* A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used.
+
+ * A new flag, -n, may be used to indicate that sudo should not
+ prompt the user for a password and, instead, exit with an error
+ if authentication is required.
* verify who he/she is.
*/
void
-check_user(validated)
+check_user(validated, interactive)
int validated;
+ int interactive;
{
char *timestampdir = NULL;
char *timestampfile = NULL;
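Review bot: The header comment above check_user() is not updated for the new `interactive` argument, and only its last line is visible in this hunk. The K&R-style parameter list gives the reader no hint of polarity, so the comment should say that a zero value means the function must never prompt. A suggested line is `* If interactive is zero, exit with an error instead of prompting when a password is required.` The function body continues outside the hunk.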
status = timestamp_status(timestampdir, timestampfile, user_name,
TS_MAKE_DIRS);
if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
+ /* Bail out if we are non-interactive and a password is required */
+ if (!interactive)
+ errorx(1, "sorry, a password is required to run %s", getprogname());
+
if (!ISSET(tgetpass_flags, TGP_ASKPASS))
lecture(status);
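Review bot: The new `if (!interactive)` branch exits through `errorx()` before anything visible here records the attempt. If errorx() only prints to stderr and exits, as its name suggests, a `-n` invocation that needed a password leaves no log or mail entry. Someone could then probe whether a cached timestamp exists without leaving the trail a failed password prompt would. Consider sending this denial through the same logging path used for authentication failures before exiting. Separately, `getprogname()` most likely yields sudo's own name rather than the requested command, so the message would read "a password is required to run sudo"; either print the requested command or shorten the text to `"sorry, a password is required"`.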
/* Require a password if sudoers says so. */
if (def_authenticate)
- check_user(validated);
+ check_user(validated, !ISSET(sudo_mode, MODE_NONINTERACTIVE));
/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
/* XXX - causes confusion when root is not listed in sudoers */
* Some trickiness is required to allow environment variables
* to be interspersed with command line options.
*/
- if ((ch = getopt(argc, argv, "+Aa:bC:c:Eeg:HhiKkLlPp:r:Sst:Uu:Vv")) != -1) {
+ if ((ch = getopt(argc, argv, "+Aa:bC:c:Eeg:HhiKkLlnPp:r:Sst:Uu:Vv")) != -1) {
switch (ch) {
case 'A':
SET(tgetpass_flags, TGP_ASKPASS);
usage_excl(1);
excl = 'l';
break;
+ case 'n':
+ SET(rval, MODE_NONINTERACTIVE);
+ break;
case 'V':
rval = MODE_VERSION;
if (excl && excl != 'V')
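Review bot: `case 'n'` ORs MODE_NONINTERACTIVE into `rval`, but `case 'V'` directly below assigns `rval = MODE_VERSION;`, which discards the bit whenever `-n` comes first on the command line. The updated synopsis advertises `sudo [-n] -v`, so if the `'v'` case (outside this hunk) assigns in the same way, `sudo -n -v` would still reach the password prompt. A script relying on `-n` never to block would then hang or ask for a password. Keeping the modifier bit across mode assignments avoids the order dependence, for example `rval = MODE_VERSION | (rval & MODE_NONINTERACTIVE);`, or collect modifier flags in a separate variable and OR them in at return. The switch continues outside the hunk, so the other mode cases need the same check.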
sudo, sudoedit - execute a command as another user
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV | -\b-v\bv
+ s\bsu\bud\bdo\bo [-\b-n\bn] -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV | -\b-v\bv
- s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAS\bS] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAn\bnS\bS] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
[_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
[-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [{-\b-i\bi | -\b-s\bs] [<_\bc_\bo_\bm_\bm_\ba_\bn_\bd}]
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
[-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
-1.7 March 2, 2008 1
+1.7 March 18, 2008 1
-1.7 March 2, 2008 2
+1.7 March 18, 2008 2
-1.7 March 2, 2008 3
+1.7 March 18, 2008 3
-\b-l\bll\bl), or if -\b-l\bl is specified multiple times, a longer list
format is used.
+ -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from prompt-
+ ing the user for a password. If a password is required for
+ the command to run, s\bsu\bud\bdo\bo will display an error messages and
+ exit.
+
-P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to pre-
serve the invoking user's group vector unaltered. By
default, s\bsu\bud\bdo\bo will initialize the group vector to the list
%U expanded to the login name of the user the command will
be run as (defaults to root)
- %u expanded to the invoking user's login name
- %% two consecutive % characters are collapsed into a sin-
- gle % character
+1.7 March 18, 2008 4
-1.7 March 2, 2008 4
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ %u expanded to the invoking user's login name
+ %% two consecutive % characters are collapsed into a sin-
+ gle % character
The prompt specified by the -\b-p\bp option will override the
system password prompt on systems that support PAM unless
line are subject to the same restrictions as normal environment vari-
ables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
_\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
- matched is ALL, the user may set variables that would overwise be for-
- bidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
-
-R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
- Upon successful execution of a program, the return value from s\bsu\bud\bdo\bo will
-1.7 March 2, 2008 5
+1.7 March 18, 2008 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ matched is ALL, the user may set variables that would overwise be for-
+ bidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
+
+R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
+ Upon successful execution of a program, the return value from s\bsu\bud\bdo\bo will
simply be the return value of the program that was executed.
Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a configura-
environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
program that s\bsu\bud\bdo\bo executes.
- s\bsu\bud\bdo\bo will check the ownership of its timestamp directory (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo
- by default) and ignore the directory's contents if it is not owned by
- root or if it is writable by a user other than root. On systems that
- allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
- directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
-1.7 March 2, 2008 6
+1.7 March 18, 2008 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ s\bsu\bud\bdo\bo will check the ownership of its timestamp directory (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo
+ by default) and ignore the directory's contents if it is not owned by
+ root or if it is writable by a user other than root. On systems that
+ allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
+ directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the direc-
tory and its contents, the only damage that can be done is to "hide"
SUDO_COMMAND Set to the command run by sudo
- SUDO_USER Set to the login of the user who invoked sudo
-
- SUDO_UID Set to the uid of the user who invoked sudo
+1.7 March 18, 2008 7
-1.7 March 2, 2008 7
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ SUDO_USER Set to the login of the user who invoked sudo
+ SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo
Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
of code written primarily by:
- Todd C. Miller
-
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
-
-1.7 March 2, 2008 8
+1.7 March 18, 2008 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ Todd C. Miller
+
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
-
-
-
-1.7 March 2, 2008 9
+1.7 March 18, 2008 9
#define MODE_RESET_HOME 0x04000
#define MODE_PRESERVE_GROUPS 0x08000
#define MODE_PRESERVE_ENV 0x10000
+#define MODE_NONINTERACTIVE 0x20000
/*
* Used with set_perms()
char *sudo_goodpath __P((const char *, struct stat *));
char *tgetpass __P((const char *, int, int));
int find_path __P((char *, char **, struct stat *, char *));
-void check_user __P((int));
+void check_user __P((int, int));
void verify_user __P((struct passwd *, char *));
#ifdef HAVE_LDAP
int sudo_ldap_open __P((struct sudo_nss *));
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "March 2, 2008" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "March 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR
+\&\fBsudo\fR [\fB\-n\fR] \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR
.PP
-\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AS\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR]
+\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AnS\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
-\&\fBsudo\fR [\fB\-AbEHPS\fR]
+\&\fBsudo\fR [\fB\-AbEHnPS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}]
.PP
-\&\fBsudoedit\fR [\fB\-AS\fR]
+\&\fBsudoedit\fR [\fB\-AnS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
\&\fBsudo\fR will exit with a return value of 1. If the \fB\-l\fR flag is
specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR
is specified multiple times, a longer list format is used.
+.IP "\-n" 12
+.IX Item "-n"
+The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
+the user for a password. If a password is required for the command
+to run, \fBsudo\fR will display an error messages and exit.
.IP "\-P" 12
.IX Item "-P"
The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
=head1 SYNOPSIS
-B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V> | B<-v>
+B<sudo> [B<-n>] B<-h> | B<-K> | B<-k> | B<-L> | B<-V> | B<-v>
-B<sudo> B<-l[l]> [B<-AS>] S<[B<-g> I<groupname>|I<#gid>]> S<[B<-U> I<username>]>
+B<sudo> B<-l[l]> [B<-AnS>] S<[B<-g> I<groupname>|I<#gid>]> S<[B<-U> I<username>]>
S<[B<-u> I<username>|I<#uid>]> [I<command>]
-B<sudo> [B<-AbEHPS>]
+B<sudo> [B<-AbEHnPS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-u> I<username>|I<#uid>]>
S<[B<VAR>=I<value>]> [S<{B<-i> | B<-s>] [<I<command>}>]
-B<sudoedit> [B<-AS>]
+B<sudoedit> [B<-AnS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
specified with an B<l> argument (i.e. B<-ll>), or if B<-l>
is specified multiple times, a longer list format is used.
+=item -n
+
+The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
+the user for a password. If a password is required for the command
+to run, B<sudo> will display an error messages and exit.
+
=item -P
The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to
* Usage strings for sudo. These are here because we
* need to be able to substitute values from configure.
*/
-#define SUDO_USAGE1 " -h | -K | -k | -L | -V | -v"
-#define SUDO_USAGE2 " -l[l] [-AS] [-g groupname|#gid] [-U username] [-u username|#uid] [-g groupname|#gid] [command]"
-#define SUDO_USAGE3 " [-AbEHPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]"
-#define SUDO_USAGE4 " -e [-AS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] file ..."
+#define SUDO_USAGE1 " [-n] -h | -K | -k | -L | -V | -v"
+#define SUDO_USAGE2 " -l[l] [-AnS] [-g groupname|#gid] [-U username] [-u username|#uid] [-g groupname|#gid] [command]"
+#define SUDO_USAGE3 " [-AbEHnPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]"
+#define SUDO_USAGE4 " -e [-AnS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] file ..."
#endif /* _SUDO_USAGE_H */
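Review bot: The rewritten SUDO_USAGE2 and SUDO_USAGE3 strings still list `[-g groupname|#gid]` twice, once before and once after `[-u username|#uid]`. Since these lines are being edited for `-n` anyway, drop the trailing duplicate so the usage output matches the synopsis in the manual. For SUDO_USAGE2 that gives `" -l[l] [-AnS] [-g groupname|#gid] [-U username] [-u username|#uid] [command]"`.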