mirror of https://github.com/sudo-project/sudo.git
509 lines
13 KiB
Plaintext
509 lines
13 KiB
Plaintext
#
|
|
# Format:
|
|
#
|
|
# var_name
|
|
# TYPE
|
|
# description (or NULL)
|
|
# array of struct def_values if TYPE == T_TUPLE
|
|
#
|
|
# NOTE: for tuples that can be used in a boolean context the first
|
|
# value corresponds to boolean FALSE and the second to TRUE.
|
|
#
|
|
|
|
syslog
|
|
T_LOGFAC|T_BOOL
|
|
"Syslog facility if syslog is being used for logging: %s"
|
|
syslog_goodpri
|
|
T_LOGPRI|T_BOOL
|
|
"Syslog priority to use when user authenticates successfully: %s"
|
|
syslog_badpri
|
|
T_LOGPRI|T_BOOL
|
|
"Syslog priority to use when user authenticates unsuccessfully: %s"
|
|
long_otp_prompt
|
|
T_FLAG
|
|
"Put OTP prompt on its own line"
|
|
ignore_dot
|
|
T_FLAG
|
|
"Ignore '.' in $PATH"
|
|
mail_always
|
|
T_FLAG
|
|
"Always send mail when sudo is run"
|
|
mail_badpass
|
|
T_FLAG
|
|
"Send mail if user authentication fails"
|
|
mail_no_user
|
|
T_FLAG
|
|
"Send mail if the user is not in sudoers"
|
|
mail_no_host
|
|
T_FLAG
|
|
"Send mail if the user is not in sudoers for this host"
|
|
mail_no_perms
|
|
T_FLAG
|
|
"Send mail if the user is not allowed to run a command"
|
|
mail_all_cmnds
|
|
T_FLAG
|
|
"Send mail if the user tries to run a command"
|
|
tty_tickets
|
|
T_FLAG
|
|
"Use a separate timestamp for each user/tty combo"
|
|
lecture
|
|
T_TUPLE|T_BOOL
|
|
"Lecture user the first time they run sudo"
|
|
never once always
|
|
lecture_file
|
|
T_STR|T_PATH|T_BOOL
|
|
"File containing the sudo lecture: %s"
|
|
authenticate
|
|
T_FLAG
|
|
"Require users to authenticate by default"
|
|
root_sudo
|
|
T_FLAG
|
|
"Root may run sudo"
|
|
log_host
|
|
T_FLAG
|
|
"Log the hostname in the (non-syslog) log file"
|
|
log_year
|
|
T_FLAG
|
|
"Log the year in the (non-syslog) log file"
|
|
shell_noargs
|
|
T_FLAG
|
|
"If sudo is invoked with no arguments, start a shell"
|
|
set_home
|
|
T_FLAG
|
|
"Set $HOME to the target user when starting a shell with -s"
|
|
always_set_home
|
|
T_FLAG
|
|
"Always set $HOME to the target user's home directory"
|
|
path_info
|
|
T_FLAG
|
|
"Allow some information gathering to give useful error messages"
|
|
fqdn
|
|
T_FLAG
|
|
"Require fully-qualified hostnames in the sudoers file"
|
|
insults
|
|
T_FLAG
|
|
"Insult the user when they enter an incorrect password"
|
|
requiretty
|
|
T_FLAG
|
|
"Only allow the user to run sudo if they have a tty"
|
|
env_editor
|
|
T_FLAG
|
|
"Visudo will honor the EDITOR environment variable"
|
|
rootpw
|
|
T_FLAG
|
|
"Prompt for root's password, not the user's"
|
|
runaspw
|
|
T_FLAG
|
|
"Prompt for the runas_default user's password, not the user's"
|
|
targetpw
|
|
T_FLAG
|
|
"Prompt for the target user's password, not the user's"
|
|
use_loginclass
|
|
T_FLAG
|
|
"Apply defaults in the target user's login class if there is one"
|
|
set_logname
|
|
T_FLAG
|
|
"Set the LOGNAME and USER environment variables"
|
|
stay_setuid
|
|
T_FLAG
|
|
"Only set the effective uid to the target user, not the real uid"
