diff options
Diffstat (limited to 'doc/sudo.cat')
-rw-r--r-- | doc/sudo.cat | 741 |
1 files changed, 741 insertions, 0 deletions
diff --git a/doc/sudo.cat b/doc/sudo.cat new file mode 100644 index 0000000..6d7671b --- /dev/null +++ b/doc/sudo.cat @@ -0,0 +1,741 @@ +SUDO(1m) System Manager's Manual SUDO(1m) + +NNAAMMEE + ssuuddoo, ssuuddooeeddiitt - execute a command as another user + +SSYYNNOOPPSSIISS + ssuuddoo --hh | --KK | --kk | --VV + ssuuddoo --vv [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r] + ssuuddoo --ll [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--UU _u_s_e_r] + [--uu _u_s_e_r] [_c_o_m_m_a_n_d] + ssuuddoo [--AAbbEEHHnnPPSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t] + [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--TT _t_i_m_e_o_u_t] [--uu _u_s_e_r] [_V_A_R=_v_a_l_u_e] + [--ii | --ss] [_c_o_m_m_a_n_d] + ssuuddooeeddiitt [--AAkknnSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t] + [--pp _p_r_o_m_p_t] [--TT _t_i_m_e_o_u_t] [--uu _u_s_e_r] _f_i_l_e _._._. + +DDEESSCCRRIIPPTTIIOONN + ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or + another user, as specified by the security policy. The invoking user's + real (_n_o_t effective) user ID is used to determine the user name with + which to query the security policy. + + ssuuddoo supports a plugin architecture for security policies and + input/output logging. Third parties can develop and distribute their own + policy and I/O logging plugins to work seamlessly with the ssuuddoo front + end. The default security policy is _s_u_d_o_e_r_s, which is configured via the + file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_l_u_g_i_n_s section for more + information. + + The security policy determines what privileges, if any, a user has to run + ssuuddoo. The policy may require that users authenticate themselves with a + password or another authentication mechanism. If authentication is + required, ssuuddoo will exit if the user's password is not entered within a + configurable time limit. This limit is policy-specific; the default + password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 minutes. + + Security policies may support credential caching to allow the user to run + ssuuddoo again for a period of time without requiring authentication. The + _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden in + sudoers(4). By running ssuuddoo with the --vv option, a user can update the + cached credentials without running a _c_o_m_m_a_n_d. + + When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. + + Security policies may log successful and failed attempts to use ssuuddoo. If + an I/O plugin is configured, the running command's input and output may + be logged as well. + + The options are as follows: + + --AA, ----aasskkppaassss + Normally, if ssuuddoo requires a password, it will read it from + the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is + specified, a (possibly graphical) helper program is executed + to read the user's password and output the password to the + standard output. If the SUDO_ASKPASS environment variable is + set, it specifies the path to the helper program. Otherwise, + if sudo.conf(4) contains a line specifying the askpass + program, that value will be used. For example: + + # Path to askpass helper program + Path askpass /usr/X11R6/bin/ssh-askpass + + If no askpass program is available, ssuuddoo will exit with an + error. + + --aa _t_y_p_e, ----aauutthh--ttyyppee=_t_y_p_e + Use the specified BSD authentication _t_y_p_e when validating the + user, if allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system + administrator may specify a list of sudo-specific + authentication methods by adding an "auth-sudo" entry in + _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only available on systems + that support BSD authentication. + + --bb, ----bbaacckkggrroouunndd + Run the given command in the background. Note that it is not + possible to use shell job control to manipulate background + processes started by ssuuddoo. Most interactive commands will + fail to work properly in background mode. + + --CC _n_u_m, ----cclloossee--ffrroomm=_n_u_m + Close all file descriptors greater than or equal to _n_u_m + before executing a command. Values less than three are not + permitted. By default, ssuuddoo will close all open file + descriptors other than standard input, standard output and + standard error when executing a command. The security policy + may restrict the user's ability to use this option. The + _s_u_d_o_e_r_s policy only permits use of the --CC option when the + administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. + + --cc _c_l_a_s_s, ----llooggiinn--ccllaassss=_c_l_a_s_s + Run the command with resource limits and scheduling priority + of the specified login _c_l_a_s_s. The _c_l_a_s_s argument can be + either a class