Annotation of src/usr.bin/sudo/sudo.8, Revision 1.10
1.7 millert 1: .\" Automatically generated by Pod::Man version 1.15
1.10 ! millert 2: .\" Thu Apr 25 09:34:52 2002
1.7 millert 3: .\"
4: .\" Standard preamble:
5: .\" ======================================================================
6: .de Sh \" Subsection heading
1.1 millert 7: .br
8: .if t .Sp
9: .ne 5
10: .PP
11: \fB\\$1\fR
12: .PP
13: ..
1.7 millert 14: .de Sp \" Vertical space (when we can't use .PP)
1.1 millert 15: .if t .sp .5v
16: .if n .sp
17: ..
1.7 millert 18: .de Ip \" List item
1.1 millert 19: .br
20: .ie \\n(.$>=3 .ne \\$3
21: .el .ne 3
22: .IP "\\$1" \\$2
23: ..
1.7 millert 24: .de Vb \" Begin verbatim text
1.1 millert 25: .ft CW
26: .nf
27: .ne \\$1
28: ..
1.7 millert 29: .de Ve \" End verbatim text
1.1 millert 30: .ft R
31:
32: .fi
33: ..
1.7 millert 34: .\" Set up some character translations and predefined strings. \*(-- will
35: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
36: .\" double quote, and \*(R" will give a right double quote. | will give a
37: .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
38: .\" to do unbreakable dashes and therefore won't be available. \*(C` and
39: .\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
1.1 millert 40: .tr \(*W-|\(bv\*(Tr
1.7 millert 41: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
1.1 millert 42: .ie n \{\
1.7 millert 43: . ds -- \(*W-
44: . ds PI pi
45: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
46: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
47: . ds L" ""
48: . ds R" ""
49: . ds C`
50: . ds C'
1.1 millert 51: 'br\}
52: .el\{\
1.7 millert 53: . ds -- \|\(em\|
54: . ds PI \(*p
55: . ds L" ``
56: . ds R" ''
1.1 millert 57: 'br\}
1.7 millert 58: .\"
59: .\" If the F register is turned on, we'll generate index entries on stderr
60: .\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
61: .\" index entries marked with X<> in POD. Of course, you'll have to process
62: .\" the output yourself in some meaningful fashion.
63: .if \nF \{\
64: . de IX
65: . tm Index:\\$1\t\\n%\t"\\$2"
1.1 millert 66: ..
1.7 millert 67: . nr % 0
68: . rr F
1.1 millert 69: .\}
1.7 millert 70: .\"
71: .\" For nroff, turn off justification. Always turn off hyphenation; it
72: .\" makes way too many mistakes in technical documents.
73: .hy 0
1.1 millert 74: .if n .na
1.7 millert 75: .\"
76: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
77: .\" Fear. Run. Save yourself. No user-serviceable parts.
1.1 millert 78: .bd B 3
1.7 millert 79: . \" fudge factors for nroff and troff
1.1 millert 80: .if n \{\
1.7 millert 81: . ds #H 0
82: . ds #V .8m
83: . ds #F .3m
84: . ds #[ \f1
85: . ds #] \fP
1.1 millert 86: .\}
87: .if t \{\
1.7 millert 88: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
89: . ds #V .6m
90: . ds #F 0
91: . ds #[ \&
92: . ds #] \&
1.1 millert 93: .\}
1.7 millert 94: . \" simple accents for nroff and troff
1.1 millert 95: .if n \{\
1.7 millert 96: . ds ' \&
97: . ds ` \&
98: . ds ^ \&
99: . ds , \&
100: . ds ~ ~
101: . ds /
1.1 millert 102: .\}
103: .if t \{\
1.7 millert 104: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
105: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
106: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
107: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
108: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
109: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
1.1 millert 110: .\}
1.7 millert 111: . \" troff and (daisy-wheel) nroff accents
1.1 millert 112: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
113: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
114: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
115: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
116: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
117: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
118: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
119: .ds ae a\h'-(\w'a'u*4/10)'e
120: .ds Ae A\h'-(\w'A'u*4/10)'E
