1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
|
static struct def_values def_data_lecture[] = {
{ "never", never },
{ "once", once },
{ "always", always },
{ NULL, 0 },
};
static struct def_values def_data_listpw[] = {
{ "never", never },
{ "any", any },
{ "all", all },
{ "always", always },
{ NULL, 0 },
};
static struct def_values def_data_verifypw[] = {
{ "never", never },
{ "all", all },
{ "any", any },
{ "always", always },
{ NULL, 0 },
};
struct sudo_defs_types sudo_defs_table[] = {
{
"syslog", T_LOGFAC|T_BOOL,
"Syslog facility if syslog is being used for logging: %s",
NULL,
}, {
"syslog_goodpri", T_LOGPRI,
"Syslog priority to use when user authenticates successfully: %s",
NULL,
}, {
"syslog_badpri", T_LOGPRI,
"Syslog priority to use when user authenticates unsuccessfully: %s",
NULL,
}, {
"long_otp_prompt", T_FLAG,
"Put OTP prompt on its own line",
NULL,
}, {
"ignore_dot", T_FLAG,
"Ignore '.' in $PATH",
NULL,
}, {
"mail_always", T_FLAG,
"Always send mail when sudo is run",
NULL,
}, {
"mail_badpass", T_FLAG,
"Send mail if user authentication fails",
NULL,
}, {
"mail_no_user", T_FLAG,
"Send mail if the user is not in sudoers",
NULL,
}, {
"mail_no_host", T_FLAG,
"Send mail if the user is not in sudoers for this host",
NULL,
}, {
"mail_no_perms", T_FLAG,
"Send mail if the user is not allowed to run a command",
NULL,
}, {
"tty_tickets", T_FLAG,
"Use a separate timestamp for each user/tty combo",
NULL,
}, {
"lecture", T_TUPLE|T_BOOL,
"Lecture user the first time they run sudo",
def_data_lecture,
}, {
"lecture_file", T_STR|T_PATH|T_BOOL,
"File containing the sudo lecture: %s",
NULL,
}, {
"authenticate", T_FLAG,
"Require users to authenticate by default",
NULL,
}, {
"root_sudo", T_FLAG,
"Root may run sudo",
NULL,
}, {
"log_host", T_FLAG,
"Log the hostname in the (non-syslog) log file",
NULL,
}, {
"log_year", T_FLAG,
"Log the year in the (non-syslog) log file",
NULL,
}, {
"shell_noargs", T_FLAG,
"If sudo is invoked with no arguments, start a shell",
NULL,
}, {
"set_home", T_FLAG,
"Set $HOME to the target user when starting a shell with -s",
NULL,
}, {
"always_set_home", T_FLAG,
"Always set $HOME to the target user's home directory",
NULL,
}, {
"path_info", T_FLAG,
"Allow some information gathering to give useful error messages",
NULL,
}, {
"fqdn", T_FLAG,
"Require fully-qualified hostnames in the sudoers file",
NULL,
}, {
"insults", T_FLAG,
"Insult the user when they enter an incorrect password",
NULL,
}, {
"requiretty", T_FLAG,
"Only allow the user to run sudo if they have a tty",
NULL,
}, {
"env_editor", T_FLAG,
"Visudo will honor the EDITOR environment variable",
NULL,
}, {
"rootpw", T_FLAG,
"Prompt for root's password, not the users's",
NULL,
}, {
"runaspw", T_FLAG,
"Prompt for the runas_default user's password, not the users's",
NULL,
}, {
"targetpw", T_FLAG,
"Prompt for the target user's password, not the users's",
NULL,
}, {
"use_loginclass", T_FLAG,
"Apply defaults in the target user's login class if there is one",
NULL,
}, {
"set_logname", T_FLAG,
"Set the LOGNAME and USER environment variables",
NULL,
}, {
"stay_setuid", T_FLAG,
"Only set the effective uid to the target user, not the real uid",
NULL,
}, {
"preserve_groups", T_FLAG,
"Don't initialize the group vector to that of the target user",
NULL,
