выполнить команду от имени другого пользователя (execute a command as another user)
Описание (Description)
sudo
allows a permitted user to execute a command as the superuser
or another user, as specified by the security policy. The invoking
user's real (not effective) user-ID is used to determine the user
name with which to query the security policy.
sudo
supports a plugin architecture for security policies and
input/output logging. Third parties can develop and distribute
their own policy and I/O logging plugins to work seamlessly with
the sudo
front end. The default security policy is sudoers, which
is configured via the file /etc/sudoers, or via LDAP. See the
Plugins section for more information.
The security policy determines what privileges, if any, a user has
to run sudo
. The policy may require that users authenticate
themselves with a password or another authentication mechanism. If
authentication is required, sudo
will exit if the user's password
is not entered within a configurable time limit. This limit is
policy-specific; the default password prompt timeout for the
sudoers security policy is 5 minutes.
Security policies may support credential caching to allow the user
to run sudo
again for a period of time without requiring
authentication. By default, the sudoers policy caches credentials
on a per-terminal basis for 5 minutes. See the timestamp_type and
timestamp_timeout options in sudoers(5) for more information. By
running sudo
with the -v
option, a user can update the cached
credentials without running a command.
On systems where sudo
is the primary method of gaining superuser
privileges, it is imperative to avoid syntax errors in the security
policy configuration files. For the default security policy,
sudoers(5), changes to the configuration files should be made using
the visudo(8) utility which will ensure that no syntax errors are
introduced.
When invoked as sudoedit
, the -e
option (described below), is
implied.
Security policies may log successful and failed attempts to use
sudo
. If an I/O plugin is configured, the running command's input
and output may be logged as well.
The options are as follows:
-A
, --askpass
Normally, if sudo
requires a password, it will read it
from the user's terminal. If the -A
(askpass) option
is specified, a (possibly graphical) helper program is
executed to read the user's password and output the
password to the standard output. If the SUDO_ASKPASS
environment variable is set, it specifies the path to
the helper program. Otherwise, if sudo.conf(5)
contains a line specifying the askpass program, that
value will be used. For example:
# Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, sudo
will exit with
an error.
-B
, --bell
Ring the bell as part of the password prompt when a
terminal is present. This option has no effect if an
askpass program is used.
-b
, --background
Run the given command in the background. Note that it
is not possible to use shell job control to manipulate
background processes started by sudo
. Most interactive
commands will fail to work properly in background mode.
-C
num, --close-from
=num
Close all file descriptors greater than or equal to num
before executing a command. Values less than three are
not permitted. By default, sudo
will close all open
file descriptors other than standard input, standard
output and standard error when executing a command.
The security policy may restrict the user's ability to
use this option. The sudoers policy only permits use
of the -C
option when the administrator has enabled the
closefrom_override option.
-D
directory, --chdir
=directory
Run the command in the specified directory instead of
the current working directory. The security policy may
return an error if the user does not have permission to
specify the working directory.
-E
, --preserve-env
Indicates to the security policy that the user wishes
to preserve their existing environment variables. The
security policy may return an error if the user does
not have permission to preserve the environment.
--preserve-env=list
Indicates to the security policy that the user wishes
to add the comma-separated list of environment
variables to those preserved from the user's
environment. The security policy may return an error
if the user does not have permission to preserve the
environment. This option may be specified multiple
times.
-e
, --edit
Edit one or more files instead of running a command.
In lieu of a path name, the string "sudoedit" is used
when consulting the security policy. If the user is
authorized by the policy, the following steps are
taken:
1. Temporary copies are made of the files to be
edited with the owner set to the invoking user.
2. The editor specified by the policy is run to edit
the temporary files. The sudoers policy uses the
SUDO_EDITOR, VISUAL and EDITOR environment
variables (in that order). If none of
SUDO_EDITOR, VISUAL or EDITOR are set, the first
program listed in the editor sudoers(5) option is
used.
3. If they have been modified, the temporary files
are copied back to their original location and the
temporary versions are removed.
To help prevent the editing of unauthorized files, the
following restrictions are enforced unless explicitly
allowed by the security policy:
•
Symbolic links may not be edited (version 1.8.15 and
higher).
•
Symbolic links along the path to be edited are not
followed when the parent directory is writable by
the invoking user unless that user is root (version
1.8.16 and higher).
•
Files located in a directory that is writable by the
invoking user may not be edited unless that user is
root (version 1.8.16 and higher).
Users are never allowed to edit device special files.
If the specified file does not exist, it will be
created. Note that unlike most commands run by sudo,
the editor is run with the invoking user's environment
unmodified. If the temporary file becomes empty after
editing, the user will be prompted before it is
installed. If, for some reason, sudo
is unable to
update a file with its edited version, the user will
receive a warning and the edited copy will remain in a
temporary file.
-g
group, --group
=group
Run the command with the primary group set to group
instead of the primary group specified by the target
user's password database entry. The group may be
either a group name or a numeric group-ID (GID)
prefixed with the '#' character (e.g., #0 for GID 0).
When running a command as a GID, many shells require
that the '#' be escaped with a backslash ('\'). If no
-u
option is specified, the command will be run as the
invoking user. In either case, the primary group will
be set to group. The sudoers policy permits any of the
target user's groups to be specified via the -g
option
as long as the -P
option is not in use.
-H
, --set-home
Request that the security policy set the HOME
environment variable to the home directory specified by
the target user's password database entry. Depending
on the policy, this may be the default behavior.
-h
, --help
Display a short help message to the standard output and
exit.
-h
host, --host
=host
Run the command on the specified host if the security
policy plugin supports remote commands. Note that the
sudoers plugin does not currently support running
remote commands. This may also be used in conjunction
with the -l
option to list a user's privileges for the
remote host.
-i
, --login
Run the shell specified by the target user's password
database entry as a login shell. This means that
login-specific resource files such as .profile,
.bash_profile or .login will be read by the shell. If
a command is specified, it is passed to the shell for
execution via the shell's -c
option. If no command is
specified, an interactive shell is executed. sudo
attempts to change to that user's home directory before
running the shell. The command is run with an
environment similar to the one a user would receive at
log in. Note that most shells behave differently when
a command is specified as compared to an interactive
session; consult the shell's manual for details. The
Command environment section in the sudoers(5) manual
documents how the -i
option affects the environment in
which a command is run when the sudoers policy is in
use.
-K
, --remove-timestamp
Similar to the -k
option, except that it removes the
user's cached credentials entirely and may not be used
in conjunction with a command or other option. This
option does not require a password. Not all security
policies support credential caching.
-k
, --reset-timestamp
When used without a command, invalidates the user's
cached credentials. In other words, the next time sudo
is run a password will be required. This option does
not require a password and was added to allow a user to
revoke sudo
permissions from a .logout file.
When used in conjunction with a command or an option
that may require a password, this option will cause
sudo
to ignore the user's cached credentials. As a
result, sudo
will prompt for a password (if one is
required by the security policy) and will not update
the user's cached credentials.
Not all security policies support credential caching.
-l
, --list
If no command is specified, list the allowed (and
forbidden) commands for the invoking user (or the user
specified by the -U
option) on the current host. A
longer list format is used if this option is specified
multiple times and the security policy supports a
verbose output format.
If a command is specified and is permitted by the
security policy, the fully-qualified path to the
command is displayed along with any command line
arguments. If a command is specified but not allowed
by the policy, sudo
will exit with a status value of 1.
-n
, --non-interactive
Avoid prompting the user for input of any kind. If a
password is required for the command to run, sudo
will
display an error message and exit.
-P
, --preserve-groups
Preserve the invoking user's group vector unaltered.
By default, the sudoers policy will initialize the
group vector to the list of groups the target user is a
member of. The real and effective group-IDs, however,
are still set to match the target user.
-p
prompt, --prompt
=prompt
Use a custom password prompt with optional escape
sequences. The following percent ('%') escape
sequences are supported by the sudoers policy:
%H expanded to the host name including the domain name
(on if the machine's host name is fully qualified
or the fqdn option is set in sudoers(5))
%h expanded to the local host name without the domain
name
%p expanded to the name of the user whose password is
being requested (respects the rootpw, targetpw, and
runaspw flags in sudoers(5))
%U expanded to the login name of the user the command
will be run as (defaults to root unless the -u
option is also specified)
%u expanded to the invoking user's login name
%% two consecutive '%' characters are collapsed into a
single '%' character
The custom prompt will override the default prompt
specified by either the security policy or the
SUDO_PROMPT environment variable. On systems that use
PAM, the custom prompt will also override the prompt
specified by a PAM module unless the
passprompt_override flag is disabled in sudoers.
-R
directory, --chroot
=directory
Change to the specified root directory (see chroot(8))
before running the command. The security policy may
return an error if the user does not have permission to
specify the root directory.
-S
, --stdin
Write the prompt to the standard error and read the
password from the standard input instead of using the
terminal device.
-s
, --shell
Run the shell specified by the SHELL environment
variable if it is set or the shell specified by the
invoking user's password database entry. If a command
is specified, it is passed to the shell for execution
via the shell's -c
option. If no command is specified,
an interactive shell is executed. Note that most
shells behave differently when a command is specified
as compared to an interactive session; consult the
shell's manual for details.
-U
user, --other-user
=user
Used in conjunction with the -l
option to list the
privileges for user instead of for the invoking user.
The security policy may restrict listing other users'
privileges. The sudoers policy only allows root or a
user with the ALL privilege on the current host to use
this option.
-T
timeout, --command-timeout
=timeout
Used to set a timeout for the command. If the timeout
expires before the command has exited, the command will
be terminated. The security policy may restrict the
ability to set command timeouts. The sudoers policy
requires that user-specified timeouts be explicitly
enabled.
-u
user, --user
=user
Run the command as a user other than the default target
user (usually root). The user may be either a user
name or a numeric user-ID (UID) prefixed with the '#'
character (e.g., #0 for UID 0). When running commands
as a UID, many shells require that the '#' be escaped
with a backslash ('\'). Some security policies may
restrict UIDs to those listed in the password database.
The sudoers policy allows UIDs that are not in the
password database as long as the targetpw option is not
set. Other security policies may not support this.
-V
, --version
Print the sudo
version string as well as the version
string of the security policy plugin and any I/O
plugins. If the invoking user is already root the -V
option will display the arguments passed to configure
when sudo
was built and plugins may display more
verbose information such as default options.
-v
, --validate
Update the user's cached credentials, authenticating
the user if necessary. For the sudoers plugin, this
extends the sudo
timeout for another 5 minutes by
default, but does not run a command. Not all security
policies support cached credentials.
--
The --
option indicates that sudo
should stop
processing command line arguments.
Options that take a value may only be specified once unless
otherwise indicated in the description. This is to help guard
against problems caused by poorly written scripts that invoke sudo
with user-controlled input.
Environment variables to be set for the command may also be passed
on the command line in the form of VAR=value, e.g.,
LD_LIBRARY_PATH=/usr/local/pkg/lib. Variables passed on the
command line are subject to restrictions imposed by the security
policy plugin. The sudoers policy subjects variables passed on the
command line to the same restrictions as normal environment
variables with one important exception. If the setenv option is
set in sudoers, the command to be run has the SETENV tag set or the
command matched is ALL, the user may set variables that would
otherwise be forbidden. See sudoers(5) for more information.