Substitute paths set by configure in examples. Bug #1023

MANIFEST

@@ -79,8 +79,8 @@ examples/Makefile.in
 examples/cvtsudoers.conf
 examples/pam.conf
 examples/sudo.conf.in
-examples/sudo_logsrvd.conf
-examples/sudoers
+examples/sudo_logsrvd.conf.in
+examples/sudoers.in
 examples/syslog.conf
 include/Makefile.in
 include/compat/charclass.h
@@ -245,8 +245,8 @@ lib/util/progname.c
 lib/util/pw_dup.c
 lib/util/pwrite.c
 lib/util/rcstr.c
-lib/util/regex.c
 lib/util/reallocarray.c
+lib/util/regex.c
 lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1
 lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2
 lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3

configure

@@ -3676,7 +3676,7 @@ PYTHON_PLUGIN=#
 LOGSRVD=
 LOGSRVD_SRC=logsrvd
 LOGSRV_SRC=lib/logsrv
-LOGSRVD_CONF='$(srcdir)/sudo_logsrvd.conf'
+LOGSRVD_CONF='sudo_logsrvd.conf'
 LIBLOGSRV='$(top_builddir)/lib/logsrv/liblogsrv.la'
 PPFILES='$(srcdir)/etc/sudo.pp'
 
@@ -32257,7 +32257,7 @@ elif test X"$TMPFILES_D" != X""; then
 
 fi
 
-ac_config_files="$ac_config_files Makefile docs/Makefile examples/Makefile examples/sudo.conf include/Makefile lib/eventlog/Makefile lib/fuzzstub/Makefile lib/iolog/Makefile lib/logsrv/Makefile lib/protobuf-c/Makefile lib/util/Makefile lib/util/util.exp logsrvd/Makefile src/intercept.exp src/sudo_usage.h src/Makefile plugins/audit_json/Makefile plugins/sample/Makefile plugins/group_file/Makefile plugins/sample_approval/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers"
+ac_config_files="$ac_config_files Makefile docs/Makefile examples/Makefile examples/sudoers examples/sudo.conf examples/sudo_logsrvd.conf include/Makefile lib/eventlog/Makefile lib/fuzzstub/Makefile lib/iolog/Makefile lib/logsrv/Makefile lib/protobuf-c/Makefile lib/util/Makefile lib/util/util.exp logsrvd/Makefile src/intercept.exp src/sudo_usage.h src/Makefile plugins/audit_json/Makefile plugins/sample/Makefile plugins/group_file/Makefile plugins/sample_approval/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers"
 
 
 cat >confcache <<\_ACEOF
@@ -33251,7 +33251,9 @@ do
     "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
     "docs/Makefile") CONFIG_FILES="$CONFIG_FILES docs/Makefile" ;;
     "examples/Makefile") CONFIG_FILES="$CONFIG_FILES examples/Makefile" ;;
+    "examples/sudoers") CONFIG_FILES="$CONFIG_FILES examples/sudoers" ;;
     "examples/sudo.conf") CONFIG_FILES="$CONFIG_FILES examples/sudo.conf" ;;
+    "examples/sudo_logsrvd.conf") CONFIG_FILES="$CONFIG_FILES examples/sudo_logsrvd.conf" ;;
     "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
     "lib/eventlog/Makefile") CONFIG_FILES="$CONFIG_FILES lib/eventlog/Makefile" ;;
     "lib/fuzzstub/Makefile") CONFIG_FILES="$CONFIG_FILES lib/fuzzstub/Makefile" ;;

configure.ac

@@ -288,7 +288,7 @@ PYTHON_PLUGIN=#
 LOGSRVD=
 LOGSRVD_SRC=logsrvd
 LOGSRV_SRC=lib/logsrv
-LOGSRVD_CONF='$(srcdir)/sudo_logsrvd.conf'
+LOGSRVD_CONF='sudo_logsrvd.conf'
 LIBLOGSRV='$(top_builddir)/lib/logsrv/liblogsrv.la'
 PPFILES='$(srcdir)/etc/sudo.pp'
 