name as defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a + single `-' character. If _c_l_a_s_s is --, the default login class + of the target user will be used. Otherwise, the command must + be run as the superuser (user ID 0), or ssuuddoo must be run from + a shell that is already running as the superuser. If the + command is being run as a login shell, additional + _/_e_t_c_/_l_o_g_i_n_._c_o_n_f settings, such as the umask and environment + variables, will be applied, if present. This option is only + available on systems with BSD login classes. + + --EE, ----pprreesseerrvvee--eennvv + Indicates to the security policy that the user wishes to + preserve their existing environment variables. The security + policy may return an error if the user does not have + permission to preserve the environment. + + ----pprreesseerrvvee--eennvv==lliisstt + Indicates to the security policy that the user wishes to add + the comma-separated list of environment variables to those + preserved from the user's environment. The security policy + may return an error if the user does not have permission to + preserve the environment. + + --ee, ----eeddiitt Edit one or more files instead of running a command. In lieu + of a path name, the string "sudoedit" is used when consulting + the security policy. If the user is authorized by the + policy, the following steps are taken: + + 1. Temporary copies are made of the files to be edited + with the owner set to the invoking user. + + 2. The editor specified by the policy is run to edit the + temporary files. The _s_u_d_o_e_r_s policy uses the + SUDO_EDITOR, VISUAL and EDITOR environment variables + (in that order). If none of SUDO_EDITOR, VISUAL or + EDITOR are set, the first program listed in the _e_d_i_t_o_r + sudoers(4) option is used. + + 3. If they have been modified, the temporary files are + copied back to their original location and the + temporary versions are removed. + + To help prevent the editing of unauthorized files, the + following restrictions are enforced unless explicitly allowed + by the security policy: + + ++oo Symbolic links may not be edited (version 1.8.15 and + higher). + + ++oo Symbolic links along the path to be edited are not + followed when the parent directory is writable by the + invoking user unless that user is root (version 1.8.16 + and higher). + + ++oo Files located in a directory that is writable by the + invoking user may not be edited unless that user is root + (version 1.8.16 and higher). + + Users are never allowed to edit device special files. + + If the specified file does not exist, it will be created. + Note that unlike most commands run by _s_u_d_o, the editor is run + with the invoking user's environment unmodified. If, for + some reason, ssuuddoo is unable to update a file with its edited + version, the user will receive a warning and the edited copy + will remain in a temporary file. + + --gg _g_r_o_u_p, ----ggrroouupp=_g_r_o_u_p + Run the command with the primary group set to _g_r_o_u_p instead + of the primary group specified by the target user's password + database entry. The _g_r_o_u_p may be either a group name or a + numeric group ID (GID) prefixed with the `#' character (e.g., + #0 for GID 0). When running a command as a GID, many shells + require that the `#' be escaped with a backslash (`\'). If + no --uu option is specified, the command will be run as the + invoking user. In either case, the primary group will be set + to _g_r_o_u_p. The _s_u_d_o_e_r_s policy permits any of the target + user's groups to be specified via the --gg option as long as + the --PP option is not in use. + + --HH, ----sseett--hhoommee + Request that the security policy set the HOME environment + variable to the home directory specified by the target user's + password database entry. Depending on the policy, this may + be the default behavior. + + --hh, ----hheellpp Display a short help message to the standard output and exit. + + --hh _h_o_s_t, ----hhoosstt=_h_o_s_t + Run the command on the specified _h_o_s_t if the security policy + plugin supports remote commands. Note that the _s_u_d_o_e_r_s + plugin does not currently support running remote commands. + This may also be used in conjunction with the --ll option to + list a user's privileges for the remote host. + + --ii, ----llooggiinn + Run the shell specified by the target user's password + database entry as a login shell. This means that login- + specific resource files such as _._p_r_o_f_i_l_e, _._b_a_s_h___p_r_o_f_i_l_e or + _._l_o_g_i_n will be read by the shell. If a command is specified, + it is passed to the shell for execution via the shell's --cc + option. If no command is specified, an interactive shell is + executed. ssuuddoo attempts to change to that user's home + directory before running the shell. The command is run with + an environment similar to the one