| version 1.2, 2000/01/24 04:22:53 |
version 1.3, 2000/03/27 03:44:38 |
|
|
| ''' $RCSfile$$Revision$$Date$ |
''' $RCSfile$$Revision$$Date$ |
| ''' |
''' |
| ''' $Log$ |
''' $Log$ |
| ''' Revision 1.2 2000/01/24 04:22:53 millert |
''' Revision 1.3 2000/03/27 03:44:38 millert |
| ''' sudo 1.6.2 |
''' sudo 1.6.3; see http://www.courtesan.com/sudo/current.html for a list |
| |
''' of changes. |
| ''' |
''' |
| ''' Revision 1.43 2000/01/17 17:28:41 millert |
''' Revision 1.3 2000/03/27 03:26:23 millert |
| ''' Crank version to 1.6.2 |
''' Use 8 and 5 in the man page bodies as well. |
| ''' |
''' |
| ''' |
''' |
| .de Sh |
.de Sh |
|
|
| .nr % 0 |
.nr % 0 |
| .rr F |
.rr F |
| .\} |
.\} |
| .TH sudo 8 "1.6.2" "4/Dec/1999" "MAINTENANCE COMMANDS" |
.TH sudo 8 "1.6.3" "26/Mar/2000" "MAINTENANCE COMMANDS" |
| .UC |
.UC |
| .if n .hy 0 |
.if n .hy 0 |
| .if n .na |
.if n .na |
|
|
| .SH "NAME" |
.SH "NAME" |
| sudo \- execute a command as another user |
sudo \- execute a command as another user |
| .SH "SYNOPSIS" |
.SH "SYNOPSIS" |
| \fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR | \fB\-H\fR | |
\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR | |
| [ \fB\-b\fR ] | [ \fB\-p\fR prompt ] [ \fB\-u\fR username/#uid] \fIcommand\fR |
[ \fB\-H\fR ] [\fB\-S\fR ] [ \fB\-b\fR ] | [ \fB\-p\fR prompt ] |
| |
[ \fB\-u\fR username/#uid ] \fIcommand\fR |
| .SH "DESCRIPTION" |
.SH "DESCRIPTION" |
| \fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the |
\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the |
| superuser or another user, as specified in the sudoers file. The |
superuser or another user, as specified in the sudoers file. The |
|
|
| login name. Similarly, \f(CW%h\fR will be replaced with the local |
login name. Similarly, \f(CW%h\fR will be replaced with the local |
| hostname. |
hostname. |
| .Ip "-u" 4 |
.Ip "-u" 4 |
| The \f(CW-u\fR (\fIuser\fR) option causes sudo to run the specified command |
The \f(CW-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command |
| as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a |
as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a |
| \fIusername\fR, use \*(L"#uid\*(R". |
\fIusername\fR, use \*(L"#uid\*(R". |
| .Ip "-s" 4 |
.Ip "-s" 4 |
|
|
| The \f(CW-H\fR (\fI\s-1HOME\s0\fR) option sets the \fI\s-1HOME\s0\fR environment variable |
The \f(CW-H\fR (\fI\s-1HOME\s0\fR) option sets the \fI\s-1HOME\s0\fR environment variable |
| to the homedir of the target user (root by default) as specified |
to the homedir of the target user (root by default) as specified |
| in \fIpasswd\fR\|(5). By default, \fBsudo\fR does not modify \fI\s-1HOME\s0\fR. |
in \fIpasswd\fR\|(5). By default, \fBsudo\fR does not modify \fI\s-1HOME\s0\fR. |
| |
.Ip "-S" 4 |
| |
The \f(CW-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from |
| |
standard input instead of the terminal device. |
| .Ip "--" 4 |
.Ip "--" 4 |
| The \f(CW--\fR flag indicates that \fBsudo\fR should stop processing command |
The \f(CW--\fR flag indicates that \fBsudo\fR should stop processing command |
| line arguments. It is most useful in conjunction with the \f(CW-s\fR flag. |
line arguments. It is most useful in conjunction with the \f(CW-s\fR flag. |
|
|
| behavior or link \fBsudo\fR statically. |
behavior or link \fBsudo\fR statically. |
| .PP |
.PP |
| \fBsudo\fR will check the ownership of its timestamp directory |
\fBsudo\fR will check the ownership of its timestamp directory |
| (\fI/var/run/sudo\fR or \fI/tmp/.odus\fR by default) and ignore the |
(\fI/var/run/sudo\fR by default) and ignore the directory's contents if |
| directory's contents if it is not owned by root and only writable |
it is not owned by root and only writable by root. On systems that |
| by root. On systems that allow non-root users to give away files |
allow non-root users to give away files via \fIchown\fR\|(2), if the timestamp |
| via \fIchown\fR\|(2), if the timestamp directory is located in a directory |
directory is located in a directory writable by anyone (eg: \fI/tmp\fR), |
| writable by anyone (ie: \fI/tmp\fR), it is possible for a user to |