1.7 millert 121: . \" corrections for vroff
1.1 millert 122: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
123: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
1.7 millert 124: . \" for low resolution devices (crt and lpr)
1.1 millert 125: .if \n(.H>23 .if \n(.V>19 \
126: \{\
1.7 millert 127: . ds : e
128: . ds 8 ss
129: . ds o a
130: . ds d- d\h'-1'\(ga
131: . ds D- D\h'-1'\(hy
132: . ds th \o'bp'
133: . ds Th \o'LP'
134: . ds ae ae
135: . ds Ae AE
1.1 millert 136: .\}
137: .rm #[ #] #H #V #F C
1.7 millert 138: .\" ======================================================================
139: .\"
140: .IX Title "sudo 8"
1.10 ! millert 141: .TH sudo 8 "1.6.6" "April 25, 2002" "MAINTENANCE COMMANDS"
1.7 millert 142: .UC
1.1 millert 143: .SH "NAME"
144: sudo \- execute a command as another user
145: .SH "SYNOPSIS"
1.7 millert 146: .IX Header "SYNOPSIS"
147: \&\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR |
148: [ \fB\-H\fR ] [\fB\-P\fR ] [\fB\-S\fR ] [ \fB\-b\fR ] | [ \fB\-p\fR \fIprompt\fR ]
149: [ \fB\-c\fR \fIclass\fR|\fI-\fR ] [ \fB\-a\fR \fIauth_type\fR ]
150: [ \fB\-u\fR \fIusername\fR|\fI#uid\fR ] \fIcommand\fR
1.1 millert 151: .SH "DESCRIPTION"
1.7 millert 152: .IX Header "DESCRIPTION"
153: \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
154: superuser or another user, as specified in the \fIsudoers\fR file.
155: The real and effective uid and gid are set to match those of the
156: target user as specified in the passwd file (the group vector is
157: also initialized when the target user is not root). By default,
158: \&\fBsudo\fR requires that users authenticate themselves with a password
159: (\s-1NOTE:\s0 by default this is the user's password, not the root password).
160: Once a user has been authenticated, a timestamp is updated and the
161: user may then use sudo without a password for a short period of
162: time (\f(CW\*(C`5\*(C'\fR minutes unless overridden in \fIsudoers\fR).
163: .PP
164: \&\fBsudo\fR determines who is an authorized user by consulting the file
165: \&\fI/etc/sudoers\fR. By giving \fBsudo\fR the \fB\-v\fR flag a user
166: can update the time stamp without running a \fIcommand.\fR The password
167: prompt itself will also time out if the user's password is not
168: entered within \f(CW\*(C`5\*(C'\fR minutes (unless overridden via
169: \&\fIsudoers\fR).
170: .PP
171: If a user who is not listed in the \fIsudoers\fR file tries to run a
172: command via \fBsudo\fR, mail is sent to the proper authorities, as
173: defined at configure time or the \fIsudoers\fR file (defaults to root).
174: Note that the mail will not be sent if an unauthorized user tries
175: to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows users to
176: determine for themselves whether or not they are allowed to use
177: \&\fBsudo\fR.
1.1 millert 178: .PP
1.7 millert 179: \&\fBsudo\fR can log both successful and unsuccessful attempts (as well
1.1 millert 180: as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR
1.7 millert 181: will log via \fIsyslog\fR\|(3) but this is changeable at configure time
182: or via the \fIsudoers\fR file.
1.1 millert 183: .SH "OPTIONS"
1.7 millert 184: .IX Header "OPTIONS"
185: \&\fBsudo\fR accepts the following command line options:
186: .Ip "\-V" 4
187: .IX Item "-V"
188: The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the
189: version number and exit. If the invoking user is already root
190: the \fB\-V\fR option will print out a list of the defaults \fBsudo\fR
191: was compiled with as well as the machine's local network addresses.
192: .Ip "\-l" 4
193: .IX Item "-l"
194: The \fB\-l\fR (\fIlist\fR) option will list out the allowed (and
1.1 millert 195: forbidden) commands for the user on the current host.
1.7 millert 196: .Ip "\-L" 4
197: .IX Item "-L"
198: The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
1.1 millert 199: that may be set in a \fIDefaults\fR line along with a short description
200: for each. This option is useful in conjunction with \fIgrep\fR\|(1).
