8287e21d36
support requires an expensive substring match on the server. If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server.
286 lines
6.5 KiB
Plaintext
286 lines
6.5 KiB
Plaintext
#
|
|
# Format:
|
|
#
|
|
# var_name
|
|
# TYPE
|
|
# description (or NULL)
|
|
# array of struct def_values if TYPE == T_TUPLE
|
|
#
|
|
# NOTE: for tuples that can be used in a boolean context the first
|
|
# value corresponds to boolean FALSE and the second to TRUE.
|
|
#
|
|
|
|
syslog
|
|
T_LOGFAC|T_BOOL
|
|
"Syslog facility if syslog is being used for logging: %s"
|
|
syslog_goodpri
|
|
T_LOGPRI
|
|
"Syslog priority to use when user authenticates successfully: %s"
|
|
syslog_badpri
|
|
T_LOGPRI
|
|
"Syslog priority to use when user authenticates unsuccessfully: %s"
|
|
long_otp_prompt
|
|
T_FLAG
|
|
"Put OTP prompt on its own line"
|
|
ignore_dot
|
|
T_FLAG
|
|
"Ignore '.' in $PATH"
|
|
mail_always
|
|
T_FLAG
|
|
"Always send mail when sudo is run"
|
|
mail_badpass
|
|
T_FLAG
|
|
"Send mail if user authentication fails"
|
|
mail_no_user
|
|
T_FLAG
|
|
"Send mail if the user is not in sudoers"
|
|
mail_no_host
|
|
T_FLAG
|
|
"Send mail if the user is not in sudoers for this host"
|
|
mail_no_perms
|
|
T_FLAG
|
|
"Send mail if the user is not allowed to run a command"
|
|
tty_tickets
|
|
T_FLAG
|
|
"Use a separate timestamp for each user/tty combo"
|
|
lecture
|
|
T_TUPLE|T_BOOL
|
|
"Lecture user the first time they run sudo"
|
|
never once always
|
|
lecture_file
|
|
T_STR|T_PATH|T_BOOL
|
|
"File containing the sudo lecture: %s"
|
|
authenticate
|
|
T_FLAG
|
|
"Require users to authenticate by default"
|
|
root_sudo
|
|
T_FLAG
|
|
"Root may run sudo"
|
|
log_host
|
|
T_FLAG
|
|
"Log the hostname in the (non-syslog) log file"
|
|
log_year
|
|
T_FLAG
|
|
"Log the year in the (non-syslog) log file"
|
|
shell_noargs
|
|
T_FLAG
|
|
"If sudo is invoked with no arguments, start a shell"
|
|
set_home
|
|
T_FLAG
|
|
"Set $HOME to the target user when starting a shell with -s"
|
|
always_set_home
|
|
T_FLAG
|
|
"Always set $HOME to the target user's home directory"
|
|
path_info
|
|
T_FLAG
|
|
"Allow some information gathering to give useful error messages"
|
|
fqdn
|
|
T_FLAG
|
|
"Require fully-qualified hostnames in the sudoers file"
|
|
insults
|
|
T_FLAG
|
|
"Insult the user when they enter an incorrect password"
|
|
requiretty
|
|
T_FLAG
|
|
"Only allow the user to run sudo if they have a tty"
|
|
env_editor
|
|
T_FLAG
|
|
"Visudo will honor the EDITOR environment variable"
|
|
rootpw
|
|
T_FLAG
|
|
"Prompt for root's password, not the users's"
|
|
runaspw
|
|
T_FLAG
|
|
"Prompt for the runas_default user's password, not the users's"
|
|
targetpw
|
|
T_FLAG
|
|
"Prompt for the target user's password, not the users's"
|
|
use_loginclass
|
|
T_FLAG
|
|
"Apply defaults in the target user's login class if there is one"
|
|
set_logname
|
|
T_FLAG
|
|
"Set the LOGNAME and USER environment variables"
|
|
stay_setuid
|
|
T_FLAG
|
|
"Only set the effective uid to the target user, not the real uid"
|
|
preserve_groups
|
|
T_FLAG
|
|
"Don't initialize the group vector to that of the target user"
|
|
loglinelen
|
|
T_UINT|T_BOOL
|
|
"Length at which to wrap log file lines (0 for no wrap): %u"
|
|
timestamp_timeout
|
|
T_FLOAT|T_BOOL
|
|
"Authentication timestamp timeout: %.1f minutes"
|
|
passwd_timeout
|
|
T_FLOAT|T_BOOL
|
|
"Password prompt timeout: %.1f minutes"
|
|
passwd_tries
|
|
T_UINT
|
|
"Number of tries to enter a password: %u"
|
|
umask
|
|
T_MODE|T_BOOL
|
|
"Umask to use or 0777 to use user's: 0%o"
|
|
logfile
|
|
T_STR|T_BOOL|T_PATH
|
|
"Path to log file: %s"
|
|
mailerpath
|
|
T_STR|T_BOOL|T_PATH
|
|
"Path to mail program: %s"
|
|
mailerflags
|
|
T_STR|T_BOOL
|
|
"Flags for mail program: %s"
|
|
mailto
|
|
T_STR|T_BOOL
|
|
"Address to send mail to: %s"
|
|
mailfrom
|
|
T_STR|T_BOOL
|
|
"Address to send mail from: %s"
|
|
mailsub
|
|
T_STR
|
|
"Subject line for mail messages: %s"
|
|
badpass_message
|
|
T_STR
|
|
"Incorrect password message: %s"
|
|
lecture_status_dir
|
|
T_STR|T_PATH
|
|
"Path to lecture status dir: %s"
|
|
timestampdir
|
|
T_STR|T_PATH
|
|
"Path to authentication timestamp dir: %s"
|
|
timestampowner
|
|
T_STR
|
|
"Owner of the authentication timestamp dir: %s"
|
|
exempt_group
|
|
T_STR|T_BOOL
|
|
"Users in this group are exempt from password and PATH requirements: %s"
|
|
passprompt
|
|
T_STR
|
|
"Default password prompt: %s"
|
|
passprompt_override
|
|
T_FLAG
|
|
"If set, passprompt will override system prompt in all cases."
