Packages and Binaries:
libnss-sudo
This empty package provides the basic configuration needed to enable the
sudoers NSS service.
Installed size: 716 KB
How to install: sudo apt install libnss-sudo
sudo
Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done.
This version is built with minimal shared library dependencies, use the sudo-ldap package instead if you need LDAP support for sudoers.
Installed size: 6.39 MB
How to install: sudo apt install sudo
Dependencies:
- init-system-helpers
- libapparmor1
- libaudit1
- libc6
- libpam-modules
- libpam0g
- libselinux1
- libssl3
- zlib1g
cvtsudoers
Convert between sudoers file formats
root@kali:~# cvtsudoers -h
cvtsudoers - convert between sudoers file formats
usage: cvtsudoers [-ehMpV] [-b dn] [-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] [-I increment] [-m filter] [-o output_file] [-O start_point] [-P padding] [-s sections] [input_file]
Options:
-b, --base=dn the base DN for sudo LDAP queries
-c, --config=conf_file the path to the configuration file
-d, --defaults=deftypes only convert Defaults of the specified types
-e, --expand-aliases expand aliases when converting
-f, --output-format=format set output format: JSON, LDIF or sudoers
-i, --input-format=format set input format: LDIF or sudoers
-I, --increment=num amount to increase each sudoOrder by
-h, --help display help message and exit
-m, --match=filter only convert entries that match the filter
-M, --match-local match filter uses passwd and group databases
-o, --output=output_file write converted sudoers to output_file
-O, --order-start=num starting point for first sudoOrder
-p, --prune-matches prune non-matching users, groups and hosts
-P, --padding=num base padding for sudoOrder increment
-s, --suppress=sections suppress output of certain sections
-V, --version display version information and exit
cvtsudoers
Convert between sudoers file formats
root@kali:~# cvtsudoers -h
cvtsudoers - convert between sudoers file formats
usage: cvtsudoers [-ehMpV] [-b dn] [-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] [-I increment] [-m filter] [-o output_file] [-O start_point] [-P padding] [-s sections] [input_file]
Options:
-b, --base=dn the base DN for sudo LDAP queries
-c, --config=conf_file the path to the configuration file
-d, --defaults=deftypes only convert Defaults of the specified types
-e, --expand-aliases expand aliases when converting
-f, --output-format=format set output format: JSON, LDIF or sudoers
-i, --input-format=format set input format: LDIF or sudoers
-I, --increment=num amount to increase each sudoOrder by
-h, --help display help message and exit
-m, --match=filter only convert entries that match the filter
-M, --match-local match filter uses passwd and group databases
-o, --output=output_file write converted sudoers to output_file
-O, --order-start=num starting point for first sudoOrder
-p, --prune-matches prune non-matching users, groups and hosts
-P, --padding=num base padding for sudoOrder increment
-s, --suppress=sections suppress output of certain sections
-V, --version display version information and exit
sudo
Execute a command as another user
root@kali:~# sudo -h
sudo - execute a command as another user
usage: sudo -h | -K | -k | -V
usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user]
[-u user] [command [arg ...]]
usage: sudo [-ABbEHkNnPS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] [VAR=value] [-i | -s] [command [arg ...]]
usage: sudo -e [-ABkNnS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] file ...
Options:
-A, --askpass use a helper program for password prompting
-b, --background run command in the background
-B, --bell ring bell when prompting
-C, --close-from=num close all file descriptors >= num
-D, --chdir=directory change the working directory before running
command
-E, --preserve-env preserve user environment when running command
--preserve-env=list preserve specific environment variables
-e, --edit edit files instead of running a command
-g, --group=group run command as the specified group name or ID
-H, --set-home set HOME variable to target user's home dir
-h, --help display help message and exit
-h, --host=host run command on host (if supported by plugin)
-i, --login run login shell as the target user; a command
may also be specified
-K, --remove-timestamp remove timestamp file completely
-k, --reset-timestamp invalidate timestamp file
-l, --list list user's privileges or check a specific
command; use twice for longer format
-n, --non-interactive non-interactive mode, no prompts are used
-P, --preserve-groups preserve group vector instead of setting to
target's
-p, --prompt=prompt use the specified password prompt
-R, --chroot=directory change the root directory before running command
-r, --role=role create SELinux security context with specified
role
-S, --stdin read password from standard input
-s, --shell run shell as the target user; a command may
also be specified
-t, --type=type create SELinux security context with specified
type
-T, --command-timeout=timeout terminate command after the specified time limit
-U, --other-user=user in list mode, display privileges for user
-u, --user=user run command (or edit file) as specified user
name or ID
-V, --version display version information and exit
-v, --validate update user's timestamp without running a
command
-- stop processing command line arguments
sudo
Execute a command as another user
root@kali:~# sudo -h
sudo - execute a command as another user
usage: sudo -h | -K | -k | -V
usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user]
[-u user] [command [arg ...]]
