SUDO(8) System Manager’s Manual SUDO(8)
NAME
sudo, sudoedit — execute a command as another user
SYNOPSIS
sudo -h | -K | -k | -V
sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
[command [arg ...]]
sudo [-ABbEHnPS] [-C num] [-D directory] [-g group] [-h host]
[-p prompt] [-R directory] [-r role] [-t type] [-T timeout]
[-u user] [VAR=value] [-i | -s] [command [arg ...]]
sudoedit [-ABkNnS] [-C num] [-D directory] [-g group] [-h host]
[-p prompt] [-R directory] [-r role] [-t type] [-T timeout]
[-u user] file ...
DESCRIPTION
sudo allows a permitted user to execute a command as the superuser or
another user, as specified by the security policy. The invoking user’s
real (not effective) user‐ID is used to determine the user name with
which to query the security policy.
sudo supports a plugin architecture for security policies, auditing, and
input/output logging. Third parties can develop and distribute their
own plugins to work seamlessly with the sudo front-end. The default
security policy is sudoers, which is configured via the file /etc/sudoers,
or via LDAP. See the “Plugins” section for more information.
The security policy determines what privileges, if any, a user has to
run sudo. The policy may require that users authenticate themselves
with a password or another authentication mechanism. If authentication
is required, sudo will exit if the user’s password is not entered within
a configurable time limit. This limit is policy‐specific; the default
password prompt timeout for the sudoers security policy is 0 minutes.
Security policies may support credential caching to allow the user to
run sudo again for a period of time without requiring authentication.
By default, the sudoers policy caches credentials on a per-terminal
basis for 15 minutes. See the timestamp_type and timestamp_timeout
options in sudoers(5) for more information. By running sudo with the -v
option, a user can update the cached credentials without running a
command.
On systems where sudo is the primary method of gaining superuser
privileges, it is imperative to avoid syntax errors in the security policy
configuration files. For the default security policy, sudoers(5),
changes to the configuration files should be made using the visudo(8)
utility which will ensure that no syntax errors are introduced.
When invoked as sudoedit, the -e option (described below) is implied.
Security policies and audit plugins may log successful and failed
attempts to run sudo. If an I/O plugin is configured, the running
command’s input and output may be logged as well.
The options are as follows:
-A, --askpass
Normally, if sudo requires a password, it will read it from the
user’s terminal. If the -A (askpass) option is specified, a
(possibly graphical) helper program is executed to read the
user’s password and output the password to the standard output.
If the SUDO_ASKPASS environment variable is set, it specifies
the path to the helper program. Otherwise, if sudo.conf(5)
contains a line specifying the askpass program, that value will be
used. For example:
# Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, sudo will exit with an
error.
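Added example (not part of the sudo manual or the sudo project): a shell sketch that resolves which askpass helper "sudo -A" would run, using the precedence described above, and checks that the helper and its directory cannot be modified by group or others, since the helper handles the password in clear text. The function names, and taking the last matching line of sudo.conf when several exist, are assumptions.

```shell
#!/bin/sh
# Added example: which askpass helper would "sudo -A" run, and can it be
# tampered with? Function names are hypothetical, not part of sudo.
# Usage: helper=$(resolve_askpass) && check_askpass "$helper"

# Print the helper path per the documented precedence: SUDO_ASKPASS first,
# then the "Path askpass" line in sudo.conf. Return 1 if none is configured.
resolve_askpass() {
    conf=${1:-/etc/sudo.conf}
    if [ -n "${SUDO_ASKPASS:-}" ]; then
        printf '%s\n' "$SUDO_ASKPASS"
        return 0
    fi
    [ -r "$conf" ] || return 1
    # Commented lines never match because their first field starts with "#".
    # Assumption: if several lines match, the last one is taken.
    helper=$(awk '$1 == "Path" && $2 == "askpass" && $3 != "" { p = $3 }
                  END { if (p != "") print p }' "$conf")
    [ -n "$helper" ] || return 1
    printf '%s\n' "$helper"
}

# Return 0 only if the helper is an absolute path to an executable regular
# file, and neither it nor its directory is writable by group or others.
check_askpass() {
    helper=$1
    case $helper in
        /*) ;;
        *) echo "not an absolute path: $helper"; return 1 ;;
    esac
    [ -f "$helper" ] && [ -x "$helper" ] || {
        echo "missing or not executable: $helper"; return 1
    }
    # -H follows a symlinked helper; -prune stops find from descending.
    loose=$(find -H "$helper" "$(dirname "$helper")" -prune \
                \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "writable by group or others: $loose"; return 1
    fi
    echo "ok: $helper"
}
```

Because SUDO_ASKPASS takes precedence over sudo.conf, run the check in the same environment the user invokes sudo from.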