#
# Table of sudo/sudoers settings, one record per setting: name, type
# flags, the text shown for the setting, and for tuples the list of
# accepted values.
#
# Format:
#
# var_name
#	TYPE
#	description (or NULL)
#	array of struct def_values if TYPE == T_TUPLE
#
# NOTE: for tuples that can be used in a boolean context the first
#	value corresponds to boolean FALSE and the second to TRUE.
#
# Each description holds at most one printf-style conversion, and in the
# records below it lines up with TYPE (%s with T_STR/T_TUPLE/T_LOGFAC/
# T_LOGPRI, %u with T_UINT/T_TIMEOUT, %d with T_INT, %.1f with
# T_TIMESPEC, 0%o with T_MODE).  Keep that pairing when adding a record;
# a mismatched conversion would be a format-string bug in whatever
# prints these strings.
#

syslog
	T_LOGFAC|T_BOOL
	"Syslog facility if syslog is being used for logging: %s"
syslog_goodpri
	T_LOGPRI|T_BOOL
	"Syslog priority to use when user authenticates successfully: %s"
syslog_badpri
	T_LOGPRI|T_BOOL
	"Syslog priority to use when user authenticates unsuccessfully: %s"
long_otp_prompt
	T_FLAG
	"Put OTP prompt on its own line"
ignore_dot
	T_FLAG
	"Ignore '.' in $PATH"
mail_always
	T_FLAG
	"Always send mail when sudo is run"
mail_badpass
	T_FLAG
	"Send mail if user authentication fails"
mail_no_user
	T_FLAG
	"Send mail if the user is not in sudoers"
mail_no_host
	T_FLAG
	"Send mail if the user is not in sudoers for this host"
mail_no_perms
	T_FLAG
	"Send mail if the user is not allowed to run a command"
mail_all_cmnds
	T_FLAG
	"Send mail if the user tries to run a command"
tty_tickets
	T_FLAG
	"Use a separate timestamp for each user/tty combo"
# Per the header NOTE: boolean FALSE maps to "never", TRUE to "once".
lecture
	T_TUPLE|T_BOOL
	"Lecture user the first time they run sudo"
	never once always
lecture_file
	T_STR|T_PATH|T_BOOL
	"File containing the sudo lecture: %s"
# Security-sensitive: this is the default that makes users authenticate.
# A sudoers file that clears it should be reviewed like a blanket
# no-password rule.
authenticate
	T_FLAG
	"Require users to authenticate by default"
root_sudo
	T_FLAG
	"Root may run sudo"
log_host
	T_FLAG
	"Log the hostname in the (non-syslog) log file"
log_year
	T_FLAG
	"Log the year in the (non-syslog) log file"
shell_noargs
	T_FLAG
	"If sudo is invoked with no arguments, start a shell"
set_home
	T_FLAG
	"Set $HOME to the target user when starting a shell with -s"
always_set_home
	T_FLAG
	"Always set $HOME to the target user's home directory"
# NOTE(review): "information gathering" presumably means error messages
# may tell a user things about commands they are not allowed to run --
# confirm in sudoers(5) before enabling on multi-user hosts.
path_info
	T_FLAG
	"Allow some information gathering to give useful error messages"
fqdn
	T_FLAG
	"Require fully-qualified hostnames in the sudoers file"
insults
	T_FLAG
	"Insult the user when they enter an incorrect password"
requiretty
	T_FLAG
	"Only allow the user to run sudo if they have a tty"
env_editor
	T_FLAG
	"Visudo will honor the EDITOR environment variable"
# rootpw, runaspw and targetpw change whose password is asked for.  The
# invoking user then has to know another account's password, so that
# password is shared between people and no longer identifies one user.
# NOTE(review): "users's" in the three descriptions is a typo for
# "user's"; left untouched here because the strings are program output.
rootpw
	T_FLAG
	"Prompt for root's password, not the users's"
runaspw
	T_FLAG
	"Prompt for the runas_default user's password, not the users's"
targetpw
	T_FLAG
	"Prompt for the target user's password, not the users's"
use_loginclass
	T_FLAG
	"Apply defaults in the target user's login class if there is one"
set_logname
	T_FLAG
	"Set the LOGNAME and USER environment variables"
