-=cut
Copyright (c) 1994-1996, 1998-2005, 2007
Todd C. Miller <Todd.Miller@courtesan.com>
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudoers.pod,v 1.95.2.20 2007/08/27 19:52:28 millert Exp $
+$Sudo: sudoers.pod,v 1.95.2.26 2008/02/19 18:13:17 millert Exp $
=pod
=head1 NAME
environment variables set on the command line way are not subject
to the restrictions imposed by I<env_check>, I<env_delete>, or
I<env_keep>. As such, only trusted users should be allowed to set
-variables in this manner.
+variables in this manner. If the command matched is B<ALL>, the
+C<SETENV> tag is implied for that command; this default may
+be overridden by use of the C<UNSETENV> tag.
=head2 Wildcards
=item ignore_local_sudoers
-If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
+If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only LDAP is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
-When this option is present, @sysconfdir@/sudoers does not even need to exist.
-Since this option tells B<sudo> how to behave when no specific LDAP entries
-have been matched, this sudoOption is only meaningful for the cn=defaults
-section. This flag is I<off> by default.
+rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
+When this option is present, F<@sysconfdir@/sudoers> does not even need to
+exist. Since this option tells B<sudo> how to behave when no specific LDAP
+entries have been matched, this sudoOption is only meaningful for the
+C<cn=defaults> section. This flag is I<off> by default.
=item insults
allowed to run it, which can be confusing. This flag is I<@path_info@>
by default.
+=item passprompt_override
+
+The password prompt specified by I<passprompt> will normally only
+be used if the passwod prompt provided by systems such as PAM matches
+the string "Password:". If I<passprompt_override> is set, I<passprompt>
+will always be used. This flag is I<off> by default.
+
=item preserve_groups
By default B<sudo> will initialize the group vector to the list of
expanded to the local hostname without the domain name
+=item C<%p>
+
+expanded to the user whose password is being asked for (respects the
+I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
+
=item C<%U>
expanded to the login name of the user the command will
The default value is C<@passprompt@>.
+=item role
+
+The default SELinux role to use when constructing a new security
+context to run the command. The default role may be overridden on
+a per-command basis in I<sudoers> or via command line options.
+This option is only available whe B<sudo> is built with SELinux support.
+
=item runas_default
The default user to run commands as if the B<-u> flag is not specified
The owner of the timestamp directory and the timestamps stored therein.
The default is C<root>.
+=item type
+
+The default SELinux type to use when constructing a new security
+context to run the command. The default type may be overridden on
+a per-command basis in I<sudoers> or via command line options.
+This option is only available whe B<sudo> is built with SELinux support.
+
=back
B<Strings that can be used in a boolean context>:
=head1 FILES
-=over 4
+=over 24
+
+=item F<@sysconfdir@/sudoers>
-=item F<@sysconfdir@/sudoers>C< >
List of who can run what
-=item F</etc/group>C< >
+=item F</etc/group>
+
Local groups file
-=item F</etc/netgroup>C< >
+=item F</etc/netgroup>
+
List of network groups
=back