S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-V\bV
- s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd]
- s\bsu\bud\bdo\bo -\b-l\bl[_\bl] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-h\bh _\bh_\bo_\bs_\bt _\bn_\ba_\bm_\be]
+ s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-h\bh _\br_\be_\bm_\bo_\bt_\be _\bh_\bo_\bs_\bt]
+ [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl[_\bl] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-h\bh _\br_\be_\bm_\bo_\bt_\be _\bh_\bo_\bs_\bt]
[-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs | _\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-h\bh _\bh_\bo_\bs_\bt _\bn_\ba_\bm_\be] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-h\bh _\br_\be_\bm_\bo_\bt_\be _\bh_\bo_\bs_\bt] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be]
[-\b-t\bt _\bt_\by_\bp_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] -\b-i\bi | -\b-s\bs [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs | _\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-h\bh _\bh_\bo_\bs_\bt _\bn_\ba_\bm_\be] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-h\bh _\br_\be_\bm_\bo_\bt_\be _\bh_\bo_\bs_\bt] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
[-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] file ...
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
The options are as follows:
- -\b-A\bA Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
+ -\b-A\bA, -\b--\b-a\bas\bsk\bkp\bpa\bas\bss\bs
+ Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
the user's terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
specified, a (possibly graphical) helper program is executed
to read the user's password and output the password to the
If no askpass program is available, s\bsu\bud\bdo\bo will exit with an
error.
- -\b-a\ba _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
+ -\b-a\ba, -\b--\b-a\bau\but\bth\bh-\b-t\bty\byp\bpe\be _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be
+ The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
specified authentication type when validating the user, as
allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
specify a list of sudo-specific authentication methods by
option is only available on systems that support BSD
authentication.
- -\b-b\bb The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
+ -\b-b\bb, -\b--\b-b\bba\bac\bck\bkg\bgr\bro\bou\bun\bnd\bd
+ The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
command in the background. Note that if you use the -\b-b\bb
option you cannot use shell job control to manipulate the
process. Most interactive commands will fail to work
properly in background mode.
- -\b-C\bC _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
+ -\b-C\bC, -\b--\b-c\bcl\blo\bos\bse\be-\b-f\bfr\bro\bom\bm _\bf_\bd
+ Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
than standard input, standard output and standard error. The
-\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a starting
point above the standard error (file descriptor three).
The _\bs_\bu_\bd_\bo_\be_\br_\bs policy only permits use of the -\b-C\bC option when the
administrator has enabled the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option.
- -\b-c\bc _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ -\b-c\bc, -\b--\b-l\blo\bog\bgi\bin\bn-\b-c\bcl\bla\bas\bss\bs _\bc_\bl_\ba_\bs_\bs
+ The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
command with resources limited by the specified login class.
The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as defined in
_\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single `-' character. Specifying a
This option is only available on systems with BSD login
classes.
- -\b-E\bE The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option indicates to the
+ -\b-E\bE, -\b--\b-p\bpr\bre\bes\bse\ber\brv\bve\be-\b-e\ben\bnv\bv
+ The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option indicates to the
security policy that the user wishes to preserve their
existing environment variables. The security policy may
return an error if the -\b-E\bE option is specified and the user
does not have permission to preserve the environment.
- -\b-e\be The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
+ -\b-e\be, -\b--\b-e\bed\bdi\bit\bt The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
command, the user wishes to edit one or more files. In lieu
of a command, the string "sudoedit" is used when consulting
the security policy. If the user is authorized by the
version, the user will receive a warning and the edited copy
will remain in a temporary file.
- -\b-g\bg _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo runs a command with the primary group set to
+ -\b-g\bg, -\b--\b-g\bgr\bro\bou\bup\bp _\bg_\br_\bo_\bu_\bp
+ Normally, s\bsu\bud\bdo\bo runs a command with the primary group set to
the one specified by the password database for the user the
command is being run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp)
option causes s\bsu\bud\bdo\bo to run the command with the primary group
- set to _\bg_\br_\bo_\bu_\bp instead. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp
- _\bn_\ba_\bm_\be, use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
- require that the `#' be escaped with a backslash (`\'). If
- no -\b-u\bu option is specified, the command will be run as the
- invoking user (not root). In either case, the primary group
- will be set to _\bg_\br_\bo_\bu_\bp.
-
- -\b-H\bH The -\b-H\bH (_\bH_\bO_\bM_\bE) option requests that the security policy set
+ set to _\bg_\br_\bo_\bu_\bp instead. To specify a numeric group ID (gid)
+ instead of a group name, use _\b#_\bg_\bi_\bd. When running commands as
+ a gid, many shells require that the `#' be escaped with a
+ backslash (`\'). If no -\b-u\bu option is specified, the command
+ will be run as the invoking user (not root). In either case,
+ the primary group will be set to _\bg_\br_\bo_\bu_\bp.
+
+ -\b-H\bH, -\b--\b-s\bse\bet\bt-\b-h\bho\bom\bme\be
+ The -\b-H\bH (_\bH_\bO_\bM_\bE) option requests that the security policy set
the HOME environment variable to the home directory of the
target user (root by default) as specified by the password
database. Depending on the policy, this may be the default
behavior.
