1SUDO(1m) System Manager's Manual SUDO(1m) 2 3NNAAMMEE 4 ssuuddoo, ssuuddooeeddiitt - execute a command as another user 5 6SSYYNNOOPPSSIISS 7 ssuuddoo --hh | --KK | --kk | --LL | --VV 8 ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] 9 [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] 10 ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] 11 [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d] 12 ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] 13 [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] 14 [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [VVAARR=_v_a_l_u_e] --ii | --ss [_c_o_m_m_a_n_d] 15 ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] 16 [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] file 17 ... 18 19DDEESSCCRRIIPPTTIIOONN 20 ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or 21 another user, as specified by the _s_u_d_o_e_r_s file. See the _C_O_M_M_A_N_D 22 _E_X_E_C_U_T_I_O_N section below for more details. 23 24 ssuuddoo determines who is an authorized user by consulting the file 25 _/_e_t_c_/_s_u_d_o_e_r_s. By running ssuuddoo with the --vv option, a user can update the 26 time stamp without running a _c_o_m_m_a_n_d. If authentication is required, 27 ssuuddoo will exit if the user's password is not entered within a 28 configurable time limit. The default password prompt timeout is 5 29 minutes. 30 31 When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. 32 33 The options are as follows: 34 35 --AA Normally, if ssuuddoo requires a password, it will read it from 36 the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is 37 specified, a (possibly graphical) helper program is executed 38 to read the user's password and output the password to the 39 standard output. If the SUDO_ASKPASS environment variable is 40 set, it specifies the path to the helper program. Otherwise, 41 the value specified by the _a_s_k_p_a_s_s option in sudoers(4) is 42 used. If no askpass program is available, ssuuddoo will exit 43 with an error. 44 45 --aa _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the 46 specified authentication type when validating the user, as 47 allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may 48 specify a list of sudo-specific authentication methods by 49 adding an ``auth-sudo'' entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This 50 option is only available on systems that support BSD 51 authentication. 52 53 --bb The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given 54 command in the background. Note that if you use the --bb 55 option you cannot use shell job control to manipulate the 56 process. Most interactive commands will fail to work 57 properly in background mode. 58 59 --CC _f_d Normally, ssuuddoo will close all open file descriptors other 60 than standard input, standard output and standard error. The 61 --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting 62 point above the standard error (file descriptor three). 63 Values less than three are not permitted. This option is 64 only available when the administrator has enabled the 65 _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in sudoers(4). 66 67 --cc _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified 68 command with resources limited by the specified login class. 69 The _c_l_a_s_s argument can be either a class name as defined in 70 _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single `-' character. Specifying a 71 _c_l_a_s_s of - indicates that the command should be run 72 restricted by the default login capabilities for the user the 73 command is run as. If the _c_l_a_s_s argument specifies an 74 existing user class, the command must be run as root, or the 75 ssuuddoo command must be run from a shell that is already root. 76 This option is only available on systems with BSD login 77 classes. 78 79 --EE The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the 80 _e_n_v___r_e_s_e_t option in sudoers(4). It is only available when 81 either the matching command has the SETENV tag or the _s_e_t_e_n_v 82 option is set in sudoers(4). ssuuddoo will return an error if 83 the --EE option is specified and the user does not have 84 permission to preserve the environment. 85 86 --ee The --ee (_e_d_i_t) option indicates that, instead of running a 87 command, the user wishes to edit one or more files. In lieu 88 of a command, the string "sudoedit" is used when consulting 89 the _s_u_d_o_e_r_s file. If the user is authorized by _s_u_d_o_e_r_s, the 90 following steps are taken: 91 92 1. Temporary copies are made of the files to be edited 93 with the owner set to the invoking user. 94 95 2. The editor specified by the SUDO_EDITOR, VISUAL or 96 EDITOR environment variables (in that order) is run to 97 edit the temporary files. If none of SUDO_EDITOR, 98 VISUAL or EDITOR are set, the first program listed in 99 the _e_d_i_t_o_r sudoers(4) option is used. 100 101 3. If they have been modified, the temporary files are 102 copied back to their original location and the 103 temporary versions are removed. 