|
|
preserve_groups
|
|
T_FLAG
|
|
"Don't initialize the group vector to that of the target user"
|
|
loglinelen
|
|
T_UINT|T_BOOL
|
|
"Length at which to wrap log file lines (0 for no wrap): %u"
|
|
timestamp_timeout
|
|
T_TIMESPEC|T_BOOL
|
|
"Authentication timestamp timeout: %.1f minutes"
|
|
passwd_timeout
|
|
T_TIMESPEC|T_BOOL
|
|
"Password prompt timeout: %.1f minutes"
|
|
passwd_tries
|
|
T_UINT
|
|
"Number of tries to enter a password: %u"
|
|
umask
|
|
T_MODE|T_BOOL
|
|
"Umask to use or 0777 to use user's: 0%o"
|
|
logfile
|
|
T_STR|T_BOOL|T_PATH
|
|
"Path to log file: %s"
|
|
mailerpath
|
|
T_STR|T_BOOL|T_PATH
|
|
"Path to mail program: %s"
|
|
mailerflags
|
|
T_STR|T_BOOL
|
|
"Flags for mail program: %s"
|
|
mailto
|
|
T_STR|T_BOOL
|
|
"Address to send mail to: %s"
|
|
mailfrom
|
|
T_STR|T_BOOL
|
|
"Address to send mail from: %s"
|
|
mailsub
|
|
T_STR
|
|
"Subject line for mail messages: %s"
|
|
badpass_message
|
|
T_STR
|
|
"Incorrect password message: %s"
|
|
lecture_status_dir
|
|
T_STR|T_PATH
|
|
"Path to lecture status dir: %s"
|
|
timestampdir
|
|
T_STR|T_PATH
|
|
"Path to authentication timestamp dir: %s"
|
|
timestampowner
|
|
T_STR
|
|
"Owner of the authentication timestamp dir: %s"
|
|
exempt_group
|
|
T_STR|T_BOOL
|
|
"Users in this group are exempt from password and PATH requirements: %s"
|
|
passprompt
|
|
T_STR
|
|
"Default password prompt: %s"
|
|
passprompt_override
|
|
T_FLAG
|
|
"If set, passprompt will override system prompt in all cases."
|
|
runas_default
|
|
T_STR
|
|
"Default user to run commands as: %s"
|
|
secure_path
|
|
T_STR|T_BOOL
|
|
"Value to override user's $PATH with: %s"
|
|
editor
|
|
T_STR|T_PATH
|
|
"Path to the editor for use by visudo: %s"
|
|
listpw
|
|
T_TUPLE|T_BOOL
|
|
"When to require a password for 'list' pseudocommand: %s"
|
|
never any all always
|
|
verifypw
|
|
T_TUPLE|T_BOOL
|
|
"When to require a password for 'verify' pseudocommand: %s"
|
|
never all any always
|
|
noexec
|
|
T_FLAG
|
|
"Preload the sudo_noexec library which replaces the exec functions"
|
|
ignore_local_sudoers
|
|
T_FLAG
|
|
"If LDAP directory is up, do we ignore local sudoers file"
|
|
closefrom
|
|
T_INT
|
|
"File descriptors >= %d will be closed before executing a command"
|
|
closefrom_override
|
|
T_FLAG
|
|
"If set, users may override the value of "closefrom" with the -C option"
|
|
setenv
|
|
T_FLAG
|
|
"Allow users to set arbitrary environment variables"
|
|
env_reset
|
|
T_FLAG
|
|
"Reset the environment to a default set of variables"
|
|
env_check
|
|
T_LIST|T_BOOL
|
|
"Environment variables to check for safety:"
|
|
env_delete
|
|
T_LIST|T_BOOL
|
|
"Environment variables to remove:"
|
|
env_keep
|
|
T_LIST|T_BOOL
|
|
"Environment variables to preserve:"
|
|
role
|
|
T_STR
|
|
"SELinux role to use in the new security context: %s"
|
|
type
|
|
T_STR
|
|
"SELinux type to use in the new security context: %s"
|
|
env_file
|
|
T_STR|T_PATH|T_BOOL
|
|
"Path to the sudo-specific environment file: %s"
