sudo, sudoedit - execute a command as another user
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-K\bK | -\b-L\bL | -\b-V\bV | -\b-h\bh | -\b-k\bk | -\b-v\bv
+ s\bsu\bud\bdo\bo -\b-K\bK | -\b-k\bk | -\b-h\bh | -\b-L\bL | -\b-V\bV | -\b-v\bv
- s\bsu\bud\bdo\bo [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] -\b-l\bl [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\bo [-\b-H\bHP\bPS\bSb\bb] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] {-\b-e\be file [...] | -\b-i\bi | -\b-s\bs | _\bc_\bo_\bm_\bm_\ba_\bn_\bd}
+ s\bsu\bud\bdo\bo [-\b-b\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be]
+ {-\b-e\be file [...] | -\b-i\bi | -\b-s\bs | _\bc_\bo_\bm_\bm_\ba_\bn_\bd}
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\b
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-S\bS] [-\b-u\bu _\bu_\bs_\be_\br_\b
_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file [...]
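Review bot: the new first synopsis line orders the flags as -K | -k | -h | -L | -V | -v, which does not match the case-insensitive alphabetical order the reordered OPTIONS section now uses (there -h precedes -K); either write it as -h | -K | -k | -L | -V | -v or leave the old order. Also, -C fd, -E and VAR=value are added to the sudo synopsis but not to sudoedit's; if sudoedit deliberately rejects them, one sentence under -e saying so would spare readers a trip to the source.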
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
actual user is. This can be used by a user to log com
mands through sudo even when a root shell has been
invoked. It also allows the -\b-e\be flag to remain useful even
- when being run via a sudo-run script or program. Note
-1.6.9 November 24, 2004 1
+1.7 June 23, 2007 1
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ when being run via a sudo-run script or program. Note
however, that the sudoers lookup is still done for root,
not the user specified by SUDO_USER.
O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo accepts the following command line options:
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
- able to the homedir of the target user (root by
- default) as specified in passwd(4). By default, s\bsu\bud\bdo\bo
- does not modify HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
- in sudoers(4)).
-
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it
- removes the user's timestamp entirely. Like -\b-k\bk, this
- option does not require a password.
-
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
- eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
- short description for each. This option is useful in
- conjunction with _\bg_\br_\be_\bp(1).
-
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
- preserve the invoking user's group vector unaltered.
- By default, s\bsu\bud\bdo\bo will initialize the group vector to
- the list of groups the target user is in. The real
- and effective group IDs, however, are still set to
- match the target user.
-
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password
- from the standard input instead of the terminal
- device.
-
- -U The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with
- the -\b-l\bl option to specify the user whose privileges
- should be listed. Only root or a user with s\bsu\bud\bdo\bo ALL
- on the current host may use this option.
-
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the ver
- sion number and exit. If the invoking user is already
- root the -\b-V\bV option will print out a list of the
- defaults s\bsu\bud\bdo\bo was compiled with as well as the
- machine's local network addresses.
-
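Review bot: this hunk only deletes the -H, -K, -L, -P, -S, -U and -V entries so they can be re-added later in case-insensitive alphabetical position; I diffed the re-added blocks against these and they are word-for-word identical. The pure reorder would be easier to review as its own commit, separate from the substantive changes in this patch (new -C and -E options, DISPLAY preserved by -i, the corrected timestamp-directory wording).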
-a The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use
the specified authentication type when validating the
user, as allowed by /etc/login.conf. The system
administrator may specify a list of sudo-specific
authentication methods by adding an "auth-sudo" entry
in /etc/login.conf. This option is only available on
-
-
-
-1.6.9 November 24, 2004 2
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
systems that support BSD authentication where s\bsu\bud\bdo\bo has
been configured with the --with-bsdauth option.
-\b-b\bb option you cannot use shell job control to manipu
late the process.
+ -C fd
+ Normally, s\bsu\bud\bdo\bo will close all open file descriptors
+ other than standard input, standard output and stan
+ dard error. The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the
+ user to specify a starting point above the standard
+ error (file descriptor three). Values less than three
+ are not permitted. This option is only available if
+ the administrator has enabled the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be
+ option in sudoers(4).
+
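Review bot: the -C entry does not say what sudo does when -C is given but the administrator has not enabled closefrom_override (refuse to run, or silently ignore the option?); state which, because closefrom exists to keep the caller's inherited descriptors out of the privileged command, and an administrator turning on closefrom_override should understand they are letting the invoking user choose which open descriptors the target command inherits. Minor wording: "a starting point above the standard error (file descriptor three)" reads as if three is the lowest allowed value rather than the default; something like "the descriptor at which sudo starts closing (the default is 3; values below 3 are rejected)" is clearer.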
-c The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
command with resources limited by the specified login
class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
classes where s\bsu\bud\bdo\bo has been configured with the
--with-logincap option.
+ -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in sudoers(4)). It is only available
+ when either the matching command has the SETENV tag or
+ the _\bs_\be_\bt_\be_\bn_\bv option is set in sudoers(4).
+
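Review bot: "option in sudoers(4))." has an unbalanced closing parenthesis; it should read "option in sudoers(4)." The entry also leaves the failure mode unstated: when -E is given but neither the SETENV tag nor the setenv option applies, does sudo refuse to run the command or run it with env_reset still in force? Say which, since that difference matters to anyone treating env_reset as a security boundary.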
+
+
+1.7 June 23, 2007 2
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
-e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of run
ning a command, the user wishes to edit one or more
files. In lieu of a command, the string "sudoedit" is
receive a warning and the edited copy will remain in a
temporary file.
+ -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
+ able to the homedir of the target user (root by
+ default) as specified in passwd(4). By default, s\bsu\bud\bdo\bo
+ does not modify HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
+ in sudoers(4)).
+
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage mes
sage and exit.
-i The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
+ specified in the passwd(4) entry of the user that the
+ command is being run as. The command name argument
+ given to the shell begins with a `-' to tell the shell
+ to run as a login shell. s\bsu\bud\bdo\bo attempts to change to
+ that user's home directory before running the shell.
+ It also initializes the environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY
+ and _\bT_\bE_\bR_\bM unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\b
+ _\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, and unsetting all other environment
+ variables.
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it
+ removes the user's timestamp entirely. Like -\b-k\bk, this
+ option does not require a password.
+ -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's
+ timestamp by setting the time on it to the Epoch. The
-1.6.9 November 24, 2004 3
+1.7 June 23, 2007 3
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- specified in the passwd(4) entry of the user that the
- command is being run as. The command name argument
- given to the shell begins with a `-' to tell the shell
- to run as a login shell. s\bsu\bud\bdo\bo attempts to change to
- that user's home directory before running the shell.
- It also initializes the environment, leaving _\bT_\bE_\bR_\bM
- unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and
- _\bP_\bA_\bT_\bH, and unsetting all other environment variables.
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
- -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's
- timestamp by setting the time on it to the Epoch. The
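Review bot: -i now lists DISPLAY next to TERM as left unchanged; that is a behaviour change in what a login shell run under sudo inherits, not part of the reorder, and it deserves a CHANGES entry and a note on how it interacts with env_keep in sudoers(4). The remainder of this hunk (the -K and -k entries moved above the page break, the LOGNAME line wrap) is identical text.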
next time s\bsu\bud\bdo\bo is run a password will be required.
This option does not require a password and was added
to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
.logout file.
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
+ eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
+ short description for each. This option is useful in
+ conjunction with _\bg_\br_\be_\bp(1).
+
-l [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will
list the allowed (and forbidden) commands for the
ments. If _\bc_\bo_\bm_\bm_\ba_\bn_\bd is not allowed, s\bsu\bud\bdo\bo will exit with
a return value of 1.
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
+ preserve the invoking user's group vector unaltered.
+ By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ the list of groups the target user is in. The real
+ and effective group IDs, however, are still set to
+ match the target user.
+
-p The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the
default password prompt and use a custom one. The
following percent (`%') escapes are supported:
%H expanded to the local hostname including the
domain name (on if the machine's hostname is
- fully qualified or the _\bf_\bq_\bd_\bn sudoers option is
+ fully qualified or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is
set)
%% two consecutive % characters are collapsed
into a single % character
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password
+ from the standard input instead of the terminal
+ device.
+
-s The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
_\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
as specified in passwd(4).
- -u The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. Note that if the
- _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option is set (see sudoers(4)) it is
-
-1.6.9 November 24, 2004 4
+1.7 June 23, 2007 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ -U The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with
+ the -\b-l\bl option to specify the user whose privileges
+ should be listed. Only root or a user with s\bsu\bud\bdo\bo ALL
+ on the current host may use this option.
+
+ -u The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. Note that if the
+ _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option is set (see sudoers(4)) it is
not possible to run commands with a uid not listed in
the password database.
+ -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the ver
+ sion number and exit. If the invoking user is already
+ root the -\b-V\bV option will print out a list of the
+ defaults s\bsu\bud\bdo\bo was compiled with as well as the
+ machine's local network addresses.
+
-v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update
the user's timestamp, prompting for the user's pass
word if necessary. This extends the s\bsu\bud\bdo\bo timeout for
command line arguments. It is most useful in conjunc
tion with the -\b-s\bs flag.
+ Environment variables to be set for the command may also
+ be passed on the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be,
+ e.g. L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. This is only
+ permitted when the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs or the
+ command to be run has the SETENV tag set. See sudoers(4)
+ for more information.
+
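Review bot: the example chosen here, LD_LIBRARY_PATH, is exactly the kind of variable the SECURITY NOTES section says sudo strips because it controls dynamic loading; the paragraph should state outright that setenv / the SETENV tag lifts that restriction, so an administrator granting it understands the user can then steer which shared objects the privileged command loads. Style: "e.g." should be "e.g.," to match the fix applied to the cd example later in this patch.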
R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
Upon successful execution of a program, the return value
from s\bsu\bud\bdo\bo will simply be the return value of the program
and one of the directories in your PATH is on a machine
that is currently unreachable.
+
+
+
+
+1.7 June 23, 2007 5
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
s\bsu\bud\bdo\bo tries to be safe when executing external commands.
Variables that control how dynamic loading and binding is
as root.
To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both
-
-
-
-1.6.9 November 24, 2004 5
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
denoting current directory) last when searching for a com
mand in the user's PATH (if one or both are in the PATH).
Note, however, that the actual PATH environment variable
s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
(_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
- tents if it is not owned by root and only writable by
- root. On systems that allow non-root users to give away
- files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp directory is located
- in a directory writable by anyone (e.g.: _\b/_\bt_\bm_\bp), it is pos
- sible for a user to create the timestamp directory before
- s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the ownership
- and mode of the directory and its contents, the only dam
- age that can be done is to "hide" files by putting them in
- the timestamp dir. This is unlikely to happen since once
- the timestamp dir is owned by root and inaccessible by any
- other user the user placing files there would be unable to
- get them back out. To get around this issue you can use a
- directory that is not world-writable for the timestamps
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with
- the appropriate owner (root) and permissions (0700) in the
- system startup files.
+ tents if it is not owned by root or if it is writable by a
+ user other than root. On systems that allow non-root
+ users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
+ directory is located in a directory writable by anyone
+ (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the
+ timestamp directory before s\bsu\bud\bdo\bo is run. However, because
+ s\bsu\bud\bdo\bo checks the ownership and mode of the directory and
+ its contents, the only damage that can be done is to
+ "hide" files by putting them in the timestamp dir. This
+ is unlikely to happen since once the timestamp dir is
+ owned by root and inaccessible by any other user, the user
+ placing files there would be unable to get them back out.
+ To get around this issue you can use a directory that is
+ not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for
+ instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate
+ owner (root) and permissions (0700) in the system startup
+ files.
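Review bot: the rewritten condition is the right one; the old text ("not owned by root and only writable by root") described a directory sudo should have accepted, so this is a doc correction worth a line in CHANGES. One leftover: the paragraph still frames the pre-created-directory attack as something that matters only "on systems that allow non-root users to give away files via chown(2)", yet the check as now described rejects any directory writable by a non-root user regardless of chown semantics; consider saying so explicitly.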
+
+
+
+1.7 June 23, 2007 6
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
s\bsu\bud\bdo\bo will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 *
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables:
-
-
-
-
-1.6.9 November 24, 2004 6
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
EDITOR Default editor to use in -e (sudoedit) mode if
VISUAL is not set
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
+
+
+1.7 June 23, 2007 7
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Note: the following examples assume suitable sudoers(4)
entries.
$ sudo shutdown -r +15 "quick reboot"
-
-
-1.6.9 November 24, 2004 7
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-
shell to make the cd and file redirection work.
Many people have worked on s\bsu\bud\bdo\bo over the years; this ver
sion consists of code written primarily by:
- Todd Miller
- Chris Jepeway
+ Todd C. Miller
See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
http://www.sudo.ws/sudo/history.html for a short history
See the sudoers(4) manual for details.
It is not meaningful to run the cd command directly via
- sudo, e.g.
+ sudo, e.g.,
+
+
+
+
+1.7 June 23, 2007 8
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
$ sudo cd /usr/local/protected
- since when whe command exits the parent process (your
+ since when the command exits the parent process (your
shell) will still be the same. Please see the EXAMPLES
section for more information.
If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
-
-
-
-
-1.6.9 November 24, 2004 8
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Commercial support is available for s\bsu\bud\bdo\bo, see
- http://www.sudo.ws/sudo/support.html for details.
-
Limited free support is available via the sudo-users mail
ing list, see http://www.sudo.ws/mail
man/listinfo/sudo-users to subscribe or search the
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.6.9 November 24, 2004 9
+1.7 June 23, 2007 9
-.\" Copyright (c) 1994-1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 1994-1996, 1998-2005, 2007
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "November 24, 2004" "1.6.9" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-v\fR
+\&\fBsudo\fR \fB\-K\fR | \fB\-k\fR | \fB\-h\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR
.PP
-\&\fBsudo\fR [\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] \fB\-l\fR [\fIcommand\fR]
+\&\fBsudo\fR \fB\-l\fR [\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
-\&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
-{\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
+\&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR]
+[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
+[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
.PP
-\&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
+\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
file [...]
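Review bot: this file is generated by Pod::Man (see the header comment above), so the synopsis ordering, the missing -C/-E in the sudoedit line and everything else in this hunk must be changed in sudo.pod, not here, or the next regeneration reverts it; please confirm the .pod source carries the same edits. The first synopsis line here has the same out-of-order -K | -k | -h sequence as the rendered page.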
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBsudo\fR accepts the following command line options:
-.IP "\-H" 4
-.IX Item "-H"
-The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
-to the homedir of the target user (root by default) as specified
-in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
-(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)).
-.IP "\-K" 4
-.IX Item "-K"
-The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
-the user's timestamp entirely. Like \fB\-k\fR, this option does not
-require a password.
-.IP "\-L" 4
-.IX Item "-L"
-The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
-that may be set in a \fIDefaults\fR line along with a short description
-for each. This option is useful in conjunction with \fIgrep\fR\|(1).
-.IP "\-P" 4
-.IX Item "-P"
-The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to
-preserve the invoking user's group vector unaltered. By default,
-\&\fBsudo\fR will initialize the group vector to the list of groups the
-target user is in. The real and effective group IDs, however, are
-still set to match the target user.
-.IP "\-S" 4
-.IX Item "-S"
-The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
-the standard input instead of the terminal device.
-.IP "\-U" 4
-.IX Item "-U"
-The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
-option to specify the user whose privileges should be listed. Only
-root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
-option.
-.IP "\-V" 4
-.IX Item "-V"
-The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
-number and exit. If the invoking user is already root the \fB\-V\fR
-option will print out a list of the defaults \fBsudo\fR was compiled
-with as well as the machine's local network addresses.
.IP "\-a" 4
.IX Item "-a"
The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
command in the background. Note that if you use the \fB\-b\fR
option you cannot use shell job control to manipulate the process.
+.IP "\-C fd" 4
+.IX Item "-C fd"
+Normally, \fBsudo\fR will close all open file descriptors other than
+standard input, standard output and standard error. The \fB\-C\fR
+(\fIclose from\fR) option allows the user to specify a starting point
+above the standard error (file descriptor three). Values less than
+three are not permitted. This option is only available if the
+administrator has enabled the \fIclosefrom_override\fR option in
+sudoers(@mansectform@).
.IP "\-c" 4
.IX Item "-c"
The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
as root, or the \fBsudo\fR command must be run from a shell that is already
root. This option is only available on systems with \s-1BSD\s0 login classes
where \fBsudo\fR has been configured with the \-\-with\-logincap option.
+.IP "\-E" 4
+.IX Item "-E"
+The \fB\-E\fR (\fIpreserve environment\fR) option will override the
+\&\fIenv_reset\fR option in sudoers(@mansectform@)). It is only
+available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag
+or the \fIsetenv\fR option is set in sudoers(@mansectform@).
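Review bot: "sudoers(@mansectform@))." carries a stray closing parenthesis, the same one that shows up in the rendered page; since this file is generated from sudo.pod, fix it there.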
.IP "\-e" 4
.IX Item "-e"
The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running
user will receive a warning and the edited copy will remain in a
temporary file.
.RE
+.IP "\-H" 4
+.IX Item "-H"
+The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
+to the homedir of the target user (root by default) as specified
+in passwd(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR
+(see \fIset_home\fR and \fIalways_set_home\fR in sudoers(@mansectform@)).
.IP "\-h" 4
.IX Item "-h"
The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
being run as. The command name argument given to the shell begins
with a `\f(CW\*(C`\-\*(C'\fR' to tell the shell to run as a login shell. \fBsudo\fR
attempts to change to that user's home directory before running the
-shell. It also initializes the environment, leaving \fI\s-1TERM\s0\fR
-unchanged, setting \fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and
+shell. It also initializes the environment, leaving \fI\s-1DISPLAY\s0\fR
+and \fI\s-1TERM\s0\fR unchanged, setting \fI\s-1HOME\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and
\&\fI\s-1PATH\s0\fR, and unsetting all other environment variables.
+.IP "\-K" 4
+.IX Item "-K"
+The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
+the user's timestamp entirely. Like \fB\-k\fR, this option does not
+require a password.
.IP "\-k" 4
.IX Item "-k"
The \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp
run a password will be required. This option does not require a password
and was added to allow a user to revoke \fBsudo\fR permissions from a .logout
file.
+.IP "\-L" 4
+.IX Item "-L"
+The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
+that may be set in a \fIDefaults\fR line along with a short description
+for each. This option is useful in conjunction with \fIgrep\fR\|(1).
.IP "\-l [\fIcommand\fR]" 4
.IX Item "-l [command]"
If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
fully-qualified path to the command is displayed along with any
command line arguments. If \fIcommand\fR is not allowed, \fBsudo\fR will
exit with a return value of 1.
+.IP "\-P" 4
+.IX Item "-P"
+The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to
+preserve the invoking user's group vector unaltered. By default,
+\&\fBsudo\fR will initialize the group vector to the list of groups the
+target user is in. The real and effective group IDs, however, are
+still set to match the target user.
.IP "\-p" 4
.IX Item "-p"
The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
.IX Item "%H"
expanded to the local hostname including the domain name
(on if the machine's hostname is fully qualified or the \fIfqdn\fR
-sudoers option is set)
+\&\fIsudoers\fR option is set)
.ie n .IP "\*(C`%%\*(C'" 8
.el .IP "\f(CW\*(C`%%\*(C'\fR" 8
.IX Item "%%"
.RE
.RS 4
.RE
+.IP "\-S" 4
+.IX Item "-S"
+The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
+the standard input instead of the terminal device.
.IP "\-s" 4
.IX Item "-s"
The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
environment variable if it is set or the shell as specified
in passwd(@mansectform@).
+.IP "\-U" 4
+.IX Item "-U"
+The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
+option to specify the user whose privileges should be listed. Only
+root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
+option.
.IP "\-u" 4
.IX Item "-u"
The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command
\&\fIusername\fR, use \fI#uid\fR. Note that if the \fItargetpw\fR Defaults
option is set (see sudoers(@mansectform@)) it is not possible
to run commands with a uid not listed in the password database.
+.IP "\-V" 4
+.IX Item "-V"
+The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
+number and exit. If the invoking user is already root the \fB\-V\fR
+option will print out a list of the defaults \fBsudo\fR was compiled
+with as well as the machine's local network addresses.
.IP "\-v" 4
.IX Item "-v"
If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
.IP "\-\-" 4
The \fB\-\-\fR flag indicates that \fBsudo\fR should stop processing command
line arguments. It is most useful in conjunction with the \fB\-s\fR flag.
+.PP
+Environment variables to be set for the command may also be passed
+on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
+\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. This is only permitted
+when the \fIsetenv\fR option is set in \fIsudoers\fR or the command to
+be run has the \f(CW\*(C`SETENV\*(C'\fR tag set. See sudoers(@mansectform@)
+for more information.
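Review bot: "e.g." in the VAR=value paragraph should be "e.g.," for consistency with the cd example fixed below in this same patch; make the change in sudo.pod so the generated file follows.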
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Upon successful execution of a program, the return value from \fBsudo\fR
.PP
\&\fBsudo\fR will check the ownership of its timestamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if
-it is not owned by root and only writable by root. On systems that
-allow non-root users to give away files via \fIchown\fR\|(2), if the timestamp
-directory is located in a directory writable by anyone (e.g.: \fI/tmp\fR),
-it is possible for a user to create the timestamp directory before
-\&\fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and
-mode of the directory and its contents, the only damage that can
-be done is to \*(L"hide\*(R" files by putting them in the timestamp dir.
-This is unlikely to happen since once the timestamp dir is owned
-by root and inaccessible by any other user the user placing files
-there would be unable to get them back out. To get around this
-issue you can use a directory that is not world-writable for the
-timestamps (\fI/var/adm/sudo\fR for instance) or create \fI@timedir@\fR
-with the appropriate owner (root) and permissions (0700) in the
-system startup files.
+it is not owned by root or if it is writable by a user other than
+root. On systems that allow non-root users to give away files via
+\&\fIchown\fR\|(2), if the timestamp directory is located in a directory
+writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to
+create the timestamp directory before \fBsudo\fR is run. However,
+because \fBsudo\fR checks the ownership and mode of the directory and
+its contents, the only damage that can be done is to \*(L"hide\*(R" files
+by putting them in the timestamp dir. This is unlikely to happen
+since once the timestamp dir is owned by root and inaccessible by
+any other user, the user placing files there would be unable to get
+them back out. To get around this issue you can use a directory
+that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for
+instance) or create \fI@timedir@\fR with the appropriate owner (root)
+and permissions (0700) in the system startup files.
.PP
\&\fBsudo\fR will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
Many people have worked on \fBsudo\fR over the years; this
version consists of code written primarily by:
.PP
-.Vb 2
-\& Todd Miller
-\& Chris Jepeway
+.Vb 1
+\& Todd C. Miller
.Ve
.PP
See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
\&\fInoexec\fR functionality. See the sudoers(@mansectform@) manual
for details.
.PP
-It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.
+It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
.PP
.Vb 1
\& $ sudo cd /usr/local/protected
.Ve
.PP
-since when whe command exits the parent process (your shell) will
+since when the command exits the parent process (your shell) will
still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
.PP
If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
-Commercial support is available for \fBsudo\fR, see
-http://www.sudo.ws/sudo/support.html for details.
-.PP
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
-1.6.9 November 28, 2004 1
+1.7 June 23, 2007 1
-1.6.9 November 28, 2004 2
+1.7 June 23, 2007 2
addresses, network numbers, netgroups (prefixed with '+')
and other aliases. Again, the value of an item may be
negated with the '!' operator. If you do not specify a
- netmask with a network number, the netmask of the host's
- ethernet interface(s) will be used when matching. The
+ netmask along with the network number, s\bsu\bud\bdo\bo will query
+ each of the local host's network interfaces and, if the
+ network number corresponds to one of the hosts's network
+ interfaces, the corresponding netmask will be used. The
netmask may be specified either in dotted quad notation
- (e.g. 255.255.255.0) or CIDR notation (number of bits,
+ (e.g. 255.255.255.0) or CIDR notation (number of bits,
e.g. 24). A hostname may include shell-style wildcards
(see the Wildcards section below), but unless the hostname
command on your machine returns the fully qualified host
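Review bot: "hosts's" in the new netmask sentence ("corresponds to one of the hosts's network interfaces") is a typo for "host's"; the roff source of this same paragraph later in the patch carries the identical slip, so both copies should be corrected together. The rewrite itself is an improvement: it says exactly how the netmask is chosen when none is given (by matching the network number against the local interfaces) instead of the vaguer "ethernet interface(s)" wording it replaces.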
he/she wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
- w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory is a fully
- qualified pathname ending in a '/'. When you specify a
-1.6.9 November 28, 2004 3
+1.7 June 23, 2007 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory is a fully
+ qualified pathname ending in a '/'. When you specify a
directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories
therein).
Lists have two additional assignment operators, += and -=.
These operators are used to add to and delete from a list
respectively. It is not an error to use the -= operator
- to remove an element that does not exist in a list.
-
-1.6.9 November 28, 2004 4
+1.7 June 23, 2007 4
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ to remove an element that does not exist in a list.
+
F\bFl\bla\bag\bgs\bs:
long_otp_prompt
authenticate
If set, users must authenticate themselves via
- a password (or other means of authentication)
- before they may run commands. This default
-1.6.9 November 28, 2004 5
+1.7 June 23, 2007 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ a password (or other means of authentication)
+ before they may run commands. This default
may be overridden via the PASSWD and NOPASSWD
tags. This flag is _\bo_\bn by default.
on the location of executables that the normal
user does not have access to. The disadvan
tage is that if the executable is simply not
- in the user's PATH, s\bsu\bud\bdo\bo will tell the user
- that they are not allowed to run it, which can
-1.6.9 November 28, 2004 6
+1.7 June 23, 2007 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ in the user's PATH, s\bsu\bud\bdo\bo will tell the user
+ that they are not allowed to run it, which can
be confusing. This flag is _\bo_\bf_\bf by default.
preserve_groups
things like "rsh somehost sudo ls" since
_\br_\bs_\bh(1) does not allocate a tty. Because it is
not possible to turn off echo when there is no
- tty present, some sites may with to set this
+ tty present, some sites may wish to set this
flag to prevent a user from entering a visible
password. This flag is _\bo_\bf_\bf by default.
in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is off by
- default.
-
-1.6.9 November 28, 2004 7
+1.7 June 23, 2007 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ default.
+
rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password
instead of the password of the invoking user.
This flag is _\bo_\bf_\bf by default.
argument to the -\b-u\bu flag. This flag is _\bo_\bf_\bf by
default.
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME and USER
- environment variables to the name of the tar
- get user (usually root unless the -\b-u\bu flag is
- given). However, since some programs (includ
- ing the RCS revision control system) use LOG
- NAME to determine the real identity of the
- user, it may be desirable to change this
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and
+ USERNAME environment variables to the name of
+ the target user (usually root unless the -\b-u\bu
+ flag is given). However, since some programs
+ (including the RCS revision control system)
+ use LOGNAME to determine the real identity of
+ the user, it may be desirable to change this
behavior. This can be done by negating the
- set_logname option.
+ set_logname option. Note that if the
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been disabled,
+ entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override the
+ value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be.
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
real and effective UIDs are set to the target
_\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
- only contain the following variables: HOME,
- LOGNAME, PATH, SHELL, TERM, and USER (in addi
- tion to the SUDO_* variables). Of these, only
- TERM is copied unaltered from the old environ
- ment. The other variables are set to default
- values (possibly modified by the value of the
- _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be option). If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh
- option is set, its value will be used for the
- PATH environment variable. Other variables
- may be preserved with the _\be_\bn_\bv_\b__\bk_\be_\be_\bp option.
-
- use_loginclass
- If set, s\bsu\bud\bdo\bo will apply the defaults specified
+ only contain the LOGNAME, SHELL, USER, USER
+ NAME and the SUDO_* variables. Any variables
+ in the caller's environment that match the
+ env_keep and env_check lists are then added.
+ The default contents of the env_keep and
+ env_check lists are displayed when s\bsu\bud\bdo\bo is run
+ by root with the _\b-_\bV option. If the
+ _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its -value will be
-1.6.9 November 28, 2004 8
+1.7 June 23, 2007 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ used for the PATH environment variable. This
+ flag is _\bo_\bn by default.
+
+ use_loginclass
+ If set, s\bsu\bud\bdo\bo will apply the defaults specified
for the target user's login class if one
exists. Only available if s\bsu\bud\bdo\bo is configured
with the --with-logincap option. This flag is
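Review bot: stray hyphen in the new env_reset paragraph: "its -value will be used for the PATH environment variable" should read "its value will be used". Separately, the new text ends with "This flag is on by default" while the paragraph it replaces stated no default at all; if this reflects a change in the shipped default rather than a documentation omission being filled, it is a behaviour change worth calling out explicitly, since with env_reset on a caller's variables only reach the command if they appear in the env_keep or env_check lists (the new text points readers to "sudo -V" as root for those defaults, which is the right place to send them).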
ignore_local_sudoers
If set via LDAP, parsing of @sysconfdir@/sudo
- ers will be skipped. This is intended for an
+ ers will be skipped. This is intended for
Enterprises that wish to prevent the usage of
local sudoers files so that only LDAP is used.
This thwarts the efforts of rogue operators
meaningful for the cn=defaults section. This
flag is _\bo_\bf_\bf by default.
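Review bot: "This is intended for Enterprises that wish to prevent..." capitalises a common noun; "enterprises" (or simply "sites") reads better. Dropping the stray "an" from the old sentence is correct.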
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option
+ which overrides the default starting point at
+ which s\bsu\bud\bdo\bo begins closing open file descrip
+ tors. This flag is _\bo_\bf_\bf by default.
+
I\bIn\bnt\bte\beg\bge\ber\brs\bs:
passwd_tries
The number of tries a user gets to enter
his/her password before s\bsu\bud\bdo\bo logs the failure
- and exits. The default is 3.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- loglinelen Number of characters per line for the file
- log. This value is used to decide when to
- wrap lines for nicer log files. This has no
- effect on the syslog log file, only the file
- log. The default is 80 (use 0 or negate the
- option to disable word wrap).
+1.7 June 23, 2007 9
-1.6.9 November 28, 2004 9
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ and exits. The default is 3.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ loglinelen Number of characters per line for the file
+ log. This value is used to decide when to
+ wrap lines for nicer log files. This has no
+ effect on the syslog log file, only the file
+ log. The default is 80 (use 0 or negate the
+ option to disable word wrap).
timestamp_timeout
Number of minutes that can elapse before s\bsu\bud\bdo\bo
this option or set it to 0777 to preserve the
user's umask. The default is 0022.
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will close
+ all open file descriptors other than standard
+ input, standard output and standard error (ie:
+ file descriptors 0-2). The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option
+ can be used to specify a different file
+ descriptor at which to start closing. The
+ default is 3.
+
+ setenv Allow the user to set additional environment
+ variables from the command line. Note that
+ variables set this way are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be,
+ or _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. As such, only trusted users
+ should be allowed to set variables in this
+ manner.
+
S\bSt\btr\bri\bin\bng\bgs\bs:
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user.
the machine. Default is *** SECURITY informa
tion for %h ***.
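Review bot: the new setenv entry describes a boolean ("Allow the user to set additional environment variables from the command line") but is placed among the integer options, between closefrom and the Strings heading, and unlike the other flags it never states its default. Move it to the Flags section and add a "This flag is ... by default." sentence with the shipped default, so a reader can tell at a glance whether VAR=value assignments on the command line are accepted without a SETENV tag; the warning that such variables bypass env_check, env_delete and env_reset is the right one to keep. Also, the new closefrom text writes "(ie: file descriptors 0-2)" while the Tag_Spec prose later in this patch writes "(i.e.:"; pick one form.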
+
+
+
+
+1.7 June 23, 2007 10
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
badpass_message
Message that is displayed if a user enters an
incorrect password. The default is Sorry, try
%h expanded to the local hostname without
the domain name
-
-
-1.6.9 November 28, 2004 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
%H expanded to the local hostname includ
ing the domain name (on if the
machine's hostname is fully qualified
or the _\bf_\bq_\bd_\bn option is set)
%% two consecutive % characters are col
- laped into a single % character
+ lapsed into a single % character
The default value is Password:.
Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
+
+
+
+1.7 June 23, 2007 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
editor A colon (':') separated list of editors
allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will
- choose the editor that matches the user's USER
- environment variable if possible, or the first
- editor in the list that exists and is exe
- cutable. The default is the path to vi on
+ choose the editor that matches the user's EDI
+ TOR environment variable if possible, or the
+ first editor in the list that exists and is
+ executable. The default is the path to vi on
your system.
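Review bot: the editor entry now correctly says visudo honours the EDITOR environment variable rather than USER, but the env_editor flag earlier on this page says visudo uses "the EDITOR or VISUAL" variable. Mention VISUAL here as well, and say which of the two is consulted first when both are set, so the two descriptions agree.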
noexec_file Path to a shared library containing dummy ver
This is used to implement the _\bn_\bo_\be_\bx_\be_\bc function
ality on systems that support LD_PRELOAD or
its equivalent. Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc.
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
always Always lecture the user.
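Review bot: the noexec_file default changes from /usr/local/libexec/sudo_noexec.so to /usr/local/libexec/sudo_noexec, dropping the shared-library suffix. Please confirm that the installed file really has no extension on every platform where noexec is supported via LD_PRELOAD or its equivalent; if the build appends a platform-specific suffix, the documented default would point at a file that does not exist and the noexec tag would not take effect.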
-
-
-
-1.6.9 November 28, 2004 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
If no value is specified, a value of _\bo_\bn_\bc_\be is
implied. Negating the option results in a
value of _\bn_\be_\bv_\be_\br being used. The default value
mailerflags Flags to use when invoking mailer. Defaults to
-\b-t\bt.
+
+
+
+1.7 June 23, 2007 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
mailto Address to send warning and error mail to.
The address should be enclosed in double
quotes (") to protect against s\bsu\bud\bdo\bo interpret
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
entries for the current host must have
-
-
-
-1.6.9 November 28, 2004 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
the NOPASSWD flag set to avoid enter
ing a password.
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
+ the NOPASSWD flag set to avoid
+
+
+
+1.7 June 23, 2007 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ entering a password.
never The user need never enter a password
to use the -\b-l\bl flag.
rated list or a single value without dou
ble-quotes. The list can be replaced, added
to, deleted from, or disabled by using the =,
- +=, -=, and ! operators respectively. The
+ +=, -=, and ! operators respectively. Regard
+ less of whether the env_reset option is
+ enabled or disabled, variables specified by
+ env_check will be preserved in the environment
+ if they pass the aforementioned check. The
default list of environment variables to check
- is printed when s\bsu\bud\bdo\bo is run by root with the
+ is displayed when s\bsu\bud\bdo\bo is run by root with the
_\b-_\bV option.
-
-
-
-1.6.9 November 28, 2004 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
env_delete Environment variables to be removed from the
user's environment. The argument may be a
double-quoted, space-separated list or a sin
be replaced, added to, deleted from, or dis
abled by using the =, +=, -=, and ! operators
respectively. The default list of environment
- variables to remove is printed when s\bsu\bud\bdo\bo is
+ variables to remove is displayed when s\bsu\bud\bdo\bo is
run by root with the _\b-_\bV option. Note that
many operating systems will remove potentially
dangerous variables from the environment of
cesses will receive. The argument may be a
double-quoted, space-separated list or a sin
gle value without double-quotes. The list can
- be replaced, added to, deleted from, or dis
- abled by using the =, +=, -=, and ! operators
- respectively. This list has no default mem
- bers.
+ be replaced, added to, deleted from, or
+
+
+
+1.7 June 23, 2007 14
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ disabled by using the =, +=, -=, and ! opera
+ tors respectively. The default list of vari
+ ables to keep is displayed when s\bsu\bud\bdo\bo is run by
+ root with the _\b-_\bV option.
When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
Runas_Spec ::= '(' Runas_List ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'MONITOR' | 'NOMONITOR')
+ 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
run (and as what user) on specified hosts. By default,
Let's break that down into its constituent parts:
-
-
-1.6.9 November 28, 2004 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
A Runas_Spec is simply a Runas_List (as defined above)
It is also possible to override a Runas_Spec later on in
an entry. If we modify the entry like so:
+
+
+
+1.7 June 23, 2007 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it.
- There are four possible tag values, NOPASSWD, PASSWD,
- NOEXEC, EXEC, MONITOR and NOMONITOR. Once a tag is set on
- a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
- the tag unless it is overridden by the opposite tag (ie:
- PASSWD overrides NOPASSWD and NOMONITOR overrides MONI
- TOR).
+ There are eight possible tag values, NOPASSWD, PASSWD,
+ NOEXEC, EXEC, SETENV, NOSETENV, MONITOR and NOMONITOR.
+ Once a tag is set on a Cmnd, subsequent Cmnds in the
+ Cmnd_Spec_List, inherit the tag unless it is overridden by
+ the opposite tag (i.e.: PASSWD overrides NOPASSWD and
+ NOEXEC overrides EXEC).
_\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users
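Review bot: the reflowed sentence "subsequent Cmnds in the Cmnd_Spec_List, inherit the tag" keeps a stray comma between subject and verb; drop it. The new parenthetical "(i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC)" should use "i.e.," to match the "e.g.," style adopted earlier in this patch. The count change from four to eight tag values is consistent with the SETENV: and NOSETENV: additions to Tag_Spec above.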
-
-
-
-1.6.9 November 28, 2004 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
By default, if the NOPASSWD tag is applied to any of the
In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+
+
+1.7 June 23, 2007 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will
work on your system.
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
+
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a
+ per-command basis. Note that environment variables set on
+ the command line way are not subject to the restrictions
+ imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. As such,
+ only trusted users should be allowed to set variables in
+ this manner.
+
_\bM_\bO_\bN_\bI_\bT_\bO_\bR _\ba_\bn_\bd _\bN_\bO_\bM_\bO_\bN_\bI_\bT_\bO_\bR
If s\bsu\bud\bdo\bo has been configured with the --with-systrace
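Review bot: "environment variables set on the command line way are not subject to the restrictions" has a stray "way"; it should read "set on the command line are not subject to". The warning itself is worth keeping verbatim from the setenv option description: a SETENV tag lets that one command receive variables that env_check, env_delete and env_reset would otherwise filter, so it should be granted only where the per-command scope of the tag is actually intended.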
* Matches any set of zero or more characters.
+ ? Matches any single character.
+
+ [...] Matches any character in the specified range.
+ [!...] Matches any character n\bno\bot\bt in the specified range.
-1.6.9 November 28, 2004 16
+ \x For any character "x", evaluates to "x". This is
+ used to escape special characters such as: "*",
+ "?", "[", and "}".
+1.7 June 23, 2007 17
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- ? Matches any single character.
- [...] Matches any character in the specified range.
- [!...] Matches any character n\bno\bot\bt in the specified range.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
Note that a forward slash ('/') will n\bno\bot\bt be matched by
wildcards used in the pathname. When matching the command
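Review bot: in the \x description, the list of characters that need escaping ends with "}" ("*", "?", "[", and "}"); given the [...] and [!...] forms listed just above, the bracket with special meaning is "]", so this looks like a long-standing typo carried across the reflow. Worth fixing while the block is being touched.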
The pound sign ('#') is used to indicate a comment (unless
it is part of a #include directive or unless it occurs in
the context of a user name and is followed by one or more
+ digits, in which case it is treated as a uid). Both the
+ comment character and any text after it, up to the end of
+ the line, are ignored.
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
+ causes a match to succeed. It can be used wherever one
+ might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
+ or Host_Alias. You should not try to define your own
+ _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be
-1.6.9 November 28, 2004 17
+1.7 June 23, 2007 18
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- digits, in which case it is treated as a uid). Both the
- comment character and any text after it, up to the end of
- the line, are ignored.
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
- causes a match to succeed. It can be used wherever one
- might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
- or Host_Alias. You should not try to define your own
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
dangerous since in a command context, it allows the user
to run a\ban\bny\by command on the system.
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
-1.6.9 November 28, 2004 18
+1.7 June 23, 2007 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
We want s\bsu\bud\bdo\bo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
in all cases. We don't want to subject the full time
staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not give a
- password, and we don't want to reset the LOGNAME or USER
- environment variables when running commands as root.
- Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias,
- we keep an additional local log file and make sure we log
- the year in each log line since the log entries will be
- kept around for several years. Lastly, we disable shell
- escapes for the commands in the PAGERS Cmnd_Alias
- (/usr/bin/more, /usr/bin/pg and /usr/bin/less).
+ password, and we don't want to reset the LOGNAME, USER or
+ USERNAME environment variables when running commands as
+ root. Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS
+ Host_Alias, we keep an additional local log file and make
+ sure we log the year in each log line since the log
+ entries will be kept around for several years. Lastly, we
+ disable shell escapes for the commands in the PAGERS
+ Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).
# Override built-in defaults
Defaults syslog=auth
We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on
any host as any user.
+ FULLTIMERS ALL = NOPASSWD: ALL
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
+ any command on any host without authenticating themselves.
+ PARTTIMERS ALL = ALL
-1.6.9 November 28, 2004 19
-
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
+ any command on any host but they must authenticate them
+ selves first (since the entry lacks the NOPASSWD tag).
+1.7 June 23, 2007 20
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
- any command on any host without authenticating themselves.
- PARTTIMERS ALL = ALL
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
- any command on any host but they must authenticate them
- selves first (since the entry lacks the NOPASSWD tag).
jack CSNETS = ALL
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
netgroup. S\bSu\bud\bdo\bo knows that "biglab" is a netgroup due to
+ the '+' prefix.
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
+ printers as well as add and remove users, so they are
+ allowed to run those commands on all machines.
-1.6.9 November 28, 2004 20
+ fred ALL = (DB) NOPASSWD: ALL
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
+1.7 June 23, 2007 21
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- the '+' prefix.
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
- printers as well as add and remove users, so they are
- allowed to run those commands on all machines.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
type, so it is a prime candidate for encapsulating in a
shell script.
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ It is generally not effective to "subtract" commands from
+ ALL using the '!' operator. A user can trivially circum
+ vent this by copying the desired command to a different
+ name and then executing that. For example:
+
+ bill ALL = ALL, !SU, !SHELLS
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those
-1.6.9 November 28, 2004 21
+1.7 June 23, 2007 22
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from
- ALL using the '!' operator. A user can trivially circum
- vent this by copying the desired command to a different
- name and then executing that. For example:
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
- mands to a different name, or use a shell escape from an
- editor or other program. Therefore, these kind of
+ commands to a different name, or use a shell escape from
+ an editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and
reinforced by policy).
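Review bot: "these kind of restrictions" in the reflowed SECURITY NOTES text should be "this kind of restriction" or "these kinds of restrictions". The substance is right and worth the prominent placement: the bill example shows that excluding commands from ALL with '!' does not limit what the user can execute, which is exactly why the section calls such rules advisory.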
If the resulting output contains a line that
begins with:
+ File containing dummy exec functions:
+ then s\bsu\bud\bdo\bo may be able to replace the exec family
+ of functions in the standard library with its
+ own that simply return an error. Unfortunately,
+ there is no foolproof way to know whether or not
+ _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bN_\bo_\be_\bx_\be_\bc should
+ work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
+ UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
-1.6.9 November 28, 2004 22
+1.7 June 23, 2007 23
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- File containing dummy exec functions:
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
- then s\bsu\bud\bdo\bo may be able to replace the exec family
- of functions in the standard library with its
- own that simply return an error. Unfortunately,
- there is no foolproof way to know whether or not
- _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bN_\bo_\be_\bx_\be_\bc should
- work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
- UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
to work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected
to work on most operating systems that support
the LD_PRELOAD environment variable. Check your
At the time of this writing the s\bsy\bys\bst\btr\bra\bac\bce\be pseudo-
device comes standard with OpenBSD and NetBSD
+ and is available as patches to FreeBSD, MacOS X
+ and Linux. See <http://www.systrace.org/> for
+ more information.
+ Note that restricting shell escapes is not a panacea.
+ Programs running as root are still capable of many poten
+ tially hazardous operations (such as changing or overwrit
+ ing files) that could lead to unintended privilege escala
+ tion. In the specific case of an editor, a safer approach
-1.6.9 November 28, 2004 23
+
+1.7 June 23, 2007 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- and is available as patches to FreeBSD, MacOS X
- and Linux. See <http://www.systrace.org/> for
- more information.
-
- Note that restricting shell escapes is not a panacea.
- Programs running as root are still capable of many poten
- tially hazardous operations (such as changing or overwrit
- ing files) that could lead to unintended privilege escala
- tion. In the specific case of an editor, a safer approach
is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
bug report at http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Commercial support is available for s\bsu\bud\bdo\bo, see
- http://www.sudo.ws/sudo/support.html for details.
-
Limited free support is available via the sudo-users mail
ing list, see http://www.sudo.ws/mail
man/listinfo/sudo-users to subscribe or search the
-1.6.9 November 28, 2004 24
+
+
+
+
+
+
+
+
+
+
+
+
+1.7 June 23, 2007 25
-.\" Copyright (c) 1994-1996,1998-2004 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 1994-1996,1998-2005 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "November 28, 2004" "1.6.9" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups
are matched as strings. In other words, two users (groups) with
the same uid (gid) are considered to be distinct. If you wish to
-match all usernames with the same uid (e.g. root and toor), you
+match all usernames with the same uid (e.g.\ root and toor), you
can use a uid instead (#0 in the example given).
.PP
.Vb 2
A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
-If you do not specify a netmask with a network number, the netmask
-of the host's ethernet interface(s) will be used when matching.
-The netmask may be specified either in dotted quad notation (e.g.
-255.255.255.0) or \s-1CIDR\s0 notation (number of bits, e.g. 24). A hostname
-may include shell-style wildcards (see the Wildcards section below),
+If you do not specify a netmask along with the network number,
+\&\fBsudo\fR will query each of the local host's network interfaces and,
+if the network number corresponds to one of the hosts's network
+interfaces, the corresponding netmask will be used. The netmask
+may be specified either in dotted quad notation (e.g.\ 255.255.255.0)
+or \s-1CIDR\s0 notation (number of bits, e.g.\ 24). A hostname may
+include shell-style wildcards (see the Wildcards section below),
but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
-qualified hostname, you'll need to use the \fIfqdn\fR option for wildcards
-to be useful.
+qualified hostname, you'll need to use the \fIfqdn\fR option for
+wildcards to be useful.
.PP
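Review bot: "hosts's" in the new netmask sentence is a typo for "host's", the same slip as in the rendered copy of this paragraph earlier in the patch. The "e.g.\ " non-breaking spaces added here are a good touch, as they stop the formatter from breaking a line between "e.g." and the example value.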
.Vb 2
\& Cmnd_List ::= Cmnd |
If set, \fBsudo\fR will only run when the user is logged in to a real
tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
\&\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
-off echo when there is no tty present, some sites may with to set
+off echo when there is no tty present, some sites may wish to set
this flag to prevent a user from entering a visible password. This
flag is \fIoff\fR by default.
.IP "env_editor" 12
This flag is \fIoff\fR by default.
.IP "set_logname" 12
.IX Item "set_logname"
-Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR and \f(CW\*(C`USER\*(C'\fR environment variables
-to the name of the target user (usually root unless the \fB\-u\fR flag is given).
-However, since some programs (including the \s-1RCS\s0 revision control system)
-use \f(CW\*(C`LOGNAME\*(C'\fR to determine the real identity of the user, it may be desirable
-to change this behavior. This can be done by negating the set_logname option.
+Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
+environment variables to the name of the target user (usually root
+unless the \fB\-u\fR flag is given). However, since some programs
+(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
+determine the real identity of the user, it may be desirable to
+change this behavior. This can be done by negating the set_logname
+option. Note that if the \fIenv_reset\fR option has not been disabled,
+entries in the \fIenv_keep\fR list will override the value of
+\&\fIset_logname\fR.
.IP "stay_setuid" 12
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
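Review bot: the new set_logname sentence uses a double negative, `if the \fIenv_reset\fR option has not been disabled`; `if env_reset is enabled (the default)` reads more clearly and matches the `This flag is \fIon\fR by default` wording this patch gives env_reset. The env_keep dependency itself is worth keeping: it is the only place that tells an administrator why negating set_logname may appear to have no effect.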
.IP "env_reset" 12
.IX Item "env_reset"
If set, \fBsudo\fR will reset the environment to only contain the
-following variables: \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`TERM\*(C'\fR,
-and \f(CW\*(C`USER\*(C'\fR (in addition to the \f(CW\*(C`SUDO_*\*(C'\fR variables).
-Of these, only \f(CW\*(C`TERM\*(C'\fR is copied unaltered from the old environment.
-The other variables are set to default values (possibly modified
-by the value of the \fIset_logname\fR option). If the \fIsecure_path\fR
-option is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
-Other variables may be preserved with the \fIenv_keep\fR option.
+\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
+variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
+and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
+\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
+run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
+is set, its \-value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
+This flag is \fIon\fR by default.
.IP "use_loginclass" 12
.IX Item "use_loginclass"
If set, \fBsudo\fR will apply the defaults specified for the target user's
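Review bot: stray escape in the added secure_path sentence, `its \-value will be used` renders as `its -value`; drop the `\-`. Also, the removed lines named HOME, PATH and TERM and explained which were copied from the caller versus set to defaults, while the first added line (`+\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the ...`) follows the context `to only contain the` with no `following variables:` lead-in and silently drops those three names without saying whether they are now expected to come from env_keep or are still set explicitly. Since this option decides what a privileged command inherits, spell out the HOME/PATH/TERM handling in the text rather than pointing only at `sudo -V`.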
.IP "ignore_local_sudoers" 12
.IX Item "ignore_local_sudoers"
If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
-This is intended for an Enterprises that wish to prevent the usage of local
+This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries
have been matched, this sudoOption is only meaningful for the cn=defaults
section. This flag is \fIoff\fR by default.
+.IP "closefrom_override" 12
+.IX Item "closefrom_override"
+If set, the user may use \fBsudo\fR's \fB\-C\fR option which
+overrides the default starting point at which \fBsudo\fR begins
+closing open file descriptors. This flag is \fIoff\fR by default.
.PP
\&\fBIntegers\fR:
.IP "passwd_tries" 12
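Review bot: the closefrom_override entry should state how the \fB\-C\fR value is constrained relative to the closefrom default described under Integers (in particular whether a caller may pass a value below 3 and so keep descriptors adjacent to stdin/stdout/stderr open), because a descriptor deliberately left open across the privilege boundary is exactly what this knob controls. A cross-reference to the closefrom option and to the `[-C fd]` entry in the sudo(1m) synopsis would help readers find the two halves.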
.IX Item "umask"
Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The default is \f(CW\*(C`@sudo_umask@\*(C'\fR.
+.IP "closefrom" 12
+.IX Item "closefrom"
+Before it executes a command, \fBsudo\fR will close all open file
+descriptors other than standard input, standard output and standard
+error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
+to specify a different file descriptor at which to start closing.
+The default is 3.
+.IP "setenv" 12
+.IX Item "setenv"
+Allow the user to set additional environment variables from the
+command line. Note that variables set this way are not subject to
+the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
+\&\fIenv_reset\fR. As such, only trusted users should be allowed to set
+variables in this manner.
.PP
\&\fBStrings\fR:
.IP "mailsub" 12
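Review bot: `setenv` is added to the Integers list right after closefrom, but its description (`Allow the user to set additional environment variables from the command line`) is a boolean and the entry lacks the `This flag is \fIoff\fR by default.` sentence every other flag carries; move it to the Flags list and state its default explicitly, since this is the option that lets untrusted environment past env_check, env_delete and env_reset. Also `ie:` in the closefrom entry (`(ie: file descriptors 0\-2)`) is inconsistent with the `i.e.:` spelling this same patch introduces in the Tag_Spec text.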
.ie n .IP "\*(C`%%\*(C'" 8
.el .IP "\f(CW\*(C`%%\*(C'\fR" 8
.IX Item "%%"
-two consecutive \f(CW\*(C`%\*(C'\fR characters are collaped into a single \f(CW\*(C`%\*(C'\fR character
+two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
.RE
.RS 12
.Sp
.IX Item "editor"
A colon (':') separated list of editors allowed to be used with
\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
-\&\s-1USER\s0 environment variable if possible, or the first editor in the
+\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
list that exists and is executable. The default is the path to vi
on your system.
.IP "noexec_file" 12
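Review bot: the USER to EDITOR correction in the `editor` entry is right, but the visudo(1m) text in this same patch says the editor is chosen from the VISUAL or EDITOR variables, so mention VISUAL here as well; otherwise the two pages disagree on which variable is consulted.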
poorly-written programs. The argument may be a double\-quoted,
space-separated list or a single value without double\-quotes. The
list can be replaced, added to, deleted from, or disabled by using
-the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default
-list of environment variables to check is printed when \fBsudo\fR is
-run by root with the \fI\-V\fR option.
+the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
+of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
+specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
+they pass the aforementioned check. The default list of environment
+variables to check is displayed when \fBsudo\fR is run by root with
+the \fI\-V\fR option.
.IP "env_delete" 12
.IX Item "env_delete"
Environment variables to be removed from the user's environment.
single value without double\-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
-variables to remove is printed when \fBsudo\fR is run by root with the
+variables to remove is displayed when \fBsudo\fR is run by root with the
\&\fI\-V\fR option. Note that many operating systems will remove potentially
dangerous variables from the environment of any setuid process (such
as \fBsudo\fR).
The argument may be a double\-quoted, space-separated list or a
single value without double\-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
-\&\f(CW\*(C`!\*(C'\fR operators respectively. This list has no default members.
+\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
+is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
.PP
When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
for the syslog facility (the value of the \fBsyslog\fR Parameter):
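Review bot: replacing `This list has no default members.` with a pointer to `sudo -V` means env_keep now ships with default entries, and the set_logname text in this patch says env_keep entries override set_logname. Document whether LOGNAME, USER or USERNAME are among those defaults; without that an administrator cannot tell from the manual whether set_logname has any effect on a stock install.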
.PP
.Vb 2
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-\& 'MONITOR' | 'NOMONITOR')
+\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
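Review bot: besides adding `'SETENV:' | 'NOSETENV:'`, this hunk silently corrects the missing `:` on `'MONITOR' | 'NOMONITOR'` in the grammar; worth a mention in the commit message, since the old grammar did not match the `NOPASSWD:` form used for the other tags.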
.Sh "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
-four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
-\&\f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
+eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
+\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
-opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR
-overrides \f(CW\*(C`MONITOR\*(C'\fR).
+opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
+overrides \f(CW\*(C`EXEC\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
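Review bot: the overriding example now reads `PASSWD overrides NOPASSWD and NOEXEC overrides EXEC`; with SETENV/NOSETENV added in the same hunk, listing that pair (and MONITOR/NOMONITOR, which the removed line cited) would make it explicit that each of the eight tags has an opposite and that inheritance along the Cmnd_Spec_List applies to all of them.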
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
.PP
+\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
+.IX Subsection "SETENV and NOSETENV"
+.PP
+These tags override the value of the \fIsetenv\fR option on a per-command
+basis. Note that environment variables set on the command line way
+are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_reset\fR. As such, only trusted users should
+be allowed to set variables in this manner.
+.PP
\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
.IX Subsection "MONITOR and NOMONITOR"
.PP
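Review bot: stray word in the added SETENV text, `environment variables set on the command line way are not subject` (drop `way`). The sentence about env_check, env_delete and env_reset duplicates the `setenv` option entry word for word; a cross-reference to that entry would keep the two from drifting, and since it is the security-relevant statement for this feature it should live in one place.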
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
.PP
The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g. a username or hostname):
+used as part of a word (e.g.\ a username or hostname):
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
.SH "FILES"
.IX Header "FILES"
\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
cases. We don't want to subject the full time staff to the \fBsudo\fR
lecture, user \fBmillert\fR need not give a password, and we don't
-want to reset the \f(CW\*(C`LOGNAME\*(C'\fR or \f(CW\*(C`USER\*(C'\fR environment variables when
-running commands as root. Additionally, on the machines in the
-\&\fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional local log file and
-make sure we log the year in each log line since the log entries
-will be kept around for several years. Lastly, we disable shell
-escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR (/usr/bin/more,
-/usr/bin/pg and /usr/bin/less).
+want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
+variables when running commands as root. Additionally, on the
+machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
+local log file and make sure we log the year in each log line since
+the log entries will be kept around for several years. Lastly, we
+disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
+(/usr/bin/more, /usr/bin/pg and /usr/bin/less).
.PP
.Vb 7
\& # Override built-in defaults
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
-Commercial support is available for \fBsudo\fR, see
-http://www.sudo.ws/sudo/support.html for details.
-.PP
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.
script. Normally, v\bvi\bis\bsu\bud\bdo\bo does not honor the VISUAL or
EDITOR environment variables unless they contain an editor
in the aforementioned editors list. However, if v\bvi\bis\bsu\bud\bdo\bo is
- configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\be_\bd_\bi_\bt_\bo_\br flag or the _\be_\bn_\bv_\be_\bd_\bi_\bt_\bo_\br
- Default variable is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any
- the editor defines by VISUAL or EDITOR. Note that this
- can be a security hole since it allows the user to execute
- any program they wish simply by setting VISUAL or EDITOR.
+ configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\be_\bd_\bi_\bt_\bo_\br flag or the _\be_\bn_\bv_\b__\be_\bd_\bi_\b
+ _\bt_\bo_\br Default variable is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use
+ any the editor defines by VISUAL or EDITOR. Note that
+ this can be a security hole since it allows the user to
+ execute any program they wish simply by setting VISUAL or
+ EDITOR.
v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after the edit and will not
save the changes if there is a syntax error. Upon finding
is encountered, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of 1.
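Review bot: the reflowed visudo.cat text still contains `will use any the editor defines by VISUAL or EDITOR`, which is garbled (`any editor defined by`), and the same phrase survives as unchanged context in the visudo.man.in hunk below. visudo.cat and visudo.man.in are generated from the POD, so fix the wording in the source and regenerate rather than hand-editing the outputs.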
-f Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With
- this option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs
-1.6.9 October 26, 2004 1
+1.7 June 23, 2007 1
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+ this option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs
file of your choice, instead of the default,
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The lock file used is the specified
_\bs_\bu_\bd_\bo_\be_\br_\bs file with ".tmp" appended to it.
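Review bot: the context line `-f Specify and alternate _sudoers file location.` carries an `and`/`an` typo; since this hunk only moves the page break, fix the sentence in visudo.pod and regenerate so the cat and man outputs pick it up together.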
The specified {User,Runas,Host,Cmnd}_Alias was defined
but never used. You may wish to comment out or remove
the unused alias. In -\b-s\bs (strict) mode this is an
- error, not a warning.
-1.6.9 October 26, 2004 2
+1.7 June 23, 2007 2
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+ error, not a warning.
+
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bv_\bi(1), sudoers(4), sudo(1m), vipw(1m)
a bug report at http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Commercial support is available for s\bsu\bud\bdo\bo, see
- http://www.sudo.ws/sudo/support.html for details.
-
Limited free support is available via the sudo-users mail
ing list, see http://www.sudo.ws/mail
man/listinfo/sudo-users to subscribe or search the
-1.6.9 October 26, 2004 3
+
+1.7 June 23, 2007 3
-.\" Copyright (c) 1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 1996,1998-2004 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
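Review bot: the copyright range is bumped only from 1998-2003 to 1998-2004 while the same patch sets the .TH date of this file to June 23, 2007 and the version to 1.7; check whether the intended range is 1998-2007.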
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "October 26, 2004" "1.6.9" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"
\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
variables unless they contain an editor in the aforementioned editors
list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-enveditor\fR
-flag or the \fIenveditor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
+flag or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
Note that this can be a security hole since it allows the user to
execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
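Review bot: renaming `enveditor` to `env_editor` matches the `.IP "env_editor"` entry in sudoers.man.in in this patch, so the option name is now consistent across pages; the `\-\-with\-enveditor` configure flag keeps its old spelling, which is fine if that is the real configure option name. The unchanged line `will use any the editor defines by` is still garbled, as in the visudo.cat hunk above; fix it once in visudo.pod so both generated files are regenerated from the same text.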
at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
-Commercial support is available for \fBsudo\fR, see
-http://www.sudo.ws/sudo/support.html for details.
-.PP
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
search the archives.