# stay_setuid and preserve_groups both leave part of the invoking user's
# identity on the command (the real uid, the group vector), per their
# descriptions.  Review any sudoers file that turns them on.
stay_setuid
	T_FLAG
	"Only set the effective uid to the target user, not the real uid"
preserve_groups
	T_FLAG
	"Don't initialize the group vector to that of the target user"
loglinelen
	T_UINT|T_BOOL
	"Length at which to wrap log file lines (0 for no wrap): %u"
# How long a successful authentication is cached.  Longer values widen
# the window in which an unattended session can run sudo without a
# password.
timestamp_timeout
	T_TIMESPEC|T_BOOL
	"Authentication timestamp timeout: %.1f minutes"
passwd_timeout
	T_TIMESPEC|T_BOOL
	"Password prompt timeout: %.1f minutes"
passwd_tries
	T_UINT
	"Number of tries to enter a password: %u"
# 0777 is the sentinel for "use the user's umask" (see description); see
# also umask_override further down.
umask
	T_MODE|T_BOOL
	"Umask to use or 0777 to use user's: 0%o"
logfile
	T_STR|T_BOOL|T_PATH
	"Path to log file: %s"
mailerpath
	T_STR|T_BOOL|T_PATH
	"Path to mail program: %s"
mailerflags
	T_STR|T_BOOL
	"Flags for mail program: %s"
mailto
	T_STR|T_BOOL
	"Address to send mail to: %s"
mailfrom
	T_STR|T_BOOL
	"Address to send mail from: %s"
mailsub
	T_STR
	"Subject line for mail messages: %s"
badpass_message
	T_STR
	"Incorrect password message: %s"
lecture_status_dir
	T_STR|T_PATH
	"Path to lecture status dir: %s"
# The timestamp directory holds the cached-authentication records; its
# owner and location decide who can tamper with them.
timestampdir
	T_STR|T_PATH
	"Path to authentication timestamp dir: %s"
timestampowner
	T_STR
	"Owner of the authentication timestamp dir: %s"
# Members skip the password and PATH requirements (see description), so
# membership of this group is a privilege in itself and should be
# audited as one.
exempt_group
	T_STR|T_BOOL
	"Users in this group are exempt from password and PATH requirements: %s"
passprompt
	T_STR
	"Default password prompt: %s"
passprompt_override
	T_FLAG
	"If set, passprompt will override system prompt in all cases."
runas_default
	T_STR
	"Default user to run commands as: %s"
# Replaces the invoking user's $PATH, so command lookup does not depend
# on directories the user chose.
secure_path
	T_STR|T_BOOL
	"Value to override user's $PATH with: %s"
editor
	T_STR|T_PATH
	"Path to the editor for use by visudo: %s"
# listpw and verifypw list their values in a different order.  Per the
# header NOTE, boolean TRUE maps to the second value: "any" for listpw
# but "all" for verifypw; FALSE maps to "never" for both.
listpw
	T_TUPLE|T_BOOL
	"When to require a password for 'list' pseudocommand: %s"
	never any all always
verifypw
	T_TUPLE|T_BOOL
	"When to require a password for 'verify' pseudocommand: %s"
	never all any always
# Works by preloading a library that replaces the exec functions (see
# description).  NOTE(review): a preload-based control presumably does
# not bind programs that bypass the dynamic loader -- confirm in
# sudoers(5) before treating it as a containment boundary.
noexec
	T_FLAG
	"Preload the sudo_noexec library which replaces the exec functions"
ignore_local_sudoers
	T_FLAG
	"If LDAP directory is up, do we ignore local sudoers file"
closefrom
	T_INT
	"File descriptors >= %d will be closed before executing a command"
# NOTE(review): the quotes around closefrom inside the description are
# unescaped as shown here.  If this text ends up in a C string literal
# they have to be written as \" -- check against the original file; the
# escapes may have been lost when this listing was extracted.
closefrom_override
	T_FLAG
	"If set, users may override the value of "closefrom" with the -C option"
# Environment handling.  env_reset starts the command from a default set
# of variables; setenv lets users pass arbitrary ones.  Anything listed
# in env_keep reaches the privileged command, so variables that steer
# the loader or an interpreter do not belong there.
setenv
	T_FLAG
	"Allow users to set arbitrary environment variables"
env_reset
	T_FLAG
	"Reset the environment to a default set of variables"
env_check
	T_LIST|T_BOOL
	"Environment variables to check for safety:"
env_delete
	T_LIST|T_BOOL
	"Environment variables to remove:"
env_keep
	T_LIST|T_BOOL
	"Environment variables to preserve:"
role
	T_STR
	"SELinux role to use in the new security context: %s"
type
	T_STR
	"SELinux type to use in the new security context: %s"
env_file
	T_STR|T_PATH|T_BOOL
	"Path to the sudo-specific environment file: %s"
restricted_env_file
	T_STR|T_PATH|T_BOOL
	"Path to the restricted sudo-specific environment file: %s"
sudoers_locale
	T_STR
	"Locale to use while parsing sudoers: %s"
