--- /dev/null
+Copyright (c) 1994-1996, 1998-2005, 2007-2012
+ Todd C. Miller <Todd.Miller@courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Sponsored in part by the Defense Advanced Research Projects
+Agency (DARPA) and Air Force Research Laboratory, Air Force
+Materiel Command, USAF, under agreement number F39502-99-1-0512.
+
+=pod
+
+=head1 NAME
+
+sudoers - default sudo security policy module
+
+=head1 DESCRIPTION
+
+The I<sudoers> policy module determines a user's B<sudo> privileges.
+It is the default B<sudo> policy plugin. The policy is driven by
+the F<@sysconfdir@/sudoers> file or, optionally in LDAP. The policy
+format is described in detail in the L<"SUDOERS FILE FORMAT">
+section. For information on storing I<sudoers> policy information
+in LDAP, please see L<sudoers.ldap(5)>.
+
+=head2 Authentication and Logging
+
+The I<sudoers> security policy requires that most users authenticate
+themselves before they can use B<sudo>. A password is not required
+if the invoking user is root, if the target user is the same as the
+invoking user, or if the policy has disabled authentication for the
+user or command. Unlike L<su(1)>, when I<sudoers> requires
+authentication, it validates the invoking user's credentials, not
+the target user's (or root's) credentials. This can be changed via
+the I<rootpw>, I<targetpw> and I<runaspw> flags, described later.
+
+If a user who is not listed in the policy tries to run a command
+via B<sudo>, mail is sent to the proper authorities. The address
+used for such mail is configurable via the I<mailto> Defaults entry
+(described later) and defaults to C<@mailto@>.
+
+Note that mail will not be sent if an unauthorized user tries to
+run B<sudo> with the B<-l> or B<-v> option. This allows users to
+determine for themselves whether or not they are allowed to use
+B<sudo>.
+
+If B<sudo> is run by root and the C<SUDO_USER> environment variable
+is set, the I<sudoers> policy will use this value to determine who
+the actual user is. This can be used by a user to log commands
+through sudo even when a root shell has been invoked. It also
+allows the B<-e> option to remain useful even when invoked via a
+sudo-run script or program. Note, however, that the I<sudoers>
+lookup is still done for root, not the user specified by C<SUDO_USER>.
+
+I<sudoers> uses time stamp files for credential caching. Once a
+user has been authenticated, a time stamp is updated and the user
+may then use sudo without a password for a short period of time
+(C<@timeout@> minutes unless overridden by the I<timeout> option.
+By default, I<sudoers> uses a tty-based time stamp which means that
+there is a separate time stamp for each of a user's login sessions.
+The I<tty_tickets> option can be disabled to force the use of a
+single time stamp for all of a user's sessions.
+
+I<sudoers> can log both successful and unsuccessful attempts (as well
+as errors) to syslog(3), a log file, or both. By default, I<sudoers>
+will log via syslog(3) but this is changeable via the I<syslog>
+and I<logfile> Defaults settings.
+
+I<sudoers> also supports logging a command's input and output
+streams. I/O logging is not on by default but can be enabled using
+the I<log_input> and I<log_output> Defaults flags as well as the
+C<LOG_INPUT> and C<LOG_OUTPUT> command tags.
+
+=head2 Command Environment
+
+Since environment variables can influence program behavior, I<sudoers>
+provides a means to restrict which variables from the user's
+environment are inherited by the command to be run. There are two
+distinct ways I<sudoers> can deal with environment variables.
+
+By default, the I<env_reset> option is enabled. This causes commands
+to be executed with a new, minimal environment. On AIX (and Linux
+systems without PAM), the environment is initialized with the
+contents of the F</etc/environment> file. On BSD systems, if the
+I<use_loginclass> option is enabled, the environment is initialized
+based on the I<path> and I<setenv> settings in F</etc/login.conf>.
+The new environment contains the C<TERM>, C<PATH>, C<HOME>, C<MAIL>,
+C<SHELL>, C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables
+in addition to variables from the invoking process permitted by the
+I<env_check> and I<env_keep> options. This is effectively a whitelist
+for environment variables.
+
+If, however, the I<env_reset> option is disabled, any variables not
+explicitly denied by the I<env_check> and I<env_delete> options are
+inherited from the invoking process. In this case, I<env_check>
+and I<env_delete> behave like a blacklist. Since it is not possible
+to blacklist all potentially dangerous environment variables, use
+of the default I<env_reset> behavior is encouraged.
+
+In all cases, environment variables with a value beginning with
+C<()> are removed as they could be interpreted as B<bash> functions.
+The list of environment variables that B<sudo> allows or denies is
+contained in the output of C<sudo -V> when run as root.
+
+Note that the dynamic linker on most operating systems will remove
+variables that can control dynamic linking from the environment of
+setuid executables, including B<sudo>. Depending on the operating
+system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
+C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
+removed from the environment before B<sudo> even begins execution
+and, as such, it is not possible for B<sudo> to preserve them.
+
+As a special case, if B<sudo>'s B<-i> option (initial login) is
+specified, I<sudoers> will initialize the environment regardless
+of the value of I<env_reset>. The I<DISPLAY>, I<PATH> and I<TERM>
+variables remain unchanged; I<HOME>, I<MAIL>, I<SHELL>, I<USER>,
+and I<LOGNAME> are set based on the target user. On AIX (and Linux
+systems without PAM), the contents of F</etc/environment> are also
+included. On BSD systems, if the I<use_loginclass> option is
+enabled, the I<path> and I<setenv> variables in F</etc/login.conf>
+are also applied. All other environment variables are removed.
+
+Finally, if the I<env_file> option is defined, any variables present
+in that file will be set to their specified values as long as they
+would not conflict with an existing environment variable.
+
+=head1 SUDOERS FILE FORMAT
+
+The I<sudoers> file is composed of two types of entries: aliases
+(basically variables) and user specifications (which specify who
+may run what).
+
+When multiple entries match for a user, they are applied in order.
+Where there are multiple matches, the last match is used (which is
+not necessarily the most specific match).
+
+The I<sudoers> grammar will be described below in Extended Backus-Naur
+Form (EBNF). Don't despair if you don't know what EBNF is; it is
+fairly simple, and the definitions below are annotated.
+
+=head2 Quick guide to EBNF
+
+EBNF is a concise and exact way of describing the grammar of a language.
+Each EBNF definition is made up of I<production rules>. E.g.,
+
+ symbol ::= definition | alternate1 | alternate2 ...
+
+Each I<production rule> references others and thus makes up a
+grammar for the language. EBNF also contains the following
+operators, which many readers will recognize from regular
+expressions. Do not, however, confuse them with "wildcard"
+characters, which have different meanings.
+
+=over 4
+
+=item C<?>
+
+Means that the preceding symbol (or group of symbols) is optional.
+That is, it may appear once or not at all.
+
+=item C<*>
+
+Means that the preceding symbol (or group of symbols) may appear
+zero or more times.
+
+=item C<+>
+
+Means that the preceding symbol (or group of symbols) may appear
+one or more times.
+
+=back
+
+Parentheses may be used to group symbols together. For clarity,
+we will use single quotes ('') to designate what is a verbatim character
+string (as opposed to a symbol name).
+
+=head2 Aliases
+
+There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
+C<Host_Alias> and C<Cmnd_Alias>.
+
+ Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+
+ User_Alias ::= NAME '=' User_List
+
+ Runas_Alias ::= NAME '=' Runas_List
+
+ Host_Alias ::= NAME '=' Host_List
+
+ Cmnd_Alias ::= NAME '=' Cmnd_List
+
+ NAME ::= [A-Z]([A-Z][0-9]_)*
+
+Each I<alias> definition is of the form
+
+ Alias_Type NAME = item1, item2, ...
+
+where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
+or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
+and underscore characters ('_'). A C<NAME> B<must> start with an
+uppercase letter. It is possible to put several alias definitions
+of the same type on a single line, joined by a colon (':'). E.g.,
+
+ Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+
+The definitions of what constitutes a valid I<alias> member follow.
