr/local/protected
+\& $ sudo ls /usr/local/protected
.Ve
.PP
To list the home directory of user yazza on a machine where the
file system holding ~yazza is not exported as root:
.PP
.Vb 1
-\& % sudo -u yazza ls ~yazza
+\& $ sudo -u yazza ls ~yazza
.Ve
.PP
To edit the \fIindex.html\fR file as user www:
.PP
.Vb 1
-\& % sudo -u www vi ~www/htdocs/index.html
+\& $ sudo -u www vi ~www/htdocs/index.html
.Ve
.PP
To shutdown a machine:
.PP
.Vb 1
-\& % sudo shutdown -r +15 "quick reboot"
+\& $ sudo shutdown -r +15 "quick reboot"
.Ve
.PP
To make a usage listing of the directories in the /home
to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.PP
.Vb 1
-\& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
most systems it is possible to prevent shell escapes with \fBsudo\fR's
-\&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual for details.
+\&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual
+for details.
.PP
-If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating
-their own program that gives them a root shell regardless of any '!'
-elements in the user specification.
+It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.
+.PP
+.Vb 1
+\& $ sudo cd /usr/local/protected
+.Ve
+.PP
+since when whe command exits the parent process (your shell) will
+still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
+.PP
+If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
+creating their own program that gives them a root shell regardless
+of any '!' elements in the user specification.
.PP
Running shell scripts via \fBsudo\fR can expose the same kernel bugs
that make setuid shell scripts unsafe on some operating systems
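Review bot: "since when whe command exits" in the added sudo cd paragraph has a typo ("whe" for "the"), and the formatted copy earlier in the patch carries the same text, so it needs regenerating after the fix. The reason given, "the parent process (your shell) will still be the same", is also vague; suggest saying that the working directory of the parent shell is unchanged once the command exits.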