diff options
Diffstat (limited to 'usr.bin/sudo/sudo.8')
| -rw-r--r-- | usr.bin/sudo/sudo.8 | 506 |
1 files changed, 506 insertions, 0 deletions
diff --git a/usr.bin/sudo/sudo.8 b/usr.bin/sudo/sudo.8 new file mode 100644 index 00000000000..ad88f7d6646 --- /dev/null +++ b/usr.bin/sudo/sudo.8 @@ -0,0 +1,506 @@ +.rn '' }` +''' $RCSfile: sudo.8,v $$Revision: 1.1 $$Date: 1999/11/18 16:29:01 $ +''' +''' $Log: sudo.8,v $ +''' Revision 1.1 1999/11/18 16:29:01 millert +''' Initial revision +''' +''' Revision 1.39 1999/11/16 05:42:28 millert +''' get rid of references to sudo-bugs. Now mention the web site or the sudo@ alias +''' +''' +.de Sh +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp +.if t .sp .5v +.if n .sp +.. +.de Ip +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb +.ft CW +.nf +.ne \\$1 +.. +.de Ve +.ft R + +.fi +.. +''' +''' +''' Set up \*(-- to give an unbreakable dash; +''' string Tr holds user defined translation string. +''' Bell System Logo is used as a dummy character. +''' +.tr \(*W-|\(bv\*(Tr +.ie n \{\ +.ds -- \(*W- +.ds PI pi +.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +.ds L" "" +.ds R" "" +''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of +''' \*(L" and \*(R", except that they are used on ".xx" lines, +''' such as .IP and .SH, which do another additional levels of +''' double-quote interpretation +.ds M" """ +.ds S" """ +.ds N" """"" +.ds T" """"" +.ds L' ' +.ds R' ' +.ds M' ' +.ds S' ' +.ds N' ' +.ds T' ' +'br\} +.el\{\ +.ds -- \(em\| +.tr \*(Tr +.ds L" `` +.ds R" '' +.ds M" `` +.ds S" '' +.ds N" `` +.ds T" '' +.ds L' ` +.ds R' ' +.ds M' ` +.ds S' ' +.ds N' ` +.ds T' ' +.ds PI \(*p +'br\} +.\" If the F register is turned on, we'll generate +.\" index entries out stderr for the following things: +.\" TH Title +.\" SH Header +.\" Sh Subsection +.\" Ip Item +.\" X<> Xref (embedded +.\" Of course, you have to process the output yourself +.\" in some meaninful fashion. +.if \nF \{ +.de IX +.tm Index:\\$1\t\\n%\t"\\$2" +.. +.nr % 0 +.rr F +.\} +.TH sudo 8 "1.6" "15/Nov/1999" "MAINTENANCE COMMANDS" +.UC +.if n .hy 0 +.if n .na +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.de CQ \" put $1 in typewriter font +.ft CW +'if n "\c +'if t \\&\\$1\c +'if n \\&\\$1\c +'if n \&" +\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7 +'.ft R +.. +.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2 +. \" AM - accent mark definitions +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds ? ? +. ds ! ! +. ds / +. ds q +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10' +. ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +. ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#] +.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u' +.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u' +.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#] +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +.ds oe o\h'-(\w'o'u*4/10)'e +.ds Oe O\h'-(\w'O'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds v \h'-1'\o'\(aa\(ga' +. ds _ \h'-1'^ +. ds . \h'-1'. +. ds 3 3 +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +. ds oe oe +. ds Oe OE +.\} +.rm #[ #] #H #V #F C +.SH "NAME" +sudo \- execute a command as another user +.SH "SYNOPSIS" +\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR | \fB\-H\fR | +[ \fB\-b\fR ] | [ \fB\-p\fR prompt ] [ \fB\-u\fR username/#uid] \fIcommand\fR +.SH "DESCRIPTION" +\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the +superuser or another user, as specified in the sudoers file. The +real and effective uid and gid are set to match those of the target +user as specified in the passwd file (the group vector is also +initialized when the target user is not root). +.PP +\fBsudo\fR determines who is an authorized user by consulting the +file \fI/etc/sudoers\fR. By giving \fBsudo\fR the \f(CW-v\fR flag a user +can update the time stamp without running a \fIcommand.