@@ -5114,7 +5114,7 @@ elif test X"$TMPFILES_D" != X""; then
     AC_CONFIG_FILES([etc/init.d/sudo.conf])
 fi
 
-AC_CONFIG_FILES([Makefile docs/Makefile examples/Makefile examples/sudo.conf include/Makefile lib/eventlog/Makefile lib/fuzzstub/Makefile lib/iolog/Makefile lib/logsrv/Makefile lib/protobuf-c/Makefile lib/util/Makefile lib/util/util.exp logsrvd/Makefile src/intercept.exp src/sudo_usage.h src/Makefile plugins/audit_json/Makefile plugins/sample/Makefile plugins/group_file/Makefile plugins/sample_approval/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
+AC_CONFIG_FILES([Makefile docs/Makefile examples/Makefile examples/sudoers examples/sudo.conf examples/sudo_logsrvd.conf include/Makefile lib/eventlog/Makefile lib/fuzzstub/Makefile lib/iolog/Makefile lib/logsrv/Makefile lib/protobuf-c/Makefile lib/util/Makefile lib/util/util.exp logsrvd/Makefile src/intercept.exp src/sudo_usage.h src/Makefile plugins/audit_json/Makefile plugins/sample/Makefile plugins/group_file/Makefile plugins/sample_approval/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
 
 AC_OUTPUT
 

docs/sudo.conf.man.in

@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .nr SL @SEMAN@
-.TH "SUDO.CONF" "@mansectform@" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO.CONF" "@mansectform@" "February 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -588,7 +588,7 @@ Examples:
 .nf
 .sp
 .RS 4n
-Debug sudo /var/log/sudo_debug all@warn,plugin@info
+Debug sudo @log_dir@/sudo_debug all@warn,plugin@info
 .RE
 .fi
 .PP
@@ -600,7 +600,7 @@ level for the plugin subsystem.
 .nf
 .sp
 .RS 4n
-Debug sudo_intercept.so /var/log/intercept_debug all@debug
+Debug sudo_intercept.so @log_dir@/intercept_debug all@debug
 .RE
 .fi
 .PP
@@ -869,8 +869,8 @@ front-end configuration
 # Priority may be crit, err, warn, notice, diag, info, trace, or debug.
 # Multiple subsystem@priority may be specified, separated by a comma.
 #
-#Debug sudo /var/log/sudo_debug all@debug
-#Debug sudoers.so /var/log/sudoers_debug all@debug
+#Debug sudo @log_dir@/sudo_debug all@debug
+#Debug sudoers.so @log_dir@/sudoers_debug all@debug
 .RE
 .fi
 .SH "SEE ALSO"

docs/sudo.conf.mdoc.in

@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .nr SL @SEMAN@
-.Dd February 10, 2022
+.Dd February 11, 2022
 .Dt SUDO.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -536,7 +536,7 @@ as it does not include a comma
 .Pp
 Examples:
 .Bd -literal -offset 4n
-Debug sudo /var/log/sudo_debug all@warn,plugin@info
+Debug sudo @log_dir@/sudo_debug all@warn,plugin@info
 .Ed
 .Pp
 would log all debugging statements at the
@@ -545,7 +545,7 @@ level and higher in addition to those at the
 .Em info
 level for the plugin subsystem.
 .Bd -literal -offset 4n
-Debug sudo_intercept.so /var/log/intercept_debug all@debug
+Debug sudo_intercept.so @log_dir@/intercept_debug all@debug
 .Ed
 .Pp
 would log all debugging statements, regardless of level, for the
@@ -798,8 +798,8 @@ front-end configuration
 # Priority may be crit, err, warn, notice, diag, info, trace, or debug.
 # Multiple subsystem@priority may be specified, separated by a comma.
 #
-#Debug sudo /var/log/sudo_debug all@debug
-#Debug sudoers.so /var/log/sudoers_debug all@debug
+#Debug sudo @log_dir@/sudo_debug all@debug
+#Debug sudoers.so @log_dir@/sudoers_debug all@debug
 .Ed
 .Sh SEE ALSO
 .Xr sudo_plugin @mansectform@ ,