usage: sudo [-ABbEHkNnPS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] [VAR=value] [-i | -s] [command [arg ...]]
usage: sudo -e [-ABkNnS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] file ...
Options:
-A, --askpass use a helper program for password prompting
-b, --background run command in the background
-B, --bell ring bell when prompting
-C, --close-from=num close all file descriptors >= num
-D, --chdir=directory change the working directory before running
command
-E, --preserve-env preserve user environment when running command
--preserve-env=list preserve specific environment variables
-e, --edit edit files instead of running a command
-g, --group=group run command as the specified group name or ID
-H, --set-home set HOME variable to target user's home dir
-h, --help display help message and exit
-h, --host=host run command on host (if supported by plugin)
-i, --login run login shell as the target user; a command
may also be specified
-K, --remove-timestamp remove timestamp file completely
-k, --reset-timestamp invalidate timestamp file
-l, --list list user's privileges or check a specific
command; use twice for longer format
-n, --non-interactive non-interactive mode, no prompts are used
-P, --preserve-groups preserve group vector instead of setting to
target's
-p, --prompt=prompt use the specified password prompt
-R, --chroot=directory change the root directory before running command
-r, --role=role create SELinux security context with specified
role
-S, --stdin read password from standard input
-s, --shell run shell as the target user; a command may
also be specified
-t, --type=type create SELinux security context with specified
type
-T, --command-timeout=timeout terminate command after the specified time limit
-U, --other-user=user in list mode, display privileges for user
-u, --user=user run command (or edit file) as specified user
name or ID
-V, --version display version information and exit
-v, --validate update user's timestamp without running a
command
-- stop processing command line arguments
sudo_logsrvd
Sudo event and I/O log server
root@kali:~# sudo_logsrvd -h
sudo_logsrvd - sudo log server
usage: sudo_logsrvd [-n] [-f conf_file] [-R percentage]
Options:
-f, --file path to configuration file
-h, --help display help message and exit
-n, --no-fork do not fork, run in the foreground
-R, --random-drop percent chance connections will drop
-V, --version display version information and exit
sudo_logsrvd
Sudo event and I/O log server
root@kali:~# sudo_logsrvd -h
sudo_logsrvd - sudo log server
usage: sudo_logsrvd [-n] [-f conf_file] [-R percentage]
Options:
-f, --file path to configuration file
-h, --help display help message and exit
-n, --no-fork do not fork, run in the foreground
-R, --random-drop percent chance connections will drop
-V, --version display version information and exit
sudo_sendlog
Send sudo I/O log to log server
root@kali:~# sudo_sendlog --help
sudo_sendlog - send sudo I/O log to remote server
usage: sudo_sendlog [-AnV] [-b ca_bundle] [-c cert_file] [-h host] [-i iolog-id] [-k key_file] [-p port] [-r restart-point] [-R reject-reason] [-s stop-point] [-t number] /path/to/iolog
Options:
--help display help message and exit
-A, --accept only send an accept event (no I/O)
-b, --ca-bundle certificate bundle file to verify server's cert against
-c, --cert certificate file for TLS handshake
-h, --host host to send logs to
-i, --iolog_id remote ID of I/O log to be resumed
-k, --key private key file
-n, --no-verify do not verify server certificate
-p, --port port to use when connecting to host
-r, --restart restart previous I/O log transfer
-R, --reject reject the command with the given reason
-s, --stop-after stop transfer after reaching this time
-t, --test test audit server by sending selected I/O log n times in parallel
-V, --version display version information and exit
sudo_sendlog
Send sudo I/O log to log server
root@kali:~# sudo_sendlog --help
sudo_sendlog - send sudo I/O log to remote server
usage: sudo_sendlog [-AnV] [-b ca_bundle] [-c cert_file] [-h host] [-i iolog-id] [-k key_file] [-p port] [-r restart-point] [-R reject-reason] [-s stop-point] [-t number] /path/to/iolog
Options:
--help display help message and exit
-A, --accept only send an accept event (no I/O)
-b, --ca-bundle certificate bundle file to verify server's cert against
-c, --cert certificate file for TLS handshake
-h, --host host to send logs to
-i, --iolog_id remote ID of I/O log to be resumed
-k, --key private key file
-n, --no-verify do not verify server certificate
-p, --port port to use when connecting to host
-r, --restart restart previous I/O log transfer
-R, --reject reject the command with the given reason
-s, --stop-after stop transfer after reaching this time
-t, --test test audit server by sending selected I/O log n times in parallel
-V, --version display version information and exit
sudoedit
Execute a command as another user
root@kali:~# sudoedit -h
sudoedit - edit files as another user
usage: sudoedit -h | -V
usage: sudoedit [-ABkNnS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] file ...