a user would receive at log + in. Note that most shells behave differently when a command + is specified as compared to an interactive session; consult + the shell's manual for details. The _C_o_m_m_a_n_d _e_n_v_i_r_o_n_m_e_n_t + section in the sudoers(4) manual documents how the --ii option + affects the environment in which a command is run when the + _s_u_d_o_e_r_s policy is in use. + + --KK, ----rreemmoovvee--ttiimmeessttaammpp + Similar to the --kk option, except that it removes the user's + cached credentials entirely and may not be used in + conjunction with a command or other option. This option does + not require a password. Not all security policies support + credential caching. + + --kk, ----rreesseett--ttiimmeessttaammpp + When used without a command, invalidates the user's cached + credentials. In other words, the next time ssuuddoo is run a + password will be required. This option does not require a + password and was added to allow a user to revoke ssuuddoo + permissions from a _._l_o_g_o_u_t file. + + When used in conjunction with a command or an option that may + require a password, this option will cause ssuuddoo to ignore the + user's cached credentials. As a result, ssuuddoo will prompt for + a password (if one is required by the security policy) and + will not update the user's cached credentials. + + Not all security policies support credential caching. + + --ll, ----lliisstt If no _c_o_m_m_a_n_d is specified, list the allowed (and forbidden) + commands for the invoking user (or the user specified by the + --UU option) on the current host. A longer list format is used + if this option is specified multiple times and the security + policy supports a verbose output format. + + If a _c_o_m_m_a_n_d is specified and is permitted by the security + policy, the fully-qualified path to the command is displayed + along with any command line arguments. If a _c_o_m_m_a_n_d is + specified but not allowed by the policy, ssuuddoo will exit with + a status value of 1. + + --nn, ----nnoonn--iinntteerraaccttiivvee + Avoid prompting the user for input of any kind. If a + password is required for the command to run, ssuuddoo will + display an error message and exit. + + --PP, ----pprreesseerrvvee--ggrroouuppss + Preserve the invoking user's group vector unaltered. By + default, the _s_u_d_o_e_r_s policy will initialize the group vector + to the list of groups the target user is a member of. The + real and effective group IDs, however, are still set to match + the target user. + + --pp _p_r_o_m_p_t, ----pprroommpptt=_p_r_o_m_p_t + Use a custom password prompt with optional escape sequences. + The following percent (`%') escape sequences are supported by + the _s_u_d_o_e_r_s policy: + + %H expanded to the host name including the domain name (on + if the machine's host name is fully qualified or the _f_q_d_n + option is set in sudoers(4)) + + %h expanded to the local host name without the domain name + + %p expanded to the name of the user whose password is being + requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w + flags in sudoers(4)) + + %U expanded to the login name of the user the command will + be run as (defaults to root unless the --uu option is also + specified) + + %u expanded to the invoking user's login name + + %% two consecutive `%' characters are collapsed into a + single `%' character + + The custom prompt will override the default prompt specified + by either the security policy or the SUDO_PROMPT environment + variable. On systems that use PAM, the custom prompt will + also override the prompt specified by a PAM module unless the + _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. + + --rr _r_o_l_e, ----rroollee=_r_o_l_e + Run the command with an SELinux security context that + includes the specified _r_o_l_e. + + --SS, ----ssttddiinn + Write the prompt to the standard error and read the password + from the standard input instead of using the terminal device. + + --ss, ----sshheellll + Run the shell specified by the SHELL environment variable if + it is set or the shell specified by the invoking user's + password database entry. If a command is specified, it is + passed to the shell for execution via the shell's --cc option. + If no command is specified, an interactive shell is executed. + Note that most shells behave differently when a command is + specified as compared to an interactive session; consult the + shell's manual for details. + + --tt _t_y_p_e, ----ttyyppee=_t_y_p_e + Run the command with an SELinux security context that + includes the specified _t_y_p_e. If no _t_y_p_e is specified, the + default type is derived from the role. + + --UU _u_s_e_r, ----ootthheerr--uusseerr=_u_s_e_r + Used in conjunction with the --ll option to list the privileges + for _u_s_e_r instead of for the invoking user. The security + policy may restrict listing other