docs/sudo.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDO" "@mansectsu@" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDO" "@mansectsu@" "February 11, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1277,7 +1277,7 @@ group:
 .nf
 .sp
 .RS 4n
-$ sudo -g adm more /var/log/syslog
+$ sudo -g adm more @log_dir@/syslog
 .RE
 .fi
 .PP

docs/sudo.mdoc.in

@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd February 10, 2022
+.Dd February 11, 2022
 .Dt SUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -1191,7 +1191,7 @@ $ sudoedit -u www ~www/htdocs/index.html
 To view system logs only accessible to root and users in the adm
 group:
 .Bd -literal -offset 4n
-$ sudo -g adm more /var/log/syslog
+$ sudo -g adm more @log_dir@/syslog
 .Ed
 .Pp
 To run an editor as jim with a different primary group:

docs/sudo_logsrvd.conf.man.in

@@ -898,8 +898,8 @@ Sudo log server configuration file
 
 # The directory to store messages in before they are sent to the relay.
 # Messages are stored in wire format.
-# The default value is /var/log/sudo_logsrvd.
-#relay_dir = /var/log/sudo_logsrvd
+# The default value is @relay_dir@.
+#relay_dir = @relay_dir@
 
 # The number of seconds to wait after a connection error before
 # making a new attempt to forward a message to a relay host.
@@ -957,7 +957,7 @@ Sudo log server configuration file
 [iolog]
 # The top-level directory to use when constructing the path name for the
 # I/O log directory.  The session sequence number, if any, is stored here.
-#iolog_dir = /var/log/sudo-io
+#iolog_dir = @iolog_dir@
 
 # The path name, relative to iolog_dir, in which to store I/O logs.
 # Note that iolog_file may contain directory components.
@@ -1034,20 +1034,20 @@ Sudo log server configuration file
 # The following syslog facilities are supported: authpriv (if your OS
 # supports it), auth, daemon, user, local0, local1, local2, local3,
 # local4, local5, local6, and local7.
-#facility = authpriv
+#facility = @logfac@
 
 # Syslog priority to use for event log accept messages, when the command
 # is allowed by the security policy.  The following syslog priorities are
 # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
-#accept_priority = notice
+#accept_priority = @goodpri@
 
 # Syslog priority to use for event log reject messages, when the command
 # is not allowed by the security policy.
-#reject_priority = alert
+#reject_priority = @badpri@
 
 # Syslog priority to use for event log alert messages reported by the
 # client.
-#alert_priority = alert
+#alert_priority = @badpri@
 
 # The syslog facility to use for server warning messages.
 # Defaults to daemon.
@@ -1056,7 +1056,7 @@ Sudo log server configuration file
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
-#path = /var/log/sudo
+#path = @logpath@
 
 # The format string used when formatting the date and time for
 # file-based event logs.  Formatting is performed via strftime(3) so

docs/sudo_logsrvd.conf.mdoc.in

@@ -824,8 +824,8 @@ Sudo log server configuration file
 
 # The directory to store messages in before they are sent to the relay.
 # Messages are stored in wire format.
-# The default value is /var/log/sudo_logsrvd.
-#relay_dir = /var/log/sudo_logsrvd
+# The default value is @relay_dir@.
+#relay_dir = @relay_dir@
 
 # The number of seconds to wait after a connection error before
 # making a new attempt to forward a message to a relay host.
@@ -883,7 +883,7 @@ Sudo log server configuration file
 [iolog]
 # The top-level directory to use when constructing the path name for the
 # I/O log directory.  The session sequence number, if any, is stored here.
-#iolog_dir = /var/log/sudo-io
+#iolog_dir = @iolog_dir@
 