1.7 millert 201: .Ip "\-h" 4
202: .IX Item "-h"
203: The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
204: .Ip "\-v" 4
205: .IX Item "-v"
206: If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
1.1 millert 207: user's timestamp, prompting for the user's password if necessary.
1.7 millert 208: This extends the \fBsudo\fR timeout for another \f(CW\*(C`5\*(C'\fR minutes
209: (or whatever the timeout is set to in \fIsudoers\fR) but does not run
210: a command.
211: .Ip "\-k" 4
212: .IX Item "-k"
213: The \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp
1.1 millert 214: by setting the time on it to the epoch. The next time \fBsudo\fR is
215: run a password will be required. This option does not require a password
216: and was added to allow a user to revoke \fBsudo\fR permissions from a .logout
217: file.
1.7 millert 218: .Ip "\-K" 4
219: .IX Item "-K"
220: The \fB\-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp
221: entirely. Likewise, this option does not require a password.
222: .Ip "\-b" 4
223: .IX Item "-b"
224: The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
225: command in the background. Note that if you use the \fB\-b\fR
226: option you cannot use shell job control to manipulate the process.
227: .Ip "\-p" 4
228: .IX Item "-p"
229: The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
1.1 millert 230: password prompt and use a custom one. If the password prompt
1.7 millert 231: contains the \f(CW\*(C`%u\*(C'\fR escape, \f(CW\*(C`%u\*(C'\fR will be replaced with the user's
232: login name. Similarly, \f(CW\*(C`%h\*(C'\fR will be replaced with the local
1.1 millert 233: hostname.
1.5 millert 234: .Ip "\-c" 4
235: .IX Item "-c"
236: The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
237: with resources limited by the specified login class. The \fIclass\fR
238: argument can be either a class name as defined in /etc/login.conf,
239: or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
240: that the command should be run restricted by the default login
1.6 pjanzen 241: capabilities for the user the command is run as. If the \fIclass\fR
1.5 millert 242: argument specifies an existing user class, the command must be run
243: as root, or the \fBsudo\fR command must be run from a shell that is already
244: root. This option is only available on systems with \s-1BSD\s0 login classes
245: where \fBsudo\fR has been configured with the \-\-with-logincap option.
246: .Ip "\-a" 4
247: .IX Item "-a"
248: The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
249: specified authentication type when validating the user, as allowed
250: by /etc/login.conf. The system administrator may specify a list
251: of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
252: entry in /etc/login.conf. This option is only available on systems
253: that support \s-1BSD\s0 authentication where \fBsudo\fR has been configured
254: with the \-\-with-bsdauth option.
1.7 millert 255: .Ip "\-u" 4
256: .IX Item "-u"
257: The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command
1.1 millert 258: as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a
1.7 millert 259: \&\fIusername\fR, use \fI#uid\fR.
260: .Ip "\-s" 4
261: .IX Item "-s"
262: The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
1.1 millert 263: environment variable if it is set or the shell as specified
264: in \fIpasswd\fR\|(5).
1.7 millert 265: .Ip "\-H" 4
266: .IX Item "-H"
267: The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
1.1 millert 268: to the homedir of the target user (root by default) as specified
1.7 millert 269: in \fIpasswd\fR\|(5). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR.
270: .Ip "\-P" 4
271: .IX Item "-P"
272: The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to preserve
273: the user's group vector unaltered. By default, \fBsudo\fR will initialize
274: the group vector to the list of groups the target user is in.
275: The real and effective group IDs, however, are still set to match
276: the target user.
277: .Ip "\-S" 4
278: .IX Item "-S"
279: The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
1.3 millert 280: standard input instead of the terminal device.
1.7 millert 281: .Ip "\-\-" 4
282: The \fB\--\fR flag indicates that \fBsudo\fR should stop processing command
283: line arguments. It is most useful in conjunction with the \fB\-s\fR flag.
1.1 millert 284: .SH "RETURN VALUES"
1.7 millert 285: .IX Header "RETURN VALUES"
286: Upon successful execution of a program, the return value from \fBsudo\fR
287: will simply be the return value of the program that was executed.