- -\b-h\bh [_\bh_\bo_\bs_\bt _\bn_\ba_\bm_\be]
- If a _\bh_\bo_\bs_\bt _\bn_\ba_\bm_\be is specified and the policy plugin supports
+ -\b-h\bh, -\b--\b-h\bhe\bel\blp\bp The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo will print a short help
+ message to the standard output and exit.
+
+ -\b-h\bh, -\b--\b-h\bho\bos\bst\bt _\br_\be_\bm_\bo_\bt_\be _\bh_\bo_\bs_\bt
+ If a _\br_\be_\bm_\bo_\bt_\be _\bh_\bo_\bs_\bt is specified and the policy plugin supports
it, the command will be run on the specified remote host.
Note that the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin does not currently support
- running remote commands. If no _\bh_\bo_\bs_\bt _\bn_\ba_\bm_\be is specified, s\bsu\bud\bdo\bo
- will print a short help message to the standard output and
- exit.
+ running remote commands.
- -\b-i\bi [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ -\b-i\bi, -\b--\b-l\blo\bog\bgi\bin\bn [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
specified by the password database entry of the target user
as a login shell. This means that login-specific resource
environment in which a command is run when the _\bs_\bu_\bd_\bo_\be_\br_\bs policy
is in use.
- -\b-K\bK The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
+ -\b-K\bK, -\b--\b-r\bre\bem\bmo\bov\bve\be-\b-t\bti\bim\bme\bes\bst\bta\bam\bmp\bp
+ The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
the user's cached credentials entirely and may not be used in
conjunction with a command or other option. This option does
not require a password. Not all security policies support
credential caching.
- -\b-k\bk [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ -\b-k\bk, -\b--\b-r\bre\bes\bse\bet\bt-\b-t\bti\bim\bme\bes\bst\bta\bam\bmp\bp [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
When used alone, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the
user's cached credentials. The next time s\bsu\bud\bdo\bo is run a
password will be required. This option does not require a
for a password (if one is required by the security policy)
and will not update the user's cached credentials.
- -\b-l\bl[l\bl] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ -\b-l\bl[l\bl], -\b--\b-l\bli\bis\bst\bt [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
the allowed (and forbidden) commands for the invoking user
(or the user specified by the -\b-U\bU option) on the current host.
-\b-l\bll\bl), or if -\b-l\bl is specified multiple times, a longer list
format is used.
- -\b-n\bn The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from prompting
+ -\b-n\bn, -\b--\b-n\bno\bon\bn-\b-i\bin\bnt\bte\ber\bra\bac\bct\bti\biv\bve\be
+ The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from prompting
the user for a password. If a password is required for the
command to run, s\bsu\bud\bdo\bo will display an error message and exit.
- -\b-P\bP The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to preserve
+ -\b-P\bP, -\b--\b-p\bpr\bre\bes\bse\ber\brv\bve\be-\b-g\bgr\bro\bou\bup\bps\bs
+ The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to preserve
the invoking user's group vector unaltered. By default, the
_\bs_\bu_\bd_\bo_\be_\br_\bs policy will initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
- -\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
+ -\b-p\bp, -\b--\b-p\bpr\bro\bom\bmp\bpt\bt _\bp_\br_\bo_\bm_\bp_\bt
+ The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
password prompt and use a custom one. The following percent
(`%') escapes are supported by the _\bs_\bu_\bd_\bo_\be_\br_\bs policy:
system password prompt on systems that support PAM unless the
_\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- -\b-r\br _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
- context to have the role specified by _\br_\bo_\bl_\be.
+ -\b-r\br, -\b--\b-r\bro\bol\ble\be _\br_\bo_\bl_\be
+ The -\b-r\br (_\br_\bo_\bl_\be) option causes the new SELinux security context
+ to have the role specified by _\br_\bo_\bl_\be.
- -\b-S\bS The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ -\b-S\bS, -\b--\b-s\bst\btd\bdi\bin\bn
+ The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
the standard input instead of the terminal device. The
password must be followed by a newline character.
- -\b-s\bs [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ -\b-s\bs, -\b--\b-s\bsh\bhe\bel\bll\bl [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the SHELL
environment variable if it is set or the shell as specified
in the password database. If a command is specified, it is
passed to the shell for execution via the shell's -\b-c\bc option.
If no command is specified, an interactive shell is executed.
- -\b-t\bt _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
- context to have the type specified by _\bt_\by_\bp_\be. If no type is
- specified, the default type is derived from the specified
- role.
+ -\b-t\bt, -\b--\b-t\bty\byp\bpe\be _\bt_\by_\bp_\be
+ The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new SELinux security context
+ to have the type specified by _\bt_\by_\bp_\be. If no type is specified,
+ the default type is derived from the specified role.
- -\b-U\bU _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the -\b-l\bl
+ -\b-U\bU, -\b--\b-o\bot\bth\bhe\ber\br-\b-u\bus\bse\ber\br _\bu_\bs_\be_\br
+ The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the -\b-l\bl
option to specify the user whose privileges should be listed.
The security policy may restrict listing other users'
privileges. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy only allows root or a user
with the ALL privilege on the current host to use this
option.
- -\b-u\bu _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified command
- as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd instead of a
- _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, _\b#_\bu_\bi_\bd. When running commands as a _\bu_\bi_\bd, many shells
- require that the `#' be escaped with a backslash (`\').