 # The path name, relative to iolog_dir, in which to store I/O logs.
 # Note that iolog_file may contain directory components.
@@ -960,20 +960,20 @@ Sudo log server configuration file
 # The following syslog facilities are supported: authpriv (if your OS
 # supports it), auth, daemon, user, local0, local1, local2, local3,
 # local4, local5, local6, and local7.
-#facility = authpriv
+#facility = @logfac@
 
 # Syslog priority to use for event log accept messages, when the command
 # is allowed by the security policy.  The following syslog priorities are
 # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
-#accept_priority = notice
+#accept_priority = @goodpri@
 
 # Syslog priority to use for event log reject messages, when the command
 # is not allowed by the security policy.
-#reject_priority = alert
+#reject_priority = @badpri@
 
 # Syslog priority to use for event log alert messages reported by the
 # client.
-#alert_priority = alert
+#alert_priority = @badpri@
 
 # The syslog facility to use for server warning messages.
 # Defaults to daemon.
@@ -982,7 +982,7 @@ Sudo log server configuration file
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
-#path = /var/log/sudo
+#path = @logpath@
 
 # The format string used when formatting the date and time for
 # file-based event logs.  Formatting is performed via strftime(3) so

docs/sudo_plugin_python.man.in

@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_PLUGIN_PYTHON" "5" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_PLUGIN_PYTHON" "5" "February 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1613,12 +1613,12 @@ sudo.conf(@mansectform@)
 with the program set to
 \fIpython_plugin.so\fR.
 For example, to store debug output in
-\fI/var/log/sudo_python_debug\fR,
+\fI@log_dir@/sudo_python_debug\fR,
 use a line like the following:
 .nf
 .sp
 .RS 4n
-Debug python_plugin.so /var/log/sudo_python_debug \e
+Debug python_plugin.so @log_dir@/sudo_python_debug \e
     plugin@trace,c_calls@trace
 .RE
 .fi
@@ -1633,7 +1633,7 @@ calls, use:
 .nf
 .sp
 .RS 4n
-Debug python_plugin.so /var/log/sudo_python_debug plugin@trace
+Debug python_plugin.so @log_dir@/sudo_python_debug plugin@trace
 .RE
 .fi
 .PP
@@ -1741,7 +1741,7 @@ Plugin python_io python_plugin.so \e
     ClassName=DebugDemoPlugin
 
 Debug python_plugin.so \e
-    /var/log/sudo_python_debug plugin@trace,c_calls@trace
+    @log_dir@/sudo_python_debug plugin@trace,c_calls@trace
 .RE
 .fi
 .SS "Option conversion API"

docs/sudo_plugin_python.mdoc.in

@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd February 10, 2022
+.Dd February 11, 2022
 .Dt SUDO_PLUGIN_PYTHON @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -1300,10 +1300,10 @@ line to
 with the program set to
 .Pa python_plugin.so .
 For example, to store debug output in
-.Pa /var/log/sudo_python_debug ,
+.Pa @log_dir@/sudo_python_debug ,
 use a line like the following:
 .Bd -literal -offset 4n
-Debug python_plugin.so /var/log/sudo_python_debug \e
+Debug python_plugin.so @log_dir@/sudo_python_debug \e
     plugin@trace,c_calls@trace
 .Ed
 .Pp
@@ -1315,7 +1315,7 @@ For example to just see the debug output of
 .Fn sudo.debug
 calls, use:
 .Bd -literal -offset 4n
-Debug python_plugin.so /var/log/sudo_python_debug plugin@trace
+Debug python_plugin.so @log_dir@/sudo_python_debug plugin@trace
 .Ed
 .Pp
 See
@@ -1402,7 +1402,7 @@ Plugin python_io python_plugin.so \e
     ClassName=DebugDemoPlugin
 