Options:
-A, --askpass use a helper program for password prompting
-B, --bell ring bell when prompting
-C, --close-from=num close all file descriptors >= num
-D, --chdir=directory change the working directory before running
command
-g, --group=group run command as the specified group name or ID
-h, --help display help message and exit
-h, --host=host run command on host (if supported by plugin)
-k, --reset-timestamp invalidate timestamp file
-n, --non-interactive non-interactive mode, no prompts are used
-p, --prompt=prompt use the specified password prompt
-R, --chroot=directory change the root directory before running command
-r, --role=role create SELinux security context with specified
role
-S, --stdin read password from standard input
-t, --type=type create SELinux security context with specified
type
-T, --command-timeout=timeout terminate command after the specified time limit
-u, --user=user run command (or edit file) as specified user
name or ID
-V, --version display version information and exit
-- stop processing command line arguments
sudoedit
Execute a command as another user
root@kali:~# sudoedit -h
sudoedit - edit files as another user
usage: sudoedit -h | -V
usage: sudoedit [-ABkNnS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] file ...
Options:
-A, --askpass use a helper program for password prompting
-B, --bell ring bell when prompting
-C, --close-from=num close all file descriptors >= num
-D, --chdir=directory change the working directory before running
command
-g, --group=group run command as the specified group name or ID
-h, --help display help message and exit
-h, --host=host run command on host (if supported by plugin)
-k, --reset-timestamp invalidate timestamp file
-n, --non-interactive non-interactive mode, no prompts are used
-p, --prompt=prompt use the specified password prompt
-R, --chroot=directory change the root directory before running command
-r, --role=role create SELinux security context with specified
role
-S, --stdin read password from standard input
-t, --type=type create SELinux security context with specified
type
-T, --command-timeout=timeout terminate command after the specified time limit
-u, --user=user run command (or edit file) as specified user
name or ID
-V, --version display version information and exit
-- stop processing command line arguments
sudoreplay
Replay sudo session logs
root@kali:~# sudoreplay -h
sudoreplay - replay sudo session logs
usage: sudoreplay [-hnRS] [-d dir] [-m num] [-s num] ID
usage: sudoreplay [-h] [-d dir] -l [search expression]
Options:
-d, --directory=dir specify directory for session logs
-f, --filter=filter specify which I/O type(s) to display
-h, --help display help message and exit
-l, --list list available session IDs, with optional expression
-m, --max-wait=num max number of seconds to wait between events
-n, --non-interactive no prompts, session is sent to the standard output
-R, --no-resize do not attempt to re-size the terminal
-S, --suspend-wait wait while the command was suspended
-s, --speed=num speed up or slow down output
-V, --version display version information and exit
sudoreplay
Replay sudo session logs
root@kali:~# sudoreplay -h
sudoreplay - replay sudo session logs
usage: sudoreplay [-hnRS] [-d dir] [-m num] [-s num] ID
usage: sudoreplay [-h] [-d dir] -l [search expression]
Options:
-d, --directory=dir specify directory for session logs
-f, --filter=filter specify which I/O type(s) to display
-h, --help display help message and exit
-l, --list list available session IDs, with optional expression
-m, --max-wait=num max number of seconds to wait between events
-n, --non-interactive no prompts, session is sent to the standard output
-R, --no-resize do not attempt to re-size the terminal
-S, --suspend-wait wait while the command was suspended
-s, --speed=num speed up or slow down output
-V, --version display version information and exit
visudo
Edit the sudoers file
root@kali:~# visudo -h
visudo - safely edit the sudoers file
usage: visudo [-chqsV] [[-f] sudoers ]
Options:
-c, --check check-only mode
-f, --file=sudoers specify sudoers file location
-h, --help display help message and exit
-I, --no-includes do not edit include files
-q, --quiet less verbose (quiet) syntax error messages
-s, --strict strict syntax checking
-V, --version display version information and exit
visudo
Edit the sudoers file
root@kali:~# visudo -h
visudo - safely edit the sudoers file
usage: visudo [-chqsV] [[-f] sudoers ]
Options:
-c, --check check-only mode
-f, --file=sudoers specify sudoers file location
-h, --help display help message and exit
-I, --no-includes do not edit include files
-q, --quiet less verbose (quiet) syntax error messages
-s, --strict strict syntax checking
-V, --version display version information and exit
sudo-ldap
Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done.