- Security policies may restrict _\bu_\bi_\bds to those listed in the
- password database. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy allows _\bu_\bi_\bds that are
- not in the password database as long as the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw option
- is not set. Other security policies may not support this.
-
- -\b-V\bV The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print its version
+ -\b-u\bu, -\b--\b-u\bus\bse\ber\br _\bu_\bs_\be_\br
+ The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified command
+ as a user other than _\br_\bo_\bo_\bt. To specify a numeric user ID
+ (uid) instead of a user name, use _\b#_\bu_\bi_\bd. When running
+ commands as a uid, many shells require that the `#' be
+ escaped with a backslash (`\'). Some security policies may
+ restrict uids to those listed in the password database. The
+ _\bs_\bu_\bd_\bo_\be_\br_\bs policy allows uids that are not in the password
+ database as long as the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw option is not set. Other
+ security policies may not support this.
+
+ -\b-V\bV, -\b--\b-v\bve\ber\brs\bsi\bio\bon\bn
+ The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print its version
string and the version string of the security policy plugin
and any I/O plugins. If the invoking user is already root
the -\b-V\bV option will display the arguments passed to configure
when s\bsu\bud\bdo\bo was built and plugins may display more verbose
information such as default options.
- -\b-v\bv When given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
+ -\b-v\bv, -\b--\b-v\bva\bal\bli\bid\bda\bat\bte\be
+ When given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
user's cached credentials, authenticating the user's password
if necessary. For the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin, this extends the s\bsu\bud\bdo\bo
timeout for another 5 minutes (or whatever the timeout is set
C\bCO\bOM\bMM\bMA\bAN\bND\bD E\bEX\bXE\bEC\bCU\bUT\bTI\bIO\bON\bN
When s\bsu\bud\bdo\bo executes a command, the security policy specifies the execution
- environment for the command. Typically, the real and effective uid and
- gid are set to match those of the target user, as specified in the
- password database, and the group vector is initialized based on the group
- database (unless the -\b-P\bP option was specified).
+ environment for the command. Typically, the real and effective user and
+ group and IDs are set to match those of the target user, as specified in
+ the password database, and the group vector is initialized based on the
+ group database (unless the -\b-P\bP option was specified).
The following parameters may be specified by security policy:
[\fB\-AknS\fR]
[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-h\fR\ \fIremote\ host\fR]
[\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
.br
[\fB\-AknS\fR]
[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
-[\fB\-h\fR\ \fIhost\ name\fR]
+[\fB\-h\fR\ \fIremote\ host\fR]
[\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIuser\ name\fR]
[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
[\fB\-C\fR\ \fIfd\fR]
[\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR]
[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
-[\fB\-h\fR\ \fIhost\ name\fR]
+[\fB\-h\fR\ \fIremote\ host\fR]
[\fB\-p\fR\ \fIprompt\fR]
[\fB\-r\fR\ \fIrole\fR]
[\fB\-t\fR\ \fItype\fR]
[\fB\-C\fR\ \fIfd\fR]
[\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR]
[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
-[\fB\-h\fR\ \fIhost\ name\fR]
+[\fB\-h\fR\ \fIremote\ host\fR]
[\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
file ...
.PP
The options are as follows:
.TP 12n
-\fB\-A\fR
+\fB\-A\fR, \fB\--askpass\fR
Normally, if
\fBsudo\fR
requires a password, it will read it from the user's terminal.
will exit with an error.
.RE
.TP 12n
-\fB\-a\fR \fItype\fR
+\fB\-a\fR, \fB\--auth-type\fR \fIauth_type\fR
The
\fB\-a\fR (\fIauthentication type\fR)
option causes
\fI/etc/login.conf\fR.
This option is only available on systems that support BSD authentication.
.TP 12n
-\fB\-b\fR
+\fB\-b\fR, \fB\--background\fR
The
\fB\-b\fR (\fIbackground\fR)
option tells
Most interactive commands will fail to work properly in background
mode.
.TP 12n
-\fB\-C\fR \fIfd\fR
+\fB\-C\fR, \fB\--close-from\fR \fIfd\fR
Normally,
\fBsudo\fR
will close all open file descriptors other than standard input,
\fIclosefrom_override\fR
option.
.TP 12n
-\fB\-c\fR \fIclass\fR
+\fB\-c\fR, \fB\--login-class\fR \fIclass\fR
The
\fB\-c\fR (\fIclass\fR)
option causes
command must be run from a shell that is already root.
This option is only available on systems with BSD login classes.
.TP 12n
-\fB\-E\fR
+\fB\-E\fR, \fB\--preserve-env\fR
The
\fB\-E\fR (\fIpreserve environment\fR)
option indicates to the security policy that the user wishes to
option is specified and the user does not have permission to preserve
the environment.
.TP 12n
-\fB\-e\fR
+\fB\-e\fR, \fB\--edit\fR
The
\fB\-e\fR (\fIedit\fR)
option indicates that, instead of running a command, the user wishes
file.
.RE
.TP 12n
-\fB\-g\fR \fIgroup\fR
+\fB\-g\fR, \fB\--group\fR \fIgroup\fR
Normally,
\fBsudo\fR
runs a command with the primary group set to the one specified by
to run the command with the primary group set to
\fIgroup\fR
instead.