 Debug python_plugin.so \e
-    /var/log/sudo_python_debug plugin@trace,c_calls@trace
+    @log_dir@/sudo_python_debug plugin@trace,c_calls@trace
 .Ed
 .Ss Option conversion API
 The Python plugin API includes two convenience functions to

docs/sudoers.man.in

@@ -2092,7 +2092,7 @@ For example, while a sudoers entry like:
 .nf
 .sp
 .RS 4n
-%operator ALL = /bin/cat /var/log/messages*
+%operator ALL = /bin/cat @log_dir@/messages*
 .RE
 .fi
 .PP
@@ -2100,7 +2100,7 @@ will allow command like:
 .nf
 .sp
 .RS 4n
-$ sudo cat /var/log/messages.1
+$ sudo cat @log_dir@/messages.1
 .RE
 .fi
 .PP
@@ -2108,7 +2108,7 @@ It will also allow:
 .nf
 .sp
 .RS 4n
-$ sudo cat /var/log/messages /etc/shadow
+$ sudo cat @log_dir@/messages /etc/shadow
 .RE
 .fi
 .PP
@@ -5817,7 +5817,7 @@ If the
 option is set,
 \fBsudoers\fR
 will log to a local file, such as
-\fI/var/log/sudo\fR.
+\fI@log_dir@/sudo\fR.
 When logging to a file,
 \fBsudoers\fR
 uses a format similar to
@@ -6215,7 +6215,7 @@ Defaults		syslog=auth,runcwd=~
 Defaults>root		!set_logname
 Defaults:FULLTIMERS	!lecture,runchroot=*
 Defaults:millert	!authenticate
-Defaults@SERVERS	log_year, logfile=/var/log/sudo.log
+Defaults@SERVERS	log_year, logfile=@log_dir@/sudo.log
 Defaults!PAGERS		noexec
 .RE
 .fi
@@ -7110,7 +7110,7 @@ For example:
 .nf
 .sp
 .RS 0n
-Debug sudoers.so /var/log/sudoers_debug match@info,nss@info
+Debug sudoers.so @log_dir@/sudoers_debug match@info,nss@info
 .RE
 .fi
 .PP

docs/sudoers.mdoc.in

@@ -1977,17 +1977,17 @@ or
 will match across word boundaries, which may be unexpected.
 For example, while a sudoers entry like:
 .Bd -literal -offset 4n
-%operator ALL = /bin/cat /var/log/messages*
+%operator ALL = /bin/cat @log_dir@/messages*
 .Ed
 .Pp
 will allow command like:
 .Bd -literal -offset 4n
-$ sudo cat /var/log/messages.1
+$ sudo cat @log_dir@/messages.1
 .Ed
 .Pp
 It will also allow:
 .Bd -literal -offset 4n
-$ sudo cat /var/log/messages /etc/shadow
+$ sudo cat @log_dir@/messages /etc/shadow
 .Ed
 .Pp
 which is probably not what was intended.
@@ -5423,7 +5423,7 @@ If the
 option is set,
 .Nm
 will log to a local file, such as
-.Pa /var/log/sudo .
+.Pa @log_dir@/sudo .
 When logging to a file,
 .Nm
 uses a format similar to
@@ -5773,7 +5773,7 @@ Defaults		syslog=auth,runcwd=~
 Defaults>root		!set_logname
 Defaults:FULLTIMERS	!lecture,runchroot=*
 Defaults:millert	!authenticate
-Defaults@SERVERS	log_year, logfile=/var/log/sudo.log
+Defaults@SERVERS	log_year, logfile=@log_dir@/sudo.log
 Defaults!PAGERS		noexec
 .Ed
 .Pp
@@ -6572,7 +6572,7 @@ utility functions
 .Pp
 For example:
 .Bd -literal
-Debug sudoers.so /var/log/sudoers_debug match@info,nss@info
+Debug sudoers.so @log_dir@/sudoers_debug match@info,nss@info
 .Ed
 .Pp
 For more information, see the

examples/Makefile.in

@@ -55,7 +55,7 @@ SHELL = @SHELL@
 LOGSRVD_CONF = @LOGSRVD_CONF@
 
 EXAMPLES = $(srcdir)/cvtsudoers.conf $(srcdir)/pam.conf sudo.conf \
-	   $(LOGSRVD_CONF) $(srcdir)/sudoers $(srcdir)/syslog.conf
+	   $(LOGSRVD_CONF) sudoers $(srcdir)/syslog.conf
 
