SUDO(1m)                  MAINTENANCE COMMANDS                  SUDO(1m)

NAME
     sudo, sudoedit - execute a command as another user

SYNOPSIS
     sudo -h | -K | -k | -L | -V

     sudo -v [-AknS] [-a auth_type] [-g group name|#gid] [-p prompt]
          [-u user name|#uid]

     sudo -l[l] [-AknS] [-a auth_type] [-g group name|#gid] [-p prompt]
          [-U user name] [-u user name|#uid] [command]

     sudo [-AbEHnPS] [-a auth_type] [-C fd] [-c class|-]
          [-g group name|#gid] [-p prompt] [-r role] [-t type]
          [-u user name|#uid] [VAR=value] [-i | -s] [command]

     sudoedit [-AnS] [-a auth_type] [-C fd] [-c class|-]
          [-g group name|#gid] [-p prompt] [-u user name|#uid] file ...

DESCRIPTION
     sudo allows a permitted user to execute a command as the superuser or
     another user, as specified in the sudoers file.  The real and effective
     uid and gid are set to match those of the target user as specified in
     the passwd file and the group vector is initialized based on the group
     file (unless the -P option was specified).  If the invoking user is
     root or if the target user is the same as the invoking user, no
     password is required.  Otherwise, sudo requires that users authenticate
     themselves with a password by default (NOTE: in the default
     configuration this is the user's password, not the root password).
     Once a user has been authenticated, a time stamp is updated and the
     user may then use sudo without a password for a short period of time (5
     minutes unless overridden in sudoers).

     When invoked as sudoedit, the -e option (described below) is implied.

     sudo determines who is an authorized user by consulting the file
     /etc/sudoers.  By running sudo with the -v option, a user can update
     the time stamp without running a command.  If a password is required,
     sudo will exit if the user's password is not entered within a
     configurable time limit.  The default password prompt timeout is 5
     minutes.

     If a user who is not listed in the sudoers file tries to run a command
     via sudo, mail is sent to the proper authorities, as defined at
     configure time or in the sudoers file (defaults to root).  Note that
     the mail will not be sent if an unauthorized user tries to run sudo
     with the -l or -v option.  This allows users to determine for
     themselves whether or not they are allowed to use sudo.

     If sudo is run by root and the SUDO_USER environment variable is set,
     sudo will use this value to determine who the actual user is.  This can
     be used by a user to log commands through sudo even when a root shell
     has been invoked.  It also allows the -e option to remain useful even
     when being run via a sudo-run script or program.  Note however, that
     the sudoers lookup is still done for root, not the user specified by
     SUDO_USER.

1.7.4                          July 19, 2010                         1

     sudo can log both successful and unsuccessful attempts (as well as
     errors) to syslog(3), a log file, or both.  By default sudo will log
     via syslog(3) but this is changeable at configure time or via the
     sudoers file.

OPTIONS
     sudo accepts the following command line options:

     -A          Normally, if sudo requires a password, it will read it from
                 the current terminal.  If the -A (askpass) option is
                 specified, a (possibly graphical) helper program is
                 executed to read the user's password and output the
                 password to the standard output.  If the SUDO_ASKPASS
                 environment variable is set, it specifies the path to the
                 helper program.  Otherwise, the value specified by the
                 askpass option in sudoers(4) is used.

     -a type     The -a (authentication type) option causes sudo to use the
                 specified authentication type when validating the user, as
                 allowed by /etc/login.conf.  The system administrator may
                 specify a list of sudo-specific authentication methods by
                 adding an "auth-sudo" entry in /etc/login.conf.  This
                 option is only available on systems that support BSD
                 authentication.

     -b          The -b (background) option tells sudo to run the given
                 command in the background.  Note that if you use the -b
                 option you cannot use shell job control to manipulate the
                 process.

     -C fd       Normally, sudo will close all open file descriptors other
                 than standard input, standard output and standard error.
                 The -C (close from) option allows the user to specify a
                 starting point above the standard error (file descriptor
                 three).  Values less than three are not permitted.  This
                 option is only available if the administrator has enabled
                 the closefrom_override option in sudoers(4).

     -c class    The -c (class) option causes sudo to run the specified
                 command with resources limited by the specified login
                 class.  The class argument can be either a class name as
                 defined in /etc/login.conf, or a single '-' character.
                 Specifying a class of - indicates that the command should
                 be run restricted by the default login capabilities for the
                 user the command is run as.  If the class argument
                 specifies an existing user class, the command must be run
                 as root, or the sudo command must be run from a shell that
                 is already root.  This option is only available on systems
                 with BSD login classes.

     -E          The -E (preserve environment) option will override the
                 env_reset option in sudoers(4).  It is only available when
                 either the matching command has the SETENV tag or the
                 setenv option is set in sudoers(4).

     -e          The -e (edit) option indicates that, instead of running a
                 command, the user wishes to edit one or more files.  In
                 lieu of a command, the string "sudoedit" is used when
                 consulting the sudoers file.  If the user is authorized by
                 sudoers the following steps are taken:

                 1.  Temporary copies are made of the files to be edited
                     with the owner set to the invoking user.

                 2.  The editor specified by the SUDO_EDITOR, VISUAL or
                     EDITOR environment variables is run to edit the
                     temporary files.  If none of SUDO_EDITOR, VISUAL or
                     EDITOR are set, the first program listed in the editor
                     sudoers variable is used.

                 3.  If they have been modified, the temporary files are
                     copied back to their original location and the
                     temporary versions are removed.

                 If the specified file does not exist, it will be created.
                 Note that unlike most commands run by sudo, the editor is
                 run with the invoking user's environment unmodified.  If,
                 for some reason, sudo is unable to update a file with its
                 edited version, the user will receive a warning and the
                 edited copy will remain in a temporary file.
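The three sudoedit steps above, as an added shell example that is not part of this manual or of the sudo sources: it runs the copy, edit and write-back sequence on one file with the caller's own privileges, so it can be tried without sudo, and it picks the editor in the SUDO_EDITOR, VISUAL, EDITOR order of step 2. The function names are invented here, and the final fallback to "vi" is an assumption standing in for the first entry of the sudoers editor list.

```shell
#!/bin/sh
# Added example, not sudo's own code: emulates the sudoedit steps with
# ordinary user privileges.

# Step 2's editor selection: SUDO_EDITOR, then VISUAL, then EDITOR.
# sudoedit itself falls back to the first program in the sudoers "editor"
# list; "vi" below is an assumed stand-in for that.
pick_editor() {
    if [ -n "$SUDO_EDITOR" ]; then
        printf '%s\n' "$SUDO_EDITOR"
    elif [ -n "$VISUAL" ]; then
        printf '%s\n' "$VISUAL"
    elif [ -n "$EDITOR" ]; then
        printf '%s\n' "$EDITOR"
    else
        printf '%s\n' "vi"
    fi
}

# emulate_sudoedit FILE
# Step 1: copy FILE to a temporary file owned by the caller (the copy is
#         created empty when FILE does not exist yet).
# Step 2: run the chosen editor on the copy, never on FILE itself.
# Step 3: write the copy back only if it was modified, then remove it.
# Prints "unchanged", "updated" or "created" and returns 0; returns 1 and
# leaves the edited copy in place if the write-back fails, as sudoedit does.
emulate_sudoedit() {
    target=$1
    existed=1
    [ -e "$target" ] || existed=0
    tmp=$(mktemp "${TMPDIR:-/tmp}/sudoedit.XXXXXX") || return 1
    if [ "$existed" -eq 1 ]; then
        cp "$target" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    editor=$(pick_editor)
    $editor "$tmp"      # deliberately unquoted: the editor may carry arguments
    if [ "$existed" -eq 1 ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    if cp "$tmp" "$target"; then
        rm -f "$tmp"
        if [ "$existed" -eq 1 ]; then echo updated; else echo created; fi
        return 0
    fi
    echo "warning: could not update $target; edited copy left in $tmp" >&2
    return 1
}
```

The editor only ever sees the temporary copy, which is what makes sudoedit preferable to granting an editor directly: the editor runs with the caller's privileges and environment, and the privileged step is reduced to copying the result back.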

     -g group    Normally, sudo sets the primary group to the one specified
                 by the passwd database for the user the command is being
                 run as (by default, root).  The -g (group) option causes
                 sudo to run the specified command with the primary group
                 set to group.  To specify a gid instead of a group name,
                 use #gid.  When running commands as a gid, many shells
                 require that the '#' be escaped with a backslash ('\').  If
                 no -u option is specified, the command will be run as the
                 invoking user (not root).  In either case, the primary
                 group will be set to group.

     -H          The -H (HOME) option sets the HOME environment variable to
                 the homedir of the target user (root by default) as
                 specified in passwd(4).  The default handling of the HOME
                 environment variable depends on sudoers(4) settings.  By
                 default, sudo will set HOME if env_reset or always_set_home
                 are set, or if set_home is set and the -s option is
                 specified on the command line.

     -h          The -h (help) option causes sudo to print a usage message
                 and exit.

     -i [command]
                 The -i (simulate initial login) option runs the shell
                 specified in the passwd(4) entry of the target user as a
                 login shell.  This means that login-specific resource files
                 such as .profile or .login will be read by the shell.  If a
                 command is specified, it is passed to the shell for
                 execution.  Otherwise, an interactive shell is executed.
                 sudo attempts to change to that user's home directory
                 before running the shell.  It also initializes the
                 environment, leaving DISPLAY and TERM unchanged, setting
                 HOME, MAIL, SHELL, USER, LOGNAME, and PATH, as well as the
                 contents of /etc/environment on Linux and AIX systems.  All
                 other environment variables are removed.

     -K          The -K (sure kill) option is like -k except that it removes
                 the user's time stamp entirely and may not be used in
                 conjunction with a command or other option.  This option
                 does not require a password.

     -k          When used by itself, the -k (kill) option to sudo
                 invalidates the user's time stamp by setting the time on it
                 to the Epoch.  The next time sudo is run a password will be
                 required.  This option does not require a password and was
                 added to allow a user to revoke sudo permissions from a
                 .logout file.

                 When used in conjunction with a command or an option that
                 may require a password, the -k option will cause sudo to
                 ignore the user's time stamp file.  As a result, sudo will
                 prompt for a password (if one is required by sudoers) and
                 will not update the user's time stamp file.

     -L          The -L (list defaults) option will list the parameters that
                 may be set in a Defaults line along with a short
                 description for each.  This option will be removed from a
                 future version of sudo.

     -l[l] [command]
                 If no command is specified, the -l (list) option will list
                 the allowed (and forbidden) commands for the invoking user
                 (or the user specified by the -U option) on the current
                 host.  If a command is specified and is permitted by
                 sudoers, the fully-qualified path to the command is
                 displayed along with any command line arguments.  If
                 command is specified but not allowed, sudo will exit with a
                 status value of 1.  If the -l option is specified with an l
                 argument (i.e. -ll), or if -l is specified multiple times,
                 a longer list format is used.

     -n          The -n (non-interactive) option prevents sudo from
                 prompting the user for a password.  If a password is
                 required for the command to run, sudo will display an error
                 message and exit.

     -P          The -P (preserve group vector) option causes sudo to
                 preserve the invoking user's group vector unaltered.  By
                 default, sudo will initialize the group vector to the list
                 of groups the target user is in.  The real and effective
                 group IDs, however, are still set to match the target user.

     -p prompt   The -p (prompt) option allows you to override the default
                 password prompt and use a custom one.  The following
                 percent (`%') escapes are supported:

                 %H  expanded to the local host name including the domain
                     name (only if the machine's host name is fully qualified
                     or the fqdn sudoers option is set)

                 %h  expanded to the local host name without the domain name

                 %p  expanded to the user whose password is being asked for
                     (respects the rootpw, targetpw and runaspw flags in
                     sudoers)

                 %U  expanded to the login name of the user the command will
                     be run as (defaults to root)

                 %u  expanded to the invoking user's login name

                 %%  two consecutive % characters are collapsed into a
                     single % character

                 The prompt specified by the -p option will override the
                 system password prompt on systems that support PAM unless
                 the passprompt_override flag is disabled in sudoers.
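The escape table above, as an added shell example that is not part of this manual or of sudo itself: a small expander that lets an administrator preview what a custom -p prompt will look like. The host name is passed in already resolved (sudo itself derives it from the system and the fqdn option), %h is taken as the part before the first dot, and the account whose password is requested is passed in directly, since in real sudo the rootpw, targetpw and runaspw flags decide it. The function name and parameter order are invented here.

```shell
#!/bin/sh
# Added example, not sudo's own code: expands the -p percent escapes.
#
# usage: expand_prompt PROMPT HOST ASKPW_USER TARGET_USER INVOKING_USER
#   HOST         local host name, already resolved (with domain if known)
#   ASKPW_USER   user whose password is being asked for (%p)
#   TARGET_USER  user the command will run as (%U)
#   INVOKING_USER user running sudo (%u)
expand_prompt() {
    fmt=$1 host=$2 askpw=$3 target=$4 invoker=$5
    short=${host%%.*}               # host name without the domain part
    out=""
    rest=$fmt
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}       # first character of the remainder
        rest=${rest#?}
        if [ "$c" != "%" ]; then
            out="$out$c"
            continue
        fi
        e=${rest%"${rest#?}"}       # the escape letter after the %
        rest=${rest#?}
        case $e in
            H) out="$out$host" ;;    # host name including the domain
            h) out="$out$short" ;;   # host name without the domain
            p) out="$out$askpw" ;;   # user whose password is asked for
            U) out="$out$target" ;;  # user the command will run as
            u) out="$out$invoker" ;; # invoking user
            %) out="$out%" ;;        # %% collapses to a single %
            *) out="$out%$e" ;;      # unknown escape: copied through
        esac
    done
    printf '%s\n' "$out"
}

# Demonstration with constructed values.
expand_prompt '[sudo] password for %p@%h (running as %U, %% escapes ok): ' \
    build1.example.com alice root alice
```

A prompt that names both %p and %U is a cheap defence against confusion when targetpw or runaspw is in effect, because the user sees whose password is being requested and whose identity the command will take on.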

     -r role     The -r (role) option causes the new (SELinux) security
                 context to have the role specified by role.

     -S          The -S (stdin) option causes sudo to read the password from
                 the standard input instead of the terminal device.  The
                 password must be followed by a newline character.

     -s [command]
                 The -s (shell) option runs the shell specified by the SHELL
                 environment variable if it is set or the shell as specified
                 in passwd(4).  If a command is specified, it is passed to
                 the shell for execution.  Otherwise, an interactive shell
                 is executed.

     -t type     The -t (type) option causes the new (SELinux) security
                 context to have the type specified by type.  If no type is
                 specified, the default type is derived from the specified
                 role.

     -U user     The -U (other user) option is used in conjunction with the
                 -l option to specify the user whose privileges should be
                 listed.  Only root or a user with sudo ALL on the current
                 host may use this option.

     -u user     The -u (user) option causes sudo to run the specified
                 command as a user other than root.  To specify a uid
                 instead of a user name, use #uid.  When running commands as
                 a uid, many shells require that the '#' be escaped with a
                 backslash ('\').  Note that if the targetpw Defaults option
                 is set (see sudoers(4)) it is not possible to run commands
                 with a uid not listed in the password database.

     -V          The -V (version) option causes sudo to print the version
                 number and exit.  If the invoking user is already root the
                 -V option will print out a list of the defaults sudo was
                 compiled with as well as the machine's local network
                 addresses.

     -v          If given the -v (validate) option, sudo will update the
                 user's time stamp, prompting for the user's password if
                 necessary.  This extends the sudo timeout for another 5
                 minutes (or whatever the timeout is set to in sudoers) but
                 does not run a command.

     --          The -- option indicates that sudo should stop processing
                 command line arguments.

     Environment variables to be set for the command may also be passed on
     the command line in the form of VAR=value, e.g.
     LD_LIBRARY_PATH=/usr/local/pkg/lib.  Variables passed on the command
     line are subject to the same restrictions as normal environment
     variables with one important exception.  If the setenv option is set in
     sudoers, the command to be run has the SETENV tag set or the command
     matched is ALL, the user may set variables that would otherwise be
     forbidden.  See sudoers(4) for more information.

RETURN VALUES
     Upon successful execution of a program, the exit status from sudo will
     simply be the exit status of the program that was executed.

     Otherwise, sudo quits with an exit value of 1 if there is a
     configuration/permission problem or if sudo cannot execute the given
     command.  In the latter case the error string is printed to stderr.  If
     sudo cannot stat(2) one or more entries in the user's PATH an error is
     printed on stderr.  (If the directory does not exist or if it is not
     really a directory, the entry is ignored and no error is printed.)
     This should not happen under normal circumstances.  The most common
     reason for stat(2) to return "permission denied" is if you are running
     an automounter and one of the directories in your PATH is on a machine
     that is currently unreachable.

SECURITY NOTES
     sudo tries to be safe when executing external commands.

     There are two distinct ways to deal with environment variables.  By
     default, the env_reset sudoers option is enabled.  This causes commands
     to be executed with a minimal environment containing TERM, PATH, HOME,
     SHELL, LOGNAME, USER and USERNAME in addition to variables from the
     invoking process permitted by the env_check and env_keep sudoers
     options.  There is effectively a whitelist for environment variables.

     If, however, the env_reset option is disabled in sudoers, any variables
     not explicitly denied by the env_check and env_delete options are
     inherited from the invoking process.  In this case, env_check and
     env_delete behave like a blacklist.  Since it is not possible to
     blacklist all potentially dangerous environment variables, use of the
     default env_reset behavior is encouraged.

     In all cases, environment variables with a value beginning with () are
     removed as they could be interpreted as bash functions.  The list of
     environment variables that sudo allows or denies is contained in the
     output of sudo -V when run as root.
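The two policies described above (env_reset as a whitelist, env_check/env_delete as a blacklist, and the unconditional removal of "()" values), as an added shell example that is not part of this manual or of sudo itself. It runs a filter over a constructed environment so the difference can be seen without sudo; the three name lists are assumptions chosen to illustrate the mechanism, not sudo's built-in lists (those come from "sudo -V" as root), and the function names are invented here.

```shell
#!/bin/sh
# Added example, not sudo's own code: a shell model of sudo's two
# environment policies, run over a constructed environment.

ENV_RESET_BASE="TERM PATH HOME SHELL LOGNAME USER USERNAME"  # always kept with env_reset
ENV_KEEP="LANG LC_ALL"                                        # assumed env_keep entries
ENV_DELETE="LD_PRELOAD IFS CDPATH"                            # assumed env_delete entries

# in_list NAME "WORD WORD ..." : 0 if NAME is one of the words
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# filter_env MODE   (reads NAME=value lines on stdin, prints the survivors)
#   reset   : whitelist, only ENV_RESET_BASE and ENV_KEEP names pass
#   noreset : blacklist, everything passes except ENV_DELETE names
# In both modes a value starting with "()" is dropped, since bash would
# import it as a function.
filter_env() {
    mode=$1
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case $value in '()'*) continue ;; esac
        case $mode in
            reset)
                if ! in_list "$name" "$ENV_RESET_BASE" && ! in_list "$name" "$ENV_KEEP"; then
                    continue
                fi ;;
            noreset)
                if in_list "$name" "$ENV_DELETE"; then
                    continue
                fi ;;
            *)
                echo "filter_env: unknown mode $mode" >&2
                return 2 ;;
        esac
        printf '%s\n' "$line"
    done
}

# Constructed sample environment (not captured from a real system).
SAMPLE_ENV='PATH=/usr/bin:/bin
HOME=/home/alice
LANG=C.UTF-8
LD_PRELOAD=/tmp/untrusted.so
MYFUNC=() { :; }
EDITOR=vim
UNLISTED_VAR=1'

# surviving_names MODE : space-separated names that filter_env keeps
surviving_names() {
    names=""
    for n in $(printf '%s\n' "$SAMPLE_ENV" | filter_env "$1" | sed 's/=.*//'); do
        names="$names${names:+ }$n"
    done
    printf '%s\n' "$names"
}

echo "env_reset on : $(surviving_names reset)"
echo "env_reset off: $(surviving_names noreset)"
```

The point the sample makes is the one in the text: with env_reset off, UNLISTED_VAR reaches the command because nobody thought to blacklist it, whereas with env_reset on it never had a chance. Reviewing a sudoers file should therefore focus on what env_keep admits, not on how long env_delete is.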

     Note that the dynamic linker on most operating systems will remove
     variables that can control dynamic linking from the environment of
     setuid executables, including sudo.  Depending on the operating system
     this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
     others.  These types of variables are removed from the environment
     before sudo even begins execution and, as such, it is not possible for
     sudo to preserve them.

     To prevent command spoofing, sudo checks "." and "" (both denoting
     current directory) last when searching for a command in the user's PATH
     (if one or both are in the PATH).  Note, however, that the actual PATH
     environment variable is not modified and is passed unchanged to the
     program that sudo executes.

     sudo will check the ownership of its time stamp directory
     (/var/adm/sudo by default) and ignore the directory's contents if it is
     not owned by root or if it is writable by a user other than root.  On
     systems that allow non-root users to give away files via chown(2), if
     the time stamp directory is located in a directory writable by anyone
     (e.g., /tmp), it is possible for a user to create the time stamp
     directory before sudo is run.  However, because sudo checks the
     ownership and mode of the directory and its contents, the only damage
     that can be done is to "hide" files by putting them in the time stamp
     dir.  This is unlikely to happen since once the time stamp dir is owned
     by root and inaccessible by any other user, the user placing files
     there would be unable to get them back out.  To get around this issue
     you can use a directory that is not world-writable for the time stamps
     (/var/adm/sudo for instance) or create /var/adm/sudo with the
     appropriate owner (root) and permissions (0700) in the system startup
     files.

     sudo will not honor time stamps set far in the future.  Timestamps with
     a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
     will log and complain.  This is done to keep a user from creating
     his/her own time stamp with a bogus date on systems that allow users to
     give away files.

     On systems where the boot time is available, sudo will also not honor
     time stamps from before the machine booted.
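The three time stamp sanity checks just described (directory owned by root and not writable by anyone else, no modification time beyond current_time + 2 * TIMEOUT, nothing from before boot), as an added shell example that is not part of this manual or of sudo's own code. It is the kind of check an administrator can run against the time stamp directory on a system startup script, or against a scratch directory to see what sudo would reject. The function names are invented, the 300-second TIMEOUT is the assumed 5-minute default, and the directory check relies on the standard "ls -ldn" column layout.

```shell
#!/bin/sh
# Added example, not sudo's own code: the time stamp sanity checks from the
# SECURITY NOTES, as shell functions.
TIMEOUT=300   # sudoers timestamp timeout in seconds (5-minute default assumed)

# timestamp_dir_ok DIR
# 0 if DIR is a directory owned by uid 0 and writable by nobody but its
# owner; 1 otherwise, in which case sudo would ignore its contents.
# "ls -ldn" prints the mode string first and the numeric owner uid third.
timestamp_dir_ok() {
    d=$1
    [ -d "$d" ] || return 1
    set -- $(ls -ldn "$d")
    mode=$1 uid=$3
    [ "$uid" = 0 ] || return 1
    case $mode in
        d????w*)    return 1 ;;   # group-writable (6th character of the mode)
        d???????w*) return 1 ;;   # world-writable (9th character of the mode)
    esac
    return 0
}

# timestamp_fresh MTIME NOW [BOOT]   (all in seconds since the Epoch)
# 0 if a time stamp modified at MTIME is still valid at NOW:
#   - not from before the last boot (BOOT, when the system can tell us),
#   - not further ahead than NOW + 2 * TIMEOUT (a bogus future date),
#   - not older than TIMEOUT.
timestamp_fresh() {
    mtime=$1 now=$2 boot=${3:-0}
    [ "$mtime" -ge "$boot" ] || return 1
    [ "$mtime" -le $((now + 2 * TIMEOUT)) ] || return 1
    [ $((now - mtime)) -le "$TIMEOUT" ] || return 1
    return 0
}

# Demonstration on a scratch directory (constructed here, then removed).
demo() {
    scratch=$(mktemp -d) || return 1
    chmod 0777 "$scratch"
    timestamp_dir_ok "$scratch" && echo "world-writable dir accepted?!" \
                                || echo "world-writable dir rejected"
    chmod 0700 "$scratch"
    timestamp_dir_ok "$scratch" && echo "0700 dir owned by uid 0 accepted" \
                                || echo "0700 dir rejected (not owned by root here)"
    rmdir "$scratch"
}
demo
```

The future-date bound is deliberately looser than the expiry bound: a stamp a little ahead of the clock (for instance after an NTP step backwards) is still honoured, while one more than 2 * TIMEOUT ahead can only have been planted and is ignored and logged.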

     Since time stamp files live in the file system, they can outlive a
     user's login session.  As a result, a user may be able to log in, run a
     command with sudo after authenticating, log out, log in again, and run
     sudo without authenticating so long as the time stamp file's
     modification time is within 5 minutes (or whatever the timeout is set
     to in sudoers).  When the tty_tickets option is enabled in sudoers, the
     time stamp has per-tty granularity but still may outlive the user's
     session.  On Linux systems where the devpts filesystem is used, Solaris
     systems with the devices filesystem, as well as other systems that
     utilize a devfs filesystem that monotonically increases the inode number
     of devices as they are created (such as Mac OS X), sudo is able to
     determine when a tty-based time stamp file is stale and will ignore it.
     Administrators should not rely on this feature as it is not universally
     available.

     Please note that sudo will normally only log the command it explicitly
     runs.  If a user runs a command such as sudo su or sudo sh, subsequent
     commands run from that shell will not be logged, nor will sudo's access
     control affect them.  The same is true for commands that offer shell
     escapes (including most editors).  Because of this, care must be taken
     when giving users access to commands via sudo to verify that the
     command does not inadvertently give the user an effective root shell.
     For more information, please see the PREVENTING SHELL ESCAPES section
     in sudoers(4).

ENVIRONMENT
     sudo utilizes the following environment variables:

     EDITOR          Default editor to use in -e (sudoedit) mode if neither
                     SUDO_EDITOR nor VISUAL is set

     MAIL            In -i mode or when env_reset is enabled in sudoers, set
                     to the mail spool of the target user

     HOME            Set to the home directory of the target user if -i or
                     -H are specified, env_reset or always_set_home are set
                     in sudoers, or when the -s option is specified and
                     set_home is set in sudoers

     PATH            Set to a sane value if the secure_path sudoers option
                     is set.

     SHELL           Used to determine shell to run with -s option

     SUDO_ASKPASS    Specifies the path to a helper program used to read the
                     password if no terminal is available or if the -A
                     option is specified.

     SUDO_COMMAND    Set to the command run by sudo

     SUDO_EDITOR     Default editor to use in -e (sudoedit) mode

     SUDO_GID        Set to the group ID of the user who invoked sudo

     SUDO_PROMPT     Used as the default password prompt

     SUDO_PS1        If set, PS1 will be set to its value for the program
                     being run

     SUDO_UID        Set to the user ID of the user who invoked sudo

     SUDO_USER       Set to the login of the user who invoked sudo

     USER            Set to the target user (root unless the -u option is
                     specified)

     VISUAL          Default editor to use in -e (sudoedit) mode if
                     SUDO_EDITOR is not set

FILES
     /etc/sudoers         List of who can run what

     /var/adm/sudo        Directory containing time stamps

     /etc/environment     Initial environment for -i mode on Linux and
                          AIX

EXAMPLES
     Note: the following examples assume suitable sudoers(4) entries.

     To get a file listing of an unreadable directory:

         $ sudo ls /usr/local/protected

     To list the home directory of user yaz on a machine where the file
     system holding ~yaz is not exported as root:

         $ sudo -u yaz ls ~yaz

     To edit the index.html file as user www:

         $ sudo -u www vi ~www/htdocs/index.html

     To view system logs only accessible to root and users in the adm group:

         $ sudo -g adm view /var/log/syslog

     To run an editor as jim with a different primary group:

         $ sudo -u jim -g audio vi ~jim/sound.txt

     To shut down a machine:

         $ sudo shutdown -r +15 "quick reboot"

     To make a usage listing of the directories in the /home partition.
     Note that this runs the commands in a sub-shell to make the cd and file
     redirection work.

         $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"

SEE ALSO
     grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(5),
     visudo(1m)

AUTHORS
     Many people have worked on sudo over the years; this version consists
     of code written primarily by:

          Todd C. Miller

     See the HISTORY file in the sudo distribution or visit
     http://www.sudo.ws/sudo/history.html for a short history of sudo.

CAVEATS
     There is no easy way to prevent a user from gaining a root shell if
     that user is allowed to run arbitrary commands via sudo.  Also, many
     programs (such as editors) allow the user to run commands via shell
     escapes, thus avoiding sudo's checks.  However, on most systems it is
     possible to prevent shell escapes with sudo's noexec functionality.
     See the sudoers(4) manual for details.

     It is not meaningful to run the cd command directly via sudo, e.g.,

         $ sudo cd /usr/local/protected

     since when the command exits the parent process (your shell) will still
     be the same.  Please see the EXAMPLES section for more information.

     If users have sudo ALL there is nothing to prevent them from creating
     their own program that gives them a root shell regardless of any '!'
     elements in the user specification.

     Running shell scripts via sudo can expose the same kernel bugs that
     make setuid shell scripts unsafe on some operating systems (if your OS
     has a /dev/fd/ directory, setuid shell scripts are generally safe).

BUGS
     If you feel you have found a bug in sudo, please submit a bug report at
     http://www.sudo.ws/sudo/bugs/

SUPPORT
     Limited free support is available via the sudo-users mailing list, see
     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.

DISCLAIMER
     sudo is provided ``AS IS'' and any express or implied warranties,
     including, but not limited to, the implied warranties of
     merchantability and fitness for a particular purpose are disclaimed.
     See the LICENSE file distributed with sudo or
     http://www.sudo.ws/sudo/license.html for complete details.