-To specify a
-\fIgid\fR
-instead of a
-\fIgroup name\fR,
-use
+To specify a numeric group ID
+(gid)
+instead of a group name, use
\fI#gid\fR.
-When running commands as a
-\fIgid\fR,
-many shells require that the
+When running commands as a gid, many shells require that the
\(oq#\(cq
be escaped with a backslash
(\(oq\e\(cq).
In either case, the primary group will be set to
\fIgroup\fR.
.TP 12n
-\fB\-H\fR
+\fB\-H\fR, \fB\--set-home\fR
The
\fB\-H\fR (\fIHOME\fR)
option requests that the security policy set the
by default) as specified by the password database.
Depending on the policy, this may be the default behavior.
.TP 12n
-\fB\-h\fR [\fIhost name\fR]
+\fB\-h\fR, \fB\--help\fR
+The
+\fB\-h\fR (\fIhelp\fR)
+option causes
+\fBsudo\fR
+will print a short help message to the standard output and exit.
+.TP 12n
+\fB\-h\fR, \fB\--host\fR \fIremote host\fR
If a
-\fIhost name\fR
+\fIremote host\fR
is specified and the policy plugin supports it, the command will be run
on the specified remote host.
Note that the
\fIsudoers\fR
plugin does not currently support running remote commands.
-If no
-\fIhost name\fR
-is specified,
-\fBsudo\fR
-will print a short help message to the standard output and exit.
.TP 12n
-\fB\-i\fR [\fIcommand\fR]
+\fB\-i\fR, \fB\--login\fR [\fIcommand\fR]
The
\fB\-i\fR (\fIsimulate initial login\fR)
option runs the shell specified by the password database entry of
\fIsudoers\fR
policy is in use.
.TP 12n
-\fB\-K\fR
+\fB\-K\fR, \fB\--remove-timestamp\fR
The
\fB\-K\fR (sure \fIkill\fR)
option is like
This option does not require a password.
Not all security policies support credential caching.
.TP 12n
-\fB\-k\fR [\fIcommand\fR]
+\fB\-k\fR, \fB\--reset-timestamp\fR [\fIcommand\fR]
When used alone, the
\fB\-k\fR (\fIkill\fR)
option to
will prompt for a password (if one is required by the security
policy) and will not update the user's cached credentials.
.TP 12n
-\fB\-l\fR[\fBl\fR] [\fIcommand\fR]
+\fB\-l\fR[\fBl\fR], \fB\--list\fR [\fIcommand\fR]
If no
\fIcommand\fR
is specified, the
\fB\-l\fR
is specified multiple times, a longer list format is used.
.TP 12n
-\fB\-n\fR
+\fB\-n\fR, \fB\--non-interactive\fR
The
\fB\-n\fR (\fInon-interactive\fR)
option prevents
\fBsudo\fR
will display an error message and exit.
.TP 12n
-\fB\-P\fR
+\fB\-P\fR, \fB\--preserve-groups\fR
The
\fB\-P\fR (\fIpreserve group vector\fR)
option causes
The real and effective group IDs, however, are still set to match
the target user.
.TP 12n
-\fB\-p\fR \fIprompt\fR
+\fB\-p\fR, \fB\--prompt\fR \fIprompt\fR
The
\fB\-p\fR (\fIprompt\fR)
option allows you to override the default password prompt and use
\fIsudoers\fR.
.RE
.TP 12n
-\fB\-r\fR \fIrole\fR
+\fB\-r\fR, \fB\--role\fR \fIrole\fR
The
\fB\-r\fR (\fIrole\fR)
-option causes the new (SELinux) security context to have the role
+option causes the new SELinux security context to have the role
specified by
\fIrole\fR.
.TP 12n
-\fB\-S\fR
+\fB\-S\fR, \fB\--stdin\fR
The
\fB\-S\fR (\fIstdin\fR)
option causes
device.
The password must be followed by a newline character.
.TP 12n
-\fB\-s\fR [\fIcommand\fR]
+\fB\-s\fR, \fB\--shell\fR [\fIcommand\fR]
The
\fB\-s\fR (\fIshell\fR)
option runs the shell specified by the
option.
If no command is specified, an interactive shell is executed.
.TP 12n
-\fB\-t\fR \fItype\fR
+\fB\-t\fR, \fB\--type\fR \fItype\fR
The
\fB\-t\fR (\fItype\fR)
-option causes the new (SELinux) security context to have the type
+option causes the new SELinux security context to have the type
specified by
\fItype\fR.
If no type is specified, the default type is derived from the
specified role.
.TP 12n
-\fB\-U\fR \fIuser\fR
+\fB\-U\fR, \fB\--other-user\fR \fIuser\fR
The
\fB\-U\fR (\fIother user\fR)
option is used in conjunction with the
\fRALL\fR
privilege on the current host to use this option.
.TP 12n
-\fB\-u\fR \fIuser\fR
+\fB\-u\fR, \fB\--user\fR \fIuser\fR
The
\fB\-u\fR (\fIuser\fR)
option causes
\fBsudo\fR
to run the specified command as a user other than
\fIroot\fR.
-To specify a
-\fIuid\fR
-instead of a
-\fIuser name\fR,
+To specify a numeric user ID
+(uid)
+instead of a user name, use
\fI#uid\fR.
