.\" Automatically generated by Pandoc 3.1.11.1
.\"
.TH "" "" "" "" ""
.SH NAME
\f[CR]sudo\f[R] \- execute a command as another user
.SH SYNOPSIS
\f[CR]sudo\f[R] [\f[CR]\-u\f[R] \f[I]user\f[R]] [\f[CR]\-g\f[R]
\f[I]group\f[R]] [\f[CR]\-D\f[R] \f[I]directory\f[R]] [\f[CR]\-knS\f[R]]
[\f[CR]\-i\f[R] | \f[CR]\-s\f[R]] [\f[CR]VAR=value\f[R]]
[<\f[I]command\f[R]>]
.PD 0
.P
.PD
\f[CR]sudo\f[R] \f[CR]\-h\f[R] | \f[CR]\-K\f[R] | \f[CR]\-k\f[R] |
\f[CR]\-V\f[R]
.SH DESCRIPTION
\f[CR]sudo\f[R] allows a user that is permitted to do so to execute a
\f[I]command\f[R] as another user (for example \f[I]root\f[R]).
Permissions are specified by a security policy specified in
\f[CR]/etc/sudoers\f[R] (see sudoers(5)).
.PP
Sudo\-rs is a safety oriented and memory safe re\-implementation of the
original sudo implementation by Todd Miller.
.PP
When a command is run, a session record is stored for that specific
session allowing users to run additional commands without having to
re\-authenticate.
The timeout for session records can be specified in the policy.
.PP
Some care is taken to pass signals received by sudo\-rs to the child
process, even if that process runs in its own pseudo terminal.
.SH OPTIONS
.TP
\f[CR]\-D\f[R] \f[I]directory\f[R], \f[CR]\-\-chdir\f[R]=\f[I]directory\f[R]
Run the \f[I]command\f[R] in the specified \f[I]directory\f[R] instead
of the current working directory.
The security policy may return an error if the user does not have the
permission to specify the working directory.
.TP
\f[CR]\-g\f[R] \f[I]group\f[R], \f[CR]\-\-group\f[R]=\f[I]group\f[R]
Use this \f[I]group\f[R] as the primary group instead of using the
primary group specified in the password database for the target user.
.TP
\f[CR]\-h\f[R], \f[CR]\-\-help\f[R]
Show a help message.
.TP
\f[CR]\-i\f[R], \f[CR]\-\-login\f[R]
Run the shell specified by the target user\[cq]s password database entry
as a login shell.
This means that login\-specific resource files such as
\f[I].profile\f[R], \f[I].bash_profile\f[R] or \f[I].login\f[R] will be
read by the shell.
If a \f[I]command\f[R] is specified, it is passed to the shell using the
\f[CR]\-c\f[R] option.
.TP
\f[CR]\-K\f[R], \f[CR]\-\-remove\-timestamp\f[R]
Removes every cached session record for the user, regardless of where
the command is executed.
The next time sudo\-rs is run, authentication will take place if the
policy requires it.
No password is required to run this command.
.TP
\f[CR]\-k\f[R], \f[CR]\-\-reset\-timestamp\f[R]
When used without a command, invalidates the user\[cq]s session record
for the current session.
The next time sudo\-rs is run, authentication will take place if the
policy requires it.
.RS
.PP
When used in conjunction with a \f[I]command\f[R] or an option that may
require a password, this option will cause sudo\-rs to ignore the
user\[cq]s session record.
As a result, authentication will take place if the policy requires it.
When used in conjunction with a \f[I]command\f[R] no invalidation of
existing session records will take place.
.RE
.TP
\f[CR]\-n\f[R], \f[CR]\-\-non\-interactive\f[R]
Avoid prompting the user for input of any kind.
If any input is required for the \f[I]command\f[R] to run, sudo\-rs will
display an error message and exit.
.TP
\f[CR]\-S\f[R], \f[CR]\-\-stdin\f[R]
Read from standard input instead of using the terminal device.
.TP
\f[CR]\-s\f[R], \f[CR]\-\-shell\f[R]
Run the shell specified by the \f[CR]SHELL\f[R] environment variable.
If no shell was specified, the shell from the user\[cq]s password
database entry will be used instead.
If a \f[I]command\f[R] is specified, it is passed to the shell using the
\f[CR]\-c\f[R] option.
.TP
\f[CR]\-u\f[R] \f[I]user\f[R], \f[CR]\-\-user\f[R]=\f[I]user\f[R]
Run the \f[I]command\f[R] as another user than the default
(\f[B]root\f[R]).
.TP
\f[CR]\-V\f[R], \f[CR]\-\-version\f[R]
Display the current version of sudo\-rs.
.TP
\f[CR]\-v\f[R], \f[CR]\-\-validate\f[R]
Update the session record for the current session, authenticating the
user if necessary.
.TP
\f[CR]\-\-\f[R]
Indicates the end of the sudo\-rs options and start of the
\f[I]command\f[R].
.PP
Environment variables to be set for the command may be passed on the
command line in the form of VAR=value.
Variables passed on the command line are subject to restrictions imposed
by the security policy.
Variables passed on the command line are subject to the same
restrictions as normal environment variables with one important
exception: If the command to be run has the SETENV tag set or the
command matched is ALL, the user may set variables that would otherwise
be forbidden.
See sudoers(5) for more information.
.SH SEE ALSO
su(1), sudoers(5), visudo(8)