|
|
restricted_env_file
|
|
T_STR|T_PATH|T_BOOL
|
|
"Path to the restricted sudo-specific environment file: %s"
|
|
sudoers_locale
|
|
T_STR
|
|
"Locale to use while parsing sudoers: %s"
|
|
visiblepw
|
|
T_FLAG
|
|
"Allow sudo to prompt for a password even if it would be visible"
|
|
pwfeedback
|
|
T_FLAG
|
|
"Provide visual feedback at the password prompt when there is user input"
|
|
fast_glob
|
|
T_FLAG
|
|
"Use faster globbing that is less accurate but does not access the filesystem"
|
|
umask_override
|
|
T_FLAG
|
|
"The umask specified in sudoers will override the user's, even if it is more permissive"
|
|
log_input
|
|
T_FLAG
|
|
"Log user's input for the command being run"
|
|
log_stdin
|
|
T_FLAG
|
|
"Log the command's standard input if not connected to a terminal"
|
|
log_ttyin
|
|
T_FLAG
|
|
"Log the user's terminal input for the command being run"
|
|
log_output
|
|
T_FLAG
|
|
"Log the output of the command being run"
|
|
log_stdout
|
|
T_FLAG
|
|
"Log the command's standard output if not connected to a terminal"
|
|
log_stderr
|
|
T_FLAG
|
|
"Log the command's standard error if not connected to a terminal"
|
|
log_ttyout
|
|
T_FLAG
|
|
"Log the terminal output of the command being run"
|
|
compress_io
|
|
T_FLAG
|
|
"Compress I/O logs using zlib"
|
|
use_pty
|
|
T_FLAG
|
|
"Always run commands in a pseudo-tty"
|
|
group_plugin
|
|
T_STR
|
|
"Plugin for non-Unix group support: %s"
|
|
iolog_dir
|
|
T_STR|T_PATH
|
|
"Directory in which to store input/output logs: %s"
|
|
iolog_file
|
|
T_STR
|
|
"File in which to store the input/output log: %s"
|
|
set_utmp
|
|
T_FLAG
|
|
"Add an entry to the utmp/utmpx file when allocating a pty"
|
|
utmp_runas
|
|
T_FLAG
|
|
"Set the user in utmp to the runas user, not the invoking user"
|
|
privs
|
|
T_STR
|
|
"Set of permitted privileges: %s"
|
|
limitprivs
|
|
T_STR
|
|
"Set of limit privileges: %s"
|
|
exec_background
|
|
T_FLAG
|
|
"Run commands on a pty in the background"
|
|
pam_service
|
|
T_STR
|
|
"PAM service name to use: %s"
|
|
pam_login_service
|
|
T_STR
|
|
"PAM service name to use for login shells: %s"
|
|
pam_askpass_service
|
|
T_STR
|
|
"PAM service name to use when sudo is run with the -A option: %s"
|
|
pam_setcred
|
|
T_FLAG
|
|
"Attempt to establish PAM credentials for the target user"
|
|
pam_session
|
|
T_FLAG
|
|
"Create a new PAM session for the command to run in"
|
|
pam_acct_mgmt
|
|
T_FLAG
|
|
"Perform PAM account validation management"
|
|
pam_silent
|
|
T_FLAG
|
|
"Do not allow PAM authentication modules to generate output"
|
|
maxseq
|
|
T_STR
|
|
"Maximum I/O log sequence number: %s"
|
|
use_netgroups
|
|
T_FLAG
|
|
"Enable sudoers netgroup support"
|
|
sudoedit_checkdir
|
|
T_FLAG
|
|
"Check parent directories for writability when editing files with sudoedit"
|
|
sudoedit_follow
|
|
T_FLAG
|
|
"Follow symbolic links when editing files with sudoedit"
|
|
always_query_group_plugin
|
|
T_FLAG
|
|
"Query the group plugin for unknown system groups"
|
|
netgroup_tuple
|
|
