sudo allows a permitted user to execute a command as the superuser or another user, as specified by the
security policy. The real and effective uid and gid are set to match those of the target user, as
specified in the password database, and the group vector is initialized based on the group database
(unless the -P option was specified).
|
-A Normally, if sudo requires a password, it will read it from the user's terminal. If the -A
(askpass) option is specified, a (possibly graphical) helper program is executed to read the
user's password and output the password to the standard output. If the SUDO_ASKPASS
environment variable is set, it specifies the path to the helper program. Otherwise, if
/etc/sudo.conf contains a line specifying the askpass program, that value will be used. For
example:
# Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, sudo will exit with an error.
|
-b The -b (background) option tells sudo to run the given command in the background. Note that
if you use the -b option you cannot use shell job control to manipulate the process. Most
interactive commands will fail to work properly in background mode.
|
-C fd Normally, sudo will close all open file descriptors other than standard input, standard
output and standard error. The -C (close from) option allows the user to specify a starting
point above the standard error (file descriptor three). Values less than three are not
permitted. The security policy may restrict the user's ability to use the -C option. The
sudoers policy only permits use of the -C option when the administrator has enabled the
closefrom_override option.
|
-D level Enable debugging of sudo plugins and sudo itself. The level may be a value from 1 through 9.
|
-E The -E (preserve environment) option indicates to the security policy that the user wishes to
preserve their existing environment variables. The security policy may return an error if
the -E option is specified and the user does not have permission to preserve the environment.
|
-e The -e (edit) option indicates that, instead of running a command, the user wishes to edit
one or more files. In lieu of a command, the string "sudoedit" is used when consulting the
security policy. If the user is authorized by the policy, the following steps are taken:
1. Temporary copies are made of the files to be edited with the owner set to the invoking
user.
2. The editor specified by the policy is run to edit the temporary files. The sudoers
policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If
none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor
sudoers(5) option is used.
3. If they have been modified, the temporary files are copied back to their original
location and the temporary versions are removed.
If the specified file does not exist, it will be created. Note that unlike most commands run
by sudo, the editor is run with the invoking user's environment unmodified. If, for some
reason, sudo is unable to update a file with its edited version, the user will receive a
warning and the edited copy will remain in a temporary file.
|
-g group Normally, sudo runs a command with the primary group set to the one specified by the password
database for the user the command is being run as (by default, root). The -g (group) option
causes sudo to run the command with the primary group set to group instead. To specify a gid
instead of a group name, use #gid. When running commands as a gid, many shells require that
the '#' be escaped with a backslash ('\'). If no -u option is specified, the command will be
run as the invoking user (not root). In either case, the primary group will be set to group.
|
-H The -H (HOME) option requests that the security policy set the HOME environment variable to
the home directory of the target user (root by default) as specified by the password
database. Depending on the policy, this may be the default behavior.
|
-h The -h (help) option causes sudo to print a short help message to the standard output and
exit.
|
-i [command]
The -i (simulate initial login) option runs the shell specified by the password database
entry of the target user as a login shell. This means that login-specific resource files
such as .profile or .login will be read by the shell. If a command is specified, it is
passed to the shell for execution via the shell's -c option. If no command is specified, an
interactive shell is executed. sudo attempts to change to that user's home directory before
running the shell. The security policy shall initialize the environment to a minimal set of
variables, similar to what is present when a user logs in. The Command Environment section
in the sudoers(5) manual documents how the -i option affects the environment in which a
command is run when the sudoers policy is in use.
|
-K The -K (sure kill) option is like -k except that it removes the user's cached credentials
entirely and may not be used in conjunction with a command or other option. This option does
not require a password. Not all security policies support credential caching.
|
-k [command]
When used alone, the -k (kill) option to sudo invalidates the user's cached credentials. The
next time sudo is run a password will be required. This option does not require a password
and was added to allow a user to revoke sudo permissions from a .logout file. Not all
security policies support credential caching.
When used in conjunction with a command or an option that may require a password, the -k
option will cause sudo to ignore the user's cached credentials. As a result, sudo will
prompt for a password (if one is required by the security policy) and will not update the
user's cached credentials.
|
-l[l] [command]
If no command is specified, the -l (list) option will list the allowed (and forbidden)
commands for the invoking user (or the user specified by the -U option) on the current host.
If a command is specified and is permitted by the security policy, the fully-qualified path
to the command is displayed along with any command line arguments. If command is specified
but not allowed, sudo will exit with a status value of 1. If the -l option is specified with
an l argument (i.e. -ll), or if -l is specified multiple times, a longer list format is used.
|
-n The -n (non-interactive) option prevents sudo from prompting the user for a password. If a
password is required for the command to run, sudo will display an error messages and exit.
|
-P The -P (preserve group vector) option causes sudo to preserve the invoking user's group
vector unaltered. By default, the sudoers policy will initialize the group vector to the
list of groups the target user is in. The real and effective group IDs, however, are still
set to match the target user.
|
-p prompt The -p (prompt) option allows you to override the default password prompt and use a custom
one. The following percent (`%') escapes are supported by the sudoers policy:
%H expanded to the host name including the domain name (on if the machine's host name is
fully qualified or the fqdn option is set in sudoers(5))
%h expanded to the local host name without the domain name
%p expanded to the name of the user whose password is being requested (respects the rootpw,
targetpw and runaspw flags in sudoers(5))
%U expanded to the login name of the user the command will be run as (defaults to root
unless the -u option is also specified)
%u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a single % character
The prompt specified by the -p option will override the system password prompt on systems
that support PAM unless the passprompt_override flag is disabled in sudoers.
|
-S The -S (stdin) option causes sudo to read the password from the standard input instead of the
terminal device. The password must be followed by a newline character.
|
-s [command]
The -s (shell) option runs the shell specified by the SHELL environment variable if it is set
or the shell as specified in the password database. If a command is specified, it is passed
to the shell for execution via the shell's -c option. If no command is specified, an
interactive shell is executed.
|
-U user The -U (other user) option is used in conjunction with the -l option to specify the user
whose privileges should be listed. The security policy may restrict listing other users'
privileges. The sudoers policy only allows root or a user with the ALL privilege on the
current host to use this option.
|
-u user The -u (user) option causes sudo to run the specified command as a user other than root. To
specify a uid instead of a user name, use #uid. When running commands as a uid, many shells
require that the '#' be escaped with a backslash ('\'). Security policies may restrict uids
to those listed in the password database. The sudoers policy allows uids that are not in the
password database as long as the targetpw option is not set. Other security policies may not
support this.
|
-V The -V (version) option causes sudo to print its version string and the version string of the
security policy plugin and any I/O plugins. If the invoking user is already root the -V
option will display the arguments passed to configure when sudo was built and plugins may
display more verbose information such as default options.
|
-v When given the -v (validate) option, sudo will update the user's cached credentials,
authenticating the user's password if necessary. For the sudoers plugin, this extends the
sudo timeout for another 15 minutes (or whatever the timeout is set to in sudoers) but does
not run a command. Not all security policies support cached credentials.
|