Annotation of src/usr.bin/sudo/sudo.pod, Revision 1.14
1.13 millert 1: Copyright (c) 1994-1996, 1998-2005, 2007-2009
1.6 millert 2: Todd C. Miller <Todd.Miller@courtesan.com>
1.1 millert 3:
4: Permission to use, copy, modify, and distribute this software for any
5: purpose with or without fee is hereby granted, provided that the above
6: copyright notice and this permission notice appear in all copies.
7:
8: THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
16:
17: Sponsored in part by the Defense Advanced Research Projects
18: Agency (DARPA) and Air Force Research Laboratory, Air Force
19: Materiel Command, USAF, under agreement number F39502-99-1-0512.
20:
1.14 ! millert 21: $Sudo: sudo.pod,v 1.125 2009/09/25 00:31:35 millert Exp $
1.1 millert 22: =pod
23:
24: =head1 NAME
25:
26: sudo, sudoedit - execute a command as another user
27:
28: =head1 SYNOPSIS
29:
1.12 millert 30: B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V>
1.1 millert 31:
1.12 millert 32: B<sudo> B<-v> [B<-AknS>]
33: S<[B<-a> I<auth_type>]>
34: S<[B<-p> I<prompt>]>
35:
36: B<sudo> B<-l[l]> [B<-AknS>]
37: S<[B<-a> I<auth_type>]>
38: S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
39: S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> [I<command>]
1.10 millert 40:
41: B<sudo> [B<-AbEHnPS>]
1.9 millert 42: S<[B<-a> I<auth_type>]>
1.10 millert 43: S<[B<-C> I<fd>]>
1.9 millert 44: S<[B<-c> I<class>|I<->]>
1.10 millert 45: S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
1.9 millert 46: S<[B<-u> I<username>|I<#uid>]>
1.10 millert 47: S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
1.1 millert 48:
1.10 millert 49: B<sudoedit> [B<-AnS>]
1.9 millert 50: S<[B<-a> I<auth_type>]>
1.10 millert 51: S<[B<-C> I<fd>]>
1.9 millert 52: S<[B<-c> I<class>|I<->]>
1.10 millert 53: S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
54: S<[B<-u> I<username>|I<#uid>]> file ...
1.1 millert 55:
56: =head1 DESCRIPTION
57:
58: B<sudo> allows a permitted user to execute a I<command> as the
59: superuser or another user, as specified in the I<sudoers> file.
60: The real and effective uid and gid are set to match those of the
61: target user as specified in the passwd file and the group vector
62: is initialized based on the group file (unless the B<-P> option was
63: specified). If the invoking user is root or if the target user is
64: the same as the invoking user, no password is required. Otherwise,
65: B<sudo> requires that users authenticate themselves with a password
66: by default (NOTE: in the default configuration this is the user's
67: password, not the root password). Once a user has been authenticated,
68: a timestamp is updated and the user may then use sudo without a
69: password for a short period of time (C<@timeout@> minutes unless
70: overridden in I<sudoers>).
71:
72: When invoked as B<sudoedit>, the B<-e> option (described below),
73: is implied.
74:
75: B<sudo> determines who is an authorized user by consulting the file
1.11 millert 76: F<@sysconfdir@/sudoers>. By running B<sudo> with the B<-v> option,
77: a user can update the time stamp without running a I<command>. The
78: password prompt itself will also time out if the user's password
79: is not entered within C<@password_timeout@> minutes (unless overridden
80: via I<sudoers>).
1.1 millert 81:
82: If a user who is not listed in the I<sudoers> file tries to run a
83: command via B<sudo>, mail is sent to the proper authorities, as
84: defined at configure time or in the I<sudoers> file (defaults to
85: C<@mailto@>). Note that the mail will not be sent if an unauthorized
1.11 millert 86: user tries to run sudo with the B<-l> or B<-v> option. This allows
1.1 millert 87: users to determine for themselves whether or not they are allowed
88: to use B<sudo>.
