-1.7.3b2 December 19, 2009 1
+1.7.3b2 June 3, 2010 1
-1.7.3b2 December 19, 2009 2
+1.7.3b2 June 3, 2010 2
-1.7.3b2 December 19, 2009 3
+1.7.3b2 June 3, 2010 3
-1.7.3b2 December 19, 2009 4
+1.7.3b2 June 3, 2010 4
-1.7.3b2 December 19, 2009 5
+1.7.3b2 June 3, 2010 5
-1.7.3b2 December 19, 2009 6
+1.7.3b2 June 3, 2010 6
his/her own timestamp with a bogus date on systems that allow users to
give away files.
+ On systems where the boot time is available, s\bsu\bud\bdo\bo will also not honor
+ time stamps from before the machine booted.
+
+ Since time stamp files live in the file system, they can outlive a
+ user's login session. As a result, a user may be able to login, run a
+ command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
+ s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
+ modification time is within 5 minutes (or whatever the timeout is set
+ to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ time stamp has per-tty granularity but still may outlive the user's
+ session. On Linux systems where the devpts filesystem is used, Solaris
+ systems with the devices filesystem, as well as other systems that
+ utilize a devfs filesystem that monotonically increase the inode number
+ of devices as they are created (such as Mac OS X), s\bsu\bud\bdo\bo is able to
+
+
+
+1.7.3b2 June 3, 2010 7
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
+ determine when a tty-based time stamp file is stale and will ignore it.
+ Administrators should not rely on this feature as it is not universally
+ available.
+
Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent
commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
s\bsu\bud\bdo\bo utilizes the following environment variables:
EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
-
-
-
-1.7.3b2 December 19, 2009 7
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
SUDO_EDITOR nor VISUAL is set
HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was configured with the
VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
SUDO_EDITOR is not set
+
+
+
+1.7.3b2 June 3, 2010 8
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
-
-
-
-1.7.3b2 December 19, 2009 8
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
$ sudo -u yaz ls ~yaz
To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+
+
+1.7.3b2 June 3, 2010 9
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if
that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
If users have sudo ALL there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
-
-
-
-1.7.3b2 December 19, 2009 9
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
elements in the user specification.
Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.3b2 December 19, 2009 10
+1.7.3b2 June 3, 2010 10
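Review bot: the pre-formatted text hard-codes "within 5 minutes" where the roff and POD sources use the @timeout@ configure substitution, so this copy is only right for a build that keeps the default timeout; confirm the formatted output is regenerated from the configured man page at build time rather than edited by hand, otherwise the documented expiry can drift from the value sudo actually enforces. Also, the added paragraph "On systems where the boot time is available" directly follows the context line "give away files." with no separating blank line, while the roff source emits a .PP before the same text; check that the blank is merely trimmed diff context and not missing from the generated file.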
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "June 3, 2010" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.RE
@SEMAN@.IP "\-r \fIrole\fR" 12
@SEMAN@.IX Item "-r role"
-@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
+@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
@SEMAN@have the role specified by \fIrole\fR.
.IP "\-S" 12
.IX Item "-S"
for execution. Otherwise, an interactive shell is executed.
@SEMAN@.IP "\-t \fItype\fR" 12
@SEMAN@.IX Item "-t type"
-@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
+@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default
@SEMAN@type is derived from the specified role.
.IP "\-U \fIuser\fR" 12
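Review bot: the @SEMAN@ \-r and \-t lines read identically on their - and + sides, so this is a whitespace-only change (a trailing space or a collapsed double space after "context to") that has nothing to do with the time stamp documentation; the same pairs recur in the POD source. It is harmless, but either leave it out of this change or say so in the commit message, so that readers of the history do not go looking for a wording difference that is not there.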
keep a user from creating his/her own timestamp with a bogus
date on systems that allow users to give away files.
.PP
+On systems where the boot time is available, \fBsudo\fR will also not
+honor time stamps from before the machine booted.
+.PP
+Since time stamp files live in the file system, they can outlive a
+user's login session. As a result, a user may be able to login,
+run a command with \fBsudo\fR after authenticating, logout, login
+again, and run \fBsudo\fR without authenticating so long as the time
+stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
+whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
+option is enabled in \fIsudoers\fR, the time stamp has per-tty granularity
+but still may outlive the user's session. On Linux systems where
+the devpts filesystem is used, Solaris systems with the devices
+filesystem, as well as other systems that utilize a devfs filesystem
+that monotonically increase the inode number of devices as they are
+created (such as Mac \s-1OS\s0 X), \fBsudo\fR is able to determine when a
+tty-based time stamp file is stale and will ignore it. Administrators
+should not rely on this feature as it is not universally available.
+.PP
Please note that \fBsudo\fR will normally only log the command it
explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
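Review bot: the new paragraph documents the risk well (a time stamp outliving the login session, and the explicit warning not to rely on the devfs-based stale detection) but leaves the administrator without a portable recourse. The same sentence already refers to "whatever the timeout is set to in sudoers", so it would help to state plainly that shortening that timeout is the mitigation that works on every platform, rather than leaving the reader to infer it. Since this roff text is generated from the POD source, the wording change belongs there with the man page regenerated afterwards.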
-Copyright (c) 1994-1996, 1998-2005, 2007-2009
+Copyright (c) 1994-1996, 1998-2005, 2007-2010
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
=item -r I<role>
-The B<-r> (I<role>) option causes the new (SELinux) security context to
+The B<-r> (I<role>) option causes the new (SELinux) security context to
have the role specified by I<role>.
=item -S
=item -t I<type>
-The B<-t> (I<type>) option causes the new (SELinux) security context to
+The B<-t> (I<type>) option causes the new (SELinux) security context to
have the type specified by I<type>. If no type is specified, the default
type is derived from the specified role.
keep a user from creating his/her own timestamp with a bogus
date on systems that allow users to give away files.
+On systems where the boot time is available, B<sudo> will also not
+honor time stamps from before the machine booted.
+
+Since time stamp files live in the file system, they can outlive a
+user's login session. As a result, a user may be able to login,
+run a command with B<sudo> after authenticating, logout, login
+again, and run B<sudo> without authenticating so long as the time
+stamp file's modification time is within C<@timeout@> minutes (or
+whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
+option is enabled in I<sudoers>, the time stamp has per-tty granularity
+but still may outlive the user's session. On Linux systems where
+the devpts filesystem is used, Solaris systems with the devices
+filesystem, as well as other systems that utilize a devfs filesystem
+that monotonically increase the inode number of devices as they are
+created (such as Mac OS X), B<sudo> is able to determine when a
+tty-based time stamp file is stale and will ignore it. Administrators
+should not rely on this feature as it is not universally available.
+
Please note that B<sudo> will normally only log the command it
explicitly runs. If a user runs a command such as C<sudo su> or
C<sudo sh>, subsequent commands run from that shell will I<not> be
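Review bot: two grammar points in the added paragraph, which should be fixed here in the POD source so the roff and formatted copies pick them up on regeneration: "a devfs filesystem that monotonically increase the inode number" needs "increases", and "able to login, ... logout, login again" uses the nouns as verbs and should read "log in", "log out", "log in again". Separately, the new line "On systems where the boot time is available" immediately follows the context line "date on systems that allow users to give away files." with no blank line between them; POD needs a blank line to start a new paragraph, and the roff version does place a .PP there, so verify a blank context line was only dropped from the diff and is actually present in the file.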