-V The -V (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to print the
version number and exit.
- -l The -l (_\bl_\bi_\bs_\bt) option will list out the allowed and
- forbidden commands for the user on the current host.
+ -l The -l (_\bl_\bi_\bs_\bt) option will list out the allowed (and
+ forbidden) commands for the user on the current host.
- -h The -h (_\bh_\be_\bl_\bp) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to print the version
- of s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo and a usage message before exiting.
+ -h The -h (_\bh_\be_\bl_\bp) option causes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to print a usage
+ message and exit.
-v If given the -v (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will update
the user's timestamp, prompting for the user's
-17/Aug/1999 1.6 1
+25/Aug/1999 1.6 1
-k The -k (_\bk_\bi_\bl_\bl) option to s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo invalidates the user's
- timestamp file by setting the time on it to the epoch.
- The next time s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is run a password will be required.
+ timestamp by setting the time on it to the epoch. The
+ next time s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is run a password will be required.
This option does not require a password and was added
to allow a user to revoke s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo permissions from a
.logout file.
-K The -K (sure _\bk_\bi_\bl_\bl) option to s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo removes the user's
- timestamp file entirely. This option does not require
- a password.
+ timestamp entirely. This option does not require a
+ password.
-b The -b (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to run the given
command in the background. Note that if you use the
-17/Aug/1999 1.6 2
+25/Aug/1999 1.6 2
instance) or create /tmp/.odus with the appropriate owner
(root) and permissions (0700) in the system startup files.
- sudo will not honor timestamps set far in the future.
+ s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 *
TIMEOUT will be ignored and sudo will log and complain.
This is done to keep a user from creating his/her own
-17/Aug/1999 1.6 3
+25/Aug/1999 1.6 3
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
+ entries.
+
+ To get a file listing of an unreadable directory:
+
+ % sudo ls /usr/local/protected
+
+ To list the home directory of user yazza on a machine
+ where the filesystem holding ~yazza is not exported as
+ root:
+
+ % sudo -u yazza ls ~yazza
+
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+
+ % sudo -u www vi ~www/htdocs/index.html
+
+ To shutdown a machine:
+
+ % sudo shutdown -r +15 "quick reboot"
+
+ To make a usage listing of the directories in the /home
+ partition. Note that this runs the commands in a sub-
+ shell to make the cd and file redirection work.
+
+ % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+
+
+E\bE\bE\bEN\bN\bN\bNV\bV\bV\bVI\bI\bI\bIR\bR\bR\bRO\bO\bO\bON\bN\bN\bNM\bM\bM\bME\bE\bE\bEN\bN\bN\bNT\bT\bT\bT
+ s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo utilizes the following environment variables:
+
+ PATH Set to a sane value if SECURE_PATH is set
+ SHELL Used to determine shell to run with -s option
+ USER Set to the target user (root unless the -u option
+ is specified)
+ HOME In -s or -H mode (or if sudo was configured with
+ the --enable-shell-sets-home option), set to
+ homedir of the target user.
+ SUDO_PROMPT Used as the default password prompt
+ SUDO_COMMAND Set to the command run by sudo
+ SUDO_USER Set to the login of the user who invoked sudo
+ SUDO_UID Set to the uid of the user who invoked sudo
+ SUDO_GID Set to the gid of the user who invoked sudo
+ SUDO_PS1 If set, PS1 will be set to its value
+
+
F\bF\bF\bFI\bI\bI\bIL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
- /tmp/.odus Same as above if no /var/run exists
+
+ s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo utilizes the following environment variables:
+
+
+
+
+
+25/Aug/1999 1.6 4
+
+
+
+
+
+SUDO(8) MAINTENANCE COMMANDS SUDO(8)
-E\bE\bE\bEN\bN\bN\bNV\bV\bV\bVI\bI\bI\bIR\bR\bR\bRO\bO\bO\bON\bN\bN\bNM\bM\bM\bME\bE\bE\bEN\bN\bN\bNT\bT\bT\bT V\bV\bV\bVA\bA\bA\bAR\bR\bR\bRI\bI\bI\bIA\bA\bA\bAB\bB\bB\bBL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
PATH Set to a sane value if SECURE_PATH is set
SHELL Used to determine shell to run with -s option
USER Set to the target user (root unless the -u option
SUDO_PS1 If set, PS1 will be set to its value
+F\bF\bF\bFI\bI\bI\bIL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
+ /etc/sudoers List of who can run what
+ /var/run/sudo Directory containing timestamps
+ /tmp/.odus Same as above if no /var/run exists
+
+
A\bA\bA\bAU\bU\bU\bUT\bT\bT\bTH\bH\bH\bHO\bO\bO\bOR\bR\bR\bRS\bS\bS\bS
Many people have worked on s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo over the years, this
version consists of code written primarily by:
shell regardless of any '!' elements in the user
specification.
+ Running shell scripts via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo can expose the same kernel
-17/Aug/1999 1.6 4
+25/Aug/1999 1.6 5
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- Running shell scripts via s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo can expose the same kernel
bugs that make setuid shell scripts unsafe on some
- operating systems.
+ operating systems (if your OS supports the /dev/fd/
+ directory, setuid shell scripts are generally safe).
S\bS\bS\bSE\bE\bE\bEE\bE\bE\bE A\bA\bA\bAL\bL\bL\bLS\bS\bS\bSO\bO\bO\bO
_\bs_\bu_\bd_\bo_\be_\br_\bs(5), _\bv_\bi_\bs_\bu_\bd_\bo(8), _\bs_\bu(1).
-17/Aug/1999 1.6 5
+25/Aug/1999 1.6 6
<LI><A HREF="#OPTIONS">OPTIONS</A>
<LI><A HREF="#RETURN_VALUES">RETURN VALUES</A>
<LI><A HREF="#SECURITY_NOTES">SECURITY NOTES</A>
+ <LI><A HREF="#EXAMPLES">EXAMPLES</A>
+ <LI><A HREF="#ENVIRONMENT">ENVIRONMENT</A>
+ <LI><A HREF="#FILES">FILES</A>
<LI><A HREF="#FILES">FILES</A>
- <LI><A HREF="#ENVIRONMENT_VARIABLES">ENVIRONMENT VARIABLES</A>
<LI><A HREF="#AUTHORS">AUTHORS</A>
<LI><A HREF="#BUGS">BUGS</A>
<LI><A HREF="#DISCLAIMER">DISCLAIMER</A>
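Review bot: The contents list ends up with two `<LI><A HREF="#FILES">FILES</A>` entries, the added one and the existing one that is kept as context. The body hunks further down also add a second `<H1><A NAME="FILES">`, so the `FILES` anchor is defined twice and both links resolve to the same place. Only one FILES entry and one anchor should remain once the leftover section is removed.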
<DT><STRONG><A NAME="item__l">-l</A></STRONG><DD>
<P>
-The <CODE>-l</CODE> (<EM>list</EM>) option will list out the allowed and forbidden commands for the user on
+The <CODE>-l</CODE> (<EM>list</EM>) option will list out the allowed (and forbidden) commands for the user on
the current host.
<DT><STRONG><A NAME="item__h">-h</A></STRONG><DD>
<P>
-The <CODE>-h</CODE> (<EM>help</EM>) option causes <STRONG>sudo</STRONG> to print the version of <STRONG>sudo</STRONG> and a usage message before exiting.
+The <CODE>-h</CODE> (<EM>help</EM>) option causes <STRONG>sudo</STRONG> to print a usage message and exit.
<DT><STRONG><A NAME="item__v">-v</A></STRONG><DD>
<P>
<DT><STRONG><A NAME="item__k">-k</A></STRONG><DD>
<P>
-The <CODE>-k</CODE> (<EM>kill</EM>) option to <STRONG>sudo</STRONG> invalidates the user's timestamp file by setting the time on it to the
-epoch. The next time <STRONG>sudo</STRONG> is run a password will be required. This option does not require a password
+The <CODE>-k</CODE> (<EM>kill</EM>) option to <STRONG>sudo</STRONG> invalidates the user's timestamp by setting the time on it to the epoch.
+The next time <STRONG>sudo</STRONG> is run a password will be required. This option does not require a password
and was added to allow a user to revoke <STRONG>sudo</STRONG> permissions from a .logout file.
<DT><STRONG><A NAME="item__K">-K</A></STRONG><DD>
<P>
-The <CODE>-K</CODE> (sure <EM>kill</EM>) option to <STRONG>sudo</STRONG> removes the user's timestamp file entirely. This option does not require a
+The <CODE>-K</CODE> (sure <EM>kill</EM>) option to <STRONG>sudo</STRONG> removes the user's timestamp entirely. This option does not require a
password.
<DT><STRONG><A NAME="item__b">-b</A></STRONG><DD>
permissions (0700) in the system startup files.
<P>
-<CODE>sudo</CODE> will not honor timestamps set far in the future. Timestamps with a date
+<STRONG>sudo</STRONG> will not honor timestamps set far in the future. Timestamps with a date
greater than current_time + 2 * <CODE>TIMEOUT</CODE>
will be ignored and sudo will log and complain. This is done to keep a user
from creating his/her own timestamp with a bogus date on system that allow
users to give away files.
+<P>
+<HR>
+<H1><A NAME="EXAMPLES">EXAMPLES</A></H1>
+<P>
+Note: the following examples assume suitable <CODE>sudoers(5)</CODE>
+entries.
+
+<P>
+To get a file listing of an unreadable directory:
+
+<P>
+<PRE> % sudo ls /usr/local/protected
+</PRE>
+<P>
+To list the home directory of user yazza on a machine where the filesystem
+holding ~yazza is not exported as root:
+
+<P>
+<PRE> % sudo -u yazza ls ~yazza
+</PRE>
+<P>
+To edit the <EM>index.html</EM> file as user www:
+
+<P>
+<PRE> % sudo -u www vi ~www/htdocs/index.html
+</PRE>
+<P>
+To shutdown a machine:
+
+<P>
+<PRE> % sudo shutdown -r +15 "quick reboot"
+</PRE>
+<P>
+To make a usage listing of the directories in the /home partition. Note
+that this runs the commands in a sub-shell to make the <CODE>cd</CODE> and file redirection work.
+
+<P>
+<PRE> % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+</PRE>
+<P>
+<HR>
+<H1><A NAME="ENVIRONMENT">ENVIRONMENT</A></H1>
+<P>
+<STRONG>sudo</STRONG> utilizes the following environment variables:
+
+<P>
+<PRE> PATH Set to a sane value if SECURE_PATH is set
+ SHELL Used to determine shell to run with -s option
+ USER Set to the target user (root unless the -u option
+ is specified)
+ HOME In -s or -H mode (or if sudo was configured with
+ the --enable-shell-sets-home option), set to
+ homedir of the target user.
+ SUDO_PROMPT Used as the default password prompt
+ SUDO_COMMAND Set to the command run by sudo
+ SUDO_USER Set to the login of the user who invoked sudo
+ SUDO_UID Set to the uid of the user who invoked sudo
+ SUDO_GID Set to the gid of the user who invoked sudo
+ SUDO_PS1 If set, PS1 will be set to its value
+</PRE>
<P>
<HR>
<H1><A NAME="FILES">FILES</A></H1>
<P>
<PRE> /etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
- /tmp/.odus Same as above if no /var/run exists
</PRE>
<P>
-<HR>
-<H1><A NAME="ENVIRONMENT_VARIABLES">ENVIRONMENT VARIABLES</A></H1>
+<STRONG>sudo</STRONG> utilizes the following environment variables:
+
<P>
<PRE> PATH Set to a sane value if SECURE_PATH is set
SHELL Used to determine shell to run with -s option
</PRE>
<P>
<HR>
+<H1><A NAME="FILES">FILES</A></H1>
+<P>
+<PRE> /etc/sudoers List of who can run what
+ /var/run/sudo Directory containing timestamps
+ /tmp/.odus Same as above if no /var/run exists
+</PRE>
+<P>
+<HR>
<H1><A NAME="AUTHORS">AUTHORS</A></H1>
<P>
Many people have worked on <STRONG>sudo</STRONG> over the years, this version consists of code written primarily by:
user has access to commands allowing shell escapes.
<P>
-If users have sudo ALL there is nothing to prevent them from creating their
-own program that gives them a root shell regardless of any '!' elements in
-the user specification.
+If users have sudo <CODE>ALL</CODE> there is nothing to prevent them from creating their own program that gives
+them a root shell regardless of any '!' elements in the user specification.
<P>
Running shell scripts via <STRONG>sudo</STRONG> can expose the same kernel bugs that make setuid shell scripts unsafe on
-some operating systems.
+some operating systems (if your OS supports the /dev/fd/ directory, setuid
+shell scripts are generally safe).
<P>
<HR>
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
-''' Revision 1.35 1999/08/17 15:20:48 millert
-''' Add BUGS section
+''' Revision 1.36 1999/08/26 09:10:11 millert
+''' rename "ENVIRONMENT VARIABLES" section to "ENVIRONMENT" to be more standard and add "EXAMPLES" section
'''
'''
.de Sh
.nr % 0
.rr F
.\}
-.TH SUDO 8 "1.6" "17/Aug/1999" "MAINTENANCE COMMANDS"
+.TH SUDO 8 "1.6" "25/Aug/1999" "MAINTENANCE COMMANDS"
.UC
.if n .hy 0
.if n .na
The \f(CW-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the
version number and exit.
.Ip "-l" 4
-The \f(CW-l\fR (\fIlist\fR) option will list out the allowed and
-forbidden commands for the user on the current host.
+The \f(CW-l\fR (\fIlist\fR) option will list out the allowed (and
+forbidden) commands for the user on the current host.
.Ip "-h" 4
-The \f(CW-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print the version
-of \fBsudo\fR and a usage message before exiting.
+The \f(CW-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
.Ip "-v" 4
If given the \f(CW-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
user's timestamp, prompting for the user's password if necessary.
minutes) but does not run a command.
.Ip "-k" 4
The \f(CW-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp
-file by setting the time on it to the epoch. The next time \fBsudo\fR is
+by setting the time on it to the epoch. The next time \fBsudo\fR is
run a password will be required. This option does not require a password
and was added to allow a user to revoke \fBsudo\fR permissions from a .logout
file.
.Ip "-K" 4
The \f(CW-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp
-file entirely. This option does not require a password.
+entirely. This option does not require a password.
.Ip "-b" 4
The \f(CW-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
command in the background. Note that if you use the \f(CW-b\fR
instance) or create /tmp/.odus with the appropriate owner (root)
and permissions (0700) in the system startup files.
.PP
-\f(CWsudo\fR will not honor timestamps set far in the future.
+\fBsudo\fR will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 * \f(CWTIMEOUT\fR
will be ignored and sudo will log and complain. This is done to
keep a user from creating his/her own timestamp with a bogus
date on system that allow users to give away files.
+.SH "EXAMPLES"
+Note: the following examples assume suitable \fIsudoers\fR\|(5) entries.
+.PP
+To get a file listing of an unreadable directory:
+.PP
+.Vb 1
+\& % sudo ls /usr/local/protected
+.Ve
+To list the home directory of user yazza on a machine where the
+filesystem holding ~yazza is not exported as root:
+.PP
+.Vb 1
+\& % sudo -u yazza ls ~yazza
+.Ve
+To edit the \fIindex.html\fR file as user www:
+.PP
+.Vb 1
+\& % sudo -u www vi ~www/htdocs/index.html
+.Ve
+To shutdown a machine:
+.PP
+.Vb 1
+\& % sudo shutdown -r +15 "quick reboot"
+.Ve
+To make a usage listing of the directories in the /home
+partition. Note that this runs the commands in a sub-shell
+to make the \f(CWcd\fR and file redirection work.
+.PP
+.Vb 1
+\& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+.Ve
+.SH "ENVIRONMENT"
+\fBsudo\fR utilizes the following environment variables:
+.PP
+.Vb 13
+\& PATH Set to a sane value if SECURE_PATH is set
+\& SHELL Used to determine shell to run with -s option
+\& USER Set to the target user (root unless the -u option
+\& is specified)
+\& HOME In -s or -H mode (or if sudo was configured with
+\& the --enable-shell-sets-home option), set to
+\& homedir of the target user.
+\& SUDO_PROMPT Used as the default password prompt
+\& SUDO_COMMAND Set to the command run by sudo
+\& SUDO_USER Set to the login of the user who invoked sudo
+\& SUDO_UID Set to the uid of the user who invoked sudo
+\& SUDO_GID Set to the gid of the user who invoked sudo
+\& SUDO_PS1 If set, PS1 will be set to its value
+.Ve
.SH "FILES"
.PP
-.Vb 3
+.Vb 2
\& /etc/sudoers List of who can run what
\& /var/run/sudo Directory containing timestamps
-\& /tmp/.odus Same as above if no /var/run exists
.Ve
-.SH "ENVIRONMENT VARIABLES"
+\fBsudo\fR utilizes the following environment variables:
.PP
.Vb 13
\& PATH Set to a sane value if SECURE_PATH is set
\& SUDO_GID Set to the gid of the user who invoked sudo
\& SUDO_PS1 If set, PS1 will be set to its value
.Ve
+.SH "FILES"
+.PP
+.Vb 3
+\& /etc/sudoers List of who can run what
+\& /var/run/sudo Directory containing timestamps
+\& /tmp/.odus Same as above if no /var/run exists
+.Ve
.SH "AUTHORS"
Many people have worked on \fBsudo\fR over the years, this
version consists of code written primarily by:
There is no easy way to prevent a user from gaining a root shell if
that user has access to commands allowing shell escapes.
.PP
-If users have sudo ALL there is nothing to prevent them from creating
+If users have sudo \f(CWALL\fR there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any \*(L'!\*(R'
elements in the user specification.
.PP
Running shell scripts via \fBsudo\fR can expose the same kernel bugs
-that make setuid shell scripts unsafe on some operating systems.
+that make setuid shell scripts unsafe on some operating systems
+(if your OS supports the /dev/fd/ directory, setuid shell scripts
+are generally safe).
.SH "SEE ALSO"
\fIsudoers\fR\|(5), \fIvisudo\fR\|(8), \fIsu\fR\|(1).
.IX Header "SECURITY NOTES"
+.IX Header "EXAMPLES"
+
+.IX Header "ENVIRONMENT"
+
.IX Header "FILES"
-.IX Header "ENVIRONMENT VARIABLES"
+.IX Header "FILES"
.IX Header "AUTHORS"
=item -l
-The C<-l> (I<list>) option will list out the allowed and
-forbidden commands for the user on the current host.
+The C<-l> (I<list>) option will list out the allowed (and
+forbidden) commands for the user on the current host.
=item -h
-The C<-h> (I<help>) option causes B<sudo> to print the version
-of B<sudo> and a usage message before exiting.
+The C<-h> (I<help>) option causes B<sudo> to print a usage message and exit.
=item -v
=item -k
The C<-k> (I<kill>) option to B<sudo> invalidates the user's timestamp
-file by setting the time on it to the epoch. The next time B<sudo> is
+by setting the time on it to the epoch. The next time B<sudo> is
run a password will be required. This option does not require a password
and was added to allow a user to revoke B<sudo> permissions from a .logout
file.
=item -K
The C<-K> (sure I<kill>) option to B<sudo> removes the user's timestamp
-file entirely. This option does not require a password.
+entirely. This option does not require a password.
=item -b
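Review bot: With "file" dropped from the -k and -K entries, "invalidates the user's timestamp by setting the time on it to the epoch" no longer tells the reader that the timestamp is a file whose time is being reset. The later paragraph about a user "creating his/her own timestamp with a bogus date" on systems that allow giving away files depends on that, and FILES still lists /var/run/sudo as a directory containing timestamps. Suggest keeping "timestamp file" here, or rewording to something like "by setting its modification time to the epoch".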
instance) or create /tmp/.odus with the appropriate owner (root)
and permissions (0700) in the system startup files.
-C<sudo> will not honor timestamps set far in the future.
+B<sudo> will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 * C<TIMEOUT>
will be ignored and sudo will log and complain. This is done to
keep a user from creating his/her own timestamp with a bogus
date on system that allow users to give away files.
+=head1 EXAMPLES
+
+Note: the following examples assume suitable sudoers(5) entries.
+
+To get a file listing of an unreadable directory:
+
+ % sudo ls /usr/local/protected
+
+To list the home directory of user yazza on a machine where the
+filesystem holding ~yazza is not exported as root:
+
+ % sudo -u yazza ls ~yazza
+
+To edit the F<index.html> file as user www:
+
+ % sudo -u www vi ~www/htdocs/index.html
+
+To shutdown a machine:
+
+ % sudo shutdown -r +15 "quick reboot"
+
+To make a usage listing of the directories in the /home
+partition. Note that this runs the commands in a sub-shell
+to make the C<cd> and file redirection work.
+
+ % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+
+=head1 ENVIRONMENT
+
+B<sudo> utilizes the following environment variables:
+
+ PATH Set to a sane value if SECURE_PATH is set
+ SHELL Used to determine shell to run with -s option
+ USER Set to the target user (root unless the -u option
+ is specified)
+ HOME In -s or -H mode (or if sudo was configured with
+ the --enable-shell-sets-home option), set to
+ homedir of the target user.
+ SUDO_PROMPT Used as the default password prompt
+ SUDO_COMMAND Set to the command run by sudo
+ SUDO_USER Set to the login of the user who invoked sudo
+ SUDO_UID Set to the uid of the user who invoked sudo
+ SUDO_GID Set to the gid of the user who invoked sudo
+ SUDO_PS1 If set, PS1 will be set to its value
+
=head1 FILES
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
- /tmp/.odus Same as above if no /var/run exists
-=head1 ENVIRONMENT VARIABLES
+B<sudo> utilizes the following environment variables:
PATH Set to a sane value if SECURE_PATH is set
SHELL Used to determine shell to run with -s option
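Review bot: In the last EXAMPLES entry, `cd /home ; du -s * | sort -rn > USAGE` joins the two commands with `;`, so if the `cd` fails, the `du` and the redirection still run as root in whatever directory sudo was started from, and `USAGE` is written there. Suggest `cd /home && du -s * | sort -rn > USAGE`. This example also only works with a sudoers entry that lets the user run `sh`, which is the root-shell case SECURITY NOTES describes, so a sentence pointing there would help. The same applies to the `vi` example, since vi offers shell escapes (as user www in that case).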
SUDO_GID Set to the gid of the user who invoked sudo
SUDO_PS1 If set, PS1 will be set to its value
+=head1 FILES
+
+ /etc/sudoers List of who can run what
+ /var/run/sudo Directory containing timestamps
+ /tmp/.odus Same as above if no /var/run exists
+
=head1 AUTHORS
Many people have worked on B<sudo> over the years, this
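Review bot: Taken together with the previous hunk, the file now has two `=head1 FILES` sections and the environment table twice. The old `=head1 ENVIRONMENT VARIABLES` line was replaced by the sentence `B<sudo> utilizes the following environment variables:` rather than the old section being deleted. As a result the first FILES section, which also loses `/tmp/.odus`, is followed by a second copy of the table and then by the FILES block added here. Suggest deleting the old FILES block and the old table so that only the new ENVIRONMENT section and this FILES section remain.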
There is no easy way to prevent a user from gaining a root shell if
that user has access to commands allowing shell escapes.
-If users have sudo ALL there is nothing to prevent them from creating
+If users have sudo C<ALL> there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
elements in the user specification.
Running shell scripts via B<sudo> can expose the same kernel bugs
-that make setuid shell scripts unsafe on some operating systems.
+that make setuid shell scripts unsafe on some operating systems
+(if your OS supports the /dev/fd/ directory, setuid shell scripts
+are generally safe).
=head1 SEE ALSO
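Review bot: The added parenthetical speaks of setuid shell scripts, but the sentence it qualifies is about shell scripts run via B<sudo>, so the reader has to infer that the /dev/fd/ condition also covers the sudo case. Suggest saying that directly and stating which kernel behaviour is meant, since "generally safe" in SECURITY NOTES gives an administrator nothing concrete to check on their own system.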