\fR +The password prompt itself will also time out if the user's password is +not entered with N minutes (again, this is defined at configure +time and defaults to 5 minutes). +.PP +If a user that is not listed in the \fIsudoers\fR file tries to run +a command via \fBsudo\fR, mail is sent to the proper authorities, +as defined at configure time (defaults to root). Note that the +mail will not be sent if an unauthorized user tries to run sudo +with the \f(CW-l\fR or \f(CW-v\fR flags. This allows users to determine +for themselves whether or not they are allowed to use \fBsudo\fR. +.PP +\fBsudo\fR can log both successful an unsuccessful attempts (as well +as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR +will log via \fIsyslog\fR\|(3) but this is changeable at configure time. +.SH "OPTIONS" +\fBsudo\fR accepts the following command line options: +.Ip "-V" 4 +The \f(CW-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the +version number and exit. +.Ip "-l" 4 +The \f(CW-l\fR (\fIlist\fR) option will list out the allowed (and +forbidden) commands for the user on the current host. +.Ip "-L" 4 +The \f(CW-L\fR (\fIlist\fR defaults) option will list out the parameters +that may be set in a \fIDefaults\fR line along with a short description +for each. This option is useful in conjunction with \fIgrep\fR\|(1). +.Ip "-h" 4 +The \f(CW-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. +.Ip "-v" 4 +If given the \f(CW-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the +user's timestamp, prompting for the user's password if necessary. +This extends the \fBsudo\fR timeout to for another N minutes +(where N is defined at installation time and defaults to 5 +minutes) but does not run a command. +.Ip "-k" 4 +The \f(CW-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp +by setting the time on it to the epoch. The next time \fBsudo\fR is +run a password will be required. This option does not require a password +and was added to allow a user to revoke \fBsudo\fR permissions from a .logout +file. +.Ip "-K" 4 +The \f(CW-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp +entirely. This option does not require a password. +.Ip "-b" 4 +The \f(CW-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given +command in the background. Note that if you use the \f(CW-b\fR +option you cannot use shell job control to manipulate the command. +.Ip "-p" 4 +The \f(CW-p\fR (\fIprompt\fR) option allows you to override the default +password prompt and use a custom one. If the password prompt +contains the \f(CW%u\fR escape, \f(CW%u\fR will be replaced with the user's +login name. Similarly, \f(CW%h\fR will be replaced with the local +hostname. +.Ip "-u" 4 +The \f(CW-u\fR (\fIuser\fR) option causes sudo to run the specified command +as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a +\fIusername\fR, use \*(L"#uid\*(R". +.Ip "-s" 4 +The \f(CW-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR +environment variable if it is set or the shell as specified +in \fIpasswd\fR\|(5). +.Ip "-H" 4 +The \f(CW-H\fR (\fI\s-1HOME\s0\fR) option sets the \fI\s-1HOME\s0\fR environment variable +to the homedir of the target user (root by default) as specified +in \fIpasswd\fR\|(5). By default, \fBsudo\fR does not modify \fI\s-1HOME\s0\fR. +.Ip "--" 4 +The \f(CW--\fR flag indicates that \fBsudo\fR should stop processing command +line arguments. It is most useful in conjunction with the \f(CW-s\fR flag. +.SH "RETURN VALUES" +\fBsudo\fR quits with an exit value of 1 if there is a +configuration/permission problem or if \fBsudo\fR cannot execute the +given command. In the latter case the error string is