+
+ User_List ::= User |
+ User ',' User_List
+
+ User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+
+A C<User_List> is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+C<User_Alias>es. Each list item may be prefixed with zero or more
+'!' operators. An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
+
+A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
+or C<nonunix_gid> may be enclosed in double quotes to avoid the
+need for escaping special characters. Alternately, special characters
+may be specified in escaped hex mode, e.g. \x20 for space. When
+using double quotes, any prefix characters must be included inside
+the quotes.
+
+The actual C<nonunix_group> and C<nonunix_gid> syntax depends on
+the underlying group provider plugin (see the I<group_plugin>
+description below). For instance, the QAS AD plugin supports the
+following formats:
+
+=over 4
+
+=item *
+
+Group in the same domain: "Group Name"
+
+=item *
+
+Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+
+=item *
+
+Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+
+=back
+
+Note that quotes around group names are optional. Unquoted strings
+must use a backslash (\) to escape spaces and special characters.
+See L<"Other special characters and reserved words"> for a list of
+characters that need to be escaped.
+
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+ Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+
+A C<Runas_List> is similar to a C<User_List> except that instead
+of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
+user names and groups are matched as strings. In other words, two
+users (groups) with the same uid (gid) are considered to be distinct.
+If you wish to match all user names with the same uid (e.g.E<nbsp>root
+and toor), you can use a uid instead (#0 in the example given).
+
+ Host_List ::= Host |
+ Host ',' Host_List
+
+ Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+
+A C<Host_List> is made up of one or more host names, IP addresses,
+network numbers, netgroups (prefixed with '+') and other aliases.
+Again, the value of an item may be negated with the '!' operator.
+If you do not specify a netmask along with the network number,
+B<sudo> will query each of the local host's network interfaces and,
+if the network number corresponds to one of the hosts's network
+interfaces, the corresponding netmask will be used. The netmask
+may be specified either in standard IP address notation
+(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
+or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
+include shell-style wildcards (see the L<Wildcards> section below),
+but unless the C<host name> command on your machine returns the fully
+qualified host name, you'll need to use the I<fqdn> option for
+wildcards to be useful. Note B<sudo> only inspects actual network
+interfaces; this means that IP address 127.0.0.1 (localhost) will
+never match. Also, the host name "localhost" will only match if
+that is the actual host name, which is usually only the case for
+non-networked systems.
+
+ Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+ commandname ::= file name |
+ file name args |
+ file name '""'
+
+ Cmnd ::= '!'* commandname |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+
+A C<Cmnd_List> is a list of one or more commandnames, directories, and other
+aliases. A commandname is a fully qualified file name which may include
+shell-style wildcards (see the L<Wildcards> section below). A simple
+file name allows the user to run the command with any arguments he/she
+wishes. However, you may also specify command line arguments (including
+wildcards). Alternately, you can specify C<""> to indicate that the command
+may only be run B<without> command line arguments. A directory is a
+fully qualified path name ending in a '/'. When you specify a directory
+in a C<Cmnd_List>, the user will be able to run any file within that directory
+(but not in any subdirectories therein).
+
+If a C<Cmnd> has associated command line arguments, then the arguments
+in the C<Cmnd> must match exactly those given by the user on the command line
+(or match the wildcards if there are any). Note that the following
+characters must be escaped with a '\' if they are used in command
+arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
+is used to permit a user to run B<sudo> with the B<-e> option (or
+as B<sudoedit>). It may take command line arguments just as
+a normal command does.
+
+=head2 Defaults
+
+Certain configuration options may be changed from their default
+values at runtime via one or more C<Default_Entry> lines. These
+may affect all users on any host, all users on a specific host, a
+specific user, a specific command, or commands being run as a specific user.
+Note that per-command entries may not include command line arguments.
+If you need to specify arguments, define a C<Cmnd_Alias> and reference
+that instead.
+
+ Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
+
+ Default_Entry ::= Default_Type Parameter_List
+
+ Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+ Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
+
+Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
+Flags are implicitly boolean and can be turned off via the '!'
+operator. Some integer, string and list parameters may also be
+used in a boolean context to disable them. Values may be enclosed
+in double quotes (C<">) when they contain multiple words. Special
+characters may be escaped with a backslash (C<\>).
+
+Lists have two additional assignment operators, C<+=> and C<-=>.
+These operators are used to add to and delete from a list respectively.
+It is not an error to use the C<-=> operator to remove an element
+that does not exist in a list.
+
+Defaults entries are parsed in the following order: generic, host
+and user Defaults first, then runas Defaults and finally command
+defaults.
+
+See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
+
+=head2 User Specification
+
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+
+A B<user specification> determines which commands a user may run
+(and as what user) on specified hosts. By default, commands are
+run as B<root>, but this can be changed on a per-command basis.
+
+The basic structure of a user specification is `who where = (as_whom)
+what'. Let's break that down into its constituent parts:
+
+=head2 Runas_Spec
+
+A C<Runas_Spec> determines the user and/or the group that a command
+may be run as. A fully-specified C<Runas_Spec> consists of two
+C<Runas_List>s (as defined above) separated by a colon (':') and
+enclosed in a set of parentheses. The first C<Runas_List> indicates
+which users the command may be run as via B<sudo>'s B<-u> option.
+The second defines a list of groups that can be specified via
+B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
+command may be run with any combination of users and groups listed
+in their respective C<Runas_List>s. If only the first is specified,
+the command may be run as any user in the list but no B<-g> option
+may be specified. If the first C<Runas_List> is empty but the
+second is specified, the command may be run as the invoking user
+with the group set to any listed in the C<Runas_List>. If no
+C<Runas_Spec> is specified the command may be run as B<root> and
+no group may be specified.
+
+A C<Runas_Spec> sets the default for the commands that follow it.
+What this means is that for the entry:
+
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+
+The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
+F</usr/bin/lprm> -- but only as B<operator>. E.g.,
+
+ $ sudo -u operator /bin/ls
+
+It is also possible to override a C<Runas_Spec> later on in an
+entry. If we modify the entry like so:
+
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+
+Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
+but F</bin/kill> and F</usr/bin/lprm> as B<root>.
+
+We can extend this to allow B<dgb> to run C</bin/ls> with either
+the user or group set to B<operator>:
+
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
+ /usr/bin/lprm
+
+Note that while the group portion of the C<Runas_Spec> permits the
+user to run as command with that group, it does not force the user
+to do so. If no group is specified on the command line, the command
+will run with the group listed in the target user's password database
+entry. The following would all be permitted by the sudoers entry above:
+
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
+
+In the following example, user B<tcm> may run commands that access
+a modem device file with the dialer group.
+
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
+ /usr/local/bin/minicom
+
+Note that in this example only the group will be set, the command
+still runs as user B<tcm>. E.g.
+
+ $ sudo -g dialer /usr/bin/cu
+
+Multiple users and groups may be present in a C<Runas_Spec>, in
+which case the user may select any combination of users and groups
+via the B<-u> and B<-g> options. In this example:
+
+ alan ALL = (root, bin : operator, system) ALL
+
+user B<alan> may run any command as either user root or bin,
+optionally setting the group to operator or system.
+
+=head2 SELinux_Spec
+
+On systems with SELinux support, I<sudoers> entries may optionally have
+an SELinux role and/or type associated with a command. If a role or
+type is specified with the command it will override any default values
+specified in I<sudoers>. A role or type specified on the command line,
+however, will supercede the values in I<sudoers>.
+
+=head2 Tag_Spec
+
+A command may have zero or more tags associated with it. There are
+eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
+C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
+C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
+subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
+it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
+C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
+
+=head3 NOPASSWD and PASSWD
+
+By default, B<sudo> requires that a user authenticate him or herself
+before running a command. This behavior can be modified via the
+C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
+a default for the commands that follow it in the C<Cmnd_Spec_List>.
+Conversely, the C<PASSWD> tag can be used to reverse things.