}, {
"loglinelen", T_UINT|T_BOOL,
"Length at which to wrap log file lines (0 for no wrap): %d",
NULL,
}, {
"timestamp_timeout", T_INT|T_BOOL,
"Authentication timestamp timeout: %d minutes",
NULL,
}, {
"passwd_timeout", T_UINT|T_BOOL,
"Password prompt timeout: %d minutes",
NULL,
}, {
"passwd_tries", T_UINT,
"Number of tries to enter a password: %d",
NULL,
}, {
"umask", T_MODE|T_BOOL,
"Umask to use or 0777 to use user's: 0%o",
NULL,
}, {
"logfile", T_STR|T_BOOL|T_PATH,
"Path to log file: %s",
NULL,
}, {
"mailerpath", T_STR|T_BOOL|T_PATH,
"Path to mail program: %s",
NULL,
}, {
"mailerflags", T_STR|T_BOOL,
"Flags for mail program: %s",
NULL,
}, {
"mailto", T_STR|T_BOOL,
"Address to send mail to: %s",
NULL,
}, {
"mailfrom", T_STR|T_BOOL,
"Address to send mail from: %s",
NULL,
}, {
"mailsub", T_STR,
"Subject line for mail messages: %s",
NULL,
}, {
"badpass_message", T_STR,
"Incorrect password message: %s",
NULL,
}, {
"timestampdir", T_STR|T_PATH,
"Path to authentication timestamp dir: %s",
NULL,
}, {
"timestampowner", T_STR,
"Owner of the authentication timestamp dir: %s",
NULL,
}, {
"exempt_group", T_STR|T_BOOL,
"Users in this group are exempt from password and PATH requirements: %s",
NULL,
}, {
"passprompt", T_STR,
"Default password prompt: %s",
NULL,
}, {
"passprompt_override", T_FLAG,
"If set, passprompt will override system prompt in all cases.",
NULL,
}, {
"runas_default", T_STR,
"Default user to run commands as: %s",
NULL,
}, {
"secure_path", T_STR|T_BOOL,
"Value to override user's $PATH with: %s",
NULL,
}, {
"editor", T_STR|T_PATH,
"Path to the editor for use by visudo: %s",
NULL,
}, {
"listpw", T_TUPLE|T_BOOL,
"When to require a password for 'list' pseudocommand: %s",
def_data_listpw,
}, {
"verifypw", T_TUPLE|T_BOOL,
"When to require a password for 'verify' pseudocommand: %s",
def_data_verifypw,
}, {
"noexec", T_FLAG,
"Preload the dummy exec functions contained in 'noexec_file'",
NULL,
}, {
"noexec_file", T_STR|T_PATH,
"File containing dummy exec functions: %s",
NULL,
}, {
"ignore_local_sudoers", T_FLAG,
"If LDAP directory is up, do we ignore local sudoers file",
NULL,
}, {
"closefrom", T_INT,
"File descriptors >= %d will be closed before executing a command",
NULL,
}, {
"closefrom_override", T_FLAG,
"If set, users may override the value of `closefrom' with the -C option",
NULL,
}, {
"setenv", T_FLAG,
"Allow users to set arbitrary environment variables",
NULL,
}, {
"env_reset", T_FLAG,
"Reset the environment to a default set of variables",
NULL,
}, {
"env_check", T_LIST|T_BOOL,
"Environment variables to check for sanity:",
NULL,
}, {
"env_delete", T_LIST|T_BOOL,
"Environment variables to remove:",
NULL,
}, {
"env_keep", T_LIST|T_BOOL,
"Environment variables to preserve:",
NULL,
}, {
"role", T_STR,
"SELinux role to use in the new security context: %s",
NULL,
}, {
"type", T_STR,
"SELinux type to use in the new security context: %s",
NULL,
}, {
"askpass", T_STR|T_PATH|T_BOOL,
"Path to the askpass helper program: %s",
NULL,
}, {
"env_file", T_STR|T_PATH|T_BOOL,
"Path to the sudo-specific environment file: %s",
NULL,
}, {
"sudoers_locale", T_STR,
"Locale to use while parsing sudoers: %s",
NULL,
}, {
"visiblepw", T_FLAG,
"Allow sudo to prompt for a password even if it would be visisble",
NULL,
}, {
NULL, 0, NULL
}
};
|