Annotation of src/usr.bin/sudo/sudo.8, Revision 1.11
1.7 millert 1: .\" Automatically generated by Pod::Man version 1.15
1.10 millert 2: .\" Thu Apr 25 09:34:52 2002
1.7 millert 3: .\"
1.11 ! millert 4: .\" Copyright (c) 1994-1996,1998-2002 Todd C. Miller <Todd.Miller@courtesan.com>
! 5: .\" All rights reserved.
! 6: .\"
! 7: .\" Redistribution and use in source and binary forms, with or without
! 8: .\" modification, are permitted provided that the following conditions
! 9: .\" are met:
! 10: .\"
! 11: .\" 1. Redistributions of source code must retain the above copyright
! 12: .\" notice, this list of conditions and the following disclaimer.
! 13: .\"
! 14: .\" 2. Redistributions in binary form must reproduce the above copyright
! 15: .\" notice, this list of conditions and the following disclaimer in the
! 16: .\" documentation and/or other materials provided with the distribution.
! 17: .\"
! 18: .\" 3. The name of the author may not be used to endorse or promote products
! 19: .\" derived from this software without specific prior written permission
! 20: .\" from the author.
! 21: .\"
! 22: .\" 4. Products derived from this software may not be called "Sudo" nor
! 23: .\" may "Sudo" appear in their names without specific prior written
! 24: .\" permission from the author.
! 25: .\"
! 26: .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
! 27: .\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
! 28: .\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
! 29: .\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
! 30: .\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
! 31: .\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
! 32: .\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
! 33: .\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
! 34: .\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
! 35: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 36: .\"
1.7 millert 37: .\" Standard preamble:
38: .\" ======================================================================
39: .de Sh \" Subsection heading
1.1 millert 40: .br
41: .if t .Sp
42: .ne 5
43: .PP
44: \fB\\$1\fR
45: .PP
46: ..
1.7 millert 47: .de Sp \" Vertical space (when we can't use .PP)
1.1 millert 48: .if t .sp .5v
49: .if n .sp
50: ..
1.7 millert 51: .de Ip \" List item
1.1 millert 52: .br
53: .ie \\n(.$>=3 .ne \\$3
54: .el .ne 3
55: .IP "\\$1" \\$2
56: ..
1.7 millert 57: .de Vb \" Begin verbatim text
1.1 millert 58: .ft CW
59: .nf
60: .ne \\$1
61: ..
1.7 millert 62: .de Ve \" End verbatim text
1.1 millert 63: .ft R
64:
65: .fi
66: ..
1.7 millert 67: .\" Set up some character translations and predefined strings. \*(-- will
68: .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
69: .\" double quote, and \*(R" will give a right double quote. | will give a
70: .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
71: .\" to do unbreakable dashes and therefore won't be available. \*(C` and
72: .\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
1.1 millert 73: .tr \(*W-|\(bv\*(Tr
1.7 millert 74: .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
1.1 millert 75: .ie n \{\
1.7 millert 76: . ds -- \(*W-
77: . ds PI pi
78: . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
79: . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
80: . ds L" ""
81: . ds R" ""
82: . ds C`
83: . ds C'
1.1 millert 84: 'br\}
85: .el\{\
1.7 millert 86: . ds -- \|\(em\|
87: . ds PI \(*p
88: . ds L" ``
89: . ds R" ''
1.1 millert 90: 'br\}
1.7 millert 91: .\"
92: .\" If the F register is turned on, we'll generate index entries on stderr
93: .\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
94: .\" index entries marked with X<> in POD. Of course, you'll have to process
95: .\" the output yourself in some meaningful fashion.
96: .if \nF \{\
97: . de IX
98: . tm Index:\\$1\t\\n%\t"\\$2"
1.1 millert 99: ..
1.7 millert 100: . nr % 0
101: . rr F
1.1 millert 102: .\}
1.7 millert 103: .\"
104: .\" For nroff, turn off justification. Always turn off hyphenation; it
105: .\" makes way too many mistakes in technical documents.
106: .hy 0
1.1 millert 107: .if n .na
1.7 millert 108: .\"
109: .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
110: .\" Fear. Run. Save yourself. No user-serviceable parts.
1.1 millert 111: .bd B 3
1.7 millert 112: . \" fudge factors for nroff and troff
1.1 millert 113: .if n \{\
1.7 millert 114: . ds #H 0
115: . ds #V .8m
116: . ds #F .3m
117: . ds #[ \f1
118: . ds #] \fP
1.1 millert 119: .\}
120: .if t \{\
1.7 millert 121: . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
122: . ds #V .6m
123: . ds #F 0
124: . ds #[ \&
125: . ds #] \&
1.1 millert 126: .\}
1.7 millert 127: . \" simple accents for nroff and troff
1.1 millert 128: .if n \{\
1.7 millert 129: . ds ' \&
130: . ds ` \&
131: . ds ^ \&
132: . ds , \&
133: . ds ~ ~
134: . ds /
1.1 millert 135: .\}
136: .if t \{\
1.7 millert 137: . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
138: . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
139: . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
140: . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
141: . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
142: . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
1.1 millert 143: .\}
1.7 millert 144: . \" troff and (daisy-wheel) nroff accents
1.1 millert 145: .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
146: .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
147: .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
148: .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
149: .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
150: .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
151: .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
152: .ds ae a\h'-(\w'a'u*4/10)'e
153: .ds Ae A\h'-(\w'A'u*4/10)'E
1.7 millert 154: . \" corrections for vroff
1.1 millert 155: .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
156: .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
1.7 millert 157: . \" for low resolution devices (crt and lpr)
1.1 millert 158: .if \n(.H>23 .if \n(.V>19 \
159: \{\
1.7 millert 160: . ds : e
161: . ds 8 ss
162: . ds o a
163: . ds d- d\h'-1'\(ga
164: . ds D- D\h'-1'\(hy
165: . ds th \o'bp'
166: . ds Th \o'LP'
167: . ds ae ae
168: . ds Ae AE
1.1 millert 169: .\}
170: .rm #[ #] #H #V #F C
1.7 millert 171: .\" ======================================================================
172: .\"
173: .IX Title "sudo 8"
1.10 millert 174: .TH sudo 8 "1.6.6" "April 25, 2002" "MAINTENANCE COMMANDS"
1.7 millert 175: .UC
1.1 millert 176: .SH "NAME"
177: sudo \- execute a command as another user
178: .SH "SYNOPSIS"
1.7 millert 179: .IX Header "SYNOPSIS"
180: \&\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR |
181: [ \fB\-H\fR ] [\fB\-P\fR ] [\fB\-S\fR ] [ \fB\-b\fR ] | [ \fB\-p\fR \fIprompt\fR ]
182: [ \fB\-c\fR \fIclass\fR|\fI-\fR ] [ \fB\-a\fR \fIauth_type\fR ]
183: [ \fB\-u\fR \fIusername\fR|\fI#uid\fR ] \fIcommand\fR
1.1 millert 184: .SH "DESCRIPTION"
1.7 millert 185: .IX Header "DESCRIPTION"
186: \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
187: superuser or another user, as specified in the \fIsudoers\fR file.
188: The real and effective uid and gid are set to match those of the
189: target user as specified in the passwd file (the group vector is
190: also initialized when the target user is not root). By default,
191: \&\fBsudo\fR requires that users authenticate themselves with a password
192: (\s-1NOTE:\s0 by default this is the user's password, not the root password).
193: Once a user has been authenticated, a timestamp is updated and the
194: user may then use sudo without a password for a short period of
195: time (\f(CW\*(C`5\*(C'\fR minutes unless overridden in \fIsudoers\fR).
196: .PP
197: \&\fBsudo\fR determines who is an authorized user by consulting the file
198: \&\fI/etc/sudoers\fR. By giving \fBsudo\fR the \fB\-v\fR flag a user
199: can update the time stamp without running a \fIcommand.\fR The password
200: prompt itself will also time out if the user's password is not
201: entered within \f(CW\*(C`5\*(C'\fR minutes (unless overridden via
202: \&\fIsudoers\fR).
203: .PP
204: If a user who is not listed in the \fIsudoers\fR file tries to run a
205: command via \fBsudo\fR, mail is sent to the proper authorities, as
206: defined at configure time or the \fIsudoers\fR file (defaults to root).
207: Note that the mail will not be sent if an unauthorized user tries
208: to run sudo with the \fB\-l\fR or \fB\-v\fR flags. This allows users to
209: determine for themselves whether or not they are allowed to use
210: \&\fBsudo\fR.
1.1 millert 211: .PP
1.7 millert 212: \&\fBsudo\fR can log both successful and unsuccessful attempts (as well
1.1 millert 213: as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR
1.7 millert 214: will log via \fIsyslog\fR\|(3) but this is changeable at configure time
215: or via the \fIsudoers\fR file.
1.1 millert 216: .SH "OPTIONS"
1.7 millert 217: .IX Header "OPTIONS"
218: \&\fBsudo\fR accepts the following command line options:
219: .Ip "\-V" 4
220: .IX Item "-V"
221: The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the
222: version number and exit. If the invoking user is already root
223: the \fB\-V\fR option will print out a list of the defaults \fBsudo\fR
224: was compiled with as well as the machine's local network addresses.
225: .Ip "\-l" 4
226: .IX Item "-l"
227: The \fB\-l\fR (\fIlist\fR) option will list out the allowed (and
1.1 millert 228: forbidden) commands for the user on the current host.
1.7 millert 229: .Ip "\-L" 4
230: .IX Item "-L"
231: The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
1.1 millert 232: that may be set in a \fIDefaults\fR line along with a short description
233: for each. This option is useful in conjunction with \fIgrep\fR\|(1).
1.7 millert 234: .Ip "\-h" 4
235: .IX Item "-h"
236: The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit.
237: .Ip "\-v" 4
238: .IX Item "-v"
239: If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
1.1 millert 240: user's timestamp, prompting for the user's password if necessary.
1.7 millert 241: This extends the \fBsudo\fR timeout for another \f(CW\*(C`5\*(C'\fR minutes
242: (or whatever the timeout is set to in \fIsudoers\fR) but does not run
243: a command.
244: .Ip "\-k" 4
245: .IX Item "-k"
246: The \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp
1.1 millert 247: by setting the time on it to the epoch. The next time \fBsudo\fR is
248: run a password will be required. This option does not require a password
249: and was added to allow a user to revoke \fBsudo\fR permissions from a .logout
250: file.
1.7 millert 251: .Ip "\-K" 4
252: .IX Item "-K"
253: The \fB\-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp
254: entirely. Likewise, this option does not require a password.
255: .Ip "\-b" 4
256: .IX Item "-b"
257: The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
258: command in the background. Note that if you use the \fB\-b\fR
259: option you cannot use shell job control to manipulate the process.
260: .Ip "\-p" 4
261: .IX Item "-p"
262: The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
1.1 millert 263: password prompt and use a custom one. If the password prompt
1.7 millert 264: contains the \f(CW\*(C`%u\*(C'\fR escape, \f(CW\*(C`%u\*(C'\fR will be replaced with the user's
265: login name. Similarly, \f(CW\*(C`%h\*(C'\fR will be replaced with the local
1.1 millert 266: hostname.
1.5 millert 267: .Ip "\-c" 4
268: .IX Item "-c"
269: The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
270: with resources limited by the specified login class. The \fIclass\fR
271: argument can be either a class name as defined in /etc/login.conf,
272: or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
273: that the command should be run restricted by the default login
1.6 pjanzen 274: capabilities for the user the command is run as. If the \fIclass\fR
1.5 millert 275: argument specifies an existing user class, the command must be run
276: as root, or the \fBsudo\fR command must be run from a shell that is already
277: root. This option is only available on systems with \s-1BSD\s0 login classes
278: where \fBsudo\fR has been configured with the \-\-with-logincap option.
279: .Ip "\-a" 4
280: .IX Item "-a"
281: The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
282: specified authentication type when validating the user, as allowed
283: by /etc/login.conf. The system administrator may specify a list
284: of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
285: entry in /etc/login.conf. This option is only available on systems
286: that support \s-1BSD\s0 authentication where \fBsudo\fR has been configured
287: with the \-\-with-bsdauth option.
1.7 millert 288: .Ip "\-u" 4
289: .IX Item "-u"
290: The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command
1.1 millert 291: as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a
1.7 millert 292: \&\fIusername\fR, use \fI#uid\fR.
293: .Ip "\-s" 4
294: .IX Item "-s"
295: The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
1.1 millert 296: environment variable if it is set or the shell as specified
297: in \fIpasswd\fR\|(5).
1.7 millert 298: .Ip "\-H" 4
299: .IX Item "-H"
300: The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
1.1 millert 301: to the homedir of the target user (root by default) as specified
1.7 millert 302: in \fIpasswd\fR\|(5). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR.
303: .Ip "\-P" 4
304: .IX Item "-P"
305: The \fB\-P\fR (\fIpreserve group vector\fR) option causes \fBsudo\fR to preserve
306: the user's group vector unaltered. By default, \fBsudo\fR will initialize
307: the group vector to the list of groups the target user is in.
308: The real and effective group IDs, however, are still set to match
309: the target user.
310: .Ip "\-S" 4
311: .IX Item "-S"
312: The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
1.3 millert 313: standard input instead of the terminal device.
1.7 millert 314: .Ip "\-\-" 4
315: The \fB\--\fR flag indicates that \fBsudo\fR should stop processing command
316: line arguments. It is most useful in conjunction with the \fB\-s\fR flag.
1.1 millert 317: .SH "RETURN VALUES"
1.7 millert 318: .IX Header "RETURN VALUES"
319: Upon successful execution of a program, the return value from \fBsudo\fR
320: will simply be the return value of the program that was executed.
321: .PP
322: Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a
1.1 millert 323: configuration/permission problem or if \fBsudo\fR cannot execute the
324: given command. In the latter case the error string is printed to
325: stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's
1.7 millert 326: \&\f(CW\*(C`PATH\*(C'\fR an error is printed on stderr. (If the directory does not
1.1 millert 327: exist or if it is not really a directory, the entry is ignored and
328: no error is printed.) This should not happen under normal
329: circumstances. The most common reason for \fIstat\fR\|(2) to return
1.7 millert 330: \&\*(L"permission denied\*(R" is if you are running an automounter and one
331: of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is currently
1.1 millert 332: unreachable.
333: .SH "SECURITY NOTES"
1.7 millert 334: .IX Header "SECURITY NOTES"
335: \&\fBsudo\fR tries to be safe when executing external commands. Variables
1.1 millert 336: that control how dynamic loading and binding is done can be used
337: to subvert the program that \fBsudo\fR runs. To combat this the
1.7 millert 338: \&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0
1.1 millert 339: only) environment variables are removed from the environment passed
1.7 millert 340: on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR,
341: \&\f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR,
342: \&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR,
343: \&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and
344: \&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the
345: \&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored.
346: Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the
347: \&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. If \fBsudo\fR has been
348: compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and
349: \&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment
350: variables that \fBsudo\fR clears is contained in the output of
351: \&\f(CW\*(C`sudo \-V\*(C'\fR when run as root.
1.1 millert 352: .PP
1.7 millert 353: To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
1.1 millert 354: current directory) last when searching for a command in the user's
1.7 millert 355: \&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
356: actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
1.1 millert 357: unchanged to the program that \fBsudo\fR executes.
358: .PP
1.7 millert 359: For security reasons, if your \s-1OS\s0 supports shared libraries and does
1.1 millert 360: not disable user-defined library search paths for setuid programs
361: (most do), you should either use a linker option that disables this
362: behavior or link \fBsudo\fR statically.
363: .PP
1.7 millert 364: \&\fBsudo\fR will check the ownership of its timestamp directory
1.3 millert 365: (\fI/var/run/sudo\fR by default) and ignore the directory's contents if
366: it is not owned by root and only writable by root. On systems that
367: allow non-root users to give away files via \fIchown\fR\|(2), if the timestamp
1.6 pjanzen 368: directory is located in a directory writable by anyone (e.g.: \fI/tmp\fR),
1.3 millert 369: it is possible for a user to create the timestamp directory before
1.7 millert 370: \&\fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and
1.3 millert 371: mode of the directory and its contents, the only damage that can
372: be done is to \*(L"hide\*(R" files by putting them in the timestamp dir.
373: This is unlikely to happen since once the timestamp dir is owned
374: by root and inaccessible by any other user the user placing files
375: there would be unable to get them back out. To get around this
376: issue you can use a directory that is not world-writable for the
377: timestamps (\fI/var/adm/sudo\fR for instance) or create \fI/var/run/sudo\fR
378: with the appropriate owner (root) and permissions (0700) in the
379: system startup files.
1.1 millert 380: .PP
1.7 millert 381: \&\fBsudo\fR will not honor timestamps set far in the future.
382: Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
1.1 millert 383: will be ignored and sudo will log and complain. This is done to
384: keep a user from creating his/her own timestamp with a bogus
1.7 millert 385: date on systems that allow users to give away files.
386: .PP
387: Please note that \fBsudo\fR will only log the command it explicitly
388: runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or \f(CW\*(C`sudo sh\*(C'\fR,
389: subsequent commands run from that shell will \fInot\fR be logged, nor
390: will \fBsudo\fR's access control affect them. The same is true for
391: commands that offer shell escapes (including most editors). Because
392: of this, care must be taken when giving users access to commands
393: via \fBsudo\fR to verify that the command does not inadvertently give
394: the user an effective root shell.
1.1 millert 395: .SH "EXAMPLES"
1.7 millert 396: .IX Header "EXAMPLES"
1.1 millert 397: Note: the following examples assume suitable \fIsudoers\fR\|(5) entries.
398: .PP
399: To get a file listing of an unreadable directory:
400: .PP
401: .Vb 1
402: \& % sudo ls /usr/local/protected
403: .Ve
404: To list the home directory of user yazza on a machine where the
405: filesystem holding ~yazza is not exported as root:
406: .PP
407: .Vb 1
408: \& % sudo -u yazza ls ~yazza
409: .Ve
410: To edit the \fIindex.html\fR file as user www:
411: .PP
412: .Vb 1
413: \& % sudo -u www vi ~www/htdocs/index.html
414: .Ve
415: To shut down a machine:
416: .PP
417: .Vb 1
418: \& % sudo shutdown -r +15 "quick reboot"
419: .Ve
420: To make a usage listing of the directories in the /home
421: partition. Note that this runs the commands in a sub-shell
1.7 millert 422: to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
1.1 millert 423: .PP
424: .Vb 1
425: \& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
426: .Ve
427: .SH "ENVIRONMENT"
1.7 millert 428: .IX Header "ENVIRONMENT"
429: \&\fBsudo\fR utilizes the following environment variables:
1.1 millert 430: .PP
431: .Vb 13
432: \& PATH Set to a sane value if SECURE_PATH is set
433: \& SHELL Used to determine shell to run with -s option
434: \& USER Set to the target user (root unless the -u option
435: \& is specified)
436: \& HOME In -s or -H mode (or if sudo was configured with
437: \& the --enable-shell-sets-home option), set to
438: \& homedir of the target user.
439: \& SUDO_PROMPT Used as the default password prompt
440: \& SUDO_COMMAND Set to the command run by sudo
441: \& SUDO_USER Set to the login of the user who invoked sudo
442: \& SUDO_UID Set to the uid of the user who invoked sudo
443: \& SUDO_GID Set to the gid of the user who invoked sudo
444: \& SUDO_PS1 If set, PS1 will be set to its value
445: .Ve
446: .SH "FILES"
1.7 millert 447: .IX Header "FILES"
1.1 millert 448: .Vb 2
449: \& /etc/sudoers List of who can run what
1.3 millert 450: \& /var/run/sudo Directory containing timestamps
1.1 millert 451: .Ve
452: .SH "AUTHORS"
1.7 millert 453: .IX Header "AUTHORS"
454: Many people have worked on \fBsudo\fR over the years; this
1.1 millert 455: version consists of code written primarily by:
456: .PP
457: .Vb 2
458: \& Todd Miller
459: \& Chris Jepeway
460: .Ve
1.7 millert 461: See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
1.8 millert 462: http://www.sudo.ws/sudo/history.html for a short history
1.1 millert 463: of \fBsudo\fR.
464: .SH "BUGS"
1.7 millert 465: .IX Header "BUGS"
1.1 millert 466: If you feel you have found a bug in sudo, please submit a bug report
1.8 millert 467: at http://www.sudo.ws/sudo/bugs/
1.1 millert 468: .SH "DISCLAIMER"
1.7 millert 469: .IX Header "DISCLAIMER"
470: \&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
1.1 millert 471: including, but not limited to, the implied warranties of merchantability
472: and fitness for a particular purpose are disclaimed.
1.7 millert 473: See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details.
1.1 millert 474: .SH "CAVEATS"
1.7 millert 475: .IX Header "CAVEATS"
1.1 millert 476: There is no easy way to prevent a user from gaining a root shell if
477: that user has access to commands allowing shell escapes.
478: .PP
1.7 millert 479: If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating
480: their own program that gives them a root shell regardless of any '!'
1.1 millert 481: elements in the user specification.
482: .PP
483: Running shell scripts via \fBsudo\fR can expose the same kernel bugs
484: that make setuid shell scripts unsafe on some operating systems
1.7 millert 485: (if your \s-1OS\s0 supports the /dev/fd/ directory, setuid shell scripts
1.1 millert 486: are generally safe).
487: .SH "SEE ALSO"
488: .IX Header "SEE ALSO"
1.7 millert 489: \&\fIstat\fR\|(2), \fIlogin_cap\fR\|(3), \fIsudoers\fR\|(5), \fIpasswd\fR\|(5), \fIvisudo\fR\|(8), \fIgrep\fR\|(1), \fIsu\fR\|(1).
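
The environment rules from SECURITY NOTES, written out as a filter. This is an added example, not sudo's own code and not part of the annotated file. The names env_should_drop and env_scrub are hypothetical; "is a pathname" is taken to mean a value starting with '/', the platform-only SHLIB_PATH and LIBPATH are dropped everywhere, and the SecurID variables are left out.

```c
#include <stdio.h>
#include <string.h>

/* Variables removed outright, per SECURITY NOTES. The page limits
 * SHLIB_PATH to HP-UX and LIBPATH to AIX; this sketch drops them on
 * every platform (assumption). */
static const char *const drop_exact[] = {
    "SHLIB_PATH", "LIBPATH", "IFS", "ENV", "BASH_ENV", "KRB_CONF",
    "KRBCONFDIR", "KRBTKFILE", "KRB5_CONFIG", "LOCALDOMAIN", "RES_OPTIONS",
    "HOSTALIASES", "NLSPATH", "PATH_LOCALE", "TERMINFO", "TERMINFO_DIRS",
    "TERMPATH", NULL
};

/* Wildcard families removed outright: LD_* and _RLD_*. */
static const char *const drop_prefix[] = { "LD_", "_RLD_", NULL };

/* Return 1 if the first n bytes of entry are exactly name. */
static int name_is(const char *entry, size_t n, const char *name)
{
    return strlen(name) == n && strncmp(entry, name, n) == 0;
}

/* Decide whether one "NAME=value" entry is withheld from the command.
 * Returns 1 to drop, 0 to keep. An entry with no '=' is treated as a
 * name with an empty value. */
int env_should_drop(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    const char *val = eq ? eq + 1 : "";
    size_t i;

    for (i = 0; drop_prefix[i] != NULL; i++) {
        size_t plen = strlen(drop_prefix[i]);
        if (n >= plen && strncmp(entry, drop_prefix[i], plen) == 0)
            return 1;
    }
    for (i = 0; drop_exact[i] != NULL; i++)
        if (name_is(entry, n, drop_exact[i]))
            return 1;
    /* TERMCAP is dropped only when its value is a pathname
     * (assumed here to mean: starts with '/'). */
    if (name_is(entry, n, "TERMCAP"))
        return val[0] == '/';
    /* LC_* and LANGUAGE are dropped only when the value has '/' or '%'. */
    if ((n >= 3 && strncmp(entry, "LC_", 3) == 0) ||
        name_is(entry, n, "LANGUAGE"))
        return strpbrk(val, "/%") != NULL;
    return 0;
}

/* Compact a NULL-terminated envp in place; returns the entries kept. */
size_t env_scrub(char **envp)
{
    size_t i, kept = 0;

    for (i = 0; envp[i] != NULL; i++)
        if (!env_should_drop(envp[i]))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample environment, not taken from a real system. */
    char *env[] = { "LD_PRELOAD=/tmp/x.so", "HOME=/root", "IFS=:",
                    "LC_ALL=../../x", "LC_CTYPE=C", "TERMCAP=/tmp/tc",
                    "PATH=/usr/bin:.", NULL };
    size_t i, kept = env_scrub(env);

    for (i = 0; i < kept; i++)
        printf("kept: %s\n", env[i]);
    return 0;
}
```

PATH survives the filter, which matches the page: the command search treats "." specially, but the variable itself is passed through unchanged.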