104 105 If the specified file does not exist, it will be created. 106 Note that unlike most commands run by _s_u_d_o, the editor is run 107 with the invoking user's environment unmodified. If, for 108 some reason, ssuuddoo is unable to update a file with its edited 109 version, the user will receive a warning and the edited copy 110 will remain in a temporary file. 111 112 --gg _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to 113 the one specified by the password database for the user the 114 command is being run as (by default, root). The --gg (_g_r_o_u_p) 115 option causes ssuuddoo to run the command with the primary group 116 set to _g_r_o_u_p instead. To specify a _g_i_d instead of a _g_r_o_u_p 117 _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many shells 118 require that the `#' be escaped with a backslash (`\'). If 119 no --uu option is specified, the command will be run as the 120 invoking user (not root). In either case, the primary group 121 will be set to _g_r_o_u_p. 122 123 --HH The --HH (_H_O_M_E) option option sets the HOME environment 124 variable to the home directory of the target user (root by 125 default) as specified by the password database. The default 126 handling of the HOME environment variable depends on 127 sudoers(4) settings. By default, ssuuddoo will set HOME if 128 _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set, or if _s_e_t___h_o_m_e is set 129 and the --ss option is specified on the command line. 130 131 --hh The --hh (_h_e_l_p) option causes ssuuddoo to print a short help 132 message to the standard output and exit. 133 134 --ii [_c_o_m_m_a_n_d] 135 The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell 136 specified by the password database entry of the target user 137 as a login shell. This means that login-specific resource 138 files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be read by the shell. 139 If a command is specified, it is passed to the shell for 140 execution via the shell's --cc option. If no command is 141 specified, an interactive shell is executed. ssuuddoo attempts 142 to change to that user's home directory before running the 143 shell. It also initializes the environment to a minimal set 144 of variables, similar to what is present when a user logs in. 145 The _C_o_m_m_a_n_d _e_n_v_i_r_o_n_m_e_n_t section below documents in detail how 146 the --ii option affects the environment in which a command is 147 run. 148 149 --KK The --KK (sure _k_i_l_l) option is like --kk except that it removes 150 the user's time stamp file entirely and may not be used in 151 conjunction with a command or other option. This option does 152 not require a password. 153 154 --kk [_c_o_m_m_a_n_d] 155 When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates the 156 user's time stamp file. The next time ssuuddoo is run a password 157 will be required. This option does not require a password 158 and was added to allow a user to revoke ssuuddoo permissions from 159 a _._l_o_g_o_u_t file. 160 161 When used in conjunction with a command or an option that may 162 require a password, the --kk option will cause ssuuddoo to ignore 163 the user's time stamp file. As a result, ssuuddoo will prompt 164 for a password (if one is required by _s_u_d_o_e_r_s) and will not 165 update the user's time stamp file. 166 167 --LL The --LL (_l_i_s_t defaults) option will list the parameters that 168 may be set in a _D_e_f_a_u_l_t_s line along with a short description 169 for each. This option will be removed from a future version 170 of ssuuddoo. 171 172 --ll[ll] [_c_o_m_m_a_n_d] 173 If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list 174 the allowed (and forbidden) commands for the invoking user 175 (or the user specified by the --UU option) on the current host. 176 If a _c_o_m_m_a_n_d is specified and is permitted by _s_u_d_o_e_r_s, the 177 fully-qualified path to the command is displayed along with 178 any command line arguments. If _c_o_m_m_a_n_d is specified but not 179 allowed, ssuuddoo will exit with a status value of 1. If the --ll 180 option is specified with an _l argument (i.e. --llll), or if --ll 181 is specified multiple times, a longer list format is used. 182 183 --nn The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting 184 the user for a password. If a password is required for the 185 command to run, ssuuddoo will display an error message and exit. 186 187 --PP The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve 188 the invoking user's group vector unaltered. By default, ssuuddoo 189 will initialize the group vector to the list of groups the 190 target user is in. The real and effective group IDs, 191 however, are still set to match the target user. 192 193 --pp _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default 