allows a permitted user to execute a as the superuser or  another
     user,  as  specified by the security policy.  The invoking user's
     real user-ID is used to determine the user  name  with  which  to
     query  the  security  policy.  supports a plugin architecture for
     security policies and input/output logging.   Third  parties  can
     develop  and  distribute their own policy and I/O logging plugins
     to work seamlessly with the  front  end.   The  default  security
     policy  is which is configured via the file or via LDAP.  See the
     section for more information.   The  security  policy  determines
     what privileges, if any, a user has to run The policy may require
     that users authenticate themselves with  a  password  or  another
     authentication  mechanism.   If  authentication is required, will
     exit if the user's password is not entered within a  configurable
     time  limit.  This limit is policy-specific; the default password
     prompt timeout for the  security  policy  is  minutes.   Security
     policies  may support credential caching to allow the user to run
     again for a period of time without requiring authentication.   By
     default,  the  policy  caches credentials on a per-terminal basis
     for minutes.  See the and options in for  more  information.   By
     running with the option, a user can update the cached credentials
     without running a On systems  where  is  the  primary  method  of
     gaining  superuser  privileges,  it is imperative to avoid syntax
     errors in the  security  policy  configuration  files.   For  the
     default  security  policy,  changes  to  the  configuration files
     should be made using the utility which will ensure that no syntax
     errors  are  introduced.   When  invoked as the option (described
     below), is implied.  Security policies  may  log  successful  and
     failed  attempts  to  use  If  an  I/O  plugin is configured, the
     running command's input and output may be logged  as  well.   The
     options are as follows: Normally, if requires a password, it will
     read it from the user's terminal.  If the option is specified,  a
     (possibly  graphical)  helper  program  is  executed  to read the
     user's password and output the password to the  standard  output.
     If  the environment variable is set, it specifies the path to the
     helper program.  Otherwise, if contains  a  line  specifying  the
     askpass program, that value will be used.  For example: # Path to
     askpass helper program Path askpass /usr/X11R6/bin/ssh-askpass If
     no  askpass  program is available, will exit with an error.  Ring
     the bell as part  of  the  password  promp  when  a  terminal  is
     present.   This  option  has  no  effect if an askpass program is
     used.  Run the given command in the background.  Note that it  is
     not  possible  to  use shell job control to manipulate background
     processes started by Most interactive commands will fail to  work
     properly  in background mode.  Close all file descriptors greater
     than or equal to before executing a command.   Values  less  than
     three  are  not  permitted.  By default, will close all open file
     descriptors  other  than  standard  input,  standard  output  and
     standard error when executing a command.  The security policy may
     restrict the user's ability to use this option.  The policy  only
     permits  use of the option when the administrator has enabled the
     option.  Run the command in the specified instead of the  current
     working  directory.   The  security policy may return an error if
     the  user  does  not  have  permission  to  specify  the  working
     directory.  Indicates to the security policy that the user wishes
     to preserve their existing environment variables.   The  security
     policy  may  return an error if the user does not have permission
     to preserve the environment.  Indicates to  the  security  policy
     that   the  user  wishes  to  add  the  comma-separated  list  of
     environment  variables  to  those  preserved  from   the   user's
     environment.  The security policy may return an error if the user
     does not have  permission  to  preserve  the  environment.   This
     option  may  be specified multiple times.  Edit one or more files
     instead of running a command.  In lieu of a path name, the string
     "sudoedit"  is  used when consulting the security policy.  If the
     user is authorized by the policy, the following steps are  taken:
     Temporary  copies  are  made  of  the files to be edited with the
     owner set to the invoking user.   The  editor  specified  by  the
     policy  is  run to edit the temporary files.  The policy uses the
     and environment variables (in that order).  If  none  of  or  are
     set,  the  first  program  listed in the option is used.  If they
     have been modified, the temporary files are copied back to  their
     original  location  and  the  temporary versions are removed.  To
     help prevent the editing of  unauthorized  files,  the  following
     restrictions  are  enforced  unless  explicitly  allowed  by  the
     security policy: Symbolic links may not be edited (version 1.8.15
     and  higher).  Symbolic links along the path to be edited are not
     followed when the parent directory is writable  by  the  invoking
     user unless that user is root (version 1.8.16 and higher).  Files
     located in a directory that is writable by the invoking user  may
     not  be  edited  unless  that  user  is  root (version 1.8.16 and
     higher).  Users are never allowed to edit device  special  files.
