=item set_logname
-Normally, B<sudo> will set the C<LOGNAME> and C<USER> environment variables
-to the name of the target user (usually root unless the B<-u> flag is given).
-However, since some programs (including the RCS revision control system)
-use C<LOGNAME> to determine the real identity of the user, it may be desirable
-to change this behavior. This can be done by negating the set_logname option.
-Note that if the I<env_reset> option has not been disabled, entries in
-the I<env_keep> list will override the value of I<set_logname>.
+Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
+environment variables to the name of the target user (usually root
+unless the B<-u> flag is given). However, since some programs
+(including the RCS revision control system) use C<LOGNAME> to
+determine the real identity of the user, it may be desirable to
+change this behavior. This can be done by negating the set_logname
+option. Note that if the I<env_reset> option has not been disabled,
+entries in the I<env_keep> list will override the value of
+I<set_logname>.
=item stay_setuid
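Review bot: The last sentence of the added paragraph ("entries in the I<env_keep> list will override the value of I<set_logname>") is carried over unchanged, but the env_keep hunk later in this patch replaces "This list has no default members." with a default list. The paragraph should say whether C<LOGNAME>, C<USER> or C<USERNAME> are in that default list, because if they are, set_logname has no effect under the default I<env_reset> and programs that use C<LOGNAME> to identify the user will see the caller's value.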
=item env_reset
If set, B<sudo> will reset the environment to only contain the
-following variables: C<DISPLAY>, C<HOME>, C<LOGNAME>, C<PATH>,
-C<SHELL>, C<TERM>, C<TZ> and C<USER> (in addition to the C<SUDO_*>
-variables). Of these, only C<DISPLAY>, C<PATH>, C<TZ> and C<TERM>
-are copied unaltered from the old environment. The other variables
-are set to default values (possibly modified by the value of the
-I<set_logname> option). If the I<secure_path> option is set, its
-value will be used for the C<PATH> environment variable. Other
-variables may be preserved via the I<env_keep> option.
+LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
+variables in the caller's environment that match the C<env_keep>
+and C<env_check> lists are then added. The default contents of the
+C<env_keep> and C<env_check> lists are displayed when B<sudo> is
+run by root with the I<-V> option. If the I<secure_path> option
+is set, its -value will be used for the C<PATH> environment variable.
This flag is I<on> by default.
=item use_loginclass
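Review bot: The added line "is set, its -value will be used for the C<PATH> environment variable." has a stray "-" before "value"; it should read "its value". In the same added block, LOGNAME, SHELL, USER and USERNAME are written bare where the removed text used C<...>, and env_keep and env_check are marked up as C<...> while secure_path stays I<...>; use one form for option names throughout. The new wording also drops any statement about C<HOME>, C<DISPLAY>, C<TERM> and C<TZ>, so a reader can no longer tell from this item whether they survive the reset; a sentence saying where they now come from would close that gap.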
A colon (':') separated list of editors allowed to be used with
B<visudo>. B<visudo> will choose the editor that matches the user's
-USER environment variable if possible, or the first editor in the
+EDITOR environment variable if possible, or the first editor in the
list that exists and is executable. The default is the path to vi
on your system.
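Review bot: The replacement line writes the variable name as bare "EDITOR", while environment variables elsewhere in this file are marked up as C<...> (C<LOGNAME>, C<PATH>). Write C<EDITOR> here so the rendered manual is consistent.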
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
-the C<=>, C<+=>, C<-=>, and C<!> operators respectively. The default
-list of environment variables to check is printed when B<sudo> is
-run by root with the I<-V> option.
+the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
+of whether the C<env_reset> option is enabled or disabled, variables
+specified by C<env_check> will be preserved in the environment if
+they pass the aforementioned check. The default list of environment
+variables to check is displayed when B<sudo> is run by root with
+the I<-V> option.
=item env_delete
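Review bot: The added sentence "Regardless of whether the C<env_reset> option is enabled or disabled, variables specified by C<env_check> will be preserved in the environment if they pass the aforementioned check" does not say what happens when the same variable is also listed in env_delete, the item that follows immediately. State the precedence between the two lists here. The sentence also marks the option as C<env_reset>, whereas the set_logname hunk uses I<env_reset>; use one form.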
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. The default list of environment
-variables to remove is printed when B<sudo> is run by root with the
+variables to remove is displayed when B<sudo> is run by root with the
I<-V> option. Note that many operating systems will remove potentially
dangerous variables from the environment of any setuid process (such
as B<sudo>).
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
-C<!> operators respectively. This list has no default members.
+C<!> operators respectively. The default list of variables to keep
+is displayed when B<sudo> is run by root with the I<-V> option.
=back
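Review bot: Replacing "This list has no default members." with a pointer to the I<-V> output means an unmodified sudoers now preserves variables it previously did not, and the text names none of them. Since this list decides which caller-controlled variables reach the privileged command, suggest listing the defaults here, or at least noting that the C<=> or C<!> operators described two lines above can be used to replace or disable the default list.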
B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
cases. We don't want to subject the full time staff to the B<sudo>
lecture, user B<millert> need not give a password, and we don't
-want to reset the C<LOGNAME> or C<USER> environment variables when
-running commands as root. Additionally, on the machines in the
-I<SERVERS> C<Host_Alias>, we keep an additional local log file and
-make sure we log the year in each log line since the log entries
-will be kept around for several years. Lastly, we disable shell
-escapes for the commands in the PAGERS C<Cmnd_Alias> (/usr/bin/more,
-/usr/bin/pg and /usr/bin/less).
+want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
+variables when running commands as root. Additionally, on the
+machines in the I<SERVERS> C<Host_Alias>, we keep an additional
+local log file and make sure we log the year in each log line since
+the log entries will be kept around for several years. Lastly, we
+disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
+(/usr/bin/more, /usr/bin/pg and /usr/bin/less).
# Override built-in defaults
Defaults syslog=auth