194 password prompt and use a custom one. The following percent 195 (`%') escapes are supported: 196 197 %H expanded to the host name including the domain name (on 198 if the machine's host name is fully qualified or the _f_q_d_n 199 option is set in sudoers(4)) 200 201 %h expanded to the local host name without the domain name 202 203 %p expanded to the name of the user whose password is being 204 requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w 205 flags in sudoers(4)) 206 207 %U expanded to the login name of the user the command will 208 be run as (defaults to root unless the --uu option is also 209 specified) 210 211 %u expanded to the invoking user's login name 212 213 %% two consecutive `%' characters are collapsed into a 214 single `%' character 215 216 The prompt specified by the --pp option will override the 217 system password prompt on systems that support PAM unless the 218 _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. 219 220 --rr _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security 221 context to have the role specified by _r_o_l_e. 222 223 --SS The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from 224 the standard input instead of the terminal device. The 225 password must be followed by a newline character. 226 227 --ss [_c_o_m_m_a_n_d] 228 The --ss (_s_h_e_l_l) option runs the shell specified by the SHELL 229 environment variable if it is set or the shell as specified 230 in the password database. If a command is specified, it is 231 passed to the shell for execution via the shell's --cc option. 232 If no command is specified, an interactive shell is executed. 233 234 --tt _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security 235 context to have the type specified by _t_y_p_e. If no type is 236 specified, the default type is derived from the specified 237 role. 238 239 --UU _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll 240 option to specify the user whose privileges should be listed. 241 Only root or a user with the ALL privilege on the current 242 host may use this option. 243 244 --uu _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command 245 as a user other than _r_o_o_t. To specify a _u_i_d instead of a 246 _u_s_e_r _n_a_m_e, _#_u_i_d. When running commands as a _u_i_d, many shells 247 require that the `#' be escaped with a backslash (`\'). Note 248 that if the _t_a_r_g_e_t_p_w Defaults option is set (see sudoers(4)), 249 it is not possible to run commands with a uid not listed in 250 the password database. 251 252 --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version 253 string and exit. If the invoking user is already root the --VV 254 option will display the arguments passed to configure when 255 ssuuddoo was built as well a list of the defaults ssuuddoo was 256 compiled with as well as the machine's local network 257 addresses. 258 259 --vv When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the 260 user's time stamp file, authenticating the user's password if 261 necessary. This extends the ssuuddoo timeout for another 5 262 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but 263 does not run a command. 264 265 ---- The ---- option indicates that ssuuddoo should stop processing 266 command line arguments. 267 268 Environment variables to be set for the command may also be passed on the 269 command line in the form of VVAARR=_v_a_l_u_e, e.g. 270 LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line 271 are subject to the same restrictions as normal environment variables with 272 one important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the 273 command to be run has the SETENV tag set or the command matched is ALL, 274 the user may set variables that would otherwise be forbidden. See 275 sudoers(4) for more information. 276 277 AAuutthheennttiiccaattiioonn aanndd llooggggiinngg 278 ssuuddoo requires that most users authenticate themselves by default. A 279 password is not required if the invoking user is root, if the target user 280 is the same as the invoking user, or if the authentication has been 281 disabled for the user or command in the _s_u_d_o_e_r_s file. Unlike su(1), when 282 ssuuddoo requires authentication, it validates the invoking user's 283 credentials, not the target user's (or root's) credentials. This can be 284 changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w Defaults entries in _s_u_d_o_e_r_s. 285 286 If a user who is not listed in _s_u_d_o_e_r_s tries to run a command via ssuuddoo, 287 mail is sent to the proper authorities. The address used for such mail 288 is configurable via the _m_a_i_l_t_o _s_u_d_o_e_r_s Defaults entry and defaults to 289 root. 290 291 Note that mail will not be sent if an unauthorized user tries to run ssuuddoo 292 with the --ll or --vv option. This allows users to determine for themselves 293 whether or not they are allowed to use ssuuddoo. 