man-pages

7th chunk of `sudo.man`
 interactive session; consult the shell’s
               manual for details.

       -t type, --type=type
               Run the command with an SELinux security context  that  includes
               the  specified  type.  If no type is specified, the default type
               is derived from the role.

       -U user, --other-user=user
               Used in conjunction with the -l option to  list  the  privileges
               for  user instead of for the invoking user.  The security policy
               may restrict listing other users’ privileges.   When  using  the
               sudoers policy, the -U option is restricted to the root user and
               users  with either the “list” privilege for the specified user or
               the ability to run any command as root or user  on  the  current
               host.

       -T timeout, --command-timeout=timeout
               Used  to  set a timeout for the command.  If the timeout expires
               before the command has exited, the command will  be  terminated.
               The security policy may restrict the user’s ability to set time‐
               outs.   The sudoers policy requires that user‐specified timeouts
               be explicitly enabled.

       -u user, --user=user
               Run the command as a user other than  the  default  target  user
               (usually root).  The user may be either a user name or a numeric
               user‐ID  (UID)  prefixed  with the ‘#’ character (e.g., ‘#0’ for
               UID 0).  When running commands as a  UID,  many  shells  require
               that  the  ‘#’ be escaped with a backslash (‘\’).  Some security
               policies may restrict UIDs to those listed in the password data‐
               base.  The sudoers policy allows UIDs that are not in the  pass‐
               word  database as long as the targetpw option is not set.  Other
               security policies may not support this.

       -V, --version
               Print the sudo version string as well as the version  string  of
               any  configured  plugins.  If the invoking user is already root,
               the -V option will display the options passed to configure  when
               sudo  was built; plugins may display additional information such
               as default options.

       -v, --validate
               Update the user’s cached credentials, authenticating the user if
               necessary.  For the sudoers plugin, this extends the sudo  time‐
               out  for  another  15  minutes  by  default,  but does not run a
               command.  Not all security policies support cached credentials.

       --      The -- is used to delimit the end of the sudo  options.   Subse‐
               quent options are passed to the command.

       Options  that  take  a value may only be specified once unless otherwise
       indicated in the description.  This is to help  guard  against  problems
       caused  by  poorly written scripts that invoke sudo with user‐controlled
       input.

       Environment variables to be set for the command may also  be  passed  as
       options    to    sudo    in    the    form    VAR=value,   for   example
       LD_LIBRARY_PATH=/usr/local/pkg/lib.  Environment variables may  be  sub‐
       ject to restrictions imposed by the security policy plugin.  The sudoers
       policy  subjects environment variables passed as options to the same re‐
       strictions as existing environment variables with one important  differ‐
       ence.  If the setenv option is set in sudoers, the command to be run has
       the SETENV tag set or the command matched is ALL, the user may set vari‐
       ables that would otherwise be forbidden.  See sudoers(5) for more infor‐
       mation.
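
       Added example (not part of the sudo manual): a wrapper script that
       passes a caller-supplied target user and command to sudo using the
       -u and -- options described above, so that user-controlled input
       cannot be parsed as further sudo options or VAR=value assignments.
       The names run_as, valid_target and SUDO are hypothetical, and the
       account-name pattern is an assumption of this example.

```shell
#!/bin/sh
# Added example: hypothetical wrapper, not shipped with sudo.
# SUDO may be overridden (for instance with a stub) for dry runs.
SUDO=${SUDO:-sudo}

# valid_target USER: succeed only for a plain account name or '#<digits>'.
# The allowed character set is an assumption of this example.
valid_target() {
    case $1 in
        '') return 1 ;;
        '#'*)
            uid=${1#?}
            case $uid in ''|*[!0-9]*) return 1 ;; esac ;;
        -*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# run_as USER CMD [ARG...]: run CMD as USER.
run_as() {
    [ "$#" -ge 2 ] || { echo "usage: run_as user command [args...]" >&2; return 2; }
    user=$1
    shift
    valid_target "$user" || { echo "run_as: rejected target user" >&2; return 2; }
    # Conservative choice of this example: refuse a command word that looks
    # like an option or a VAR=value assignment rather than rely on parsing.
    case $1 in
        -*|*=*) echo "run_as: rejected command name" >&2; return 2 ;;
    esac
    # Each value is one quoted word, -u is given exactly once, and "--"
    # ends sudo's options so later words such as "-l" go to the command.
    "$SUDO" -u "$user" -- "$@"
}
```

       Quoting "$user" also means a ‘#0’ style UID reaches sudo without
       the backslash escaping that an interactive shell would need.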

COMMAND EXECUTION
       When  sudo  executes a command, the security policy specifies the execu‐
       tion environment for the command.  Typically,  the  real  and  effective
   

Title: Sudo Command Options: SELinux Context, User Specification, Timeout, and Environment Variables
Summary
This section details several options for the `sudo` command. `-t type` allows running a command with a specific SELinux security context type. `-U user` is used with the `-l` option to list privileges for a specific user. `-T timeout` sets a timeout for the command execution, after which it is terminated. `-u user` runs the command as a specified user, either by username or UID. `-V` displays the sudo version and plugin versions. `-v` validates the user's cached credentials, extending the timeout period. `--` marks the end of sudo options. Environment variables can be set as options to sudo (VAR=value). The security policy plugin determines the execution environment when sudo executes a command.