288: .PP
289: Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a
1.1 millert 290: configuration/permission problem or if \fBsudo\fR cannot execute the
291: given command. In the latter case the error string is printed to
292: stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's
1.7 millert 293: \&\f(CW\*(C`PATH\*(C'\fR an error is printed on stderr. (If the directory does not
1.1 millert 294: exist or if it is not really a directory, the entry is ignored and
295: no error is printed.) This should not happen under normal
296: circumstances. The most common reason for \fIstat\fR\|(2) to return
1.7 millert 297: \&\*(L"permission denied\*(R" is if you are running an automounter and one
298: of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is currently
1.1 millert 299: unreachable.
300: .SH "SECURITY NOTES"
1.7 millert 301: .IX Header "SECURITY NOTES"
302: \&\fBsudo\fR tries to be safe when executing external commands. Variables
1.1 millert 303: that control how dynamic loading and binding is done can be used
304: to subvert the program that \fBsudo\fR runs. To combat this the
1.7 millert 305: \&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0
1.1 millert 306: only) environment variables are removed from the environment passed
1.7 millert 307: on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR,
308: \&\f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR,
309: \&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR,
310: \&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and
311: \&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the
312: \&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored.
313: Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the
314: \&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. If \fBsudo\fR has been
315: compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and
316: \&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment
317: variables that \fBsudo\fR clears is contained in the output of
318: \&\f(CW\*(C`sudo \-V\*(C'\fR when run as root.
1.1 millert 319: .PP
1.7 millert 320: To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
1.1 millert 321: current directory) last when searching for a command in the user's
1.7 millert 322: \&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
323: actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
1.1 millert 324: unchanged to the program that \fBsudo\fR executes.
325: .PP
1.7 millert 326: For security reasons, if your \s-1OS\s0 supports shared libraries and does
1.1 millert 327: not disable user-defined library search paths for setuid programs
328: (most do), you should either use a linker option that disables this
329: behavior or link \fBsudo\fR statically.
330: .PP
1.7 millert 331: \&\fBsudo\fR will check the ownership of its timestamp directory
1.3 millert 332: (\fI/var/run/sudo\fR by default) and ignore the directory's contents if
333: it is not owned by root and only writable by root. On systems that
334: allow non-root users to give away files via \fIchown\fR\|(2), if the timestamp
1.6 pjanzen 335: directory is located in a directory writable by anyone (e.g.: \fI/tmp\fR),
1.3 millert 336: it is possible for a user to create the timestamp directory before
1.7 millert 337: \&\fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and
1.3 millert 338: mode of the directory and its contents, the only damage that can
339: be done is to \*(L"hide\*(R" files by putting them in the timestamp dir.
340: This is unlikely to happen since once the timestamp dir is owned
341: by root and inaccessible by any other user the user placing files
342: there would be unable to get them back out. To get around this
343: issue you can use a directory that is not world-writable for the
344: timestamps (\fI/var/adm/sudo\fR for instance) or create \fI/var/run/sudo\fR
345: with the appropriate owner (root) and permissions (0700) in the
346: system startup files.
1.1 millert 347: .PP
1.7 millert 348: \&\fBsudo\fR will not honor timestamps set far in the future.
349: Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
1.1 millert 350: will be ignored and sudo will log and complain. This is done to
351: keep a user from creating his/her own timestamp with a bogus
1.7 millert 352: date on systems that allow users to give away files.
353: .PP
354: Please note that \fBsudo\fR will only log the command it explicitly
355: runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or \f(CW\*(C`sudo sh\*(C'\fR,
356: subsequent commands run from that shell will \fInot\fR be logged, nor
357: will \fBsudo\fR's access control affect them. The same is true for
358: commands that offer shell escapes (including most editors). Because
359: of this, care must be taken when giving users access to commands
360: via \fBsudo\fR to verify that the command does not inadvertantly give
361: the user an effective root shell.
1.1 millert 362: .SH "EXAMPLES"
1.7 millert 363: .IX Header "EXAMPLES"
1.1 millert 364: Note: the following examples assume suitable \fIsudoers\fR\|(5) entries.