294 295 If ssuuddoo is run by root and the SUDO_USER environment variable is set, its 296 value will be used to determine who the actual user is. This can be used 297 by a user to log commands through ssuuddoo even when a root shell has been 298 invoked. It also allows the --ee option to remain useful even when invoked 299 via a sudo-run script or program. Note, however, that the _s_u_d_o_e_r_s lookup 300 is still done for root, not the user specified by SUDO_USER. 301 302 ssuuddoo uses time stamp files for credential caching. Once a user has been 303 authenticated, the time stamp is updated and the user may then use sudo 304 without a password for a short period of time (5 minutes unless 305 overridden by the _t_i_m_e_o_u_t option). By default, ssuuddoo uses a tty-based 306 time stamp which means that there is a separate time stamp for each of a 307 user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to force 308 the use of a single time stamp for all of a user's sessions. 309 310 ssuuddoo can log both successful and unsuccessful attempts (as well as 311 errors) to syslog(3), a log file, or both. By default, ssuuddoo will log via 312 syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults 313 settings. 314 315 ssuuddoo also supports logging a command's input and output streams. I/O 316 logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t and 317 _l_o_g___o_u_t_p_u_t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command 318 tags. 319 320 CCoommmmaanndd eennvviirroonnmmeenntt 321 Since environment variables can influence program behavior, ssuuddoo provides 322 a means to restrict which variables from the user's environment are 323 inherited by the command to be run. There are two distinct ways _s_u_d_o_e_r_s 324 can be configured to handle with environment variables. 325 326 By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be 327 executed with a new, minimal environment. On AIX (and Linux systems 328 without PAM), the environment is initialized with the contents of the 329 _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is 330 enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v 331 settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM, 332 PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in 333 addition to variables from the invoking process permitted by the 334 _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. This is effectively a whitelist for 335 environment variables. 336 337 If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not 338 explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited 339 from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave 340 like a blacklist. Since it is not possible to blacklist all potentially 341 dangerous environment variables, use of the default _e_n_v___r_e_s_e_t behavior is 342 encouraged. 343 344 In all cases, environment variables with a value beginning with () are 345 removed as they could be interpreted as bbaasshh functions. The list of 346 environment variables that ssuuddoo allows or denies is contained in the 347 output of ``sudo -V'' when run as root. 348 349 Note that the dynamic linker on most operating systems will remove 350 variables that can control dynamic linking from the environment of setuid 351 executables, including ssuuddoo. Depending on the operating system this may 352 include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. 353 These type of variables are removed from the environment before ssuuddoo even 354 begins execution and, as such, it is not possible for ssuuddoo to preserve 355 them. 356 357 As a special case, if ssuuddoo's --ii option (initial login) is specified, ssuuddoo 358 will initialize the environment regardless of the value of _e_n_v___r_e_s_e_t. 359 The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL, 360 USER, and LOGNAME are set based on the target user. On AIX (and Linux 361 systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are also included. 362 On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled, the _p_a_t_h and 363 _s_e_t_e_n_v variables in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All other 364 environment variables are removed. 365 366 Finally, if the _e_n_v___f_i_l_e option is defined, any variables present in that 367 file will be set to their specified values as long as they would not 368 conflict with an existing environment variable. 369 370CCOOMMMMAANNDD EEXXEECCUUTTIIOONN 371 When ssuuddoo executes a command, the _s_u_d_o_e_r_s file specifies the execution 372 envionment for the command. Typically, the real and effective uid and 373 gid are set to match those of the target user, as specified in the 374 password database, and the group vector is initialized based on the group 375 database (unless the --PP option was specified). 