S\bS\bS\bSY\bY\bY\bYN\bN\bN\bNO\bO\bO\bOP\bP\bP\bPS\bS\bS\bSI\bI\bI\bIS\bS\bS\bS
s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo -\b-\b-\b-V\bV\bV\bV | -\b-\b-\b-h\bh\bh\bh | -\b-\b-\b-l\bl\bl\bl | -\b-\b-\b-L\bL\bL\bL | -\b-\b-\b-v\bv\bv\bv | -\b-\b-\b-k\bk\bk\bk | -\b-\b-\b-K\bK\bK\bK | -\b-\b-\b-s\bs\bs\bs | [ -\b-\b-\b-H\bH\bH\bH ] [-\b-\b-\b-S\bS\bS\bS ]
- [ -\b-\b-\b-b\bb\bb\bb ] | [ -\b-\b-\b-p\bp\bp\bp _\bp_\br_\bo_\bm_\bp_\bt ] [ -\b-\b-\b-c\bc\bc\bc _\bc_\bl_\ba_\bs_\bs|_\b- ] [ -\b-\b-\b-u\bu\bu\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd ]
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd
+ [ -\b-\b-\b-b\bb\bb\bb ] | [ -\b-\b-\b-p\bp\bp\bp _\bp_\br_\bo_\bm_\bp_\bt ] [ -\b-\b-\b-c\bc\bc\bc _\bc_\bl_\ba_\bs_\bs|_\b- ] [ -\b-\b-\b-a\ba\ba\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be ] [
+ -\b-\b-\b-u\bu\bu\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd ] _\bc_\bo_\bm_\bm_\ba_\bn_\bd
D\bD\bD\bDE\bE\bE\bES\bS\bS\bSC\bC\bC\bCR\bR\bR\bRI\bI\bI\bIP\bP\bP\bPT\bT\bT\bTI\bI\bI\bIO\bO\bO\bON\bN\bN\bN
s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the
-August 13, 2000 1.6.4 1
+October 26, 2000 1.6.4 1
-v If given the -\b-\b-\b-v\bv\bv\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will update
the user's timestamp, prompting for the user's pass
- word if necessary. This extends the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo timeout to
- for another `5' minutes (or whatever the timeout is
- set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
+ word if necessary. This extends the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo timeout for
+ another `5' minutes (or whatever the timeout is set to
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
-k The -\b-\b-\b-k\bk\bk\bk (_\bk_\bi_\bl_\bl) option to s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo invalidates the user's
timestamp by setting the time on it to the epoch. The
classes where s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo has been configured with the
--with-logincap option.
- -u The -\b-\b-\b-u\bu\bu\bu (_\bu_\bs_\be_\br) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd.
+ -a The -\b-\b-\b-a\ba\ba\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to use
+ the specified authentication type when validating the
+ user, as allowed by /etc/login.conf. The system
+ administrator may specify a list of sudo-specific
+ authentication methods by adding an "auth-sudo" entry
+ in /etc/login.conf. This option is only available on
+ systems that support BSD authentication where s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo has
+ been configured with the --with-bsdauth option.
- -s The -\b-\b-\b-s\bs\bs\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
- _\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
- as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4).
+October 26, 2000 1.6.4 2
-August 13, 2000 1.6.4 2
+sudo(1m) MAINTENANCE COMMANDS sudo(1m)
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+ -u The -\b-\b-\b-u\bu\bu\bu (_\bu_\bs_\be_\br) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd.
+ -s The -\b-\b-\b-s\bs\bs\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
+ _\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
+ as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4).
-H The -\b-\b-\b-H\bH\bH\bH (_\bH_\bO_\bM_\bE) option sets the `HOME' environment vari
able to the homedir of the target user (root by
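Review bot: The added -a item says the authentication type is used "as allowed by /etc/login.conf" but never says what happens when the requested auth_type is not in the allowed list, or when no "auth-sudo" entry exists. For an option that selects how the user is authenticated, state the failure behaviour explicitly (for example, that sudo rejects the request instead of falling back to another method, if that is what the code does) and name the login.conf entry that applies when "auth-sudo" is absent.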
denoting current directory) last when searching for a com
mand in the user's PATH (if one or both are in the PATH).
Note, however, that the actual `PATH' environment variable
- is _\bn_\bo_\bt modified and is passed unchanged to the program
- that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo executes.
-
- For security reasons, if your OS supports shared libraries
- and does not disable user-defined library search paths for
- setuid programs (most do), you should either use a linker
- option that disables this behavior or link s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo stati
- cally.
-August 13, 2000 1.6.4 3
+October 26, 2000 1.6.4 3
sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+ is _\bn_\bo_\bt modified and is passed unchanged to the program
+ that s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo executes.
+
+ For security reasons, if your OS supports shared libraries
+ and does not disable user-defined library search paths for
+ setuid programs (most do), you should either use a linker
+ option that disables this behavior or link s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo stati
+ cally.
+
s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will check the ownership of its timestamp directory
(_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
tents if it is not owned by root and only writable by
Timestamps with a date greater than current_time + 2 *
`TIMEOUT' will be ignored and sudo will log and complain.
This is done to keep a user from creating his/her own
- timestamp with a bogus date on system that allow users to
+ timestamp with a bogus date on systems that allow users to
give away files.
E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
To shutdown a machine:
- % sudo shutdown -r +15 "quick reboot"
- To make a usage listing of the directories in the /home
- partition. Note that this runs the commands in a sub-
- shell to make the `cd' and file redirection work.
- % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+October 26, 2000 1.6.4 4
-August 13, 2000 1.6.4 4
+sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+ % sudo shutdown -r +15 "quick reboot"
+ To make a usage listing of the directories in the /home
+ partition. Note that this runs the commands in a sub-
+ shell to make the `cd' and file redirection work.
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+ % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
E\bE\bE\bEN\bN\bN\bNV\bV\bV\bVI\bI\bI\bIR\bR\bR\bRO\bO\bO\bON\bN\bN\bNM\bM\bM\bME\bE\bE\bEN\bN\bN\bNT\bT\bT\bT
A\bA\bA\bAU\bU\bU\bUT\bT\bT\bTH\bH\bH\bHO\bO\bO\bOR\bR\bR\bRS\bS\bS\bS
- Many people have worked on s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo over the years, this ver
+ Many people have worked on s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo over the years; this ver
sion consists of code written primarily by:
Todd Miller
Chris Jepeway
- See the HISTORY file in the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo distribution for a short
+ See the HISTORY file in the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo distribution or visit
+ http://www.courtesan.com/sudo/history.html for a short
history of s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo.
B\bB\bB\bBU\bU\bU\bUG\bG\bG\bGS\bS\bS\bS
purpose are disclaimed. See the LICENSE file distributed
with s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo for complete details.
-C\bC\bC\bCA\bA\bA\bAV\bV\bV\bVE\bE\bE\bEA\bA\bA\bAT\bT\bT\bTS\bS\bS\bS
- There is no easy way to prevent a user from gaining a root
- shell if that user has access to commands allowing shell
- escapes.
- If users have sudo `ALL' there is nothing to prevent them
- from creating their own program that gives them a root
- shell regardless of any '!' elements in the user specifi
- cation.
+October 26, 2000 1.6.4 5
-August 13, 2000 1.6.4 5
+sudo(1m) MAINTENANCE COMMANDS sudo(1m)
-sudo(1m) MAINTENANCE COMMANDS sudo(1m)
+C\bC\bC\bCA\bA\bA\bAV\bV\bV\bVE\bE\bE\bEA\bA\bA\bAT\bT\bT\bTS\bS\bS\bS
+ There is no easy way to prevent a user from gaining a root
+ shell if that user has access to commands allowing shell
+ escapes.
+ If users have sudo `ALL' there is nothing to prevent them
+ from creating their own program that gives them a root
+ shell regardless of any '!' elements in the user specifi
+ cation.
Running shell scripts via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo can expose the same kernel
bugs that make setuid shell scripts unsafe on some operat
-
-
-
-
-
-
-
-
-
-
-August 13, 2000 1.6.4 6
+October 26, 2000 1.6.4 6
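Review bot: Regenerate the formatted page in its own commit or at release time. In this hunk the CAVEATS text is removed and re-added unchanged, along with ten blank lines and the page footers, only because the new -a item moved the page breaks. That churn buries the real changes (the -a item and the wording fixes) and makes it easy to miss an unintended edit to the security caveats.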
.\" Automatically generated by Pod::Man version 1.04
-.\" Sun Aug 13 14:54:25 2000
+.\" Thu Oct 26 11:02:49 2000
.\"
.\" Standard preamble:
.\" ======================================================================
.\" ======================================================================
.\"
.IX Title "sudo @mansectsu@"
-.TH sudo @mansectsu@ "1.6.4" "August 13, 2000" "MAINTENANCE COMMANDS"
+.TH sudo @mansectsu@ "1.6.4" "October 26, 2000" "MAINTENANCE COMMANDS"
.UC
.SH "NAME"
sudo \- execute a command as another user
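Review bot: The .TH line moves the date from "August 13, 2000" to "October 26, 2000" but leaves the version at "1.6.4", although this revision documents a new -a option. A reader comparing an installed page with this one cannot tell from the version field whether -a is supported; either bump the version string or say in the -a item which release introduced it. Since the header states the file is generated by Pod::Man, also confirm the wording changes were made in the pod source and not only in this output.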
.IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR |
[ \fB\-H\fR ] [\fB\-S\fR ] [ \fB\-b\fR ] | [ \fB\-p\fR \fIprompt\fR ] [ \fB\-c\fR \fIclass\fR|\fI-\fR ]
+[ \fB\-a\fR \fIauth_type\fR ]
[ \fB\-u\fR \fIusername\fR|\fI#uid\fR ] \fIcommand\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.IX Item "-v"
If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
user's timestamp, prompting for the user's password if necessary.
-This extends the \fBsudo\fR timeout to for another \f(CW\*(C`@timeout@\*(C'\fR minutes
+This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes
(or whatever the timeout is set to in \fIsudoers\fR) but does not run
a command.
.Ip "\-k" 4
as root, or the \fBsudo\fR command must be run from a shell that is already
root. This option is only available on systems with \s-1BSD\s0 login classes
where \fBsudo\fR has been configured with the \-\-with-logincap option.
+.Ip "\-a" 4
+.IX Item "-a"
+The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
+specified authentication type when validating the user, as allowed
+by /etc/login.conf. The system administrator may specify a list
+of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
+entry in /etc/login.conf. This option is only available on systems
+that support \s-1BSD\s0 authentication where \fBsudo\fR has been configured
+with the \-\-with-bsdauth option.
.Ip "\-u" 4
.IX Item "-u"
The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command
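Review bot: Both occurrences of /etc/login.conf in the added -a item are plain text, while file names elsewhere on the page are set in italics (for example \fIsudoers\fR in the -v item). Mark them up the same way, \fI/etc/login.conf\fR in this output, so the path renders consistently with the other files the page refers to.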
Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
will be ignored and sudo will log and complain. This is done to
keep a user from creating his/her own timestamp with a bogus
-date on system that allow users to give away files.
+date on systems that allow users to give away files.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries.
.Ve
.SH "AUTHORS"
.IX Header "AUTHORS"
-Many people have worked on \fBsudo\fR over the years, this
+Many people have worked on \fBsudo\fR over the years; this
version consists of code written primarily by:
.PP
.Vb 2
\& Todd Miller
\& Chris Jepeway
.Ve
-See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution for a short history
+See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
+http://www.courtesan.com/sudo/history.html for a short history
of \fBsudo\fR.
.SH "BUGS"
.IX Header "BUGS"