Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
.nr SL 0 .nr BA 0 .nr LC 0 .nr PT 5
Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
Standard preamble:
========================================================================
..
.... Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` . ds C' 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.
If the F register is turned on, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.
. de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} . de IX .. .\}
Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================
Title "SUDO 8"
way too many mistakes in technical documents.
\fBsudo -v [-AknS] [-g group name|#gid] [-p prompt] [-u username|#uid]
\fBsudo -l[l] [-AknS] [-g group name|#gid] [-p prompt] [-U user name] [-u user name|#uid] [command]
\fBsudo [-AbEHnPS] [-C fd] [-g group name|#gid] [-p prompt] [-u user name|#uid] [\s-1VAR\s0=value] [-i | -s] [command]
\fBsudoedit [-AnS] [-C fd] [-g group name|#gid] [-p prompt] [-u user name|#uid] file ...
When invoked as sudoedit, the -e option (described below), is implied.
\fBsudo determines who is an authorized user by consulting the file \fI/etc/sudoers. By running sudo with the -v option, a user can update the time stamp without running a command. If a password is required, sudo will exit if the user's password is not entered within a configurable time limit. The default password prompt timeout is
If a user who is not listed in the sudoers file tries to run a command via sudo, mail is sent to the proper authorities, as defined at configure time or in the sudoers file (defaults to \f(CW\*(C`root\*(C'). Note that the mail will not be sent if an unauthorized user tries to run sudo with the -l or -v option. This allows users to determine for themselves whether or not they are allowed to use sudo.
If sudo is run by root and the \*(C`SUDO_USER\*(C' environment variable is set, sudo will use this value to determine who the actual user is. This can be used by a user to log commands through sudo even when a root shell has been invoked. It also allows the -e option to remain useful even when being run via a sudo-run script or program. Note however, that the sudoers lookup is still done for root, not the user specified by \*(C`SUDO_USER\*(C'.
\fBsudo can log both successful and unsuccessful attempts (as well as errors) to syslog\|(3), a log file, or both. By default sudo will log via syslog\|(3) but this is changeable at configure time or via the sudoers file.
.Sp If the specified file does not exist, it will be created. Note that unlike most commands run by sudo, the editor is run with the invoking user's environment unmodified. If, for some reason, \fBsudo is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file.
Item "%H" expanded to the local host name including the domain name (on if the machine's host name is fully qualified or the fqdn \fIsudoers option is set) Item "%h" expanded to the local host name without the domain name Item "%p" expanded to the user whose password is being asked for (respects the \fIrootpw, targetpw and runaspw flags in sudoers) Item "%U" expanded to the login name of the user the command will be run as (defaults to root) Item "%u" expanded to the invoking user's login name Item "%%" two consecutive \*(C`%\*(C' characters are collapsed into a single \*(C`%\*(C' character
.Sp The prompt specified by the -p option will override the system password prompt on systems that support \s-1PAM\s0 unless the \fIpassprompt_override flag is disabled in sudoers.
Environment variables to be set for the command may also be passed on the command line in the form of \s-1VAR\s0=value, e.g. \fB\s-1LD_LIBRARY_PATH\s0=/usr/local/pkg/lib. Variables passed on the command line are subject to the same restrictions as normal environment variables with one important exception. If the setenv option is set in sudoers, the command to be run has the \*(C`SETENV\*(C' tag set or the command matched is \*(C`ALL\*(C', the user may set variables that would overwise be forbidden. See sudoers\|(5) for more information.
Otherwise, sudo quits with an exit value of 1 if there is a configuration/permission problem or if sudo cannot execute the given command. In the latter case the error string is printed to stderr. If sudo cannot stat\|(2) one or more entries in the user's \f(CW\*(C`PATH\*(C' an error is printed on stderr. (If the directory does not exist or if it is not really a directory, the entry is ignored and no error is printed.) This should not happen under normal circumstances. The most common reason for stat\|(2) to return \*(L"permission denied\*(R" is if you are running an automounter and one of the directories in your \*(C`PATH\*(C' is on a machine that is currently unreachable.
There are two distinct ways to deal with environment variables. By default, the env_reset sudoers option is enabled. This causes commands to be executed with a minimal environment containing \*(C`TERM\*(C', \*(C`PATH\*(C', \*(C`HOME\*(C', \*(C`SHELL\*(C', \*(C`LOGNAME\*(C', \*(C`USER\*(C' and \*(C`USERNAME\*(C' in addition to variables from the invoking process permitted by the env_check and env_keep sudoers options. There is effectively a whitelist for environment variables.
If, however, the env_reset option is disabled in sudoers, any variables not explicitly denied by the env_check and env_delete options are inherited from the invoking process. In this case, \fIenv_check and env_delete behave like a blacklist. Since it is not possible to blacklist all potentially dangerous environment variables, use of the default env_reset behavior is encouraged.