89:
90: If B<sudo> is run by root and the C<SUDO_USER> environment variable
91: is set, B<sudo> will use this value to determine who the actual
92: user is. This can be used by a user to log commands through sudo
93: even when a root shell has been invoked. It also allows the B<-e>
1.11 millert 94: option to remain useful even when being run via a sudo-run script or
1.1 millert 95: program. Note however, that the sudoers lookup is still done for
96: root, not the user specified by C<SUDO_USER>.
97:
98: B<sudo> can log both successful and unsuccessful attempts (as well
99: as errors) to syslog(3), a log file, or both. By default B<sudo>
100: will log via syslog(3) but this is changeable at configure time
101: or via the I<sudoers> file.
102:
103: =head1 OPTIONS
104:
105: B<sudo> accepts the following command line options:
106:
1.10 millert 107: =over 12
108:
109: =item -A
110:
111: Normally, if B<sudo> requires a password, it will read it from the
112: current terminal. If the B<-A> (I<askpass>) option is specified,
1.12 millert 113: a (possibly graphical) helper program is executed to read the
114: user's password and output the password to the standard output. If
115: the C<SUDO_ASKPASS> environment variable is set, it specifies the
116: path to the helper program. Otherwise, the value specified by the
117: I<askpass> option in L<sudoers(5)> is used.
1.1 millert 118:
1.10 millert 119: =item -a I<type>
1.1 millert 120:
121: The B<-a> (I<authentication type>) option causes B<sudo> to use the
122: specified authentication type when validating the user, as allowed
1.6 millert 123: by F</etc/login.conf>. The system administrator may specify a list
1.1 millert 124: of sudo-specific authentication methods by adding an "auth-sudo"
1.6 millert 125: entry in F</etc/login.conf>. This option is only available on systems
1.1 millert 126: that support BSD authentication.
127:
128: =item -b
129:
130: The B<-b> (I<background>) option tells B<sudo> to run the given
131: command in the background. Note that if you use the B<-b>
132: option you cannot use shell job control to manipulate the process.
133:
1.10 millert 134: =item -C I<fd>
135:
136: Normally, B<sudo> will close all open file descriptors other than
137: standard input, standard output and standard error. The B<-C>
138: (I<close from>) option allows the user to specify a starting point
139: above the standard error (file descriptor three). Values less than
140: three are not permitted. This option is only available if the
141: administrator has enabled the I<closefrom_override> option in
142: L<sudoers(5)>.
143:
144: =item -c I<class>
1.1 millert 145:
146: The B<-c> (I<class>) option causes B<sudo> to run the specified command
147: with resources limited by the specified login class. The I<class>
1.10 millert 148: argument can be either a class name as defined in F</etc/login.conf>,
1.1 millert 149: or a single '-' character. Specifying a I<class> of C<-> indicates
150: that the command should be run restricted by the default login
151: capabilities for the user the command is run as. If the I<class>
152: argument specifies an existing user class, the command must be run
153: as root, or the B<sudo> command must be run from a shell that is already
154: root. This option is only available on systems with BSD login classes.
155:
156: =item -E
157:
1.6 millert 158: The B<-E> (I<preserve> I<environment>) option will override the
1.1 millert 159: I<env_reset> option in L<sudoers(5)>). It is only
160: available when either the matching command has the C<SETENV> tag
161: or the I<setenv> option is set in L<sudoers(5)>.
162:
163: =item -e
164:
165: The B<-e> (I<edit>) option indicates that, instead of running
166: a command, the user wishes to edit one or more files. In lieu
167: of a command, the string "sudoedit" is used when consulting
168: the I<sudoers> file. If the user is authorized by I<sudoers>
169: the following steps are taken:
170:
1.6 millert 171: =over 4
1.1 millert 172:
173: =item 1.
174:
175: Temporary copies are made of the files to be edited with the owner
176: set to the invoking user.
177:
178: =item 2.
