SUDO(8)                   BSD System Manager's Manual                  SUDO(8)

NAME
     sudo, sudoedit — execute a command as another user

SYNOPSIS
     sudo -h | -K | -k | -V
     sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
     sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
          [command]
     sudo [-ABbEHnPS] [-C num] [-D directory] [-g group] [-h host] [-p prompt]
          [-R directory] [-r role] [-t type] [-T timeout] [-u user]
          [VAR=value] [-i | -s] [command]
     sudoedit [-ABkNnS] [-C num] [-D directory] [-g group] [-h host]
          [-p prompt] [-R directory] [-r role] [-t type] [-T timeout]
          [-u user] file ...

DESCRIPTION
     sudo allows a permitted user to execute a command as the superuser or an‐
     other user, as specified by the security policy.  The invoking user's
     real (not effective) user-ID is used to determine the user name with
     which to query the security policy.

     sudo supports a plugin architecture for security policies, auditing, and
     input/output logging.  Third parties can develop and distribute their own
     plugins to work seamlessly with the sudo front-end.  The default security
     policy is sudoers, which is configured via the file /etc/sudoers, or via
     LDAP.  See the Plugins section for more information.

     The security policy determines what privileges, if any, a user has to run
     sudo.  The policy may require that users authenticate themselves with a
     password or another authentication mechanism.  If authentication is re‐
     quired, sudo will exit if the user's password is not entered within a
     configurable time limit.  This limit is policy-specific; the default
     password prompt timeout for the sudoers security policy is 5 minutes.

     Security policies may support credential caching to allow the user to run
     sudo again for a period of time without requiring authentication.  By de‐
     fault, the sudoers policy caches credentials on a per-terminal basis for
     5 minutes.  See the timestamp_type and timestamp_timeout options in
     sudoers(5) for more information.  By running sudo with the -v option, a
     user can update the cached credentials without running a command.

     On systems where sudo is the primary method of gaining superuser privi‐
     leges, it is imperative to avoid syntax errors in the security policy
     configuration files.  For the default security policy, sudoers(5),
     changes to the configuration files should be made using the visudo(8)
     utility, which will ensure that no syntax errors are introduced.

     When invoked as sudoedit, the -e option (described below) is implied.

     Security policies and audit plugins may log successful and failed at‐
     tempts to run sudo.  If an I/O plugin is configured, the running com‐
     mand's input and output may be logged as well.

     The options are as follows:

     -A, --askpass
                 Normally, if sudo requires a password, it will read it from
                 the user's terminal.  If the -A (askpass) option is speci‐
                 fied, a (possibly graphical) helper program is executed to
                 read the user's password and output the password to the stan‐
                 dard output.  If the SUDO_ASKPASS environment variable is
                 set, it specifies the path to the helper program.  Otherwise,
                 if sudo.conf(5) contains a line specifying the askpass pro‐
                 gram, that value will be used.  For example:

                     # Path to askpass helper program
                     Path askpass /usr/X11R6/bin/ssh-askpass

                 If no askpass program is available, sudo will exit with an
                 error.

     -B, --bell  Ring the bell as part of the password prompt when a terminal
                 is present.  This option has no effect if an askpass program
                 is used.

     -b, --background
                 Run the given command in the background.  It is not possible
                 to use shell job control to manipulate background processes
                 started by sudo.  Most interactive commands will fail to work
                 properly in background mode.

     -C num, --close-from=num
                 Close all file descriptors greater than or equal to num be‐
                 fore executing a command.  Values less than three are not
                 permitted.  By default, sudo will close all open file de‐
                 scriptors other than standard input, standard output, and
                 standard error when executing a command.  The security policy
                 may restrict the user's ability to use this option.  The
                 sudoers policy only permits use of the -C option when the ad‐
                 ministrator has enabled the closefrom_override option.

     -D directory, --chdir=directory
                 Run the command in the specified directory instead of the
                 current working directory.  The security policy may return an
                 error if the user does not have permission to specify the
                 working directory.

     -E, --preserve-env
                 Indicates to the security policy that the user wishes to pre‐
                 serve their existing environment variables.  The security
                 policy may return an error if the user does not have permis‐
                 sion to preserve the environment.

     --preserve-env=list
                 Indicates to the security policy that the user wishes to add
                 the comma-separated list of environment variables to those
                 preserved from the user's environment.  The security policy
                 may return an error if the user does not have permission to
                 preserve the environment.  This option may be specified mul‐
                 tiple times.

     -e, --edit  Edit one or more files instead of running a command.  In lieu
                 of a path name, the string "sudoedit" is used when consulting
                 the security policy.  If the user is authorized by the pol‐
                 icy, the following steps are taken:

                 1.   Temporary copies are made of the files to be edited with
                      the owner set to the invoking user.

                 2.   The editor specified by the policy is run to edit the
                      temporary files.  The sudoers policy uses the
                      SUDO_EDITOR, VISUAL and EDITOR environment variables (in
                      that order).  If none of SUDO_EDITOR, VISUAL or EDITOR
                      are set, the first program listed in the editor
                      sudoers(5) option is used.

                 3.   If they have been modified, the temporary files are
                      copied back to their original location and the temporary
                      versions are removed.

                 To help prevent the editing of unauthorized files, the fol‐
                 lowing restrictions are enforced unless explicitly allowed by
                 the security policy:

                 •  Symbolic links may not be edited (version 1.8.15 and
                    higher).

                 •  Symbolic links along the path to be edited are not fol‐
                    lowed when the parent directory is writable by the invok‐
                    ing user unless that user is root (version 1.8.16 and
                    higher).

                 •  Files located in a directory that is writable by the in‐
                    voking user may not be edited unless that user is root
                    (version 1.8.16 and higher).

                 •  Users are never allowed to edit device special files.

                 If the specified file does not exist, it will be created.
                 Unlike most commands run by sudo, the editor is run with the
                 invoking user's environment unmodified.  If the temporary
                 file becomes empty after editing, the user will be prompted
                 before it is installed.  If, for some reason, sudo is unable
                 to update a file with its edited version, the user will re‐
                 ceive a warning and the edited copy will remain in a tempo‐
                 rary file.
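     The four sudoedit restrictions above, applied to one path as an added
     example written for this page (it is not sudo's own source).  It judges
     directory writability from ownership and mode bits with a single group,
     uses a constructed invoking uid/gid of 4242 so the verdicts do not depend
     on who runs it, and builds its own fixture under /tmp; the enum names,
     sudoedit_check() and sudoedit_demo() are this example's, not sudo's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PATHBUF = 4096 };

enum sudoedit_verdict {
    EDIT_OK,               /* passes every restriction listed above */
    EDIT_SYMLINK,          /* the file itself is a symbolic link */
    EDIT_SYMLINK_IN_PATH,  /* a symlink component inside a user-writable directory */
    EDIT_WRITABLE_DIR,     /* the file's directory is writable by the invoking user */
    EDIT_DEVICE,           /* device special files are never editable */
    EDIT_ERROR             /* bad argument or unexpected stat(2) failure */
};

/* Writability judged from ownership and mode bits only (one gid, for brevity). */
static int writable_by(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid) return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid) return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* Directory part of an absolute path ("/" for a top-level name). */
static void parent_dir(const char *path, char *out)
{
    size_t n = (size_t)(strrchr(path, '/') - path);
    if (n == 0) n = 1;
    memcpy(out, path, n);
    out[n] = '\0';
}

/* Apply the restrictions above to an absolute path on behalf of uid/gid. */
enum sudoedit_verdict sudoedit_check(const char *path, uid_t uid, gid_t gid)
{
    struct stat st, dir;
    char buf[PATHBUF], parent[PATHBUF];

    if (path[0] != '/' || strlen(path) >= sizeof buf) return EDIT_ERROR;
    strcpy(buf, path);
    /* Symlinks along the path are not followed when their parent directory
     * is writable by the invoking user; root is exempt. */
    for (char *s = strchr(buf + 1, '/'); s != NULL; s = strchr(s + 1, '/')) {
        *s = '\0';
        int is_link = lstat(buf, &st) == 0 && S_ISLNK(st.st_mode);
        if (is_link && uid != 0) {
            parent_dir(buf, parent);
            if (stat(parent, &dir) == 0 && writable_by(&dir, uid, gid))
                return EDIT_SYMLINK_IN_PATH;
        }
        *s = '/';
    }
    if (lstat(path, &st) == 0) {
        if (S_ISLNK(st.st_mode)) return EDIT_SYMLINK;
        if (S_ISCHR(st.st_mode) || S_ISBLK(st.st_mode)) return EDIT_DEVICE;
    } else if (errno != ENOENT) {
        return EDIT_ERROR;   /* a missing file is simply created later */
    }
    /* Files in a directory writable by a non-root invoking user may not be edited. */
    parent_dir(path, parent);
    if (stat(parent, &dir) != 0) return EDIT_ERROR;
    if (uid != 0 && writable_by(&dir, uid, gid)) return EDIT_WRITABLE_DIR;
    return EDIT_OK;
}

/* Constructed fixture under /tmp, checked for an invoking uid/gid of 4242
 * (a value chosen so the verdicts do not depend on who runs this):
 *   locked/ (0700) notes            -> EDIT_OK
 *   locked/link -> notes            -> EDIT_SYMLINK
 *   shared/ (01777) notes           -> EDIT_WRITABLE_DIR
 *   shared/dirlink -> locked, then shared/dirlink/notes -> EDIT_SYMLINK_IN_PATH
 *   locked/new (absent)             -> EDIT_OK, the file would be created */
enum sudoedit_verdict sudoedit_demo_result[5];

int sudoedit_demo(void)
{
    char base[] = "/tmp/sudoedit-demo-XXXXXX";
    char locked[PATHBUF], shared[PATHBUF], dirlink[PATHBUF], p[5][PATHBUF];
    FILE *f;
    if (mkdtemp(base) == NULL) return -1;
    snprintf(locked, PATHBUF, "%s/locked", base);
    snprintf(shared, PATHBUF, "%s/shared", base);
    snprintf(dirlink, PATHBUF, "%s/dirlink", shared);
    snprintf(p[0], PATHBUF, "%s/notes", locked);
    snprintf(p[1], PATHBUF, "%s/link", locked);
    snprintf(p[2], PATHBUF, "%s/notes", shared);
    snprintf(p[3], PATHBUF, "%s/notes", dirlink);
    snprintf(p[4], PATHBUF, "%s/new", locked);
    if (mkdir(locked, 0700) || mkdir(shared, 0700) || chmod(shared, 01777)) return -1;
    if ((f = fopen(p[0], "w")) == NULL) return -1; fclose(f);
    if ((f = fopen(p[2], "w")) == NULL) return -1; fclose(f);
    if (symlink("notes", p[1]) || symlink(locked, dirlink)) return -1;
    for (int i = 0; i < 5; i++) sudoedit_demo_result[i] = sudoedit_check(p[i], 4242, 4242);
    unlink(p[0]); unlink(p[1]); unlink(p[2]); unlink(dirlink);
    rmdir(locked); rmdir(shared); rmdir(base);
    return 0;
}
```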

     -g group, --group=group
                 Run the command with the primary group set to group instead
                 of the primary group specified by the target user's password
                 database entry.  The group may be either a group name or a
                 numeric group-ID (GID) prefixed with the ‘#’ character (e.g.,
                 ‘#0’ for GID 0).  When running a command as a GID, many
                 shells require that the ‘#’ be escaped with a backslash
                 (‘\’).  If no -u option is specified, the command will be run
                 as the invoking user.  In either case, the primary group will
                 be set to group.  The sudoers policy permits any of the tar‐
                 get user's groups to be specified via the -g option as long
                 as the -P option is not in use.

     -H, --set-home
                 Request that the security policy set the HOME environment
                 variable to the home directory specified by the target user's
                 password database entry.  Depending on the policy, this may
                 be the default behavior.

     -h, --help  Display a short help message to the standard output and exit.

     -h host, --host=host
                 Run the command on the specified host if the security policy
                 plugin supports remote commands.  The sudoers plugin does not
                 currently support running remote commands.  This may also be
                 used in conjunction with the -l option to list a user's priv‐
                 ileges for the remote host.

     -i, --login
                 Run the shell specified by the target user's password data‐
                 base entry as a login shell.  This means that login-specific
                 resource files such as .profile, .bash_profile, or .login
                 will be read by the shell.  If a command is specified, it is
                 passed to the shell as a simple command using the -c option.
                 The command and any arguments are concatenated, separated by
                 spaces, after escaping each character (including white space)
                 with a backslash (‘\’) except for alphanumerics, underscores,
                 hyphens, and dollar signs.  If no command is specified, an
                 interactive shell is executed.  sudo attempts to change to
                 that user's home directory before running the shell.  The
                 command is run with an environment similar to the one a user
                 would receive at log in.  Most shells behave differently when
                 a command is specified as compared to an interactive session;
                 consult the shell's manual for details.  The Command
                 environment section in the sudoers(5) manual documents how
                 the -i option affects the environment in which a command is
                 run when the sudoers policy is in use.

     -K, --remove-timestamp
                 Similar to the -k option, except that it removes the user's
                 cached credentials entirely and may not be used in conjunc‐
                 tion with a command or other option.  This option does not
                 require a password.  Not all security policies support cre‐
                 dential caching.

     -k, --reset-timestamp
                 When used without a command, invalidates the user's cached
                 credentials.  In other words, the next time sudo is run a
                 password will be required.  This option does not require a
                 password, and was added to allow a user to revoke sudo per‐
                 missions from a .logout file.

                 When used in conjunction with a command or an option that may
                 require a password, this option will cause sudo to ignore the
                 user's cached credentials.  As a result, sudo will prompt for
                 a password (if one is required by the security policy) and
                 will not update the user's cached credentials.

                 Not all security policies support credential caching.

     -l, --list  If no command is specified, list the allowed (and forbidden)
                 commands for the invoking user (or the user specified by the
                 -U option) on the current host.  A longer list format is used
                 if this option is specified multiple times and the security
                 policy supports a verbose output format.

                 If a command is specified and is permitted by the security
                 policy, the fully-qualified path to the command is displayed
                 along with any command line arguments.  If a command is spec‐
                 ified but not allowed by the policy, sudo will exit with a
                 status value of 1.

     -N, --no-update
                 Do not update the user's cached credentials, even if the user
                 successfully authenticates.  Unlike the -k flag, existing
                 cached credentials are used if they are valid.  To detect
                 when the user's cached credentials are valid (or when no au‐
                 thentication is required), the following command can be used:
                       sudo -Nnv

                 Not all security policies support credential caching.

     -n, --non-interactive
                 Avoid prompting the user for input of any kind.  If a pass‐
                 word is required for the command to run, sudo will display an
                 error message and exit.

     -P, --preserve-groups
                 Preserve the invoking user's group vector unaltered.  By de‐
                 fault, the sudoers policy will initialize the group vector to
                 the list of groups the target user is a member of.  The real
                 and effective group-IDs, however, are still set to match the
                 target user.

     -p prompt, --prompt=prompt
                 Use a custom password prompt with optional escape sequences.
                 The following percent (‘%’) escape sequences are supported by
                 the sudoers policy:

                 %H  expanded to the host name including the domain name (only
                     if the machine's host name is fully qualified or the fqdn
                     option is set in sudoers(5))

                 %h  expanded to the local host name without the domain name

                 %p  expanded to the name of the user whose password is being
                     requested (respects the rootpw, targetpw, and runaspw
                     flags in sudoers(5))

                 %U  expanded to the login name of the user the command will
                     be run as (defaults to root unless the -u option is also
                     specified)

                 %u  expanded to the invoking user's login name

                 %%  two consecutive ‘%’ characters are collapsed into a sin‐
                     gle ‘%’ character

                 The custom prompt will override the default prompt specified
                 by either the security policy or the SUDO_PROMPT environment
                 variable.  On systems that use PAM, the custom prompt will
                 also override the prompt specified by a PAM module unless the
                 passprompt_override flag is disabled in sudoers.
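     The escape table above as a small expander, added here as an example and
     not taken from sudo's sources.  The host, user names and the fqdn flag
     are constructed values; an escape not in the table is kept literally,
     which is this example's choice.

```c
#include <stdio.h>
#include <string.h>

/* Values the policy would substitute; all constructed for this example. */
struct prompt_ctx {
    const char *host;      /* local host name as the system reports it */
    int fqdn;              /* non-zero if host is fully qualified or sudoers fqdn is set */
    const char *pw_user;   /* whose password is requested (%p) */
    const char *runas;     /* user the command will run as (%U) */
    const char *user;      /* invoking user (%u) */
};

/* Append n bytes of src at logical position pos, writing only what fits.
 * The returned position keeps counting past the buffer so overflow is detectable. */
static size_t put(char *out, size_t outlen, size_t pos, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++, pos++)
        if (pos + 1 < outlen) out[pos] = src[i];
    return pos;
}

/* Expand the %-escapes listed above into out.  Returns the length written,
 * or -1 when the expanded prompt does not fit in outlen bytes. */
int expand_prompt(const char *fmt, const struct prompt_ctx *c, char *out, size_t outlen)
{
    const char *dot = strchr(c->host, '.');
    size_t shortlen = dot ? (size_t)(dot - c->host) : strlen(c->host);
    size_t pos = 0;

    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%' || p[1] == '\0') { pos = put(out, outlen, pos, p, 1); continue; }
        switch (*++p) {
        case 'H': /* domain part only when the name is fully qualified */
            pos = put(out, outlen, pos, c->host, c->fqdn ? strlen(c->host) : shortlen);
            break;
        case 'h': pos = put(out, outlen, pos, c->host, shortlen); break;
        case 'p': pos = put(out, outlen, pos, c->pw_user, strlen(c->pw_user)); break;
        case 'U': pos = put(out, outlen, pos, c->runas, strlen(c->runas)); break;
        case 'u': pos = put(out, outlen, pos, c->user, strlen(c->user)); break;
        case '%': pos = put(out, outlen, pos, "%", 1); break;
        default:  pos = put(out, outlen, pos, p - 1, 2); break;   /* unknown: keep "%x" */
        }
    }
    if (pos >= outlen) return -1;
    out[pos] = '\0';
    return (int)pos;
}

/* Try a prompt against constructed values; fqdn selects the %H behaviour. */
const char *prompt_demo(const char *fmt, int fqdn)
{
    struct prompt_ctx ctx = { "db01.example.com", fqdn, "root", "postgres", "alice" };
    static char buf[256];
    return expand_prompt(fmt, &ctx, buf, sizeof buf) < 0 ? NULL : buf;
}
```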

     -R directory, --chroot=directory
                 Change to the specified root directory (see chroot(8)) before
                 running the command.  The security policy may return an error
                 if the user does not have permission to specify the root di‐
                 rectory.

     -r role, --role=role
                 Run the command with an SELinux security context that in‐
                 cludes the specified role.

     -S, --stdin
                 Write the prompt to the standard error and read the password
                 from the standard input instead of using the terminal device.

     -s, --shell
                 Run the shell specified by the SHELL environment variable if
                 it is set or the shell specified by the invoking user's pass‐
                 word database entry.  If a command is specified, it is passed
                 to the shell as a simple command using the -c option.  The
                 command and any arguments are concatenated, separated by spa‐
                 ces, after escaping each character (including white space)
                 with a backslash (‘\’) except for alphanumerics, underscores,
                 hyphens, and dollar signs.  If no command is specified, an
                 interactive shell is executed.  Most shells behave differ‐
                 ently when a command is specified as compared to an interac‐
                 tive session; consult the shell's manual for details.
```
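     The escaping rule shared by -i and -s, as an added example (written for
     this page, not sudo's code): the words are joined with single spaces and
     every byte outside the exempt set is backslash-escaped, so a space or ‘;’
     inside one argument stays part of that argument, while ‘$’ is passed
     through and is therefore still expanded by the target shell.  The
     function names and sample command lines are this example's own.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Bytes left unescaped in -i/-s mode: alphanumerics, '_', '-' and '$'. */
static int passes_unescaped(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '-' || c == '$';
}

/* Build the single argument handed to "shell -c": the words joined by spaces,
 * with every other byte (white space included) preceded by a backslash.
 * Returns a malloc()ed string the caller frees, or NULL if allocation fails. */
char *sudo_shell_escape(int argc, char *const argv[])
{
    size_t len = 1;                          /* terminating NUL */
    for (int i = 0; i < argc; i++)
        len += 2 * strlen(argv[i]) + 1;      /* worst case: all escaped, plus separator */
    char *out = malloc(len);
    if (out == NULL) return NULL;
    char *p = out;
    for (int i = 0; i < argc; i++) {
        if (i > 0) *p++ = ' ';               /* the only unescaped spaces: word separators */
        for (const char *s = argv[i]; *s != '\0'; s++) {
            if (!passes_unescaped((unsigned char)*s)) *p++ = '\\';
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Compare the escaped form against an expected string and free it. */
int escapes_to(int argc, char *const argv[], const char *expected)
{
    char *got = sudo_shell_escape(argc, argv);
    int same = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return same;
}

/* Constructed command lines so the behaviour can be checked without a shell:
 *   0: a file name containing a space and a dot stays one word
 *   1: '$' is exempt, so $HOME would still be expanded; ';' is not
 *   2: the leading '/' of a path is escaped, which the shell accepts */
int sudo_shell_escape_demo(int which)
{
    char *const a[] = { "cat", "my notes.txt" };
    char *const b[] = { "echo", "$HOME", "a;b" };
    char *const c[] = { "ls", "-l", "/etc" };
    switch (which) {
    case 0:  return escapes_to(2, a, "cat my\\ notes\\.txt");
    case 1:  return escapes_to(3, b, "echo $HOME a\\;b");
    case 2:  return escapes_to(3, c, "ls -l \\/etc");
    default: return 0;
    }
}
```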

     -t type, --type=type
                 Run the command with an SELinux security context that in‐
                 cludes the specified type.  If no type is specified, the de‐
                 fault type is derived from the role.

     -U user, --other-user=user
                 Used in conjunction with the -l option to list the privileges
                 for user instead of for the invoking user.  The security pol‐
                 icy may restrict listing other users' privileges.  When using
                 the sudoers policy, only root or a user with the ability to
                 run any command as either root or the specified user on the
                 current host may use this option.

     -T timeout, --command-timeout=timeout
                 Used to set a timeout for the command.  If the timeout ex‐
                 pires before the command has exited, the command will be ter‐
                 minated.  The security policy may restrict the ability to set
                 command timeouts.  The sudoers policy requires that user-
                 specified timeouts be explicitly enabled.

     -u user, --user=user
                 Run the command as a user other than the default target user
                 (usually root).  The user may be either a user name or a nu‐
                 meric user-ID (UID) prefixed with the ‘#’ character (e.g.,
                 ‘#0’ for UID 0).  When running commands as a UID, many shells
                 require that the ‘#’ be escaped with a backslash (‘\’).  Some
                 security policies may restrict UIDs to those listed in the
                 password database.  The sudoers policy allows UIDs that are
                 not in the password database as long as the targetpw option
                 is not set.  Other security policies may not support this.

     -V, --version
                 Print the sudo version string as well as the version string
                 of any configured plugins.  If the invoking user is already
                 root, the -V option will display the arguments passed to con‐
                 figure when sudo was built; plugins may display additional
                 information such as default options.

     -v, --validate
                 Update the user's cached credentials, authenticating the user
                 if necessary.  For the sudoers plugin, this extends the sudo
                 timeout for another 5 minutes by default, but does not run a
                 command.  Not all security policies support cached creden‐
                 tials.

     --          The -- option indicates that sudo should stop processing com‐
                 mand line arguments.

     Options that take a value may only be specified once unless otherwise in‐
     dicated in the description.  This is to help guard against problems
     caused by poorly written scripts that invoke sudo with user-controlled
     input.

     Environment variables to be set for the command may also be passed on the
     command line in the form of VAR=value, e.g.,
     LD_LIBRARY_PATH=/usr/local/pkg/lib.  Variables passed on the command line
     are subject to restrictions imposed by the security policy plugin.  The
     sudoers policy subjects variables passed on the command line to the same
     restrictions as normal environment variables with one important excep‐
     tion.  If the setenv option is set in sudoers, the command to be run has
     the SETENV tag set or the command matched is ALL, the user may set vari‐
     ables that would otherwise be forbidden.  See sudoers(5) for more infor‐
     mation.

COMMAND EXECUTION
     When sudo executes a command, the security policy specifies the execution
     environment for the command.  Typically, the real and effective user and
     group IDs are set to match those of the target user, as specified in the
     password database, and the group vector is initialized based on the group
     database (unless the -P option was specified).

     The following parameters may be specified by security policy:

     •  real and effective user-ID

     •  real and effective group-ID

     •  supplementary group-IDs

     •  the environment list

     •  current working directory

     •  file creation mode mask (umask)

     •  SELinux role and type

     •  scheduling priority (aka nice value)

   Process model
     There are two distinct ways sudo can run a command.

     If an I/O logging plugin is configured or if the security policy explic‐
     itly requests it, a new pseudo-terminal (“pty”) is allocated and fork(2)
     is used to create a second sudo process, referred to as the monitor.  The
     monitor creates a new terminal session with itself as the leader and the
     pty as its controlling terminal, calls fork(2), sets up the execution en‐
     vironment as described above, and then uses the execve(2) system call to
     run the command in the child process.  The monitor exists to relay job
     control signals between the user's existing terminal and the pty the com‐
     mand is being run in.  This makes it possible to suspend and resume the
     command.  Without the monitor, the command would be in what POSIX terms
     an “orphaned process group” and it would not receive any job control sig‐
     nals from the kernel.  When the command exits or is terminated by a sig‐
     nal, the monitor passes the command's exit status to the main sudo
     process and exits.  After receiving the command's exit status, the main
     sudo passes the command's exit status to the security policy's close
     function and exits.

     If no pty is used, sudo calls fork(2), sets up the execution environment
     as described above, and uses the execve(2) system call to run the command
     in the child process.  The main sudo process waits until the command has
     completed, then passes the command's exit status to the security policy's
     close function and exits.  As a special case, if the policy plugin does
     not define a close function, sudo will execute the command directly in‐
     stead of calling fork(2) first.  The sudoers policy plugin will only de‐
     fine a close function when I/O logging is enabled, a pty is required, an
     SELinux role is specified, the command has an associated timeout, or the
     pam_session or pam_setcred options are enabled.  Both pam_session and
     pam_setcred are enabled by default on systems using PAM.

     On systems that use PAM, the security policy's close function is respon‐
     sible for closing the PAM session.  It may also log the command's exit
     status.

   Signal handling
     When the command is run as a child of the sudo process, sudo will relay
     signals it receives to the command.  The SIGINT and SIGQUIT signals are
     only relayed when the command is being run in a new pty or when the sig‐
     nal was sent by a user process, not the kernel.  This prevents the com‐
     mand from receiving SIGINT twice each time the user enters control-C.
     Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will
     not be relayed to the command.  As a general rule, SIGTSTP should be used
     instead of SIGSTOP when you wish to suspend a command being run by sudo.

     As a special case, sudo will not relay signals that were sent by the com‐
     mand it is running.  This prevents the command from accidentally killing
     itself.  On some systems, the reboot(8) command sends SIGTERM to all non-
     system processes other than itself before rebooting the system.  This
     prevents sudo from relaying the SIGTERM signal it received back to
     reboot(8), which might then exit before the system was actually rebooted,
     leaving it in a half-dead state similar to single user mode.  Note, how‐
     ever, that this check only applies to the command run by sudo and not any
     other processes that the command may create.  As a result, running a
     script that calls reboot(8) or shutdown(8) via sudo may cause the system
     to end up in this undefined state unless the reboot(8) or shutdown(8) are
     run using the exec() family of functions instead of system() (which in‐
     terposes a shell between the command and the calling process).

     If no I/O logging plugins are loaded and the policy plugin has not de‐
     fined a close() function, set a command timeout, or required that the
     command be run in a new pty, sudo may execute the command directly in‐
     stead of running it as a child process.
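     The non-pty path of the process model and the relay rules of this
     section, as an added example written for this page (not sudo's own exec
     code): the parent forks, execs the command, forwards the signals it
     catches through sudo_should_relay(), waits, and reports what the EXIT
     VALUE section describes (exit status, or the terminating signal that sudo
     would then raise on itself).  Assumptions are this example's: only six
     signals are relayed, SI_KERNEL is Linux's code for kernel-generated
     signals and is defined here if the platform lacks it, and /bin/sh exists.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SI_KERNEL
#define SI_KERNEL 0x80   /* Linux value; only used to label kernel-sent signals here */
#endif

static volatile pid_t cmd_pid;   /* the running command, 0 when none */
static bool use_pty = false;     /* this example never allocates a pty */

/* The relay rules from the Signal handling section, as a pure decision. */
bool sudo_should_relay(int signo, const siginfo_t *si, pid_t pid, bool pty)
{
    if (signo == SIGSTOP || signo == SIGKILL)        /* cannot be caught, never seen here */
        return false;
    bool user_sent = si->si_code == SI_USER || si->si_code == SI_QUEUE;
    if (user_sent && si->si_pid == pid)              /* sent by the command itself (reboot case) */
        return false;
    if ((signo == SIGINT || signo == SIGQUIT) && !pty && !user_sent)
        return false;   /* terminal ^C: the kernel already delivered it to the command */
    return true;
}

static void relay_handler(int signo, siginfo_t *si, void *ctx)
{
    (void)ctx;
    if (cmd_pid > 0 && sudo_should_relay(signo, si, cmd_pid, use_pty))
        kill(cmd_pid, signo);
}

/* Try the rules with a siginfo_t filled in as the kernel would for the given origin. */
bool relay_demo(int signo, int code, pid_t sender, pid_t cmd, bool pty)
{
    siginfo_t si;
    memset(&si, 0, sizeof si);
    si.si_code = code;
    si.si_pid = sender;
    return sudo_should_relay(signo, &si, cmd, pty);
}

/* What the front-end hands to the policy's close function: sudo exits with
 * exit_status, or, when term_signal is non-zero, sends itself that signal. */
struct cmd_result { int exit_status; int term_signal; };

struct cmd_result sudo_run_child(char *const argv[])
{
    static const int relayed[] = { SIGHUP, SIGINT, SIGQUIT, SIGTERM, SIGUSR1, SIGUSR2 };
    struct cmd_result r = { 1, 0 };            /* 1: the command could not be executed */
    struct sigaction sa, old[6];
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = relay_handler;
    sa.sa_flags = SA_SIGINFO | SA_RESTART;
    for (int i = 0; i < 6; i++) sigaction(relayed[i], &sa, &old[i]);

    pid_t pid = fork();
    if (pid == 0) {
        /* Child: this is where the policy's uid/gid, umask, cwd and
         * environment would be applied before the execve(2). */
        execv(argv[0], argv);
        _exit(127);
    }
    if (pid > 0) {
        int status = 0;
        pid_t w;
        cmd_pid = pid;
        do w = waitpid(pid, &status, 0); while (w < 0 && errno == EINTR);
        cmd_pid = 0;
        if (w == pid && WIFEXITED(status))
            r.exit_status = WEXITSTATUS(status);
        else if (w == pid && WIFSIGNALED(status))
            r = (struct cmd_result){ 0, WTERMSIG(status) };   /* sudo would raise this */
    }
    for (int i = 0; i < 6; i++) sigaction(relayed[i], &old[i], NULL);
    return r;
}

/* Run a constructed shell snippet through the non-pty path. */
struct cmd_result run_demo(const char *script)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)script, NULL };
    return sudo_run_child(argv);
}
```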
474
475   Plugins
476     Plugins may be specified via Plugin directives in the sudo.conf(5) file.
477     They may be loaded as dynamic shared objects (on systems that support
478     them), or compiled directly into the sudo binary.  If no sudo.conf(5)
479     file is present, or if it doesn't contain any Plugin lines, sudo will use
480     sudoers(5) for the policy, auditing, and I/O logging plugins.  See the
481     sudo.conf(5) manual for details of the /etc/sudo.conf file and the
482     sudo_plugin(5) manual for more information about the sudo plugin archi‐
483     tecture.
484

EXIT VALUE

486     Upon successful execution of a command, the exit status from sudo will be
487     the exit status of the program that was executed.  If the command termi‐
488     nated due to receipt of a signal, sudo will send itself the same signal
489     that terminated the command.
490
491     If the -l option was specified without a command, sudo will exit with a
492     value of 0 if the user is allowed to run sudo and they authenticated suc‐
493     cessfully (as required by the security policy).  If a command is speci‐
494     fied with the -l option, the exit value will only be 0 if the command is
495     permitted by the security policy, otherwise it will be 1.
496
497     If there is an authentication failure, a configuration/permission prob‐
498     lem, or if the given command cannot be executed, sudo exits with a value
499     of 1.  In the latter case, the error string is printed to the standard
500     error.  If sudo cannot stat(2) one or more entries in the user's PATH, an
501     error is printed to the standard error.  (If the directory does not exist
502     or if it is not really a directory, the entry is ignored and no error is
503     printed.)  This should not happen under normal circumstances.  The most
504     common reason for stat(2) to return “permission denied” is if you are
505     running an automounter and one of the directories in your PATH is on a
506     machine that is currently unreachable.
507

SECURITY NOTES

509     sudo tries to be safe when executing external commands.
510
511     To prevent command spoofing, sudo checks "." and "" (both denoting cur‐
512     rent directory) last when searching for a command in the user's PATH (if
513     one or both are in the PATH).  Depending on the security policy, the
514     user's PATH environment variable may be modified, replaced, or passed un‐
515     changed to the program that sudo executes.
516
517     Users should never be granted sudo privileges to execute files that are
518     writable by the user or that reside in a directory that is writable by
519     the user.  If the user can modify or replace the command there is no way
520     to limit what additional commands they can run.
521
522     By default, sudo will only log the command it explicitly runs.  If a user
523     runs a command such as ‘sudo su’ or ‘sudo sh’, subsequent commands run
524     from that shell are not subject to sudo's security policy.  The same is
525     true for commands that offer shell escapes (including most editors).  If
526     I/O logging is enabled, subsequent commands will have their input and/or
527     output logged, but there will not be traditional logs for those commands.
528     Because of this, care must be taken when giving users access to commands
529     via sudo to verify that the command does not inadvertently give the user
530     an effective root shell.  For information on ways to address this, see
531     the Preventing shell escapes section in sudoers(5).
532
533     To prevent the disclosure of potentially sensitive information, sudo dis‐
534     ables core dumps by default while it is executing (they are re-enabled
535     for the command that is run).  This historical practice dates from a time
536     when most operating systems allowed set-user-ID processes to dump core by
537     default.  To aid in debugging sudo crashes, you may wish to re-enable
538     core dumps by setting “disable_coredump” to false in the sudo.conf(5)
539     file as follows:
540
541         Set disable_coredump false
542
543     See the sudo.conf(5) manual for more information.
544

ENVIRONMENT

     sudo utilizes the following environment variables.  The security policy
     has control over the actual content of the command's environment.

     EDITOR           Default editor to use in -e (sudoedit) mode if neither
                      SUDO_EDITOR nor VISUAL is set.

     MAIL             Set to the mail spool of the target user when the -i op‐
                      tion is specified, or when env_reset is enabled in
                      sudoers (unless MAIL is present in the env_keep list).

     HOME             Set to the home directory of the target user when the -i
                      or -H options are specified, when the -s option is spec‐
                      ified and set_home is set in sudoers, when
                      always_set_home is enabled in sudoers, or when env_reset
                      is enabled in sudoers and HOME is not present in the
                      env_keep list.

     LOGNAME          Set to the login name of the target user when the -i op‐
                      tion is specified, when the set_logname option is en‐
                      abled in sudoers, or when the env_reset option is en‐
                      abled in sudoers (unless LOGNAME is present in the
                      env_keep list).

     PATH             May be overridden by the security policy.

     SHELL            Used to determine shell to run with -s option.

     SUDO_ASKPASS     Specifies the path to a helper program used to read the
                      password if no terminal is available or if the -A option
                      is specified.

     SUDO_COMMAND     Set to the command run by sudo, including command line
                      arguments.  The command line arguments are truncated at
                      4096 characters to prevent a potential execution error.

     SUDO_EDITOR      Default editor to use in -e (sudoedit) mode.

     SUDO_GID         Set to the group-ID of the user who invoked sudo.

     SUDO_PROMPT      Used as the default password prompt unless the -p option
                      was specified.

     SUDO_PS1         If set, PS1 will be set to its value for the program be‐
                      ing run.

     SUDO_UID         Set to the user-ID of the user who invoked sudo.

     SUDO_USER        Set to the login name of the user who invoked sudo.

     USER             Set to the same value as LOGNAME, described above.

     VISUAL           Default editor to use in -e (sudoedit) mode if
                      SUDO_EDITOR is not set.

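     A privileged script run through sudo sees SUDO_UID, SUDO_GID, SUDO_USER
     and SUDO_COMMAND as described above and can use them to attribute its
     actions to the real invoker rather than to root.  The following is an
     added example (not part of sudo) of a helper that does this.  It treats
     the SUDO_* variables as meaningful only when the process actually runs
     with effective uid 0, because a user who starts the script directly
     can export arbitrary SUDO_* values; that policy, the helper names and
     the sample environment are assumptions of the example.  SUDO_COMMAND is
     kept for display only, since sudo truncates it at 4096 characters.

```python
"""Attribute a root-privileged script's actions to the user who invoked sudo.
Added example, not sudo's own code.  Assumption: the script is meant to run as
root via sudo, so SUDO_* values are only honoured when euid is 0."""
import os
from dataclasses import dataclass
from typing import Mapping, Optional

@dataclass(frozen=True)
class Invoker:
    uid: int
    gid: int
    name: str
    command: str   # SUDO_COMMAND, for the audit record only (may be truncated)

def invoker_from_env(env: Mapping[str, str], euid: int) -> Optional[Invoker]:
    """Return the invoking user, or None when not running under sudo.

    sudo sets SUDO_UID/SUDO_GID/SUDO_USER itself for the command it runs, so
    they identify the real user.  Without privilege (euid != 0) the variables
    could have been exported by anyone, so they are ignored."""
    if euid != 0:
        return None
    try:
        uid = int(env["SUDO_UID"])
        gid = int(env["SUDO_GID"])
        name = env["SUDO_USER"]
    except (KeyError, ValueError):
        return None
    if uid < 0 or gid < 0 or not name or "/" in name or "\n" in name:
        return None          # reject obviously malformed values
    return Invoker(uid, gid, name, env.get("SUDO_COMMAND", ""))

def audit_line(inv: Optional[Invoker], action: str) -> str:
    """One-line audit record naming the real user instead of 'root'."""
    if inv is None:
        return f"user=root(direct) action={action}"
    return f"user={inv.name} uid={inv.uid} via_sudo={inv.command!r} action={action}"

def chown_to_invoker(path: str, inv: Optional[Invoker]) -> bool:
    """Give a file created while privileged back to the user who asked for
    it, so it is not left owned by root.  Returns False if not under sudo."""
    if inv is None:
        return False
    os.chown(path, inv.uid, inv.gid)
    return True

# Constructed sample environment, as sudo would set it for ‘sudo -u root ls’.
SAMPLE_ENV = {"SUDO_UID": "1000", "SUDO_GID": "1000", "SUDO_USER": "yaz",
              "SUDO_COMMAND": "/bin/ls /home/yaz"}

if __name__ == "__main__":
    print(audit_line(invoker_from_env(SAMPLE_ENV, 0), "demo-with-sample-env"))
    print(audit_line(invoker_from_env(os.environ, os.geteuid()), "demo-real-env"))
```

     When the script is started without sudo the helper returns None and the
     record says so; when sudo started it, the record carries the login name
     and uid that sudo placed in the environment.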

FILES

     /etc/sudo.conf            sudo front-end configuration


EXAMPLES

     The following examples assume a properly configured security policy.

     To get a file listing of an unreadable directory:

         $ sudo ls /usr/local/protected

     To list the home directory of user yaz on a machine where the file system
     holding ~yaz is not exported as root:

         $ sudo -u yaz ls ~yaz

     To edit the index.html file as user www:

         $ sudoedit -u www ~www/htdocs/index.html

     To view system logs only accessible to root and users in the adm group:

         $ sudo -g adm more /var/log/syslog

     To run an editor as jim with a different primary group:

         $ sudoedit -u jim -g audio ~jim/sound.txt

     To shut down a machine:

         $ sudo shutdown -r +15 "quick reboot"

     To make a usage listing of the directories in the /home partition.  The
     commands are run in a sub-shell to allow the ‘cd’ command and file redi‐
     rection to work.

         $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"


DIAGNOSTICS

     Error messages produced by sudo include:

     editing files in a writable directory is not permitted
           By default, sudoedit does not permit editing a file when any of the
           parent directories are writable by the invoking user.  This avoids
           a race condition that could allow the user to overwrite an arbi‐
           trary file.  See the sudoedit_checkdir option in sudoers(5) for
           more information.

     editing symbolic links is not permitted
           By default, sudoedit does not follow symbolic links when opening
           files.  See the sudoedit_follow option in sudoers(5) for more in‐
           formation.

     effective uid is not 0, is sudo installed setuid root?
           sudo was not run with root privileges.  The sudo binary must be
           owned by the root user and have the set-user-ID bit set.  Also, it
           must not be located on a file system mounted with the ‘nosuid’ op‐
           tion or on an NFS file system that maps uid 0 to an unprivileged
           uid.

     effective uid is not 0, is sudo on a file system with the 'nosuid' option
     set or an NFS file system without root privileges?
           sudo was not run with root privileges.  The sudo binary has the
           proper owner and permissions but it still did not run with root
           privileges.  The most common reason for this is that the file sys‐
           tem the sudo binary is located on is mounted with the ‘nosuid’ op‐
           tion or it is an NFS file system that maps uid 0 to an unprivileged
           uid.

     fatal error, unable to load plugins
           An error occurred while loading or initializing the plugins speci‐
           fied in sudo.conf(5).

     invalid environment variable name
           One or more environment variable names specified via the -E option
           contained an equal sign (‘=’).  The arguments to the -E option
           should be environment variable names without an associated value.

     no password was provided
           When sudo tried to read the password, it did not receive any char‐
           acters.  This may happen if no terminal is available (or the -S op‐
           tion is specified) and the standard input has been redirected from
           /dev/null.

     a terminal is required to read the password
           sudo needs to read the password but there is no mechanism available
           for it to do so.  A terminal is not present to read the password
           from, sudo has not been configured to read from the standard input,
           the -S option was not used, and no askpass helper has been speci‐
           fied either via the sudo.conf(5) file or the SUDO_ASKPASS environ‐
           ment variable.

     no writable temporary directory found
           sudoedit was unable to find a usable temporary directory in which
           to store its intermediate files.

     The “no new privileges” flag is set, which prevents sudo from running as
     root.
           sudo was run by a process that has the Linux “no new privileges”
           flag set.  This causes the set-user-ID bit to be ignored when
           running an executable, which will prevent sudo from functioning.
           The most likely cause for this is running sudo within a container
           that sets this flag.  Check the documentation to see if it is pos‐
           sible to configure the container such that the flag is not set.

     sudo must be owned by uid 0 and have the setuid bit set
           sudo was not run with root privileges.  The sudo binary does not
           have the correct owner or permissions.  It must be owned by the
           root user and have the set-user-ID bit set.

     sudoedit is not supported on this platform
           It is only possible to run sudoedit on systems that support setting
           the effective user-ID.

     timed out reading password
           The user did not enter a password before the password timeout (5
           minutes by default) expired.

     you do not exist in the passwd database
           Your user-ID does not appear in the system passwd database.

     you may not specify environment variables in edit mode
           It is only possible to specify environment variables when running a
           command.  When editing a file, the editor is run with the user's
           environment unmodified.

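     Three of the diagnostics above (“sudo must be owned by uid 0 and have the
     setuid bit set”, “effective uid is not 0, is sudo on a file system with
     the 'nosuid' option set …” and the “no new privileges” message) come down
     to conditions an administrator can inspect directly: the binary's owner
     and mode, the options of the mount holding it, and the NoNewPrivs field
     of /proc/self/status on Linux.  The following added example (not sudo's
     own code) reproduces those checks and names the diagnostic that would
     apply.  It cannot detect an NFS server that maps uid 0 to an unprivileged
     uid; that case still needs the server-side export settings.  The binary
     path, the /proc formats and the sample mount table are assumptions of
     the example.

```python
"""Decide which sudo(8) 'not running as root' diagnostic applies on a host.
Added example, not sudo's own code.  Assumes Linux /proc formats; the NFS
root-squash case cannot be detected from the client side and is not covered."""
import os
from typing import Optional, Sequence

S_ISUID = 0o4000      # set-user-ID bit in st_mode

def mount_options_for(path: str, mounts: Sequence[str]) -> set:
    """Options of the longest mount point containing path.
    `mounts` holds lines in /proc/self/mounts format: dev mnt fstype opts ..."""
    best, opts = "", set()
    for line in mounts:
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, opts = mnt, set(fields[3].split(","))
    return opts

def read_no_new_privs(status_text: str) -> Optional[bool]:
    """Parse the NoNewPrivs field of /proc/self/status; None if absent."""
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return line.split(":", 1)[1].strip() == "1"
    return None

def diagnose(st_uid: int, st_mode: int, mount_opts: set,
             no_new_privs: Optional[bool]) -> str:
    """Return the sudo(8) diagnostic the given conditions would trigger, or
    'ok' when nothing visible here would stop sudo from obtaining root."""
    if st_uid != 0 or not (st_mode & S_ISUID):
        return "sudo must be owned by uid 0 and have the setuid bit set"
    if "nosuid" in mount_opts:
        return ("effective uid is not 0, is sudo on a file system with the "
                "'nosuid' option set or an NFS file system without root privileges?")
    if no_new_privs:
        return ('The "no new privileges" flag is set, which prevents sudo '
                "from running as root.")
    return "ok"

def check_host(binary: str = "/usr/bin/sudo") -> str:
    """Run the checks against the live system (binary path is an assumption)."""
    st = os.stat(binary)
    with open("/proc/self/mounts") as f:
        mounts = f.read().splitlines()
    with open("/proc/self/status") as f:
        nnp = read_no_new_privs(f.read())
    return diagnose(st.st_uid, st.st_mode, mount_options_for(binary, mounts), nnp)

# Constructed sample mount table for the example.
SAMPLE_MOUNTS = ["rootfs / ext4 rw,relatime 0 0",
                 "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0"]

if __name__ == "__main__":
    try:
        print(check_host())
    except OSError as e:        # e.g. no /proc or no sudo binary on this host
        print("cannot check live system:", e)
```

     A result other than ‘ok’ points at the fix: chown root and chmod 4755
     for the first message, remounting or relocating the binary for the
     second, and container configuration for the third.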

SEE ALSO

     su(1), stat(2), login_cap(3), passwd(5), sudo.conf(5), sudo_plugin(5),
     sudoers(5), sudoers_timestamp(5), sudoreplay(8), visudo(8)


HISTORY

     See the HISTORY.md file in the sudo distribution
     (https://www.sudo.ws/about/history/) for a brief history of sudo.


AUTHORS

     Many people have worked on sudo over the years; this version consists of
     code written primarily by:

           Todd C. Miller

     See the CONTRIBUTORS.md file in the sudo distribution
     (https://www.sudo.ws/about/contributors/) for an exhaustive list of peo‐
     ple who have contributed to sudo.


CAVEATS

     There is no easy way to prevent a user from gaining a root shell if that
     user is allowed to run arbitrary commands via sudo.  Also, many programs
     (such as editors) allow the user to run commands via shell escapes, thus
     avoiding sudo's checks.  However, on most systems it is possible to pre‐
     vent shell escapes with the sudoers(5) plugin's noexec functionality.

     It is not meaningful to run the ‘cd’ command directly via sudo, e.g.,

         $ sudo cd /usr/local/protected

     since when the command exits the parent process (your shell) will still
     be the same.  See the EXAMPLES section for more information.

     Running shell scripts via sudo can expose the same kernel bugs that make
     set-user-ID shell scripts unsafe on some operating systems (if your OS
     has a /dev/fd/ directory, set-user-ID shell scripts are generally safe).


BUGS

     If you believe you have found a bug in sudo, you can submit a bug report
     at https://bugzilla.sudo.ws/


SUPPORT

     Limited free support is available via the sudo-users mailing list, see
     https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
     the archives.


DISCLAIMER

     sudo is provided “AS IS” and any express or implied warranties, includ‐
     ing, but not limited to, the implied warranties of merchantability and
     fitness for a particular purpose are disclaimed.  See the LICENSE.md file
     distributed with sudo or https://www.sudo.ws/about/license/ for complete
     details.

Sudo 1.9.12p2                 September 13, 2022                 Sudo 1.9.12p2