     If  the  specified file does not exist, it will be created.  Note
     that unlike most commands run by  the  editor  is  run  with  the
     invoking  user's  environment  unmodified.  If the temporary file
     becomes empty after editing, the user will be prompted before  it
     is  installed.   If,  for some reason, is unable to update a file
     with its edited version, the user will receive a warning and  the
     edited  copy  will  remain  in a temporary file.  Run the command
     with the primary group  set  to  instead  of  the  primary  group
     specified  by the target user's password database entry.  The may
     be either a group name or a numeric group-ID  prefixed  with  the
     character  (e.g.,  for  GID 0).  When running a command as a GID,
     many shells require that the be escaped with a  backslash  If  no
     option  is  specified,  the  command  will be run as the invoking
     user.  In either case, the primary  group  will  be  set  to  The
     policy  permits  any  of the target user's groups to be specified
     via the option as long as the option is not in use.  Request that
     the  security  policy  set  the  environment variable to the home
     directory specified by the target user's password database entry.
     Depending  on  the  policy,  this  may  be  the default behavior.
     Display a short help message to the  standard  output  and  exit.
     Run  the  command  on the specified if the security policy plugin
     supports  remote  commands.   Note  that  the  plugin  does   not
     currently support running remote commands.  This may also be used
     in conjunction with the option to list a  user's  privileges  for
     the  remote  host.   Run the shell specified by the target user's
     password database entry  as  a  login  shell.   This  means  that
     login-specific  resource  files  such  as  or will be read by the
     shell.  If a command is specified, it is passed to the shell  for
     execution via the shell's option.  If no command is specified, an
     interactive shell is executed.  attempts to change to that user's
     home directory before running the shell.  The command is run with
     an environment similar to the one a user would receive at log in.
     Note  that  most  shells  behave  differently  when  a command is
     specified as compared to  an  interactive  session;  consult  the
     shell's  manual for details.  The section in the manual documents
     how the option affects the environment in which a command is  run
     when the policy is in use.  Similar to the option, except that it
     removes the user's cached credentials entirely  and  may  not  be
     used  in conjunction with a command or other option.  This option
     does not require a password.  Not all security  policies  support
     credential caching.  When used without a command, invalidates the
     user's cached credentials.  In other words, the next time is  run
     a  password  will  be  required.   This option does not require a
     password and was added to allow a user to revoke permissions from
     a  file.   When  used  in conjunction with a command or an option
     that may require a password, this option will cause to ignore the
     user's  cached  credentials.   As  a  result,  will  prompt for a
     password (if one is required by the security policy) and will not
     update  the user's cached credentials.  Not all security policies
     support credential caching.  If no is specified, list the allowed
     (and  forbidden)  commands  for  the  invoking  user (or the user
     specified by the option) on the  current  host.   A  longer  list
     format is used if this option is specified multiple times and the
     security policy supports  a  verbose  output  format.   If  a  is
     specified  and  is  permitted  by the security policy, the fully-
     qualified path to the command is displayed along with any command
     line arguments.  If a is specified but not allowed by the policy,
     will exit with a status value of 1.  Avoid prompting the user for
     input  of any kind.  If a password is required for the command to
     run, will display  an  error  message  and  exit.   Preserve  the