179:
1.10 millert 180: The editor specified by the C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR>
181: environment variables is run to edit the temporary files. If none
182: of C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR> are set, the first program
183: listed in the I<editor> I<sudoers> variable is used.
1.1 millert 184:
185: =item 3.
186:
187: If they have been modified, the temporary files are copied back to
188: their original location and the temporary versions are removed.
189:
190: =back
191:
192: If the specified file does not exist, it will be created. Note
193: that unlike most commands run by B<sudo>, the editor is run with
194: the invoking user's environment unmodified. If, for some reason,
195: B<sudo> is unable to update a file with its edited version, the
196: user will receive a warning and the edited copy will remain in a
197: temporary file.
198:
1.10 millert 199: =item -g I<group>
200:
201: Normally, B<sudo> sets the primary group to the one specified by
202: the passwd database for the user the command is being run as (by
203: default, root). The B<-g> (I<group>) option causes B<sudo> to run
204: the specified command with the primary group set to I<group>. To
205: specify a I<gid> instead of a I<group name>, use I<#gid>. When
206: running commands as a I<gid>, many shells require that the '#' be
207: escaped with a backslash ('\'). If no B<-u> option is specified,
208: the command will be run as the invoking user (not root). In either
209: case, the primary group will be set to I<group>.
210:
1.1 millert 211: =item -H
212:
213: The B<-H> (I<HOME>) option sets the C<HOME> environment variable
214: to the homedir of the target user (root by default) as specified
215: in passwd(5). By default, B<sudo> does not modify C<HOME>
216: (see I<set_home> and I<always_set_home> in L<sudoers(5)>).
217:
218: =item -h
219:
220: The B<-h> (I<help>) option causes B<sudo> to print a usage message and exit.
221:
1.10 millert 222: =item -i [command]
1.1 millert 223:
224: The B<-i> (I<simulate initial login>) option runs the shell specified
1.10 millert 225: in the L<passwd(5)> entry of the target user as a login shell. This
226: means that login-specific resource files such as C<.profile> or
227: C<.login> will be read by the shell. If a command is specified,
228: it is passed to the shell for execution. Otherwise, an interactive
229: shell is executed. B<sudo> attempts to change to that user's home
230: directory before running the shell. It also initializes the
231: environment, leaving I<DISPLAY> and I<TERM> unchanged, setting
232: I<HOME>, I<SHELL>, I<USER>, I<LOGNAME>, and I<PATH>, as well as
233: the contents of F</etc/environment> on Linux and AIX systems.
234: All other environment variables are removed.
1.1 millert 235:
236: =item -K
237:
238: The B<-K> (sure I<kill>) option is like B<-k> except that it removes
1.12 millert 239: the user's timestamp entirely and may not be used in conjunction
240: with a command or other option. This option does not require a
241: password.
1.1 millert 242:
243: =item -k
244:
1.12 millert 245: When used by itself, the B<-k> (I<kill>) option to B<sudo> invalidates
246: the user's timestamp by setting the time on it to the Epoch. The
247: next time B<sudo> is run a password will be required. This option
248: does not require a password and was added to allow a user to revoke
249: B<sudo> permissions from a .logout file.
250:
251: When used in conjunction with a command or an option that may require
252: a password, the B<-k> option will cause B<sudo> to ignore the user's
253: timestamp file. As a result, B<sudo> will prompt for a password
254: (if one is required by I<sudoers>) and will not update the user's
255: timestamp file.
1.1 millert 256:
257: =item -L
258:
259: The B<-L> (I<list> defaults) option will list out the parameters
260: that may be set in a I<Defaults> line along with a short description
261: for each. This option is useful in conjunction with L<grep(1)>.