+For example:
+
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+
+would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
+F</usr/bin/lprm> as B<root> on the machine rushmore without
+authenticating himself. If we only want B<ray> to be able to
+run F</bin/kill> without a password the entry would be:
+
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+
+Note, however, that the C<PASSWD> tag has no effect on users who are
+in the group specified by the I<exempt_group> option.
+
+By default, if the C<NOPASSWD> tag is applied to any of the entries
+for a user on the current host, he or she will be able to run
+C<sudo -l> without a password. Additionally, a user may only run
+C<sudo -v> without a password if the C<NOPASSWD> tag is present
+for all a user's entries that pertain to the current host.
+This behavior may be overridden via the verifypw and listpw options.
+
+=head3 NOEXEC and EXEC
+
+If B<sudo> has been compiled with I<noexec> support and the underlying
+operating system supports it, the C<NOEXEC> tag can be used to prevent
+a dynamically-linked executable from running further commands itself.
+
+In the following example, user B<aaron> may run F</usr/bin/more>
+and F</usr/bin/vi> but shell escapes will be disabled.
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+See the L<Preventing Shell Escapes> section below for more details
+on how C<NOEXEC> works and whether or not it will work on your system.
+
+=head3 SETENV and NOSETENV
+
+These tags override the value of the I<setenv> option on a per-command
+basis. Note that if C<SETENV> has been set for a command, the user
+may disable the I<env_reset> option from the command line via the
+B<-E> option. Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by I<env_check>,
+I<env_delete>, or I<env_keep>. As such, only trusted users should
+be allowed to set variables in this manner. If the command matched
+is B<ALL>, the C<SETENV> tag is implied for that command; this
+default may be overridden by use of the C<NOSETENV> tag.
+
+=head3 LOG_INPUT and NOLOG_INPUT
+
+These tags override the value of the I<log_input> option on a
+per-command basis. For more information, see the description of
+I<log_input> in the L<"SUDOERS OPTIONS"> section below.
+
+=head3 LOG_OUTPUT and NOLOG_OUTPUT
+
+These tags override the value of the I<log_output> option on a
+per-command basis. For more information, see the description of
+I<log_output> in the L<"SUDOERS OPTIONS"> section below.
+
+=head2 Wildcards
+
+B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
+to be used in host names, path names and command line arguments in
+the I<sudoers> file. Wildcard matching is done via the B<POSIX>
+L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
+regular expressions.
+
+=over 8
+
+=item C<*>
+
+Matches any set of zero or more characters.
+
+=item C<?>
+
+Matches any single character.
+
+=item C<[...]>
+
+Matches any character in the specified range.
+
+=item C<[!...]>
+
+Matches any character B<not> in the specified range.
+
+=item C<\x>
+
+For any character "x", evaluates to "x". This is used to
+escape special characters such as: "*", "?", "[", and "}".
+
+=back
+
+POSIX character classes may also be used if your system's L<glob(3)>
+and L<fnmatch(3)> functions support them. However, because the
+C<':'> character has special meaning in I<sudoers>, it must be
+escaped. For example:
+
+ /bin/ls [[\:alpha\:]]*
+
+Would match any file name beginning with a letter.
+
+Note that a forward slash ('/') will B<not> be matched by
+wildcards used in the path name. When matching the command
+line arguments, however, a slash B<does> get matched by
+wildcards. This is to make a path like:
+
+ /usr/bin/*
+
+match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
+
+=head2 Exceptions to wildcard rules
+
+The following exceptions apply to the above rules:
+
+=over 8
+
+=item C<"">
+
+If the empty string C<""> is the only command line argument in the
+I<sudoers> entry it means that command is not allowed to be run
+with B<any> arguments.
+
+=back
+
+=head2 Including other files from within sudoers
+
+It is possible to include other I<sudoers> files from within the
+I<sudoers> file currently being parsed using the C<#include> and
+C<#includedir> directives.
+
+This can be used, for example, to keep a site-wide I<sudoers> file
+in addition to a local, per-machine file. For the sake of this
+example the site-wide I<sudoers> will be F</etc/sudoers> and the
+per-machine one will be F</etc/sudoers.local>. To include
+F</etc/sudoers.local> from within F</etc/sudoers> we would use the
+following line in F</etc/sudoers>:
+
+=over 4
+
+C<#include /etc/sudoers.local>
+
+=back
+
+When B<sudo> reaches this line it will suspend processing of the
+current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
+Upon reaching the end of F</etc/sudoers.local>, the rest of
+F</etc/sudoers> will be processed. Files that are included may
+themselves include other files. A hard limit of 128 nested include
+files is enforced to prevent include file loops.
+
+If the path to the include file is not fully-qualified (does not
+begin with a F</>), it must be located in the same directory as the
+sudoers file it was included from. For example, if F</etc/sudoers>
+contains the line:
+
+=over 4
+
+C<#include sudoers.local>
+
+=back
+
+the file that will be included is F</etc/sudoers.local>.
+
+The file name may also include the C<%h> escape, signifying the short form
+of the host name. I.e., if the machine's host name is "xerxes", then
+
+C<#include /etc/sudoers.%h>
+
+will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
+
+The C<#includedir> directive can be used to create a F<sudo.d>
+directory that the system package manager can drop I<sudoers> rules
+into as part of package installation. For example, given:
+
+C<#includedir /etc/sudoers.d>
+
+B<sudo> will read each file in F</etc/sudoers.d>, skipping file
+names that end in C<~> or contain a C<.> character to avoid causing
+problems with package manager or editor temporary/backup files.
+Files are parsed in sorted lexical order. That is,
+F</etc/sudoers.d/01_first> will be parsed before
+F</etc/sudoers.d/10_second>. Be aware that because the sorting is
+lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
+B<after> F</etc/sudoers.d/10_second>. Using a consistent number
+of leading zeroes in the file names can be used to avoid such
+problems.
+
+Note that unlike files included via C<#include>, B<visudo> will not
+edit the files in a C<#includedir> directory unless one of them
+contains a syntax error. It is still possible to run B<visudo>
+with the C<-f> flag to edit the files directly.
+
+=head2 Other special characters and reserved words
+
+The pound sign ('#') is used to indicate a comment (unless it is
+part of a #include directive or unless it occurs in the context of
+a user name and is followed by one or more digits, in which case
+it is treated as a uid). Both the comment character and any text
+after it, up to the end of the line, are ignored.
+
+The reserved word B<ALL> is a built-in I<alias> that always causes
+a match to succeed. It can be used wherever one might otherwise
+use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
+You should not try to define your own I<alias> called B<ALL> as the
+built-in alias will be used in preference to your own. Please note
+that using B<ALL> can be dangerous since in a command context, it
+allows the user to run B<any> command on the system.
+
+An exclamation point ('!') can be used as a logical I<not> operator
+both in an I<alias> and in front of a C<Cmnd>. This allows one to
+exclude certain values. Note, however, that using a C<!> in
+conjunction with the built-in C<ALL> alias to allow a user to
+run "all but a few" commands rarely works as intended (see SECURITY
+NOTES below).
+
+Long lines can be continued with a backslash ('\') as the last
+character on the line.
+
+Whitespace between elements in a list as well as special syntactic
+characters in a I<User Specification> ('=', ':', '(', ')') is optional.
+
+The following characters must be escaped with a backslash ('\') when
+used as part of a word (e.g.E<nbsp>a user name or host name):
+'!', '=', ':', ',', '(', ')', '\'.
+
+=head1 SUDOERS OPTIONS
+
+B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
+explained earlier. A list of all supported Defaults parameters,
+grouped by type, are listed below.
+
+B<Boolean Flags>:
+
+=over 16
+
+=item always_set_home
+
+If enabled, B<sudo> will set the C<HOME> environment variable to the
+home directory of the target user (which is root unless the B<-u>
+option is used). This effectively means that the B<-H> option is
+always implied. Note that C<HOME> is already set when the the
+I<env_reset> option is enabled, so I<always_set_home> is only
+effective for configurations where either I<env_reset> is disabled
+or C<HOME> is present in the I<env_keep> list.