376 377 The _s_u_d_o_e_r_s file settings affect the following execution parameters: 378 379 oo real and effective user ID 380 381 oo real and effective group ID 382 383 oo supplementary group IDs 384 385 oo the environment list 386 387 oo SELinux role and type 388 389 oo Solaris project 390 391 oo Solaris privileges 392 393 oo BSD login class 394 395 oo file creation mode mask (umask) 396 397 See the _C_o_m_m_a_n_d _e_n_v_i_r_o_n_m_e_n_t section for details on how the environment 398 list is constructed. 399 400 PPrroocceessss mmooddeell 401 If ssuuddoo has been configured with PAM support or if I/O logging is 402 enabled, ssuuddoo must wait until the command has completed before it will 403 exit. In the case of PAM, ssuuddoo must remain running so that it can close 404 the PAM session when the command is finished. If neither PAM nor I/O 405 logging are configured, ssuuddoo will execute the command without calling 406 fork(2). In either case, ssuuddoo sets up the execution environment as 407 described above, and calls the execve system call (potentially in a child 408 process). If I/O logging is enabled, a new pseudo-terminal (``pty'') is 409 created and a second ssuuddoo process is used to relay job control signals 410 between the user's existing pty and the new pty the command is being run 411 in. This extra process makes it possible to, for example, suspend and 412 resume the command. Without it, the command would be in what POSIX terms 413 an ``orphaned process group'' and it would not receive any job control 414 signals. 415 416 SSiiggnnaall hhaannddlliinngg 417 If the command is run as a child of the ssuuddoo process (due to PAM or I/O 418 logging), ssuuddoo will relay signals it receives to the command. Unless the 419 command is being run in a new pty, the SIGHUP, SIGINT and SIGQUIT signals 420 are not relayed unless they are sent by a user process, not the kernel. 421 Otherwise, the command would receive SIGINT twice every time the user 422 entered control-C. Some signals, such as SIGSTOP and SIGKILL, cannot be 423 caught and thus will not be relayed to the command. As a general rule, 424 SIGTSTP should be used instead of SIGSTOP when you wish to suspend a 425 command being run by ssuuddoo. 426 427 As a special case, ssuuddoo will not relay signals that were sent by the 428 command it is running. This prevents the command from accidentally 429 killing itself. On some systems, the reboot(1m) command sends SIGTERM to 430 all non-system processes other than itself before rebooting the systyem. 431 This prevents ssuuddoo from relaying the SIGTERM signal it received back to 432 reboot(1m), which might then exit before the system was actually rebooted, 433 leaving it in a half-dead state similar to single user mode. Note, 434 however, that this check only applies to the command run by ssuuddoo and not 435 any other processes that the command may create. As a result, running a 436 script that calls reboot(1m) or shutdown(1m) via ssuuddoo may cause the system 437 to end up in this undefined state unless the reboot(1m) or shutdown(1m) are 438 run using the eexxeecc() family of functions instead of ssyysstteemm() (which 439 interposes a shell between the command and the calling process). 440 441EEXXIITT VVAALLUUEE 442 Upon successful execution of a program, the exit status from _s_u_d_o will 443 simply be the exit status of the program that was executed. 444 445 Otherwise, ssuuddoo exits with a value of 1 if there is a 446 configuration/permission problem or if ssuuddoo cannot execute the given 447 command. In the latter case the error string is printed to the standard 448 error. If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an 449 error is printed on stderr. (If the directory does not exist or if it is 450 not really a directory, the entry is ignored and no error is printed.) 451 This should not happen under normal circumstances. The most common 452 reason for stat(2) to return ``permission denied'' is if you are running 453 an automounter and one of the directories in your PATH is on a machine 454 that is currently unreachable. 455 456LLOOGG FFOORRMMAATT 457 ssuuddoo can log events using either syslog(3) or a simple log file. In each 458 case the log format is almost identical. 459 460 AAcccceepptteedd ccoommmmaanndd lloogg eennttrriieess 461 Commands that sudo runs are logged using the following format (split into 462 multiple lines for readability): 463 464 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \ 465 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \ 466 ENV=env_vars COMMAND=command 467 468 Where the fields are as follows: 469 470 date The date the command was run. Typically, this is in the 471 format ``MMM, DD, HH:MM:SS''. If logging via syslog(3), 472 the actual date format is controlled by the syslog daemon. 473 If logging to a file and the _l_o_g___y_e_a_r option is enabled, 474 the date will also include the year. 475 476 hostname The name of the host ssuuddoo was run on. This field is only 477 present when logging via syslog(3). 