sudo-ldap will be supported up to Debian 13 “trixie” and will be removed in Debian 14. Please do not use sudo-ldap for new installations and consider migrating your existing installations to libsss-sudo and sssd.
This version is built with LDAP support, which allows an equivalent of the sudoers database to be distributed via LDAP. Authentication is still performed via pam.
Installed size: 6.48 MB
How to install: sudo apt install sudo-ldap
Dependencies:
- debconf | cdebconf
- debconf | debconf-2.0
- init-system-helpers
- libapparmor1
- libaudit1
- libc6
- libldap-2.5-0
- libnss-sudo
- libpam-modules
- libpam0g
- libselinux1
- libssl3
- zlib1g
cvtsudoers
Convert between sudoers file formats
root@kali:~# cvtsudoers -h
cvtsudoers - convert between sudoers file formats
usage: cvtsudoers [-ehMpV] [-b dn] [-c conf_file ] [-d deftypes] [-f output_format] [-i input_format] [-I increment] [-m filter] [-o output_file] [-O start_point] [-P padding] [-s sections] [input_file]
Options:
-b, --base=dn the base DN for sudo LDAP queries
-c, --config=conf_file the path to the configuration file
-d, --defaults=deftypes only convert Defaults of the specified types
-e, --expand-aliases expand aliases when converting
-f, --output-format=format set output format: JSON, LDIF or sudoers
-i, --input-format=format set input format: LDIF or sudoers
-I, --increment=num amount to increase each sudoOrder by
-h, --help display help message and exit
-m, --match=filter only convert entries that match the filter
-M, --match-local match filter uses passwd and group databases
-o, --output=output_file write converted sudoers to output_file
-O, --order-start=num starting point for first sudoOrder
-p, --prune-matches prune non-matching users, groups and hosts
-P, --padding=num base padding for sudoOrder increment
-s, --suppress=sections suppress output of certain sections
-V, --version display version information and exit
sudo
Execute a command as another user
root@kali:~# sudo -h
sudo - execute a command as another user
usage: sudo -h | -K | -k | -V
usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user]
[-u user] [command [arg ...]]
usage: sudo [-ABbEHkNnPS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] [VAR=value] [-i | -s] [command [arg ...]]
usage: sudo -e [-ABkNnS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] file ...