+This flag is I<off> by default.
+
+=item authenticate
+
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands. This default
+may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
+This flag is I<on> by default.
+
+=item closefrom_override
+
+If set, the user may use B<sudo>'s B<-C> option which
+overrides the default starting point at which B<sudo> begins
+closing open file descriptors. This flag is I<off> by default.
+
+=item compress_io
+
+If set, and B<sudo> is configured to log a command's input or output,
+the I/O logs will be compressed using B<zlib>. This flag is I<on>
+by default when B<sudo> is compiled with B<zlib> support.
+
+=item env_editor
+
+If set, B<visudo> will use the value of the EDITOR or VISUAL
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging. A safer alternative
+is to place a colon-separated list of editors in the C<editor>
+variable. B<visudo> will then only use the EDITOR or VISUAL if
+they match a value specified in C<editor>. This flag is I<@env_editor@> by
+default.
+
+=item env_reset
+
+If set, B<sudo> will run the command in a minimal environment
+containing the C<TERM>, C<PATH>, C<HOME>, C<MAIL>, C<SHELL>,
+C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables. Any
+variables in the caller's environment that match the C<env_keep>
+and C<env_check> lists are then added, followed by any variables
+present in the file specified by the I<env_file> option (if any).
+The default contents of the C<env_keep> and C<env_check> lists are
+displayed when B<sudo> is run by root with the I<-V> option. If
+the I<secure_path> option is set, its value will be used for the
+C<PATH> environment variable. This flag is I<@env_reset@> by
+default.
+
+=item fast_glob
+
+Normally, B<sudo> uses the L<glob(3)> function to do shell-style
+globbing when matching path names. However, since it accesses the
+file system, L<glob(3)> can take a long time to complete for some
+patterns, especially when the pattern references a network file
+system that is mounted on demand (automounted). The I<fast_glob>
+option causes B<sudo> to use the L<fnmatch(3)> function, which does
+not access the file system to do its matching. The disadvantage
+of I<fast_glob> is that it is unable to match relative path names
+such as F<./ls> or F<../bin/ls>. This has security implications
+when path names that include globbing characters are used with the
+negation operator, C<'!'>, as such rules can be trivially bypassed.
+As such, this option should not be used when I<sudoers> contains rules
+that contain negated path names which include globbing characters.
+This flag is I<off> by default.
+
+=item fqdn
+
+Set this flag if you want to put fully qualified host names in the
+I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
+which may make B<sudo> unusable if DNS stops working (for example
+if the machine is not plugged into the network). Also note that
+you must use the host's official name as DNS knows it. That is,
+you may not use a host alias (C<CNAME> entry) due to performance
+issues and the fact that there is no way to get all aliases from
+DNS. If your machine's host name (as returned by the C<hostname>
+command) is already fully qualified you shouldn't need to set
+I<fqdn>. This flag is I<@fqdn@> by default.
+
+=item ignore_dot
+
+If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
+environment variable; the C<PATH> itself is not modified. This
+flag is I<@ignore_dot@> by default.
+
+=item ignore_local_sudoers
+
+If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only LDAP is used. This thwarts the efforts of
+rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
+When this option is present, F<@sysconfdir@/sudoers> does not even need to
+exist. Since this option tells B<sudo> how to behave when no specific LDAP
+entries have been matched, this sudoOption is only meaningful for the
+C<cn=defaults> section. This flag is I<off> by default.
+
+=item insults
+
+If set, B<sudo> will insult users when they enter an incorrect
+password. This flag is I<@insults@> by default.
+
+=item log_host
+
+If set, the host name will be logged in the (non-syslog) B<sudo> log file.
+This flag is I<off> by default.
+
+=item log_input
+
+If set, B<sudo> will run the command in a I<pseudo tty> and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+
+Input is logged to the directory specified by the I<iolog_dir>
+option (F<@iolog_dir@> by default) using a unique session ID that
+is included in the normal B<sudo> log line, prefixed with I<TSID=>.
+The I<iolog_file> option may be used to control the format of the
+session ID.
+
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted. In most cases, logging the
+command output via I<log_output> is all that is required.
+
+=item log_output
+
+If set, B<sudo> will run the command in a I<pseudo tty> and log all
+output that is sent to the screen, similar to the script(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+
+Output is logged to the directory specified by the I<iolog_dir>
+option (F<@iolog_dir@> by default) using a unique session ID that
+is included in the normal B<sudo> log line, prefixed with I<TSID=>.
+The I<iolog_file> option may be used to control the format of the
+session ID.
+
+Output logs may be viewed with the L<sudoreplay(8)> utility, which
+can also be used to list or search the available logs.
+
+=item log_year
+
+If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
+This flag is I<off> by default.
+
+=item long_otp_prompt
+
+When validating with a One Time Password (OTP) scheme such as
+B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window. It's not as
+pretty as the default but some people find it more convenient. This
+flag is I<@long_otp_prompt@> by default.
+
+=item mail_always
+
+Send mail to the I<mailto> user every time a users runs B<sudo>.
+This flag is I<off> by default.
+
+=item mail_badpass
+
+Send mail to the I<mailto> user if the user running B<sudo> does not
+enter the correct password. This flag is I<off> by default.
+
+=item mail_no_host
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user exists in the I<sudoers> file, but is not allowed to run
+commands on the current host. This flag is I<@mail_no_host@> by default.
+
+=item mail_no_perms
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is allowed to use B<sudo> but the command they are trying is not
+listed in their I<sudoers> file entry or is explicitly denied.
+This flag is I<@mail_no_perms@> by default.
+
+=item mail_no_user
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
+by default.
+
+=item noexec
+
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
+tag has been set, unless overridden by a C<EXEC> tag. See the
+description of I<NOEXEC and EXEC> below as well as the L<Preventing Shell
+Escapes> section at the end of this manual. This flag is I<off> by default.
+
+=item path_info
+
+Normally, B<sudo> will tell the user when a command could not be
+found in their C<PATH> environment variable. Some sites may wish
+to disable this as it could be used to gather information on the
+location of executables that the normal user does not have access
+to. The disadvantage is that if the executable is simply not in
+the user's C<PATH>, B<sudo> will tell the user that they are not
+allowed to run it, which can be confusing. This flag is I<@path_info@>
+by default.
+
+=item passprompt_override
+
+The password prompt specified by I<passprompt> will normally only
+be used if the password prompt provided by systems such as PAM matches
+the string "Password:". If I<passprompt_override> is set, I<passprompt>
+will always be used. This flag is I<off> by default.
+
+=item preserve_groups
+
+By default, B<sudo> will initialize the group vector to the list of
+groups the target user is in. When I<preserve_groups> is set, the
+user's existing group vector is left unaltered. The real and
+effective group IDs, however, are still set to match the target
+user. This flag is I<off> by default.
+
+=item pwfeedback
+
+By default, B<sudo> reads the password like most other Unix programs,
+by turning off echo until the user hits the return (or enter) key.
+Some users become confused by this as it appears to them that B<sudo>
+has hung at this point. When I<pwfeedback> is set, B<sudo> will
+provide visual feedback when the user presses a key. Note that
+this does have a security impact as an onlooker may be able to
+determine the length of the password being entered.
+This flag is I<off> by default.
+
+=item requiretty
+
+If set, B<sudo> will only run when the user is logged in to a real
+tty. When this flag is set, B<sudo> can only be run from a login
+session and not via other means such as L<cron(8)> or cgi-bin scripts.
+This flag is I<off> by default.
+
+=item root_sudo
+
+If set, root is allowed to run B<sudo> too. Disabling this prevents users
+from "chaining" B<sudo> commands to get a root shell by doing something
+like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
+will also prevent root from running B<sudoedit>.
+Disabling I<root_sudo> provides no real additional security; it
+exists purely for historical reasons.
+This flag is I<@root_sudo@> by default.
