Diffstat (limited to 'plugins/sudoers/def_data.in')
-rw-r--r--plugins/sudoers/def_data.in502
1 files changed, 502 insertions, 0 deletions
diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
new file mode 100644
index 0000000..4d627e6
--- /dev/null
+++ b/plugins/sudoers/def_data.in
@@ -0,0 +1,502 @@
+#
+# Format:
+#
+# var_name
+# TYPE
+# description (or NULL)
+# array of struct def_values if TYPE == T_TUPLE
+#
+# NOTE: for tuples that can be used in a boolean context the first
+# value corresponds to boolean FALSE and the second to TRUE.
+#
+
+syslog
+ T_LOGFAC|T_BOOL
+ "Syslog facility if syslog is being used for logging: %s"
+syslog_goodpri
+ T_LOGPRI|T_BOOL
+ "Syslog priority to use when user authenticates successfully: %s"
+syslog_badpri
+ T_LOGPRI|T_BOOL
+ "Syslog priority to use when user authenticates unsuccessfully: %s"
+long_otp_prompt
+ T_FLAG
+ "Put OTP prompt on its own line"
+ignore_dot
+ T_FLAG
+ "Ignore '.' in $PATH"
+mail_always
+ T_FLAG
+ "Always send mail when sudo is run"
+mail_badpass
+ T_FLAG
+ "Send mail if user authentication fails"
+mail_no_user
+ T_FLAG
+ "Send mail if the user is not in sudoers"
+mail_no_host
+ T_FLAG
+ "Send mail if the user is not in sudoers for this host"
+mail_no_perms
+ T_FLAG
+ "Send mail if the user is not allowed to run a command"
+mail_all_cmnds
+ T_FLAG
+ "Send mail if the user tries to run a command"
+tty_tickets
+ T_FLAG
+ "Use a separate timestamp for each user/tty combo"
+lecture
+ T_TUPLE|T_BOOL
+ "Lecture user the first time they run sudo"
+ never once always
+lecture_file
+ T_STR|T_PATH|T_BOOL
+ "File containing the sudo lecture: %s"
+authenticate
+ T_FLAG
+ "Require users to authenticate by default"
+root_sudo
+ T_FLAG
+ "Root may run sudo"
+log_host
+ T_FLAG
+ "Log the hostname in the (non-syslog) log file"
+log_year
+ T_FLAG
+ "Log the year in the (non-syslog) log file"
+shell_noargs
+ T_FLAG
+ "If sudo is invoked with no arguments, start a shell"
+set_home
+ T_FLAG
+ "Set $HOME to the target user when starting a shell with -s"
+always_set_home
+ T_FLAG
+ "Always set $HOME to the target user's home directory"
+path_info
+ T_FLAG
+ "Allow some information gathering to give useful error messages"
+fqdn
+ T_FLAG
+ "Require fully-qualified hostnames in the sudoers file"
+insults
+ T_FLAG
+ "Insult the user when they enter an incorrect password"
+requiretty
+ T_FLAG
+ "Only allow the user to run sudo if they have a tty"
+env_editor
+ T_FLAG
+ "Visudo will honor the EDITOR environment variable"
+rootpw
+ T_FLAG
+ "Prompt for root's password, not the users's"
+runaspw
+ T_FLAG
+ "Prompt for the runas_default user's password, not the users's"
+targetpw
+ T_FLAG
+ "Prompt for the target user's password, not the users's"
+use_loginclass
+ T_FLAG
+ "Apply defaults in the target user's login class if there is one"
+set_logname
+ T_FLAG
+ "Set the LOGNAME and USER environment variables"
+stay_setuid
+ T_FLAG
+ "Only set the effective uid to the target user, not the real uid"
+preserve_groups
+ T_FLAG
+ "Don't initialize the group vector to that of the target user"
+loglinelen
+ T_UINT|T_BOOL
+ "Length at which to wrap log file lines (0 for no wrap): %u"
+timestamp_timeout
+ T_TIMESPEC|T_BOOL
+ "Authentication timestamp timeout: %.1f minutes"
+passwd_timeout
+ T_TIMESPEC|T_BOOL
+ "Password prompt timeout: %.1f minutes"
+passwd_tries
+ T_UINT
+ "Number of tries to enter a password: %u"
+umask
+ T_MODE|T_BOOL
+ "Umask to use or 0777 to use user's: 0%o"
+logfile
+ T_STR|T_BOOL|T_PATH
+ "Path to log file: %s"
+mailerpath
+ T_STR|T_BOOL|T_PATH
+ "Path to mail program: %s"
+mailerflags
+ T_STR|T_BOOL
+ "Flags for mail program: %s"
+mailto
+ T_STR|T_BOOL
+ "Address to send mail to: %s"
+mailfrom
+ T_STR|T_BOOL
+ "Address to send mail from: %s"
+mailsub
+ T_STR
+ "Subject line for mail messages: %s"
+badpass_message
+ T_STR
+ "Incorrect password message: %s"
+lecture_status_dir
+ T_STR|T_PATH
+ "Path to lecture status dir: %s"
+timestampdir
+ T_STR|T_PATH
+ "Path to authentication timestamp dir: %s"
+timestampowner
+ T_STR
+ "Owner of the authentication timestamp dir: %s"
+exempt_group
+ T_STR|T_BOOL
+ "Users in this group are exempt from password and PATH requirements: %s"
+passprompt
+ T_STR
+ "Default password prompt: %s"
+passprompt_override
+ T_FLAG
+ "If set, passprompt will override system prompt in all cases."
+runas_default
+ T_STR
+ "Default user to run commands as: %s"
+secure_path
+ T_STR|T_BOOL
+ "Value to override user's $PATH with: %s"
+editor
+ T_STR|T_PATH
+ "Path to the editor for use by visudo: %s"
+listpw
+ T_TUPLE|T_BOOL
+ "When to require a password for 'list' pseudocommand: %s"
+ never any all always
+verifypw
+ T_TUPLE|T_BOOL
+ "When to require a password for 'verify' pseudocommand: %s"
+ never all any always
+noexec
+ T_FLAG
+ "Preload the sudo_noexec library which replaces the exec functions"
+ignore_local_sudoers
+ T_FLAG
+ "If LDAP directory is up, do we ignore local sudoers file"
+closefrom
+ T_INT
+ "File descriptors >= %d will be closed before executing a command"
+closefrom_override
+ T_FLAG
+ "If set, users may override the value of "closefrom" with the -C option"
+setenv
+ T_FLAG
+ "Allow users to set arbitrary environment variables"
+env_reset
+ T_FLAG
+ "Reset the environment to a default set of variables"
+env_check
+ T_LIST|T_BOOL
+ "Environment variables to check for safety:"
+env_delete
+ T_LIST|T_BOOL
+ "Environment variables to remove:"
+env_keep
+ T_LIST|T_BOOL
+ "Environment variables to preserve:"
+role
+ T_STR
+ "SELinux role to use in the new security context: %s"
+type
+ T_STR
+ "SELinux type to use in the new security context: %s"
+env_file
+ T_STR|T_PATH|T_BOOL
+ "Path to the sudo-specific environment file: %s"
+restricted_env_file
+ T_STR|T_PATH|T_BOOL
+ "Path to the restricted sudo-specific environment file: %s"
+sudoers_locale
+ T_STR
+ "Locale to use while parsing sudoers: %s"
+visiblepw
+ T_FLAG
+ "Allow sudo to prompt for a password even if it would be visible"
+pwfeedback
+ T_FLAG
+ "Provide visual feedback at the password prompt when there is user input"
+fast_glob
+ T_FLAG
+ "Use faster globbing that is less accurate but does not access the filesystem"
+umask_override
+ T_FLAG
+ "The umask specified in sudoers will override the user's, even if it is more permissive"
+log_input
+ T_FLAG
+ "Log user's input for the command being run"
+log_stdin
+ T_FLAG
+ "Log the command's standard input if not connected to a terminal"
+log_ttyin
+ T_FLAG
+ "Log the user's terminal input for the command being run"
+log_output
+ T_FLAG
+ "Log the output of the command being run"
+log_stdout
+ T_FLAG
+ "Log the command's standard output if not connected to a terminal"
+log_stderr
+ T_FLAG
+ "Log the command's standard error if not connected to a terminal"
+log_ttyout
+ T_FLAG
+ "Log the terminal output of the command being run"
+compress_io
+ T_FLAG
+ "Compress I/O logs using zlib"
+use_pty
+ T_FLAG
+ "Always run commands in a pseudo-tty"
+group_plugin
+ T_STR
+ "Plugin for non-Unix group support: %s"
+iolog_dir
+ T_STR|T_PATH
+ "Directory in which to store input/output logs: %s"
+iolog_file
+ T_STR
+ "File in which to store the input/output log: %s"
+set_utmp
+ T_FLAG
+ "Add an entry to the utmp/utmpx file when allocating a pty"
+utmp_runas
+ T_FLAG
+ "Set the user in utmp to the runas user, not the invoking user"
+privs
+ T_STR
+ "Set of permitted privileges: %s"
+limitprivs
+ T_STR
+ "Set of limit privileges: %s"
+exec_background
+ T_FLAG
+ "Run commands on a pty in the background"
+pam_service
+ T_STR
+ "PAM service name to use: %s"
+pam_login_service
+ T_STR
+ "PAM service name to use for login shells: %s"
+pam_askpass_service
+ T_STR
+ "PAM service name to use when sudo is run with the -A option: %s"
+pam_setcred
+ T_FLAG
+ "Attempt to establish PAM credentials for the target user"
+pam_session
+ T_FLAG
+ "Create a new PAM session for the command to run in"
+pam_acct_mgmt
+ T_FLAG
+ "Perform PAM account validation management"
+maxseq
+ T_STR
+ "Maximum I/O log sequence number: %s"
+use_netgroups
+ T_FLAG
+ "Enable sudoers netgroup support"
+sudoedit_checkdir
+ T_FLAG
+ "Check parent directories for writability when editing files with sudoedit"
+sudoedit_follow
+ T_FLAG
+ "Follow symbolic links when editing files with sudoedit"
+always_query_group_plugin
+ T_FLAG
+ "Query the group plugin for unknown system groups"
+netgroup_tuple
+ T_FLAG
+ "Match netgroups based on the entire tuple: user, host and domain"
+ignore_audit_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the audit log"
+ignore_iolog_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the I/O log"
+ignore_logfile_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the log file"
+match_group_by_gid
+ T_FLAG
+ "Resolve groups in sudoers and match on the group ID, not the name"
+syslog_maxlen
+ T_UINT
+ "Log entries larger than this value will be split into multiple syslog messages: %u"
+iolog_user
+ T_STR|T_BOOL
+ "User that will own the I/O log files: %s"
+iolog_group
+ T_STR|T_BOOL
+ "Group that will own the I/O log files: %s"
+iolog_mode
+ T_MODE
+ "File mode to use for the I/O log files: 0%o"
+fdexec
+ T_TUPLE|T_BOOL
+ "Execute commands by file descriptor instead of by path: %s"
+ never digest_only always
+ignore_unknown_defaults
+ T_FLAG
+ "Ignore unknown Defaults entries in sudoers instead of producing a warning"
+command_timeout
+ T_TIMEOUT|T_BOOL
+ "Time in seconds after which the command will be terminated: %u"
+user_command_timeouts
+ T_FLAG
+ "Allow the user to specify a timeout on the command line"
+iolog_flush
+ T_FLAG
+ "Flush I/O log data to disk immediately instead of buffering it"
+syslog_pid
+ T_FLAG
+ "Include the process ID when logging via syslog"
+timestamp_type
+ T_TUPLE
+ "Type of authentication timestamp record: %s"
+ global ppid tty kernel
+authfail_message
+ T_STR
+ "Authentication failure message: %s"
+case_insensitive_user
+ T_FLAG
+ "Ignore case when matching user names"
+case_insensitive_group
+ T_FLAG
+ "Ignore case when matching group names"
+log_allowed
+ T_FLAG
+ "Log when a command is allowed by sudoers"
+log_denied
+ T_FLAG
+ "Log when a command is denied by sudoers"
+log_servers
+ T_LIST|T_BOOL
+ "Sudo log server(s) to connect to with optional port"
+log_server_timeout
+ T_TIMEOUT|T_BOOL
+ "Sudo log server timeout in seconds: %u"
+log_server_keepalive
+ T_FLAG
+ "Enable SO_KEEPALIVE socket option on the socket connected to the logserver"
+log_server_cabundle
+ T_STR|T_BOOL|T_PATH
+ "Path to the audit server's CA bundle file: %s"
+log_server_peer_cert
+ T_STR|T_BOOL|T_PATH
+ "Path to the sudoers certificate file: %s"
+log_server_peer_key
+ T_STR|T_BOOL|T_PATH
+ "Path to the sudoers private key file: %s"
+log_server_verify
+ T_FLAG
+ "Verify that the log server's certificate is valid"
+runas_allow_unknown_id
+ T_FLAG
+ "Allow the use of unknown runas user and/or group ID"
+runas_check_shell
+ T_FLAG
+ "Only permit running commands as a user with a valid shell"
+pam_ruser
+ T_FLAG
+ "Set the pam remote user to the user running sudo"
+pam_rhost
+ T_FLAG
+ "Set the pam remote host to the local host name"
+runcwd
+ T_STR|T_BOOL|T_CHPATH
+ "Working directory to change to before executing the command: %s"
+runchroot
+ T_STR|T_BOOL|T_CHPATH
+ "Root directory to change to before executing the command: %s"
+log_format
+ T_TUPLE
+ "The format of logs to produce: %s"
+ sudo json
+selinux
+ T_FLAG
+ "Enable SELinux RBAC support"
+admin_flag
+ T_STR|T_BOOL|T_CHPATH
+ "Path to the file that is created the first time sudo is run: %s"
+intercept
+ T_FLAG
+ "Intercept further commands and apply sudoers restrictions to them"
+log_subcmds
+ T_FLAG
+ "Log sub-commands run by the original command"
+log_exit_status
+ T_FLAG
+ "Log the exit status of commands"
+intercept_authenticate
+ T_FLAG
+ "Subsequent commands in an intercepted session must be authenticated"
+intercept_allow_setid
+ T_FLAG
+ "Allow an intercepted command to run set setuid or setgid programs"
+rlimit_as
+ T_RLIMIT|T_BOOL
+ "The maximum size to which the process's address space may grow (in bytes): %s"
+rlimit_core
+ T_RLIMIT|T_BOOL
+ "The largest size core dump file that may be created (in bytes): %s"
+rlimit_cpu
+ T_RLIMIT|T_BOOL
+ "The maximum amount of CPU time that the process may use (in seconds): %s"
+rlimit_data
+ T_RLIMIT|T_BOOL
+ "The maximum size of the data segment for the process (in bytes): %s"
+rlimit_fsize
+ T_RLIMIT|T_BOOL
+ "The largest size file that the process may create (in bytes): %s"
+rlimit_locks
+ T_RLIMIT|T_BOOL
+ "The maximum number of locks that the process may establish: %s"
+rlimit_memlock
+ T_RLIMIT|T_BOOL
+ "The maximum size that the process may lock in memory (in bytes): %s"
+rlimit_nofile
+ T_RLIMIT|T_BOOL
+ "The maximum number of files that the process may have open: %s"
+rlimit_nproc
+ T_RLIMIT|T_BOOL
+ "The maximum number of processes that the user may run simultaneously: %s"
+rlimit_rss
+ T_RLIMIT|T_BOOL
+ "The maximum size to which the process's resident set size may grow (in bytes): %s"
+rlimit_stack
+ T_RLIMIT|T_BOOL
+ "The maximum size to which the process's stack may grow (in bytes): %s"
+noninteractive_auth
+ T_FLAG
+ "Attempt authentication even when in non-interactive mode"
+log_passwords
+ T_FLAG
+ "Store plaintext passwords in I/O log input"
+passprompt_regex
+ T_LIST|T_SPACE|T_BOOL
+ "List of regular expressions to use when matching a password prompt"
+intercept_type
+ T_TUPLE
+ "The mechanism used by the intercept and log_subcmds options: %s"
+ dso trace
+intercept_verify
+ T_FLAG
+ "Attempt to verify the command and arguments after execution"
+apparmor_profile
+ T_STR
+ "AppArmor profile to use in the new security context: %s"
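Review bot: The description for `closefrom_override` has unescaped inner double quotes around closefrom, which would end the string early if these descriptions are copied verbatim into generated C (the header's mention of `struct def_values` suggests they are; the backslashes may only have been lost in this page's rendering). It should read `"If set, users may override the value of \"closefrom\" with the -C option"`. The descriptions for `rootpw`, `runaspw` and `targetpw` say "the users's" where "the user's" is meant, and `intercept_allow_setid` says "run set setuid", with a duplicated word. This file carries no default values, so the initial state of the settings that relax a control when enabled (`log_passwords`, `ignore_audit_errors`, `ignore_iolog_errors`, `ignore_logfile_errors`, `runas_allow_unknown_id`, `intercept_allow_setid`) has to be checked where the defaults are initialised, which is not visible in this diff.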