printed to +stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's +\f(CWPATH\fR an error is printed on stderr. (If the directory does not +exist or if it is not really a directory, the entry is ignored and +no error is printed.) This should not happen under normal +circumstances. The most common reason for \fIstat\fR\|(2) to return +\*(L"permission denied\*(R" is if you are running an automounter and one +of the directories in your \f(CWPATH\fR is on a machine that is currently +unreachable. +.SH "SECURITY NOTES" +\fBsudo\fR tries to be safe when executing external commands. Variables +that control how dynamic loading and binding is done can be used +to subvert the program that \fBsudo\fR runs. To combat this the +\f(CWLD_*\fR, \f(CW_RLD_*\fR, \f(CWSHLIB_PATH\fR (HP\-UX only), and \f(CWLIBPATH\fR (AIX +only) environment variables are removed from the environment passed +on to all commands executed. \fBsudo\fR will also remove the \f(CWIFS\fR, +\f(CWENV\fR, \f(CWBASH_ENV\fR, \f(CWKRB_CONF\fR, \f(CWKRB5_CONFIG\fR, \f(CWLOCALDOMAIN\fR, +\f(CWRES_OPTIONS\fR and \f(CWHOSTALIASES\fR variables as they too can pose a +threat. +.PP +To prevent command spoofing, \fBsudo\fR checks "." and "" (both denoting +current directory) last when searching for a command in the user's +PATH (if one or both are in the PATH). Note, however, that the +actual \f(CWPATH\fR environment variable is \fInot\fR modified and is passed +unchanged to the program that \fBsudo\fR executes. +.PP +For security reasons, if your OS supports shared libraries and does +not disable user-defined library search paths for setuid programs +(most do), you should either use a linker option that disables this +behavior or link \fBsudo\fR statically. +.PP +\fBsudo\fR will check the ownership of its timestamp directory +(\fI/var/run/sudo\fR or \fI/tmp/.odus\fR by default) and ignore the +directory's contents if it is not owned by root and only writable +by root. On systems that allow non-root users to give away files +via \fIchown\fR\|(2), if the timestamp directory is located in a directory +writable by anyone (ie: \fI/tmp\fR), it is possible for a user to +create the timestamp directory before \fBsudo\fR is run. However, +because \fBsudo\fR checks the ownership and mode of the directory and +its contents, the only damage that can be done is to \*(L"hide\*(R" files +by putting them in the timestamp dir. This is unlikely to happen +since once the timestamp dir is owned by root and inaccessible by +any other user the user placing files there would be unable to get +them back out. To get around this issue you can use a directory +that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for +instance) or create /tmp/.odus with the appropriate owner (root) +and permissions (0700) in the system startup files. +.PP +\fBsudo\fR will not honor timestamps set far in the future. +Timestamps with a date greater than current_time + 2 * \f(CWTIMEOUT\fR +will be ignored and sudo will log and complain. This is done to +keep a user from creating his/her own timestamp with a bogus +date on system that allow users to give away files. +.SH "EXAMPLES" +Note: the following examples assume suitable \fIsudoers\fR\|(5) entries. +.PP +To get a file listing of an unreadable directory: +.PP +.Vb 1 +\& % sudo ls /usr/local/protected +.Ve +To list the home directory of user yazza on a machine where the +filesystem holding ~yazza is not exported as root: +.PP +.Vb 1 +\& % sudo -u yazza ls ~yazza +.Ve +To edit the \fIindex.html\fR file as user www: +.PP +.Vb 1 +\& % sudo -u www vi ~www/htdocs/index.html +.Ve +To shutdown a machine: +.PP +.Vb 1 +\& % sudo shutdown -r +15 "quick reboot" +.Ve +To make a usage listing of the directories in the /home +partition. Note that this runs the commands in a