+
+=item rootpw
+
+If set, B<sudo> will prompt for the root password instead of the password
+of the invoking user. This flag is I<off> by default.
+
+=item runaspw
+
+If set, B<sudo> will prompt for the password of the user defined by the
+I<runas_default> option (defaults to C<@runas_default@>) instead of the
+password of the invoking user. This flag is I<off> by default.
+
+=item set_home
+
+If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
+environment variable will be set to the home directory of the target
+user (which is root unless the B<-u> option is used). This effectively
+makes the B<-s> option imply B<-H>. Note that C<HOME> is already
+set when the the I<env_reset> option is enabled, so I<set_home> is
+only effective for configurations where either I<env_reset> is disabled
+or C<HOME> is present in the I<env_keep> list.
+This flag is I<off> by default.
+
+=item set_logname
+
+Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
+environment variables to the name of the target user (usually root
+unless the B<-u> option is given). However, since some programs
+(including the RCS revision control system) use C<LOGNAME> to
+determine the real identity of the user, it may be desirable to
+change this behavior. This can be done by negating the set_logname
+option. Note that if the I<env_reset> option has not been disabled,
+entries in the I<env_keep> list will override the value of
+I<set_logname>. This flag is I<on> by default.
+
+=item set_utmp
+
+When enabled, B<sudo> will create an entry in the utmp (or utmpx)
+file when a pseudo-tty is allocated. A pseudo-tty is allocated by
+B<sudo> when the I<log_input>, I<log_output> or I<use_pty> flags
+are enabled. By default, the new entry will be a copy of the user's
+existing utmp entry (if any), with the tty, time, type and pid
+fields updated. This flag is I<on> by default.
+
+=item setenv
+
+Allow the user to disable the I<env_reset> option from the command
+line via the B<-E> option. Additionally, environment variables set
+via the command line are not subject to the restrictions imposed
+by I<env_check>, I<env_delete>, or I<env_keep>. As such, only
+trusted users should be allowed to set variables in this manner.
+This flag is I<off> by default.
+
+=item shell_noargs
+
+If set and B<sudo> is invoked with no arguments it acts as if the
+B<-s> option had been given. That is, it runs a shell as root (the
+shell is determined by the C<SHELL> environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not). This flag is I<off> by default.
+
+=item stay_setuid
+
+Normally, when B<sudo> executes a command the real and effective
+UIDs are set to the target user (root by default). This option
+changes that behavior such that the real UID is left as the invoking
+user's UID. In other words, this makes B<sudo> act as a setuid
+wrapper. This can be useful on systems that disable some potentially
+dangerous functionality when a program is run setuid. This option
+is only effective on systems with either the setreuid() or setresuid()
+function. This flag is I<off> by default.
+
+=item targetpw
+
+If set, B<sudo> will prompt for the password of the user specified
+by the B<-u> option (defaults to C<root>) instead of the password
+of the invoking user. In addition, the timestamp file name will
+include the target user's name. Note that this flag precludes the
+use of a uid not listed in the passwd database as an argument to
+the B<-u> option. This flag is I<off> by default.
+
+=item tty_tickets
+
+If set, users must authenticate on a per-tty basis. With this flag
+enabled, B<sudo> will use a file named for the tty the user is
+logged in on in the user's time stamp directory. If disabled, the
+time stamp of the directory is used instead. This flag is
+I<@tty_tickets@> by default.
+
+=item umask_override
+
+If set, B<sudo> will set the umask as specified by I<sudoers> without
+modification. This makes it possible to specify a more permissive
+umask in I<sudoers> than the user's own umask and matches historical
+behavior. If I<umask_override> is not set, B<sudo> will set the
+umask to be the union of the user's umask and what is specified in
+I<sudoers>. This flag is I<@umask_override@> by default.
+
+=item use_loginclass
+
+If set, B<sudo> will apply the defaults specified for the target user's
+login class if one exists. Only available if B<sudo> is configured with
+the --with-logincap option. This flag is I<off> by default.
+
+=item use_pty
+
+If set, B<sudo> will run the command in a pseudo-pty even if no I/O
+logging is being gone. A malicious program run under B<sudo> could
+conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing. Use
+of this option will make that impossible. This flag is I<off> by default.
+
+=item utmp_runas
+
+If set, B<sudo> will store the name of the runas user when updating
+the utmp (or utmpx) file. By default, B<sudo> stores the name of
+the invoking user. This flag is I<off> by default.
+
+=item visiblepw
+
+By default, B<sudo> will refuse to run if the user must enter a
+password but it is not possible to disable echo on the terminal.
+If the I<visiblepw> flag is set, B<sudo> will prompt for a password
+even when it would be visible on the screen. This makes it possible
+to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
+not allocate a tty. This flag is I<off> by default.
+
+=back
+
+B<Integers>:
+
+=over 16
+
+=item closefrom
+
+Before it executes a command, B<sudo> will close all open file
+descriptors other than standard input, standard output and standard
+error (ie: file descriptors 0-2). The I<closefrom> option can be used
+to specify a different file descriptor at which to start closing.
+The default is C<3>.
+
+=item passwd_tries
+
+The number of tries a user gets to enter his/her password before
+B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
+
+=back
+
+B<Integers that can be used in a boolean context>:
+
+=over 16
+
+=item loglinelen
+
+Number of characters per line for the file log. This value is used
+to decide when to wrap lines for nicer log files. This has no
+effect on the syslog log file, only the file log. The default is
+C<@loglen@> (use 0 or negate the option to disable word wrap).
+
+=item passwd_timeout
+
+Number of minutes before the B<sudo> password prompt times out, or
+C<0> for no timeout. The timeout may include a fractional component
+if minute granularity is insufficient, for example C<2.5>. The
+default is C<@password_timeout@>.
+
+=item timestamp_timeout
+
+Number of minutes that can elapse before B<sudo> will ask for a
+passwd again. The timeout may include a fractional component if
+minute granularity is insufficient, for example C<2.5>. The default
+is C<@timeout@>. Set this to C<0> to always prompt for a password.
+If set to a value less than C<0> the user's timestamp will never
+expire. This can be used to allow users to create or delete their
+own timestamps via C<sudo -v> and C<sudo -k> respectively.
+
+=item umask
+
+Umask to use when running the command. Negate this option or set
+it to 0777 to preserve the user's umask. The actual umask that is
+used will be the union of the user's umask and the value of the
+I<umask> option, which defaults to C<@sudo_umask@>. This guarantees
+that B<sudo> never lowers the umask when running a command. Note
+on systems that use PAM, the default PAM configuration may specify
+its own umask which will override the value set in I<sudoers>.
+
+=back
+
+B<Strings>:
+
+=over 16
+
+=item badpass_message
+
+Message that is displayed if a user enters an incorrect password.
+The default is C<@badpass_message@> unless insults are enabled.
+
+=item editor
+
+A colon (':') separated list of editors allowed to be used with
+B<visudo>. B<visudo> will choose the editor that matches the user's
+EDITOR environment variable if possible, or the first editor in the
+list that exists and is executable. The default is C<"@editor@">.
+
+=item iolog_dir
+
+The top-level directory to use when constructing the path name for
+the input/output log directory. Only used if the I<log_input> or
+I<log_output> options are enabled or when the C<LOG_INPUT> or
+C<LOG_OUTPUT> tags are present for a command. The session sequence
+number, if any, is stored in the directory.
+The default is C<"@iolog_dir@">.
+
+The following percent (`C<%>') escape sequences are supported:
+
+=over 4
+
+=item C<%{seq}>
+
+expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
+where every two digits are used to form a new directory, e.g. F<01/00/A5>
+
+=item C<%{user}>
+
+expanded to the invoking user's login name
+
+=item C<%{group}>
+
+expanded to the name of the invoking user's real group ID
+
+=item C<%{runas_user}>
+
+expanded to the login name of the user the command will
+be run as (e.g. root)
+
+=item C<%{runas_group}>
+
+expanded to the group name of the user the command will
+be run as (e.g. wheel)
+
+=item C<%{hostname}>
+
+expanded to the local host name without the domain name
+
+=item C<%{command}>
+
+expanded to the base name of the command being run
+
+=back
+
+In addition, any escape sequences supported by the system's strftime()
+function will be expanded.