# visiblepw and pwfeedback both trade password confidentiality for
# convenience: the first allows prompting where the typed password would
# be visible, the second gives visual feedback while the user types.
visiblepw
	T_FLAG
	"Allow sudo to prompt for a password even if it would be visible"
pwfeedback
	T_FLAG
	"Provide visual feedback at the password prompt when there is user input"
fast_glob
	T_FLAG
	"Use faster globbing that is less accurate but does not access the filesystem"
# When set, the sudoers umask wins even where it is more permissive than
# the user's own (see description), i.e. files can be created with wider
# permissions than the user would have chosen.
umask_override
	T_FLAG
	"The umask specified in sudoers will override the user's, even if it is more permissive"
# I/O logs record what the user types and what the command prints, which
# can include passwords and other secrets.  Protect the log location
# accordingly (iolog_dir, iolog_user, iolog_group, iolog_mode).
log_input
	T_FLAG
	"Log user's input for the command being run"
log_output
	T_FLAG
	"Log the output of the command being run"
compress_io
	T_FLAG
	"Compress I/O logs using zlib"
use_pty
	T_FLAG
	"Always run commands in a pseudo-tty"
# Names code that sudo will load; the value should only ever point at a
# file that unprivileged users cannot replace.
group_plugin
	T_STR
	"Plugin for non-Unix group support: %s"
iolog_dir
	T_STR|T_PATH
	"Directory in which to store input/output logs: %s"
iolog_file
	T_STR
	"File in which to store the input/output log: %s"
set_utmp
	T_FLAG
	"Add an entry to the utmp/utmpx file when allocating a pty"
utmp_runas
	T_FLAG
	"Set the user in utmp to the runas user, not the invoking user"
privs
	T_STR
	"Set of permitted privileges: %s"
limitprivs
	T_STR
	"Set of limit privileges: %s"
exec_background
	T_FLAG
	"Run commands on a pty in the background"
pam_service
	T_STR
	"PAM service name to use: %s"
pam_login_service
	T_STR
	"PAM service name to use for login shells: %s"
pam_setcred
	T_FLAG
	"Attempt to establish PAM credentials for the target user"
pam_session
	T_FLAG
	"Create a new PAM session for the command to run in"
# Account validation is where PAM can refuse an account; turning this
# off skips that check.
pam_acct_mgmt
	T_FLAG
	"Perform PAM account validation management"
# Declared T_STR although the description calls it a number.
# NOTE(review): presumably parsed and range-checked by the consumer --
# confirm.
maxseq
	T_STR
	"Maximum I/O log sequence number: %s"
use_netgroups
	T_FLAG
	"Enable sudoers netgroup support"
# sudoedit hardening.  sudoedit_checkdir checks parent directories for
# writability and sudoedit_follow decides whether symbolic links are
# followed; both matter when the edited path sits in a directory the
# invoking user can write to.
sudoedit_checkdir
	T_FLAG
	"Check parent directories for writability when editing files with sudoedit"
sudoedit_follow
	T_FLAG
	"Follow symbolic links when editing files with sudoedit"
always_query_group_plugin
	T_FLAG
	"Query the group plugin for unknown system groups"
netgroup_tuple
	T_FLAG
	"Match netgroups based on the entire tuple: user, host and domain"
# Fail-open switches: when set, a command still runs although the audit
# log, I/O log or log file could not be written.  Sites that rely on the
# audit trail will want these off.
ignore_audit_errors
	T_FLAG
	"Allow commands to be run even if sudo cannot write to the audit log"
ignore_iolog_errors
	T_FLAG
	"Allow commands to be run even if sudo cannot write to the I/O log"
ignore_logfile_errors
	T_FLAG
	"Allow commands to be run even if sudo cannot write to the log file"
match_group_by_gid
	T_FLAG
	"Resolve groups in sudoers and match on the group ID, not the name"
syslog_maxlen
	T_UINT
	"Log entries larger than this value will be split into multiple syslog messages: %u"
# Ownership and mode of the I/O log files; these decide who can read the
# recorded sessions.
iolog_user
	T_STR|T_BOOL
	"User that will own the I/O log files: %s"
iolog_group
	T_STR|T_BOOL
	"Group that will own the I/O log files: %s"
iolog_mode
	T_MODE
	"File mode to use for the I/O log files: 0%o"