-When running commands as a
-\fIuid\fR,
-many shells require that the
+When running commands as a uid, many shells require that the
\(oq#\(cq
be escaped with a backslash
(\(oq\e\(cq).
-Security policies may restrict
-\fIuid\fRs
+Some security policies may restrict uids
to those listed in the password database.
The
\fIsudoers\fR
-policy allows
-\fIuid\fRs
-that are not in the password database as long as the
+policy allows uids that are not in the password database as long as the
\fItargetpw\fR
option is not set.
Other security policies may not support this.
.TP 12n
-\fB\-V\fR
+\fB\-V\fR, \fB\--version\fR
The
\fB\-V\fR (\fIversion\fR)
option causes
was built and plugins may display more verbose information such as
default options.
.TP 12n
-\fB\-v\fR
+\fB\-v\fR, \fB\--validate\fR
When given the
\fB\-v\fR (\fIvalidate\fR)
option,
\fBsudo\fR
executes a command, the security policy specifies the execution
environment for the command.
-Typically, the real and effective uid and gid are set to
+Typically, the real and effective user and group and IDs are set to
match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database
(unless the
.Op Fl g Ar group name No | Ar #gid
.Ek
.Bk -words
+.Op Fl h Ar remote host
+.Ek
+.Bk -words
.Op Fl p Ar prompt
.Ek
.Bk -words
.Op Fl g Ar group name No | Ar #gid
.Ek
.Bk -words
-.Op Fl h Ar host name
+.Op Fl h Ar remote host
.Ek
.Bk -words
.Op Fl p Ar prompt
.Op Fl g Ar group name No | Ar #gid
.Ek
.Bk -words
-.Op Fl h Ar host name
+.Op Fl h Ar remote host
.Ek
.Bk -words
.Op Fl p Ar prompt
.Op Fl g Ar group name No | Ar #gid
.Ek
.Bk -words
-.Op Fl h Ar host name
+.Op Fl h Ar remote host
.Ek
.Bk -words
.Op Fl p Ar prompt
.Pp
The options are as follows:
.Bl -tag -width Fl
-.It Fl A
+.It Fl A , -askpass
Normally, if
.Nm sudo
requires a password, it will read it from the user's terminal.
If no askpass program is available,
.Nm sudo
will exit with an error.
-.It Fl a Ar type
+.It Fl a , -auth-type Ar auth_type
The
.Fl a No ( Em "authentication type" Ns No )
option causes
entry in
.Pa /etc/login.conf .
This option is only available on systems that support BSD authentication.
-.It Fl b
+.It Fl b , -background
The
.Fl b No ( Em background Ns No )
option tells
option you cannot use shell job control to manipulate the process.
Most interactive commands will fail to work properly in background
mode.
-.It Fl C Ar fd
+.It Fl C , -close-from Ar fd
Normally,
.Nm sudo
will close all open file descriptors other than standard input,
option when the administrator has enabled the
.Em closefrom_override
option.
-.It Fl c Ar class
+.It Fl c , -login-class Ar class
The
.Fl c No ( Em class Ns No )
option causes
.Nm sudo
command must be run from a shell that is already root.
This option is only available on systems with BSD login classes.
-.It Fl E
+.It Fl E , -preserve-env
The
.Fl E No ( Em preserve environment Ns No )
option indicates to the security policy that the user wishes to
.Fl E
option is specified and the user does not have permission to preserve
the environment.
-.It Fl e
+.It Fl e , -edit
The
.Fl e No ( Em edit Ns No )
option indicates that, instead of running a command, the user wishes
is unable to update a file with its edited version, the user will
receive a warning and the edited copy will remain in a temporary
file.
-.It Fl g Ar group
+.It Fl g , -group Ar group
Normally,
.Nm sudo
runs a command with the primary group set to the one specified by
to run the command with the primary group set to
.Ar group
instead.
-To specify a
-.Em gid
-instead of a
-.Em "group name" ,
-use
-.Em #gid .
-When running commands as a
-.Em gid ,
-many shells require that the
+To specify a numeric group ID
+.Pq gid
+instead of a group name, use
+.Ar #gid .
+When running commands as a gid, many shells require that the
.Ql #
be escaped with a backslash
.Pq Ql \e .
option is specified, the command will be run as the invoking user
(not root).
In either case, the primary group will be set to
-.Em group .
-.It Fl H
+.Ar group .
+.It Fl H , -set-home
The
.Fl H No ( Em HOME Ns No )
option requests that the security policy set the
environment variable to the home directory of the target user (root
by default) as specified by the password database.
Depending on the policy, this may be the default behavior.
-.It Fl h Op Ar host name
+.It Fl h , -help
+The
+.Fl h No ( Em help Ns No )
+option causes
+.Nm sudo
+will print a short help message to the standard output and exit.
+.It Fl h , -host Ar remote host
If a
-.Ar host name
+.Ar remote host
is specified and the policy plugin supports it, the command will be run
on the specified remote host.
Note that the
.Em sudoers
plugin does not currently support running remote commands.
-If no
-.Ar host name
-is specified,
-.Nm sudo
-will print a short help message to the standard output and exit.
-.It Fl i Op Ar command
+.It Fl i , -login Op Ar command
The
.Fl i No ( Em simulate initial login Ns No )
option runs the shell specified by the password database entry of
option affects the environment in which a command is run when the
.Em sudoers
policy is in use.