262:
1.10 millert 263: =item -l[l] [I<command>]
1.1 millert 264:
1.10 millert 265: If no I<command> is specified, the B<-l> (I<list>) option will list
266: the allowed (and forbidden) commands for the invoking user (or the
267: user specified by the B<-U> option) on the current host. If a
268: I<command> is specified and is permitted by I<sudoers>, the
269: fully-qualified path to the command is displayed along with any
270: command line arguments. If I<command> is specified but not allowed,
1.11 millert 271: B<sudo> will exit with a status value of 1. If the B<-l> option is
1.10 millert 272: specified with an B<l> argument (i.e. B<-ll>), or if B<-l>
273: is specified multiple times, a longer list format is used.
274:
275: =item -n
276:
277: The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
278: the user for a password. If a password is required for the command
279: to run, B<sudo> will display an error messages and exit.
1.1 millert 280:
281: =item -P
282:
1.6 millert 283: The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to
1.1 millert 284: preserve the invoking user's group vector unaltered. By default,
285: B<sudo> will initialize the group vector to the list of groups the
286: target user is in. The real and effective group IDs, however, are
287: still set to match the target user.
288:
1.10 millert 289: =item -p I<prompt>
1.1 millert 290:
291: The B<-p> (I<prompt>) option allows you to override the default
292: password prompt and use a custom one. The following percent (`C<%>')
293: escapes are supported:
294:
1.6 millert 295: =over 4
1.1 millert 296:
297: =item C<%H>
298:
299: expanded to the local hostname including the domain name
300: (on if the machine's hostname is fully qualified or the I<fqdn>
301: I<sudoers> option is set)
302:
303: =item C<%h>
304:
305: expanded to the local hostname without the domain name
1.8 millert 306:
307: =item C<%p>
308:
309: expanded to the user whose password is being asked for (respects the
310: I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
1.1 millert 311:
312: =item C<%U>
313:
314: expanded to the login name of the user the command will
315: be run as (defaults to root)
316:
317: =item C<%u>
318:
319: expanded to the invoking user's login name
320:
321: =item C<%%>
322:
323: two consecutive C<%> characters are collapsed into a single C<%> character
324:
325: =back
326:
1.10 millert 327: The prompt specified by the B<-p> option will override the system
328: password prompt on systems that support PAM unless the
329: I<passprompt_override> flag is disabled in I<sudoers>.
330:
1.1 millert 331: =item -S
332:
333: The B<-S> (I<stdin>) option causes B<sudo> to read the password from
1.14 ! millert 334: the standard input instead of the terminal device. The password must
! 335: be followed by a newline character.
1.1 millert 336:
1.10 millert 337: =item -s [command]
1.1 millert 338:
339: The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
1.10 millert 340: environment variable if it is set or the shell as specified in
341: L<passwd(5)>. If a command is specified, it is passed to the shell
342: for execution. Otherwise, an interactive shell is executed.
343:
344: =item -U I<user>
345:
346: The B<-U> (I<other user>) option is used in conjunction with the B<-l>
347: option to specify the user whose privileges should be listed. Only
348: root or a user with B<sudo> C<ALL> on the current host may use this
349: option.
1.1 millert 350:
1.10 millert 351: =item -u I<user>
1.1 millert 352:
1.6 millert 353: The B<-u> (I<user>) option causes B<sudo> to run the specified
354: command as a user other than I<root>. To specify a I<uid> instead
1.10 millert 355: of a I<user name>, use I<#uid>. When running commands as a I<uid>,
1.6 millert 356: many shells require that the '#' be escaped with a backslash ('\').
357: Note that if the I<targetpw> Defaults option is set (see L<sudoers(5)>)
358: it is not possible to run commands with a uid not listed in the
359: password database.
1.1 millert 360:
361: =item -V
362:
363: The B<-V> (I<version>) option causes B<sudo> to print the version
364: number and exit. If the invoking user is already root the B<-V>
365: option will print out a list of the defaults B<sudo> was compiled
366: with as well as the machine's local network addresses.
367:
368: =item -v
369:
370: If given the B<-v> (I<validate>) option, B<sudo> will update the
371: user's timestamp, prompting for the user's password if necessary.
