the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory
is a fully qualified path name ending in a `/'. When you specify a
directory in a Cmnd_List, the user will be able to run any file within
- that directory (but not in any subdirectories therein).
+ that directory (but not in any sub-directories therein).
If a Cmnd has associated command line arguments, then the arguments in
the Cmnd must match exactly those given by the user on the command line
D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values at
- runtime via one or more Default_Entry lines. These may affect all users
+ run-time via one or more Default_Entry lines. These may affect all users
on any host, all users on a specific host, a specific user, a specific
command, or commands being run as a specific user. Note that per-command
entries may not include command line arguments. If you need to specify
SELinux role and/or type associated with a command. If a role or type is
specified with the command it will override any default values specified
in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line, however, will
- supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ supersede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
S\bSo\bol\bla\bar\bri\bis\bs_\b_P\bPr\bri\biv\bv_\b_S\bSp\bpe\bec\bc
On Solaris systems, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally specify Solaris
without a password. Additionally, a user may only run ``sudo -v''
without a password if the NOPASSWD tag is present for all a user's
entries that pertain to the current host. This behavior may be
- overridden via the verifypw and listpw options.
+ overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and _\bl_\bi_\bs_\bt_\bp_\bw options.
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
When matching the command line arguments, however, a slash d\bdo\boe\bes\bs get
matched by wildcards since command line arguments may contain arbitrary
- strings and not just pathnames.
+ strings and not just path names.
Wildcards in command line arguments should be used with care. Because
command line arguments are matched as a single, concatenated string, a
$ sudo cat /var/log/messages /etc/shadow
- which is probaby not what was intended.
+ which is probably not what was intended.
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
The following exceptions apply to the above rules:
with a\ban\bny\by arguments.
sudoedit Command line arguments to the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt built-in command should
- always be pathnames, so a forward slash (`/') will not be
+ always be path names, so a forward slash (`/') will not be
matched by a wildcard.
I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
Long lines can be continued with a backslash (`\') as the last character
on the line.
- Whitespace between elements in a list as well as special syntactic
+ White space between elements in a list as well as special syntactic
characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn (`=', `:', `(', `)') is optional.
The following characters must be escaped with a backslash (`\') when used
since it accesses the file system, glob(3) can take a
long time to complete for some patterns, especially
when the pattern references a network file system that
- is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ is mounted on demand (auto mounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
option causes s\bsu\bud\bdo\bo to use the fnmatch(3) function,
which does not access the file system to do its
matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
flag is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. In other words, instead of
- myhost you would use myhost.mydomain.edu. You may
- still use the short form if you wish (and even mix the
- two). Beware that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to
- make DNS lookups which may make s\bsu\bud\bdo\bo unusable if DNS
- stops working (for example if the machine is not
- plugged into the network). Also note that you must use
- the host's official name as DNS knows it. That is, you
- may not use a host alias (CNAME entry) due to
- performance issues and the fact that there is no way to
- get all aliases from DNS. If your machine's host name
- (as returned by the hostname command) is already fully
- qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
- _\bo_\bf_\bf by default.
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file when the local host name (as
+ returned by the hostname command) does not contain the
+ domain name. In other words, instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). This
+ option is only effective when the ``canonical'' host
+ name, as returned by the g\bge\bet\bta\bad\bdd\bdr\bri\bin\bnf\bfo\bo() or
+ g\bge\bet\bth\bho\bos\bst\btb\bby\byn\bna\bam\bme\be() function, is a fully-qualified domain
+ name. This is usually the case when the system is
+ configured to use DNS for host name resolution.
+
+ If the system is configured to use the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file
+ in preference to DNS, the ``canonical'' host name may
+ not be fully-qualified. The order that sources are
+ queried for hosts name resolution is usually specified
+ in the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf,
+ _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\b._\bc_\bo_\bn_\bf, or, in some cases, _\b/_\be_\bt_\bc_\b/_\br_\be_\bs_\bo_\bl_\bv_\b._\bc_\bo_\bn_\bf
+ file. In the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file, the first host name of
+ the entry is considered to be the ``canonical'' name;
+ subsequent names are aliases that are not used by
+ s\bsu\bud\bdo\boe\ber\brs\bs. For example, the following hosts file line
+ for the machine ``xyzzy'' has the fully-qualified
+ domain name as the ``canonical'' host name, and the
+ short version as an alias.
+
+ 192.168.1.1 xyzzy.sudo.ws xyzzy
+
+ If the machine's hosts file entry is not formatted
+ properly, the _\bf_\bq_\bd_\bn option will not be effective if it
+ is queried before DNS.
+
+ Beware that when using DNS for host name resolution,
+ turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\boe\ber\brs\bs to make DNS lookups
+ which renders s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is disconnected from the
+ network). Also note that just like with the hosts
+ file, you must use the ``canonical'' name as DNS knows
+ it. That is, you may not use a host alias (CNAME
+ entry) due to performance issues and the fact that
+ there is no way to get all aliases from DNS.
+
+ This flag is _\bo_\bf_\bf by default.
ignore_dot If set, s\bsu\bud\bdo\bo will ignore "." or "" (both denoting
current directory) in the PATH environment variable;
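Review bot: The added paragraph "If the machine's hosts file entry is not formatted properly, the fqdn option will not be effective if it is queried before DNS" leaves both "formatted properly" and "it" undefined. The preceding paragraph already gives the rule (the first name on the hosts line is the ``canonical'' one), so say it directly, for example: "If the fully-qualified name is not the first host name on the machine's hosts file line, and the hosts file is queried before DNS, the fqdn option will have no effect." It would also help to state what the administrator then observes for sudoers rules written with the fully-qualified name.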
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
of the password of the invoking user. In addition, the
- timestamp file name will include the target user's
+ time stamp file name will include the target user's
name. Note that this flag precludes the use of a uid
not listed in the passwd database as an argument to the
-\b-u\bu option. This flag is _\bo_\bf_\bf by default.
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
this to 0 to always prompt for a password. If set to a
- value less than 0 the user's timestamp will never
+ value less than 0 the user's time stamp will never
expire. This can be used to allow users to create or
- delete their own timestamps via ``sudo -v'' and ``sudo
+ delete their own time stamps via ``sudo -v'' and ``sudo
-k'' respectively.
umask Umask to use when running the command. Negate this
locale may affect how sudoers is interpreted. Defaults
to ``C''.
- timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
- The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its time stamp
+ files. The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
- timestampowner The owner of the timestamp directory and the timestamps
- stored therein. The default is root.
+ timestampowner The owner of the time stamp directory and the time
+ stamps stored therein. The default is root.
type The default SELinux type to use when constructing a new
security context to run the command. The default type
may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
+ available when s\bsu\bud\bdo\bo is built with SELinux support.
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
s\bsu\bud\bdo\boe\ber\brs\bs can log events using either syslog(3) or a simple log file. In
each case the log format is almost identical.
- C\bCo\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ A\bAc\bcc\bce\bep\bpt\bte\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
Commands that sudo runs are logged using the following format (split into
multiple lines for readability):
Messages are logged using the locale specified by _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be, which
defaults to the ``C'' locale.
- E\bEr\brr\bro\bor\br l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
- If there was a problem running the command, an error string will follow
- the user name. Possible errors include:
+ D\bDe\ben\bni\bie\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ If the user is not allowed to run the command, the reason for the denial
+ will follow the user name. Possible reasons include:
user NOT in sudoers
The user is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
commands on the host.
command not allowed
- The user is listed in the sudoers file for the host but they are not
+ The user is listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file for the host but they are not
allowed to run the specified command.
3 incorrect password attempts
a password is required
s\bsu\bud\bdo\bo's -\b-n\bn option was specified but a password was required.
+ sorry, you are not allowed to set the following environment variables
+ The user specified environment variables on the command line that were
+ not allowed by _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ E\bEr\brr\bro\bor\br l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ If an error occurs, s\bsu\bud\bdo\boe\ber\brs\bs will log a message and, in most cases, send a
+ message to the administrator via email. Possible errors include:
+
+ parse error in /etc/sudoers near line N
+ s\bsu\bud\bdo\boe\ber\brs\bs encountered an error when parsing the specified file. In some
+ cases, the actual error may be one line above or below the line number
+ listed, depending on the type of error.
+
+ problem with defaults entries
+ The sudoers file contains one or more unknown Defaults settings. This
+ does not prevent s\bsu\bud\bdo\bo from running, but the sudoers file should be
+ checked using v\bvi\bis\bsu\bud\bdo\bo.
+
+ timestamp owner (@timestampowner@): No such user
+ The time stamp directory owner, which defaults to @timestampowner@ but
+ which may be specified via the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br setting, could not be
+ found in the password database.
+
+ unable to open/read /etc/sudoers
+ The sudoers file could not be opened for reading. This can happen
+ when the sudoers file is located on a remote file system that maps
+ user ID 0 to a different value. Normally, s\bsu\bud\bdo\boe\ber\brs\bs tries to open
+ sudoers using group permissions to avoid this problem. Consider
+ changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs by adding an option like
+ ``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers
+ file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ unable to stat /etc/sudoers
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file is missing.
+
+ /etc/sudoers is not a regular file
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file exists but is not a regular file or symbolic
+ link.
+
+ /etc/sudoers is owned by uid N, should be 0
+ The sudoers file has the wrong owner. If you wish to change the
+ sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
+ user ID that owns the sudoers file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin line in the
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ /etc/sudoers is world writable
+ The permissions on the sudoers file allow all users to write to it.
+ The sudoers file must not be world-writable, the default file mode is
+ 0440 (readable by owner and group, writable by none). The default
+ mode may be changed via the ``sudoers_mode'' option to the s\bsu\bud\bdo\boe\ber\brs\bs
+ plugin line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ /etc/sudoers is owned by gid N, should be 1
+ The sudoers file has the wrong group ownership. If you wish to change
+ the sudoers file group ownership, please add ``sudoers_gid=N'' (where
+ `N' is the group ID that owns the sudoers file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin
+ line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ unable to open /var/adm/sudo/username/ttyname
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to read or create the user's time stamp file.
+
+ unable to write to /var/adm/sudo/username/ttyname
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to write to the user's time stamp file.
+
+ unable to mkdir to /var/adm/sudo/username
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to create the user's time stamp directory.
+
N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg v\bvi\bia\ba s\bsy\bys\bsl\blo\bog\bg
By default, _\bs_\bu_\bd_\bo_\be_\br_\bs logs messages via syslog(3). The _\bd_\ba_\bt_\be, _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be, and
_\bp_\br_\bo_\bg_\bn_\ba_\bm_\be fields are added by the syslog daemon, not _\bs_\bu_\bd_\bo_\be_\br_\bs itself. As
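Review bot: The generated text still contains the unexpanded placeholder in "timestamp owner (@timestampowner@): No such user" and in "defaults to @timestampowner@", while the other placeholders in this hunk were expanded (/etc/sudoers, /var/adm/sudo). The timestampowner option entry earlier in the same file states the default literally as root, so either make the substitution work for this entry or use the literal here too, then regenerate the cat page. Separately, "should be 0" and "should be 1" are written as fixed values even though the same entries explain that sudoers_uid and sudoers_gid change the expected owner; a note that these are the defaults would avoid confusion when matching real log lines.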
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.6b4 July 16, 2012 Sudo 1.8.6b4
+Sudo 1.8.6 July 16, 2012 Sudo 1.8.6
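Review bot: The footer version changes from 1.8.6b4 to 1.8.6 but the date stays July 16, 2012, although this revision rewrites the fqdn description and adds the denied/error log entry lists. Update the date in the manual source so the generated footer reflects the last content change.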
When you specify a directory in a
\fRCmnd_List\fR,
the user will be able to run any file within that directory
-(but not in any subdirectories therein).
+(but not in any sub-directories therein).
.PP
If a
\fRCmnd\fR
It may take command line arguments just as a normal command does.
.SS "Defaults"
Certain configuration options may be changed from their default
-values at runtime via one or more
+values at run-time via one or more
\fRDefault_Entry\fR
lines.
These may affect all users on any host, all users on a specific host, a
specified in
\fIsudoers\fR.
A role or type specified on the command line,
-however, will supercede the values in
+however, will supersede the values in
\fIsudoers\fR.
.SS "Solaris_Priv_Spec"
On Solaris systems,
without a password if the
\fRNOPASSWD\fR
tag is present for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
+This behavior may be overridden via the
+\fIverifypw\fR
+and
+\fIlistpw\fR
+options.
.PP
\fINOEXEC and EXEC\fR
.PP
When matching the command line arguments, however, a slash
\fBdoes\fR
get matched by wildcards since command line arguments may contain
-arbitrary strings and not just pathnames.
+arbitrary strings and not just path names.
.PP
Wildcards in command line arguments should be used with care.
Because command line arguments are matched as a single, concatenated
.RE
.fi
.PP
-which is probaby not what was intended.
+which is probably not what was intended.
.SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.TP 10n
sudoedit
Command line arguments to the
\fIsudoedit\fR
-built-in command should always be pathnames, so a forward slash
+built-in command should always be path names, so a forward slash
(`/')
will not be matched by a wildcard.
.SS "Including other files from within sudoers"
(`\e')
as the last character on the line.
.PP
-Whitespace between elements in a list as well as special syntactic
+White space between elements in a list as well as special syntactic
characters in a
\fIUser Specification\fR
(`=\&',
glob(3)
can take a long time to complete for some patterns, especially
when the pattern references a network file system that is mounted
-on demand (automounted).
+on demand (auto mounted).
The
\fIfast_glob\fR
option causes
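Review bot: "on demand (auto mounted)" splits an established term into two words, which reads as "auto" modifying a separate verb. Keep "automounted" or use the hyphenated "auto-mounted"; the cat page is generated from this line and inherits the same wording.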
fqdn
Set this flag if you want to put fully qualified host names in the
\fIsudoers\fR
-file.
+file when the local host name (as returned by the
+\fRhostname\fR
+command) does not contain the domain name.
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
-Beware that turning on
+This option is only effective when the
+``canonical''
+host name, as returned by the
+\fBgetaddrinfo\fR()
+or
+\fBgethostbyname\fR()
+function, is a fully-qualified domain name.
+This is usually the case when the system is configured to use DNS
+for host name resolution.
+.sp
+If the system is configured to use the
+\fI/etc/hosts\fR
+file in preference to DNS, the
+``canonical''
+host name may not be fully-qualified.
+The order that sources are queried for hosts name resolution
+is usually specified in the
+\fI@nsswitch_conf@\fR,
+\fI@netsvc_conf@\fR,
+\fI/etc/host.conf\fR,
+or, in some cases,
+\fI/etc/resolv.conf\fR
+file.
+In the
+\fI/etc/hosts\fR
+file, the first host name of the entry is considered to be the
+``canonical''
+name; subsequent names are aliases that are not used by
+\fBsudoers\fR.
+For example, the following hosts file line for the machine
+``xyzzy''
+has the fully-qualified domain name as the
+``canonical''
+host name, and the short version as an alias.
+.sp
+.RS 6n
+192.168.1.1 xyzzy.sudo.ws xyzzy
+.RE
+.sp
+If the machine's hosts file entry is not formatted properly, the
+\fIfqdn\fR
+option will not be effective if it is queried before DNS.
+.sp
+Beware that when using DNS for host name resolution, turning on
\fIfqdn\fR
requires
+\fBsudoers\fR
+to make DNS lookups which renders
\fBsudo\fR
-to make DNS lookups which may make
-\fBsudo\fR
-unusable if DNS stops working (for example if the machine is not plugged
-into the network).
-Also note that you must use the host's official name as DNS knows it.
+unusable if DNS stops working (for example if the machine is disconnected
+from the network).
+Also note that just like with the hosts file, you must use the
+``canonical''
+name as DNS knows it.
That is, you may not use a host alias
(\fRCNAME\fR
entry)
due to performance issues and the fact that there is no way to get all
aliases from DNS.
-If your machine's host name (as returned by the
-\fRhostname\fR
-command) is already fully qualified you shouldn't need to set
-\fIfqdn\fR.
+.sp
This flag is
\fI@fqdn@\fR
by default.
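Review bot: Typo in the added sentence "The order that sources are queried for hosts name resolution": it should read "host name resolution", as the rest of the entry does. The same sentence lists four candidate files and ends with the singular "file"; "in one of the ... files" would read correctly. The cat page carries the same text and needs regenerating after the fix.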
option (defaults to
\fRroot\fR)
instead of the password of the invoking user.
-In addition, the timestamp file name will include the target user's name.
+In addition, the time stamp file name will include the target user's name.
Note that this flag precludes the use of a uid not listed in the passwd
database as an argument to the
\fB\-u\fR
to always prompt for a password.
If set to a value less than
\fR0\fR
-the user's timestamp will never expire.
-This can be used to allow users to create or delete their own timestamps via
+the user's time stamp will never expire.
+This can be used to allow users to create or delete their own time stamps via
``\fRsudo -v\fR''
and
``\fRsudo -k\fR''
timestampdir
The directory in which
\fBsudo\fR
-stores its timestamp files.
+stores its time stamp files.
The default is
\fI@timedir@\fR.
.TP 18n
timestampowner
-The owner of the timestamp directory and the timestamps stored therein.
+The owner of the time stamp directory and the time stamps stored therein.
The default is
\fRroot\fR.
.TP 18n
The default type may be overridden on a per-command basis in
\fIsudoers\fR
or via command line options.
-This option is only available whe
+This option is only available when
\fBsudo\fR
is built with SELinux support.
.PP
syslog(3)
or a simple log file.
In each case the log format is almost identical.
-.SS "Command log entries"
+.SS "Accepted command log entries"
Commands that sudo runs are logged using the following format (split
into multiple lines for readability):
.nf
which defaults to the
``\fRC\fR''
locale.
-.SS "Error log entries"
-If there was a problem running the command, an error string will follow
-the user name.
-Possible errors include:
+.SS "Denied command log entries"
+If the user is not allowed to run the command, the reason for the denial
+will follow the user name.
+Possible reasons include:
.TP 3n
user NOT in sudoers
The user is not listed in the
.TP 3n
command not allowed
The user is listed in the
-sudoers
+\fIsudoers\fR
file for the host but they are not allowed to run the specified command.
.TP 3n
3 incorrect password attempts
\fBsudo\fR's
\fB\-n\fR
option was specified but a password was required.
+.TP 3n
+sorry, you are not allowed to set the following environment variables
+The user specified environment variables on the command line that
+were not allowed by
+\fIsudoers\fR.
+.SS "Error log entries"
+If an error occurs,
+\fBsudoers\fR
+will log a message and, in most cases, send a message to the
+administrator via email.
+Possible errors include:
+.TP 3n
+parse error in @sysconfdir@/sudoers near line N
+\fBsudoers\fR
+encountered an error when parsing the specified file.
+In some cases, the actual error may be one line above or below the
+line number listed, depending on the type of error.
+.TP 3n
+problem with defaults entries
+The sudoers file contains one or more unknown Defaults settings.
+This does not prevent
+\fBsudo\fR
+from running, but the sudoers file should be checked using
+\fBvisudo\fR.
+.TP 3n
+timestamp owner (@timestampowner@): \&No such user
+The time stamp directory owner, which defaults to
+@timestampowner@ but which may be specified via the
+\fItimestampowner\fR
+setting, could not be found in the password database.
+.TP 3n
+unable to open/read @sysconfdir@/sudoers
+The sudoers file could not be opened for reading.
+This can happen when the sudoers file is located on a remote
+file system that maps user ID 0 to a different value.
+Normally,
+\fBsudoers\fR
+tries to open sudoers using group permissions to avoid this problem.
+Consider changing the ownership of
+\fI@sysconfdir@/sudoers\fR
+by adding an option like
+``sudoers_uid=N''
+(where
+`N'
+is the user ID that owns the sudoers file)
+to the
+\fBsudoers\fR
+plugin line in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 3n
+unable to stat @sysconfdir@/sudoers
+The
+\fI@sysconfdir@/sudoers\fR
+file is missing.
+.TP 3n
+@sysconfdir@/sudoers is not a regular file
+The
+\fI@sysconfdir@/sudoers\fR
+file exists but is not a regular file or symbolic link.
+.TP 3n
+@sysconfdir@/sudoers is owned by uid N, should be 0
+The sudoers file has the wrong owner.
+If you wish to change the sudoers file owner, please add
+``sudoers_uid=N''
+(where
+`N'
+is the user ID that owns the sudoers file) to the
+\fBsudoers\fR
+plugin line in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 3n
+@sysconfdir@/sudoers is world writable
+The permissions on the sudoers file allow all users to write to it.
+The sudoers file must not be world-writable, the default file mode
+is 0440 (readable by owner and group, writable by none).
+The default mode may be changed via the
+``sudoers_mode''
+option to the
+\fBsudoers\fR
+plugin line in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 3n
+@sysconfdir@/sudoers is owned by gid N, should be 1
+The sudoers file has the wrong group ownership.
+If you wish to change the sudoers file group ownership, please add
+``sudoers_gid=N''
+(where
+`N'
+is the group ID that owns the sudoers file) to the
+\fBsudoers\fR
+plugin line in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 3n
+unable to open @timedir@/username/ttyname
+\fIsudoers\fR
+was unable to read or create the user's time stamp file.
+.TP 3n
+unable to write to @timedir@/username/ttyname
+\fIsudoers\fR
+was unable to write to the user's time stamp file.
+.TP 3n
+unable to mkdir to @timedir@/username
+\fIsudoers\fR
+was unable to create the user's time stamp directory.
.SS "Notes on logging via syslog"
By default,
\fIsudoers\fR
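Review bot: In the "unable to open/read @sysconfdir@/sudoers" entry, "Consider changing the ownership of @sysconfdir@/sudoers by adding an option like sudoers_uid=N" conflates two steps. By the entry's own gloss ("where N is the user ID that owns the sudoers file") the option names the owner sudoers expects; it does not change who owns the file. Spell out both steps: change the file's owner, then add sudoers_uid=N to the plugin line so the ownership check accepts it. Since this relaxes the owner check on the policy file, the entry should also say that N must be an account only the administrator controls. Style point: the three time stamp entries at the end use \fIsudoers\fR as the subject ("was unable to ..."), while the earlier entries in this hunk use \fBsudoers\fR for the plugin and reserve the italic form for the file; use \fBsudoers\fR there as well.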