Options:
-A, --askpass use a helper program for password prompting
-b, --background run command in the background
-B, --bell ring bell when prompting
-C, --close-from=num close all file descriptors >= num
-D, --chdir=directory change the working directory before running
command
-E, --preserve-env preserve user environment when running command
--preserve-env=list preserve specific environment variables
-e, --edit edit files instead of running a command
-g, --group=group run command as the specified group name or ID
-H, --set-home set HOME variable to target user's home dir
-h, --help display help message and exit
-h, --host=host run command on host (if supported by plugin)
-i, --login run login shell as the target user; a command
may also be specified
-K, --remove-timestamp remove timestamp file completely
-k, --reset-timestamp invalidate timestamp file
-l, --list list user's privileges or check a specific
command; use twice for longer format
-n, --non-interactive non-interactive mode, no prompts are used
-P, --preserve-groups preserve group vector instead of setting to
target's
-p, --prompt=prompt use the specified password prompt
-R, --chroot=directory change the root directory before running command
-r, --role=role create SELinux security context with specified
role
-S, --stdin read password from standard input
-s, --shell run shell as the target user; a command may
also be specified
-t, --type=type create SELinux security context with specified
type
-T, --command-timeout=timeout terminate command after the specified time limit
-U, --other-user=user in list mode, display privileges for user
-u, --user=user run command (or edit file) as specified user
name or ID
-V, --version display version information and exit
-v, --validate update user's timestamp without running a
command
-- stop processing command line arguments
sudo_logsrvd
Sudo event and I/O log server
root@kali:~# sudo_logsrvd -h
sudo_logsrvd - sudo log server
usage: sudo_logsrvd [-n] [-f conf_file] [-R percentage]
Options:
-f, --file path to configuration file
-h, --help display help message and exit
-n, --no-fork do not fork, run in the foreground
-R, --random-drop percent chance connections will drop
-V, --version display version information and exit
sudo_sendlog
Send sudo I/O log to log server
root@kali:~# sudo_sendlog --help
sudo_sendlog - send sudo I/O log to remote server
usage: sudo_sendlog [-AnV] [-b ca_bundle] [-c cert_file] [-h host] [-i iolog-id] [-k key_file] [-p port] [-r restart-point] [-R reject-reason] [-s stop-point] [-t number] /path/to/iolog
Options:
--help display help message and exit
-A, --accept only send an accept event (no I/O)
-b, --ca-bundle certificate bundle file to verify server's cert against
-c, --cert certificate file for TLS handshake
-h, --host host to send logs to
-i, --iolog_id remote ID of I/O log to be resumed
-k, --key private key file
-n, --no-verify do not verify server certificate
-p, --port port to use when connecting to host
-r, --restart restart previous I/O log transfer
-R, --reject reject the command with the given reason
-s, --stop-after stop transfer after reaching this time
-t, --test test audit server by sending selected I/O log n times in parallel
-V, --version display version information and exit
sudoedit
Execute a command as another user
root@kali:~# sudoedit -h
sudoedit - edit files as another user
usage: sudoedit -h | -V
usage: sudoedit [-ABkNnS] [-r role] [-t type] [-C num] [-D directory]
[-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
[-u user] file ...
Options:
-A, --askpass use a helper program for password prompting
-B, --bell ring bell when prompting
-C, --close-from=num close all file descriptors >= num
-D, --chdir=directory change the working directory before running
command
-g, --group=group run command as the specified group name or ID
-h, --help display help message and exit
-h, --host=host run command on host (if supported by plugin)
-k, --reset-timestamp invalidate timestamp file
-n, --non-interactive non-interactive mode, no prompts are used
-p, --prompt=prompt use the specified password prompt
-R, --chroot=directory change the root directory before running command
-r, --role=role create SELinux security context with specified
role
-S, --stdin read password from standard input
-t, --type=type create SELinux security context with specified
type
-T, --command-timeout=timeout terminate command after the specified time limit
-u, --user=user run command (or edit file) as specified user
name or ID
-V, --version display version information and exit
-- stop processing command line arguments
sudoreplay
Replay sudo session logs
root@kali:~# sudoreplay -h
sudoreplay - replay sudo session logs
usage: sudoreplay [-hnRS] [-d dir] [-m num] [-s num] ID
usage: sudoreplay [-h] [-d dir] -l [search expression]
Options:
-d, --directory=dir specify directory for session logs
-f, --filter=filter specify which I/O type(s) to display
-h, --help display help message and exit
-l, --list list available session IDs, with optional expression
-m, --max-wait=num max number of seconds to wait between events
-n, --non-interactive no prompts, session is sent to the standard output
-R, --no-resize do not attempt to re-size the terminal
-S, --suspend-wait wait while the command was suspended
-s, --speed=num speed up or slow down output
-V, --version display version information and exit
visudo
Edit the sudoers file
root@kali:~# visudo -h
visudo - safely edit the sudoers file
usage: visudo [-chqsV] [[-f] sudoers ]
Options:
-c, --check check-only mode
-f, --file=sudoers specify sudoers file location
-h, --help display help message and exit
-I, --no-includes do not edit include files
-q, --quiet less verbose (quiet) syntax error messages
-s, --strict strict syntax checking
-V, --version display version information and exit
Updated on: 2024-Feb-16