-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
N\bNA\bAM\bME\bE
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV | -\b-v\bv
- s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\b-
- _\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAS\bS] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
+ [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\bo [-\b-b\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
[-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [{-\b-i\bi | -\b-s\bs] [<_\bc_\bo_\bm_\bm_\ba_\bn_\bd}]
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
[-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
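Review bot: The header and cross-references in this pre-formatted page move from section 8 to 1m (and the sudoers references from 5 to 4), which is unrelated to adding -A. The troff source keeps the section as @mansectsu@ and @mansectform@, so these numbers look like they come from the configure values on the machine that regenerated the cat file. Please regenerate with the same section settings as the previous revision, or put the renumbering in its own commit so the -A additions to the SYNOPSIS lines are easy to see.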
-1.7 February 18, 2008 1
+1.7 March 2, 2008 1
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the _\bs_\bu_\bd_\bo_\b-
O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo accepts the following command line options:
+ -A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
+ the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is speci-
+ fied, a helper program is executed to read the user's pass-
+ word and output the password to the standard output. If
+ the SUDO_ASKPASS environment variable is set, it specifies
+ the path to the helper program. Otherwise, the value spec-
+ ified by the _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is used.
+
-a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
specified authentication type when validating the user, as
allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
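Review bot: The -A text only covers the case where the option is given, but the SUDO_ASKPASS entry added under ENVIRONMENT says the helper is also used "if no terminal is available". State the no-terminal case here too so the two descriptions agree, and say what sudo does when -A is given but neither SUDO_ASKPASS nor the askpass option in sudoers is set.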
starting point above the standard error (file descriptor
three). Values less than three are not permitted. This
option is only available if the administrator has enabled
- the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
+ the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified com-
mand with resources limited by the specified login class.
login classes.
-E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(5)). It is only available when
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
either the matching command has the SETENV tag or the
- _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
+ _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
command, the user wishes to edit one or more files. In
- lieu of a command, the string "sudoedit" is used when con-
- sulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
- _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
+ lieu of a command, the string "sudoedit" is used when
- 1. Temporary copies are made of the files to be edited
- with the owner set to the invoking user.
- 2. The editor specified by the VISUAL or EDITOR environ-
- ment variables is run to edit the temporary files. If
+1.7 March 2, 2008 2
-1.7 February 18, 2008 2
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+ consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
+ 1. Temporary copies are made of the files to be edited
+ with the owner set to the invoking user.
+ 2. The editor specified by the VISUAL or EDITOR environ-
+ ment variables is run to edit the temporary files. If
neither VISUAL nor EDITOR are set, the program listed
in the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
-H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
the homedir of the target user (root by default) as speci-
- fied in _\bp_\ba_\bs_\bs_\bw_\bd(5). By default, s\bsu\bud\bdo\bo does not modify HOME
- (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(5)).
+ fied in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo does not modify HOME
+ (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage message
and exit.
-i [command]
The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell spec-
- ified in the _\bp_\ba_\bs_\bs_\bw_\bd(5) entry of the target user as a login
+ ified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a login
shell. This means that login-specific resource files such
as .profile or .login will be read by the shell. If a com-
mand is specified, it is passed to the shell for execution.
on Linux and AIX systems. All other environment variables
are removed.
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
- the user's timestamp entirely. Like -\b-k\bk, this option does
- not require a password.
-
- -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's times-
- tamp by setting the time on it to the Epoch. The next time
- s\bsu\bud\bdo\bo is run a password will be required. This option does
+1.7 March 2, 2008 3
-1.7 February 18, 2008 3
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
+ the user's timestamp entirely. Like -\b-k\bk, this option does
+ not require a password.
+ -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's times-
+ tamp by setting the time on it to the Epoch. The next time
+ s\bsu\bud\bdo\bo is run a password will be required. This option does
not require a password and was added to allow a user to
revoke s\bsu\bud\bdo\bo permissions from a .logout file.
%% two consecutive % characters are collapsed into a sin-
gle % character
- The prompt specified by the -\b-p\bp option will override the
- system password prompt on systems that support PAM unless
- the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
- the standard input instead of the terminal device.
+1.7 March 2, 2008 4
-1.7 February 18, 2008 4
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+ The prompt specified by the -\b-p\bp option will override the
+ system password prompt on systems that support PAM unless
+ the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ the standard input instead of the terminal device.
-s [command]
The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
environment variable if it is set or the shell as specified
- in _\bp_\ba_\bs_\bs_\bw_\bd(5). If a command is specified, it is passed to
+ in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
the shell for execution. Otherwise, an interactive shell
is executed.
of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as a _\bu_\bi_\bd,
many shells require that the '#' be escaped with a back-
slash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option is
- set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(5)) it is not possible to run commands
+ set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
with a uid not listed in the password database.
-V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
ables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
_\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would overwise be for-
- bidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(5) for more information.
+ bidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
Upon successful execution of a program, the return value from s\bsu\bud\bdo\bo will
- simply be the return value of the program that was executed.
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a configura-
- tion/permission problem or if s\bsu\bud\bdo\bo cannot execute the given command.
- In the latter case the error string is printed to stderr. If s\bsu\bud\bdo\bo can-
- not _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is printed
- on stderr. (If the directory does not exist or if it is not really a
+1.7 March 2, 2008 5
-1.7 February 18, 2008 5
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+ simply be the return value of the program that was executed.
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a configura-
+ tion/permission problem or if s\bsu\bud\bdo\bo cannot execute the given command.
+ In the latter case the error string is printed to stderr. If s\bsu\bud\bdo\bo can-
+ not _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is printed
+ on stderr. (If the directory does not exist or if it is not really a
directory, the entry is ignored and no error is printed.) This should
not happen under normal circumstances. The most common reason for
_\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running an auto-
root or if it is writable by a user other than root. On systems that
allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
- is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
- run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the direc-
- tory and its contents, the only damage that can be done is to "hide"
- files by putting them in the timestamp dir. This is unlikely to happen
- since once the timestamp dir is owned by root and inaccessible by any
- other user, the user placing files there would be unable to get them
- back out. To get around this issue you can use a directory that is not
-1.7 February 18, 2008 6
+1.7 March 2, 2008 6
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
+ run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the direc-
+ tory and its contents, the only damage that can be done is to "hide"
+ files by putting them in the timestamp dir. This is unlikely to happen
+ since once the timestamp dir is owned by root and inaccessible by any
+ other user, the user placing files there would be unable to get them
+ back out. To get around this issue you can use a directory that is not
world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or cre-
ate _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate owner (root) and permissions
(0700) in the system startup files.
when giving users access to commands via s\bsu\bud\bdo\bo to verify that the com-
mand does not inadvertently give the user an effective root shell. For
more information, please see the PREVENTING SHELL ESCAPES section in
- _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
+ _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables:
SHELL Used to determine shell to run with -s option
+ SUDO_ASKPASS Specifies the path to a helper program used to read the
+ password if no terminal is available or if the -A
+ option is specified.
+
SUDO_PROMPT Used as the default password prompt
SUDO_COMMAND Set to the command run by sudo
SUDO_UID Set to the uid of the user who invoked sudo
- SUDO_GID Set to the gid of the user who invoked sudo
- SUDO_PS1 If set, PS1 will be set to its value
- USER Set to the target user (root unless the -\b-u\bu option is
- specified)
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode
+1.7 March 2, 2008 7
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
-1.7 February 18, 2008 7
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ SUDO_GID Set to the gid of the user who invoked sudo
+ SUDO_PS1 If set, PS1 will be set to its value
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+ USER Set to the target user (root unless the -\b-u\bu option is
+ specified)
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode
+
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
AIX
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(5) entries.
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
To get a file listing of an unreadable directory:
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(5), _\bs_\bu_\bd_\bo_\be_\br_\bs(5), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
+ _\bv_\bi_\bs_\bu_\bd_\bo(1m)
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
Todd C. Miller
See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root shell if
- that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
- programs (such as editors) allow the user to run commands via shell
- escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
- possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
- See the _\bs_\bu_\bd_\bo_\be_\br_\bs(5) manual for details.
- It is not meaningful to run the cd command directly via sudo, e.g.,
- $ sudo cd /usr/local/protected
+1.7 March 2, 2008 8
-1.7 February 18, 2008 8
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ There is no easy way to prevent a user from gaining a root shell if
+ that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
+ programs (such as editors) allow the user to run commands via shell
+ escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
+ possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+ It is not meaningful to run the cd command directly via sudo, e.g.,
+ $ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still
be the same. Please see the EXAMPLES section for more information.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7 February 18, 2008 9
+1.7 March 2, 2008 9
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "March 2, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR
.PP
-\&\fBsudo\fR \fB\-l[l]\fR [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR]
+\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AS\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
-\&\fBsudo\fR [\fB\-bEHPS\fR]
+\&\fBsudo\fR [\fB\-AbEHPS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}]
.PP
-\&\fBsudoedit\fR [\fB\-S\fR]
+\&\fBsudoedit\fR [\fB\-AS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBsudo\fR accepts the following command line options:
+.IP "\-A" 12
+.IX Item "-A"
+Normally, if \fBsudo\fR requires a password, it will read it from the
+current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
+a helper program is executed to read the user's password and output
+the password to the standard output. If the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
+environment variable is set, it specifies the path to the helper
+program. Otherwise, the value specified by the \fIaskpass\fR option
+in \fIsudoers\fR\|(@mansectform@) is used.
@BAMAN@.IP "\-a \fItype\fR" 12
@BAMAN@.IX Item "-a type"
@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
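Review bot: The -A item does not say which user the helper program runs as, and because SUDO_ASKPASS comes from the invoking user's environment that is the first thing an administrator will want to know. Please add a sentence on the identity the helper runs with. It would also help to repeat what the sudoers askpass entry says, that the helper receives the prompt as its argument, and to state whether SUDO_ASKPASS must be a fully qualified path like the sudoers setting.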
.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
.IX Item "SHELL"
Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option
+.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16
+.IX Item "SUDO_ASKPASS"
+Specifies the path to a helper program used to read the password
+if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified.
.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
.IX Item "SUDO_PROMPT"
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), \fIpasswd\fR\|(@mansectform@),
-\&\fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@)
+\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
+@LCMAN@\&\fIlogin_cap\fR\|(3),
+\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this
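Review bot: The new SEE ALSO line hard-codes \fIsudoers\fR\|(5) where the removed line used @mansectform@, so this reference no longer follows the configured section. The regenerated sudo page in this same patch shows the result: passwd(4) next to sudoers(5), while every other sudoers reference became sudoers(4). Keep \fIsudoers\fR\|(@mansectform@) here.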
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
N\bNA\bAM\bME\bE
-1.7 February 18, 2008 1
+1.7 March 2, 2008 1
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Host_Alias ::= NAME '=' Host_List
-1.7 February 18, 2008 2
+1.7 March 2, 2008 2
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Host ::= '!'* hostname |
-1.7 February 18, 2008 3
+1.7 March 2, 2008 3
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
users on any host, all users on a specific host, a specific user, a
-1.7 February 18, 2008 4
+1.7 March 2, 2008 4
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Let's break that down into its constituent parts:
-1.7 February 18, 2008 5
+1.7 March 2, 2008 5
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite
-1.7 February 18, 2008 6
+1.7 March 2, 2008 6
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
-1.7 February 18, 2008 7
+1.7 March 2, 2008 7
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
-1.7 February 18, 2008 8
+1.7 March 2, 2008 8
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
-1.7 February 18, 2008 9
+1.7 March 2, 2008 9
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
log_host If set, the hostname will be logged in the (non-syslog)
-1.7 February 18, 2008 10
+1.7 March 2, 2008 10
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
normally only be used if the passwod prompt provided by
-1.7 February 18, 2008 11
+1.7 March 2, 2008 11
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
-1.7 February 18, 2008 12
+1.7 March 2, 2008 12
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
password before s\bsu\bud\bdo\bo logs the failure and exits. The
-1.7 February 18, 2008 13
+1.7 March 2, 2008 13
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
environment variable. The following percent (`%')
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- exempt_group
- Users in this group are exempt from password and PATH
- requirements. This is not set by default.
+ askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully-qualilfy path to a
+ helper program used to read the user's password when no
+ terminal is available. This may be the case when s\bsu\bud\bdo\bo is
+ executed from a graphical (as opposed to text-based) appli-
+ cation. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should display
+ the argument passed to it as the prompt and write the
+ user's password to the standard output. The value of
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
+ variable.
- lecture This option controls when a short lecture will be printed
- along with the password prompt. It has the following pos-
- sible values:
- always Always lecture the user.
- never Never lecture the user.
+
+
+1.7 March 2, 2008 14
-1.7 February 18, 2008 14
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ exempt_group
+ Users in this group are exempt from password and PATH
+ requirements. This is not set by default.
+
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following pos-
+ sible values:
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+ always Always lecture the user.
+ never Never lecture the user.
once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
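Review bot: Typo in the new askpass entry: "fully-qualilfy path" should read "fully qualified path". The entry also says the helper is used "when no terminal is available" but does not mention the -A option, which the sudo manual gives as the other trigger; one clause here would keep the two pages consistent. Make the correction in the source this cat page is generated from so it survives the next regeneration.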
mailerpath Path to mail program used to send warning mail. Defaults
to the path to sendmail found at configure time.
- mailto Address to send warning and error mail to. The address
- should be enclosed in double quotes (") to protect against
- s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
- secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
- trust the people running s\bsu\bud\bdo\bo to have a sane PATH environ-
- ment variable you may want to use this. Another use is if
- you want to have the "root path" be separate from the "user
- path." Users in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp
- option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This is not set by
- default.
+1.7 March 2, 2008 15
-1.7 February 18, 2008 15
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+ mailto Address to send warning and error mail to. The address
+ should be enclosed in double quotes (") to protect against
+ s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ trust the people running s\bsu\bud\bdo\bo to have a sane PATH environ-
+ ment variable you may want to use this. Another use is if
+ you want to have the "root path" be separate from the "user
+ path." Users in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp
+ option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This is not set by
+ default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to local2.
environment variables to check is displayed when s\bsu\bud\bdo\bo
is run by root with the _\b-_\bV option.
+
+
+
+1.7 March 2, 2008 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
env_delete Environment variables to be removed from the user's
environment. The argument may be a double-quoted,
space-separated list or a single value without dou-
from the environment of any setuid process (such as
s\bsu\bud\bdo\bo).
-
-
-
-1.7 February 18, 2008 16
-
-
-
-
-
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
-
-
env_keep Environment variables to be preserved in the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
This allows fine-grained control over the environment
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
-
+1.7 March 2, 2008 17
-1.7 February 18, 2008 17
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
- any host without authenticating themselves.
- PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
- any host but they must authenticate themselves first (since the entry
- lacks the NOPASSWD tag).
- jack CSNETS = ALL
+1.7 March 2, 2008 18
-1.7 February 18, 2008 18
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
+ any host without authenticating themselves.
+
+ PARTTIMERS ALL = ALL
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
+ any host but they must authenticate themselves first (since the entry
+ lacks the NOPASSWD tag).
+ jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
- on all machines.
- fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias (o\bor\bra\ba-\b-
- c\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+1.7 March 2, 2008 19
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
- not allowed to give _\bs_\bu(1) any flags.
-1.7 February 18, 2008 19
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ on all machines.
+ fred ALL = (DB) NOPASSWD: ALL
+
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias (o\bor\bra\ba-\b-
+ c\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
+ not allowed to give _\bs_\bu(1) any flags.
jen ALL, !SERVERS = ALL
bill ALL = ALL, !SU, !SHELLS
+
+
+1.7 March 2, 2008 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
_\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
-
-
-
-1.7 February 18, 2008 20
-
-
-
-
-
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
-
-
that permit shell escapes include shells (obviously), editors, pagina-
tors, mail and terminal programs.
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
if LD_PRELOAD is supported.
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as docu-
- mented in the User Specification section above. Here is that
- example again:
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
- with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
- from executing other commands (such as a shell). If you are
- unsure whether or not your system is capable of supporting
- _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
+1.7 March 2, 2008 21
-1.7 February 18, 2008 21
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as docu-
+ mented in the User Specification section above. Here is that
+ example again:
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
+ with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
+ from executing other commands (such as a shell). If you are
+ unsure whether or not your system is capable of supporting
+ _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(8), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
-
-
-
-
-
-
-
-
-
-
-
-
-1.7 February 18, 2008 22
+1.7 March 2, 2008 22
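Review bot: in the SEE ALSO line of this page the change rewrites `sudo(8)` to `sudo(1m)` but leaves `visudo(8)` as it was, while the visudo page in this same patch is retitled `VISUDO(1m)`. The cross-reference should follow the same section mapping. Since the roff source uses `@mansectform@` placeholders in `.TH`, the fix probably belongs in the source's SEE ALSO entries (a hardcoded section number there) rather than in the generated cat page.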
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
N\bNA\bAM\bME\bE
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
# LDAP equivalent of puddles
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
- those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(5) manual.
+ those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
Also note that on systems using the OpenLDAP libraries, default values
specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf that are sup-
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
B\bBI\bIN\bND\bDD\bDN\bN DN
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
OpenLDAP libraries.
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
# Either specify one or more URIs or one or more host:port pairs.
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
#tls_cacertfile /etc/certs/trusted_signers.pem
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
attributetype ( 1.3.6.1.4.1.15953.9.1.2
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(5), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
-SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
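Review bot: the SEE ALSO line here updates `ldap.conf(5)` to `ldap.conf(4)` but still points at `sudoers(5)`, although the sudoers page headers elsewhere in this patch now read `SUDOERS(4)`. Please regenerate or correct the reference so both entries use the file-formats section chosen for this platform.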
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "March 2, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.PP
\&\fBStrings that can be used in a boolean context\fR:
+.IP "askpass" 12
+.IX Item "askpass"
+The \fIaskpass\fR option specifies the fully-qualilfy path to a helper
+program used to read the user's password when no terminal is
+available. This may be the case when \fBsudo\fR is executed from a
+graphical (as opposed to text\-based) application. The program
+specified by \fIaskpass\fR should display the argument passed to it
+as the prompt and write the user's password to the standard output.
+The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
+environment variable.
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
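Review bot: the new askpass entry says the sudoers value "may be overridden by the SUDO_ASKPASS environment variable" but never states which identity the helper program runs as, or whether that override is subject to sudo's usual environment handling. For a program that receives the user's password, the documentation should state both explicitly. Two wording fixes while here: "fully-qualilfy path" should read "fully qualified path", and the SELinux context line just above has "whe" for "when".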
-VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
+VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
N\bNA\bAM\bME\bE
v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bc] [-\b-q\bq] [-\b-s\bs] [-\b-V\bV] [-\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(8).
+ v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(1m).
v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits, pro-
vides basic sanity checks, and checks for parse errors. If the _\bs_\bu_\bd_\bo_\be_\br_\bs
file is currently being edited you will receive a message to try again
-VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
+VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
combined with the -\b-c\bc flag.
-\b-s\bs (strict) mode this is an error, not a warning.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(5), _\bs_\bu_\bd_\bo(8), _\bv_\bi_\bp_\bw(8)
+ _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(8)
A\bAU\bUT\bTH\bHO\bOR\bR
Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
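Review bot: the SEE ALSO line is now inconsistent with the DESCRIPTION change in the same page: the description is updated to `vipw(1m)`, but SEE ALSO still lists `vipw(8)` next to the newly renumbered `sudoers(4)` and `sudo(1m)`. Both references to vipw should carry the same section.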
-VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
+VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
Todd Miller