+
+To include a literal `C<%>' character, the string `C<%%>' should
+be used.
+
+=item iolog_file
+
+The path name, relative to I<iolog_dir>, in which to store input/output
+logs when the I<log_input> or I<log_output> options are enabled or
+when the C<LOG_INPUT> or C<LOG_OUTPUT> tags are present for a command.
+Note that I<iolog_file> may contain directory components.
+The default is C<"%{seq}">.
+
+See the I<iolog_dir> option above for a list of supported percent
+(`C<%>') escape sequences.
+
+In addition to the escape sequences, path names that end in six or
+more C<X>s will have the C<X>s replaced with a unique combination
+of digits and letters, similar to the mktemp() function.
+
+=item mailsub
+
+Subject of the mail sent to the I<mailto> user. The escape C<%h>
+will expand to the host name of the machine.
+Default is C<@mailsub@>.
+
+=item noexec_file
+
+This option is no longer supported. The path to the noexec file
+should now be set in the F<@sysconfdir@/sudo.conf> file.
+
+=item passprompt
+
+The default prompt to use when asking for a password; can be overridden
+via the B<-p> option or the C<SUDO_PROMPT> environment variable.
+The following percent (`C<%>') escape sequences are supported:
+
+=over 4
+
+=item C<%H>
+
+expanded to the local host name including the domain name
+(only if the machine's host name is fully qualified or the I<fqdn>
+option is set)
+
+=item C<%h>
+
+expanded to the local host name without the domain name
+
+=item C<%p>
+
+expanded to the user whose password is being asked for (respects the
+I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
+
+=item C<%U>
+
+expanded to the login name of the user the command will
+be run as (defaults to root)
+
+=item C<%u>
+
+expanded to the invoking user's login name
+
+=item C<%%>
+
+two consecutive C<%> characters are collapsed into a single C<%> character
+
+=back
+
+The default value is C<@passprompt@>.
+
+=item role
+
+The default SELinux role to use when constructing a new security
+context to run the command. The default role may be overridden on
+a per-command basis in I<sudoers> or via command line options.
+This option is only available whe B<sudo> is built with SELinux support.
+
+=item runas_default
+
+The default user to run commands as if the B<-u> option is not specified
+on the command line. This defaults to C<@runas_default@>.
+
+=item syslog_badpri
+
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to C<@badpri@>.
+
+The following syslog priorities are supported: B<alert>, B<crit>,
+B<debug>, B<emerg>, B<err>, B<info>, B<notice>, and B<warning>.
+
+=item syslog_goodpri
+
+Syslog priority to use when user authenticates successfully.
+Defaults to C<@goodpri@>.
+
+See L<syslog_badpri> for the list of supported syslog priorities.
+
+=item sudoers_locale
+
+Locale to use when parsing the sudoers file, logging commands, and
+sending email. Note that changing the locale may affect how sudoers
+is interpreted. Defaults to C<"C">.
+
+=item timestampdir
+
+The directory in which B<sudo> stores its timestamp files.
+The default is F<@timedir@>.
+
+=item timestampowner
+
+The owner of the timestamp directory and the timestamps stored therein.
+The default is C<root>.
+
+=item type
+
+The default SELinux type to use when constructing a new security
+context to run the command. The default type may be overridden on
+a per-command basis in I<sudoers> or via command line options.
+This option is only available whe B<sudo> is built with SELinux support.
+
+=back
+
+B<Strings that can be used in a boolean context>:
+
+=over 12
+
+=item env_file
+
+The I<env_file> option specifies the fully qualified path to a
+file containing variables to be set in the environment of the program
+being run. Entries in this file should either be of the form
+C<VARIABLE=value> or C<export VARIABLE=value>. The value may
+optionally be surrounded by single or double quotes. Variables in
+this file are subject to other B<sudo> environment settings such
+as I<env_keep> and I<env_check>.
+
+=item exempt_group
+
+Users in this group are exempt from password and PATH requirements.
+The group name specified should not include a C<%> prefix.
+This is not set by default.
+
+=item group_plugin
+
+A string containing a I<sudoers> group plugin with optional arguments.
+This can be used to implement support for the C<nonunix_group>
+syntax described earlier. The string should consist of the plugin
+path, either fully-qualified or relative to the F<@prefix@/libexec>
+directory, followed by any configuration arguments the plugin
+requires. These arguments (if any) will be passed to the plugin's
+initialization function. If arguments are present, the string must
+be enclosed in double quotes (C<">).
+
+For example, given F</etc/sudo-group>, a group file in Unix group
+format, the sample group plugin can be used:
+
+ Defaults group_plugin="sample_group.so /etc/sudo-group"
+
+For more information see L<sudo_plugin(5)>.
+
+=item lecture
+
+This option controls when a short lecture will be printed along with
+the password prompt. It has the following possible values:
+
+=over 8
+
+=item always
+
+Always lecture the user.
+
+=item never
+
+Never lecture the user.
+
+=item once
+
+Only lecture the user the first time they run B<sudo>.
+
+=back
+
+If no value is specified, a value of I<once> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<@lecture@>.
+
+=item lecture_file
+
+Path to a file containing an alternate B<sudo> lecture that will
+be used in place of the standard lecture if the named file exists.
+By default, B<sudo> uses a built-in lecture.
+
+=item listpw
+
+This option controls when a password will be required when a
+user runs B<sudo> with the B<-l> option. It has the following possible values:
+
+=over 8
+
+=item all
+
+All the user's I<sudoers> entries for the current host must have
+the C<NOPASSWD> flag set to avoid entering a password.
+
+=item always
+
+The user must always enter a password to use the B<-l> option.
+
+=item any
+
+At least one of the user's I<sudoers> entries for the current host
+must have the C<NOPASSWD> flag set to avoid entering a password.
+
+=item never
+
+The user need never enter a password to use the B<-l> option.
+
+=back
+
+If no value is specified, a value of I<any> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<any>.
+
+=item logfile
+
+Path to the B<sudo> log file (not the syslog log file). Setting a path
+turns on logging to a file; negating this option turns it off.
+By default, B<sudo> logs via syslog.
+
+=item mailerflags
+
+Flags to use when invoking mailer. Defaults to B<-t>.
+
+=item mailerpath
+
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
+
+=item mailfrom
+
+Address to use for the "from" address when sending warning and error
+mail. The address should be enclosed in double quotes (C<">) to
+protect against B<sudo> interpreting the C<@> sign. Defaults to
+the name of the user running B<sudo>.
+
+=item mailto
+
+Address to send warning and error mail to. The address should
+be enclosed in double quotes (C<">) to protect against B<sudo>
+interpreting the C<@> sign. Defaults to C<@mailto@>.
+
+=item secure_path
+
+Path used for every command run from B<sudo>. If you don't trust the
+people running B<sudo> to have a sane C<PATH> environment variable you may
+want to use this. Another use is if you want to have the "root path"
+be separate from the "user path." Users in the group specified by the
+I<exempt_group> option are not affected by I<secure_path>.
+This option is @secure_path@ by default.
+
+=item syslog
+
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging). Defaults to C<@logfac@>.
+
+The following syslog facilities are supported: B<authpriv> (if your
+OS supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>,
+B<local2>, B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.
+
+=item verifypw
+
+This option controls when a password will be required when a user runs
+B<sudo> with the B<-v> option. It has the following possible values:
+
+=over 8
+
+=item all
+
+All the user's I<sudoers> entries for the current host must have
+the C<NOPASSWD> flag set to avoid entering a password.
+
+=item always
+
+The user must always enter a password to use the B<-v> option.
+
+=item any
+
+At least one of the user's I<sudoers> entries for the current host
+must have the C<NOPASSWD> flag set to avoid entering a password.
