--- /dev/null
+The following options may be used to configure sudo 1.3.1
+
+FQDN
+ Define this if you want to put fully qualified hostnames in the sudoers
+ file. Ie: instead of myhost you would use myhost.mydomain.edu.
+ Beware that turning FQDN on requires sudo to make DNS lookups which
+ may make sudo unusable if your DNS is totally hosed.
+ This is off by default.
+
+LOGGING
+ How you want to do your logging. Your choices are SLOG_SYSLOG, SLOG_FILE,
+ or SLOG_BOTH. Setting this to SYSLOG is nice because you can keep all
+ your sudo logs in one place. If you don't have syslog or if your syslog
+ is of an ancient vintage (4.2BSD, SunOS 3.x and all versions of Ultrix)
+ you should probably use FILE logging (the pathname for the log file is
+ in pathnames.h). If you are really serious about security you may want
+ to set LOGGING to SLOG_BOTH (to keep people from killing your syslog with
+ a denial of service attack while they do something nasty).
+ The default is to use SLOG_SYSLOG.
+
+LOGFAC
+ What syslog facility to log to. This requires a 4.3BSD or later
+ version of syslog. You can still set this for ancient syslogs
+ but it will have no effect.
+ The default is to use LOG_LOCAL2 but you may want to use LOG_AUTH.
+
+MAXLOGFILELEN
+ Number of characters per line for the file log. This is only
+ used if you are LOGGING to FILE or BOTH. MAXLOGFILELEN is used to
+ decide when to wrap lines for nicer log files. You can set it to MAXLOGLEN
+ if you don't want any word wrapping in your log files.
+ The default is 80.
+
+NO_ROOT_SUDO
+ Don't let root run sudo. This is historical from when doing "sudo sudo"
+ would give you a root shell. You probably don't want to define this.
+ This is off by default.
+
+SUDOERS_OWNER
+ Who should own the sudoers file. This must be a username, *not* a uid.
+ The default is "root" (remember the quotes).
+
+EXEMPTGROUP
+ If this is defined then the gid EXEMPTGROUP is set to doesn't need
+ to enter a password when running sudo. This may be useful for sites
+ that don't want their "core" sysadmins to have to enter a password
+ but where Jr. sysadmins need to.
+ This is of by default.
+
+ALERTMAIL
+ User that mail from sudo is sent to. This should go to a sysadmin
+ at your site.
+ The default is "root".
+
+SEND_MAIL_WHEN_NO_USER
+ Send mail to ALERMAIL if the user invoking sudo is not in the sudoers file.
+ You probably want this on so you can yell at people trying to use sudo
+ when they are not allowed to.
+ This is on by default.
+
+SEND_MAIL_WHEN_NOT_OK
+ Send mail to ALERMAIL if the user is allowed to use sudo but the
+ command they are trying is not listed in their sudoers file entry.
+ This is off by default.
+
+ENV_EDITOR
+ Makes visudo consult the EDITOR and VISUAL environmental variables
+ before falling back on the default editor. Note that this may create
+ a security hole as most editors allow a user to get a shell (which would
+ be a root shell and hence, no logging).
+ This is off by default.
+
+SHORT_MESSAGE
+ Omits the copyright message from the "lecture" one gets when running
+ sudo for the first time on a machine.
+ This is on by default.
+
+TIMEOUT
+ Number of minutes that can elapse before sudo will ask for a passwd again.
+ The default is 5.
+
+PASSWORD_TIMEOUT
+ Number of minutes before the sudo password prompt times out.
+ The default is 5.
+
+TRIES_FOR_PASSWORD
+ Number of tries a user gets to enter his/her password before sudo
+ logs the failure and exits.
+ The default is 3.
+
+USE_INSULTS
+ Define this if you want to be insulted for typing an incorrect password
+ just like the original sudo(8).
+ This is off by default.
+
+HAL
+ Uses 2001-like insults when an incorrect password is entered. You must
+ define USE_INSULTS as well for this to have any effect.
+ This is off by default.
+
+USE_EXECV
+ Use execv() to exec the command instead of execvp(). I can't think of
+ a reason to actually do this since execvp() is passed a fully qualified
+ pathname but someone might thoroughly distrust execvp(). Note that if
+ you define this you lose the ability to exec scripts that are missing the
+ '#!/bin/sh' cookie (like /bin/kill on sunos and /etc/fastboot on 4.3BSD).
+ This is off by default.
+
+EDITOR
+ This is the default editor used by visudo (and the only editor used unless
+ ENV_EDITOR is defined).
+ The default is _PATH_VI (where vi lives).
