.\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd July 16, 2012
+.Dd April 30, 2013
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers
-.Nd default sudo security policy module
+.Nd default sudo security policy plugin
.Sh DESCRIPTION
The
.Em sudoers
-policy module determines a user's
+policy plugin determines a user's
.Nm sudo
privileges.
It is the default
policy information
in LDAP, please see
.Xr sudoers.ldap @mansectform@ .
+.Ss Configuring sudo.conf for sudoers
+.Nm sudo
+consults the
+.Xr sudo.conf @mansectform@
+file to determine which policy and and I/O logging plugins to load.
+If no
+.Xr sudo.conf @mansectform@
+file is present, or if it contains no
+.Li Plugin
+lines,
+.Nm sudoers
+will be used for policy decisions and I/O logging.
+To explicitly configure
+.Xr sudo.conf @mansectform@
+to use the
+.Nm sudoers
+plugin, the following configuration can be used.
+.Bd -literal -offset indent
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+.Ed
+.Pp
+Starting with
+.Nm sudo
+1.8.5, it is possible to specify optional arguments to the
+.Nm sudoers
+plugin in the
+.Xr sudo.conf @mansectform@
+file.
+These arguments, if present, should be listed after the path to the plugin
+(i.e.\& after
+.Pa sudoers.so ) .
+Multiple arguments may be specified, separated by white space.
+For example:
+.Bd -literal -offset indent
+Plugin sudoers_policy sudoers.so sudoers_mode=0400
+.Ed
+.Pp
+The following plugin arguments are supported:
+.Bl -tag -width 8n
+.It ldap_conf=pathname
+The
+.Em ldap_conf
+argument can be used to override the default path to the
+.Pa ldap.conf
+file.
+.It ldap_secret=pathname
+The
+.Em ldap_secret
+argument can be used to override the default path to the
+.Pa ldap.secret
+file.
+.It sudoers_file=pathname
+The
+.Em sudoers_file
+argument can be used to override the default path to the
+.Em sudoers
+file.
+.It sudoers_uid=uid
+The
+.Em sudoers_uid
+argument can be used to override the default owner of the sudoers file.
+It should be specified as a numeric user ID.
+.It sudoers_gid=gid
+The
+.Em sudoers_gid
+argument can be used to override the default group of the sudoers file.
+It must be specified as a numeric group ID (not a group name).
+.It sudoers_mode=mode
+The
+.Em sudoers_mode
+argument can be used to override the default file mode for the sudoers file.
+It should be specified as an octal value.
+.El
+.Pp
+For more information on configuring
+.Xr sudo.conf @mansectform@ ,
+please refer to its manual.
.Ss Authentication and logging
The
.Em sudoers
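Review bot: "and and" is doubled in the first sentence of the new "Configuring sudo.conf for sudoers" subsection ("which policy and and I/O logging plugins to load"); drop one. In the argument list, sudoers_uid says the value "should be specified as a numeric user ID" while sudoers_gid says it "must be specified as a numeric group ID (not a group name)". If user names are rejected as well, use the same "must ... (not a user name)" wording for both so an administrator does not assume a name is accepted for one and not the other.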
.Pp
A
.Li User_List
-is made up of one or more user names, user ids
+is made up of one or more user names, user IDs
(prefixed with
.Ql # ) ,
-system group names and ids (prefixed with
+system group names and IDs (prefixed with
.Ql %
and
.Ql %#
and
.Li nonunix_gid
syntax depends on
-the underlying group provider plugin (see the
-.Em group_plugin
-description below).
+the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
.Bl -bullet -width 4n
.It
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
.El
.Pp
+See
+.Sx "GROUP PROVIDER PLUGINS"
+for more information.
+.Pp
Note that quotes around group names are optional.
Unquoted strings must use a backslash
.Pq Ql \e
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
.Bd -literal
+digest ::= [A-Fa-f0-9]+ |
+ [[A-Za-z0-9\+/=]+
+
+Digest_Spec ::= "sha224" ':' digest |
+ "sha256" ':' digest |
+ "sha384" ':' digest |
+ "sha512" ':' digest
+
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
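Review bot: the base64 alternative of the new digest rule opens with a doubled bracket, "[[A-Za-z0-9\+/=]+", which leaves the character class unbalanced; it should start with a single "[". The "\+" in the same class also needs a look: this file writes a literal backslash as "\e" elsewhere, so either use "\e+" if a backslash is meant to appear in the rendered grammar or drop the backslash and write a plain "+".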
file name args |
file name '""'
-Cmnd ::= '!'* command name |
+Cmnd ::= Digest_Spec? '!'* command name |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
.Ql :\& ,
.Ql =\& ,
.Ql \e .
-The special command
+The built-in command
.Dq Li sudoedit
is used to permit a user to run
.Nm sudo
option (or as
.Nm sudoedit ) .
It may take command line arguments just as a normal command does.
+Note that
+.Dq Li sudoedit
+is a command built into
+.Nm sudo
+itself and must be specified in
+.Em sudoers
+without a leading path.
+.Pp
+If a
+.Li command name
+is prefixed with a
+.Li Digest_Spec ,
+the command will only match successfully if it can be verified
+using the specified SHA-2 digest.
+This may be useful in situations where the user invoking
+.Nm sudo
+has write access to the command or its parent directory.
+The following digest formats are supported: sha224, sha256, sha384 and sha512.
+The string may be specified in either hex or base64 format
+(base64 is more compact).
+There are several utilities capable of generating SHA-2 digests in hex
+format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
+.Pp
+For example, using openssl:
+.Bd -literal
+$ openssl dgst -sha224 /bin/ls
+SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+.Ed
+.Pp
+It is also possible to use openssl to generate base64 output:
+.Bd -literal
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.Ed
+.Pp
+Command digests are only supported by version 1.8.7 or higher.
.Ss Defaults
Certain configuration options may be changed from their default
values at run-time via one or more
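Review bot: the Digest_Spec paragraph recommends digests for the case where the invoking user "has write access to the command or its parent directory", but it does not say what happens if the file is replaced after the digest has been verified and before the command is executed. Since that is exactly the situation the feature is advertised for, the text should either state that the verified file is the one that is run or document the limitation so administrators do not treat the digest as a complete control on a user-writable path.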
.Li NOEXEC
overrides
.Li EXEC ) .
-.Pp
-.Em NOPASSWD and PASSWD
-.Pp
+.Bl -hang -width 0n
+.It Em NOPASSWD No and Em PASSWD
+.sp
By default,
.Nm sudo
requires that a user authenticate him or herself
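Review bot: the new ".It Em NOPASSWD No and Em PASSWD" item (and each later tag item in this list) is followed by a raw ".sp" request, which is roff rather than mdoc and is not handled uniformly by mdoc formatters. If the goal is a heading line with the description starting below it, a ".Bl -tag" list with a narrow width, or ".Pp" after the item head, gives the same layout without low-level requests.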
and
.Em listpw
options.
-.Pp
-.Em NOEXEC and EXEC
-.Pp
+.It Em NOEXEC No and Em EXEC
+.sp
If
.Nm sudo
has been compiled with
section below for more details on how
.Li NOEXEC
works and whether or not it will work on your system.
-.Pp
-.Em SETENV and NOSETENV
-.Pp
+.It Em SETENV No and Em NOSETENV
+.sp
These tags override the value of the
.Em setenv
option on a per-command basis.
tag is implied for that command; this default may be overridden by use of the
.Li NOSETENV
tag.
-.Pp
-.Em LOG_INPUT and NOLOG_INPUT
-.Pp
+.It Em LOG_INPUT No and Em NOLOG_INPUT
+.sp
These tags override the value of the
.Em log_input
option on a per-command basis.
in the
.Sx SUDOERS OPTIONS
section below.
-.Pp
-.Em LOG_OUTPUT and NOLOG_OUTPUT
-.Pp
+.It Em LOG_OUTPUT No and Em NOLOG_OUTPUT
+.sp
These tags override the value of the
.Em log_output
option on a per-command basis.
in the
.Sx SUDOERS OPTIONS
section below.
+.El
.Ss Wildcards
.Nm sudo
allows shell-style
.Em sudoers
file.
Wildcard matching is done via the
-.Sy POSIX
.Xr glob 3
and
.Xr fnmatch 3
-routines.
+functions as specified by
+.St -p1003.1 .
Note that these are
.Em not
regular expressions.
.Ql ]\& .
.El
.Pp
-POSIX character classes may also be used if your system's
+Character classes may also be used if your system's
.Xr glob 3
and
.Xr fnmatch 3
.Pq Ql \&!
can be used as a logical
.Em not
-operator both in an
+operator in a list or
.Em alias
-and in front of a
+as well as in front of a
.Li Cmnd .
This allows one to exclude certain values.
+For the
+.Ql \&!
+operator to be effective, there must be something for it to exclude.
+For example, to match all users except for root one would use:
+.Bd -literal -offset 4n
+ALL,!root
+.Ed
+.Pp
+If the
+.Sy ALL ,
+is omitted, as in:
+.Bd -literal -offset 4n
+!root
+.Ed
+.Pp
+it would explicitly deny root but not match any other users.
+This is different from a true
+.Dq negation
+operator.
+.Pp
Note, however, that using a
.Ql \&!
in conjunction with the built-in
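Review bot: in the new negation text, ".Sy ALL ," treats the comma as trailing punctuation, so the sentence renders as "If the ALL, is omitted, as in:" with what looks like a stray comma. The point being made is that the literal token "ALL," is what gets dropped from "ALL,!root", so quote it as a single literal argument (or reword to "If the leading ALL is omitted") to make that unambiguous.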
is compiled with
.Sy zlib
support.
+.It exec_background
+By default,
+.Nm sudo
+runs a command as the foreground process as long as
+.Nm sudo
+itself is running in the foreground.
+When the
+.Em exec_background
+flag is enabled and the command is being run in a pty (due to I/O logging
+or the
+.Em use_pty
+flag), the command will be run as a background process.
+Attempts to read from the controlling terminal (or to change terminal
+settings) will result in the command being suspended with the
+.Dv SIGTTIN
+signal (or
+.Dv SIGTTOU
+in the case of terminal settings).
+If this happens when
+.Nm sudo
+is a foreground process, the command will be granted the controlling terminal
+and resumed in the foreground with no user intervention required.
+The advantage of initially running the command in the background is that
+.Nm sudo
+need not read from the terminal unless the command explicitly requests it.
+Otherwise, any terminal input must be passed to the command, whether it
+has required it or not (the kernel buffers terminals so it is not possible
+to tell whether the command really wants the input).
+This is different from historic
+.Em sudo
+behavior or when the command is not being run in a pty.
+.Pp
+For this to work seamlessly, the operating system must support the
+automatic restarting of system calls.
+Unfortunately, not all operating systems do this by default,
+and even those that do may have bugs.
+For example, Mac OS X fails to restart the
+.Fn tcgetattr
+and
+.Fn tcsetattr
+system calls (this is a bug in Mac OS X).
+Furthermore, because this behavior depends on the command stopping with the
+.Dv SIGTTIN
+or
+.Dv SIGTTOU
+signals, programs that catch these signals and suspend themselves
+with a different signal (usually
+.Dv SIGTOP )
+will not be automatically foregrounded.
+Some versions of the linux
+.Xr su 1
+command behave this way.
+.Pp
+This setting is only supported by version 1.8.7 or higher.
+It has no effect unless I/O logging is enabled or the
+.Em use_pty
+flag is enabled.
.It env_editor
If set,
.Nm visudo
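Review bot: ".Dv SIGTOP )" in the exec_background description names a signal that does not exist; the signal a program uses to suspend itself is SIGTSTP. Two smaller points in the same item: "linux" should be capitalised as "Linux", and "historic .Em sudo behavior" uses .Em where the rest of the page uses .Nm for the program name.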
This flag is
.Em off
by default.
-.It path_info
-Normally,
+.It pam_session
+On systems that use PAM for authentication,
.Nm sudo
-will tell the user when a command could not be
-found in their
-.Ev PATH
-environment variable.
-Some sites may wish to disable this as it could be used to gather
-information on the location of executables that the normal user does
-not have access to.
-The disadvantage is that if the executable is simply not in the user's
-.Ev PATH ,
-.Nm sudo
-will tell the user that they are not allowed to run it, which can be confusing.
+will create a new PAM session for the command to be run in.
+Disabling
+.Em pam_session
+may be needed on older PAM implementations or on operating systems where
+opening a PAM session changes the utmp or wtmp files.
+If PAM session support is disabled, resource limits may not be updated
+for the command being run.
This flag is
-.Em @path_info@
+.Em @pam_session@
by default.
+.Pp
+This setting is only supported by version 1.8.7 or higher.
.It passprompt_override
The password prompt specified by
.Em passprompt
This flag is
.Em off
by default.
+.It path_info
+Normally,
+.Nm sudo
+will tell the user when a command could not be
+found in their
+.Ev PATH
+environment variable.
+Some sites may wish to disable this as it could be used to gather
+information on the location of executables that the normal user does
+not have access to.
+The disadvantage is that if the executable is simply not in the user's
+.Ev PATH ,
+.Nm sudo
+will tell the user that they are not allowed to run it, which can be confusing.
+This flag is
+.Em @path_info@
+by default.
.It preserve_groups
By default,
.Nm sudo
replaced with a unique combination of digits and letters, similar to the
.Xr mktemp 3
function.
+.Pp
+If the path created by concatenating
+.Em iolog_dir
+and
+.Em iolog_file
+already exists, the existing I/O log file will be truncated and
+overwritten unless
+.Em iolog_file
+ends in six or
+more
+.Li X Ns No s .
.It limitprivs
The default Solaris limit privileges to use when constructing a new
privilege set for a command.
will expand to the host name of the machine.
Default is
.Dq Li @mailsub@ .
+.It maxseq
+The maximum sequence number that will be substituted for the
+.Dq Li %{seq}
+escape in the I/O log file (see the
+.Em iolog_dir
+description above for more information).
+While the value substituted for
+.Dq Li %{seq}
+is in base 36,
+.Em maxseq
+itself should be expressed in decimal.
+Values larger than 2176782336 (which corresponds to the
+base 36 sequence number
+.Dq ZZZZZZ )
+will be silently truncated to 2176782336.
+The default value is 2176782336.
+.Pp
+Once the local sequence number reaches the value of
+.Em maxseq ,
+it will
+.Dq roll over
+to zero, after which
+.Nm sudoers
+will truncate and re-use any existing I/O log pathnames.
+.Pp
+This setting is only supported by version 1.8.7 or higher.
.It noexec_file
-This option is no longer supported.
+As of
+.Nm sudo
+version 1.8.1 this option is no longer supported.
The path to the noexec file should now be set in the
-.Pa @sysconfdir@/sudo.conf
+.Xr sudo.conf @mansectform@
file.
.It passprompt
The default prompt to use when asking for a password; can be overridden via the
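Review bot: the bound given in the maxseq text is off by one. 36^6 is 2176782336, so the largest six-digit base 36 value "ZZZZZZ" is 2176782335, and 2176782336 itself would need a seventh digit. Either say the limit is one more than "ZZZZZZ", or state explicitly that maxseq is an exclusive upper bound, so a reader can tell whether "ZZZZZZ" is ever used before the sequence rolls over and existing I/O logs start being truncated and re-used.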
A string containing a
.Em sudoers
group plugin with optional arguments.
-This can be used to implement support for the
-.Li nonunix_group
-syntax described earlier.
The string should consist of the plugin
path, either fully-qualified or relative to the
-.Pa @prefix@/libexec
+.Pa @PLUGINDIR@
directory, followed by any configuration arguments the plugin requires.
These arguments (if any) will be passed to the plugin's initialization function.
If arguments are present, the string must be enclosed in double quotes
.Pq \&"" .
.Pp
-For example, given
-.Pa /etc/sudo-group ,
-a group file in Unix group format, the sample group plugin can be used:
-.Bd -literal
-Defaults group_plugin="sample_group.so /etc/sudo-group"
-.Ed
-.Pp
For more information see
-.Xr sudo_plugin @mansectform@ .
+.Xr "GROUP PROVIDER PLUGINS" .
.It lecture
This option controls when a short lecture will be printed along with
the password prompt.
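Review bot: the replacement cross-reference in the group_plugin item uses the wrong macro: ".Xr "GROUP PROVIDER PLUGINS" ." is a manual page reference with no section number, whereas this is a section of the same page. It should be ".Sx "GROUP PROVIDER PLUGINS" .", matching the ".Sx" reference added earlier in this patch under User_List.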
.Fl V
option.
.El
+.Sh GROUP PROVIDER PLUGINS
+The
+.Nm sudoers
+plugin supports its own plugin interface to allow non-Unix
+group lookups which can query a group source other
+than the standard Unix group database.
+This can be used to implement support for the
+.Li nonunix_group
+syntax described earlier.
+.Pp
+Group provider plugins are specified via the
+.Em group_plugin
+Defaults setting.
+The argument to
+.Em group_plugin
+should consist of the plugin path, either fully-qualified or relative to the
+.Pa @PLUGINDIR@
+directory, followed by any configuration options the plugin requires.
+These options (if specified) will be passed to the plugin's initialization
+function.
+If options are present, the string must be enclosed in double quotes
+.Pq \&"" .
+.Pp
+The following group provider plugins are installed by default:
+.Bl -tag -width 8n
+.It group_file
+The
+.Em group_file
+plugin supports an alternate group file that uses the same syntax as the
+.Pa /etc/group
+file.
+The path to the group file should be specified as an option
+to the plugin.
+For example, if the group file to be used is
+.Pa /etc/sudo-group :
+.Bd -literal
+Defaults group_plugin="group_file.so /etc/sudo-group"
+.Ed
+.It system_group
+The
+.Em system_group
+plugin supports group lookups via the standard C library functions
+.Fn getgrnam
+and
+.Fn getgrid .
+This plugin can be used in instances where the user belongs to
+groups not present in the user's supplemental group vector.
+This plugin takes no options:
+.Bd -literal
+Defaults group_plugin=system_group.so
+.Ed
+.El
+.Pp
+The group provider plugin API is described in detail in
+.Xr sudo_plugin @mansectsu@ .
.Sh LOG FORMAT
.Nm sudoers
can log events using either
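Review bot: ".Fn getgrid ." in the system_group description is a misspelling; the C library function paired with getgrnam is getgrgid. Worth fixing before release since readers will search for the name as written.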
tries to open
.Em sudoers
using group permissions to avoid this problem.
-Consider changing the ownership of
+Consider either changing the ownership of
.Pa @sysconfdir@/sudoers
-by adding an option like
+or adding an argument like
.Dq sudoers_uid=N
(where
.Sq N
is the user ID that owns the
.Em sudoers
-file) to the
+file) to the end of the
.Nm sudoers
-plugin line in the
-.Pa @sysconfdir@/sudo.conf
+.Li Plugin
+line in the
+.Xr sudo.conf @mansectform@
file.
.It unable to stat @sysconfdir@/sudoers
The
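Review bot: only this first diagnostic is reworded to "adding an argument like ... to the end of the sudoers Plugin line"; the sibling entries keep their old wording in the unchanged context (for example the sudoers_mode entry still reads "option to the"). Since the new sudo.conf subsection consistently calls these "arguments", the other three entries should be updated the same way in this patch.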
.Em sudoers
file) to the
.Nm sudoers
-plugin line in the
-.Pa @sysconfdir@/sudo.conf
+.Li Plugin
+line in the
+.Xr sudo.conf @mansectform@
file.
.It @sysconfdir@/sudoers is world writable
The permissions on the
.Dq sudoers_mode
option to the
.Nm sudoers
-plugin line in the
-.Pa @sysconfdir@/sudo.conf
+.Li Plugin
+line in the
+.Xr sudo.conf @mansectform@
file.
.It @sysconfdir@/sudoers is owned by gid N, should be 1
The
.Em sudoers
file) to the
.Nm sudoers
-plugin line in the
-.Pa @sysconfdir@/sudo.conf
+.Li Plugin
+line in the
+.Xr sudo.conf @mansectform@
file.
.It unable to open @timedir@/username/ttyname
.Em sudoers
.Ql \&! ) ,
word wrap will be disabled.
.El
-.Sh SUDO.CONF
-The
-.Pa @sysconfdir@/sudo.conf
-file determines which plugins the
-.Nm sudo
-front end will load.
-If no
-.Pa @sysconfdir@/sudo.conf
-file
-is present, or it contains no
-.Li Plugin
-lines,
-.Nm sudo
-will use the
-.Em sudoers
-security policy and I/O logging, which corresponds to the following
-.Pa @sysconfdir@/sudo.conf
-file.
-.Bd -literal
-#
-# Default @sysconfdir@/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# The plugin_path is relative to @prefix@/libexec unless
-# fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-Plugin policy_plugin sudoers.so
-Plugin io_plugin sudoers.so
-.Ed
-.Ss Plugin options
-Starting with
-.Nm sudo
-1.8.5, it is possible to pass options to the
-.Em sudoers
-plugin.
-Options may be listed after the path to the plugin (i.e.\& after
-.Pa sudoers.so ) ;
-multiple options should be space-separated.
-For example:
-.Bd -literal
-Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
-.Ed
-.Pp
-The following plugin options are supported:
-.Bl -tag -width 8n
-.It sudoers_file=pathname
-The
-.Em sudoers_file
-option can be used to override the default path
-to the
-.Em sudoers
-file.
-.It sudoers_uid=uid
-The
-.Em sudoers_uid
-option can be used to override the default owner of the sudoers file.
-It should be specified as a numeric user ID.
-.It sudoers_gid=gid
-The
-.Em sudoers_gid
-option can be used to override the default group of the sudoers file.
-It should be specified as a numeric group ID.
-.It sudoers_mode=mode
-The
-.Em sudoers_mode
-option can be used to override the default file mode for the sudoers file.
-It should be specified as an octal value.
-.El
-.Ss Debug flags
-Versions 1.8.4 and higher of the
-.Em sudoers
-plugin supports a debugging framework that can help track down what the
-plugin is doing internally if there is a problem.
-This can be configured in the
-.Pa @sysconfdir@/sudo.conf
-file as described in
-.Xr sudo @mansectsu@ .
-.Pp
-The
-.Em sudoers
-plugin uses the same debug flag format as the
-.Nm sudo
-front-end:
-.Em subsystem Ns No @ Ns Em priority .
-.Pp
-The priorities used by
-.Em sudoers ,
-in order of decreasing severity,
-are:
-.Em crit ,
-.Em err ,
-.Em warn ,
-.Em notice ,
-.Em diag ,
-.Em info ,
-.Em trace
-and
-.Em debug .
-Each priority, when specified, also includes all priorities higher than it.
-For example, a priority of
-.Em notice
-would include debug messages logged at
-.Em notice
-and higher.
-.Pp
-The following subsystems are used by
-.Em sudoers :
-.Bl -tag -width 8n
-.It Em alias
-.Li User_Alias ,
-.Li Runas_Alias ,
-.Li Host_Alias
-and
-.Li Cmnd_Alias
-processing
-.It Em all
-matches every subsystem
-.It Em audit
-BSM and Linux audit code
-.It Em auth
-user authentication
-.It Em defaults
-.Em sudoers
-.Em Defaults
-settings
-.It Em env
-environment handling
-.It Em ldap
-LDAP-based sudoers
-.It Em logging
-logging support
-.It Em match
-matching of users, groups, hosts and netgroups in
-.Em sudoers
-.It Em netif
-network interface handling
-.It Em nss
-network service switch handling in
-.Em sudoers
-.It Em parser
-.Em sudoers
-file parsing
-.It Em perms
-permission setting
-.It Em plugin
-The equivalent of
-.Em main
-for the plugin.
-.It Em pty
-pseudo-tty related code
-.It Em rbtree
-redblack tree internals
-.It Em util
-utility functions
-.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
- /usr/sbin/restore, /usr/sbin/rrestore
+ /usr/sbin/restore, /usr/sbin/rrestore,\e
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
+ /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
printing system, shutting down the system, and any commands in the
directory
.Pa /usr/oper/bin/ .
+Note that one command in the
+.Li DUMPS
+Cmnd_Alias includes a sha224 digest,
+.Pa /home/operator/bin/start_backups .
+This is because the directory containing the script is writable by the
+operator user.
+If the script is modified (resulting in a digest mismatch) it will no longer
+be possible to run it via
+.Nm sudo .
.Bd -literal
joe ALL = /usr/bin/su operator
.Ed
ignore it.
Administrators should not rely on this feature as it is not universally
available.
+.Sh DEBUGGING
+Versions 1.8.4 and higher of the
+.Nm sudoers
+plugin support a flexible debugging framework that can help track
+down what the plugin is doing internally if there is a problem.
+This can be configured in the
+.Xr sudo.conf @mansectform@
+file.
+.Pp
+The
+.Nm sudoers
+plugin uses the same debug flag format as the
+.Nm sudo
+front-end:
+.Em subsystem Ns No @ Ns Em priority .
+.Pp
+The priorities used by
+.Nm sudoers ,
+in order of decreasing severity,
+are:
+.Em crit , err , warn , notice , diag , info , trace
+and
+.Em debug .
+Each priority, when specified, also includes all priorities higher
+than it.
+For example, a priority of
+.Em notice
+would include debug messages logged at
+.Em notice
+and higher.
+.Pp
+The following subsystems are used by the
+.Nm sudoers
+plugin:
+.Bl -tag -width 8n
+.It Em alias
+.Li User_Alias ,
+.Li Runas_Alias ,
+.Li Host_Alias
+and
+.Li Cmnd_Alias
+processing
+.It Em all
+matches every subsystem
+.It Em audit
+BSM and Linux audit code
+.It Em auth
+user authentication
+.It Em defaults
+.Em sudoers
+.Em Defaults
+settings
+.It Em env
+environment handling
+.It Em ldap
+LDAP-based sudoers
+.It Em logging
+logging support
+.It Em match
+matching of users, groups, hosts and netgroups in
+.Em sudoers
+.It Em netif
+network interface handling
+.It Em nss
+network service switch handling in
+.Em sudoers
+.It Em parser
+.Em sudoers
+file parsing
+.It Em perms
+permission setting
+.It Em plugin
+The equivalent of
+.Em main
+for the plugin.
+.It Em pty
+pseudo-tty related code
+.It Em rbtree
+redblack tree internals
+.It Em util
+utility functions
+.El
+For example:
+.Bd -literal
+Debug sudo /var/log/sudo_debug match@info,nss@info
+.Ed
+.Pp
+For more information, see the
+.Xr sudo.conf @mansectform@
+manual.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr su 1 ,
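Review bot: in the new DEBUGGING section, "For example:" follows the subsystem list's ".El" directly with no ".Pp" in between, unlike the other lists added in this patch, which close with ".El" and then ".Pp". Add the ".Pp" so the example is set off as its own paragraph. It would also help to say in one sentence that the Debug line goes in sudo.conf and what "match@info,nss@info" selects, since the example otherwise appears without context after a long list.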
.Xr glob 3 ,
.Xr mktemp 3 ,
.Xr strftime 3 ,
+.Xr sudo.conf @mansectform@ ,
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudo @mansectsu@ ,