.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudoers.man.in,v 1.45.2.15 2007/10/09 13:30:47 millert Exp $
+.\" $Sudo: sudoers.man.in,v 1.45.2.27 2008/03/23 19:43:51 millert Exp $
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "October 9, 2007" "1.6.9p6" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "March 23, 2008" "1.6.9p15" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
environment variables set on the command line way are not subject
to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
-variables in this manner.
+variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
+\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
+be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
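Review bot: The sentence appended to the SETENV paragraph names an UNSETENV tag, but no visible hunk touches the tag grammar, so please confirm this is the spelling the parser accepts before it ships in the manual. The behaviour it documents is also security-relevant: any rule matching ALL now implies SETENV, and the context lines just above say such variables bypass env_check, env_delete and env_keep. That deserves its own sentence aimed at administrators with existing ALL rules, along with a one-line sudoers entry showing the opt-out tag in use.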
of \fBsudo\fR).
.IP "ignore_local_sudoers" 16
.IX Item "ignore_local_sudoers"
-If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
+If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
-When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
-Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries
-have been matched, this sudoOption is only meaningful for the cn=defaults
-section. This flag is \fIoff\fR by default.
+rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
+When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
+exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
+entries have been matched, this sudoOption is only meaningful for the
+\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
.IP "insults" 16
.IX Item "insults"
If set, \fBsudo\fR will insult users when they enter an incorrect
the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
by default.
+.IP "passprompt_override" 16
+.IX Item "passprompt_override"
+The password prompt specified by \fIpassprompt\fR will normally only
+be used if the passwod prompt provided by systems such as \s-1PAM\s0 matches
+the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
+will always be used. This flag is \fIoff\fR by default.
.IP "preserve_groups" 16
.IX Item "preserve_groups"
By default \fBsudo\fR will initialize the group vector to the list of
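Review bot: Typo in the second added line of the passprompt_override entry: "passwod prompt" should be "password prompt". The entry could also say what happens when the underlying system asks for something other than a password, since with this flag set the text states passprompt "will always be used" and would replace that prompt too.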
the user running it. With this flag enabled, \fBsudo\fR will use a
file named for the tty the user is logged in on in that directory.
This flag is \fI@tty_tickets@\fR by default.
-.IP "use_loginclass" 16
-.IX Item "use_loginclass"
-If set, \fBsudo\fR will apply the defaults specified for the target user's
-login class if one exists. Only available if \fBsudo\fR is configured with
-the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+@LCMAN@.IP "use_loginclass" 16
+@LCMAN@.IX Item "use_loginclass"
+@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
+@LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with
+@LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default.
.PP
\&\fBIntegers\fR:
.IP "passwd_tries" 16
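Review bot: The @LCMAN@ prefix on the five use_loginclass lines is applied to a file whose header says "Automatically generated by Pod::Man", so regenerating from the pod source will drop it unless the generation step re-adds the marker. Please make the change where the file is generated, or note in the build how the prefix is restored, and confirm that configure substitutes @LCMAN@ with either nothing or a roff comment so that no literal marker reaches the installed page.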
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
expanded to the local hostname without the domain name
+.ie n .IP "%p" 4
+.el .IP "\f(CW%p\fR" 4
+.IX Item "%p"
+expanded to the user whose password is being asked for (respects the
+\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
.ie n .IP "%U" 4
.el .IP "\f(CW%U\fR" 4
.IX Item "%U"
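Review bot: The %p description lists the flags it respects (rootpw, targetpw, runaspw) but does not say what it expands to when none of them is set. Add the default case in the same sentence so the escape can be used without reading the code.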
.Sp
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
.RE
+@SEMAN@.IP "role" 16
+@SEMAN@.IX Item "role"
+@SEMAN@The default SELinux role to use when constructing a new security
+@SEMAN@context to run the command. The default role may be overridden on
+@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
+@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.IP "runas_default" 16
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR flag is not specified
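Review bot: Typo in the last added line of the role entry: "only available whe \fBsudo\fR is built" should read "when". The same @SEMAN@ concern applies as for any configure-substituted prefix in a generated file: the marker needs to be produced by the generation step, not only patched in here.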
.IX Item "timestampowner"
The owner of the timestamp directory and the timestamps stored therein.
The default is \f(CW\*(C`root\*(C'\fR.
+@SEMAN@.IP "type" 16
+@SEMAN@.IX Item "type"
+@SEMAN@The default SELinux type to use when constructing a new security
+@SEMAN@context to run the command. The default type may be overridden on
+@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
+@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.PP
\&\fBStrings that can be used in a boolean context\fR:
.IP "exempt_group" 12
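Review bot: The type entry repeats the "whe" typo ("only available whe \fBsudo\fR is built"); fix it to "when". Both this entry and role say the default may be overridden "via command line options" without naming them. Name the options or cross-reference the sudo manual so the reader knows where to look.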
\&\fBnotice\fR, and \fBwarning\fR.
.SH "FILES"
.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C' List of who can run what" 4
-.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fR List of who can run what" 4
-.IX Item "@sysconfdir@/sudoers List of who can run what"
-.PD 0
-.ie n .IP "\fI/etc/group\fR\*(C` \*(C' Local groups file" 4
-.el .IP "\fI/etc/group\fR\f(CW\*(C` \*(C'\fR Local groups file" 4
-.IX Item "/etc/group Local groups file"
-.ie n .IP "\fI/etc/netgroup\fR\*(C` \*(C' List of network groups" 4
-.el .IP "\fI/etc/netgroup\fR\f(CW\*(C` \*(C'\fR List of network groups" 4
-.IX Item "/etc/netgroup List of network groups"
-.PD
+.IP "\fI@sysconfdir@/sudoers\fR" 24
+.IX Item "@sysconfdir@/sudoers"
+List of who can run what
+.IP "\fI/etc/group\fR" 24
+.IX Item "/etc/group"
+Local groups file
+.IP "\fI/etc/netgroup\fR" 24
+.IX Item "/etc/netgroup"
+List of network groups
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Since the \fIsudoers\fR file is parsed in a single pass, order is
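Review bot: The rewritten FILES list drops the ".PD 0" / ".PD" pair that kept the three entries compact, so each entry will now be separated by normal paragraph spacing. If that is intended, fine; otherwise keep the pair around the new .IP items. Also check that the fixed tag width of 24 still fits @sysconfdir@/sudoers once the path is substituted, since a longer prefix would push the description onto its own line.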