users' privileges. The + _s_u_d_o_e_r_s policy only allows root or a user with the ALL + privilege on the current host to use this option. + + --TT _t_i_m_e_o_u_t, ----ccoommmmaanndd--ttiimmeeoouutt=_t_i_m_e_o_u_t + Used to set a timeout for the command. If the timeout + expires before the command has exited, the command will be + terminated. The security policy may restrict the ability to + set command timeouts. The _s_u_d_o_e_r_s policy requires that user- + specified timeouts be explicitly enabled. + + --uu _u_s_e_r, ----uusseerr=_u_s_e_r + Run the command as a user other than the default target user + (usually _r_o_o_t). The _u_s_e_r may be either a user name or a + numeric user ID (UID) prefixed with the `#' character (e.g., + #0 for UID 0). When running commands as a UID, many shells + require that the `#' be escaped with a backslash (`\'). Some + security policies may restrict UIDs to those listed in the + password database. The _s_u_d_o_e_r_s policy allows UIDs that are + not in the password database as long as the _t_a_r_g_e_t_p_w option + is not set. Other security policies may not support this. + + --VV, ----vveerrssiioonn + Print the ssuuddoo version string as well as the version string + of the security policy plugin and any I/O plugins. If the + invoking user is already root the --VV option will display the + arguments passed to configure when ssuuddoo was built and plugins + may display more verbose information such as default options. + + --vv, ----vvaalliiddaattee + Update the user's cached credentials, authenticating the user + if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo + timeout for another 5 minutes by default, but does not run a + command. Not all security policies support cached + credentials. + + ---- The ---- option indicates that ssuuddoo should stop processing + command line arguments. + + Environment variables to be set for the command may also be passed on the + command line in the form of _V_A_R=_v_a_l_u_e, e.g., + LD_LIBRARY_PATH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line + are subject to restrictions imposed by the security policy plugin. The + _s_u_d_o_e_r_s policy subjects variables passed on the command line to the same + restrictions as normal environment variables with one important + exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the command to be run + has the SETENV tag set or the command matched is ALL, the user may set + variables that would otherwise be forbidden. See sudoers(4) for more + information. + +CCOOMMMMAANNDD EEXXEECCUUTTIIOONN + When ssuuddoo executes a command, the security policy specifies the execution + environment for the command. Typically, the real and effective user and + group and IDs are set to match those of the target user, as specified in + the password database, and the group vector is initialized based on the + group database (unless the --PP option was specified). + + The following parameters may be specified by security policy: + + ++oo real and effective user ID + + ++oo real and effective group ID + + ++oo supplementary group IDs + + ++oo the environment list + + ++oo current working directory + + ++oo file creation mode mask (umask) + + ++oo SELinux role and type + + ++oo Solaris project + + ++oo Solaris privileges + + ++oo BSD login class + + ++oo scheduling priority (aka nice value) + + PPrroocceessss mmooddeell + There are two distinct ways ssuuddoo can run a command. + + If an I/O logging plugin is configured or if the security policy + explicitly requests it, a new pseudo-terminal ("pty") is allocated and + fork(2) is used to create a second ssuuddoo process, referred to as the + _m_o_n_i_t_o_r. The _m_o_n_i_t_o_r creates a new terminal session with itself as the + leader and the pty as its controlling terminal, calls fork(2), sets up + the execution environment as described above, and then uses the execve(2) + system call to run the command in the child process. The _m_o_n_i_t_o_r exists + to relay job control signals between the user's existing terminal and the + pty the command is being run in. This makes it possible to suspend and + resume the command. Without the monitor, the command would be in what + POSIX terms an "orphaned process group" and it would not receive any job + control signals from the kernel. When the command exits or is terminated + by a signal, the _m_o_n_i_t_o_r passes the command's exit status to the main + ssuuddoo process and exits. After receiving the command's exit status, the + main ssuuddoo passes the command's exit status to the security policy's close + function and exits. + + If no pty is used, ssuuddoo calls fork(2), sets up the execution environment + as described above, and uses the execve(2) system call to run the command + in the child process. The main ssuuddoo process waits until the command has + completed, then passes the command's