372: This extends the B<sudo> timeout for another C<@timeout@> minutes
373: (or whatever the timeout is set to in I<sudoers>) but does not run
374: a command.
375:
376: =item --
377:
1.11 millert 378: The B<--> option indicates that B<sudo> should stop processing command
379: line arguments. It is most useful in conjunction with the B<-s> option.
1.1 millert 380:
381: =back
382:
383: Environment variables to be set for the command may also be passed
384: on the command line in the form of B<VAR>=I<value>, e.g.
385: B<LD_LIBRARY_PATH>=I</usr/local/pkg/lib>. Variables passed on the
386: command line are subject to the same restrictions as normal environment
387: variables with one important exception. If the I<setenv> option
1.7 millert 388: is set in I<sudoers>, the command to be run has the C<SETENV> tag
389: set or the command matched is C<ALL>, the user may set variables
390: that would overwise be forbidden. See L<sudoers(5)> for more information.
1.1 millert 391:
392: =head1 RETURN VALUES
393:
1.11 millert 394: Upon successful execution of a program, the exit status from B<sudo>
395: will simply be the exit status of the program that was executed.
1.1 millert 396:
397: Otherwise, B<sudo> quits with an exit value of 1 if there is a
398: configuration/permission problem or if B<sudo> cannot execute the
399: given command. In the latter case the error string is printed to
400: stderr. If B<sudo> cannot L<stat(2)> one or more entries in the user's
401: C<PATH> an error is printed on stderr. (If the directory does not
402: exist or if it is not really a directory, the entry is ignored and
403: no error is printed.) This should not happen under normal
404: circumstances. The most common reason for L<stat(2)> to return
405: "permission denied" is if you are running an automounter and one
406: of the directories in your C<PATH> is on a machine that is currently
407: unreachable.
408:
409: =head1 SECURITY NOTES
410:
411: B<sudo> tries to be safe when executing external commands.
412:
413: There are two distinct ways to deal with environment variables.
414: By default, the I<env_reset> I<sudoers> option is enabled.
415: This causes commands to be executed with a minimal environment
416: containing C<TERM>, C<PATH>, C<HOME>, C<SHELL>, C<LOGNAME>, C<USER>
417: and C<USERNAME> in addition to variables from the invoking process
418: permitted by the I<env_check> and I<env_keep> I<sudoers> options.
419: There is effectively a whitelist for environment variables.
420:
421: If, however, the I<env_reset> option is disabled in I<sudoers>, any
422: variables not explicitly denied by the I<env_check> and I<env_delete>
423: options are inherited from the invoking process. In this case,
424: I<env_check> and I<env_delete> behave like a blacklist. Since it
425: is not possible to blacklist all potentially dangerous environment
426: variables, use of the default I<env_reset> behavior is encouraged.
427:
428: In all cases, environment variables with a value beginning with
429: C<()> are removed as they could be interpreted as B<bash> functions.
430: The list of environment variables that B<sudo> allows or denies is
431: contained in the output of C<sudo -V> when run as root.
432:
433: Note that the dynamic linker on most operating systems will remove
434: variables that can control dynamic linking from the environment of
435: setuid executables, including B<sudo>. Depending on the operating
436: system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
437: C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
438: removed from the environment before B<sudo> even begins execution
439: and, as such, it is not possible for B<sudo> to preserve them.
440:
441: To prevent command spoofing, B<sudo> checks "." and "" (both denoting
442: current directory) last when searching for a command in the user's
443: PATH (if one or both are in the PATH). Note, however, that the
444: actual C<PATH> environment variable is I<not> modified and is passed
445: unchanged to the program that B<sudo> executes.