it is possible for a user to create the timestamp directory before |
| create the timestamp directory before \fBsudo\fR is run. However, |
\fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and |
| because \fBsudo\fR checks the ownership and mode of the directory and |
mode of the directory and its contents, the only damage that can |
| its contents, the only damage that can be done is to \*(L"hide\*(R" files |
be done is to \*(L"hide\*(R" files by putting them in the timestamp dir. |
| by putting them in the timestamp dir. This is unlikely to happen |
This is unlikely to happen since once the timestamp dir is owned |
| since once the timestamp dir is owned by root and inaccessible by |
by root and inaccessible by any other user the user placing files |
| any other user the user placing files there would be unable to get |
there would be unable to get them back out. To get around this |
| them back out. To get around this issue you can use a directory |
issue you can use a directory that is not world-writable for the |
| that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for |
timestamps (\fI/var/adm/sudo\fR for instance) or create \fI/var/run/sudo\fR |
| instance) or create /tmp/.odus with the appropriate owner (root) |
with the appropriate owner (root) and permissions (0700) in the |
| and permissions (0700) in the system startup files. |
system startup files. |
| .PP |
.PP |
| \fBsudo\fR will not honor timestamps set far in the future. |
\fBsudo\fR will not honor timestamps set far in the future. |
| Timestamps with a date greater than current_time + 2 * \f(CWTIMEOUT\fR |
Timestamps with a date greater than current_time + 2 * \f(CWTIMEOUT\fR |
|
|
| .PP |
.PP |
| .Vb 2 |
.Vb 2 |
| \& /etc/sudoers List of who can run what |
\& /etc/sudoers List of who can run what |
| \& /var/run/sudo Directory containing timestamps |
\& /var/run/sudo Directory containing timestamps |
| .Ve |
.Ve |
| \fBsudo\fR utilizes the following environment variables: |
|
| .PP |
|
| .Vb 13 |
|
| \& PATH Set to a sane value if SECURE_PATH is set |
|
| \& SHELL Used to determine shell to run with -s option |
|
| \& USER Set to the target user (root unless the -u option |
|
| \& is specified) |
|
| \& HOME In -s or -H mode (or if sudo was configured with |
|
| \& the --enable-shell-sets-home option), set to |
|
| \& homedir of the target user. |
|
| \& SUDO_PROMPT Used as the default password prompt |
|
| \& SUDO_COMMAND Set to the command run by sudo |
|
| \& SUDO_USER Set to the login of the user who invoked sudo |
|
| \& SUDO_UID Set to the uid of the user who invoked sudo |
|
| \& SUDO_GID Set to the gid of the user who invoked sudo |
|
| \& SUDO_PS1 If set, PS1 will be set to its value |
|
| .Ve |
|
| .SH "FILES" |
|
| .PP |
|
| .Vb 3 |
|
| \& /etc/sudoers List of who can run what |
|
| \& /var/run/sudo Directory containing timestamps |
|
| \& /tmp/.odus Same as above if no /var/run exists |
|
| .Ve |
|
| .SH "AUTHORS" |
.SH "AUTHORS" |
| Many people have worked on \fBsudo\fR over the years, this |
Many people have worked on \fBsudo\fR over the years, this |
| version consists of code written primarily by: |
version consists of code written primarily by: |
|
|
| (if your OS supports the /dev/fd/ directory, setuid shell scripts |
(if your OS supports the /dev/fd/ directory, setuid shell scripts |
| are generally safe). |
are generally safe). |
| .SH "SEE ALSO" |
.SH "SEE ALSO" |
| \fIsudoers\fR\|(5), \fIvisudo\fR\|(8), \fIsu\fR\|(1). |
\\fIsudoers\fR\|(5), \fIvisudo\fR\|(8), \fIsu\fR\|(1). |
| |
|
| .rn }` '' |
.rn }` '' |
| .IX Title "sudo 8" |
.IX Title "sudo 8" |
|
|
| |
|
| .IX Item "-H" |
.IX Item "-H" |
| |
|
| |
.IX Item "-S" |
| |
|
| .IX Item "--" |
.IX Item "--" |
| |
|
| .IX Header "RETURN VALUES" |
.IX Header "RETURN VALUES" |
|
|
| .IX Header "EXAMPLES" |
.IX Header "EXAMPLES" |
| |
|
| .IX Header "ENVIRONMENT" |
.IX Header "ENVIRONMENT" |
| |
|
| .IX Header "FILES" |
|
| |
|
| .IX Header "FILES" |
.IX Header "FILES" |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to sudo.8 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo