User Commands                                             SUDO(1)


sudo - do a super thing


sudo command


Sudo allows a permitted user to execute a command as root. Sudo determines who is an authorized user by consulting the file /usr/sue/adm/sudo/sudo.conf. If a match is found, command is executed with root id. Sudo might also prompt for a user's password to initiate a validation period.

By default sudo removes the IFS shell variable, sets the USER variable to "sudo" and resets the PATH variable to some reasonable value. This is designed to allow shell scripts to be called without security problems. However, only the Bourne shell was considered. With other shells, special care should be taken.

If the basename of sudo is different from "sudo", it is treated as the first argument, so a user may make an appropriate link to sudo and then skip typing "sudo", as with the rlogin command.

Lines in sudo.conf beginning with a hash '#' are considered comments and are ignored. The lines in sudo.conf must have the format:

     userlist|hostlist|timeout|cmd1|cmd2 ...
     |cmd3|cmd4 ...

Lines beginning with a pipe '|' are continuation lines, but a split is only allowed between consecutive commands.

     userlist  is an asterisk '*' or a comma ',' separated list of users' login names. This is the list of users allowed to execute the following commands. An asterisk '*' means any user.

     hostlist  is an asterisk '*' or a comma ',' separated list of hostnames. This is the list of hosts on which the users are allowed to execute the following commands. An asterisk '*' means any host. This field is useful in computer clusters.

     timeout   is the duration of the validation period in seconds. "-1" means do not ask for a password.

     cmdn      is a pattern of a command to execute. No escape character for '|' is provided.

The pattern of a command is of the form:

     cmd_name=options/path/comd arguments

     cmd_name    is the first argument for sudo: the name of the command to execute.

     options     might be p (do not modify the PATH environment variable), u (do not modify the USER environment variable), or a string beginning with a dollar sign '$' and ending with a backslash '\', which sets an environment variable. No escape character for '\' is provided. If the whole part cmd_name=options is missing, comd is assumed to be the cmd_name.

     /path/comd  is the full path name of the command to execute.

     arguments   are the arguments for the command to execute. Arguments are separated with spaces; two spaces make an empty argument. Moreover, "$0", "$1" ... "$9" are substituted by the appropriate parameter and "$*" means the rest of the parameters.

All user activities are logged by syslog. Unauthorized access has level ALERT, sudo execution errors have level NOTICE and successful attempts have level INFO.


The sudo.conf file:

     operator|*|300|/usr/etc/lpc $*|motd=/usr/bin/vi /etc/motd
     |/etc/wall
     joe,ann|lemon,orange|600|/etc/shutdown -y -g$1 -i0
     daemon|*|-1|disable=/usr/etc/lpc down $1 $2
     admin|*|600|root=p$USER=root/bin/ksh $*
     lp|*|-1|lpr=/bin/su $1 -c /usr/ucb/lpr $*

The operator may invoke lpc with any arguments (typing "sudo lpc ..."), edit the "/etc/motd" file (typing "sudo motd") and wall (typing "sudo wall <message"). He can also make a link "bin/wall -> /usr/local/bin/sudo" and then typing "wall <message" is enough. If sudo was not invoked for 5 minutes (300 seconds), it asks for the operator's password.

Users joe and ann may shut down their workstations lemon and orange (typing "shutdown grace_period").

An lpd filter (user daemon) may stop the print queue in case of some serious failure, giving the reason (executing "sudo disable printer_name reason").

User admin may become root without typing root's password (typing "sudo root"). Admin's PATH is preserved.

An lp filter may forward jobs to the lpr spooler, preserving the owner's name (executing "sudo lpr user_name lpr_options files").
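Added example (not part of the original manual page and not this sudo's own code): a minimal Python parser for the sudo.conf line format described above, with a lookup for a given user, host and cmd_name and a listing of commands that never ask for a password. The function names, the first-match lookup rule and the sample lines are assumptions; the admin line is constructed so that its environment option ends with the backslash the option syntax calls for.

```python
import re

# Constructed sample that follows the line format described above.
SAMPLE = r"""operator|*|300|/usr/etc/lpc $*|motd=/usr/bin/vi /etc/motd
|/etc/wall
joe,ann|lemon,orange|600|/etc/shutdown -y -g$1 -i0
daemon|*|-1|disable=/usr/etc/lpc down $1 $2
admin|*|600|root=p$USER=root\/bin/ksh $*
"""

def parse_cmd(pattern):
    """Split 'cmd_name=options/path/comd arguments' into its parts."""
    name, opts, env = None, set(), {}
    if not pattern.startswith("/"):
        name, rest = pattern.split("=", 1)
        while not rest.startswith("/"):
            m = re.match(r"[pu]|\$([^=]+)=([^\\]*)\\", rest)
            if not m:
                raise ValueError("bad options in %r" % pattern)
            if m.group(1):
                env[m.group(1)] = m.group(2)      # $VAR=value\
            else:
                opts.add(m.group(0))              # p or u
            rest = rest[m.end():]
        pattern = rest
    path, _, args = pattern.partition(" ")
    return dict(name=name or path.rsplit("/", 1)[1], opts=opts, env=env, path=path, args=args)

def parse_conf(text):
    entries = []
    for line in text.splitlines():
        if line.startswith("|"):                  # continuation: more commands
            entries[-1]["cmds"] += map(parse_cmd, line[1:].split("|"))
        elif line.strip() and not line.startswith("#"):
            users, hosts, timeout, *cmds = line.split("|")
            entries.append({"users": users.split(","), "hosts": hosts.split(","),
                            "timeout": int(timeout), "cmds": list(map(parse_cmd, cmds))})
    return entries

def lookup(entries, user, host, cmd_name):
    """Assumed first-match rule: (timeout, command) for user on host, else None."""
    ok = lambda allowed, who: allowed == ["*"] or who in allowed
    return next(((e["timeout"], c) for e in entries
                 if ok(e["users"], user) and ok(e["hosts"], host)
                 for c in e["cmds"] if c["name"] == cmd_name), None)

def passwordless(entries):   # audit: commands with timeout -1 (no password asked)
    return [(",".join(e["users"]), c["name"], c["path"])
            for e in entries if e["timeout"] == -1 for c in e["cmds"]]
```

Running passwordless() over a real sudo.conf gives a quick review list of the commands that can be run as root without any password prompt.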


The root user is treated as an ordinary user and needs an explicit entry. If you forget that you are already root, sudo will fail.


/usr/sue/adm/sudo.conf list of authorized users


su(1), rlogin(1), sh(1)


Created at University of Colorado
Major parts rewritten 3/94 by Michal Kisielewski at DESY - Hamburg (

Utility Commands                Last change: DESY ZDV