446:
447: B<sudo> will check the ownership of its timestamp directory
448: (F<@timedir@> by default) and ignore the directory's contents if
449: it is not owned by root or if it is writable by a user other than
450: root. On systems that allow non-root users to give away files via
451: L<chown(2)>, if the timestamp directory is located in a directory
452: writable by anyone (e.g., F</tmp>), it is possible for a user to
453: create the timestamp directory before B<sudo> is run. However,
454: because B<sudo> checks the ownership and mode of the directory and
455: its contents, the only damage that can be done is to "hide" files
456: by putting them in the timestamp dir. This is unlikely to happen
457: since once the timestamp dir is owned by root and inaccessible by
458: any other user, the user placing files there would be unable to get
459: them back out. To get around this issue you can use a directory
460: that is not world-writable for the timestamps (F</var/adm/sudo> for
461: instance) or create F<@timedir@> with the appropriate owner (root)
462: and permissions (0700) in the system startup files.
463:
464: B<sudo> will not honor timestamps set far in the future.
465: Timestamps with a date greater than current_time + 2 * C<TIMEOUT>
466: will be ignored and sudo will log and complain. This is done to
467: keep a user from creating his/her own timestamp with a bogus
468: date on systems that allow users to give away files.
469:
470: Please note that B<sudo> will normally only log the command it
471: explicitly runs. If a user runs a command such as C<sudo su> or
472: C<sudo sh>, subsequent commands run from that shell will I<not> be
473: logged, nor will B<sudo>'s access control affect them. The same
474: is true for commands that offer shell escapes (including most
475: editors). Because of this, care must be taken when giving users
476: access to commands via B<sudo> to verify that the command does not
477: inadvertently give the user an effective root shell. For more
478: information, please see the C<PREVENTING SHELL ESCAPES> section in
479: L<sudoers(5)>.
480:
481: =head1 ENVIRONMENT
482:
483: B<sudo> utilizes the following environment variables:
484:
1.6 millert 485: =over 16
486:
487: =item C<EDITOR>
488:
1.10 millert 489: Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
490: nor C<VISUAL> is set
1.6 millert 491:
492: =item C<HOME>
493:
494: In B<-s> or B<-H> mode (or if sudo was configured with the
495: --enable-shell-sets-home option), set to homedir of the target user
496:
497: =item C<PATH>
498:
499: Set to a sane value if the I<secure_path> sudoers option is set.
500:
501: =item C<SHELL>
1.1 millert 502:
1.6 millert 503: Used to determine shell to run with C<-s> option
1.1 millert 504:
1.10 millert 505: =item C<SUDO_ASKPASS>
1.1 millert 506:
1.10 millert 507: Specifies the path to a helper program used to read the password
508: if no terminal is available or if the C<-A> option is specified.
1.1 millert 509:
1.6 millert 510: =item C<SUDO_COMMAND>
1.1 millert 511:
1.6 millert 512: Set to the command run by sudo
1.1 millert 513:
1.10 millert 514: =item C<SUDO_EDITOR>
1.1 millert 515:
1.10 millert 516: Default editor to use in B<-e> (sudoedit) mode
1.1 millert 517:
1.10 millert 518: =item C<SUDO_GID>
1.1 millert 519:
1.10 millert 520: Set to the group ID of the user who invoked sudo
1.1 millert 521:
1.10 millert 522: =item C<SUDO_PROMPT>
1.1 millert 523:
1.10 millert 524: Used as the default password prompt
1.6 millert 525:
526: =item C<SUDO_PS1>
527:
1.10 millert 528: If set, C<PS1> will be set to its value for the program being run
529:
530: =item C<SUDO_UID>
531:
532: Set to the user ID of the user who invoked sudo
533:
534: =item C<SUDO_USER>
535:
536: Set to the login of the user who invoked sudo
1.6 millert 537:
538: =item C<USER>
539:
540: Set to the target user (root unless the B<-u> option is specified)
541:
542: =item C<VISUAL>
543:
1.10 millert 544: Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
545: is not set
1.6 millert 546:
547: =back
1.1 millert 548:
549: =head1 FILES
550:
1.9 millert 551: =over 24
552:
553: =item F<@sysconfdir@/sudoers>
554:
555: List of who can run what
1.5 millert 556:
1.9 millert 557: =item F<@timedir@>
1.4 millert 558:
1.9 millert 559: Directory containing timestamps
1.5 millert 560:
1.10 millert 561: =item F</etc/environment>
562:
563: Initial environment for B<-i> mode on Linux and AIX
564:
1.5 millert 565: =back
1.1 millert 566:
567: =head1 EXAMPLES
568:
569: Note: the following examples assume suitable L<sudoers(5)> entries.