-.It Fl K
+.It Fl K , -remove-timestamp
The
.Fl K No ( sure Em kill Ns No )
option is like
may not be used in conjunction with a command or other option.
This option does not require a password.
Not all security policies support credential caching.
-.It Fl k Op Ar command
+.It Fl k , -reset-timestamp Op Ar command
When used alone, the
.Fl k No ( Em kill Ns No )
option to
.Nm sudo
will prompt for a password (if one is required by the security
policy) and will not update the user's cached credentials.
-.It Fl l Ns Oo Sy l Oc Op Ar command
+.It Fl l Ns Oo Sy l Oc , Fl -list Op Ar command
If no
.Ar command
is specified, the
or if
.Fl l
is specified multiple times, a longer list format is used.
-.It Fl n
+.It Fl n , -non-interactive
The
.Fl n No ( Em non-interactive Ns No )
option prevents
If a password is required for the command to run,
.Nm sudo
will display an error message and exit.
-.It Fl P
+.It Fl P , -preserve-groups
The
.Fl P No ( Em preserve group vector Ns No )
option causes
target user is in.
The real and effective group IDs, however, are still set to match
the target user.
-.It Fl p Ar prompt
+.It Fl p , -prompt Ar prompt
The
.Fl p No ( Em prompt Ns No )
option allows you to override the default password prompt and use
.Em passprompt_override
flag is disabled in
.Em sudoers .
-.It Fl r Ar role
+.It Fl r , -role Ar role
The
.Fl r No ( Em role Ns No )
-option causes the new (SELinux) security context to have the role
+option causes the new SELinux security context to have the role
specified by
.Ar role .
-.It Fl S
+.It Fl S , -stdin
The
.Fl S ( Em stdin Ns No )
option causes
to read the password from the standard input instead of the terminal
device.
The password must be followed by a newline character.
-.It Fl s Op Ar command
+.It Fl s , -shell Op Ar command
The
.Fl s ( Em shell Ns No )
option runs the shell specified by the
.Fl c
option.
If no command is specified, an interactive shell is executed.
-.It Fl t Ar type
+.It Fl t , -type Ar type
The
.Fl t ( Em type Ns No )
-option causes the new (SELinux) security context to have the type
+option causes the new SELinux security context to have the type
specified by
.Ar type .
If no type is specified, the default type is derived from the
specified role.
-.It Fl U Ar user
+.It Fl U , -other-user Ar user
The
.Fl U ( Em other user Ns No )
option is used in conjunction with the
policy only allows root or a user with the
.Li ALL
privilege on the current host to use this option.
-.It Fl u Ar user
+.It Fl u , -user Ar user
The
.Fl u ( Em user Ns No )
option causes
.Nm sudo
to run the specified command as a user other than
.Em root .
-To specify a
-.Em uid
-instead of a
-.Em user name ,
-.Em #uid .
-When running commands as a
-.Em uid ,
-many shells require that the
+To specify a numeric user ID
+.Pq uid
+instead of a user name, use
+.Ar #uid .
+When running commands as a uid, many shells require that the
.Ql #
be escaped with a backslash
.Pq Ql \e .
-Security policies may restrict
-.Em uid Ns No s
+Some security policies may restrict uids
to those listed in the password database.
The
.Em sudoers
-policy allows
-.Em uid Ns No s
-that are not in the password database as long as the
+policy allows uids that are not in the password database as long as the
.Em targetpw
option is not set.
Other security policies may not support this.
-.It Fl V
+.It Fl V , -version
The
.Fl V ( Em version Ns No )
option causes
.Nm sudo
was built and plugins may display more verbose information such as
default options.
-.It Fl v
+.It Fl v , -validate
When given the
.Fl v ( Em validate Ns No )
option,
.Nm sudo
executes a command, the security policy specifies the execution
environment for the command.
-Typically, the real and effective uid and gid are set to
+Typically, the real and effective user and group and IDs are set to
match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database
(unless the
LIBS = @LIBS@ @SUDO_LIBS@ @GETGROUPS_LIB@ @NET_LIBS@ @LIBINTL@ $(LT_LIBS)
# C preprocessor flags
-CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(srcdir) -I$(top_srcdir) -I. @CPPFLAGS@
+CPPFLAGS = -I$(incdir) -I$(top_builddir) -I. -I$(srcdir) -I$(top_srcdir) @CPPFLAGS@
# Usually -O and/or -g
CFLAGS = @CFLAGS@
(cd $(top_builddir) && ./config.status --file src/Makefile)
./sudo_usage.h: $(srcdir)/sudo_usage.h.in
- (cd $(top_builddir) && ./config.status --file src/sudo_usage.h)
+ (cd $(top_builddir) && ./config.status --file src/sudo_usage.h)
.SUFFIXES: .c .h .lo .o
#include <grp.h>
#include <pwd.h>
-#include "sudo_usage.h"
+#include <sudo_usage.h>
#include "sudo.h"
#include "lbuf.h"
*/
#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
+/* Option number for the --host long option due to ambiguity of the -h flag. */
+#define OPT_HOSTNAME 256
+
+/*
+ * Available command line options, both short and long.