exit status to the security policy's + close function and exits. As a special case, if the policy plugin does + not define a close function, ssuuddoo will execute the command directly + instead of calling fork(2) first. The _s_u_d_o_e_r_s policy plugin will only + define a close function when I/O logging is enabled, a pty is required, + or the _p_a_m___s_e_s_s_i_o_n or _p_a_m___s_e_t_c_r_e_d options are enabled. Note that + _p_a_m___s_e_s_s_i_o_n and _p_a_m___s_e_t_c_r_e_d are enabled by default on systems using PAM. + + SSiiggnnaall hhaannddlliinngg + When the command is run as a child of the ssuuddoo process, ssuuddoo will relay + signals it receives to the command. The SIGINT and SIGQUIT signals are + only relayed when the command is being run in a new pty or when the + signal was sent by a user process, not the kernel. This prevents the + command from receiving SIGINT twice each time the user enters control-C. + Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will + not be relayed to the command. As a general rule, SIGTSTP should be used + instead of SIGSTOP when you wish to suspend a command being run by ssuuddoo. + + As a special case, ssuuddoo will not relay signals that were sent by the + command it is running. This prevents the command from accidentally + killing itself. On some systems, the reboot(1m) command sends SIGTERM to + all non-system processes other than itself before rebooting the system. + This prevents ssuuddoo from relaying the SIGTERM signal it received back to + reboot(1m), which might then exit before the system was actually rebooted, + leaving it in a half-dead state similar to single user mode. Note, + however, that this check only applies to the command run by ssuuddoo and not + any other processes that the command may create. As a result, running a + script that calls reboot(1m) or shutdown(1m) via ssuuddoo may cause the system + to end up in this undefined state unless the reboot(1m) or shutdown(1m) are + run using the eexxeecc() family of functions instead of ssyysstteemm() (which + interposes a shell between the command and the calling process). + + If no I/O logging plugins are loaded and the policy plugin has not + defined a cclloossee() function, set a command timeout or required that the + command be run in a new pty, ssuuddoo may execute the command directly + instead of running it as a child process. + + PPlluuggiinnss + Plugins may be specified via Plugin directives in the sudo.conf(4) file. + They may be loaded as dynamic shared objects (on systems that support + them), or compiled directly into the ssuuddoo binary. If no sudo.conf(4) + file is present, or it contains no Plugin lines, ssuuddoo will use the + traditional _s_u_d_o_e_r_s security policy and I/O logging. See the + sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f file and the + sudo_plugin(4) manual for more information about the ssuuddoo plugin + architecture. + +EEXXIITT VVAALLUUEE + Upon successful execution of a command, the exit status from ssuuddoo will be + the exit status of the program that was executed. If the command + terminated due to receipt of a signal, ssuuddoo will send itself the same + signal that terminated the command. + + If the --ll option was specified without a command, ssuuddoo will exit with a + value of 0 if the user is allowed to run ssuuddoo and they authenticated + successfully (as required by the security policy). If a command is + specified with the --ll option, the exit value will only be 0 if the + command is permitted by the security policy, otherwise it will be 1. + + If there is an authentication failure, a configuration/permission problem + or if the given command cannot be executed, ssuuddoo exits with a value of 1. + In the latter case, the error string is printed to the standard error. + If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an error + is printed to the standard error. (If the directory does not exist or if + it is not really a directory, the entry is ignored and no error is + printed.) This should not happen under normal circumstances. The most + common reason for stat(2) to return "permission denied" is if you are + running an automounter and one of the directories in your PATH is on a + machine that is currently unreachable. + +SSEECCUURRIITTYY NNOOTTEESS + ssuuddoo tries to be safe when executing external commands. + + To prevent command spoofing, ssuuddoo checks "." and "" (both denoting + current directory) last when searching for a command in the user's PATH + (if one or both are in the PATH). Note, however, that the actual PATH + environment variable is _n_o_t modified and is passed unchanged to the + program that ssuuddoo executes. + + Users should _n_e_v_e_r be granted ssuuddoo privileges to execute files that are + writable by the user or that reside in a directory that is writable by + the user. If the