ido - execute a command as another user in an iamroot environment
ido -h | -V
ido [-EH] [-C num] [-D directory] [-g group] [-R directory] [-T timeout] [-u user] [VAR=value] [-i | -s] [command [arg …]]
ido executes a command as the superuser or another user, in an iamroot(7) environment ready to emulate the chroot(2) syscall for unprivileged users.
For a more thorough description of sudo(1), please refer to its manual.
The options are as follows:
- -C num, --close-from=num
  Close all file descriptors greater than or equal to num before executing a command. Values less than three are not permitted. By default, ido will close all open file descriptors other than standard input, standard output, and standard error when executing a command.
- -D directory, --chdir=directory
  Run the command in the specified directory instead of the current working directory.
- -E, --preserve-env
  Indicates that the user wishes to preserve their existing environment variables.
- --preserve-env=list
  Indicates that the user wishes to add the comma-separated list of environment variables to those preserved from the user’s environment. This option may be specified multiple times.
- -g group, --group=group
  Run the command with the primary group set to group instead of the primary group specified by the target user’s password database entry. The group may be either a group name or a numeric group-ID (GID) prefixed with the ‘#’ character (e.g., ‘#0’ for GID 0). When running a command as a GID, many shells require that the ‘#’ be escaped with a backslash (‘\’). If no -u option is specified, the command will be run as the invoking user. In either case, the primary group will be set to group. The idoers policy permits any of the target user’s groups to be specified via the -g option as long as the -P option is not in use.
- -H, --set-home
  Set the HOME environment variable to the home directory specified by the target user’s password database entry.
- -h, --help
  Display a short help message to the standard output and exit.
- -i, --login
  Run the shell specified by the target user’s password database entry as a login shell. This means that login-specific resource files such as .profile, .bash_profile, or .login will be read by the shell. If a command is specified, it is passed to the shell as a simple command using the -c option. The command and any args are concatenated, separated by spaces, after escaping each character (including white space) with a backslash (‘\’) except for alphanumerics, underscores, hyphens, and dollar signs. If no command is specified, an interactive shell is executed. ido attempts to change to that user’s home directory before running the shell. The command is run with an environment similar to the one a user would receive at log in. Most shells behave differently when a command is specified as compared to an interactive session; consult the shell’s manual for details.
- -P, --preserve-groups
  Preserve the invoking user’s group vector unaltered. By default, the idoers policy will initialize the group vector to the list of groups the target user is a member of. The real and effective group-IDs, however, are still set to match the target user.
- -R directory, --chroot=directory
  Change to the specified root directory (see chroot(8)) before running the command.
- -s, --shell
  Run the shell specified by the SHELL environment variable if it is set, or the shell specified by the invoking user’s password database entry. If a command is specified, it is passed to the shell as a simple command using the -c option. The command and any args are concatenated, separated by spaces, after escaping each character (including white space) with a backslash (‘\’) except for alphanumerics, underscores, hyphens, and dollar signs. If no command is specified, an interactive shell is executed. Most shells behave differently when a command is specified as compared to an interactive session; consult the shell’s manual for details.
- -T timeout, --command-timeout=timeout
  Used to set a timeout for the command. If the timeout expires before the command has exited, the command will be terminated.
- -u user, --user=user
  Run the command as a user other than the default target user (usually root). The user may be either a user name or a numeric user-ID (UID) prefixed with the ‘#’ character (e.g., ‘#0’ for UID 0). When running commands as a UID, many shells require that the ‘#’ be escaped with a backslash (‘\’). Some security policies may restrict UIDs to those listed in the password database. The idoers policy allows UIDs that are not in the password database as long as the targetpw option is not set.
- -V, --version
  Print the ido version string.
- --
  The -- is used to delimit the end of the ido options. Subsequent options are passed to the command.
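The -i and -s entries above state the exact quoting rule ido applies before handing a command to the target shell with -c. As an added example (not code from ido or the iamroot project), the hypothetical POSIX sh helpers ido_escape_word and ido_shell_command below implement that rule on constructed input and show that sh -c on the result recovers the original argument boundaries:

```shell
# Hypothetical helper (not from ido): escape one word as the -i/-s text
# describes: every character is backslash-escaped except alphanumerics,
# underscores, hyphens and dollar signs. Result is left in $escaped.
ido_escape_word() {
    rest=$1
    escaped=
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}          # everything after it
        case $c in
            [[:alnum:]_-]|'$') escaped="$escaped$c" ;;
            *)                 escaped="$escaped\\$c" ;;
        esac
    done
}

# Hypothetical helper: build the single string that would be passed to the
# target shell as "shell -c <string>": each argument escaped, joined by spaces.
ido_shell_command() {
    joined=
    first=1
    for word in "$@"; do
        ido_escape_word "$word"
        if [ "$first" = 1 ]; then joined=$escaped; first=0; else joined="$joined $escaped"; fi
    done
    printf '%s\n' "$joined"
}

# Demonstration with constructed arguments: the space in 'a b' and the ';' in
# 'c;d' are escaped, so they can neither split words nor end the command.
ido_shell_command printf '%s|' 'a b' 'c;d'
# Running the string through sh -c yields the original three arguments again.
sh -c "$(ido_shell_command printf '%s|' 'a b' 'c;d')"
```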
ido-specific options
- --secure-path=list
  Path used for every command run from ido.
iamroot-specific options
- --multiarch
  Use the multiarch library path in the chroot.
- --libdir
  Set /lib:/usr/lib as the default library path in the chroot.
- --deflib=list
  Default library path to use in the chroot.
- --exec=file
  Absolute path to the iamroot exec script to use.
- --library=file
  Absolute path to the iamroot library to use.
- --no-color
  Turn off color.
- --debug
  Turn on debug mode.
- --debug-fd=num
  Set the file descriptor used for debug output.
- --debug-ignore=regex
  Regular expression of functions to ignore in debug mode. Does not imply --debug.
- --exec-ignore=regex
  Regular expression of executable paths to ignore at execve().
- --path-resolution-ignore=regex
  Regular expression of paths to ignore for path resolution in the chroot.
Environment variables to be set for the command may also be passed as options to ido in the form VAR=value.
Upon successful execution of a command, the exit status from ido will be the exit status of the program that was executed.
ido utilizes the following environment variables.
- HOME
  Set to the home directory of the target user when the -i or -H options are specified, or when the -s option is specified.
- LOGNAME
  Set to the login name of the target user when the -i option is specified.
- SHELL
  Used to determine the shell to run with the -s option.
- IDO_COMMAND
  Set to the command run by ido, including any args.
- IDO_GID
  Set to the group-ID of the user who invoked ido.
- IDO_UID
  Set to the user-ID of the user who invoked ido.
- IDO_USER
  Set to the login name of the user who invoked ido.
- USER
  Set to the same value as LOGNAME, described above.
Report bugs at https://github.com/gportay/iamroot/issues
Written by Gaël PORTAY [email protected]
Copyright (c) 2023-2024 Gaël PORTAY
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 2.1 of the License, or (at your option) any later version.