+
+MAILER
+ Mailer used to send mail when someone tries to sudo and access is denied.
+ As such, this should not be /usr/ucb/Mail or mailx. Sudo is setup to
+ use sendmail, but it should be possible to use smail as well.
+ The default is _PATH_SENDMAIL (where sendmail lives).
+
+UMASK
+ Umask to use when running the root command. If you do not define this
+ sudo will preserve the umask of the user invoking sudo.
+ The default is 0022.
+
+INCORRECT_PASSWORD
+ Message that is displayed if a user enters an incorrect password.
+ The default is "Sorry, try again."
+
+MAILSUBJECT
+ Subject of the mail sent to the ALERTMAIL user.
+ Default is "*** SECURITY information ***".
+
+SECURE_PATH
+ Path used for every command run from sudo(8). If you don't trust
+ the people running sudo to have a sane PATH environmental variable
+ you may want to define SECURE_PATH.
+ This is turned off by default.
--- /dev/null
+/*
+ * CU sudo version 1.3.1
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 1, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * Please send bugs, changes, problems to sudo-bugs@cs.colorado.edu
+ */
+
+/* XXX - this should be include *AFTER* sudo.h */
+
+#ifndef _SUDO_OPTIONS_H
+#define _SUDO_OPTINOS_H
+
+/*
+ * DANGER DANGER DANGER!
+ * Before you change anything here read through the OPTIONS file
+ * for a description of what this stuff does.
+ */
+
+/* Configurable Sudo options */
+
+/*#define FQDN /* expect fully qualified hosts in sudoers */
+#define LOGGING SLOG_SYSLOG /* log via SLOG_SYSLOG, SLOG_FILE, SLOG_BOTH */
+#define LOGFAC LOG_LOCAL2 /* syslog facility for sudo to use */
+#define MAXLOGFILELEN 80 /* max chars per log line (for line wrapping) */
+/*#define NO_ROOT_SUDO /* root is not allowed to use sudo */
+#define SUDOERS_OWNER "root" /* sudoers file owner (usually root) */
+/*#define EXEMPTGROUP 100 /* no passwd needed for users in this group */
+#define ALERTMAIL "root" /* user that gets sudo mail */
+#define SEND_MAIL_WHEN_NO_USER /* send mail when user not in sudoers file */
+/*#define SEND_MAIL_WHEN_NOT_OK /* send mail if no permissions to run command */
+/*#define ENV_EDITOR /* visudo honors EDITOR and VISUAL envars */
+#define SHORT_MESSAGE /* short sudo message, no copyright printed */
+#define TIMEOUT 5 /* minutes before sudo asks for passwd again */
+#define PASSWORD_TIMEOUT 5 /* passwd prompt timeout (in minutes) */
+#define TRIES_FOR_PASSWORD 3 /* number of tries to enter passwd correctly */
+/*#define USE_INSULTS /* insult the user for incorrect passwords */
+/*#define HAL /* 2001-like insults--must define USE_INSULTS */
+/*#define USE_EXECV /* use execv() instead of execvp() */
+#define EDITOR _PATH_VI /* default editor to use */
+#define MAILER _PATH_SENDMAIL /* what mailer to use */
+#define UMASK 0022 /* umask that the root-run prog should use */
+#define INCORRECT_PASSWORD "Sorry, try again." /* message for bad passwd */
+#define MAILSUBJECT "*** SECURITY information ***" /* subject of mail sent */
+/*#define SECURE_PATH "/bin:/usr/ucb:/usr/bin:/usr/etc:/etc" /* secure path */
+
+/********** You probably don't want to modify anything below here ***********/
+
+#ifdef USE_EXECV
+# define EXEC execv
+#else
+# define EXEC execvp
+#endif /* USE_EXECV */
+
+/*
+ * syslog(3) parameters
+ */
+
+#if (LOGGING & SLOG_SYSLOG)
+# include <syslog.h>
+# ifndef Syslog_ident
+# define Syslog_ident "sudo"
+# endif
+# ifndef Syslog_options
+# define Syslog_options 0
+# endif
+# if !defined(Syslog_facility) && defined(LOG_NFACILITIES)
+# define Syslog_facility LOGFAC
+# endif
+# ifndef Syslog_priority_OK
+# define Syslog_priority_OK LOG_NOTICE
+# endif
+# ifndef Syslog_priority_NO
+# define Syslog_priority_NO LOG_ALERT
+# endif
+#endif /* LOGGING & SLOG_SYSLOG */
+
+#endif /* _SUDO_OPTIONS_H */
projects / sudo / commitdiff