 VERSION = @PACKAGE_VERSION@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
@@ -67,9 +67,15 @@ depend:
 Makefile: $(srcdir)/Makefile.in
 	cd $(top_builddir) && ./config.status --file examples/Makefile
 
+sudoers: $(srcdir)/sudoers.in
+	cd $(top_builddir) && ./config.status --file examples/sudoers
+
 sudo.conf: $(srcdir)/sudo.conf.in
 	cd $(top_builddir) && ./config.status --file examples/sudo.conf
 
+sudo_logsrvd.conf: $(srcdir)/sudo_logsrvd.conf.in
+	cd $(top_builddir) && ./config.status --file examples/sudo_logsrvd.conf
+
 pre-install:
 
 install: install-doc

examples/sudo_logsrvd.conf.in

@@ -22,7 +22,7 @@
 #listen_address = *:30344(tls)
 
 # The file containing the ID of the running sudo_logsrvd process.
-#pid_file = /var/run/sudo/sudo_logsrvd.pid
+#pid_file = @rundir@/sudo_logsrvd.pid
 
 # Where to log server warnings: none, stderr, syslog, or a path name.
 #server_log = syslog
@@ -86,8 +86,8 @@
 
 # The directory to store messages in before they are sent to the relay.
 # Messages are stored in wire format.
-# The default value is /var/log/sudo_logsrvd.
-#relay_dir = /var/log/sudo_logsrvd
+# The default value is @relay_dir@.
+#relay_dir = @relay_dir@
 
 # The number of seconds to wait after a connection error before
 # making a new attempt to forward a message to a relay host.
@@ -145,7 +145,7 @@
 [iolog]
 # The top-level directory to use when constructing the path name for the
 # I/O log directory.  The session sequence number, if any, is stored here.
-#iolog_dir = /var/log/sudo-io
+#iolog_dir = @iolog_dir@
 
 # The path name, relative to iolog_dir, in which to store I/O logs.
 # Note that iolog_file may contain directory components.
@@ -223,20 +223,20 @@
 # The following syslog facilities are supported: authpriv (if your OS
 # supports it), auth, daemon, user, local0, local1, local2, local3,
 # local4, local5, local6, and local7.
-#facility = authpriv
+#facility = @logfac@
 
 # Syslog priority to use for event log accept messages, when the command
 # is allowed by the security policy.  The following syslog priorities are
 # supported: alert, crit, debug, emerg, err, info, notice, warning, none.
-#accept_priority = notice
+#accept_priority = @goodpri@
 
 # Syslog priority to use for event log reject messages, when the command
 # is not allowed by the security policy.
-#reject_priority = alert
+#reject_priority = @badpri@
 
 # Syslog priority to use for event log alert messages reported by the
 # client.
-#alert_priority = alert
+#alert_priority = @badpri@
 
 # The syslog facility to use for server warning messages.
 # Defaults to daemon.
@@ -245,7 +245,7 @@
 [logfile]
 # The path to the file-based event log.
 # This path must be fully-qualified and start with a '/' character.
-#path = /var/log/sudo
+#path = @logpath@
 
 # The format string used when formatting the date and time for
 # file-based event logs.  Formatting is performed via strftime(3) so

examples/sudoers.in

@@ -12,7 +12,7 @@ Defaults		syslog=auth,runcwd=~
 Defaults>root		!set_logname
 Defaults:FULLTIMERS	!lecture,runchroot=*
 Defaults:millert	!authenticate
-Defaults@SERVERS	log_year, logfile=/var/log/sudo.log
+Defaults@SERVERS	log_year, logfile=@log_dir@/sudo.log
 Defaults!PAGERS		noexec
 
 ##