-=cut
Copyright (c) 1994-1996, 1998-2005, 2007
Todd C. Miller <Todd.Miller@courtesan.com>
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudoers.pod,v 1.95.2.20 2007/08/27 19:52:28 millert Exp $
+$Sudo: sudoers.pod,v 1.95.2.26 2008/02/19 18:13:17 millert Exp $
=pod
=head1 NAME
environment variables set on the command line way are not subject
to the restrictions imposed by I<env_check>, I<env_delete>, or
I<env_keep>. As such, only trusted users should be allowed to set
-variables in this manner.
+variables in this manner. If the command matched is B<ALL>, the
+C<SETENV> tag is implied for that command; this default may
+be overridden by use of the C<UNSETENV> tag.
=head2 Wildcards
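Review bot: the added sentence makes C<SETENV> implicit for every rule whose command is B<ALL>, but the paragraph it extends has just said that variables set on the command line bypass I<env_check>, I<env_delete> and I<env_keep> and that only trusted users should be allowed to do this. Spell out the consequence for existing configurations, e.g. "Existing rules granting B<ALL> therefore allow arbitrary environment variables to be set unless the C<UNSETENV> tag is added", so that administrators know to audit their B<ALL> rules when upgrading.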
=over 16
-=item always_set_home
+=item mail_badpass
-If set, B<sudo> will set the C<HOME> environment variable to the home
-directory of the target user (which is root unless the B<-u> option is used).
-This effectively means that the B<-H> flag is always implied.
-This flag is I<off> by default.
+Send mail to the I<mailto> user if the user running B<sudo> does not
+enter the correct password. This flag is I<off> by default.
+
+=item mail_no_host
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user exists in the I<sudoers> file, but is not allowed to run
+commands on the current host. This flag is I<@mail_no_host@> by default.
+
+=item mail_no_perms
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is allowed to use B<sudo> but the command they are trying is not
+listed in their I<sudoers> file entry or is explicitly denied.
+This flag is I<@mail_no_perms@> by default.
+
+=item mail_no_user
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
+by default.
+
+=item noexec
+
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
+tag has been set, unless overridden by a C<EXEC> tag. See the
+description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
+ESCAPES> section at the end of this manual. This flag is I<off> by default.
=item authenticate
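Review bot: the I<always_set_home> entry is deleted and its place taken by the new I<mail_badpass>, I<mail_no_host>, I<mail_no_perms>, I<mail_no_user> and I<noexec> items, with no relocated copy visible in this change; confirm the flag is still documented elsewhere, otherwise restore the removed paragraph. The new items also land ahead of C<=item authenticate>, which breaks the alphabetical ordering the flags list otherwise follows. Minor: in the I<noexec> text, "unless overridden by a C<EXEC> tag" should read "an C<EXEC> tag".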
I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
-which may make affect B<sudo> performance if DNS stops working (for example
-if the machine is not plugged into the network). The default behavior for
-Debian has been modified to minimize the potential of a problem, but there
-may still be some cases in which lack of working DNS might make sudo work
-very slowly. Also note that
+which may make B<sudo> unusable if DNS stops working (for example
+if the machine is not plugged into the network). Also note that
you must use the host's official name as DNS knows it. That is,
you may not use a host alias (C<CNAME> entry) due to performance
issues and the fact that there is no way to get all aliases from
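Review bot: this removes the sentence stating that the default behaviour "for Debian has been modified to minimize the potential of a problem" and restores the stronger wording that lack of DNS "may make B<sudo> unusable". If the fallback behaviour that sentence described is still present in the code, the documentation now overstates the failure mode; if the fallback was dropped, the changelog should say so, since administrators who enabled I<fqdn> relying on it are affected. Keep the sentence or confirm the corresponding code change.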
=item ignore_local_sudoers
-If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
+If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only LDAP is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
-When this option is present, @sysconfdir@/sudoers does not even need to exist.
-Since this option tells B<sudo> how to behave when no specific LDAP entries
-have been matched, this sudoOption is only meaningful for the cn=defaults
-section. This flag is I<off> by default.
+rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
+When this option is present, F<@sysconfdir@/sudoers> does not even need to
+exist. Since this option tells B<sudo> how to behave when no specific LDAP
+entries have been matched, this sudoOption is only meaningful for the
+C<cn=defaults> section. This flag is I<off> by default.
=item insults
allowed to run it, which can be confusing. This flag is I<@path_info@>
by default.
+=item passprompt_override
+
+The password prompt specified by I<passprompt> will normally only
+be used if the passwod prompt provided by systems such as PAM matches
+the string "Password:". If I<passprompt_override> is set, I<passprompt>
+will always be used. This flag is I<off> by default.
+
=item preserve_groups
By default B<sudo> will initialize the group vector to the list of
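Review bot: typo in the new I<passprompt_override> paragraph, "passwod prompt" should be "password prompt". It would also help to state whether the comparison against the string "Password:" is exact or case-insensitive, since that decides when I<passprompt> silently fails to apply without this flag.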
expanded to the local hostname without the domain name
+=item C<%p>
+
+expanded to the user whose password is being asked for (respects the
+I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
+
=item C<%U>
expanded to the login name of the user the command will
The default value is C<@passprompt@>.
+=item role
+
+The default SELinux role to use when constructing a new security
+context to run the command. The default role may be overridden on
+a per-command basis in I<sudoers> or via command line options.
+This option is only available whe B<sudo> is built with SELinux support.
+
=item runas_default
The default user to run commands as if the B<-u> flag is not specified
The owner of the timestamp directory and the timestamps stored therein.
The default is C<root>.
+=item type
+
+The default SELinux type to use when constructing a new security
+context to run the command. The default type may be overridden on
+a per-command basis in I<sudoers> or via command line options.
+This option is only available whe B<sudo> is built with SELinux support.
+
=back
B<Strings that can be used in a boolean context>:
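Review bot: both new SELinux items, I<role> and I<type>, contain the same typo, "only available whe B<sudo> is built" should be "only available when B<sudo> is built". Since the two descriptions are otherwise word-for-word identical apart from role/type, consider naming the command line options that override them (the text says "via command line options" without saying which) so the reader can find them.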
=item env_check
-Like I<env_keep>, but listed environment variables are taken from the user's environment if
-the variable's value does B<not> contain C<%> or C</> characters. This can
+Environment variables to be removed from the user's environment if
+the variable's value contains C<%> or C</> characters. This can
be used to guard against printf-style format vulnerabilities in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
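Review bot: the rewording of I<env_check> drops the information carried by the removed "Like I<env_keep>" phrasing, namely that a checked variable is taken from the user's environment when its value is clean. The new text only says what is removed, so a reader running with I<env_reset> can no longer tell from this paragraph that a clean I<env_check> variable is preserved rather than dropped along with everything not in I<env_keep>. Suggest keeping a sentence such as "Variables whose values pass the check are preserved as if listed in I<env_keep>".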
=head1 FILES
-=over 4
+=over 24
+
+=item F<@sysconfdir@/sudoers>
-=item F<@sysconfdir@/sudoers>C< >
List of who can run what
-=item F</etc/group>C< >
+=item F</etc/group>
+
Local groups file
-=item F</etc/netgroup>C< >
+=item F</etc/netgroup>
+
List of network groups
=back
the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications
come first, followed by any C<Default_Entry> lines, and finally the
C<Runas_Alias> and user specifications. The basic rule of thumb
-is that you cannot reference an Alias that has not already been defined.
+is you cannot reference an Alias that has not already been defined.
+
+Below are example I<sudoers> entries. Admittedly, some of
+these are a bit contrived. First, we define our I<aliases>:
Below are example I<sudoers> entries. Admittedly, some of
these are a bit contrived. First, we allow a few environment
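Review bot: the added paragraph "Below are example I<sudoers> entries. Admittedly, some of these are a bit contrived. First, we define our I<aliases>:" duplicates the unchanged paragraph that follows it, which opens with the same two sentences and continues "First, we allow a few environment"; after this change the introduction appears twice with conflicting lead-ins, so one of the two must go. Also, changing "The basic rule of thumb is that you cannot reference" to "is you cannot reference" removes the conjunction for no gain; keep "that".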