version 1.10, 2008/11/14 11:58:08

Copyright (c) 1994-1996, 1998-2005, 2007-2008
Todd C. Miller <Todd.Miller@courtesan.com>

Permission to use, copy, modify, and distribute this software for any

Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.

$Sudo: sudo.pod,v 1.119 2008/11/09 14:13:12 millert Exp $
=pod

=head1 NAME

=head1 SYNOPSIS

B<sudo> [B<-n>] B<-h> | B<-K> | B<-k> | B<-L> | B<-V> | B<-v>

B<sudo> B<-l[l]> [B<-AnS>] S<[B<-g> I<groupname>|I<#gid>]> S<[B<-U> I<username>]>
S<[B<-u> I<username>|I<#uid>]> [I<command>]

B<sudo> [B<-AbEHnPS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<username>|I<#uid>]>
S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]

B<sudoedit> [B<-AnS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<username>|I<#uid>]> file ...

=head1 DESCRIPTION

B<sudo> accepts the following command line options:

=over 12

=item -A

Normally, if B<sudo> requires a password, it will read it from the
current terminal. If the B<-A> (I<askpass>) option is specified,
a helper program is executed to read the user's password and output
the password to the standard output. If the C<SUDO_ASKPASS>
environment variable is set, it specifies the path to the helper
program. Otherwise, the value specified by the I<askpass> option
in L<sudoers(5)> is used.

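A helper of the kind B<-A> expects, as an added example that is neither sudo's code nor part of this manual: a POSIX shell script that can be named in C<SUDO_ASKPASS>. It reads the password from a file and refuses to hand over a secret whose file is readable by group or world. The C<ASKPASS_SECRET_FILE> variable and its default path are assumptions of this example, not sudo settings; that sudo passes the prompt text as the helper's first argument is sudo's behaviour as documented elsewhere, not something this page states.

```sh
#!/bin/sh
# Added example, not part of sudo: a SUDO_ASKPASS helper. sudo runs the
# helper as the invoking user and takes whatever it writes to stdout as
# the password. The secret comes from ASKPASS_SECRET_FILE (an assumed
# name, not a sudo variable); a file that is not a regular file with
# owner-only permissions is refused rather than silently handed to sudo.

: "${ASKPASS_SECRET_FILE:=$HOME/.config/sudo-askpass.secret}"

# secret_file_ok FILE: 0 if FILE is a regular file whose mode string is
# -???------ (no group/other bits); 1 otherwise, with a note on stderr.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "askpass: $f: not a regular file" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        -???------) return 0 ;;
        *) echo "askpass: $f: mode $mode is readable by others, refusing" >&2
           return 1 ;;
    esac
}

# emit_password FILE: print the first line of FILE (the password) on stdout.
# Returns 1 and prints nothing if FILE fails the check above or is empty.
emit_password() {
    secret_file_ok "$1" || return 1
    pw=
    IFS= read -r pw < "$1" || [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# sudo invokes the helper with the prompt as $1; when run that way, act as
# the helper. With no arguments (e.g. sourced for testing) print nothing.
if [ $# -gt 0 ]; then
    emit_password "$ASKPASS_SECRET_FILE"
fi
```

Point C<SUDO_ASKPASS> at this script (or set I<askpass> in I<sudoers>) and run B<sudo -A>. A secret file is only ever as safe as its permissions, which is why the check precedes the output; for unattended jobs a C<NOPASSWD> rule in I<sudoers> combined with B<-n> avoids storing a password at all.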
=item -a I<type>

The B<-a> (I<authentication type>) option causes B<sudo> to use the
specified authentication type when validating the user, as allowed
by F</etc/login.conf>. The system administrator may specify a list

command in the background. Note that if you use the B<-b>
option you cannot use shell job control to manipulate the process.

=item -C I<fd>

Normally, B<sudo> will close all open file descriptors other than
standard input, standard output and standard error. The B<-C>
(I<close from>) option allows the user to specify a starting point
above the standard error (file descriptor three). Values less than
three are not permitted. This option is only available if the
administrator has enabled the I<closefrom_override> option in
L<sudoers(5)>.

=item -c I<class>

The B<-c> (I<class>) option causes B<sudo> to run the specified command
with resources limited by the specified login class. The I<class>
argument can be either a class name as defined in F</etc/login.conf>,
or a single '-' character. Specifying a I<class> of C<-> indicates
that the command should be run restricted by the default login
capabilities for the user the command is run as. If the I<class>

=item 2.

The editor specified by the C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR>
environment variables is run to edit the temporary files. If none
of C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR> are set, the first program
listed in the I<editor> I<sudoers> variable is used.

=item 3.

user will receive a warning and the edited copy will remain in a
temporary file.

=item -g I<group>

Normally, B<sudo> sets the primary group to the one specified by
the passwd database for the user the command is being run as (by
default, root). The B<-g> (I<group>) option causes B<sudo> to run
the specified command with the primary group set to I<group>. To
specify a I<gid> instead of a I<group name>, use I<#gid>. When
running commands as a I<gid>, many shells require that the '#' be
escaped with a backslash ('\'). If no B<-u> option is specified,
the command will be run as the invoking user (not root). In either
case, the primary group will be set to I<group>.

=item -H

The B<-H> (I<HOME>) option sets the C<HOME> environment variable

The B<-h> (I<help>) option causes B<sudo> to print a usage message and exit.

=item -i [command]

The B<-i> (I<simulate initial login>) option runs the shell specified
in the L<passwd(5)> entry of the target user as a login shell. This
means that login-specific resource files such as C<.profile> or
C<.login> will be read by the shell. If a command is specified,
it is passed to the shell for execution. Otherwise, an interactive
shell is executed. B<sudo> attempts to change to that user's home
directory before running the shell. It also initializes the
environment, leaving I<DISPLAY> and I<TERM> unchanged, setting
I<HOME>, I<SHELL>, I<USER>, I<LOGNAME>, and I<PATH>, as well as
the contents of F</etc/environment> on Linux and AIX systems.
All other environment variables are removed.

</gr_insert_placeholder_never_emitted>
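The environment initialization described above, as an added example that is not sudo's code: a POSIX shell emulation of what B<-i> hands to the target user's login shell. It keeps I<DISPLAY> and I<TERM>, sets I<HOME>, I<SHELL>, I<USER>, I<LOGNAME> and I<PATH> from the passwd entry and drops everything else the caller exported. It changes no uid, does not merge F</etc/environment>, and C<SAFE_PATH> plus the helper names are assumptions of this example (the real value comes from I<sudoers>).

```sh
#!/bin/sh
# Added example, not sudo's code: emulate the environment "sudo -i" builds.
# DISPLAY and TERM survive; HOME, SHELL, USER, LOGNAME and PATH are set from
# /etc/passwd; everything else the caller exported (LD_PRELOAD, a hostile
# PATH, PS4, ...) is discarded. SAFE_PATH is an assumed value, sudoers'
# secure_path decides the real one. No privileges are changed here.

SAFE_PATH=/usr/bin:/bin:/usr/sbin:/sbin

# passwd_field USER N: print field N of USER's /etc/passwd line (6=home, 7=shell)
passwd_field() {
    awk -F: -v u="$1" -v f="$2" '$1 == u { print $f; exit }' /etc/passwd
}

# login_env USER: print the sanitized environment, one NAME=value per line.
# Returns 1 if USER has no passwd entry.
login_env() {
    _home=$(passwd_field "$1" 6)
    [ -n "$_home" ] || return 1
    printf '%s\n' "HOME=$_home" "SHELL=$(passwd_field "$1" 7)" \
        "USER=$1" "LOGNAME=$1" "PATH=$SAFE_PATH"
    [ -n "$DISPLAY" ] && printf 'DISPLAY=%s\n' "$DISPLAY"
    [ -n "$TERM" ] && printf 'TERM=%s\n' "$TERM"
    return 0
}

# login_exec USER CMD...: run CMD from USER's home directory with exactly
# that environment; env -i throws away the caller's exports first.
login_exec() {
    _user=$1; shift
    _home=$(passwd_field "$_user" 6)
    [ -n "$_home" ] || return 1
    set -- HOME="$_home" SHELL="$(passwd_field "$_user" 7)" \
        USER="$_user" LOGNAME="$_user" PATH="$SAFE_PATH" "$@"
    [ -n "$DISPLAY" ] && set -- DISPLAY="$DISPLAY" "$@"
    [ -n "$TERM" ] && set -- TERM="$TERM" "$@"
    # sudo only attempts the chdir; carry on if the directory is not accessible
    ( cd "$_home" 2>/dev/null || :; env -i "$@" )
}
```

Running C<login_env root> in a shell that has, say, C<LD_PRELOAD> exported shows that the variable is simply absent from the result; C<login_exec root env> shows the same from the child's point of view. This is the property that makes B<-i> the safer form for an interactive root shell: a caller-controlled environment cannot follow the privilege change.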
=item -K

that may be set in a I<Defaults> line along with a short description
for each. This option is useful in conjunction with L<grep(1)>.

=item -l[l] [I<command>]

If no I<command> is specified, the B<-l> (I<list>) option will list
the allowed (and forbidden) commands for the invoking user (or the
user specified by the B<-U> option) on the current host. If a
I<command> is specified and is permitted by I<sudoers>, the
fully-qualified path to the command is displayed along with any
command line arguments. If I<command> is specified but not allowed,
B<sudo> will exit with a return value of 1. If the B<-l> flag is
specified with an B<l> argument (i.e. B<-ll>), or if B<-l>
is specified multiple times, a longer list format is used.

=item -n

The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
the user for a password. If a password is required for the command
to run, B<sudo> will display an error message and exit.

=item -P

The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to

target user is in. The real and effective group IDs, however, are
still set to match the target user.

=item -p I<prompt>

The B<-p> (I<prompt>) option allows you to override the default
password prompt and use a custom one. The following percent (`C<%>')

=back

The prompt specified by the B<-p> option will override the system
password prompt on systems that support PAM unless the
I<passprompt_override> flag is disabled in I<sudoers>.

=item -S

The B<-S> (I<stdin>) option causes B<sudo> to read the password from
the standard input instead of the terminal device.

=item -s [command]

The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
environment variable if it is set or the shell as specified in
L<passwd(5)>. If a command is specified, it is passed to the shell
for execution. Otherwise, an interactive shell is executed.

=item -U I<user>

The B<-U> (I<other user>) option is used in conjunction with the B<-l>
option to specify the user whose privileges should be listed. Only
root or a user with B<sudo> C<ALL> on the current host may use this
option.

=item -u I<user>

The B<-u> (I<user>) option causes B<sudo> to run the specified
command as a user other than I<root>. To specify a I<uid> instead
of a I<user name>, use I<#uid>. When running commands as a I<uid>,
many shells require that the '#' be escaped with a backslash ('\').
Note that if the I<targetpw> Defaults option is set (see L<sudoers(5)>)
it is not possible to run commands with a uid not listed in the

=item C<EDITOR>

Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
nor C<VISUAL> is set

=item C<HOME>

Used to determine shell to run with C<-s> option

=item C<SUDO_ASKPASS>

Specifies the path to a helper program used to read the password
if no terminal is available or if the C<-A> option is specified.

=item C<SUDO_COMMAND>

Set to the command run by sudo

=item C<SUDO_EDITOR>

Default editor to use in B<-e> (sudoedit) mode

=item C<SUDO_GID>

Set to the group ID of the user who invoked sudo

=item C<SUDO_PROMPT>

Used as the default password prompt

=item C<SUDO_PS1>

If set, C<PS1> will be set to its value for the program being run

=item C<SUDO_UID>

Set to the user ID of the user who invoked sudo

=item C<SUDO_USER>

Set to the login of the user who invoked sudo

=item C<USER>

Set to the target user (root unless the B<-u> option is specified)

=item C<VISUAL>

Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
is not set

=back

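Two of the behaviours documented above, as an added example that is not sudo's code: the editor lookup order of sudoedit step 2 (and the C<EDITOR>, C<SUDO_EDITOR> and C<VISUAL> entries), and an audit line built from the C<SUDO_USER>, C<SUDO_UID>, C<SUDO_GID>, C<SUDO_COMMAND> and C<USER> variables for scripts that are run through sudo. The I<sudoers> I<editor> value is passed in as a colon-separated string, which is an assumption about its format; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not sudo's code. Two helpers for scripts run under sudo.

# sudoedit_editor SUDOERS_EDITOR_LIST: print the editor sudoedit would run:
# SUDO_EDITOR, then VISUAL, then EDITOR, then the first program in the
# sudoers "editor" list (given here as a colon-separated string, an
# assumption about the format). Mirrors step 2 above; it does not read sudoers.
sudoedit_editor() {
    if [ -n "$SUDO_EDITOR" ]; then printf '%s\n' "$SUDO_EDITOR"
    elif [ -n "$VISUAL" ]; then printf '%s\n' "$VISUAL"
    elif [ -n "$EDITOR" ]; then printf '%s\n' "$EDITOR"
    else printf '%s\n' "${1%%:*}"
    fi
}

# sudo_invoker: print "real_user(uid/gid) as target_user: command" for an
# audit log. Returns 1 when SUDO_USER is unset, i.e. the script was not
# started by sudo, so a caller does not attribute the action to the wrong
# principal. These variables are inherited environment: anyone can set
# them by hand, so they are for attribution in logs, never for authorization.
sudo_invoker() {
    [ -n "$SUDO_USER" ] || return 1
    printf '%s(%s/%s) as %s: %s\n' "$SUDO_USER" "${SUDO_UID:-?}" \
        "${SUDO_GID:-?}" "${USER:-root}" "${SUDO_COMMAND:-?}"
}
```

A maintenance script started with C<sudo /usr/local/sbin/rotate-keys> can write C<sudo_invoker> output to its log so that the entry names the person who ran it rather than C<root>; a script that needs to know whether it was really elevated should check its effective uid, not these variables.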

Directory containing timestamps

=item F</etc/environment>

Initial environment for B<-i> mode on Linux and AIX

=back

=head1 EXAMPLES

version consists of code written primarily by:

 Todd C. Miller

See the HISTORY file in the B<sudo> distribution or visit
http://www.sudo.ws/sudo/history.html for a short history