-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
N\bNA\bAM\bME\bE
_\bm_\ba_\bn_\bd]
s\bsu\bud\bdo\bo [-\b-b\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
- [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be]
- [{-\b-i\bi | -\b-s\bs] [<_\bc_\bo_\bm_\bm_\ba_\bn_\bd}]
+ [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [{-\b-i\bi | -\b-s\bs] [<_\bc_\bo_\bm_\bm_\ba_\bn_\bd}]
s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
[-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
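Review bot: the preformatted synopsis drops `[-r role]` and `[-t type]` while keeping `[-a auth_type]` and `[-c class|-]`, so this copy now documents the BSD-auth and login-class options but not the SELinux ones, even though all three are build-dependent in the roff source (the `@BAMAN@`, `@LCMAN@` and `@SEMAN@` prefixes). Either drop all three conditional options from the preformatted page, keep all three, or state in the commit which configuration the preformatted copy is meant to reflect; the same applies to the `-r`/`-t` option descriptions that are removed further down in this file.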
SUDO_USER.
s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
+ errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
-1.7 February 15, 2008 1
+1.7 February 18, 2008 1
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the _\bs_\bu_\bd_\bo_\b-
_\be_\br_\bs file.
starting point above the standard error (file descriptor
three). Values less than three are not permitted. This
option is only available if the administrator has enabled
- the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
-c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified com-
mand with resources limited by the specified login class.
login classes.
-E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(5)). It is only available when
either the matching command has the SETENV tag or the
- _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
-e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
command, the user wishes to edit one or more files. In
1. Temporary copies are made of the files to be edited
with the owner set to the invoking user.
- 2. The editor specified by the VISUAL or EDITOR
+ 2. The editor specified by the VISUAL or EDITOR environ-
+ ment variables is run to edit the temporary files. If
-1.7 February 15, 2008 2
+1.7 February 18, 2008 2
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- environment variables is run to edit the temporary
- files. If neither VISUAL nor EDITOR are set, the pro-
- gram listed in the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
+ neither VISUAL nor EDITOR are set, the program listed
+ in the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
3. If they have been modified, the temporary files are
copied back to their original location and the tempo-
-H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
the homedir of the target user (root by default) as speci-
- fied in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo does not modify HOME
- (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
+ fied in _\bp_\ba_\bs_\bs_\bw_\bd(5). By default, s\bsu\bud\bdo\bo does not modify HOME
+ (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(5)).
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage message
and exit.
-i [command]
The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell spec-
- ified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a login
+ ified in the _\bp_\ba_\bs_\bs_\bw_\bd(5) entry of the target user as a login
shell. This means that login-specific resource files such
as .profile or .login will be read by the shell. If a com-
mand is specified, it is passed to the shell for execution.
-k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's times-
tamp by setting the time on it to the Epoch. The next time
+ s\bsu\bud\bdo\bo is run a password will be required. This option does
-1.7 February 15, 2008 3
+1.7 February 18, 2008 3
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- s\bsu\bud\bdo\bo is run a password will be required. This option does
not require a password and was added to allow a user to
revoke s\bsu\bud\bdo\bo permissions from a .logout file.
system password prompt on systems that support PAM unless
the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
-
-
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ the standard input instead of the terminal device.
-1.7 February 15, 2008 4
+1.7 February 18, 2008 4
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- context to have the role specified by _\br_\bo_\bl_\be.
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
- the standard input instead of the terminal device.
-s [command]
The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
environment variable if it is set or the shell as specified
- in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
+ in _\bp_\ba_\bs_\bs_\bw_\bd(5). If a command is specified, it is passed to
the shell for execution. Otherwise, an interactive shell
is executed.
- -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security con-
- text to have the type specified by _\bt_\by_\bp_\be. If no type is
- specified, the default type is derived from the specified
- role.
-
-U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
-\b-l\bl option to specify the user whose privileges should be
listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as a _\bu_\bi_\bd,
many shells require that the '#' be escaped with a back-
slash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option is
- set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
+ set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(5)) it is not possible to run commands
with a uid not listed in the password database.
-V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
ables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
_\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would overwise be for-
- bidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
+ bidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(5) for more information.
+R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
+ Upon successful execution of a program, the return value from s\bsu\bud\bdo\bo will
+ simply be the return value of the program that was executed.
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a configura-
+ tion/permission problem or if s\bsu\bud\bdo\bo cannot execute the given command.
+ In the latter case the error string is printed to stderr. If s\bsu\bud\bdo\bo can-
+ not _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is printed
+ on stderr. (If the directory does not exist or if it is not really a
-1.7 February 15, 2008 5
+1.7 February 18, 2008 5
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
- Upon successful execution of a program, the return value from s\bsu\bud\bdo\bo will
- simply be the return value of the program that was executed.
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a configura-
- tion/permission problem or if s\bsu\bud\bdo\bo cannot execute the given command.
- In the latter case the error string is printed to stderr. If s\bsu\bud\bdo\bo can-
- not _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is printed
- on stderr. (If the directory does not exist or if it is not really a
directory, the entry is ignored and no error is printed.) This should
not happen under normal circumstances. The most common reason for
_\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running an auto-
s\bsu\bud\bdo\bo will check the ownership of its timestamp directory (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo
by default) and ignore the directory's contents if it is not owned by
root or if it is writable by a user other than root. On systems that
+ allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
+ directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
+ is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
+ run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the direc-
+ tory and its contents, the only damage that can be done is to "hide"
+ files by putting them in the timestamp dir. This is unlikely to happen
+ since once the timestamp dir is owned by root and inaccessible by any
+ other user, the user placing files there would be unable to get them
+ back out. To get around this issue you can use a directory that is not
-1.7 February 15, 2008 6
+1.7 February 18, 2008 6
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
- directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
- is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
- run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the direc-
- tory and its contents, the only damage that can be done is to "hide"
- files by putting them in the timestamp dir. This is unlikely to happen
- since once the timestamp dir is owned by root and inaccessible by any
- other user, the user placing files there would be unable to get them
- back out. To get around this issue you can use a directory that is not
world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or cre-
ate _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate owner (root) and permissions
(0700) in the system startup files.
when giving users access to commands via s\bsu\bud\bdo\bo to verify that the com-
mand does not inadvertently give the user an effective root shell. For
more information, please see the PREVENTING SHELL ESCAPES section in
- _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables:
SUDO_GID Set to the gid of the user who invoked sudo
+ SUDO_PS1 If set, PS1 will be set to its value
+ USER Set to the target user (root unless the -\b-u\bu option is
+ specified)
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode
-1.7 February 15, 2008 7
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+1.7 February 18, 2008 7
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- SUDO_PS1 If set, PS1 will be set to its value
- USER Set to the target user (root unless the -\b-u\bu option is
- specified)
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi m\bmo\bod\bde\be o\bon\bn L\bLi\bin\bnu\bux\bx a\ban\bnd\bd A\bAI\bIX\bX
+ _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
+
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
+ AIX
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(5) entries.
To get a file listing of an unreadable directory:
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4),
- _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(5), _\bs_\bu_\bd_\bo_\be_\br_\bs(5), _\bv_\bi_\bs_\bu_\bd_\bo(8)
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if
that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
+ programs (such as editors) allow the user to run commands via shell
+ escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
+ possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(5) manual for details.
+ It is not meaningful to run the cd command directly via sudo, e.g.,
-
-1.7 February 15, 2008 8
+ $ sudo cd /usr/local/protected
+1.7 February 18, 2008 8
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- programs (such as editors) allow the user to run commands via shell
- escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
- possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
- See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
- It is not meaningful to run the cd command directly via sudo, e.g.,
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- $ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still
be the same. Please see the EXAMPLES section for more information.
-1.7 February 15, 2008 9
+
+
+
+
+
+
+
+
+
+1.7 February 18, 2008 9
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "February 15, 2008" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
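Review bot: the roff source still uses `@mansectsu@` in `.IX Title` and `.TH`, while the preformatted page at the top of this patch now hard-codes `SUDO(8)` in every header and footer line (and `sudoers(5)`, `passwd(5)`, `visudo(8)` in the cross-references). On a build where `@mansectsu@` expands to something other than 8 the two copies will disagree; if the preformatted pages are meant to be regenerated from the roff with the default section numbers, say so in the commit message rather than relying on hand edits staying in sync.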
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
-\&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR]
-[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
+\&\fBsudo\fR [\fB\-bEHPS\fR]
+@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-C\fR\ \fIfd\fR]
+@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}]
.PP
-\&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR]
-[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+\&\fBsudoedit\fR [\fB\-S\fR]
+@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-C\fR\ \fIfd\fR]
+@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
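Review bot: the tail of the sudo synopsis, `[{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}]`, has mismatched grouping: the `{` is closed by `]` and the `[<` is closed by `}]`, which renders as `[{-i | -s] [<command}]` in the preformatted output. Since this hunk already reflows the synopsis, consider fixing it to `[{\fB\-i\fR\ |\ \fB\-s\fR}\ [\fIcommand\fR]]` at the same time. Splitting each `@BAMAN@`/`@LCMAN@`/`@SEMAN@` fragment onto its own input line is the right way to make the conditionals line-based.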
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBsudo\fR accepts the following command line options:
-.IP "\-a \fItype\fR" 12
-.IX Item "-a type"
-The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
-specified authentication type when validating the user, as allowed
-by \fI/etc/login.conf\fR. The system administrator may specify a list
-of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R"
-entry in \fI/etc/login.conf\fR. This option is only available on systems
-that support \s-1BSD\s0 authentication.
+@BAMAN@.IP "\-a \fItype\fR" 12
+@BAMAN@.IX Item "-a type"
+@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
+@BAMAN@specified authentication type when validating the user, as allowed
+@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list
+@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R"
+@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems
+@BAMAN@that support \s-1BSD\s0 authentication.
.IP "\-b" 12
.IX Item "-b"
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
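Review bot: the `@BAMAN@` prefix is placed in front of roff request lines (`.IP`, `.IX`) as well as text lines, so whatever configure substitutes for it must expand to exactly an empty string or a comment leader (`.\"`) on every line; anything else left in column 1 will stop `.IP "\-a \fItype\fR" 12` from being recognised as a request and the option heading will be printed as literal text. Worth a one-line comment near the first use documenting the two expected expansions, since the same convention is used for `@LCMAN@` and `@SEMAN@` below.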
three are not permitted. This option is only available if the
administrator has enabled the \fIclosefrom_override\fR option in
\&\fIsudoers\fR\|(@mansectform@).
-.IP "\-c \fIclass\fR" 12
-.IX Item "-c class"
-The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
-with resources limited by the specified login class. The \fIclass\fR
-argument can be either a class name as defined in \fI/etc/login.conf\fR,
-or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
-that the command should be run restricted by the default login
-capabilities for the user the command is run as. If the \fIclass\fR
-argument specifies an existing user class, the command must be run
-as root, or the \fBsudo\fR command must be run from a shell that is already
-root. This option is only available on systems with \s-1BSD\s0 login classes.
+@LCMAN@.IP "\-c \fIclass\fR" 12
+@LCMAN@.IX Item "-c class"
+@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
+@LCMAN@with resources limited by the specified login class. The \fIclass\fR
+@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR,
+@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
+@LCMAN@that the command should be run restricted by the default login
+@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR
+@LCMAN@argument specifies an existing user class, the command must be run
+@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already
+@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes.
.IP "\-E" 12
.IX Item "-E"
The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
password prompt on systems that support \s-1PAM\s0 unless the
\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
.RE
-.IP "\-r \fIrole\fR" 12
-.IX Item "-r role"
-The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
-have the role specified by \fIrole\fR.
+@SEMAN@.IP "\-r \fIrole\fR" 12
+@SEMAN@.IX Item "-r role"
+@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
+@SEMAN@have the role specified by \fIrole\fR.
.IP "\-S" 12
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
environment variable if it is set or the shell as specified in
\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell
for execution. Otherwise, an interactive shell is executed.
-.IP "\-t \fItype\fR" 12
-.IX Item "-t type"
-The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
-have the type specified by \fItype\fR. If no type is specified, the default
-type is derived from the specified role.
+@SEMAN@.IP "\-t \fItype\fR" 12
+@SEMAN@.IX Item "-t type"
+@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
+@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default
+@SEMAN@type is derived from the specified role.
.IP "\-U \fIuser\fR" 12
.IX Item "-U user"
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
Default editor to use in \fB\-e\fR (sudoedit) mode
.SH "FILES"
.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C'List of who can run what" 4
-.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fRList of who can run what" 4
-.IX Item "@sysconfdir@/sudoers List of who can run what"
-.PD 0
-.ie n .IP "\fI@timedir@\fR\*(C` \*(C'Directory containing timestamps" 4
-.el .IP "\fI@timedir@\fR\f(CW\*(C` \*(C'\fRDirectory containing timestamps" 4
-.IX Item "@timedir@ Directory containing timestamps"
-.ie n .IP "\fI/etc/environment\fR\*(C` \*(C'\fRInitial environment for \fB\-i mode on Linux and \s-1AIX\s0" 4
-.el .IP "\fI/etc/environment\fR\f(CW\*(C` \*(C'\fRInitial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0" 4
-.IX Item "/etc/environment Initial environment for -i mode on Linux and AIX"
-.PD
+.IP "\fI@sysconfdir@/sudoers\fR" 24
+.IX Item "@sysconfdir@/sudoers"
+List of who can run what
+.IP "\fI@timedir@\fR" 24
+.IX Item "@timedir@"
+Directory containing timestamps
+.IP "\fI/etc/environment\fR" 24
+.IX Item "/etc/environment"
+Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries.
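Review bot: dropping the `.PD 0` / `.PD` pair along with the old `.ie n` / `.el` list means the three FILES entries are now separated by blank lines, as the preformatted output in this patch shows (an empty line between `/etc/sudoers` and `/var/run/sudo`). If the compact spacing of the old list was intentional, wrap the new `.IP` entries in `.PD 0` ... `.PD` again. The rewrite does fix the unterminated `\fB\-i mode on Linux and \s-1AIX\s0` in the old `.ie n` line, which is why the preformatted page previously printed "mode on Linux and AIX" in bold.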
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
N\bNA\bAM\bME\bE
-1.7 January 21, 2008 1
+1.7 February 18, 2008 1
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Host_Alias ::= NAME '=' Host_List
-1.7 January 21, 2008 2
+1.7 February 18, 2008 2
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Host ::= '!'* hostname |
-1.7 January 21, 2008 3
+1.7 February 18, 2008 3
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
users on any host, all users on a specific host, a specific user, a
-1.7 January 21, 2008 4
+1.7 February 18, 2008 4
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Let's break that down into its constituent parts:
-1.7 January 21, 2008 5
+1.7 February 18, 2008 5
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite
-1.7 January 21, 2008 6
+1.7 February 18, 2008 6
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
-1.7 January 21, 2008 7
+1.7 February 18, 2008 7
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
-1.7 January 21, 2008 8
+1.7 February 18, 2008 8
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
fied. This flag is _\bo_\bf_\bf by default.
ignore_local_sudoers
- If set via LDAP, parsing of @sysconfdir@/sudoers will
- be skipped. This is intended for Enterprises that wish
- to prevent the usage of local sudoers files so that
- only LDAP is used. This thwarts the efforts of rogue
- operators who would attempt to add roles to
- @sysconfdir@/sudoers. When this option is present,
- @sysconfdir@/sudoers does not even need to exist.
- Since this option tells s\bsu\bud\bdo\bo how to behave when no spe-
- cific LDAP entries have been matched, this sudoOption
- is only meaningful for the cn=defaults section. This
- flag is _\bo_\bf_\bf by default.
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ skipped. This is intended for Enterprises that wish to
+ prevent the usage of local sudoers files so that only
+ LDAP is used. This thwarts the efforts of rogue opera-
+ tors who would attempt to add roles to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs.
+ When this option is present, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even
+ need to exist. Since this option tells s\bsu\bud\bdo\bo how to
+ behave when no specific LDAP entries have been matched,
+ this sudoOption is only meaningful for the cn=defaults
+ section. This flag is _\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
incorrect password. This flag is _\bo_\bf_\bf by default.
-1.7 January 21, 2008 9
+
+1.7 February 18, 2008 9
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
log_host If set, the hostname will be logged in the (non-syslog)
-1.7 January 21, 2008 10
+1.7 February 18, 2008 10
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
normally only be used if the passwod prompt provided by
-1.7 January 21, 2008 11
+1.7 February 18, 2008 11
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
-1.7 January 21, 2008 12
+1.7 February 18, 2008 12
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
password before s\bsu\bud\bdo\bo logs the failure and exits. The
-1.7 January 21, 2008 13
+1.7 February 18, 2008 13
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
environment variable. The following percent (`%')
-1.7 January 21, 2008 14
+1.7 February 18, 2008 14
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
-1.7 January 21, 2008 15
+1.7 February 18, 2008 15
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
syslog Syslog facility if syslog is being used for logging (negate
-1.7 January 21, 2008 16
+1.7 February 18, 2008 16
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
env_keep Environment variables to be preserved in the user's
i\bin\bng\bg.
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
-
-
-1.7 January 21, 2008 17
+1.7 February 18, 2008 17
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
# Cmnd alias specification
-1.7 January 21, 2008 18
+1.7 February 18, 2008 18
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
-1.7 January 21, 2008 19
+1.7 February 18, 2008 19
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
jen ALL, !SERVERS = ALL
-1.7 January 21, 2008 20
+1.7 February 18, 2008 20
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
that permit shell escapes include shells (obviously), editors, pagina-
-1.7 January 21, 2008 21
+1.7 February 18, 2008 21
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Note that restricting shell escapes is not a panacea. Programs running
approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(8), _\bv_\bi_\bs_\bu_\bd_\bo(8)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
-1.7 January 21, 2008 22
+1.7 February 18, 2008 22
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
N\bNA\bAM\bME\bE
-1.7 February 9, 2008 1
+1.7 February 18, 2008 1
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
-1.7 February 9, 2008 2
+1.7 February 18, 2008 2
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
-1.7 February 9, 2008 3
+1.7 February 18, 2008 3
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
# LDAP equivalent of puddles
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
- those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
+ those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(5) manual.
Also note that on systems using the OpenLDAP libraries, default values
specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
-1.7 February 9, 2008 4
+1.7 February 18, 2008 4
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf that are sup-
-1.7 February 9, 2008 5
+1.7 February 18, 2008 5
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
B\bBI\bIN\bND\bDD\bDN\bN DN
-1.7 February 9, 2008 6
+1.7 February 18, 2008 6
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
OpenLDAP libraries.
-1.7 February 9, 2008 7
+1.7 February 18, 2008 7
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
-1.7 February 9, 2008 8
+1.7 February 18, 2008 8
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
# Either specify one or more URIs or one or more host:port pairs.
-1.7 February 9, 2008 9
+1.7 February 18, 2008 9
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
#tls_cacertfile /etc/certs/trusted_signers.pem
-1.7 February 9, 2008 10
+1.7 February 18, 2008 10
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
attributetype ( 1.3.6.1.4.1.15953.9.1.2
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(5), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
-1.7 February 9, 2008 11
+1.7 February 18, 2008 11
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
-1.7 February 9, 2008 12
+1.7 February 18, 2008 12
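Review bot: the pre-formatted sudoers.ldap page now hardcodes section numbers (SUDOERS.LDAP(5), ldap.conf(5), sudoers(5)) while the troff source it is generated from still takes the section from the `@mansectform@` substitution in `.TH SUDOERS.LDAP @mansectform@ ...`, so these cat pages are only correct for whichever platform's numbering they were rendered with and will silently disagree with the installed troff page anywhere `@mansectform@` expands to 4. If the cat pages are shipped for a single target that is fine, but say so in the commit, or regenerate them as part of the build instead of checking in rendered output. The change itself is internally consistent: the SEE ALSO line `_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(5), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)` now matches the in-text reference that was changed two pages earlier, where the old text cited ldap.conf(4) next to sudoers(5).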
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "February 9, 2008" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers.ldap \- sudo LDAP configuration
.SH "DESCRIPTION"
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
flag is \fI@ignore_dot@\fR by default.
.IP "ignore_local_sudoers" 16
.IX Item "ignore_local_sudoers"
-If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
+If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
-When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
-Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries
-have been matched, this sudoOption is only meaningful for the cn=defaults
-section. This flag is \fIoff\fR by default.
+rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
+When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
+exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
+entries have been matched, this sudoOption is only meaningful for the
+\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
.IP "insults" 16
.IX Item "insults"
If set, \fBsudo\fR will insult users when they enter an incorrect
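Review bot: this hunk fixes a real rendering bug rather than just restyling: in the old `\f(CW@sysconfdir\fR@/sudoers` the `\fR` font escape sits inside the `@sysconfdir@` token, so the configure-time substitution could not match it and the page would have shown the literal string with a stray `@`. The new `\fI@sysconfdir@/sudoers\fR` keeps the token intact. Worth noting in the commit message since it also changes what users see, not only the font. One wording point for the same paragraph: "this sudoOption is only meaningful for the `cn=defaults` section" is the security-relevant constraint here (a per-role entry cannot turn local sudoers off), so consider leading with it rather than leaving it as the last sentence after the "rogue operators" rationale.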
the user running it. With this flag enabled, \fBsudo\fR will use a
file named for the tty the user is logged in on in that directory.
This flag is \fI@tty_tickets@\fR by default.
-.IP "use_loginclass" 16
-.IX Item "use_loginclass"
-If set, \fBsudo\fR will apply the defaults specified for the target user's
-login class if one exists. Only available if \fBsudo\fR is configured with
-the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+@LCMAN@.IP "use_loginclass" 16
+@LCMAN@.IX Item "use_loginclass"
+@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
+@LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with
+@LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default.
.PP
\&\fBIntegers\fR:
.IP "closefrom" 16
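Review bot: once the whole use_loginclass entry is wrapped in `@LCMAN@`, so that it is only emitted when sudo is built with login-class support, the retained sentence "Only available if \fBsudo\fR is configured with the \-\-with\-logincap option" is redundant in the one build that prints it. Either drop that sentence in the conditional text, or keep the entry unconditional so that readers of a non-logincap build can still learn why the option is missing; doing both halves means the page now hides the option precisely from the people who would look it up.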
.Sp
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
.RE
+@SEMAN@.IP "role" 16
+@SEMAN@.IX Item "role"
+@SEMAN@The default SELinux role to use when constructing a new security
+@SEMAN@context to run the command. The default role may be overridden on
+@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
+@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.IP "runas_default" 16
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR flag is not specified
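Review bot: typo in the new role entry: "This option is only available whe \fBsudo\fR is built with SELinux support" should read "when". Since the text says the default role "may be overridden on a per-command basis in \fIsudoers\fR or via command line options", it would help to name the command line option (the SYNOPSIS already lists \-r \fIrole\fR) so that the reader can find the override the sentence refers to; as written the cross-reference is implicit.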
.IX Item "timestampowner"
The owner of the timestamp directory and the timestamps stored therein.
The default is \f(CW\*(C`root\*(C'\fR.
+@SEMAN@.IP "type" 16
+@SEMAN@.IX Item "type"
+@SEMAN@The default SELinux type to use when constructing a new security
+@SEMAN@context to run the command. The default type may be overridden on
+@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
+@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.PP
\&\fBStrings that can be used in a boolean context\fR:
.IP "exempt_group" 12
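Review bot: same typo as in the role hunk: "available whe \fBsudo\fR is built" should be "when", and the same implicit cross-reference applies (the SYNOPSIS lists \-t \fItype\fR as the command line override). The two entries are otherwise identical apart from role/type, so a shared fix for both keeps them in step.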
\&\fBnotice\fR, and \fBwarning\fR.
.SH "FILES"
.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C' List of who can run what" 4
-.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fR List of who can run what" 4
-.IX Item "@sysconfdir@/sudoers List of who can run what"
-.PD 0
-.ie n .IP "\fI/etc/group\fR\*(C` \*(C' Local groups file" 4
-.el .IP "\fI/etc/group\fR\f(CW\*(C` \*(C'\fR Local groups file" 4
-.IX Item "/etc/group Local groups file"
-.ie n .IP "\fI/etc/netgroup\fR\*(C` \*(C' List of network groups" 4
-.el .IP "\fI/etc/netgroup\fR\f(CW\*(C` \*(C'\fR List of network groups" 4
-.IX Item "/etc/netgroup List of network groups"
-.PD
+.IP "\fI@sysconfdir@/sudoers\fR" 24
+.IX Item "@sysconfdir@/sudoers"
+List of who can run what
+.IP "\fI/etc/group\fR" 24
+.IX Item "/etc/group"
+Local groups file
+.IP "\fI/etc/netgroup\fR" 24
+.IX Item "/etc/netgroup"
+List of network groups
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Below are example \fIsudoers\fR entries. Admittedly, some of
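Review bot: the rewritten FILES list drops the `.PD 0` / `.PD` pair along with the `.ie n`/`.el` dance, so the rendered entries now get the default inter-paragraph spacing; the matching cat-page hunk for visudo shows the effect as a blank line inserted between `/etc/sudoers` and `/etc/sudoers.tmp`. That is a deliberate-looking layout change, but it is not mentioned anywhere, so please state it in the commit message. The indent of 24 is wide enough for the longest unexpanded tag here (`@sysconfdir@/sudoers.tmp`) but leaves a large gap once `@sysconfdir@` expands to a short path such as /etc; `.IP` with an indent closer to the expanded width would render more tightly.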
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
N\bNA\bAM\bME\bE
v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bc] [-\b-q\bq] [-\b-s\bs] [-\b-V\bV] [-\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(1m).
+ v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(8).
v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits, pro-
vides basic sanity checks, and checks for parse errors. If the _\bs_\bu_\bd_\bo_\be_\br_\bs
file is currently being edited you will receive a message to try again
-1.7 January 21, 2008 1
+1.7 February 18, 2008 1
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
combined with the -\b-c\bc flag.
EDITOR Used by visudo if VISUAL is not set
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
sudoers file busy, try again later.
-\b-s\bs (strict) mode this is an error, not a warning.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(8)
+ _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(5), _\bs_\bu_\bd_\bo(8), _\bv_\bi_\bp_\bw(8)
A\bAU\bUT\bTH\bHO\bOR\bR
Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
-
-1.7 January 21, 2008 2
+1.7 February 18, 2008 2
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
Todd Miller
-1.7 January 21, 2008 3
+1.7 February 18, 2008 3
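Review bot: the visudo cat page was previously self-inconsistent: the DESCRIPTION said "analogous to vipw(1m)" while SEE ALSO already listed vipw(8), and SEE ALSO mixed sudoers(4) with sudo(1m). This hunk brings all of them to (8)/(5), which is correct, but the same caveat as for the sudoers.ldap page applies: the troff source uses `@mansectsu@` in `.TH VISUDO @mansectsu@ ...`, so the checked-in rendered page now pins one platform's numbering. The removed empty line before the page-2 footer and the blank line added between the two FILES entries are layout side effects of the `.PD` change in the troff source, not content changes.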
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"
Used by visudo if \s-1VISUAL\s0 is not set
.SH "FILES"
.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C'List of who can run what" 4
-.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fRList of who can run what" 4
-.IX Item "@sysconfdir@/sudoers List of who can run what"
-.PD 0
-.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR\*(C` \*(C'Lock file for visudo" 4
-.el .IP "\fI@sysconfdir@/sudoers.tmp\fR\f(CW\*(C` \*(C'\fRLock file for visudo" 4
-.IX Item "@sysconfdir@/sudoers.tmp Lock file for visudo"
-.PD
+.IP "\fI@sysconfdir@/sudoers\fR" 24
+.IX Item "@sysconfdir@/sudoers"
+List of who can run what
+.IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
+.IX Item "@sysconfdir@/sudoers.tmp"
+Lock file for visudo
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
.IP "sudoers file busy, try again later." 4