478 479 progname The name of the program, usually _s_u_d_o or _s_u_d_o_e_d_i_t. This 480 field is only present when logging via syslog(3). 481 482 username The login name of the user who ran ssuuddoo. 483 484 ttyname The short name of the terminal (e.g. ``console'', 485 ``tty01'', or ``pts/0'') ssuuddoo was run on, or ``unknown'' if 486 there was no terminal present. 487 488 cwd The current working directory that ssuuddoo was run in. 489 490 runasuser The user the command was run as. 491 492 runasgroup The group the command was run as if one was specified on 493 the command line. 494 495 logid An I/O log identifier that can be used to replay the 496 command's output. This is only present when the _l_o_g___i_n_p_u_t 497 or _l_o_g___o_u_t_p_u_t option is enabled. 498 499 env_vars A list of environment variables specified on the command 500 line, if specified. 501 502 command The actual command that was executed. 503 504 Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which 505 defaults to the ``C'' locale. 506 507 DDeenniieedd ccoommmmaanndd lloogg eennttrriieess 508 If the user is not allowed to run the command, the reason for the denial 509 will follow the user name. Possible reasons include: 510 511 user NOT in sudoers 512 The user is not listed in the _s_u_d_o_e_r_s file. 513 514 user NOT authorized on host 515 The user is listed in the _s_u_d_o_e_r_s file but is not allowed to run 516 commands on the host. 517 518 command not allowed 519 The user is listed in the _s_u_d_o_e_r_s file for the host but they are not 520 allowed to run the specified command. 521 522 3 incorrect password attempts 523 The user failed to enter their password after 3 tries. The actual 524 number of tries will vary based on the number of failed attempts and 525 the value of the _p_a_s_s_w_d___t_r_i_e_s _s_u_d_o_e_r_s option. 526 527 a password is required 528 The --nn option was specified but a password was required. 529 530 sorry, you are not allowed to set the following environment variables 531 The user specified environment variables on the command line that were 532 not allowed by _s_u_d_o_e_r_s. 533 534 EErrrroorr lloogg eennttrriieess 535 If an error occurs, ssuuddoo will log a message and, in most cases, send a 536 message to the administrator via email. Possible errors include: 537 538 parse error in /etc/sudoers near line N 539 ssuuddoo encountered an error when parsing the specified file. In some 540 cases, the actual error may be one line above or below the line number 541 listed, depending on the type of error. 542 543 problem with defaults entries 544 The _s_u_d_o_e_r_s file contains one or more unknown Defaults settings. This 545 does not prevent ssuuddoo from running, but the _s_u_d_o_e_r_s file should be 546 checked using vviissuuddoo. 547 548 timestamp owner (username): No such user 549 The time stamp directory owner, as specified by the _t_i_m_e_s_t_a_m_p_o_w_n_e_r 550 setting, could not be found in the password database. 551 552 unable to open/read /etc/sudoers 553 The _s_u_d_o_e_r_s file could not be opened for reading. This can happen 554 when the _s_u_d_o_e_r_s file is located on a remote file system that maps 555 user ID 0 to a different value. Normally, ssuuddoo tries to open _s_u_d_o_e_r_s 556 using group permissions to avoid this problem. 557 558 unable to stat /etc/sudoers 559 The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. 560 561 /etc/sudoers is not a regular file 562 The _/_e_t_c_/_s_u_d_o_e_r_s file exists but is not a regular file or symbolic 563 link. 564 565 /etc/sudoers is owned by uid N, should be 0 566 The _s_u_d_o_e_r_s file has the wrong owner. 567 568 /etc/sudoers is world writable 569 The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. 570 The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is 571 0440 (readable by owner and group, writable by none). 572 573 /etc/sudoers is owned by gid N, should be 1 574 The _s_u_d_o_e_r_s file has the wrong group ownership. 575 576 unable to open /var/adm/sudo/username/ttyname 577 _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. 578 579 unable to write to /var/adm/sudo/username/ttyname 580 _s_u_d_o_e_r_s was unable to write to the user's time stamp file. 581 582 unable to mkdir to /var/adm/sudo/username 583 _s_u_d_o_e_r_s was unable to create the user's time stamp directory. 584 585 NNootteess oonn llooggggiinngg vviiaa ssyysslloogg 586 By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and 587 _p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As 588 such, they may vary in format on different systems. 589 590 On most systems, syslog(3) has a relatively small log buffer. To prevent 591 the command line arguments from being truncated, ssuuddoo will split up log 592 messages that are larger than 960 characters (not including the date, 593 hostname, and the string ``sudo''). When a message is split, additional 594 parts will include the string ``(command continued)'' after the user name 595 and before the continued command line arguments. 