From: Todd C. Miller Date: Mon, 11 Oct 1999 15:55:11 +0000 (+0000) Subject: Document "Defaults" lines in /etc/sudoers. Still needs some fleshing X-Git-Tag: SUDO_1_6_0~39 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8a33fc598e97983bcd5a325602a14e4aef6b3e23;p=sudo Document "Defaults" lines in /etc/sudoers. Still needs some fleshing out but this is a start. --- diff --git a/TODO b/TODO index 550326e5d..938ddefa1 100644 --- a/TODO +++ b/TODO @@ -78,3 +78,5 @@ TODO list (most will be addressed in sudo 2.0) 28) Make syslog stuff work on vanilla ultrix 29) Implement date_format and log_format options. + +30) Add support for: Default:user@host diff --git a/sample.sudoers b/sample.sudoers index 4af782d20..f4b471a10 100644 --- a/sample.sudoers +++ b/sample.sudoers @@ -48,6 +48,14 @@ Cmnd_Alias SU = /usr/bin/su Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ /usr/bin/chfn +## +# Override builtin defaults +## +Defaults syslog=auth +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log + ## # User specification ## diff --git a/sudoers.cat b/sudoers.cat index 1e4c85a73..0dd32fc53 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -1,7 +1,7 @@ -SUDOERS(5) FILE FORMATS SUDOERS(5) +sudoers(5) FILE FORMATS sudoers(5) NNNNAAAAMMMMEEEE @@ -49,10 +49,10 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN There are four kinds of aliases: the User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. - Alias ::= User_Alias = User_Alias (':' User_Alias)* | - Runas_Alias (':' Runas_Alias)* | - Host_Alias (':' Host_Alias)* | - Cmnd_Alias (':' Cmnd_Alias)* + Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* | + 'Runas_Alias' (':' Runas_Alias)* | + 'Host_Alias' (':' Host_Alias)* | + 'Cmnd_Alias' (':' Cmnd_Alias)* User_Alias ::= NAME '=' User_List 
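Review bot: In the sample.sudoers hunk, `logfile=/var/log/sudo.log` on the `Defaults@SERVERS` line uses a parameter that the Defaults section added by this same commit never documents (neither the Strings list nor the "Strings that can be used in a boolean context" list has a `logfile` entry), so either add a `logfile` entry to sudoers.pod or drop it from the sample. Also worth a second look: `Defaults:millert !authenticate` ships a passwordless-sudo grant for a real username in the sample file that sites copy from; a placeholder name, or a comment line stating plainly that this disables the password check for that user, would make the intent harder to copy by accident.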
@@ -61,13 +61,13 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN -25/Aug/1999 1.6 1 +10/Oct/1999 1.6 1 -SUDOERS(5) FILE FORMATS SUDOERS(5) +sudoers(5) FILE FORMATS sudoers(5) Host_Alias ::= NAME '=' Host_List @@ -127,13 +127,13 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) -25/Aug/1999 1.6 2 +10/Oct/1999 1.6 2 -SUDOERS(5) FILE FORMATS SUDOERS(5) +sudoers(5) FILE FORMATS sudoers(5) Host ::= '!'* hostname | 
@@ -183,24 +183,194 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) be escaped with a '\' if they are used in command arguments: ',', ':', '=', '\\'. - UUUUsssseeeerrrr SSSSppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn + DDDDeeeeffffaaaauuuullllttttssss + Certain configuration options may be changed from their + default values at runtime via one or more Default_Entry + lines. These may affect all users on any host, all users + on a specific host, or just a specific user. When + multiple entries match, they are applied in order. Where - Runas_Spec ::= '(' Runas_List ')' - Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd +10/Oct/1999 1.6 3 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + + there are conflicting values, the last value on a matching + line takes effect. + + Default_Type ::= 'Defaults' || + 'Defaults' ':' User || + 'Defaults' '@' Host + + Default_Entry ::= Default_Type Parameter_List + + Parameter ::= Parameter '=' Value || + '!'* Parameter || + + Parameters may be flags, integer values, or strings. + Flags are implicitly boolean and can be turned off via the + '!' operator. Some integer and string parameters may also + be used in a boolean context to disable them. Values may + be enclosed in double quotes (") when they contain + multiple words. Special characters may be escaped with a + backslash (\). + + FFFFllllaaaaggggssss: + + long_otp_prompt + Put OTP prompt on its own line + + ignore_dot Ignore '.' 
in $PATH + + mail_always Always send mail when sudo is run + + mail_no_user + Send mail if the user is not in sudoers + + mail_no_host + Send mail if the user is not in sudoers for + this host + + mail_no_perms + Send mail if the user is not allowed to run a + command + + tty_tickets Use a separate timestamp for each user/tty + combo + + lecture Lecture user the first time they run sudo + + authenticate + Require users to authenticate by default + + root_sudo Root may run sudo + + log_host Log the hostname in the (non-syslog) log file + + log_year Log the year in the (non-syslog) log file + + + + +10/Oct/1999 1.6 4 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + + shell_noargs + If sudo is invoked with no arguments, start a + shell + + set_home Set $HOME to the target user when starting a + shell with -s + + path_info Allow some information gathering to give + useful error messages + + fqdn Require fully-qualified hostnames in the + sudoers file + + insults Insult the user when they enter an incorrect + password + + requiretty Only allow the user to run sudo if they have a + tty + + IIIInnnntttteeeeggggeeeerrrrssss: + + passwd_tries + Number of tries to enter a password + + IIIInnnntttteeeeggggeeeerrrrssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: + + loglinelen Length at which to wrap log file lines (use 0 + or negate for no wrap) + + timestamp_timeout + Authentication timestamp timeout + + passwd_timeout + Password prompt timeout + + umask Umask to use or 0777 to use user's + + SSSSttttrrrriiiinnnnggggssss: + + mailsub Subject line for mail messages + + badpass_message + Incorrect password message + + timestampdir + Path to authentication timestamp dir + + passprompt Default password prompt + + runas_default + Default user to run commands as + + syslog_goodpri + Syslog priority to use when user authenticates + + + +10/Oct/1999 1.6 5 + + + + + +sudoers(5) FILE FORMATS 
sudoers(5) + + + successfully + + syslog_badpri + Syslog priority to use when user authenticates + unsuccessfully + + SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: + + syslog Syslog facility if syslog is being used for + logging (negate to disable syslog) + + mailerpath Path to mail program + mailerflags Flags for mail program + mailto Address to send mail to -25/Aug/1999 1.6 3 + exempt_group + Users in this group are exempt from password + and PATH requirements + secure_path Value to override user's $PATH with + When logging via _s_y_s_l_o_g(3), sudo accepts the following + values for the syslog facility (the value of the _s_y_s_l_o_g + Parameter): _a_u_t_h_p_r_i_v (if your OS supports it), _a_u_t_h, + _d_a_e_m_o_n, _u_s_e_r, _l_o_c_a_l_0, _l_o_c_a_l_1, _l_o_c_a_l_2, _l_o_c_a_l_3, _l_o_c_a_l_4, + _l_o_c_a_l_5, _l_o_c_a_l_6, and _l_o_c_a_l_7. The following syslog + priorities are supported: _a_l_e_r_t, _c_r_i_t, _d_e_b_u_g, _e_m_e_r_g, _e_r_r, + _i_n_f_o, _n_o_t_i_c_e, and _w_a_r_n_i_n_g. + UUUUsssseeeerrrr SSSSppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn -SUDOERS(5) FILE FORMATS SUDOERS(5) + Runas_Spec ::= '(' Runas_List ')' + Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List @@ -218,6 +388,18 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) A Runas_Spec is simply a Runas_List (as defined above) enclosed in a set of parentheses. If you do not specify a + + + +10/Oct/1999 1.6 6 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + Runas_Spec in the user specification, a default Runas_Spec of rrrrooooooootttt will be used. A Runas_Spec sets the default for commands that follow it. What this means is that for the 
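Review bot: The precedence text in this Defaults hunk ("When multiple entries match, they are applied in order. Where there are conflicting values, the last value on a matching line takes effect") does not say whether "in order" means file order across all three Default_Type forms or a fixed ranking of `Defaults`, `Defaults@Host` and `Defaults:User`. A reader who writes `Defaults@SERVERS authenticate` after a `Defaults:millert !authenticate` line cannot tell from the page which one wins, and that is exactly the case that matters for security. Spell out the rule in the pod source (sudoers.cat is generated from it) and add a two-line example showing the outcome.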
@@ -258,16 +440,6 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - -25/Aug/1999 1.6 4 - - - - - -SUDOERS(5) FILE FORMATS SUDOERS(5) - - WWWWiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss)))):::: ssssuuuuddddoooo allows shell-style _w_i_l_d_c_a_r_d_s to be used in pathnames @@ -281,6 +453,19 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) [...] Matches any character in the specified range. + + + + +10/Oct/1999 1.6 7 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + [!...] Matches any character nnnnooootttt in the specified range. \x For any character "x", evaluates to "x". This is 
@@ -322,29 +507,30 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) An exclamation point ('!') can be used as a logical _n_o_t operator both in an _a_l_i_a_s and in front of a Cmnd. This + allows one to exclude certain values. Note, however, that + using a ! in conjunction with the built in ALL alias to + allow a user to run "all but a few" commands rarely works + as intended (see SECURITY NOTES below). + Long lines can be continued with a backslash ('\\') as the + last character on the line. + Whitespace between elements in a list as well as specicial + syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', + '(', ')') is optional. -25/Aug/1999 1.6 5 +10/Oct/1999 1.6 8 -SUDOERS(5) FILE FORMATS SUDOERS(5) - allows one to exclude certain values. Note, however, that - using a ! in conjunction with the built in ALL alias to - allow a user to run "all but a few" commands rarely works - as intended (see SECURITY NOTES below). - Long lines can be continued with a backslash ('\\') as the - last character on the line. - Whitespace between elements in a list as well as specicial - syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', - '(', ')') is optional. +sudoers(5) FILE FORMATS sudoers(5) + EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of 
@@ -382,23 +568,38 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su + Here we override some of the compiled in default values. + We want sudo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility + in all cases. We don't want to subject the full time + staff to the ssssuuuuddddoooo lecture, and user mmmmiiiilllllllleeeerrrrtttt need not give + a password. In addition, on the machines in the _S_E_R_V_E_R_S + Host_Alias, we keep an additional local log file and make + sure we log the year in each log line since the log + entries will be kept around for several years. + + # Override builtin defaults + Defaults syslog=auth + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run what. - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL +10/Oct/1999 1.6 9 -25/Aug/1999 1.6 6 +sudoers(5) FILE FORMATS sudoers(5) -SUDOERS(5) FILE FORMATS SUDOERS(5) + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on any host as any user. @@ -451,20 +652,20 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) bob SPARC = (OP) ALL : SGI = (OP) ALL The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I - machines as any user listed in the _O_P Runas_Alias (rrrrooooooootttt - and ooooppppeeeerrrraaaattttoooorrrr). +10/Oct/1999 1.6 10 -25/Aug/1999 1.6 7 +sudoers(5) FILE FORMATS sudoers(5) -SUDOERS(5) FILE FORMATS SUDOERS(5) + machines as any user listed in the _O_P Runas_Alias (rrrrooooooootttt + and ooooppppeeeerrrraaaattttoooorrrr). jim +biglab = ALL 
@@ -516,22 +717,23 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply _s_u(1) to www. - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM - Any user may mount or unmount a CD-ROM on the machines in -25/Aug/1999 1.6 8 +10/Oct/1999 1.6 11 -SUDOERS(5) FILE FORMATS SUDOERS(5) +sudoers(5) FILE FORMATS sudoers(5) + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + + Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias (orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candiate for encapsulating in a @@ -585,17 +787,13 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO - - - - -25/Aug/1999 1.6 9 +10/Oct/1999 1.6 12 -SUDOERS(5) FILE FORMATS SUDOERS(5) +sudoers(5) FILE FORMATS sudoers(5) @@ -655,6 +853,6 @@ SUDOERS(5) FILE FORMATS SUDOERS(5) -25/Aug/1999 1.6 10 +10/Oct/1999 1.6 13 diff --git a/sudoers.html b/sudoers.html index c1839697c..50cf08144 100644 --- a/sudoers.html +++ b/sudoers.html @@ -16,6 +16,7 @@
  • Quick guide to EBNF
  • Aliases +
  • Defaults
  • User Specification
  • Runas_Spec
  • NOPASSWD and PASSWD @@ -95,10 +96,10 @@ There are four kinds of aliases: the User_Alias, Runas_Alias< Host_Alias and Cmnd_Alias.

    -

     Alias ::= User_Alias = User_Alias (':' User_Alias)* |
    -           Runas_Alias (':' Runas_Alias)* |
    -           Host_Alias (':' Host_Alias)* |
    -           Cmnd_Alias (':' Cmnd_Alias)*
    +
     Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
    +           'Runas_Alias' (':' Runas_Alias)* |
    +           'Host_Alias' (':' Host_Alias)* |
    +           'Cmnd_Alias' (':' Cmnd_Alias)*
     

     User_Alias ::= NAME '=' User_List
    @@ -215,6 +216,213 @@ the wildcards if there are any). Note that the following characters must be
     escaped with a '\' if they are used in command arguments: ',', ':', '=',
     '\\'.
     
    +

    +


    +

    Defaults

    +

    +Certain configuration options may be changed from their default values at +runtime via one or more Default_Entry lines. These may affect all users on any host, all users on a specific +host, or just a specific user. When multiple entries match, they are +applied in order. Where there are conflicting values, the last value on a +matching line takes effect. + +

    +

     Default_Type ::= 'Defaults' ||
    +                  'Defaults' ':' User ||
    +                  'Defaults' '@' Host
    +
    +

    +

     Default_Entry ::= Default_Type Parameter_List
    +
    +

    +

     Parameter ::= Parameter '=' Value ||
    +               '!'* Parameter ||
    +
    +

    +Parameters may be flags, integer values, or strings. Flags are implicitly +boolean and can be turned off via the '!' operator. Some integer and string +parameters may also be used in a boolean context to disable them. Values +may be enclosed in double quotes (") when they contain multiple words. Special characters may be escaped with +a backslash (\). + +

    +Flags: + +

    +
    long_otp_prompt
    +

    +Put OTP prompt on its own line + +

    ignore_dot
    +

    +Ignore '.' in $PATH + +

    mail_always
    +

    +Always send mail when sudo is run + +

    mail_no_user
    +

    +Send mail if the user is not in sudoers + +

    mail_no_host
    +

    +Send mail if the user is not in sudoers for this host + +

    mail_no_perms
    +

    +Send mail if the user is not allowed to run a command + +

    tty_tickets
    +

    +Use a separate timestamp for each user/tty combo + +

    lecture
    +

    +Lecture user the first time they run sudo + +

    authenticate
    +

    +Require users to authenticate by default + +

    root_sudo
    +

    +Root may run sudo + +

    log_host
    +

    +Log the hostname in the (non-syslog) log file + +

    log_year
    +

    +Log the year in the (non-syslog) log file + +

    shell_noargs
    +

    +If sudo is invoked with no arguments, start a shell + +

    set_home
    +

    +Set $HOME to the target user when starting a shell with -s + + + +

    path_info
    +

    +Allow some information gathering to give useful error messages + +

    fqdn
    +

    +Require fully-qualified hostnames in the sudoers file + +

    insults
    +

    +Insult the user when they enter an incorrect password + +

    requiretty
    +

    +Only allow the user to run sudo if they have a tty + +

    +

    +Integers: + +

    +
    passwd_tries
    +

    +Number of tries to enter a password + +

    +

    +Integers that can be used in a boolean context: + +

    +
    loglinelen
    +

    +Length at which to wrap log file lines (use 0 or negate for no wrap) + +

    timestamp_timeout
    +

    +Authentication timestamp timeout + +

    passwd_timeout
    +

    +Password prompt timeout + +

    umask
    +

    +Umask to use or 0777 to use user's + +

    +

    +Strings: + +

    +
    mailsub
    +

    +Subject line for mail messages + +

    badpass_message
    +

    +Incorrect password message + +

    timestampdir
    +

    +Path to authentication timestamp dir + +

    passprompt
    +

    +Default password prompt + +

    runas_default
    +

    +Default user to run commands as + +

    syslog_goodpri
    +

    +Syslog priority to use when user authenticates successfully + +

    syslog_badpri
    +

    +Syslog priority to use when user authenticates unsuccessfully + +

    +

    +Strings that can be used in a boolean context: + +

    +
    syslog
    +

    +Syslog facility if syslog is being used for logging (negate to disable +syslog) + +

    mailerpath
    +

    +Path to mail program + +

    mailerflags
    +

    +Flags for mail program + +

    mailto
    +

    +Address to send mail to + +

    exempt_group
    +

    +Users in this group are exempt from password and PATH requirements + +

    secure_path
    +

    +Value to override user's $PATH with + +

    +

    +When logging via syslog(3), sudo accepts the following values +for the syslog facility (the value of the syslog Parameter): authpriv (if your OS supports it), auth, daemon, user, local0, local1, local2, +local3, local4, local5, local6, and local7. The following syslog priorities are supported: alert, crit, debug, emerg, +err, info, notice, and warning. +


    User Specification

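Review bot: `timestamp_timeout`, `passwd_timeout` and `loglinelen` are listed without units, and none of the entries states the compiled-in default it overrides, so an administrator reading `Defaults syslog=auth` or `Defaults !lecture` cannot tell from this page what is actually being changed. Add the unit to each integer description (e.g. "Authentication timestamp timeout, in minutes", or whatever the implementation uses) and a "default: ..." clause per entry; since sudoers.html is generated, the fix belongs in sudoers.pod.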
    @@ -406,6 +614,18 @@ our aliases: Cmnd_Alias SU = /usr/bin/su

    +Here we override some of the compiled in default values. We want sudo to +log via syslog(3) using the auth facility in all cases. We don't want to subject the full time staff to the sudo lecture, and user millert need not give a password. In addition, on the machines in the SERVERS Host_Alias, we keep an additional local log file and make sure we log the year in +each log line since the log entries will be kept around for several years. + +

    +

     # Override builtin defaults
    + Defaults               syslog=auth
    + Defaults:FULLTIMERS    !lecture
    + Defaults:millert       !authenticate
    + Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
    +
    +

    The User specification is the part that actually determines who may run what.

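Review bot: The explanation "user millert need not give a password" for `Defaults:millert !authenticate` leaves open how a per-user `!authenticate` interacts with an explicit `PASSWD:` tag on a Cmnd_Spec (documented in the NOPASSWD and PASSWD section of this file); one sentence saying which wins would stop administrators from assuming a `PASSWD:` tag still forces a prompt for that user. Also, `FULLTIMERS` and `SERVERS` in `Defaults:FULLTIMERS` and `Defaults@SERVERS` are aliases defined earlier in the example, so note that Default_Type accepts a User_Alias / Host_Alias and not only a bare username or hostname, since the grammar above only says `User` and `Host`.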
    diff --git a/sudoers.man b/sudoers.man index 64374408f..dff34caad 100644 --- a/sudoers.man +++ b/sudoers.man @@ -2,8 +2,9 @@ ''' $RCSfile$$Revision$$Date$ ''' ''' $Log$ -''' Revision 1.11 1999/08/26 09:00:58 millert -''' new sudoers(8) man page +''' Revision 1.12 1999/10/11 15:55:11 millert +''' Docuement "Defaults" lines in /etc/sudoers. Still needs some fleshing +''' out but this is a start. ''' ''' .de Sh @@ -96,7 +97,7 @@ .nr % 0 .rr F .\} -.TH SUDOERS 5 "1.6" "25/Aug/1999" "FILE FORMATS" +.TH sudoers 5 "1.6" "10/Oct/1999" "FILE FORMATS" .UC .if n .hy 0 .if n .na @@ -229,10 +230,10 @@ There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR. .PP .Vb 4 -\& Alias ::= User_Alias = User_Alias (':' User_Alias)* | -\& Runas_Alias (':' Runas_Alias)* | -\& Host_Alias (':' Host_Alias)* | -\& Cmnd_Alias (':' Cmnd_Alias)* +\& Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* | +\& 'Runas_Alias' (':' Runas_Alias)* | +\& 'Host_Alias' (':' Host_Alias)* | +\& 'Cmnd_Alias' (':' Cmnd_Alias)* .Ve .Vb 1 \& User_Alias ::= NAME '=' User_List 
@@ -347,6 +348,121 @@ in the \f(CWCmnd\fR must match exactly those given by the user on the command li (or match the wildcards if there are any). Note that the following characters must be escaped with a \*(L'\e\*(R' if they are used in command arguments: \*(L',\*(R', \*(L':\*(R', \*(L'=\*(R', \*(L'\e\e\*(R'. +.Sh "Defaults" +Certain configuration options may be changed from their default +values at runtime via one or more \f(CWDefault_Entry\fR lines. These +may affect all users on any host, all users on a specific host, +or just a specific user. When multiple entries match, they are +applied in order. Where there are conflicting values, the last +value on a matching line takes effect. +.PP +.Vb 3 +\& Default_Type ::= 'Defaults' || +\& 'Defaults' ':' User || +\& 'Defaults' '@' Host +.Ve +.Vb 1 +\& Default_Entry ::= Default_Type Parameter_List +.Ve +.Vb 2 +\& Parameter ::= Parameter '=' Value || +\& '!'* Parameter || +.Ve +Parameters may be flags, integer values, or strings. Flags are +implicitly boolean and can be turned off via the \*(L'!\*(R' operator. +Some integer and string parameters may also be used in a boolean +context to disable them. Values may be enclosed in double quotes +(\f(CW"\fR) when they contain multiple words. Special characters may +be escaped with a backslash (\f(CW\e\fR). 
+.PP +\fBFlags\fR: +.Ip "long_otp_prompt" 12 +Put \s-1OTP\s0 prompt on its own line +.Ip "ignore_dot" 12 +Ignore \*(L'.\*(R' in \f(CW$PATH\fR +.Ip "mail_always" 12 +Always send mail when sudo is run +.Ip "mail_no_user" 12 +Send mail if the user is not in sudoers +.Ip "mail_no_host" 12 +Send mail if the user is not in sudoers for this host +.Ip "mail_no_perms" 12 +Send mail if the user is not allowed to run a command +.Ip "tty_tickets" 12 +Use a separate timestamp for each user/tty combo +.Ip "lecture" 12 +Lecture user the first time they run sudo +.Ip "authenticate" 12 +Require users to authenticate by default +.Ip "root_sudo" 12 +Root may run sudo +.Ip "log_host" 12 +Log the hostname in the (non-syslog) log file +.Ip "log_year" 12 +Log the year in the (non-syslog) log file +.Ip "shell_noargs" 12 +If sudo is invoked with no arguments, start a shell +.Ip "set_home" 12 +Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR +.Ip "path_info" 12 +Allow some information gathering to give useful error messages +.Ip "fqdn" 12 +Require fully-qualified hostnames in the sudoers file +.Ip "insults" 12 +Insult the user when they enter an incorrect password +.Ip "requiretty" 12 +Only allow the user to run sudo if they have a tty +.PP +\fBIntegers\fR: +.Ip "passwd_tries" 12 +Number of tries to enter a password +.PP +\fBIntegers that can be used in a boolean context\fR: +.Ip "loglinelen" 12 +Length at which to wrap log file lines (use 0 or negate for no wrap) +.Ip "timestamp_timeout" 12 +Authentication timestamp timeout +.Ip "passwd_timeout" 12 +Password prompt timeout +.Ip "umask" 12 +Umask to use or 0777 to use user's +.PP +\fBStrings\fR: +.Ip "mailsub" 12 +Subject line for mail messages +.Ip "badpass_message" 12 +Incorrect password message +.Ip "timestampdir" 12 +Path to authentication timestamp dir +.Ip "passprompt" 12 +Default password prompt +.Ip "runas_default" 12 +Default user to run commands as +.Ip "syslog_goodpri" 12 +Syslog priority to use when 
user authenticates successfully +.Ip "syslog_badpri" 12 +Syslog priority to use when user authenticates unsuccessfully +.PP +\fBStrings that can be used in a boolean context\fR: +.Ip "syslog" 12 +Syslog facility if syslog is being used for logging (negate to disable syslog) +.Ip "mailerpath" 12 +Path to mail program +.Ip "mailerflags" 12 +Flags for mail program +.Ip "mailto" 12 +Address to send mail to +.Ip "exempt_group" 12 +Users in this group are exempt from password and \s-1PATH\s0 requirements +.Ip "secure_path" 12 +Value to override user's \f(CW$PATH\fR with +.PP +When logging via \fIsyslog\fR\|(3), sudo accepts the following values for the syslog +facility (the value of the \fIsyslog\fR Parameter): \fIauthpriv\fR (if your \s-1OS\s0 +supports it), \fIauth\fR, \fIdaemon\fR, \fIuser\fR, \fIlocal0\fR, \fIlocal1\fR, \fIlocal2\fR, +\fIlocal3\fR, \fIlocal4\fR, \fIlocal5\fR, \fIlocal6\fR, and \fIlocal7\fR. The following +syslog priorities are supported: \fIalert\fR, \fIcrit\fR, \fIdebug\fR, \fIemerg\fR, +\fIerr\fR, \fIinfo\fR, \fInotice\fR, and \fIwarning\fR. .Sh "User Specification" .PP .Vb 1 
@@ -507,6 +623,21 @@ these are a bit contrived. First, we define our \fIaliases\fR: \& /usr/local/bin/zsh \& Cmnd_Alias SU = /usr/bin/su .Ve +Here we override some of the compiled in default values. We want +sudo to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases. +We don't want to subject the full time staff to the \fBsudo\fR lecture, +and user \fBmillert\fR need not give a password. In addition, on the +machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional +local log file and make sure we log the year in each log line since +the log entries will be kept around for several years. +.PP +.Vb 5 +\& # Override builtin defaults +\& Defaults syslog=auth +\& Defaults:FULLTIMERS !lecture +\& Defaults:millert !authenticate +\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log +.Ve The \fIUser specification\fR is the part that actually determines who may run what. .PP @@ -668,7 +799,7 @@ will not run with a syntactically incorrect \fIsudoers\fR file. \fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3). .rn }` '' -.IX Title "SUDOERS 5" +.IX Title "sudoers 5" .IX Name "sudoers - list of which users may execute what" .IX Header "NAME" 
@@ -685,6 +816,80 @@ will not run with a syntactically incorrect \fIsudoers\fR file. .IX Subsection "Aliases" +.IX Subsection "Defaults" + +.IX Item "long_otp_prompt" + +.IX Item "ignore_dot" + +.IX Item "mail_always" + +.IX Item "mail_no_user" + +.IX Item "mail_no_host" + +.IX Item "mail_no_perms" + +.IX Item "tty_tickets" + +.IX Item "lecture" + +.IX Item "authenticate" + +.IX Item "root_sudo" + +.IX Item "log_host" + +.IX Item "log_year" + +.IX Item "shell_noargs" + +.IX Item "set_home" + +.IX Item "path_info" + +.IX Item "fqdn" + +.IX Item "insults" + +.IX Item "requiretty" + +.IX Item "passwd_tries" + +.IX Item "loglinelen" + +.IX Item "timestamp_timeout" + +.IX Item "passwd_timeout" + +.IX Item "umask" + +.IX Item "mailsub" + +.IX Item "badpass_message" + +.IX Item "timestampdir" + +.IX Item "passprompt" + +.IX Item "runas_default" + +.IX Item "syslog_goodpri" + +.IX Item "syslog_badpri" + +.IX Item "syslog" + +.IX Item "mailerpath" + +.IX Item "mailerflags" + +.IX Item "mailto" + +.IX Item "exempt_group" + +.IX Item "secure_path" + .IX Subsection "User Specification" .IX Subsection "Runas_Spec" diff --git a/sudoers.pod b/sudoers.pod index 654d89b0c..ab3be70ae 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -89,10 +89,10 @@ string (as opposed to a symbol name). There are four kinds of aliases: the C, C, C and C. - Alias ::= User_Alias = User_Alias (':' User_Alias)* | - Runas_Alias (':' Runas_Alias)* | - Host_Alias (':' Host_Alias)* | - Cmnd_Alias (':' Cmnd_Alias)* + Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* | + 'Runas_Alias' (':' Runas_Alias)* | + 'Host_Alias' (':' Host_Alias)* | + 'Cmnd_Alias' (':' Cmnd_Alias)* User_Alias ::= NAME '=' User_List 
@@ -192,6 +192,212 @@ in the C must match exactly those given by the user on the command line characters must be escaped with a '\' if they are used in command arguments: ',', ':', '=', '\\'. +=head2 Defaults + +Certain configuration options may be changed from their default +values at runtime via one or more C lines. These +may affect all users on any host, all users on a specific host, +or just a specific user. When multiple entries match, they are +applied in order. Where there are conflicting values, the last +value on a matching line takes effect. + + Default_Type ::= 'Defaults' || + 'Defaults' ':' User || + 'Defaults' '@' Host + + Default_Entry ::= Default_Type Parameter_List + + Parameter ::= Parameter '=' Value || + '!'* Parameter || + +Parameters may be flags, integer values, or strings. Flags are +implicitly boolean and can be turned off via the '!' operator. +Some integer and string parameters may also be used in a boolean +context to disable them. Values may be enclosed in double quotes +(C<">) when they contain multiple words. Special characters may +be escaped with a backslash (C<\>). + +B: + +=over 12 + +=item long_otp_prompt + +Put OTP prompt on its own line + +=item ignore_dot + +Ignore '.' 
in $PATH + +=item mail_always + +Always send mail when sudo is run + +=item mail_no_user + +Send mail if the user is not in sudoers + +=item mail_no_host + +Send mail if the user is not in sudoers for this host + +=item mail_no_perms + +Send mail if the user is not allowed to run a command + +=item tty_tickets + +Use a separate timestamp for each user/tty combo + +=item lecture + +Lecture user the first time they run sudo + +=item authenticate + +Require users to authenticate by default + +=item root_sudo + +Root may run sudo + +=item log_host + +Log the hostname in the (non-syslog) log file + +=item log_year + +Log the year in the (non-syslog) log file + +=item shell_noargs + +If sudo is invoked with no arguments, start a shell + +=item set_home + +Set $HOME to the target user when starting a shell with C<-s> + +=item path_info + +Allow some information gathering to give useful error messages + +=item fqdn + +Require fully-qualified hostnames in the sudoers file + +=item insults + +Insult the user when they enter an incorrect password + +=item requiretty + +Only allow the user to run sudo if they have a tty + +=back + +B: + +=over 12 + +=item passwd_tries + +Number of tries to enter a password + +=back + +B: + +=over 12 + +=item loglinelen + +Length at which to wrap log file lines (use 0 or negate for no wrap) + +=item timestamp_timeout + +Authentication timestamp timeout + +=item passwd_timeout + +Password prompt timeout + +=item umask + +Umask to use or 0777 to use user's + +=back + +B: + +=over 12 + +=item mailsub + +Subject line for mail messages + +=item badpass_message + +Incorrect password message + +=item timestampdir + +Path to authentication timestamp dir + +=item passprompt + +Default password prompt + +=item runas_default + +Default user to run commands as + +=item syslog_goodpri + +Syslog priority to use when user authenticates successfully + +=item syslog_badpri + +Syslog priority to use when user authenticates unsuccessfully + +=back 12 + +B: + 
+=over 12 + +=item syslog + +Syslog facility if syslog is being used for logging (negate to disable syslog) + +=item mailerpath + +Path to mail program + +=item mailerflags + +Flags for mail program + +=item mailto + +Address to send mail to + +=item exempt_group + +Users in this group are exempt from password and PATH requirements + +=item secure_path + +Value to override user's $PATH with + +=back 12 + +When logging via syslog(3), sudo accepts the following values for the syslog +facility (the value of the I Parameter): I (if your OS +supports it), I, I, I, I, I, I, +I, I, I, I, and I. The following +syslog priorities are supported: I, I, I, I, +I, I, I, and I. + =head2 User Specification Runas_Spec ::= '(' Runas_List ')' @@ -369,6 +575,20 @@ these are a bit contrived. First, we define our I: /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su +Here we override some of the compiled in default values. We want +sudo to log via syslog(3) using the I facility in all cases. +We don't want to subject the full time staff to the B lecture, +and user B need not give a password. In addition, on the +machines in the I C, we keep an additional +local log file and make sure we log the year in each log line since +the log entries will be kept around for several years. + + # Override builtin defaults + Defaults syslog=auth + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + The I is the part that actually determines who may run what.
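Review bot: The grammar in the pod Defaults hunk is not well-formed: `Default_Entry ::= Default_Type Parameter_List` references `Parameter_List`, which is never defined, and `Parameter ::= Parameter '=' Value || '!'* Parameter ||` is self-referential and ends in a dangling `||`. Something like `Parameter_List ::= Parameter | Parameter ',' Parameter_List` and `Parameter ::= NAME '=' Value | '!'* NAME` would match the Cmnd_Spec_List style used elsewhere in the file; while at it, use `|` for alternation as the rest of the EBNF does rather than `||`. The hunk also contains two `=back 12` lines, but `=back` takes no argument in POD, so pod checkers will complain. Fix these here and regenerate sudoers.man, sudoers.cat and sudoers.html, which all carry the same text.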