570:
571: To get a file listing of an unreadable directory:
572:
573: $ sudo ls /usr/local/protected
574:
1.13 millert 575: To list the home directory of user yaz on a machine where the
576: file system holding ~yaz is not exported as root:
1.1 millert 577:
1.13 millert 578: $ sudo -u yaz ls ~yaz
1.1 millert 579:
580: To edit the F<index.html> file as user www:
581:
582: $ sudo -u www vi ~www/htdocs/index.html
1.13 millert 583:
584: To view system logs only accessible to root and users in the adm group:
585:
586: $ sudo -g adm view /var/log/syslog
587:
588: To run an editor as jim with a different primary group:
589:
590: $ sudo -u jim -g audio vi ~jim/sound.txt
1.1 millert 591:
592: To shutdown a machine:
593:
594: $ sudo shutdown -r +15 "quick reboot"
595:
596: To make a usage listing of the directories in the /home
597: partition. Note that this runs the commands in a sub-shell
598: to make the C<cd> and file redirection work.
599:
600: $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
601:
602: =head1 SEE ALSO
603:
1.9 millert 604: L<grep(1)>, L<su(1)>, L<stat(2)>,
605: L<login_cap(3)>,
606: L<passwd(5)>, L<sudoers(5)>, L<visudo(8)>
1.1 millert 607:
608: =head1 AUTHORS
609:
610: Many people have worked on B<sudo> over the years; this
611: version consists of code written primarily by:
612:
613: Todd C. Miller
614:
615: See the HISTORY file in the B<sudo> distribution or visit
616: http://www.sudo.ws/sudo/history.html for a short history
617: of B<sudo>.
618:
619: =head1 CAVEATS
620:
621: There is no easy way to prevent a user from gaining a root shell
622: if that user is allowed to run arbitrary commands via B<sudo>.
623: Also, many programs (such as editors) allow the user to run commands
624: via shell escapes, thus avoiding B<sudo>'s checks. However, on
625: most systems it is possible to prevent shell escapes with B<sudo>'s
626: I<noexec> functionality. See the L<sudoers(5)> manual
627: for details.
628:
629: It is not meaningful to run the C<cd> command directly via sudo, e.g.,
630:
631: $ sudo cd /usr/local/protected
632:
633: since when the command exits the parent process (your shell) will
634: still be the same. Please see the EXAMPLES section for more information.
635:
636: If users have sudo C<ALL> there is nothing to prevent them from
637: creating their own program that gives them a root shell regardless
638: of any '!' elements in the user specification.
639:
640: Running shell scripts via B<sudo> can expose the same kernel bugs that
641: make setuid shell scripts unsafe on some operating systems (if your OS
642: has a /dev/fd/ directory, setuid shell scripts are generally safe).
643:
644: =head1 BUGS
645:
646: If you feel you have found a bug in B<sudo>, please submit a bug report
647: at http://www.sudo.ws/sudo/bugs/
648:
649: =head1 SUPPORT
650:
651: Limited free support is available via the sudo-users mailing list,
652: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
653: search the archives.
654:
655: =head1 DISCLAIMER
656:
657: B<sudo> is provided ``AS IS'' and any express or implied warranties,
658: including, but not limited to, the implied warranties of merchantability
659: and fitness for a particular purpose are disclaimed. See the LICENSE
660: file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
661: for complete details.
![[BACK]](/icons/back.gif){kind=icon}
Return to sudo.pod CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo