Diffstat (limited to 'doc/sudo.cat')
-rw-r--r-- doc/sudo.cat 741
1 files changed, 741 insertions, 0 deletions
diff --git a/doc/sudo.cat b/doc/sudo.cat
new file mode 100644
index 0000000..6d7671b
--- /dev/null
+++ b/doc/sudo.cat
@@ -0,0 +1,741 @@
+SUDO(1m) System Manager's Manual SUDO(1m)
+
+NNAAMMEE
+ ssuuddoo, ssuuddooeeddiitt - execute a command as another user
+
+SSYYNNOOPPSSIISS
+ ssuuddoo --hh | --KK | --kk | --VV
+ ssuuddoo --vv [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r]
+ ssuuddoo --ll [--AAkknnSS] [--aa _t_y_p_e] [--gg _g_r_o_u_p] [--hh _h_o_s_t] [--pp _p_r_o_m_p_t] [--UU _u_s_e_r]
+ [--uu _u_s_e_r] [_c_o_m_m_a_n_d]
+ ssuuddoo [--AAbbEEHHnnPPSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t]
+ [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--TT _t_i_m_e_o_u_t] [--uu _u_s_e_r] [_V_A_R=_v_a_l_u_e]
+ [--ii | --ss] [_c_o_m_m_a_n_d]
+ ssuuddooeeddiitt [--AAkknnSS] [--aa _t_y_p_e] [--CC _n_u_m] [--cc _c_l_a_s_s] [--gg _g_r_o_u_p] [--hh _h_o_s_t]
+ [--pp _p_r_o_m_p_t] [--TT _t_i_m_e_o_u_t] [--uu _u_s_e_r] _f_i_l_e _._._.
+
+DDEESSCCRRIIPPTTIIOONN
+ ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or
+ another user, as specified by the security policy. The invoking user's
+ real (_n_o_t effective) user ID is used to determine the user name with
+ which to query the security policy.
+
+ ssuuddoo supports a plugin architecture for security policies and
+ input/output logging. Third parties can develop and distribute their own
+ policy and I/O logging plugins to work seamlessly with the ssuuddoo front
+ end. The default security policy is _s_u_d_o_e_r_s, which is configured via the
+ file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_l_u_g_i_n_s section for more
+ information.
+
+ The security policy determines what privileges, if any, a user has to run
+ ssuuddoo. The policy may require that users authenticate themselves with a
+ password or another authentication mechanism. If authentication is
+ required, ssuuddoo will exit if the user's password is not entered within a
+ configurable time limit. This limit is policy-specific; the default
+ password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 minutes.
+
+ Security policies may support credential caching to allow the user to run
+ ssuuddoo again for a period of time without requiring authentication. The
+ _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden in
+ sudoers(4). By running ssuuddoo with the --vv option, a user can update the
+ cached credentials without running a _c_o_m_m_a_n_d.
+
+ When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied.
+
+ Security policies may log successful and failed attempts to use ssuuddoo. If
+ an I/O plugin is configured, the running command's input and output may
+ be logged as well.
+
+ The options are as follows:
+
+ --AA, ----aasskkppaassss
+ Normally, if ssuuddoo requires a password, it will read it from
+ the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is
+ specified, a (possibly graphical) helper program is executed
+ to read the user's password and output the password to the
+ standard output. If the SUDO_ASKPASS environment variable is
+ set, it specifies the path to the helper program. Otherwise,
+ if sudo.conf(4) contains a line specifying the askpass
+ program, that value will be used. For example:
+
+ # Path to askpass helper program
+ Path askpass /usr/X11R6/bin/ssh-askpass
+
+ If no askpass program is available, ssuuddoo will exit with an
+ error.
+
+ --aa _t_y_p_e, ----aauutthh--ttyyppee=_t_y_p_e
+ Use the specified BSD authentication _t_y_p_e when validating the
+ user, if allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system
+ administrator may specify a list of sudo-specific
+ authentication methods by adding an "auth-sudo" entry in
+ _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only available on systems
+ that support BSD authentication.
+
+ --bb, ----bbaacckkggrroouunndd
+ Run the given command in the background. Note that it is not
+ possible to use shell job control to manipulate background
+ processes started by ssuuddoo. Most interactive commands will
+ fail to work properly in background mode.
+
+ --CC _n_u_m, ----cclloossee--ffrroomm=_n_u_m
+ Close all file descriptors greater than or equal to _n_u_m
+ before executing a command. Values less than three are not
+ permitted. By default, ssuuddoo will close all open file
+ descriptors other than standard input, standard output and
+ standard error when executing a command. The security policy
+ may restrict the user's ability to use this option. The
+ _s_u_d_o_e_r_s policy only permits use of the --CC option when the
+ administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option.
+
+ --cc _c_l_a_s_s, ----llooggiinn--ccllaassss=_c_l_a_s_s
+ Run the command with resource limits and scheduling priority
+ of the specified login _c_l_a_s_s. The _c_l_a_s_s argument can be
+ either a class name as defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a
+ single `-' character. If _c_l_a_s_s is --, the default login class
+ of the target user will be used. Otherwise, the command must
+ be run as the superuser (user ID 0), or ssuuddoo must be run from
+ a shell that is already running as the superuser. If the
+ command is being run as a login shell, additional
+ _/_e_t_c_/_l_o_g_i_n_._c_o_n_f settings, such as the umask and environment
+ variables, will be applied, if present. This option is only
+ available on systems with BSD login classes.
+
+ --EE, ----pprreesseerrvvee--eennvv
+ Indicates to the security policy that the user wishes to
+ preserve their existing environment variables. The security
+ policy may return an error if the user does not have
+ permission to preserve the environment.
+
+ ----pprreesseerrvvee--eennvv==lliisstt
+ Indicates to the security policy that the user wishes to add
+ the comma-separated list of environment variables to those
+ preserved from the user's environment. The security policy
+ may return an error if the user does not have permission to
+ preserve the environment.
+
+ --ee, ----eeddiitt Edit one or more files instead of running a command. In lieu
+ of a path name, the string "sudoedit" is used when consulting
+ the security policy. If the user is authorized by the
+ policy, the following steps are taken:
+
+ 1. Temporary copies are made of the files to be edited
+ with the owner set to the invoking user.
+
+ 2. The editor specified by the policy is run to edit the
+ temporary files. The _s_u_d_o_e_r_s policy uses the
+ SUDO_EDITOR, VISUAL and EDITOR environment variables
+ (in that order). If none of SUDO_EDITOR, VISUAL or
+ EDITOR are set, the first program listed in the _e_d_i_t_o_r
+ sudoers(4) option is used.
+
+ 3. If they have been modified, the temporary files are
+ copied back to their original location and the
+ temporary versions are removed.
+
+ To help prevent the editing of unauthorized files, the
+ following restrictions are enforced unless explicitly allowed
+ by the security policy:
+
+ ++oo Symbolic links may not be edited (version 1.8.15 and
+ higher).
+
+ ++oo Symbolic links along the path to be edited are not
+ followed when the parent directory is writable by the
+ invoking user unless that user is root (version 1.8.16
+ and higher).
+
+ ++oo Files located in a directory that is writable by the
+ invoking user may not be edited unless that user is root
+ (version 1.8.16 and higher).
+
+ Users are never allowed to edit device special files.
+
+ If the specified file does not exist, it will be created.
+ Note that unlike most commands run by _s_u_d_o, the editor is run
+ with the invoking user's environment unmodified. If, for
+ some reason, ssuuddoo is unable to update a file with its edited
+ version, the user will receive a warning and the edited copy
+ will remain in a temporary file.
+
+ --gg _g_r_o_u_p, ----ggrroouupp=_g_r_o_u_p
+ Run the command with the primary group set to _g_r_o_u_p instead
+ of the primary group specified by the target user's password
+ database entry. The _g_r_o_u_p may be either a group name or a
+ numeric group ID (GID) prefixed with the `#' character (e.g.,
+ #0 for GID 0). When running a command as a GID, many shells
+ require that the `#' be escaped with a backslash (`\'). If
+ no --uu option is specified, the command will be run as the
+ invoking user. In either case, the primary group will be set
+ to _g_r_o_u_p. The _s_u_d_o_e_r_s policy permits any of the target
+ user's groups to be specified via the --gg option as long as
+ the --PP option is not in use.
+
+ --HH, ----sseett--hhoommee
+ Request that the security policy set the HOME environment
+ variable to the home directory specified by the target user's
+ password database entry. Depending on the policy, this may
+ be the default behavior.
+
+ --hh, ----hheellpp Display a short help message to the standard output and exit.
+
+ --hh _h_o_s_t, ----hhoosstt=_h_o_s_t
+ Run the command on the specified _h_o_s_t if the security policy
+ plugin supports remote commands. Note that the _s_u_d_o_e_r_s
+ plugin does not currently support running remote commands.
+ This may also be used in conjunction with the --ll option to
+ list a user's privileges for the remote host.
+
+ --ii, ----llooggiinn
+ Run the shell specified by the target user's password
+ database entry as a login shell. This means that login-
+ specific resource files such as _._p_r_o_f_i_l_e, _._b_a_s_h___p_r_o_f_i_l_e or
+ _._l_o_g_i_n will be read by the shell. If a command is specified,
+ it is passed to the shell for execution via the shell's --cc
+ option. If no command is specified, an interactive shell is
+ executed. ssuuddoo attempts to change to that user's home
+ directory before running the shell. The command is run with
+ an environment similar to the one a user would receive at log
+ in. Note that most shells behave differently when a command
+ is specified as compared to an interactive session; consult
+ the shell's manual for details. The _C_o_m_m_a_n_d _e_n_v_i_r_o_n_m_e_n_t
+ section in the sudoers(4) manual documents how the --ii option
+ affects the environment in which a command is run when the
+ _s_u_d_o_e_r_s policy is in use.
+
+ --KK, ----rreemmoovvee--ttiimmeessttaammpp
+ Similar to the --kk option, except that it removes the user's
+ cached credentials entirely and may not be used in
+ conjunction with a command or other option. This option does
+ not require a password. Not all security policies support
+ credential caching.
+
+ --kk, ----rreesseett--ttiimmeessttaammpp
+ When used without a command, invalidates the user's cached
+ credentials. In other words, the next time ssuuddoo is run a
+ password will be required. This option does not require a
+ password and was added to allow a user to revoke ssuuddoo
+ permissions from a _._l_o_g_o_u_t file.
+
+ When used in conjunction with a command or an option that may
+ require a password, this option will cause ssuuddoo to ignore the
+ user's cached credentials. As a result, ssuuddoo will prompt for
+ a password (if one is required by the security policy) and
+ will not update the user's cached credentials.
+
+ Not all security policies support credential caching.
+
+ --ll, ----lliisstt If no _c_o_m_m_a_n_d is specified, list the allowed (and forbidden)
+ commands for the invoking user (or the user specified by the
+ --UU option) on the current host. A longer list format is used
+ if this option is specified multiple times and the security
+ policy supports a verbose output format.
+
+ If a _c_o_m_m_a_n_d is specified and is permitted by the security
+ policy, the fully-qualified path to the command is displayed
+ along with any command line arguments. If a _c_o_m_m_a_n_d is
+ specified but not allowed by the policy, ssuuddoo will exit with
+ a status value of 1.
+
+ --nn, ----nnoonn--iinntteerraaccttiivvee
+ Avoid prompting the user for input of any kind. If a
+ password is required for the command to run, ssuuddoo will
+ display an error message and exit.
+
+ --PP, ----pprreesseerrvvee--ggrroouuppss
+ Preserve the invoking user's group vector unaltered. By
+ default, the _s_u_d_o_e_r_s policy will initialize the group vector
+ to the list of groups the target user is a member of. The
+ real and effective group IDs, however, are still set to match
+ the target user.
+
+ --pp _p_r_o_m_p_t, ----pprroommpptt=_p_r_o_m_p_t
+ Use a custom password prompt with optional escape sequences.
+ The following percent (`%') escape sequences are supported by
+ the _s_u_d_o_e_r_s policy:
+
+ %H expanded to the host name including the domain name (on
+ if the machine's host name is fully qualified or the _f_q_d_n
+ option is set in sudoers(4))
+
+ %h expanded to the local host name without the domain name
+
+ %p expanded to the name of the user whose password is being
+ requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w
+ flags in sudoers(4))
+
+ %U expanded to the login name of the user the command will
+ be run as (defaults to root unless the --uu option is also
+ specified)
+
+ %u expanded to the invoking user's login name
+
+ %% two consecutive `%' characters are collapsed into a
+ single `%' character
+
+ The custom prompt will override the default prompt specified
+ by either the security policy or the SUDO_PROMPT environment
+ variable. On systems that use PAM, the custom prompt will
+ also override the prompt specified by a PAM module unless the
+ _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s.
+
+ --rr _r_o_l_e, ----rroollee=_r_o_l_e
+ Run the command with an SELinux security context that
+ includes the specified _r_o_l_e.
+
+ --SS, ----ssttddiinn
+ Write the prompt to the standard error and read the password
+ from the standard input instead of using the terminal device.
+
+ --ss, ----sshheellll
+ Run the shell specified by the SHELL environment variable if
+ it is set or the shell specified by the invoking user's
+ password database entry. If a command is specified, it is
+ passed to the shell for execution via the shell's --cc option.
+ If no command is specified, an interactive shell is executed.
+ Note that most shells behave differently when a command is
+ specified as compared to an interactive session; consult the
+ shell's manual for details.
+
+ --tt _t_y_p_e, ----ttyyppee=_t_y_p_e
+ Run the command with an SELinux security context that
+ includes the specified _t_y_p_e. If no _t_y_p_e is specified, the
+ default type is derived from the role.
+
+ --UU _u_s_e_r, ----ootthheerr--uusseerr=_u_s_e_r
+ Used in conjunction with the --ll option to list the privileges
+ for _u_s_e_r instead of for the invoking user. The security
+ policy may restrict listing other users' privileges. The
+ _s_u_d_o_e_r_s policy only allows root or a user with the ALL
+ privilege on the current host to use this option.
+
+ --TT _t_i_m_e_o_u_t, ----ccoommmmaanndd--ttiimmeeoouutt=_t_i_m_e_o_u_t
+ Used to set a timeout for the command. If the timeout
+ expires before the command has exited, the command will be
+ terminated. The security policy may restrict the ability to
+ set command timeouts. The _s_u_d_o_e_r_s policy requires that user-
+ specified timeouts be explicitly enabled.
+
+ --uu _u_s_e_r, ----uusseerr=_u_s_e_r
+ Run the command as a user other than the default target user
+ (usually _r_o_o_t). The _u_s_e_r may be either a user name or a
+ numeric user ID (UID) prefixed with the `#' character (e.g.,
+ #0 for UID 0). When running commands as a UID, many shells
+ require that the `#' be escaped with a backslash (`\'). Some
+ security policies may restrict UIDs to those listed in the
+ password database. The _s_u_d_o_e_r_s policy allows UIDs that are
+ not in the password database as long as the _t_a_r_g_e_t_p_w option
+ is not set. Other security policies may not support this.
+
+ --VV, ----vveerrssiioonn
+ Print the ssuuddoo version string as well as the version string
+ of the security policy plugin and any I/O plugins. If the
+ invoking user is already root the --VV option will display the
+ arguments passed to configure when ssuuddoo was built and plugins
+ may display more verbose information such as default options.
+
+ --vv, ----vvaalliiddaattee
+ Update the user's cached credentials, authenticating the user
+ if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo
+ timeout for another 5 minutes by default, but does not run a
+ command. Not all security policies support cached
+ credentials.
+
+ ---- The ---- option indicates that ssuuddoo should stop processing
+ command line arguments.
+
+ Environment variables to be set for the command may also be passed on the
+ command line in the form of _V_A_R=_v_a_l_u_e, e.g.,
+ LD_LIBRARY_PATH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line
+ are subject to restrictions imposed by the security policy plugin. The
+ _s_u_d_o_e_r_s policy subjects variables passed on the command line to the same
+ restrictions as normal environment variables with one important
+ exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the command to be run
+ has the SETENV tag set or the command matched is ALL, the user may set
+ variables that would otherwise be forbidden. See sudoers(4) for more
+ information.
+
+CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
+ When ssuuddoo executes a command, the security policy specifies the execution
+ environment for the command. Typically, the real and effective user and
+ group and IDs are set to match those of the target user, as specified in
+ the password database, and the group vector is initialized based on the
+ group database (unless the --PP option was specified).
+
+ The following parameters may be specified by security policy:
+
+ ++oo real and effective user ID
+
+ ++oo real and effective group ID
+
+ ++oo supplementary group IDs
+
+ ++oo the environment list
+
+ ++oo current working directory
+
+ ++oo file creation mode mask (umask)
+
+ ++oo SELinux role and type
+
+ ++oo Solaris project
+
+ ++oo Solaris privileges
+
+ ++oo BSD login class
+
+ ++oo scheduling priority (aka nice value)
+
+ PPrroocceessss mmooddeell
+ There are two distinct ways ssuuddoo can run a command.
+
+ If an I/O logging plugin is configured or if the security policy
+ explicitly requests it, a new pseudo-terminal ("pty") is allocated and
+ fork(2) is used to create a second ssuuddoo process, referred to as the
+ _m_o_n_i_t_o_r. The _m_o_n_i_t_o_r creates a new terminal session with itself as the
+ leader and the pty as its controlling terminal, calls fork(2), sets up
+ the execution environment as described above, and then uses the execve(2)
+ system call to run the command in the child process. The _m_o_n_i_t_o_r exists
+ to relay job control signals between the user's existing terminal and the
+ pty the command is being run in. This makes it possible to suspend and
+ resume the command. Without the monitor, the command would be in what
+ POSIX terms an "orphaned process group" and it would not receive any job
+ control signals from the kernel. When the command exits or is terminated
+ by a signal, the _m_o_n_i_t_o_r passes the command's exit status to the main
+ ssuuddoo process and exits. After receiving the command's exit status, the
+ main ssuuddoo passes the command's exit status to the security policy's close
+ function and exits.
+
+ If no pty is used, ssuuddoo calls fork(2), sets up the execution environment
+ as described above, and uses the execve(2) system call to run the command
+ in the child process. The main ssuuddoo process waits until the command has
+ completed, then passes the command's exit status to the security policy's
+ close function and exits. As a special case, if the policy plugin does
+ not define a close function, ssuuddoo will execute the command directly
+ instead of calling fork(2) first. The _s_u_d_o_e_r_s policy plugin will only
+ define a close function when I/O logging is enabled, a pty is required,
+ or the _p_a_m___s_e_s_s_i_o_n or _p_a_m___s_e_t_c_r_e_d options are enabled. Note that
+ _p_a_m___s_e_s_s_i_o_n and _p_a_m___s_e_t_c_r_e_d are enabled by default on systems using PAM.
+
+ SSiiggnnaall hhaannddlliinngg
+ When the command is run as a child of the ssuuddoo process, ssuuddoo will relay
+ signals it receives to the command. The SIGINT and SIGQUIT signals are
+ only relayed when the command is being run in a new pty or when the
+ signal was sent by a user process, not the kernel. This prevents the
+ command from receiving SIGINT twice each time the user enters control-C.
+ Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will
+ not be relayed to the command. As a general rule, SIGTSTP should be used
+ instead of SIGSTOP when you wish to suspend a command being run by ssuuddoo.
+
+ As a special case, ssuuddoo will not relay signals that were sent by the
+ command it is running. This prevents the command from accidentally
+ killing itself. On some systems, the reboot(1m) command sends SIGTERM to
+ all non-system processes other than itself before rebooting the system.
+ This prevents ssuuddoo from relaying the SIGTERM signal it received back to
+ reboot(1m), which might then exit before the system was actually rebooted,
+ leaving it in a half-dead state similar to single user mode. Note,
+ however, that this check only applies to the command run by ssuuddoo and not
+ any other processes that the command may create. As a result, running a
+ script that calls reboot(1m) or shutdown(1m) via ssuuddoo may cause the system
+ to end up in this undefined state unless the reboot(1m) or shutdown(1m) are
+ run using the eexxeecc() family of functions instead of ssyysstteemm() (which
+ interposes a shell between the command and the calling process).
+
+ If no I/O logging plugins are loaded and the policy plugin has not
+ defined a cclloossee() function, set a command timeout or required that the
+ command be run in a new pty, ssuuddoo may execute the command directly
+ instead of running it as a child process.
+
+ PPlluuggiinnss
+ Plugins may be specified via Plugin directives in the sudo.conf(4) file.
+ They may be loaded as dynamic shared objects (on systems that support
+ them), or compiled directly into the ssuuddoo binary. If no sudo.conf(4)
+ file is present, or it contains no Plugin lines, ssuuddoo will use the
+ traditional _s_u_d_o_e_r_s security policy and I/O logging. See the
+ sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f file and the
+ sudo_plugin(4) manual for more information about the ssuuddoo plugin
+ architecture.
+
+EEXXIITT VVAALLUUEE
+ Upon successful execution of a command, the exit status from ssuuddoo will be
+ the exit status of the program that was executed. If the command
+ terminated due to receipt of a signal, ssuuddoo will send itself the same
+ signal that terminated the command.
+
+ If the --ll option was specified without a command, ssuuddoo will exit with a
+ value of 0 if the user is allowed to run ssuuddoo and they authenticated
+ successfully (as required by the security policy). If a command is
+ specified with the --ll option, the exit value will only be 0 if the
+ command is permitted by the security policy, otherwise it will be 1.
+
+ If there is an authentication failure, a configuration/permission problem
+ or if the given command cannot be executed, ssuuddoo exits with a value of 1.
+ In the latter case, the error string is printed to the standard error.
+ If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an error
+ is printed to the standard error. (If the directory does not exist or if
+ it is not really a directory, the entry is ignored and no error is
+ printed.) This should not happen under normal circumstances. The most
+ common reason for stat(2) to return "permission denied" is if you are
+ running an automounter and one of the directories in your PATH is on a
+ machine that is currently unreachable.
+
+SSEECCUURRIITTYY NNOOTTEESS
+ ssuuddoo tries to be safe when executing external commands.
+
+ To prevent command spoofing, ssuuddoo checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's PATH
+ (if one or both are in the PATH). Note, however, that the actual PATH
+ environment variable is _n_o_t modified and is passed unchanged to the
+ program that ssuuddoo executes.
+
+ Users should _n_e_v_e_r be granted ssuuddoo privileges to execute files that are
+ writable by the user or that reside in a directory that is writable by
+ the user. If the user can modify or replace the command there is no way
+ to limit what additional commands they can run.
+
+ Please note that ssuuddoo will normally only log the command it explicitly
+ runs. If a user runs a command such as sudo su or sudo sh, subsequent
+ commands run from that shell are not subject to ssuuddoo's security policy.
+ The same is true for commands that offer shell escapes (including most
+ editors). If I/O logging is enabled, subsequent commands will have their
+ input and/or output logged, but there will not be traditional logs for
+ those commands. Because of this, care must be taken when giving users
+ access to commands via ssuuddoo to verify that the command does not
+ inadvertently give the user an effective root shell. For more
+ information, please see the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section in
+ sudoers(4).
+
+ To prevent the disclosure of potentially sensitive information, ssuuddoo
+ disables core dumps by default while it is executing (they are re-enabled
+ for the command that is run). This historical practice dates from a time
+ when most operating systems allowed setuid processes to dump core by
+ default. To aid in debugging ssuuddoo crashes, you may wish to re-enable
+ core dumps by setting "disable_coredump" to false in the sudo.conf(4)
+ file as follows:
+
+ Set disable_coredump false
+
+ See the sudo.conf(4) manual for more information.
+
+EENNVVIIRROONNMMEENNTT
+ ssuuddoo utilizes the following environment variables. The security policy
+ has control over the actual content of the command's environment.
+
+ EDITOR Default editor to use in --ee (sudoedit) mode if neither
+ SUDO_EDITOR nor VISUAL is set.
+
+ MAIL Set to the mail spool of the target user when the --ii
+ option is specified or when _e_n_v___r_e_s_e_t is enabled in
+ _s_u_d_o_e_r_s (unless MAIL is present in the _e_n_v___k_e_e_p list).
+
+ HOME Set to the home directory of the target user when the --ii
+ or --HH options are specified, when the --ss option is
+ specified and _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s, when
+ _a_l_w_a_y_s___s_e_t___h_o_m_e is enabled in _s_u_d_o_e_r_s, or when _e_n_v___r_e_s_e_t
+ is enabled in _s_u_d_o_e_r_s and _H_O_M_E is not present in the
+ _e_n_v___k_e_e_p list.
+
+ LOGNAME Set to the login name of the target user when the --ii
+ option is specified, when the _s_e_t___l_o_g_n_a_m_e option is
+ enabled in _s_u_d_o_e_r_s or when the _e_n_v___r_e_s_e_t option is
+ enabled in _s_u_d_o_e_r_s (unless LOGNAME is present in the
+ _e_n_v___k_e_e_p list).
+
+ PATH May be overridden by the security policy.
+
+ SHELL Used to determine shell to run with --ss option.
+
+ SUDO_ASKPASS Specifies the path to a helper program used to read the
+ password if no terminal is available or if the --AA option
+ is specified.
+
+ SUDO_COMMAND Set to the command run by sudo.
+
+ SUDO_EDITOR Default editor to use in --ee (sudoedit) mode.
+
+ SUDO_GID Set to the group ID of the user who invoked sudo.
+
+ SUDO_PROMPT Used as the default password prompt unless the --pp option
+ was specified.
+
+ SUDO_PS1 If set, PS1 will be set to its value for the program
+ being run.
+
+ SUDO_UID Set to the user ID of the user who invoked sudo.
+
+ SUDO_USER Set to the login name of the user who invoked sudo.
+
+ USER Set to the same value as LOGNAME, described above.
+
+ VISUAL Default editor to use in --ee (sudoedit) mode if
+ SUDO_EDITOR is not set.
+
+FFIILLEESS
+ _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration
+
+EEXXAAMMPPLLEESS
+ Note: the following examples assume a properly configured security
+ policy.
+
+ To get a file listing of an unreadable directory:
+
+ $ sudo ls /usr/local/protected
+
+ To list the home directory of user yaz on a machine where the file system
+ holding ~yaz is not exported as root:
+
+ $ sudo -u yaz ls ~yaz
+
+ To edit the _i_n_d_e_x_._h_t_m_l file as user www:
+
+ $ sudoedit -u www ~www/htdocs/index.html
+
+ To view system logs only accessible to root and users in the adm group:
+
+ $ sudo -g adm more /var/log/syslog
+
+ To run an editor as jim with a different primary group:
+
+ $ sudoedit -u jim -g audio ~jim/sound.txt
+
+ To shut down a machine:
+
+ $ sudo shutdown -r +15 "quick reboot"
+
+ To make a usage listing of the directories in the /home partition. Note
+ that this runs the commands in a sub-shell to make the cd and file
+ redirection work.
+
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+
+DDIIAAGGNNOOSSTTIICCSS
+ Error messages produced by ssuuddoo include:
+
+ editing files in a writable directory is not permitted
+ By default, ssuuddooeeddiitt does not permit editing a file when any of the
+ parent directories are writable by the invoking user. This avoids
+ a race condition that could allow the user to overwrite an
+ arbitrary file. See the _s_u_d_o_e_d_i_t___c_h_e_c_k_d_i_r option in sudoers(4) for
+ more information.
+
+ editing symbolic links is not permitted
+ By default, ssuuddooeeddiitt does not follow symbolic links when opening
+ files. See the _s_u_d_o_e_d_i_t___f_o_l_l_o_w option in sudoers(4) for more
+ information.
+
+ effective uid is not 0, is sudo installed setuid root?
+ ssuuddoo was not run with root privileges. The ssuuddoo binary must be
+ owned by the root user and have the Set-user-ID bit set. Also, it
+ must not be located on a file system mounted with the `nosuid'
+ option or on an NFS file system that maps uid 0 to an unprivileged
+ uid.
+
+ effective uid is not 0, is sudo on a file system with the 'nosuid' option
+ set or an NFS file system without root privileges?
+ ssuuddoo was not run with root privileges. The ssuuddoo binary has the
+ proper owner and permissions but it still did not run with root
+ privileges. The most common reason for this is that the file
+ system the ssuuddoo binary is located on is mounted with the `nosuid'
+ option or it is an NFS file system that maps uid 0 to an
+ unprivileged uid.
+
+ fatal error, unable to load plugins
+ An error occurred while loading or initializing the plugins
+ specified in sudo.conf(4).
+
+ invalid environment variable name
+ One or more environment variable names specified via the --EE option
+ contained an equal sign (`='). The arguments to the --EE option
+ should be environment variable names without an associated value.
+
+ no password was provided
+ When ssuuddoo tried to read the password, it did not receive any
+ characters. This may happen if no terminal is available (or the --SS
+ option is specified) and the standard input has been redirected
+ from _/_d_e_v_/_n_u_l_l.
+
+ no tty present and no askpass program specified
+ ssuuddoo needs to read the password but there is no mechanism available
+ to do so. A terminal is not present to read the password from,
+ ssuuddoo has not been configured to read from the standard input, and
+ no askpass program has been specified either via the --AA option or
+ the SUDO_ASKPASS environment variable.
+
+ no writable temporary directory found
+ ssuuddooeeddiitt was unable to find a usable temporary directory in which
+ to store its intermediate files.
+
+ sudo must be owned by uid 0 and have the setuid bit set
+ ssuuddoo was not run with root privileges. The ssuuddoo binary does not
+ have the correct owner or permissions. It must be owned by the
+ root user and have the Set-user-ID bit set.
+
+ sudoedit is not supported on this platform
+ It is only possible to run ssuuddooeeddiitt on systems that support setting
+ the effective user-ID.
+
+ timed out reading password
+ The user did not enter a password before the password timeout (5
+ minutes by default) expired.
+
+ you do not exist in the passwd database
+ Your user ID does not appear in the system passwd database.
+
+ you may not specify environment variables in edit mode
+ It is only possible to specify environment variables when running a
+ command. When editing a file, the editor is run with the user's
+ environment unmodified.
+
+SSEEEE AALLSSOO
+ su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudo_plugin(4),
+ sudoers(4), sudoreplay(1m), visudo(1m)
+
+HHIISSTTOORRYY
+ See the HISTORY file in the ssuuddoo distribution
+ (https://www.sudo.ws/history.html) for a brief history of sudo.
+
+AAUUTTHHOORRSS
+ Many people have worked on ssuuddoo over the years; this version consists of
+ code written primarily by:
+
+ Todd C. Miller
+
+ See the CONTRIBUTORS file in the ssuuddoo distribution
+ (https://www.sudo.ws/contributors.html) for an exhaustive list of people
+ who have contributed to ssuuddoo.
+
+CCAAVVEEAATTSS
+ There is no easy way to prevent a user from gaining a root shell if that
+ user is allowed to run arbitrary commands via ssuuddoo. Also, many programs
+ (such as editors) allow the user to run commands via shell escapes, thus
+ avoiding ssuuddoo's checks. However, on most systems it is possible to
+ prevent shell escapes with the sudoers(4) plugin's _n_o_e_x_e_c functionality.
+
+ It is not meaningful to run the cd command directly via sudo, e.g.,
+
+ $ sudo cd /usr/local/protected
+
+ since when the command exits the parent process (your shell) will still
+ be the same. Please see the _E_X_A_M_P_L_E_S section for more information.
+
+ Running shell scripts via ssuuddoo can expose the same kernel bugs that make
+ setuid shell scripts unsafe on some operating systems (if your OS has a
+ /dev/fd/ directory, setuid shell scripts are generally safe).
+
+BBUUGGSS
+ If you feel you have found a bug in ssuuddoo, please submit a bug report at
+ https://bugzilla.sudo.ws/
+
+SSUUPPPPOORRTT
+ Limited free support is available via the sudo-users mailing list, see
+ https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+
+DDIISSCCLLAAIIMMEERR
+ ssuuddoo is provided "AS IS" and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with ssuuddoo or https://www.sudo.ws/license.html for
+ complete details.
+
+Sudo 1.8.26 November 25, 2018 Sudo 1.8.26
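
Review bot: the %H entry under the -p option reads "including the domain name (on if the machine's host name is fully qualified", which should say "only if", and the first paragraph of COMMAND EXECUTION has "real and effective user and group and IDs", which should be "user and group IDs". The doubled characters in headings and option names (NNAAMMEE, ssuuddoo) are nroff overstrike, so this file looks like formatted output rather than hand-written text: make both corrections in the manual source it was generated from and regenerate doc/sudo.cat, otherwise the next regeneration will bring the typos back. A smaller point of the same kind: "the --ee option (described below), is implied" in DESCRIPTION has a stray comma before "is".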