# Per the header NOTE: boolean FALSE maps to "never", TRUE to
# "digest_only".
fdexec
	T_TUPLE|T_BOOL
	"Execute commands by file descriptor instead of by path: %s"
	never digest_only always
# When set, an unknown Defaults entry produces no warning (see
# description), so a misspelled hardening setting goes unnoticed.
ignore_unknown_defaults
	T_FLAG
	"Ignore unknown Defaults entries in sudoers instead of producing a warning"
command_timeout
	T_TIMEOUT|T_BOOL
	"Time in seconds after which the command will be terminated: %u"
user_command_timeouts
	T_FLAG
	"Allow the user to specify a timeout on the command line"
iolog_flush
	T_FLAG
	"Flush I/O log data to disk immediately instead of buffering it"
syslog_pid
	T_FLAG
	"Include the process ID when logging via syslog"
# Scope of a cached authentication.  No T_BOOL here, so the header NOTE
# about FALSE/TRUE does not apply.  NOTE(review): "global" presumably
# gives the widest reuse of one authentication -- confirm in sudoers(5).
timestamp_type
	T_TUPLE
	"Type of authentication timestamp record: %s"
	global ppid tty kernel
authfail_message
	T_STR
	"Authentication failure message: %s"
case_insensitive_user
	T_FLAG
	"Ignore case when matching user names"
case_insensitive_group
	T_FLAG
	"Ignore case when matching group names"
log_allowed
	T_FLAG
	"Log when a command is allowed by sudoers"
log_denied
	T_FLAG
	"Log when a command is denied by sudoers"
# Remote log server and its TLS settings.  log_server_verify controls
# validation of the server certificate; log_server_peer_key names a
# private key file, which should be readable by as few accounts as
# possible.
log_servers
	T_LIST|T_BOOL
	"Sudo log server(s) to connect to with optional port"
log_server_timeout
	T_TIMEOUT|T_BOOL
	"Sudo log server timeout in seconds: %u"
log_server_keepalive
	T_FLAG
	"Enable SO_KEEPALIVE socket option on the socket connected to the logserver"
log_server_cabundle
	T_STR|T_BOOL|T_PATH
	"Path to the audit server's CA bundle file: %s"
log_server_peer_cert
	T_STR|T_BOOL|T_PATH
	"Path to the sudoers certificate file: %s"
log_server_peer_key
	T_STR|T_BOOL|T_PATH
	"Path to the sudoers private key file: %s"
log_server_verify
	T_FLAG
	"Verify that the log server's certificate is valid"
# Permits a runas user or group ID that is not known (see description).
# NOTE(review): presumably this means numeric IDs with no matching
# account or group entry -- confirm.
runas_allow_unknown_id
	T_FLAG
	"Allow the use of unknown runas user and/or group ID"
runas_check_shell
	T_FLAG
	"Only permit running commands as a user with a valid shell"
pam_ruser
	T_FLAG
	"Set the pam remote user to the user running sudo"
pam_rhost
	T_FLAG
	"Set the pam remote host to the local host name"
# runcwd and runchroot change the directory context the command starts
# in.  NOTE(review): T_CHPATH is not described in the Format header;
# presumably a path type that also accepts a non-path value -- confirm
# against the generator.
runcwd
	T_STR|T_BOOL|T_CHPATH
	"Working directory to change to before executing the command: %s"
runchroot
	T_STR|T_BOOL|T_CHPATH
	"Root directory to change to before executing the command: %s"
# No T_BOOL here, so the header NOTE about FALSE/TRUE does not apply.
log_format
	T_TUPLE
	"The format of logs to produce: %s"
	sudo json
selinux
	T_FLAG
	"Enable SELinux RBAC support"
admin_flag
	T_STR|T_BOOL|T_CHPATH
	"Path to the file that is created the first time sudo is run: %s"
# Intercept mode applies sudoers restrictions to commands started by the
# original command and can log them (log_subcmds).
intercept
	T_FLAG
	"Intercept further commands and apply sudoers restrictions to them"
log_subcmds
	T_FLAG
	"Log sub-commands run by the original command"
log_exit_status
	T_FLAG
	"Log the exit status of commands"
intercept_authenticate
	T_FLAG
	"Subsequent commands in an intercepted session must be authenticated"
# Lets an intercepted command run setuid/setgid programs, which change
# privilege on their own.
# NOTE(review): "run set setuid" in the description has a duplicated
# word; left untouched here because the string is program output.
intercept_allow_setid
	T_FLAG
	"Allow an intercepted command to run set setuid or setgid programs"