Diffstat (limited to 'plugins/sudoers/def_data.in')
-rw-r--r-- | plugins/sudoers/def_data.in | 502 |
1 files changed, 502 insertions, 0 deletions
diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
new file mode 100644
index 0000000..4d627e6
--- /dev/null
+++ b/plugins/sudoers/def_data.in
@@ -0,0 +1,502 @@
+#
+# Format:
+#
+# var_name
+# TYPE
+# description (or NULL)
+# array of struct def_values if TYPE == T_TUPLE
+#
+# NOTE: for tuples that can be used in a boolean context the first
+# value corresponds to boolean FALSE and the second to TRUE.
+#
+
+syslog
+ T_LOGFAC|T_BOOL
+ "Syslog facility if syslog is being used for logging: %s"
+syslog_goodpri
+ T_LOGPRI|T_BOOL
+ "Syslog priority to use when user authenticates successfully: %s"
+syslog_badpri
+ T_LOGPRI|T_BOOL
+ "Syslog priority to use when user authenticates unsuccessfully: %s"
+long_otp_prompt
+ T_FLAG
+ "Put OTP prompt on its own line"
+ignore_dot
+ T_FLAG
+ "Ignore '.' in $PATH"
+mail_always
+ T_FLAG
+ "Always send mail when sudo is run"
+mail_badpass
+ T_FLAG
+ "Send mail if user authentication fails"
+mail_no_user
+ T_FLAG
+ "Send mail if the user is not in sudoers"
+mail_no_host
+ T_FLAG
+ "Send mail if the user is not in sudoers for this host"
+mail_no_perms
+ T_FLAG
+ "Send mail if the user is not allowed to run a command"
+mail_all_cmnds
+ T_FLAG
+ "Send mail if the user tries to run a command"
+tty_tickets
+ T_FLAG
+ "Use a separate timestamp for each user/tty combo"
+lecture
+ T_TUPLE|T_BOOL
+ "Lecture user the first time they run sudo"
+ never once always
+lecture_file
+ T_STR|T_PATH|T_BOOL
+ "File containing the sudo lecture: %s"
+authenticate
+ T_FLAG
+ "Require users to authenticate by default"
+root_sudo
+ T_FLAG
+ "Root may run sudo"
+log_host
+ T_FLAG
+ "Log the hostname in the (non-syslog) log file"
+log_year
+ T_FLAG
+ "Log the year in the (non-syslog) log file"
+shell_noargs
+ T_FLAG
+ "If sudo is invoked with no arguments, start a shell"
+set_home
+ T_FLAG
+ "Set $HOME to the target user when starting a shell with -s"
+always_set_home
+ T_FLAG
+ "Always set $HOME to the target user's home directory"
+path_info
+ T_FLAG
+ "Allow some information gathering to give useful error messages"
+fqdn
+ T_FLAG
+ "Require fully-qualified hostnames in the sudoers file"
+insults
+ T_FLAG
+ "Insult the user when they enter an incorrect password"
+requiretty
+ T_FLAG
+ "Only allow the user to run sudo if they have a tty"
+env_editor
+ T_FLAG
+ "Visudo will honor the EDITOR environment variable"
+rootpw
+ T_FLAG
+ "Prompt for root's password, not the users's"
+runaspw
+ T_FLAG
+ "Prompt for the runas_default user's password, not the users's"
+targetpw
+ T_FLAG
+ "Prompt for the target user's password, not the users's"
+use_loginclass
+ T_FLAG
+ "Apply defaults in the target user's login class if there is one"
+set_logname
+ T_FLAG
+ "Set the LOGNAME and USER environment variables"
+stay_setuid
+ T_FLAG
+ "Only set the effective uid to the target user, not the real uid"
+preserve_groups
+ T_FLAG
+ "Don't initialize the group vector to that of the target user"
+loglinelen
+ T_UINT|T_BOOL
+ "Length at which to wrap log file lines (0 for no wrap): %u"
+timestamp_timeout
+ T_TIMESPEC|T_BOOL
+ "Authentication timestamp timeout: %.1f minutes"
+passwd_timeout
+ T_TIMESPEC|T_BOOL
+ "Password prompt timeout: %.1f minutes"
+passwd_tries
+ T_UINT
+ "Number of tries to enter a password: %u"
+umask
+ T_MODE|T_BOOL
+ "Umask to use or 0777 to use user's: 0%o"
+logfile
+ T_STR|T_BOOL|T_PATH
+ "Path to log file: %s"
+mailerpath
+ T_STR|T_BOOL|T_PATH
+ "Path to mail program: %s"
+mailerflags
+ T_STR|T_BOOL
+ "Flags for mail program: %s"
+mailto
+ T_STR|T_BOOL
+ "Address to send mail to: %s"
+mailfrom
+ T_STR|T_BOOL
+ "Address to send mail from: %s"
+mailsub
+ T_STR
+ "Subject line for mail messages: %s"
+badpass_message
+ T_STR
+ "Incorrect password message: %s"
+lecture_status_dir
+ T_STR|T_PATH
+ "Path to lecture status dir: %s"
+timestampdir
+ T_STR|T_PATH
+ "Path to authentication timestamp dir: %s"
+timestampowner
+ T_STR
+ "Owner of the authentication timestamp dir: %s"
+exempt_group
+ T_STR|T_BOOL
+ "Users in this group are exempt from password and PATH requirements: %s"
+passprompt
+ T_STR
+ "Default password prompt: %s"
+passprompt_override
+ T_FLAG
+ "If set, passprompt will override system prompt in all cases."
+runas_default
+ T_STR
+ "Default user to run commands as: %s"
+secure_path
+ T_STR|T_BOOL
+ "Value to override user's $PATH with: %s"
+editor
+ T_STR|T_PATH
+ "Path to the editor for use by visudo: %s"
+listpw
+ T_TUPLE|T_BOOL
+ "When to require a password for 'list' pseudocommand: %s"
+ never any all always
+verifypw
+ T_TUPLE|T_BOOL
+ "When to require a password for 'verify' pseudocommand: %s"
+ never all any always
+noexec
+ T_FLAG
+ "Preload the sudo_noexec library which replaces the exec functions"
+ignore_local_sudoers
+ T_FLAG
+ "If LDAP directory is up, do we ignore local sudoers file"
+closefrom
+ T_INT
+ "File descriptors >= %d will be closed before executing a command"
+closefrom_override
+ T_FLAG
+ "If set, users may override the value of "closefrom" with the -C option"
+setenv
+ T_FLAG
+ "Allow users to set arbitrary environment variables"
+env_reset
+ T_FLAG
+ "Reset the environment to a default set of variables"
+env_check
+ T_LIST|T_BOOL
+ "Environment variables to check for safety:"
+env_delete
+ T_LIST|T_BOOL
+ "Environment variables to remove:"
+env_keep
+ T_LIST|T_BOOL
+ "Environment variables to preserve:"
+role
+ T_STR
+ "SELinux role to use in the new security context: %s"
+type
+ T_STR
+ "SELinux type to use in the new security context: %s"
+env_file
+ T_STR|T_PATH|T_BOOL
+ "Path to the sudo-specific environment file: %s"
+restricted_env_file
+ T_STR|T_PATH|T_BOOL
+ "Path to the restricted sudo-specific environment file: %s"
+sudoers_locale
+ T_STR
+ "Locale to use while parsing sudoers: %s"
+visiblepw
+ T_FLAG
+ "Allow sudo to prompt for a password even if it would be visible"
+pwfeedback
+ T_FLAG
+ "Provide visual feedback at the password prompt when there is user input"
+fast_glob
+ T_FLAG
+ "Use faster globbing that is less accurate but does not access the filesystem"
+umask_override
+ T_FLAG
+ "The umask specified in sudoers will override the user's, even if it is more permissive"
+log_input
+ T_FLAG
+ "Log user's input for the command being run"
+log_stdin
+ T_FLAG
+ "Log the command's standard input if not connected to a terminal"
+log_ttyin
+ T_FLAG
+ "Log the user's terminal input for the command being run"
+log_output
+ T_FLAG
+ "Log the output of the command being run"
+log_stdout
+ T_FLAG
+ "Log the command's standard output if not connected to a terminal"
+log_stderr
+ T_FLAG
+ "Log the command's standard error if not connected to a terminal"
+log_ttyout
+ T_FLAG
+ "Log the terminal output of the command being run"
+compress_io
+ T_FLAG
+ "Compress I/O logs using zlib"
+use_pty
+ T_FLAG
+ "Always run commands in a pseudo-tty"
+group_plugin
+ T_STR
+ "Plugin for non-Unix group support: %s"
+iolog_dir
+ T_STR|T_PATH
+ "Directory in which to store input/output logs: %s"
+iolog_file
+ T_STR
+ "File in which to store the input/output log: %s"
+set_utmp
+ T_FLAG
+ "Add an entry to the utmp/utmpx file when allocating a pty"
+utmp_runas
+ T_FLAG
+ "Set the user in utmp to the runas user, not the invoking user"
+privs
+ T_STR
+ "Set of permitted privileges: %s"
+limitprivs
+ T_STR
+ "Set of limit privileges: %s"
+exec_background
+ T_FLAG
+ "Run commands on a pty in the background"
+pam_service
+ T_STR
+ "PAM service name to use: %s"
+pam_login_service
+ T_STR
+ "PAM service name to use for login shells: %s"
+pam_askpass_service
+ T_STR
+ "PAM service name to use when sudo is run with the -A option: %s"
+pam_setcred
+ T_FLAG
+ "Attempt to establish PAM credentials for the target user"
+pam_session
+ T_FLAG
+ "Create a new PAM session for the command to run in"
+pam_acct_mgmt
+ T_FLAG
+ "Perform PAM account validation management"
+maxseq
+ T_STR
+ "Maximum I/O log sequence number: %s"
+use_netgroups
+ T_FLAG
+ "Enable sudoers netgroup support"
+sudoedit_checkdir
+ T_FLAG
+ "Check parent directories for writability when editing files with sudoedit"
+sudoedit_follow
+ T_FLAG
+ "Follow symbolic links when editing files with sudoedit"
+always_query_group_plugin
+ T_FLAG
+ "Query the group plugin for unknown system groups"
+netgroup_tuple
+ T_FLAG
+ "Match netgroups based on the entire tuple: user, host and domain"
+ignore_audit_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the audit log"
+ignore_iolog_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the I/O log"
+ignore_logfile_errors
+ T_FLAG
+ "Allow commands to be run even if sudo cannot write to the log file"
+match_group_by_gid
+ T_FLAG
+ "Resolve groups in sudoers and match on the group ID, not the name"
+syslog_maxlen
+ T_UINT
+ "Log entries larger than this value will be split into multiple syslog messages: %u"
+iolog_user
+ T_STR|T_BOOL
+ "User that will own the I/O log files: %s"
+iolog_group
+ T_STR|T_BOOL
+ "Group that will own the I/O log files: %s"
+iolog_mode
+ T_MODE
+ "File mode to use for the I/O log files: 0%o"
+fdexec
+ T_TUPLE|T_BOOL
+ "Execute commands by file descriptor instead of by path: %s"
+ never digest_only always
+ignore_unknown_defaults
+ T_FLAG
+ "Ignore unknown Defaults entries in sudoers instead of producing a warning"
+command_timeout
+ T_TIMEOUT|T_BOOL
+ "Time in seconds after which the command will be terminated: %u"
+user_command_timeouts
+ T_FLAG
+ "Allow the user to specify a timeout on the command line"
+iolog_flush
+ T_FLAG
+ "Flush I/O log data to disk immediately instead of buffering it"
+syslog_pid
+ T_FLAG
+ "Include the process ID when logging via syslog"
+timestamp_type
+ T_TUPLE
+ "Type of authentication timestamp record: %s"
+ global ppid tty kernel
+authfail_message
+ T_STR
+ "Authentication failure message: %s"
+case_insensitive_user
+ T_FLAG
+ "Ignore case when matching user names"
+case_insensitive_group
+ T_FLAG
+ "Ignore case when matching group names"
+log_allowed
+ T_FLAG
+ "Log when a command is allowed by sudoers"
+log_denied
+ T_FLAG
+ "Log when a command is denied by sudoers"
+log_servers
+ T_LIST|T_BOOL
+ "Sudo log server(s) to connect to with optional port"
+log_server_timeout
+ T_TIMEOUT|T_BOOL
+ "Sudo log server timeout in seconds: %u"
+log_server_keepalive
+ T_FLAG
+ "Enable SO_KEEPALIVE socket option on the socket connected to the logserver"
+log_server_cabundle
+ T_STR|T_BOOL|T_PATH
+ "Path to the audit server's CA bundle file: %s"
+log_server_peer_cert
+ T_STR|T_BOOL|T_PATH
+ "Path to the sudoers certificate file: %s"
+log_server_peer_key
+ T_STR|T_BOOL|T_PATH
+ "Path to the sudoers private key file: %s"
+log_server_verify
+ T_FLAG
+ "Verify that the log server's certificate is valid"
+runas_allow_unknown_id
+ T_FLAG
+ "Allow the use of unknown runas user and/or group ID"
+runas_check_shell
+ T_FLAG
+ "Only permit running commands as a user with a valid shell"
+pam_ruser
+ T_FLAG
+ "Set the pam remote user to the user running sudo"
+pam_rhost
+ T_FLAG
+ "Set the pam remote host to the local host name"
+runcwd
+ T_STR|T_BOOL|T_CHPATH
+ "Working directory to change to before executing the command: %s"
+runchroot
+ T_STR|T_BOOL|T_CHPATH
+ "Root directory to change to before executing the command: %s"
+log_format
+ T_TUPLE
+ "The format of logs to produce: %s"
+ sudo json
+selinux
+ T_FLAG
+ "Enable SELinux RBAC support"
+admin_flag
+ T_STR|T_BOOL|T_CHPATH
+ "Path to the file that is created the first time sudo is run: %s"
+intercept
+ T_FLAG
+ "Intercept further commands and apply sudoers restrictions to them"
+log_subcmds
+ T_FLAG
+ "Log sub-commands run by the original command"
+log_exit_status
+ T_FLAG
+ "Log the exit status of commands"
+intercept_authenticate
+ T_FLAG
+ "Subsequent commands in an intercepted session must be authenticated"
+intercept_allow_setid
+ T_FLAG
+ "Allow an intercepted command to run set setuid or setgid programs"
+rlimit_as
+ T_RLIMIT|T_BOOL
+ "The maximum size to which the process's address space may grow (in bytes): %s"
+rlimit_core
+ T_RLIMIT|T_BOOL
+ "The largest size core dump file that may be created (in bytes): %s"
+rlimit_cpu
+ T_RLIMIT|T_BOOL
+ "The maximum amount of CPU time that the process may use (in seconds): %s"
+rlimit_data
+ T_RLIMIT|T_BOOL
+ "The maximum size of the data segment for the process (in bytes): %s"
+rlimit_fsize
+ T_RLIMIT|T_BOOL
+ "The largest size file that the process may create (in bytes): %s"
+rlimit_locks
+ T_RLIMIT|T_BOOL
+ "The maximum number of locks that the process may establish: %s"
+rlimit_memlock
+ T_RLIMIT|T_BOOL
+ "The maximum size that the process may lock in memory (in bytes): %s"
+rlimit_nofile
+ T_RLIMIT|T_BOOL
+ "The maximum number of files that the process may have open: %s"
+rlimit_nproc
+ T_RLIMIT|T_BOOL
+ "The maximum number of processes that the user may run simultaneously: %s"
+rlimit_rss
+ T_RLIMIT|T_BOOL
+ "The maximum size to which the process's resident set size may grow (in bytes): %s"
+rlimit_stack
+ T_RLIMIT|T_BOOL
+ "The maximum size to which the process's stack may grow (in bytes): %s"
+noninteractive_auth
+ T_FLAG
+ "Attempt authentication even when in non-interactive mode"
+log_passwords
+ T_FLAG
+ "Store plaintext passwords in I/O log input"
+passprompt_regex
+ T_LIST|T_SPACE|T_BOOL
+ "List of regular expressions to use when matching a password prompt"
+intercept_type
+ T_TUPLE
+ "The mechanism used by the intercept and log_subcmds options: %s"
+ dso trace
+intercept_verify
+ T_FLAG
+ "Attempt to verify the command and arguments after execution"
+apparmor_profile
+ T_STR
+ "AppArmor profile to use in the new security context: %s" |
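Review bot: Four description strings in this new file have wording errors that will appear wherever these descriptions are displayed: `rootpw`, `runaspw` and `targetpw` all end in "not the users's", and `intercept_allow_setid` reads "run set setuid or setgid programs". I would change them to `"Prompt for root's password, not the user's"` (likewise for the other two) and `"Allow an intercepted command to run setuid or setgid programs"`. The `closefrom_override` description also shows bare double quotes around closefrom inside a double-quoted string; if that is how the file really reads rather than an artifact of this page, the inner quotes need escaping or replacing, for example `"If set, users may override the value of 'closefrom' with the -C option"`. Separately, the format header describes only the record layout, so a short comment explaining the T_BOOL, T_PATH and T_CHPATH modifiers would let a reader tell why `iolog_file` is plain T_STR while `iolog_dir` is T_STR|T_PATH.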