596 597 NNootteess oonn llooggggiinngg ttoo aa ffiillee 598 If the _l_o_g_f_i_l_e option is set, _s_u_d_o_e_r_s will log to a local file, such as 599 _/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, _s_u_d_o_e_r_s uses a format similar to 600 syslog(3), with a few important differences: 601 602 1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present. 603 604 2. If the _l_o_g___y_e_a_r _s_u_d_o_e_r_s option is enabled, the date will also 605 include the year. 606 607 3. Lines that are longer than _l_o_g_l_i_n_e_l_e_n characters (80 by default) are 608 word-wrapped and continued on the next line with a four character 609 indent. This makes entries easier to read for a human being, but 610 makes it more difficult to use grep(1) on the log files. If the 611 _l_o_g_l_i_n_e_l_e_n _s_u_d_o_e_r_s option is set to 0 (or negated with a `!'), word 612 wrap will be disabled. 613 614SSEECCUURRIITTYY NNOOTTEESS 615 ssuuddoo tries to be safe when executing external commands. 616 617 To prevent command spoofing, ssuuddoo checks "." and "" (both denoting 618 current directory) last when searching for a command in the user's PATH 619 (if one or both are in the PATH). Note, however, that the actual PATH 620 environment variable is _n_o_t modified and is passed unchanged to the 621 program that ssuuddoo executes. 622 623 ssuuddoo will check the ownership of its time stamp directory (_/_v_a_r_/_a_d_m_/_s_u_d_o 624 by default) and ignore the directory's contents if it is not owned by 625 root or if it is writable by a user other than root. On systems that 626 allow non-root users to give away files via chown(2), if the time stamp 627 directory is located in a world-writable directory (e.g., _/_t_m_p), it is 628 possible for a user to create the time stamp directory before ssuuddoo is 629 run. However, because ssuuddoo checks the ownership and mode of the 630 directory and its contents, the only damage that can be done is to 631 ``hide'' files by putting them in the time stamp dir. This is unlikely 632 to happen since once the time stamp dir is owned by root and inaccessible 633 by any other user, the user placing files there would be unable to get 634 them back out. 635 636 ssuuddoo will not honor time stamps set far in the future. Time stamps with 637 a date greater than current_time + 2 * TIMEOUT will be ignored and sudo 638 will log and complain. This is done to keep a user from creating his/her 639 own time stamp with a bogus date on systems that allow users to give away 640 files if the time stamp directory is located in a world-writable 641 directory. 642 643 On systems where the boot time is available, ssuuddoo will ignore time stamps 644 that date from before the machine booted. 645 646 Since time stamp files live in the file system, they can outlive a user's 647 login session. As a result, a user may be able to login, run a command 648 with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without 649 authenticating so long as the time stamp file's modification time is 650 within 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s). When 651 the _t_t_y___t_i_c_k_e_t_s _s_u_d_o_e_r_s option is enabled, the time stamp has per-tty 652 granularity but still may outlive the user's session. On Linux systems 653 where the devpts filesystem is used, Solaris systems with the devices 654 filesystem, as well as other systems that utilize a devfs filesystem that 655 monotonically increase the inode number of devices as they are created 656 (such as Mac OS X), ssuuddoo is able to determine when a tty-based time stamp 657 file is stale and will ignore it. Administrators should not rely on this 658 feature as it is not universally available. 659 660 Please note that ssuuddoo will normally only log the command it explicitly 661 runs. If a user runs a command such as sudo su or sudo sh, subsequent 662 commands run from that shell are not subject to ssuuddoo's security policy. 663 The same is true for commands that offer shell escapes (including most 664 editors). If I/O logging is enabled, subsequent commands will have their 665 input and/or output logged, but there will not be traditional logs for 666 those commands. Because of this, care must be taken when giving users 667 access to commands via ssuuddoo to verify that the command does not 668 inadvertently give the user an effective root shell. For more 669 information, please see the _P_R_E_V_E_N_T_I_N_G _S_H_E_L_L _E_S_C_A_P_E_S section in 670 sudoers(4). 671 672 To prevent the disclosure of potentially sensitive information, ssuuddoo 673 disables core dumps by default while it is executing (they are re-enabled 674 for the command that is run). 675 676 For information on the security implications of _s_u_d_o_e_r_s entries, please 677 see the _S_E_C_U_R_I_T_Y _N_O_T_E_S section in sudoers(4). 