     invoking  user's  group vector unaltered.  By default, the policy
     will initialize the group vector to the list of groups the target
     user  is a member of.  The real and effective group-IDs, however,
     are still set to match the target user.  Use  a  custom  password
     prompt  with  optional  escape  sequences.  The following percent
     escape sequences are supported by the  policy:  expanded  to  the
     host  name  including  the  domain name (on if the machine's host
     name is fully qualified or the option is set in expanded  to  the
     local  host  name without the domain name expanded to the name of
     the user whose password is  being  requested  (respects  the  and
     flags  in expanded to the login name of the user the command will
     be run as (defaults to root unless the option is also  specified)
     expanded  to  the  invoking  user's  login  name  two consecutive
     characters are collapsed  into  a  single  character  The  custom
     prompt  will  override the default prompt specified by either the
     security policy or the environment variable.  On systems that use
     PAM, the custom prompt will also override the prompt specified by
     a PAM module unless  the  flag  is  disabled  in  Change  to  the
     specified  root  (see  before  running the command.  The security
     policy may return an error if the user does not  have  permission
     to  specify  the root directory.  Run the command with an SELinux
     security context that includes the specified Write the prompt  to
     the  standard error and read the password from the standard input
     instead of using the terminal device.  Run the shell specified by
     the  environment  variable if it is set or the shell specified by
     the invoking user's password database entry.   If  a  command  is
     specified,  it  is  passed  to  the  shell  for execution via the
     shell's option.  If no command is specified, an interactive shell
     is  executed.   Note  that  most shells behave differently when a
     command is specified  as  compared  to  an  interactive  session;
     consult  the shell's manual for details.  Run the command with an
     SELinux security context that includes the  specified  If  no  is
     specified,  the  default  type is derived from the role.  Used in
     conjunction with the option to list the privileges for instead of
     for  the invoking user.  The security policy may restrict listing
     other users' privileges.  The policy only allows root or  a  user
     with  the privilege on the current host to use this option.  Used
     to set a timeout for the command.  If the timeout expires  before
     the  command  has  exited,  the  command will be terminated.  The
     security policy may restrict the ability to set command timeouts.
     The  policy  requires  that user-specified timeouts be explicitly
     enabled.  Run the command as a user other than the default target
     user  (usually The may be either a user name or a numeric user-ID
     prefixed with the character (e.g.,  for  UID  0).   When  running
     commands as a UID, many shells require that the be escaped with a
     backslash Some security  policies  may  restrict  UIDs  to  those
     listed in the password database.  The policy allows UIDs that are
     not in the password database as long as the option  is  not  set.
     Other  security policies may not support this.  Print the version
     string as well as the  version  string  of  the  security  policy
     plugin and any I/O plugins.  If the invoking user is already root
     the option will display the arguments passed  to  configure  when
     was  built  and plugins may display more verbose information such
     as  default  options.   Update  the  user's  cached  credentials,
     authenticating  the  user  if  necessary.   For  the plugin, this
     extends the timeout for another minutes by default, but does  not
     run   a  command.   Not  all  security  policies  support  cached
     credentials.  The option indicates that  should  stop  processing
     command  line  arguments.   Options that take a value may only be
     specified once unless otherwise  indicated  in  the  description.