T_FLAG
|
|
"Match netgroups based on the entire tuple: user, host and domain"
|
|
ignore_audit_errors
|
|
T_FLAG
|
|
"Allow commands to be run even if sudo cannot write to the audit log"
|
|
ignore_iolog_errors
|
|
T_FLAG
|
|
"Allow commands to be run even if sudo cannot write to the I/O log"
|
|
ignore_logfile_errors
|
|
T_FLAG
|
|
"Allow commands to be run even if sudo cannot write to the log file"
|
|
match_group_by_gid
|
|
T_FLAG
|
|
"Resolve groups in sudoers and match on the group ID, not the name"
|
|
syslog_maxlen
|
|
T_UINT
|
|
"Log entries larger than this value will be split into multiple syslog messages: %u"
|
|
iolog_user
|
|
T_STR|T_BOOL
|
|
"User that will own the I/O log files: %s"
|
|
iolog_group
|
|
T_STR|T_BOOL
|
|
"Group that will own the I/O log files: %s"
|
|
iolog_mode
|
|
T_MODE
|
|
"File mode to use for the I/O log files: 0%o"
|
|
fdexec
|
|
T_TUPLE|T_BOOL
|
|
"Execute commands by file descriptor instead of by path: %s"
|
|
never digest_only always
|
|
ignore_unknown_defaults
|
|
T_FLAG
|
|
"Ignore unknown Defaults entries in sudoers instead of producing a warning"
|
|
command_timeout
|
|
T_TIMEOUT|T_BOOL
|
|
"Time in seconds after which the command will be terminated: %u"
|
|
user_command_timeouts
|
|
T_FLAG
|
|
"Allow the user to specify a timeout on the command line"
|
|
iolog_flush
|
|
T_FLAG
|
|
"Flush I/O log data to disk immediately instead of buffering it"
|
|
syslog_pid
|
|
T_FLAG
|
|
"Include the process ID when logging via syslog"
|
|
timestamp_type
|
|
T_TUPLE
|
|
"Type of authentication timestamp record: %s"
|
|
global ppid tty kernel
|
|
authfail_message
|
|
T_STR
|
|
"Authentication failure message: %s"
|
|
case_insensitive_user
|
|
T_FLAG
|
|
"Ignore case when matching user names"
|
|
case_insensitive_group
|
|
T_FLAG
|
|
"Ignore case when matching group names"
|
|
log_allowed
|
|
T_FLAG
|
|
"Log when a command is allowed by sudoers"
|
|
log_denied
|
|
T_FLAG
|
|
"Log when a command is denied by sudoers"
|
|
log_servers
|
|
T_LIST|T_BOOL
|
|
"Sudo log server(s) to connect to with optional port"
|
|
log_server_timeout
|
|
T_TIMEOUT|T_BOOL
|
|
"Sudo log server timeout in seconds: %u"
|
|
log_server_keepalive
|
|
T_FLAG
|
|
"Enable SO_KEEPALIVE socket option on the socket connected to the logserver"
|
|
log_server_cabundle
|
|
T_STR|T_BOOL|T_PATH
|
|
"Path to the audit server's CA bundle file: %s"
|
|
log_server_peer_cert
|
|
T_STR|T_BOOL|T_PATH
|
|
"Path to the sudoers certificate file: %s"
|
|
log_server_peer_key
|
|
T_STR|T_BOOL|T_PATH
|
|
"Path to the sudoers private key file: %s"
|
|
log_server_verify
|
|
T_FLAG
|
|
"Verify that the log server's certificate is valid"
|
|
runas_allow_unknown_id
|
|
T_FLAG
|
|
"Allow the use of unknown runas user and/or group ID"
|
|
runas_check_shell
|
|
T_FLAG
|
|
"Only permit running commands as a user with a valid shell"
|
|
pam_ruser
|
|
T_FLAG
|
|
"Set the pam remote user to the user running sudo"
|
|
pam_rhost
|
|
T_FLAG
|
|
"Set the pam remote host to the local host name"
|