+
+=item never
+
+The user need never enter a password to use the B<-v> option.
+
+=back
+
+If no value is specified, a value of I<all> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<all>.
+
+=back
+
+B<Lists that can be used in a boolean context>:
+
+=over 16
+
+=item env_check
+
+Environment variables to be removed from the user's environment if
+the variable's value contains C<%> or C</> characters. This can
+be used to guard against printf-style format vulnerabilities in
+poorly-written programs. The argument may be a double-quoted,
+space-separated list or a single value without double-quotes. The
+list can be replaced, added to, deleted from, or disabled by using
+the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
+of whether the C<env_reset> option is enabled or disabled, variables
+specified by C<env_check> will be preserved in the environment if
+they pass the aforementioned check. The default list of environment
+variables to check is displayed when B<sudo> is run by root with
+the I<-V> option.
+
+=item env_delete
+
+Environment variables to be removed from the user's environment
+when the I<env_reset> option is not in effect. The argument may
+be a double-quoted, space-separated list or a single value without
+double-quotes. The list can be replaced, added to, deleted from,
+or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
+respectively. The default list of environment variables to remove
+is displayed when B<sudo> is run by root with the I<-V> option.
+Note that many operating systems will remove potentially dangerous
+variables from the environment of any setuid process (such as
+B<sudo>).
+
+=item env_keep
+
+Environment variables to be preserved in the user's environment
+when the I<env_reset> option is in effect. This allows fine-grained
+control over the environment B<sudo>-spawned processes will receive.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes. The list can be replaced, added
+to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
+C<!> operators respectively. The default list of variables to keep
+is displayed when B<sudo> is run by root with the I<-V> option.
+
+=back
+
+=head1 SUDO.CONF
+
+The F<@sysconfdir@/sudo.conf> file determines which plugins the
+B<sudo> front end will load. If no F<@sysconfdir@/sudo.conf> file
+is present, or it contains no C<Plugin> lines, B<sudo> will use the
+I<sudoers> security policy and I/O logging, which corresponds to
+the following F<@sysconfdir@/sudo.conf> file.
+
+ #
+ # Default @sysconfdir@/sudo.conf file
+ #
+ # Format:
+ # Plugin plugin_name plugin_path plugin_options ...
+ # Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
+ #
+ # The plugin_path is relative to @prefix@/libexec unless
+ # fully qualified.
+ # The plugin_name corresponds to a global symbol in the plugin
+ # that contains the plugin interface structure.
+ # The plugin_options are optional.
+ #
+ Plugin policy_plugin sudoers.so
+ Plugin io_plugin sudoers.so
+
+=head2 PLUGIN OPTIONS
+
+Starting with B<sudo> 1.8.5 it is possible to pass options to the
+I<sudoers> plugin. Options may be listed after the path to the
+plugin (i.e. after F<sudoers.so>); multiple options should be
+space-separated. For example:
+
+ Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
+
+The following plugin options are supported:
+
+=over 10
+
+=item sudoers_file=pathname
+
+The I<sudoers_file> option can be used to override the default path
+to the I<sudoers> file.
+
+=item sudoers_uid=uid
+
+The I<sudoers_uid> option can be used to override the default owner
+of the sudoers file. It should be specified as a numeric user ID.
+
+=item sudoers_gid=gid
+
+The I<sudoers_gid> option can be used to override the default group
+of the sudoers file. It should be specified as a numeric group ID.
+
+=item sudoers_mode=mode
+
+The I<sudoers_mode> option can be used to override the default file
+mode for the sudoers file. It should be specified as an octal value.
+
+=back
+
+=head2 DEBUG FLAGS
+
+Versions 1.8.4 and higher of the I<sudoers> plugin supports a
+debugging framework that can help track down what the plugin is
+doing internally if there is a problem. This can be configured in
+the F<@sysconfdir@/sudo.conf> file as described in L<sudo(8)>.
+
+The I<sudoers> plugin uses the same debug flag format as B<sudo>
+itself: I<subsystem>@I<priority>.
+
+The priorities used by I<sudoers>, in order of decreasing severity,
+are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>, I<trace>
+and I<debug>. Each priority, when specified, also includes all
+priorities higher than it. For example, a priority of I<notice>
+would include debug messages logged at I<notice> and higher.
+
+The following subsystems are used by I<sudoers>:
+
+=over 10
+
+=item I<alias>
+
+C<User_Alias>, C<Runas_Alias>, C<Host_Alias> and C<Cmnd_Alias> processing
+
+=item I<all>
+
+matches every subsystem
+
+=item I<audit>
+
+BSM and Linux audit code
+
+=item I<auth>
+
+user authentication
+
+=item I<defaults>
+
+I<sudoers> I<Defaults> settings
+
+=item I<env>
+
+environment handling
+
+=item I<ldap>
+
+LDAP-based sudoers
+
+=item I<logging>
+
+logging support
+
+=item I<match>
+
+matching of users, groups, hosts and netgroups in I<sudoers>
+
+=item I<netif>
+
+network interface handling
+
+=item I<nss>
+
+network service switch handling in I<sudoers>
+
+=item I<parser>
+
+I<sudoers> file parsing
+
+=item I<perms>
+
+permission setting
+
+=item I<plugin>
+
+The equivalent of I<main> for the plugin.
+
+=item I<pty>
+
+pseudo-tty related code
+
+=item I<rbtree>
+
+redblack tree internals
+
+=item I<util>
+
+utility functions
+
+=back
+
+=head1 FILES
+
+=over 24
+
+=item F<@sysconfdir@/sudo.conf>
+
+Sudo front end configuration
+
+=item F<@sysconfdir@/sudoers>
+
+List of who can run what
+
+=item F</etc/group>
+
+Local groups file
+
+=item F</etc/netgroup>
+
+List of network groups
+
+=item F<@iolog_dir@>
+
+I/O log files
+
+=item F<@timedir@>
+
+Directory containing time stamps for the I<sudoers> security policy
+
+=item F</etc/environment>
+
+Initial environment for B<-i> mode on AIX and Linux systems
+
+=back
+
+=head1 EXAMPLES
+
+Below are example I<sudoers> entries. Admittedly, some of
+these are a bit contrived. First, we allow a few environment
+variables to pass and then define our I<aliases>:
+
+ # Run X applications through sudo; HOME is used to find the
+ # .Xauthority file. Note that other programs use HOME to find
+ # configuration files and this may lead to privilege escalation!
+ Defaults env_keep += "DISPLAY HOME"
+
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
+
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
+ /usr/local/bin/tcsh, /usr/bin/rsh, \
+ /usr/local/bin/zsh
+ Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+
+Here we override some of the compiled in default values. We want
+B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
+cases. We don't want to subject the full time staff to the B<sudo>
+lecture, user B<millert> need not give a password, and we don't
+want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
+variables when running commands as root. Additionally, on the
+machines in the I<SERVERS> C<Host_Alias>, we keep an additional
+local log file and make sure we log the year in each log line since
+the log entries will be kept around for several years. Lastly, we
+disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
+(F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
+
+ # Override built-in defaults
+ Defaults syslog=auth
+ Defaults>root !set_logname
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
+
+The I<User specification> is the part that actually determines who may
+run what.
+
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
+
+We let B<root> and any user in group B<wheel> run any command on any
+host as any user.
+
+ FULLTIMERS ALL = NOPASSWD: ALL
+
+Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
+command on any host without authenticating themselves.
+
+ PARTTIMERS ALL = ALL
+
+Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
+command on any host but they must authenticate themselves first
+(since the entry lacks the C<NOPASSWD> tag).
+
+ jack CSNETS = ALL
+
+The user B<jack> may run any command on the machines in the I<CSNETS> alias
+(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
+Of those networks, only C<128.138.204.0> has an explicit netmask (in
+CIDR notation) indicating it is a class C network. For the other
+networks in I<CSNETS>, the local machine's netmask will be used
+during matching.