sub-shell +to make the \f(CWcd\fR and file redirection work. +.PP +.Vb 1 +\& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +.Ve +.SH "ENVIRONMENT" +\fBsudo\fR utilizes the following environment variables: +.PP +.Vb 13 +\& PATH Set to a sane value if SECURE_PATH is set +\& SHELL Used to determine shell to run with -s option +\& USER Set to the target user (root unless the -u option +\& is specified) +\& HOME In -s or -H mode (or if sudo was configured with +\& the --enable-shell-sets-home option), set to +\& homedir of the target user. +\& SUDO_PROMPT Used as the default password prompt +\& SUDO_COMMAND Set to the command run by sudo +\& SUDO_USER Set to the login of the user who invoked sudo +\& SUDO_UID Set to the uid of the user who invoked sudo +\& SUDO_GID Set to the gid of the user who invoked sudo +\& SUDO_PS1 If set, PS1 will be set to its value +.Ve +.SH "FILES" +.PP +.Vb 2 +\& /etc/sudoers List of who can run what +\& /var/run/sudo Directory containing timestamps +.Ve +\fBsudo\fR utilizes the following environment variables: +.PP +.Vb 13 +\& PATH Set to a sane value if SECURE_PATH is set +\& SHELL Used to determine shell to run with -s option +\& USER Set to the target user (root unless the -u option +\& is specified) +\& HOME In -s or -H mode (or if sudo was configured with +\& the --enable-shell-sets-home option), set to +\& homedir of the target user. +\& SUDO_PROMPT Used as the default password prompt +\& SUDO_COMMAND Set to the command run by sudo +\& SUDO_USER Set to the login of the user who invoked sudo +\& SUDO_UID Set to the uid of the user who invoked sudo +\& SUDO_GID Set to the gid of the user who invoked sudo +\& SUDO_PS1 If set, PS1 will be set to its value +.Ve +.SH "FILES" +.PP +.Vb 3 +\& /etc/sudoers List of who can run what +\& /var/run/sudo Directory containing timestamps +\& /tmp/.odus Same as above if no /var/run exists +.Ve +.SH "AUTHORS" +Many people have worked on \fBsudo\fR over the years, this +version consists of code written primarily by: +.PP +.Vb 2 +\& Todd Miller +\& Chris Jepeway +.Ve +See the HISTORY file in the \fBsudo\fR distribution for a short history +of \fBsudo\fR. +.SH "BUGS" +If you feel you have found a bug in sudo, please submit a bug report +at http://www.courtesan.com/sudo/bugs/. +.SH "DISCLAIMER" +\fBSudo\fR is provided ``AS IS'\*(R' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. +See the LICENSE file distributed with \fBsudo\fR for complete details. +.SH "CAVEATS" +There is no easy way to prevent a user from gaining a root shell if +that user has access to commands allowing shell escapes. +.PP +If users have sudo \f(CWALL\fR there is nothing to prevent them from creating +their own program that gives them a root shell regardless of any \*(L'!\*(R' +elements in the user specification. +.PP +Running shell scripts via \fBsudo\fR can expose the same kernel bugs +that make setuid shell scripts unsafe on some operating systems +(if your OS supports the /dev/fd/ directory, setuid shell scripts +are generally safe). +.SH "SEE ALSO" +\fIsudoers\fR\|(5), \fIvisudo\fR\|(8), \fIsu\fR\|(1). + +.rn }` '' +.IX Title "sudo 8" +.IX Name "sudo - execute a command as another user" + +.IX Header "NAME" + +.IX Header "SYNOPSIS" + +.IX Header "DESCRIPTION" + +.IX Header "OPTIONS" + +.IX Item "-V" + +.IX Item "-l" + +.IX Item "-L" + +.IX Item "-h" + +.IX Item "-v" + +.IX Item "-k" + +.IX Item "-K" + +.IX Item "-b" + +.IX Item "-p" + +.IX Item "-u" + +.IX Item "-s" + +.IX Item "-H" + +.IX Item "--" + +.IX Header "RETURN VALUES" + +.IX Header "SECURITY NOTES" + +.IX Header "EXAMPLES" + +.IX Header "ENVIRONMENT" + +.IX Header "FILES" + +.IX Header "FILES" + +.IX Header "AUTHORS" + +.IX Header "BUGS" + +.IX Header "DISCLAIMER" + +.IX Header "CAVEATS" + +.IX Header "SEE ALSO" + |