user can modify or replace the command there is no way + to limit what additional commands they can run. + + Please note that ssuuddoo will normally only log the command it explicitly + runs. If a user runs a command such as sudo su or sudo sh, subsequent + commands run from that shell are not subject to ssuuddoo's security policy. + The same is true for commands that offer shell escapes (including most + editors). If I/O logging is enabled, subsequent commands will have their + input and/or output logged, but there will not be traditional logs for + those commands. Because of this, care must be taken when giving users + access to commands via ssuuddoo to verify that the command does not + inadvertently give the user an effective root shell. For more + information, please see the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section in + sudoers(4). + + To prevent the disclosure of potentially sensitive information, ssuuddoo + disables core dumps by default while it is executing (they are re-enabled + for the command that is run). This historical practice dates from a time + when most operating systems allowed setuid processes to dump core by + default. To aid in debugging ssuuddoo crashes, you may wish to re-enable + core dumps by setting "disable_coredump" to false in the sudo.conf(4) + file as follows: + + Set disable_coredump false + + See the sudo.conf(4) manual for more information. + +EENNVVIIRROONNMMEENNTT + ssuuddoo utilizes the following environment variables. The security policy + has control over the actual content of the command's environment. + + EDITOR Default editor to use in --ee (sudoedit) mode if neither + SUDO_EDITOR nor VISUAL is set. + + MAIL Set to the mail spool of the target user when the --ii + option is specified or when _e_n_v___r_e_s_e_t is enabled in + _s_u_d_o_e_r_s (unless MAIL is present in the _e_n_v___k_e_e_p list). + + HOME Set to the home directory of the target user when the --ii + or --HH options are specified, when the --ss option is + specified and _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s, when + _a_l_w_a_y_s___s_e_t___h_o_m_e is enabled in _s_u_d_o_e_r_s, or when _e_n_v___r_e_s_e_t + is enabled in _s_u_d_o_e_r_s and _H_O_M_E is not present in the + _e_n_v___k_e_e_p list. + + LOGNAME Set to the login name of the target user when the --ii + option is specified, when the _s_e_t___l_o_g_n_a_m_e option is + enabled in _s_u_d_o_e_r_s or when the _e_n_v___r_e_s_e_t option is + enabled in _s_u_d_o_e_r_s (unless LOGNAME is present in the + _e_n_v___k_e_e_p list). + + PATH May be overridden by the security policy. + + SHELL Used to determine shell to run with --ss option. + + SUDO_ASKPASS Specifies the path to a helper program used to read the + password if no terminal is available or if the --AA option + is specified. + + SUDO_COMMAND Set to the command run by sudo. + + SUDO_EDITOR Default editor to use in --ee (sudoedit) mode. + + SUDO_GID Set to the group ID of the user who invoked sudo. + + SUDO_PROMPT Used as the default password prompt unless the --pp option + was specified. + + SUDO_PS1 If set, PS1 will be set to its value for the program + being run. + + SUDO_UID Set to the user ID of the user who invoked sudo. + + SUDO_USER Set to the login name of the user who invoked sudo. + + USER Set to the same value as LOGNAME, described above. + + VISUAL Default editor to use in --ee (sudoedit) mode if + SUDO_EDITOR is not set. + +FFIILLEESS + _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration + +EEXXAAMMPPLLEESS + Note: the following examples assume a properly configured security + policy. + + To get a file listing of an unreadable directory: + + $ sudo ls /usr/local/protected + + To list the home directory of user yaz on a machine where the file system + holding ~yaz is not exported as root: + + $ sudo -u yaz ls ~yaz + + To edit the _i_n_d_e_x_._h_t_m_l file as user www: + + $ sudoedit -u www ~www/htdocs/index.html + + To view system logs only accessible to root and users in the adm group: + + $ sudo -g adm more /var/log/syslog + + To run an editor as jim with a different primary group: + + $ sudoedit -u jim -g audio ~jim/sound.txt + + To shut down a machine: + + $ sudo shutdown -r +15 "quick reboot" + + To make a usage listing of the directories in the /home partition. Note + that this runs the commands in a sub-shell to make the cd and file + redirection work. + + $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" + +DDIIAAGGNNOOSSTTIICCSS + Error messages produced by ssuuddoo include: + + editing files in a writable directory is not permitted + By default, ssuuddooeeddiitt does not permit editing a file when any of the + parent directories are writable by the invoking user. This avoids + a race condition that could allow the user to overwrite an + arbitrary file. See the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option