678 679EENNVVIIRROONNMMEENNTT 680 ssuuddoo utilizes the following environment variables: 681 682 EDITOR Default editor to use in --ee (sudoedit) mode if neither 683 SUDO_EDITOR nor VISUAL is set. 684 685 MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set 686 to the mail spool of the target user. 687 688 HOME Set to the home directory of the target user if --ii or --HH 689 are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set in 690 _s_u_d_o_e_r_s, or when the --ss option is specified and _s_e_t___h_o_m_e 691 is set in _s_u_d_o_e_r_s. 692 693 PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h option is set in 694 the _s_u_d_o_e_r_s file. 695 696 SHELL Used to determine shell to run with --ss option. 697 698 SUDO_ASKPASS Specifies the path to a helper program used to read the 699 password if no terminal is available or if the --AA option 700 is specified. 701 702 SUDO_COMMAND Set to the command run by sudo. 703 704 SUDO_EDITOR Default editor to use in --ee (sudoedit) mode. 705 706 SUDO_GID Set to the group ID of the user who invoked sudo. 707 708 SUDO_PROMPT Used as the default password prompt. 709 710 SUDO_PS1 If set, PS1 will be set to its value for the program 711 being run. 712 713 SUDO_UID Set to the user ID of the user who invoked sudo. 714 715 SUDO_USER Set to the login name of the user who invoked sudo. 716 717 USER Set to the target user (root unless the --uu option is 718 specified). 719 720 VISUAL Default editor to use in --ee (sudoedit) mode if 721 SUDO_EDITOR is not set. 722 723FFIILLEESS 724 _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what 725 726 _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps 727 728 _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and 729 Linux systems 730 731EEXXAAMMPPLLEESS 732 Note: the following examples assume suitable sudoers(4) entries. 733 734 To get a file listing of an unreadable directory: 735 736 $ sudo ls /usr/local/protected 737 738 To list the home directory of user yaz on a machine where the file system 739 holding ~yaz is not exported as root: 740 741 $ sudo -u yaz ls ~yaz 742 743 To edit the _i_n_d_e_x_._h_t_m_l file as user www: 744 745 $ sudo -u www vi ~www/htdocs/index.html 746 747 To view system logs only accessible to root and users in the adm group: 748 749 $ sudo -g adm view /var/log/syslog 750 751 To run an editor as jim with a different primary group: 752 753 $ sudo -u jim -g audio vi ~jim/sound.txt 754 755 To shut down a machine: 756 757 $ sudo shutdown -r +15 "quick reboot" 758 759 To make a usage listing of the directories in the /home partition. Note 760 that this runs the commands in a sub-shell to make the cd and file 761 redirection work. 762 763 $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" 764 765SSEEEE AALLSSOO 766 grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4), 767 sudoreplay(1m), visudo(1m) 768 769HHIISSTTOORRYY 770 See the HISTORY file in the ssuuddoo distribution 771 (http://www.sudo.ws/sudo/history.html) for a brief history of sudo. 772 773AAUUTTHHOORRSS 774 Many people have worked on ssuuddoo over the years; this version consists of 775 code written primarily by: 776 777 Todd C. Miller 778 779 See the CONTRIBUTORS file in the ssuuddoo distribution 780 (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of 781 people who have contributed to ssuuddoo. 782 783CCAAVVEEAATTSS 784 There is no easy way to prevent a user from gaining a root shell if that 785 user is allowed to run arbitrary commands via ssuuddoo. Also, many programs 786 (such as editors) allow the user to run commands via shell escapes, thus 787 avoiding ssuuddoo's checks. However, on most systems it is possible to 788 prevent shell escapes with ssuuddoo '' ss _n_o_e_x_e_c functionality. See the 789 sudoers(4) manual for details. 790 791 It is not meaningful to run the cd command directly via sudo, e.g., 792 793 $ sudo cd /usr/local/protected 794 795 since when the command exits the parent process (your shell) will still 796 be the same. Please see the _E_X_A_M_P_L_E_S section for more information. 797 798 Running shell scripts via ssuuddoo can expose the same kernel bugs that make 799 setuid shell scripts unsafe on some operating systems (if your OS has a 800 /dev/fd/ directory, setuid shell scripts are generally safe). 801 802BBUUGGSS 803 If you feel you have found a bug in ssuuddoo, please submit a bug report at 804 http://www.sudo.ws/sudo/bugs/ 805 806SSUUPPPPOORRTT 807 Limited free support is available via the sudo-users mailing list, see 808 http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the 809 archives. 810 811DDIISSCCLLAAIIMMEERR 812 ssuuddoo is provided ``AS IS'' and any express or implied warranties, 813 including, but not limited to, the implied warranties of merchantability 814 and fitness for a particular purpose are disclaimed. See the LICENSE 815 file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for 816 complete details. 817 818Sudo 1.7.10 July 10, 2012 Sudo 1.7.10 819