+++ /dev/null
-The following options may be used to configure sudo 1.4
-
-RUNAS_DEFAULT
- The default user to run commands as if the -u flag is not specified
- on the command line. This defaults to "root".
-
-FQDN
- Define this if you want to put fully qualified hostnames in the sudoers
- file. Ie: instead of myhost you would use myhost.mydomain.edu.
- You may still use the short form if you wish (and even mix the two).
- Beware that turning FQDN on requires sudo to make DNS lookups which
- may make sudo unusable if your DNS is totally hosed.
- Also note that you must use the host's official name as DNS knows it.
- That is, you may not use a host alias (CNAME entry) due to performance
- issues and the fact that there is no way to get all aliases from DNS.
- This is off by default.
-
-LOGGING
- How you want to do your logging. Your choices are SLOG_SYSLOG, SLOG_FILE,
- or SLOG_BOTH. Setting this to SYSLOG is nice because you can keep all
- your sudo logs in one place. If you don't have syslog or if your syslog
- is of an ancient vintage (4.2BSD, SunOS 3.x and all versions of Ultrix)
- you should probably use FILE logging (the pathname for the log file is
- in pathnames.h). If you are really serious about security you may want
- to set LOGGING to SLOG_BOTH (to keep people from killing your syslog with
- a denial of service attack while they do something nasty).
- The default is to use SLOG_SYSLOG.
-
-LOGFAC
- What syslog facility to log to. This requires a 4.3BSD or later
- version of syslog. You can still set this for ancient syslogs
- but it will have no effect.
- The default is to use LOG_LOCAL2 but you may want to use LOG_AUTH.
-
-MAXLOGFILELEN
- Number of characters per line for the file log. This is only
- used if you are LOGGING to FILE or BOTH. MAXLOGFILELEN is used to
- decide when to wrap lines for nicer log files. You can set it to 0
- if you don't want any word wrapping in your log files.
- The default is 80.
-
-NO_ROOT_SUDO
- Don't let root run sudo. This can be used to prevent people from
- "chaining" sudo commands to get a root shell by doing something
- like "sudo sudo /bin/sh".
- This is off by default.
-
-ALERTMAIL
- User that mail from sudo is sent to. This should go to a sysadmin
- at your site.
- The default is "root".
-
-SEND_MAIL_WHEN_NO_USER
- Send mail to ALERMAIL if the user invoking sudo is not in the sudoers file.
- You probably want this on so you can yell at people trying to use sudo
- when they are not allowed to.
- This is on by default.
-
-SEND_MAIL_WHEN_NOT_OK
- Send mail to ALERMAIL if the user is allowed to use sudo but the
- command they are trying is not listed in their sudoers file entry.
- This is off by default.
-
-EXEMPTGROUP
- If this is defined then users in the group defined by EXEMPTGROUP
- don't need to enter a password when running sudo. This may be useful
- for sites that don't want their "core" sysadmins to have to enter
- a password but where Jr. sysadmins need to.
- This is off by default.
-
-ENV_EDITOR
- Makes visudo consult the EDITOR and VISUAL environmental variables
- before falling back on the default editor. Note that this may create
- a security hole as most editors allow a user to get a shell (which would
- be a root shell and hence, no logging).
- This is off by default.
-
-SHORT_MESSAGE
- Omits the copyright message from the "lecture" one gets when running
- sudo for the first time on a machine.
- This is on by default.
-
-NO_MESSAGE
- Omits the "lecture" one gets when running sudo for the first time
- on a machine.
- This is off by default.
-
-TIMEOUT
- Number of minutes that can elapse before sudo will ask for a passwd again.
- The default is 5, set this to 0 to always prompt for a password.
-
-PASSWORD_TIMEOUT
- Number of minutes before the sudo password prompt times out.
- The default is 5, set this to 0 for no password timeout.
-
-TRIES_FOR_PASSWORD
- Number of tries a user gets to enter his/her password before sudo
- logs the failure and exits.
- The default is 3.
-
-USE_INSULTS
- Define this if you want to be insulted for typing an incorrect password
- just like the original sudo(8).
- This is off by default.
-
-CLASSIC_INSULTS
- Uses insults from sudo "classic." If you just define USE_INSULTS
- you will get the classic and CSOps insults.
- This is on by default if USE_INSULTS is defined.
-
-HAL_INSULTS
- Uses 2001-like insults when an incorrect password is entered. You must
- define USE_INSULTS as well for this to have any effect.
- This is off by default.
-
-GOONS_INSULTS
- Insults the user with lines from the "Goon Show" when an incorrect
- password is entered. You must define USE_INSULTS as well for this
- to have any effect.
- This is off by default.
-
-CSOPS_INSULTS
- Insults the user with an extra set of insults (some quotes, some original)
- from a sysadmin group at CU (CSOps). You must define USE_INSULTS as well
- for this to have any effect.