     This  is  to help guard against problems caused by poorly written
     scripts that  invoke  with  user-controlled  input.   Environment
     variables  to  be  set  for the command may also be passed on the
     command line in the form of e.g., Variables passed on the command
     line  are  subject to restrictions imposed by the security policy
     plugin.  The policy subjects variables passed on the command line
     to the same restrictions as normal environment variables with one
     important exception.  If the option is set in the command  to  be
     run  has  the  tag set or the command matched is the user may set
     variables that  would  otherwise  be  forbidden.   See  for  more
     information.   When  executes  a  command,  the  security  policy
     specifies the execution environment for the command.   Typically,
     the  real  and  effective user and group and IDs are set to match
     those of the target user, as specified in the password  database,
     and  the  group vector is initialized based on the group database
     (unless the option was specified).  The following parameters  may
     be  specified by security policy: real and effective user-ID real
     and effective group-ID supplementary  group-IDs  the  environment
     list  current  working  directory file creation mode mask (umask)
     SELinux role and type scheduling priority (aka nice value)  There
     are  two  distinct  ways  can  run  a command.  If an I/O logging
     plugin  is  configured  or  if  the  security  policy  explicitly
     requests  it,  a  new pseudo-terminal is allocated and is used to
     create a second process, referred to as the  The  creates  a  new
     terminal  session  with  itself  as the leader and the pty as its
     controlling terminal, calls sets up the execution environment  as
     described above, and then uses the system call to run the command
     in the child process.  The exists to relay  job  control  signals
     between  the  user's existing terminal and the pty the command is
     being run in.  This makes it possible to suspend and  resume  the
     command.  Without the monitor, the command would be in what POSIX
     terms an and it would not receive any job  control  signals  from
     the kernel.  When the command exits or is terminated by a signal,
     the passes the command's exit status  to  the  main  process  and
     exits.   After  receiving  the  command's  exit  status, the main
     passes the command's exit status to the security  policy's  close
     function  and  exits.   If  no  pty  is  used,  calls sets up the
     execution environment as described above,  and  uses  the  system
     call  to  run the command in the child process.  The main process
     waits until the command has completed, then passes the  command's
     exit  status  to  the security policy's close function and exits.
     As a special case, if the policy plugin does not define  a  close
     function,  will  execute  the command directly instead of calling
     first.  The policy plugin will only define a close function  when
     I/O  logging is enabled, a pty is required, or the or options are
     enabled.  Note that and are enabled by default on  systems  using
     PAM.   On  systems  that  use  PAM,  the  security policy's close
     function is responsible for closing the PAM session.  It may also
     log  the  command's  exit  status.   When the command is run as a
     child of the process, will  relay  signals  it  receives  to  the
     command.   The  and  signals are only relayed when the command is
     being run in a new pty or when the signal  was  sent  by  a  user
     process,   not  the  kernel.   This  prevents  the  command  from
     receiving twice  each  time  the  user  enters  control-C.   Some
     signals,  such  as  and  cannot  be  caught  and thus will not be
     relayed to the command.   As  a  general  rule,  should  be  used
     instead  of  when you wish to suspend a command being run by As a
     special case, will not  relay  signals  that  were  sent  by  the
     command   it   is   running.   This  prevents  the  command  from
     accidentally killing itself.  On some systems, the command  sends
     to  all  non-system  processes other than itself before rebooting
     the system.  This prevents from relaying the signal  it  received
     back  to  which  might  then  exit before the system was actually
     rebooted, leaving it in a half-dead state similar to single  user
     mode.  Note, however, that this check only applies to the command
     run by and not any other processes that the command  may  create.
     As  a  result,  running  a script that calls or via may cause the
     system to end up in this undefined state unless the  or  are  run
     using  the  family  of  functions  instead of (which interposes a
     shell between the command and the calling process).   If  no  I/O
     logging  plugins are loaded and the policy plugin has not defined
     a function, set a command timeout or required that the command be
     run  in  a  new  pty, may execute the command directly instead of
     running it as a child process.   Plugins  may  be  specified  via
     directives  in  the  file.   They may be loaded as dynamic shared
     objects (on systems that support them), or compiled directly into
     the  binary.  If no file is present, or if it doesn't contain any
     lines, will use for the policy, auditing and I/O logging plugins.
     See  the  manual  for details of the file and the manual for more
     information  about  the  plugin  architecture.   Upon  successful
     execution  of  a  command,  the exit status from will be the exit
     status  of  the  program  that  was  executed.   If  the  command
     terminated  due to receipt of a signal, will send itself the same
     signal that terminated the command.  If the option was  specified
     without  a  command,  will  exit with a value of 0 if the user is
     allowed to run and they authenticated successfully  (as  required
     by  the  security  policy).   If  a command is specified with the
     option, the exit value will only be 0 if the command is permitted
     by  the  security policy, otherwise it will be 1.  If there is an
     authentication failure, a configuration/permission problem or  if
     the  given  command  cannot be executed, exits with a value of 1.