+ * Note that we must disable arg permutation to support setting environment
+ * variables and to better support the optional arg of the -h flag.
+ */
+static const char short_opts[] = "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:Sst:U:u:Vv";
+static struct option long_opts[] = {
+ { "askpass", no_argument, NULL, 'A' },
+ { "auth-type", required_argument, NULL, 'a' },
+ { "background", no_argument, NULL, 'b' },
+ { "close-from", required_argument, NULL, 'C' },
+ { "login-class", required_argument, NULL, 'c' },
+ { "preserve-env", no_argument, NULL, 'E' },
+ { "edit", no_argument, NULL, 'e' },
+ { "group", required_argument, NULL, 'g' },
+ { "set-home", no_argument, NULL, 'H' },
+ { "help", no_argument, NULL, 'h' },
+ { "host", required_argument, NULL, OPT_HOSTNAME },
+ { "login", no_argument, NULL, 'i' },
+ { "remove-timestamp", no_argument, NULL, 'K' },
+ { "reset-timestamp", no_argument, NULL, 'k' },
+ { "list", no_argument, NULL, 'l' },
+ { "non-interactive", no_argument, NULL, 'n' },
+ { "preserve-groups", no_argument, NULL, 'P' },
+ { "prompt", required_argument, NULL, 'p' },
+ { "role", required_argument, NULL, 'r' },
+ { "stdin", no_argument, NULL, 'S' },
+ { "shell", no_argument, NULL, 's' },
+ { "type", required_argument, NULL, 't' },
+ { "other-user", required_argument, NULL, 'U' },
+ { "user", required_argument, NULL, 'u' },
+ { "version", no_argument, NULL, 'V' },
+ { "validate", no_argument, NULL, 'v' },
+ { NULL, no_argument, NULL, '\0' },
+};
+
/*
* Command line argument parsing.
* Sets nargc and nargv which corresponds to the argc/argv we'll use
/* XXX - should fill in settings at the end to avoid dupes */
for (;;) {
/*
- * We disable arg permutation for GNU getopt().
* Some trickiness is required to allow environment variables
* to be interspersed with command line options.
*/
- if ((ch = getopt_long(argc, argv, "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:Sst:U:u:Vv", NULL, NULL)) != -1) {
+ if ((ch = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) {
switch (ch) {
case 'A':
SET(tgetpass_flags, TGP_ASKPASS);
sudo_settings[ARG_SET_HOME].value = "true";
break;
case 'h':
- if (optarg != NULL) {
- sudo_settings[ARG_REMOTE_HOST].value = optarg;
- } else {
+ if (optarg == NULL) {
if (mode && mode != MODE_HELP) {
if (strcmp(getprogname(), "sudoedit") != 0)
usage_excl(1);
}
mode = MODE_HELP;
valid_flags = 0;
+ break;
}
+ /* FALLTHROUGH */
+ case OPT_HOSTNAME:
+ sudo_settings[ARG_REMOTE_HOST].value = optarg;
break;
case 'i':
sudo_settings[ARG_LOGIN_SHELL].value = "true";
default:
usage(1);
}
- } else if (got_host_flag) {
+ } else if (got_host_flag && optind < argc) {
/*
* Optional args only support -hhostname, not -h hostname.
* If we see a non-option after the -h flag, treat as
help(void)
{
struct lbuf lbuf;
- int indent = 16;
+ const int indent = 30;
const char *pname = getprogname();
debug_decl(help, SUDO_DEBUG_ARGS)
usage(0);
lbuf_append(&lbuf, _("\nOptions:\n"));
- lbuf_append(&lbuf, " -A %s",
+ lbuf_append(&lbuf, " -A, --askpass %s",
_("use helper program for password prompting\n"));
#ifdef HAVE_BSD_AUTH_H
- lbuf_append(&lbuf, " -a type %s",
+ lbuf_append(&lbuf, " -a, --auth-type auth_type %s",
_("use specified BSD authentication type\n"));
#endif
- lbuf_append(&lbuf, " -b %s",
+ lbuf_append(&lbuf, " -b, --background %s",
_("run command in the background\n"));
- lbuf_append(&lbuf, " -C fd %s",
+ lbuf_append(&lbuf, " -C, --close-from fd %s",
_("close all file descriptors >= fd\n"));
#ifdef HAVE_LOGIN_CAP_H
- lbuf_append(&lbuf, " -c class %s",
+ lbuf_append(&lbuf, " -c, --login-class class %s",
_("run command with specified login class\n"));
#endif
- lbuf_append(&lbuf, " -E %s",
+ lbuf_append(&lbuf, " -E, --preserve-env %s",
_("preserve user environment when executing command\n"));
- lbuf_append(&lbuf, " -e %s",
+ lbuf_append(&lbuf, " -e, --edit %s",
_("edit files instead of running a command\n"));
- lbuf_append(&lbuf, " -g group %s",
+ lbuf_append(&lbuf, " -g, --group group name|#gid %s",
_("execute command as the specified group\n"));
- lbuf_append(&lbuf, " -H %s",
+ lbuf_append(&lbuf, " -H, --set-home %s",
_("set HOME variable to target user's home dir.\n"));
- lbuf_append(&lbuf, " -h %s",
+ lbuf_append(&lbuf, " -h, --help %s",