- This is on by default if USE_INSULTS is defined.
-
-EDITOR
- This is the default editor used by visudo (and the only editor used unless
- ENV_EDITOR is defined).
- The default is _PATH_VI (where vi lives).
-
-MAILER
- Mailer used to send mail when someone tries to sudo and access is denied.
- As such, this should not be /usr/ucb/Mail or mailx. Sudo is setup to
- use sendmail, but it should be possible to use smail as well.
- The default is _PATH_SENDMAIL (where sendmail lives).
-
-UMASK
- Umask to use when running the root command. If you do not define this
- sudo will preserve the umask of the user invoking sudo.
- The default is 0022.
-
-INCORRECT_PASSWORD
- Message that is displayed if a user enters an incorrect password.
- The default is "Sorry, try again."
-
-MAILSUBJECT
- Subject of the mail sent to the ALERTMAIL user. The token "%h"
- will expand to the hostname of the machine.
- Default is "*** SECURITY information for %h ***".
-
-PASSPROMPT
- Default prompt to use when asking for a password. Can be overridden
- via the -p option. Supports two escapes: "%u" expands to the
- user's login name and "%h" expands to the local hostname.
- Default is "Password:".
-
-SECURE_PATH
- Path used for every command run from sudo(8). If you don't trust
- the people running sudo to have a sane PATH environmental variable
- you may want to define SECURE_PATH. Another use is if you want to
- have the "root path" be separate from the "user path." You will
- need to customize the path for your site.
- NOTE: SECURE_PATH is not applied to users in the EXEMPTGROUP.
- This is off by default.
-
-IGNORE_DOT_PATH
- If defined, sudo will ignore '.' or '' (current dir) in $PATH.
- The $PATH itself is not modified.
- This is off by default.
-
-USE_EXECV
- Use execv() to exec the command instead of execvp(). I can't think of
- a reason to actually do this since execvp() is passed a fully qualified
- pathname but someone might thoroughly distrust execvp(). Note that if
- you define this you lose the ability to exec scripts that are missing the
- '#!/bin/sh' cookie (like /bin/kill on sunos and /etc/fastboot on 4.3BSD).
- This is off by default.
-
-SHELL_IF_NO_ARGS
- If sudo is invoked with no arguments it acts as if the "-s" flag
- had been given. Namely, it runs a shell as root (the shell is
- determined by the SHELL envariable, falling back on the shell listed
- in the invoking user's /etc/passwd entry).
- This is off by default.
-
-SHELL_SETS_HOME
- If sudo is invoked with the "-s" flag the HOME environmental variable
- will be set to the home directory of the target user (which is root
- unless the "-u" option is used). This option effectively makes the
- "-s" flag imply "-H".
- This is off by default.
-
-USE_TTY_TICKETS
- This makes sudo use a different ticket file for each tty (per user).
- Ie: instead of the ticket file being "username" it is "username.tty".
- This offers increased security in an open lab or with "shared"
- accounts like "operator." Note that this means that there will
- be more files in the timestamp dir. This is not a problem is your
- system has a cron job to remove of files from /tmp (or wherever
- you specified the timestamp dir to be).
- This feature is off by default.
-
-STUB_LOAD_INTERFACES
- This option keeps sudo from trying to glean the ip address from
- each attached ethernet interface. It is only useful on a machine
- where sudo's interface reading support does not work, which may
- be the case on some SysV-based OS's.
-
-FAST_MATCH
- When matching a given command to a path listed in the sudoers file,
- only check the inodes for a match if the basenames match.
- If you want links to a command to be allowed then you should turn
- this off, but it will make things take a little longer.
- This is on by default.
-
-OTP_ONLY
- When validating the user, only allow a One Time Password (OTP)
- passkey. Do not compare against the passwd file or use any
- other authentication scheme. This is only useful if you want
- to force people to use s/key or opie.
- This feature is off by default.
-
-LONG_OTP_PROMPT
- When validating with a One Time Password scheme (s/key or opie)
- a two-line prompt is used to make it easier to cut and paste
- the challenge to a local window. It's not as pretty as the
- default but some people find it more convenient.
- This feature is off by default.
-
-SUDOERS_MODE
- File mode for the sudoers file (octal). Note that if you
- wish to NFS-mount the sudoers file this must be group
- readable. Also Note that this is usually set in the Makefile.
- The default mode is 0440.
-
-SUDOERS_UID
- User id that "owns" the sudoers file. Note that this is the
- numeric id, *not* the symbolic name. Also Note that this is
- usually set in the Makefile.
- The default is 0.
-
-SUDOERS_GID
- Group id that "owns" the sudoers file. Note that this is the
- numeric id, *not* the symbolic name. Also note that this is
- usually set in the Makefile.
- The default is 0.
projects / sudo / commitdiff