|
runcwd
|
|
T_STR|T_BOOL|T_CHPATH
|
|
"Working directory to change to before executing the command: %s"
|
|
runchroot
|
|
T_STR|T_BOOL|T_CHPATH
|
|
"Root directory to change to before executing the command: %s"
|
|
log_format
|
|
T_TUPLE
|
|
"The format of logs to produce: %s"
|
|
sudo json json_compact json_pretty
|
|
selinux
|
|
T_FLAG
|
|
"Enable SELinux RBAC support"
|
|
admin_flag
|
|
T_STR|T_BOOL|T_CHPATH
|
|
"Path to the file that is created the first time sudo is run: %s"
|
|
intercept
|
|
T_FLAG
|
|
"Intercept further commands and apply sudoers restrictions to them"
|
|
log_subcmds
|
|
T_FLAG
|
|
"Log sub-commands run by the original command"
|
|
log_exit_status
|
|
T_FLAG
|
|
"Log the exit status of commands"
|
|
intercept_authenticate
|
|
T_FLAG
|
|
"Subsequent commands in an intercepted session must be authenticated"
|
|
intercept_allow_setid
|
|
T_FLAG
|
|
"Allow an intercepted command to run set setuid or setgid programs"
|
|
rlimit_as
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum size to which the process's address space may grow (in bytes): %s"
|
|
rlimit_core
|
|
T_RLIMIT|T_BOOL
|
|
"The largest size core dump file that may be created (in bytes): %s"
|
|
rlimit_cpu
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum amount of CPU time that the process may use (in seconds): %s"
|
|
rlimit_data
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum size of the data segment for the process (in bytes): %s"
|
|
rlimit_fsize
|
|
T_RLIMIT|T_BOOL
|
|
"The largest size file that the process may create (in bytes): %s"
|
|
rlimit_locks
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum number of locks that the process may establish: %s"
|
|
rlimit_memlock
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum size that the process may lock in memory (in bytes): %s"
|
|
rlimit_nofile
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum number of files that the process may have open: %s"
|
|
rlimit_nproc
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum number of processes that the user may run simultaneously: %s"
|
|
rlimit_rss
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum size to which the process's resident set size may grow (in bytes): %s"
|
|
rlimit_stack
|
|
T_RLIMIT|T_BOOL
|
|
"The maximum size to which the process's stack may grow (in bytes): %s"
|
|
noninteractive_auth
|
|
T_FLAG
|
|
"Attempt authentication even when in non-interactive mode"
|
|
log_passwords
|
|
T_FLAG
|
|
"Store plaintext passwords in I/O log input"
|
|
passprompt_regex
|
|
T_LIST|T_SPACE|T_BOOL
|
|
"List of regular expressions to use when matching a password prompt"
|
|
intercept_type
|
|
T_TUPLE
|
|
"The mechanism used by the intercept and log_subcmds options: %s"
|
|
dso trace
|
|
intercept_verify
|
|
T_FLAG
|
|
"Attempt to verify the command and arguments after execution"
|
|
apparmor_profile
|
|
T_STR
|
|
"AppArmor profile to use in the new security context: %s"
|
|
cmddenial_message
|
|
T_STR
|
|
"Command denial message: %s"
|