in sudoers(4) for + more information. + + editing symbolic links is not permitted + By default, ssuuddooeeddiitt does not follow symbolic links when opening + files. See the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option in sudoers(4) for more + information. + + effective uid is not 0, is sudo installed setuid root? + ssuuddoo was not run with root privileges. The ssuuddoo binary must be + owned by the root user and have the Set-user-ID bit set. Also, it + must not be located on a file system mounted with the `nosuid' + option or on an NFS file system that maps uid 0 to an unprivileged + uid. + + effective uid is not 0, is sudo on a file system with the 'nosuid' option + set or an NFS file system without root privileges? + ssuuddoo was not run with root privileges. The ssuuddoo binary has the + proper owner and permissions but it still did not run with root + privileges. The most common reason for this is that the file + system the ssuuddoo binary is located on is mounted with the `nosuid' + option or it is an NFS file system that maps uid 0 to an + unprivileged uid. + + fatal error, unable to load plugins + An error occurred while loading or initializing the plugins + specified in sudo.conf(4). + + invalid environment variable name + One or more environment variable names specified via the --EE option + contained an equal sign (`='). The arguments to the --EE option + should be environment variable names without an associated value. + + no password was provided + When ssuuddoo tried to read the password, it did not receive any + characters. This may happen if no terminal is available (or the --SS + option is specified) and the standard input has been redirected + from _/_d_e_v_/_n_u_l_l. + + no tty present and no askpass program specified + ssuuddoo needs to read the password but there is no mechanism available + to do so. A terminal is not present to read the password from, + ssuuddoo has not been configured to read from the standard input, and + no askpass program has been specified either via the --AA option or + the SUDO_ASKPASS environment variable. + + no writable temporary directory found + ssuuddooeeddiitt was unable to find a usable temporary directory in which + to store its intermediate files. + + sudo must be owned by uid 0 and have the setuid bit set + ssuuddoo was not run with root privileges. The ssuuddoo binary does not + have the correct owner or permissions. It must be owned by the + root user and have the Set-user-ID bit set. + + sudoedit is not supported on this platform + It is only possible to run ssuuddooeeddiitt on systems that support setting + the effective user-ID. + + timed out reading password + The user did not enter a password before the password timeout (5 + minutes by default) expired. + + you do not exist in the passwd database + Your user ID does not appear in the system passwd database. + + you may not specify environment variables in edit mode + It is only possible to specify environment variables when running a + command. When editing a file, the editor is run with the user's + environment unmodified. + +SSEEEE AALLSSOO + su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudo_plugin(4), + sudoers(4), sudoreplay(1m), visudo(1m) + +HHIISSTTOORRYY + See the HISTORY file in the ssuuddoo distribution + (https://www.sudo.ws/history.html) for a brief history of sudo. + +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: + + Todd C. Miller + + See the CONTRIBUTORS file in the ssuuddoo distribution + (https://www.sudo.ws/contributors.html) for an exhaustive list of people + who have contributed to ssuuddoo. + +CCAAVVEEAATTSS + There is no easy way to prevent a user from gaining a root shell if that + user is allowed to run arbitrary commands via ssuuddoo. Also, many programs + (such as editors) allow the user to run commands via shell escapes, thus + avoiding ssuuddoo's checks. However, on most systems it is possible to + prevent shell escapes with the sudoers(4) plugin's _n_o_e_x_e_c functionality. + + It is not meaningful to run the cd command directly via sudo, e.g., + + $ sudo cd /usr/local/protected + + since when the command exits the parent process (your shell) will still + be the same. Please see the _E_X_A_M_P_L_E_S section for more information. + + Running shell scripts via ssuuddoo can expose the same kernel bugs that make + setuid shell scripts unsafe on some operating systems (if your OS has a + /dev/fd/ directory, setuid shell scripts are generally safe). + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + https://bugzilla.sudo.ws/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided "AS IS" and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. See the LICENSE + file distributed with ssuuddoo or https://www.sudo.ws/license.html for + complete details. + +Sudo 1.8.26 November 25, 2018 Sudo 1.8.26 |