|
|
runas_default
|
|
T_STR
|
|
"Default user to run commands as: %s"
|
|
secure_path
|
|
T_STR|T_BOOL
|
|
"Value to override user's $PATH with: %s"
|
|
editor
|
|
T_STR|T_PATH
|
|
"Path to the editor for use by visudo: %s"
|
|
listpw
|
|
T_TUPLE|T_BOOL
|
|
"When to require a password for 'list' pseudocommand: %s"
|
|
never any all always
|
|
verifypw
|
|
T_TUPLE|T_BOOL
|
|
"When to require a password for 'verify' pseudocommand: %s"
|
|
never all any always
|
|
noexec
|
|
T_FLAG
|
|
"Preload the dummy exec functions contained in the sudo_noexec library"
|
|
ignore_local_sudoers
|
|
T_FLAG
|
|
"If LDAP directory is up, do we ignore local sudoers file"
|
|
closefrom
|
|
T_INT
|
|
"File descriptors >= %d will be closed before executing a command"
|
|
closefrom_override
|
|
T_FLAG
|
|
"If set, users may override the value of `closefrom' with the -C option"
|
|
setenv
|
|
T_FLAG
|
|
"Allow users to set arbitrary environment variables"
|
|
env_reset
|
|
T_FLAG
|
|
"Reset the environment to a default set of variables"
|
|
env_check
|
|
T_LIST|T_BOOL
|
|
"Environment variables to check for sanity:"
|
|
env_delete
|
|
T_LIST|T_BOOL
|
|
"Environment variables to remove:"
|
|
env_keep
|
|
T_LIST|T_BOOL
|
|
"Environment variables to preserve:"
|
|
role
|
|
T_STR
|
|
"SELinux role to use in the new security context: %s"
|
|
type
|
|
T_STR
|
|
"SELinux type to use in the new security context: %s"
|
|
env_file
|
|
T_STR|T_PATH|T_BOOL
|
|
"Path to the sudo-specific environment file: %s"
|
|
sudoers_locale
|
|
T_STR
|
|
"Locale to use while parsing sudoers: %s"
|
|
visiblepw
|
|
T_FLAG
|
|
"Allow sudo to prompt for a password even if it would be visible"
|
|
pwfeedback
|
|
T_FLAG
|
|
"Provide visual feedback at the password prompt when there is user input"
|
|
fast_glob
|
|
T_FLAG
|
|
"Use faster globbing that is less accurate but does not access the filesystem"
|
|
umask_override
|
|
T_FLAG
|
|
"The umask specified in sudoers will override the user's, even if it is more permissive"
|
|
log_input
|
|
T_FLAG
|
|
"Log user's input for the command being run"
|
|
log_output
|
|
T_FLAG
|
|
"Log the output of the command being run"
|
|
compress_io
|
|
T_FLAG
|
|
"Compress I/O logs using zlib"
|
|
use_pty
|
|
T_FLAG
|
|
"Always run commands in a pseudo-tty"
|
|
group_plugin
|
|
T_STR
|
|
"Plugin for non-Unix group support: %s"
|
|
iolog_dir
|
|
T_STR|T_PATH
|
|
"Directory in which to store input/output logs: %s"
|
|
iolog_file
|
|
T_STR
|
|
"File in which to store the input/output log: %s"
|
|
set_utmp
|
|
T_FLAG
|
|
"Add an entry to the utmp/utmpx file when allocating a pty"
|
|
utmp_runas
|
|
T_FLAG
|
|
"Set the user in utmp to the runas user, not the invoking user"
|
|
privs
|
|
T_STR
|
|
"Set of permitted privileges"
|
|
limitprivs
|
|
T_STR
|
|
"Set of limit privileges"
|
|
exec_background
|
|
T_FLAG
|
|
"Run commands on a pty in the background"
|
|
pam_service
|
|
T_STR
|
|
"PAM service name to use"
|
|
pam_login_service
|
|
T_STR
|
|
"PAM service name to use for login shells"
|
|
pam_setcred
|
|
T_FLAG
|
|
"Attempt to establish PAM credentials for the target user"
|
|
pam_session
|
|
T_FLAG
|
|
"Create a new PAM session for the command to run in"
|
|
maxseq
|
|
T_UINT
|
|
"Maximum I/O log sequence number: %u"
|
|
use_netgroups
|
|
T_FLAG
|
|
"Enable sudoers netgroup support"
|