     In the latter case, the error string is printed to  the  standard
     error.   If  cannot one or more entries in the user's an error is
     printed to the standard error.  (If the directory does not  exist
     or  if  it is not really a directory, the entry is ignored and no
     error  is  printed.)   This  should  not  happen   under   normal
     circumstances.   The  most  common reason for to return is if you
     are running an automounter and one of the directories in your  is
     on  a  machine  that  is currently unreachable.  tries to be safe
     when executing external commands.  To prevent  command  spoofing,
     checks  "."  and  ""  (both denoting current directory) last when
     searching for a command in the user's (if one or both are in  the
     Note,  however,  that the actual environment variable is modified
     and is passed unchanged to  the  program  that  executes.   Users
     should  be  granted privileges to execute files that are writable
     by the user or that reside in a directory that is writable by the
     user.   If the user can modify or replace the command there is no
     way to limit what additional commands they can run.  Please  note
     that will normally only log the command it explicitly runs.  If a
     user runs a command such as or subsequent commands run from  that
     shell  are  not subject to security policy.  The same is true for
     commands that offer shell escapes (including most  editors).   If
     I/O logging is enabled, subsequent commands will have their input
     and/or output logged, but there will not be traditional logs  for
     those  commands.  Because of this, care must be taken when giving
     users access to commands via to verify that the command does  not
     inadvertently  give  the  user an effective root shell.  For more
     information, please see the section in To prevent the  disclosure
     of  potentially  sensitive  information,  disables  core dumps by
     default while it  is  executing  (they  are  re-enabled  for  the
     command that is run).  This historical practice dates from a time
     when most operating systems allowed set-user-ID processes to dump
     core  by  default.   To aid in debugging crashes, you may wish to
     re-enable core dumps by setting to false in the file as  follows:
     Set  disable_coredump  false See the manual for more information.
     utilizes  the  following  environment  variables.   The  security
     policy  has  control  over  the  actual  content of the command's
     environment.  Default editor to use in (sudoedit) mode if neither
     nor  is  set.   Set to the mail spool of the target user when the
     option is specified or when is enabled in (unless is  present  in
     the list).  Set to the home directory of the target user when the
     or options are specified, when the option is specified and is set
     in when is enabled in or when is enabled in and is not present in
     the list.  Set to the login name of  the  target  user  when  the
     option  is  specified,  when the option is enabled in or when the
     option is enabled in (unless is present in  the  list).   May  be
     overridden  by  the  security policy.  Used to determine shell to
     run with option.  Specifies the path to a helper program used  to
     read the password if no terminal is available or if the option is
     specified.  Set to the command run  by  sudo,  including  command
     line arguments.  The command line arguments are truncated at 4096
     characters to  prevent  a  potential  execution  error.   Default
     editor  to  use  in  (sudoedit) mode.  Set to the group-ID of the
     user who invoked sudo.   Used  as  the  default  password  prompt
     unless  the  option  was  specified.   If set, will be set to its
     value for the program being run.  Set to the user-ID of the  user
     who  invoked sudo.  Set to the login name of the user who invoked
     sudo.  Set to the same value as described above.  Default  editor
     to use in (sudoedit) mode if is not set.  front end configuration
     Note:  the  following  examples  assume  a  properly   configured
     security  policy.   To  get  a  file  listing  of  an  unreadable
     directory: $  sudo  ls  /usr/local/protected  To  list  the  home
     directory  of user yaz on a machine where the file system holding
     ~yaz is not exported as root: $ sudo -u yaz ls ~yaz To  edit  the
     file  as  user  www:  $ sudoedit -u www ~www/htdocs/index.html To
     view system logs only accessible to root and  users  in  the  adm
     group: $ sudo -g adm more /var/log/syslog To run an editor as jim
     with a different primary  group:  $  sudoedit  -u  jim  -g  audio
     ~jim/sound.txt  To  shut  down  a machine: $ sudo shutdown -r +15
     "quick reboot" To make a usage listing of the directories in  the
     /home partition.  Note that this runs the commands in a sub-shell
     to make the and file redirection work.  $ sudo sh -c "cd /home  ;
     du  -s  * | sort -rn > USAGE" Error messages produced by include:
     By default, does not permit editing a file when any of the parent
     directories  are  writable  by  the invoking user.  This avoids a
     race  condition  that  could  allow  the  user  to  overwrite  an
     arbitrary  file.   See  the  option  in for more information.  By
     default, does not follow symbolic links when opening files.   See
     the  option  in  for  more  information.   was  not run with root
     privileges.  The binary must be owned by the root user  and  have
     the  set-user-ID bit set.  Also, it must not be located on a file
     system mounted with the option or on an NFS file system that maps
     uid  0 to an unprivileged uid.  was not run with root privileges.
