Sudo Command Options: Host, Login, and Timestamp Management

escaped with a backslash (‘\’). If no -u option is specified, the command will be run as the invoking user. In either case, the primary group will be set to group. The sudoers policy permits any of the target user’s groups to be specified via the -g option as long as the -P option is not in use. -H, -‐set‐home Request that the security policy set the HOME environment vari‐ able to the home directory specified by the target user’s pass‐ word database entry. Depending on the policy, this may be the default behavior. -h, -‐help Display a short help message to the standard output and exit. -h host, -‐host=host Run the command on the specified host if the security policy plugin supports remote commands. The sudoers plugin does not currently support running remote commands. This may also be used in conjunction with the -l option to list a user’s privileges for the remote host. -i, -‐login Run the shell specified by the target user’s password database entry as a login shell. This means that login‐specific resource files such as .profile, .bash_profile, or .login will be read by the shell. If a command is specified, it is passed to the shell as a simple command using the -c option. The command and any args are concatenated, separated by spaces, after escaping each character (including white space) with a backslash (‘\’) except for alphanumerics, underscores, hyphens, and dollar signs. If no command is specified, an interactive shell is executed. sudo attempts to change to that user’s home directory before running the shell. The command is run with an environment similar to the one a user would receive at log in. Most shells behave dif‐ ferently when a command is specified as compared to an interac‐ tive session; consult the shell’s manual for details. The Command environment section in the sudoers(5) manual documents how the -i option affects the environment in which a command is run when the sudoers policy is in use. -K, -‐remove‐timestamp Similar to the -k option, except that it removes every cached credential for the user, regardless of the terminal or parent process ID. The next time sudo is run, a password must be en‐ tered if the security policy requires authentication. It is not possible to use the -K option in conjunction with a command or other option. This option does not require a password. Not all security policies support credential caching. -k, -‐reset‐timestamp When used without a command, invalidates the user’s cached cre‐ dentials for the current session. The next time sudo is run in the session, a password must be entered if the security policy requires authentication. By default, the sudoers policy uses a separate record in the credential cache for each terminal (or parent process ID if no terminal is present). This prevents the -k option from interfering with sudo commands run in a different terminal session. See the timestamp_type option in sudoers(5) for more information. This option does not require a password, and was added to allow a user to revoke sudo permissions from a .logout file. When used in conjunction with a command

This section describes several `sudo` command options. `-h host` specifies a remote host for command execution (not supported by the sudoers plugin). `-i` (login) executes the target user's shell as a login shell, reading login-specific resource files and setting up a login-like environment. `-K` (remove-timestamp) removes all cached credentials, forcing password entry for the next sudo command. `-k` (reset-timestamp) invalidates cached credentials for the current session, requiring a password for subsequent sudo commands in that session. It also mentions how `-k` can be used with a command.