365: .PP
366: To get a file listing of an unreadable directory:
367: .PP
368: .Vb 1
369: \& % sudo ls /usr/local/protected
370: .Ve
371: To list the home directory of user yazza on a machine where the
372: filesystem holding ~yazza is not exported as root:
373: .PP
374: .Vb 1
375: \& % sudo -u yazza ls ~yazza
376: .Ve
377: To edit the \fIindex.html\fR file as user www:
378: .PP
379: .Vb 1
380: \& % sudo -u www vi ~www/htdocs/index.html
381: .Ve
382: To shutdown a machine:
383: .PP
384: .Vb 1
385: \& % sudo shutdown -r +15 "quick reboot"
386: .Ve
387: To make a usage listing of the directories in the /home
388: partition. Note that this runs the commands in a sub-shell
1.7 millert 389: to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
1.1 millert 390: .PP
391: .Vb 1
392: \& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
393: .Ve
394: .SH "ENVIRONMENT"
1.7 millert 395: .IX Header "ENVIRONMENT"
396: \&\fBsudo\fR utilizes the following environment variables:
1.1 millert 397: .PP
398: .Vb 13
399: \& PATH Set to a sane value if SECURE_PATH is set
400: \& SHELL Used to determine shell to run with -s option
401: \& USER Set to the target user (root unless the -u option
402: \& is specified)
403: \& HOME In -s or -H mode (or if sudo was configured with
404: \& the --enable-shell-sets-home option), set to
405: \& homedir of the target user.
406: \& SUDO_PROMPT Used as the default password prompt
407: \& SUDO_COMMAND Set to the command run by sudo
408: \& SUDO_USER Set to the login of the user who invoked sudo
409: \& SUDO_UID Set to the uid of the user who invoked sudo
410: \& SUDO_GID Set to the gid of the user who invoked sudo
411: \& SUDO_PS1 If set, PS1 will be set to its value
412: .Ve
413: .SH "FILES"
1.7 millert 414: .IX Header "FILES"
1.1 millert 415: .Vb 2
416: \& /etc/sudoers List of who can run what
1.3 millert 417: \& /var/run/sudo Directory containing timestamps
1.1 millert 418: .Ve
419: .SH "AUTHORS"
1.7 millert 420: .IX Header "AUTHORS"
421: Many people have worked on \fBsudo\fR over the years; this
1.1 millert 422: version consists of code written primarily by:
423: .PP
424: .Vb 2
425: \& Todd Miller
426: \& Chris Jepeway
427: .Ve
1.7 millert 428: See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
1.8 millert 429: http://www.sudo.ws/sudo/history.html for a short history
1.1 millert 430: of \fBsudo\fR.
431: .SH "BUGS"
1.7 millert 432: .IX Header "BUGS"
1.1 millert 433: If you feel you have found a bug in sudo, please submit a bug report
1.8 millert 434: at http://www.sudo.ws/sudo/bugs/
1.1 millert 435: .SH "DISCLAIMER"
1.7 millert 436: .IX Header "DISCLAIMER"
437: \&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
1.1 millert 438: including, but not limited to, the implied warranties of merchantability
439: and fitness for a particular purpose are disclaimed.
1.7 millert 440: See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
1.1 millert 441: .SH "CAVEATS"
1.7 millert 442: .IX Header "CAVEATS"
1.1 millert 443: There is no easy way to prevent a user from gaining a root shell if
444: that user has access to commands allowing shell escapes.
445: .PP
1.7 millert 446: If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating
447: their own program that gives them a root shell regardless of any '!'
1.1 millert 448: elements in the user specification.
449: .PP
450: Running shell scripts via \fBsudo\fR can expose the same kernel bugs
451: that make setuid shell scripts unsafe on some operating systems
1.7 millert 452: (if your \s-1OS\s0 supports the /dev/fd/ directory, setuid shell scripts
1.1 millert 453: are generally safe).
454: .SH "SEE ALSO"
455: .IX Header "SEE ALSO"
1.7 millert 456: \&\fIstat\fR\|(2), \fIlogin_cap\fR\|(3), \fIsudoers\fR\|(5), \fIpasswd\fR\|(5), \fIvisudo\fR\|(8), \fIgrep\fR\|(1), \fIsu\fR\|(1).