_("display help message and exit\n"));
- lbuf_append(&lbuf, " -h host name %s",
- _("run command on specified host if supported\n"));
- lbuf_append(&lbuf, " -i [command] %s",
+ lbuf_append(&lbuf, " -h, --host remote host %s",
+ _("run command on specified host (if supported)\n"));
+ lbuf_append(&lbuf, " -i, --login [command] %s",
_("run a login shell as target user\n"));
- lbuf_append(&lbuf, " -K %s",
+ lbuf_append(&lbuf, " -K, --remove-timestamp %s",
_("remove timestamp file completely\n"));
- lbuf_append(&lbuf, " -k %s",
+ lbuf_append(&lbuf, " -k, --reset-timestamp %s",
_("invalidate timestamp file\n"));
- lbuf_append(&lbuf, " -l[l] command %s",
+ lbuf_append(&lbuf, " -l[l], --list [command] %s",
_("list user's available commands\n"));
- lbuf_append(&lbuf, " -n %s",
+ lbuf_append(&lbuf, " -n, --non-interactive %s",
_("non-interactive mode, will not prompt user\n"));
- lbuf_append(&lbuf, " -P %s",
+ lbuf_append(&lbuf, " -P, --preserve-groups %s",
_("preserve group vector instead of setting to target's\n"));
- lbuf_append(&lbuf, " -p prompt %s",
+ lbuf_append(&lbuf, " -p, --prompt prompt %s",
_("use specified password prompt\n"));
#ifdef HAVE_SELINUX
- lbuf_append(&lbuf, " -r role %s",
+ lbuf_append(&lbuf, " -r, --role role %s",
_("create SELinux security context with specified role\n"));
#endif
- lbuf_append(&lbuf, " -S %s",
+ lbuf_append(&lbuf, " -S, --stdin %s",
_("read password from standard input\n"));
- lbuf_append(&lbuf,
- " -s [command] %s", _("run a shell as target user\n"));
+ lbuf_append(&lbuf, " -s, --shell [command] %s",
+ _("run a shell as target user\n"));
#ifdef HAVE_SELINUX
- lbuf_append(&lbuf, " -t type %s",
+ lbuf_append(&lbuf, " -t, --type type %s",
_("create SELinux security context with specified role\n"));
#endif
- lbuf_append(&lbuf, " -U user %s",
+ lbuf_append(&lbuf, " -U, --other-user user name %s",
_("when listing, list specified user's privileges\n"));
- lbuf_append(&lbuf, " -u user %s",
+ lbuf_append(&lbuf, " -u, --user user name|#uid %s",
_("run command (or edit file) as specified user\n"));
- lbuf_append(&lbuf, " -V %s",
+ lbuf_append(&lbuf, " -V, --version %s",
_("display version information and exit\n"));
- lbuf_append(&lbuf, " -v %s",
+ lbuf_append(&lbuf, " -v, --validate %s",
_("update user's timestamp without running a command\n"));
- lbuf_append(&lbuf, " -- %s",
+ lbuf_append(&lbuf, " -- %s",
_("stop processing command line arguments\n"));
lbuf_print(&lbuf);
lbuf_destroy(&lbuf);
# include <prot.h>
#endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
+#include <sudo_usage.h>
#include "sudo.h"
#include "sudo_plugin.h"
#include "sudo_plugin_int.h"
-#include "sudo_usage.h"
/*
* Local variables
* Usage strings for sudo. These are here because we
* need to be able to substitute values from configure.
*/
-#define SUDO_USAGE1 " [-D level] -h | -K | -k | -V"
-#define SUDO_USAGE2 " -v [-AknS] @BSDAUTH_USAGE@[-D level] [-g groupname|#gid] [-h hostname] [-p prompt] [-u user name|#uid]"
-#define SUDO_USAGE3 " -l[l] [-AknS] @BSDAUTH_USAGE@[-D level] [-g groupname|#gid] [-h hostname] [-p prompt] [-U user name] [-u user name|#uid] [command]"
-#define SUDO_USAGE4 " [-AbEHknPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] [-D level] @LOGINCAP_USAGE@[-g groupname|#gid] [-h hostname] [-p prompt] [-u user name|#uid] [VAR=value] [-i|-s] [<command>]"
-#define SUDO_USAGE5 " -e [-AknS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] [-D level] @LOGINCAP_USAGE@[-g groupname|#gid] [-h hostname] [-p prompt] [-u user name|#uid] file ..."
+#define SUDO_USAGE1 " -h | -K | -k | -V"
+#define SUDO_USAGE2 " -v [-AknS] @BSDAUTH_USAGE@[-g group name|#gid] [-h remote host] [-p prompt] [-u user name|#uid]"
+#define SUDO_USAGE3 " -l[l] [-AknS] @BSDAUTH_USAGE@[-g group name|#gid] [-h remote host] [-p prompt] [-U user name] [-u user name|#uid] [command]"
+#define SUDO_USAGE4 " [-AbEHknPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g group name|#gid] [-h remote host] [-p prompt] [-u user name|#uid] [VAR=value] [-i|-s] [<command>]"
+#define SUDO_USAGE5 " -e [-AknS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g group name|#gid] [-h remote host] [-p prompt] [-u user name|#uid] file ..."
/*
* Configure script arguments used to build sudo.
projects / sudo / commitdiff