In all cases, environment variables with a value beginning with \f(CW\*(C`()\*(C' are removed as they could be interpreted as bash functions. The list of environment variables that sudo allows or denies is contained in the output of \*(C`sudo -V\*(C' when run as root. This list reflects the built-in defaults, which may be overridden in sudoers.
On Mac OS X, sudoers has been configured to only whitelist a small set of environment variables by default. See the sudoers file for more information.
Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including sudo. Depending on the operating system this may include \*(C`_RLD*\*(C', \*(C`DYLD_*\*(C', \*(C`LD_*\*(C', \*(C`LDR_*\*(C', \f(CW\*(C`LIBPATH\*(C', \*(C`SHLIB_PATH\*(C', and others. These type of variables are removed from the environment before sudo even begins execution and, as such, it is not possible for sudo to preserve them.
To prevent command spoofing, sudo checks \*(L".\*(R" and "" (both denoting current directory) last when searching for a command in the user's \s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the actual \*(C`PATH\*(C' environment variable is not modified and is passed unchanged to the program that sudo executes.
\fBsudo will check the ownership of its time stamp directory (/var/db/sudo by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. On systems that allow non-root users to give away files via \fIchown\|(2), if the time stamp directory is located in a directory writable by anyone (e.g., /tmp), it is possible for a user to create the time stamp directory before sudo is run. However, because sudo checks the ownership and mode of the directory and its contents, the only damage that can be done is to \*(L"hide\*(R" files by putting them in the time stamp dir. This is unlikely to happen since once the time stamp dir is owned by root and inaccessible by any other user, the user placing files there would be unable to get them back out. To get around this issue you can use a directory that is not world-writable for the time stamps (/var/adm/sudo for instance) or create /var/db/sudo with the appropriate owner (root) and permissions (0700) in the system startup files.
\fBsudo will not honor time stamps set far in the future. Timestamps with a date greater than current_time + 2 * \*(C`TIMEOUT\*(C' will be ignored and sudo will log and complain. This is done to keep a user from creating his/her own time stamp with a bogus date on systems that allow users to give away files.
On systems where the boot time is available, sudo will also not honor time stamps from before the machine booted.
Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to login, run a command with sudo after authenticating, logout, login again, and run sudo without authenticating so long as the time stamp file's modification time is within \*(C`5\*(C' minutes (or whatever the timeout is set to in sudoers). When the tty_tickets option is enabled in sudoers, the time stamp has per-tty granularity but still may outlive the user's session. On Linux systems where the devpts filesystem is used, Solaris systems with the devices filesystem, as well as other systems that utilize a devfs filesystem that monotonically increase the inode number of devices as they are created (such as Mac \s-1OS\s0 X), sudo is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available.
Please note that sudo will normally only log the command it explicitly runs. If a user runs a command such as \*(C`sudo su\*(C' or \f(CW\*(C`sudo sh\*(C', subsequent commands run from that shell will not be logged, nor will sudo's access control affect them. The same is true for commands that offer shell escapes (including most editors). Because of this, care must be taken when giving users access to commands via sudo to verify that the command does not inadvertently give the user an effective root shell. For more information, please see the \*(C`PREVENTING SHELL ESCAPES\*(C' section in \fIsudoers\|(5).
To get a file listing of an unreadable directory:
.Vb 1 $ sudo ls /usr/local/protected .Ve
To list the home directory of user yaz on a machine where the file system holding ~yaz is not exported as root:
.Vb 1 $ sudo -u yaz ls ~yaz .Ve
To edit the index.html file as user www:
.Vb 1 $ sudo -u www vi ~www/htdocs/index.html .Ve
To view system logs only accessible to root and users in the adm group:
.Vb 1 $ sudo -g adm view /var/log/syslog .Ve
To run an editor as jim with a different primary group:
.Vb 1 $ sudo -u jim -g audio vi ~jim/sound.txt .Ve
To shutdown a machine:
.Vb 1 $ sudo shutdown -r +15 "quick reboot" .Ve
To make a usage listing of the directories in the /home partition. Note that this runs the commands in a sub-shell to make the \*(C`cd\*(C' and file redirection work.
.Vb 1 $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" .Ve
.Vb 1 Todd C. Miller .Ve
See the \s-1HISTORY\s0 file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for a short history of sudo.
It is not meaningful to run the \*(C`cd\*(C' command directly via sudo, e.g.,
.Vb 1 $ sudo cd /usr/local/protected .Ve
since when the command exits the parent process (your shell) will still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
If users have sudo \*(C`ALL\*(C' there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' elements in the user specification.
Running shell scripts via sudo can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0 has a /dev/fd/ directory, setuid shell scripts are generally safe).