-n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
prompting the user for a password. If a password is
required for the command to run, s\bsu\bud\bdo\bo will display an error
- messages and exit.
+ message and exit.
-P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
preserve the invoking user's group vector unaltered. By
_\br_\bu_\bn_\ba_\bs_\bp_\bw flags in _\bs_\bu_\bd_\bo_\be_\br_\bs(4))
%U expanded to the login name of the user the command will
- be run as (defaults to root unless the -u option is
+ be run as (defaults to root unless the -\b-u\bu option is
also specified)
%u expanded to the invoking user's login name
string and the version string of the security policy plugin
and any I/O plugins. If the invoking user is already root
the -\b-V\bV option will display the arguments passed to
- configure when _\bs_\bu_\bd_\bo was built and plugins may display more
+ configure when s\bsu\bud\bdo\bo was built and plugins may display more
verbose information such as default options.
-v When given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
user's cached credentials, authenticating the user's
password if necessary. For the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin, this
extends the s\bsu\bud\bdo\bo timeout for another 5 minutes (or whatever
- the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a
- command. Not all security policies support cached
+ the timeout is set to by the security policy) but does not
+ run a command. Not all security policies support cached
credentials.
-- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
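Review bot: in the -v text, the replacement "set to by the security policy" sits inside a sentence that still opens "For the sudoers plugin", so the parenthetical now reads as generic while the sentence around it is plugin-specific, and the reader loses the pointer to where the timeout is configured. Either keep the sudoers reference in this sentence and let the following "Not all security policies support cached credentials." carry the generic statement, or split the sudoers default and the policy-defined case into separate sentences. The same wording appears in the roff and pod copies of this hunk further down.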
program to debug (s\bsu\bud\bdo\bo, v\bvi\bis\bsu\bud\bdo\bo, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by), the debug file name and a
comma-separated list of debug flags. The debug flag syntax used by
s\bsu\bud\bdo\bo and the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is
- free to use a different format so long as it does not include a command
- ,.
+ free to use a different format so long as it does not include a comma
+ (`,').
For instance:
_\bu_\bt_\bm_\bp utmp handling
-R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
+E\bEX\bXI\bIT\bT V\bVA\bAL\bLU\bUE\bE
Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
simply be the exit status of the program that was executed.
has control over the content of the command's environment.
EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
- SUDO_EDITOR nor VISUAL is set
+ SUDO_EDITOR nor VISUAL is set.
MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
- to the mail spool of the target user
+ to the mail spool of the target user.
HOME Set to the home directory of the target user if -\b-i\bi or
-\b-H\bH are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set
in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and
- _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs.
PATH May be overridden by the security policy.
- SHELL Used to determine shell to run with -s option
+ SHELL Used to determine shell to run with -\b-s\bs option.
SUDO_ASKPASS Specifies the path to a helper program used to read the
- password if no terminal is available or if the -A
+ password if no terminal is available or if the -\b-A\bA
option is specified.
- SUDO_COMMAND Set to the command run by sudo
+ SUDO_COMMAND Set to the command run by sudo.
- SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode
+ SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode.
- SUDO_GID Set to the group ID of the user who invoked sudo
+ SUDO_GID Set to the group ID of the user who invoked sudo.
- SUDO_PROMPT Used as the default password prompt
+ SUDO_PROMPT Used as the default password prompt.
SUDO_PS1 If set, PS1 will be set to its value for the program
- being run
+ being run.
- SUDO_UID Set to the user ID of the user who invoked sudo
+ SUDO_UID Set to the user ID of the user who invoked sudo.
- SUDO_USER Set to the login of the user who invoked sudo
+ SUDO_USER Set to the login name of the user who invoked sudo.
USER Set to the target user (root unless the -\b-u\bu option is
- specified)
+ specified).
VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
- SUDO_EDITOR is not set
+ SUDO_EDITOR is not set.
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf s\bsu\bud\bdo\bo front end configuration
_\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4),
_\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m), _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+H\bHI\bIS\bST\bTO\bOR\bRY\bY
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
+
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
of code written primarily by:
Todd C. Miller
See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (http://www.sudo.ws/sudo/contributors.html) for a list of people who
- have contributed to s\bsu\bud\bdo\bo.
-
-H\bHI\bIS\bST\bTO\bOR\bRY\bY
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution
- (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
+ (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
+ people who have contributed to s\bsu\bud\bdo\bo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if
-1.8.6 June 29, 2012 SUDO(1m)
+1.8.6 July 12, 2012 SUDO(1m)
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "July 12, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IX Item "-n"
The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
the user for a password. If a password is required for the command
-to run, \fBsudo\fR will display an error messages and exit.
+to run, \fBsudo\fR will display an error message and exit.
.IP "\-P" 12
.IX Item "-P"
The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
.el .IP "\f(CW%U\fR" 4
.IX Item "%U"
expanded to the login name of the user the command will be run as
-(defaults to root unless the \f(CW\*(C`\-u\*(C'\fR option is also specified)
+(defaults to root unless the \fB\-u\fR option is also specified)
.ie n .IP "%u" 4
.el .IP "\f(CW%u\fR" 4
.IX Item "%u"
The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print its version
string and the version string of the security policy plugin and any
I/O plugins. If the invoking user is already root the \fB\-V\fR option
-will display the arguments passed to configure when \fIsudo\fR was
+will display the arguments passed to configure when \fBsudo\fR was
built and plugins may display more verbose information such as
default options.
.IP "\-v" 12
user's cached credentials, authenticating the user's password if
necessary. For the \fIsudoers\fR plugin, this extends the \fBsudo\fR
timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes (or whatever the timeout
-is set to in \fIsudoers\fR) but does not run a command. Not all
+is set to by the security policy) but does not run a command. Not all
security policies support cached credentials.
.IP "\-\-" 12
The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
the debug file name and a comma-separated list of debug flags.
The debug flag syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is
\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different
-format so long as it does not include a command \f(CW\*(C`,\*(C'\fR.
+format so long as it does not include a comma (`\f(CW\*(C`,\*(C'\fR').
.PP
For instance:
.PP
.IP "\fIutmp\fR" 10
.IX Item "utmp"
utmp handling
-.SH "RETURN VALUES"
-.IX Header "RETURN VALUES"
+.SH "EXIT VALUE"
+.IX Header "EXIT VALUE"
Upon successful execution of a program, the exit status from \fBsudo\fR
will simply be the exit status of the program that was executed.
.PP
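Review bot: the heading rename from RETURN VALUES to EXIT VALUE (the .SH and .IX Header lines) leaves any reference to the section by its old name dangling. No such reference is visible in these hunks, so search the other manuals listed under SEE ALSO (sudoers, sudo_plugin, sudoreplay, visudo) for "RETURN VALUES" and update them in the same commit.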
.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
.IX Item "EDITOR"
Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
-nor \f(CW\*(C`VISUAL\*(C'\fR is set
+nor \f(CW\*(C`VISUAL\*(C'\fR is set.
.ie n .IP "\*(C`MAIL\*(C'" 16
.el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16
.IX Item "MAIL"
In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set
-to the mail spool of the target user
+to the mail spool of the target user.
.ie n .IP "\*(C`HOME\*(C'" 16
.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
.IX Item "HOME"
Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are
specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR,
or when the \fB\-s\fR option is specified and \fIset_home\fR is set in
-\&\fIsudoers\fR
+\&\fIsudoers\fR.
.ie n .IP "\*(C`PATH\*(C'" 16
.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
.IX Item "PATH"
.ie n .IP "\*(C`SHELL\*(C'" 16
.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
.IX Item "SHELL"
-Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option
+Used to determine shell to run with \fB\-s\fR option.
.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16
.IX Item "SUDO_ASKPASS"
Specifies the path to a helper program used to read the password
-if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified.
+if no terminal is available or if the \fB\-A\fR option is specified.
.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16
.IX Item "SUDO_COMMAND"
-Set to the command run by sudo
+Set to the command run by sudo.
.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16
.IX Item "SUDO_EDITOR"
-Default editor to use in \fB\-e\fR (sudoedit) mode
+Default editor to use in \fB\-e\fR (sudoedit) mode.
.ie n .IP "\*(C`SUDO_GID\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16
.IX Item "SUDO_GID"
-Set to the group \s-1ID\s0 of the user who invoked sudo
+Set to the group \s-1ID\s0 of the user who invoked sudo.
.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
.IX Item "SUDO_PROMPT"
-Used as the default password prompt
+Used as the default password prompt.
.ie n .IP "\*(C`SUDO_PS1\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16
.IX Item "SUDO_PS1"
-If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run
+If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run.
.ie n .IP "\*(C`SUDO_UID\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
.IX Item "SUDO_UID"
-Set to the user \s-1ID\s0 of the user who invoked sudo
+Set to the user \s-1ID\s0 of the user who invoked sudo.
.ie n .IP "\*(C`SUDO_USER\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
.IX Item "SUDO_USER"
-Set to the login of the user who invoked sudo
+Set to the login name of the user who invoked sudo.
.ie n .IP "\*(C`USER\*(C'" 16
.el .IP "\f(CW\*(C`USER\*(C'\fR" 16
.IX Item "USER"
-Set to the target user (root unless the \fB\-u\fR option is specified)
+Set to the target user (root unless the \fB\-u\fR option is specified).
.ie n .IP "\*(C`VISUAL\*(C'" 16
.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
.IX Item "VISUAL"
Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR
-is not set
+is not set.
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
.if \n(LC \&\fIlogin_cap\fR\|(3),
\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
+.SH "HISTORY"
+.IX Header "HISTORY"
+See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution
+(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this
.Ve
.PP
See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
-(http://www.sudo.ws/sudo/contributors.html) for a list of people
+(http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people
who have contributed to \fBsudo\fR.
-.SH "HISTORY"
-.IX Header "HISTORY"
-See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution
-(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell
The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
the user for a password. If a password is required for the command
-to run, B<sudo> will display an error messages and exit.
+to run, B<sudo> will display an error message and exit.
=item -P
=item C<%U>
expanded to the login name of the user the command will be run as
-(defaults to root unless the C<-u> option is also specified)
+(defaults to root unless the B<-u> option is also specified)
=item C<%u>
The B<-V> (I<version>) option causes B<sudo> to print its version
string and the version string of the security policy plugin and any
I/O plugins. If the invoking user is already root the B<-V> option
-will display the arguments passed to configure when I<sudo> was
+will display the arguments passed to configure when B<sudo> was
built and plugins may display more verbose information such as
default options.
user's cached credentials, authenticating the user's password if
necessary. For the I<sudoers> plugin, this extends the B<sudo>
timeout for another C<@timeout@> minutes (or whatever the timeout
-is set to in I<sudoers>) but does not run a command. Not all
+is set to by the security policy) but does not run a command. Not all
security policies support cached credentials.
=item --
the debug file name and a comma-separated list of debug flags.
The debug flag syntax used by B<sudo> and the I<sudoers> plugin is
I<subsystem>@I<priority> but the plugin is free to use a different
-format so long as it does not include a command C<,>.
+format so long as it does not include a comma (`C<,>').
For instance:
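Review bot: on the added line "format so long as it does not include a comma (`C<,>')." the comma is quoted twice, once by the hand-written `' pair and once by the C<> code. The roff copy of this line shows the formatter's own \*(C` and \*(C' quote strings inside the hand-written pair, so any output where those strings are non-empty prints nested quotes. Use one or the other, for example "a comma (C<,>)".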
=back
-=head1 RETURN VALUES
+=head1 EXIT VALUE
Upon successful execution of a program, the exit status from B<sudo>
will simply be the exit status of the program that was executed.
=item C<EDITOR>
Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
-nor C<VISUAL> is set
+nor C<VISUAL> is set.
=item C<MAIL>
In B<-i> mode or when I<env_reset> is enabled in I<sudoers>, set
-to the mail spool of the target user
+to the mail spool of the target user.
=item C<HOME>
Set to the home directory of the target user if B<-i> or B<-H> are
specified, I<env_reset> or I<always_set_home> are set in I<sudoers>,
or when the B<-s> option is specified and I<set_home> is set in
-I<sudoers>
+I<sudoers>.
=item C<PATH>
=item C<SHELL>
-Used to determine shell to run with C<-s> option
+Used to determine shell to run with B<-s> option.
=item C<SUDO_ASKPASS>
Specifies the path to a helper program used to read the password
-if no terminal is available or if the C<-A> option is specified.
+if no terminal is available or if the B<-A> option is specified.
=item C<SUDO_COMMAND>
-Set to the command run by sudo
+Set to the command run by sudo.
=item C<SUDO_EDITOR>
-Default editor to use in B<-e> (sudoedit) mode
+Default editor to use in B<-e> (sudoedit) mode.
=item C<SUDO_GID>
-Set to the group ID of the user who invoked sudo
+Set to the group ID of the user who invoked sudo.
=item C<SUDO_PROMPT>
-Used as the default password prompt
+Used as the default password prompt.
=item C<SUDO_PS1>
-If set, C<PS1> will be set to its value for the program being run
+If set, C<PS1> will be set to its value for the program being run.
=item C<SUDO_UID>
-Set to the user ID of the user who invoked sudo
+Set to the user ID of the user who invoked sudo.
=item C<SUDO_USER>
-Set to the login of the user who invoked sudo
+Set to the login name of the user who invoked sudo.
=item C<USER>
-Set to the target user (root unless the B<-u> option is specified)
+Set to the target user (root unless the B<-u> option is specified).
=item C<VISUAL>
Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
-is not set
+is not set.
=back
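Review bot: the SUDO_COMMAND, SUDO_GID, SUDO_UID and SUDO_USER entries are rewritten here but still spell the command as plain "sudo", while the rest of the page uses B<sudo> and the -V hunk in this same patch corrects I<sudo> to B<sudo>. Since these lines are being touched anyway, mark the name up, e.g. "Set to the command run by B<sudo>."; the moved HISTORY paragraph ends with the same plain "sudo".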
L<login_cap(3)>,
L<passwd(5)>, L<sudoers(5)>, L<sudo_plugin(8)>, L<sudoreplay(8)>, L<visudo(8)>
+=head1 HISTORY
+
+See the HISTORY file in the B<sudo> distribution
+(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
+
=head1 AUTHORS
Many people have worked on B<sudo> over the years; this
Todd C. Miller
See the CONTRIBUTORS file in the B<sudo> distribution
-(http://www.sudo.ws/sudo/contributors.html) for a list of people
+(http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people
who have contributed to B<sudo>.
-=head1 HISTORY
-
-See the HISTORY file in the B<sudo> distribution
-(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
-
=head1 CAVEATS
There is no easy way to prevent a user from gaining a root shell