     The binary has the proper owner and permissions but it still  did
     not run with root privileges.  The most common reason for this is
     that the file system the binary is located on is mounted with the
     option  or  it  is  an  NFS  file  system  that  maps uid 0 to an
     unprivileged  uid.   An   error   occurred   while   loading   or
     initializing  the  plugins  specified  in One or more environment
     variable names specified via the option contained an  equal  sign
     The  arguments to the option should be environment variable names
     without an associated value.  When tried to read the password, it
     did  not  receive any characters.  This may happen if no terminal
     is available (or the option is specified) and the standard  input
     has  been redirected from needs to read the password but there is
     no mechanism available for it  to  do  so.   A  terminal  is  not
     present  to  read  the  password from, has not been configured to
     read from the standard input, the option was  not  used,  and  no
     askpass  helper  has  been  specified  either via the file or the
     environment variable.  was unable  to  find  a  usable  temporary
     directory  in which to store its intermediate files.  was not run
     with root privileges.  The binary does not have the correct owner
     or  permissions.   It must be owned by the root user and have the
     set-user-ID bit set.  It is only possible to run on systems  that
     support  setting the effective user-ID.  The user did not enter a
     password before the  password  timeout  (5  minutes  by  default)
     expired.   Your  user-ID  does  not  appear  in the system passwd
     database.  It is only possible to specify  environment  variables
     when  running  a command.  When editing a file, the editor is run
     with the user's environment unmodified.  See the HISTORY file  in
     the  distribution  (https://www.sudo.ws/history.html) for a brief
     history of sudo.  Many people have worked on over the years; this
     version   consists   of   code  written  primarily  by:  See  the
     CONTRIBUTORS        file        in        the        distribution
     (https://www.sudo.ws/contributors.html) for an exhaustive list of
     people who have contributed to There is no easy way to prevent  a
     user  from  gaining  a  root shell if that user is allowed to run
     arbitrary commands via Also,  many  programs  (such  as  editors)
     allow  the  user to run commands via shell escapes, thus avoiding
     checks.  However, on most systems it is possible to prevent shell
     escapes with the plugin's functionality.  It is not meaningful to
     run  the  command  directly   via   sudo,   e.g.,   $   sudo   cd
     /usr/local/protected  since  when  the  command  exits the parent
     process (your shell) will still be  the  same.   Please  see  the
     section  for  more  information.   Running  shell scripts via can
     expose the same kernel bugs that make set-user-ID  shell  scripts
     unsafe  on  some  operating  systems  (if  your OS has a /dev/fd/
     directory, set-user-ID shell scripts are generally safe).  If you
     feel  you  have  found  a  bug  in  please submit a bug report at
     https://bugzilla.sudo.ws/ Limited free support is  available  via
     the          sudo-users         mailing         list,         see
     https://www.sudo.ws/mailman/listinfo/sudo-users to  subscribe  or
     search  the  archives.   is  provided  and any express or implied
     warranties, including, but not limited to, the implied warranties
     of  merchantability  and  fitness  for  a  particular purpose are
     disclaimed.   See  the   LICENSE   file   distributed   with   or
     https://www.sudo.ws/license.html for complete details.