+
+ lisa CUNETS = ALL
+
+The user B<lisa> may run any command on any host in the I<CUNETS> alias
+(the class B network C<128.138.0.0>).
+
+ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+ sudoedit /etc/printcap, /usr/oper/bin/
+
+The B<operator> user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory F</usr/oper/bin/>.
+
+ joe ALL = /usr/bin/su operator
+
+The user B<joe> may only L<su(1)> to operator.
+
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+
+ %opers ALL = (: ADMINGRP) /usr/sbin/
+
+Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
+with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
+groups).
+
+The user B<pete> is allowed to change anyone's password except for
+root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
+does not take multiple user names on the command line.
+
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
+
+The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
+as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
+
+ jim +biglab = ALL
+
+The user B<jim> may run any command on machines in the I<biglab> netgroup.
+B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
+
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+
+Users in the B<secretaries> netgroup need to help manage the printers
+as well as add and remove users, so they are allowed to run those
+commands on all machines.
+
+ fred ALL = (DB) NOPASSWD: ALL
+
+The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
+(B<oracle> or B<sybase>) without giving a password.
+
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
+On the I<ALPHA> machines, user B<john> may su to anyone except root
+but he is not allowed to specify any options to the L<su(1)> command.
+
+ jen ALL, !SERVERS = ALL
+
+The user B<jen> may run any command on any machine except for those
+in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
+
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
+
+For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
+any commands in the directory F</usr/bin/> except for those commands
+belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
+
+ steve CSNETS = (operator) /usr/local/op_commands/
+
+The user B<steve> may run any command in the directory /usr/local/op_commands/
+but only as user operator.
+
+ matt valkyrie = KILL
+
+On his personal workstation, valkyrie, B<matt> needs to be able to
+kill hung processes.
+
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+
+On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
+wendy, and wim), may run any command as user www (which owns the
+web pages) or simply L<su(1)> to www.
+
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+Any user may mount or unmount a CD-ROM on the machines in the CDROM
+C<Host_Alias> (orion, perseus, hercules) without entering a password.
+This is a bit tedious for users to type, so it is a prime candidate
+for encapsulating in a shell script.
+
+=head1 SECURITY NOTES
+
+=head2 Limitations of the '!' operator
+
+It is generally not effective to "subtract" commands from C<ALL>
+using the '!' operator. A user can trivially circumvent this
+by copying the desired command to a different name and then
+executing that. For example:
+
+ bill ALL = ALL, !SU, !SHELLS
+
+Doesn't really prevent B<bill> from running the commands listed in
+I<SU> or I<SHELLS> since he can simply copy those commands to a
+different name, or use a shell escape from an editor or other
+program. Therefore, these kind of restrictions should be considered
+advisory at best (and reinforced by policy).
+
+In general, if a user has sudo C<ALL> there is nothing to prevent
+them from creating their own program that gives them a root shell
+(or making their own copy of a shell) regardless of any '!' elements
+in the user specification.
+
+=head2 Security implications of I<fast_glob>
+
+If the I<fast_glob> option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+L<fnmatch(3)> function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+
+For example, given the following I<sudoers> entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
+enabled by changing to F</usr/bin> and running C<./passwd root> instead.
+
+=head2 Preventing Shell Escapes
+
+Once B<sudo> executes a program, that program is free to do whatever
+it pleases, including run other programs. This can be a security
+issue since it is not uncommon for a program to allow shell escapes,
+which lets a user bypass B<sudo>'s access control and logging.
+Common programs that permit shell escapes include shells (obviously),
+editors, paginators, mail and terminal programs.
+
+There are two basic approaches to this problem:
+
+=over 10
+
+=item restrict
+
+Avoid giving users access to commands that allow the user to run
+arbitrary commands. Many editors have a restricted mode where shell
+escapes are disabled, though B<sudoedit> is a better solution to
+running editors via B<sudo>. Due to the large number of programs that
+offer shell escapes, restricting users to the set of programs that
+do not is often unworkable.
+
+=item noexec
+
+Many systems that support shared libraries have the ability to
+override default library functions by pointing an environment
+variable (usually C<LD_PRELOAD>) to an alternate shared library.
+On such systems, B<sudo>'s I<noexec> functionality can be used to
+prevent a program run by B<sudo> from executing any other programs.
+Note, however, that this applies only to native dynamically-linked
+executables. Statically-linked executables and foreign executables
+running under binary emulation are not affected.
+
+The I<noexec> feature is known to work on SunOS, Solaris, *BSD,
+Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
+It should be supported on most operating systems that support the
+C<LD_PRELOAD> environment variable. Check your operating system's
+manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
+dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
+
+On Solaris 10 and higher, I<noexec> uses Solaris privileges instead
+of the C<LD_PRELOAD> environment variable.
+
+To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
+in the User Specification section above. Here is that example again:
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
+with I<noexec> enabled. This will prevent those two commands from
+executing other commands (such as a shell). If you are unsure
+whether or not your system is capable of supporting I<noexec> you
+can always just try it out and check whether shell escapes work
+when I<noexec> is enabled.
+
+=back
+
+Note that restricting shell escapes is not a panacea. Programs
+running as root are still capable of many potentially hazardous
+operations (such as changing or overwriting files) that could lead
+to unintended privilege escalation. In the specific case of an
+editor, a safer approach is to give the user permission to run
+B<sudoedit>.
+
+=head2 Time stamp file checks
+
+I<sudoers> will check the ownership of its time stamp directory
+(F<@timedir@> by default) and ignore the directory's contents if
+it is not owned by root or if it is writable by a user other than
+root. On systems that allow non-root users to give away files via
+L<chown(2)>, if the time stamp directory is located in a world-writable
+directory (e.g., F</tmp>), it is possible for a user to create the
+time stamp directory before B<sudo> is run. However, because
+I<sudoers> checks the ownership and mode of the directory and its
+contents, the only damage that can be done is to "hide" files by
+putting them in the time stamp dir. This is unlikely to happen
+since once the time stamp dir is owned by root and inaccessible by
+any other user, the user placing files there would be unable to get
+them back out.
+
+I<sudoers> will not honor time stamps set far in the future. Time
+stamps with a date greater than current_time + 2 * C<TIMEOUT> will
+be ignored and sudo will log and complain. This is done to keep a
+user from creating his/her own time stamp with a bogus date on
+systems that allow users to give away files if the time stamp directory
+is located in a world-writable directory.
+
+On systems where the boot time is available, I<sudoers> will ignore
+time stamps that date from before the machine booted.
+
+Since time stamp files live in the file system, they can outlive a
+user's login session. As a result, a user may be able to login,
+run a command with B<sudo> after authenticating, logout, login
+again, and run B<sudo> without authenticating so long as the time
+stamp file's modification time is within C<@timeout@> minutes (or
+whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
+option is enabled, the time stamp has per-tty granularity but still
+may outlive the user's session. On Linux systems where the devpts
+filesystem is used, Solaris systems with the devices filesystem,
+as well as other systems that utilize a devfs filesystem that
+monotonically increase the inode number of devices as they are
+created (such as Mac OS X), I<sudoers> is able to determine when a
+tty-based time stamp file is stale and will ignore it. Administrators
+should not rely on this feature as it is not universally available.
+
+=head1 SEE ALSO
+
+L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<mktemp(3)>, L<strftime(3)>,
+L<sudoers.ldap(5)>, L<sudo_plugin(8)>, L<sudo(8)>, L<visudo(8)>
+
+=head1 CAVEATS
+
+The I<sudoers> file should B<always> be edited by the B<visudo>
+command which locks the file and does grammatical checking. It is
+imperative that I<sudoers> be free of syntax errors since B<sudo>
+will not run with a syntactically incorrect I<sudoers> file.
+
+When using netgroups of machines (as opposed to users), if you
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
+as returned by the C<hostname> command or use the I<fqdn> option in
+I<sudoers>.
+
+=head1 BUGS
+
+If you feel you have found a bug in B<sudo>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
+
+B<sudo> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.
projects / debian / sudo / blobdiff