- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password
- of the user specified by the -\b-u\bu flag
- (defaults to root) instead of the password
- of the invoking user. Note that this pre
- cludes the use of a uid not listed in the
- passwd database as an argument to the -\b-u\bu
- flag. This flag is _\bo_\bf_\bf by default.
-
- tty_tickets If set, users must authenticate on a per-
- tty basis. Normally, s\bsu\bud\bdo\bo uses a direc
- tory in the ticket dir with the same name
- as the user running it. With this flag
- enabled, s\bsu\bud\bdo\bo will use a file named for
- the tty the user is logged in on in that
- directory. This flag is _\bo_\bf_\bf by default.
-
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults spec
- ified for the target user's login class if
- one exists. Only available if s\bsu\bud\bdo\bo is
- configured with the --with-logincap
- option. This flag is _\bo_\bf_\bf by default.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all output that is sent to the screen, similar to
+ the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ standard error is not connected to the user's tty, due
+ to I/O redirection or because the command is part of a
+ pipeline, that output is also captured and stored in
+ separate log files.
+
+ Output is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory
+ using a unique session ID that is included in the
+ normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available logs.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
+ the tty the user is logged in on in the user's time
+ stamp directory. If disabled, the time stamp of the
+ directory is used instead. This flag is _\bo_\bn by default.
+
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ without modification. This makes it possible to
+ specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
+ user's own umask and matches historical behavior. If
+ _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
+ be the union of the user's umask and what is specified
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ target user's login class if one exists. Only
+ available if s\bsu\bud\bdo\bo is configured with the
+ --with-logincap option. This flag is _\bo_\bf_\bf by default.
+
+ use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
+ if no I/O logging is being gone. A malicious program
+ run under s\bsu\bud\bdo\bo could conceivably fork a background
+ process that retains to the user's terminal device
+ after the main program has finished executing. Use of
+ this option will make that impossible.
+
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ enter a password but it is not possible to disable echo
+ on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
+ will prompt for a password even when it would be
+ visible on the screen. This makes it possible to run
+ things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
+ not allocate a tty. This flag is _\bo_\bf_\bf by default.
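Review bot: The added use_pty entry has two wording slips: "even if no I/O logging is being gone" should read "being done", and "retains to the user's terminal device" is missing a word (presumably "retains access to"). This text is formatted man page output, so the fix belongs in the manual source it is generated from rather than in this file. Separately, the tty_tickets entry changes from "off by default" to "on by default", so the change log or upgrade notes should call that out. It changes when users on multiple ttys are asked to authenticate again. The targetpw entry is removed in this hunk and does not reappear in the added lines; please confirm it only moved to another page of the formatted output and was not dropped.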