Sudo Plugin supports the following sudo command options :
| Sudoers option | Type | Explanation |
|---|---|---|
| always_query_group_plugin | flag | Query the group plugin for unknown system groups. |
|
always_set_home |
flag |
Always set $HOME to the target user's home directory. |
|
authenticate |
flag |
Require users to authenticate by default. |
|
authfail_message |
string |
Authentication failure message. |
|
badpass_message |
string |
Incorrect password message. |
|
case_insensitive_group |
flag |
Ignore case when matching group names. |
|
case_insensitive_user |
flag |
Ignore case when matching user names. |
|
closefrom |
number |
File descriptors starting at this value will be closed when running a command. |
|
closefrom_override |
flag |
If set, the user may use sudo's -C option. |
|
command_timeout |
number |
Time in seconds after which the command will be terminated. |
|
editor |
string |
A colon-separated list of editor path names used by sudoedit and visudo. |
|
env_check |
list |
Environment variables to check for safety. |
|
env_delete |
list |
Environment variables to remove. |
|
env_editor |
flag |
Visudo will honor the SUDO_EDITOR, VISUAL and EDITOR EDITOR environment variables. |
|
env_file |
string |
Path to the sudo-specific environment file. |
|
env_keep |
list |
Environment variables to preserve. |
|
env_reset |
flag |
Reset the environment to a default set of variables. |
|
exec_background |
flag |
Start the command as a background process. |
|
exempt_group |
string |
Users in this group are exempt from password and PATH requirements. |
|
fqdn |
flag |
Require fully-qualified hostnames in the sudoers file. |
|
group_plugin |
string |
Plugin for non-Unix group support. |
|
ignore_audit_errors |
flag |
Allow commands to be run even if sudo cannot write to the audit log. |
|
ignore_dot |
flag |
Ignore '.' in the PATH environment variable. |
|
ignore_iolog_errors |
flag |
Allow commands to be run even if sudo cannot write to the I/O log. |
|
ignore_unknown_defaults |
flag |
Ignore unknown Defaults entries in sudoers instead of producing a warning. |
|
insults |
flag |
Insult the user when they enter an incorrect password. |
|
intercept |
flag |
Intercept further commands and apply sudoers restrictions to them. |
|
intercept_allow_setid |
flag |
Allow an intercepted command to run set setuid or setgid programs. |
|
intercept_authenticate |
flag |
Subsequent commands in an intercepted session must be authenticated. |
|
intercept_type |
string |
The mechanism used by the intercept and log_subcmds options: dso or ptrace. |
|
intercept_verify |
flag |
Whether to verify the command and arguments after execution. |
|
iolog_dir |
string |
Directory in which to store input/output logs. |
|
iolog_file |
string |
File in which to store the input/output log. |
|
lecture |
string |
Lecture user the first time they run sudo: never, once, always. |
|
lecture_file |
string |
File containing the sudo lecture. |
|
listpw |
string |
When to require a password for 'list' pseudocommand: never, any, all, always. |
|
log_allowed |
flag |
Log when a command is allowed by sudoers. |
|
log_denied |
flag |
Log when a command is denied by sudoers. |
|
log_exit_status |
flag |
Log the exit status of commands. |
|
log_format |
string |
The format of logs to produce: sudo or json. |
|
log_host |
flag |
Log the hostname in the (non-syslog) log file. |
|
log_input |
flag |
Log user's input for the command being run. |
|
log_output |
flag |
Log the output of the command being run. |
|
log_passwords |
flag |
Store plaintext passwords in I/O log input. |
|
log_subcmds |
flag |
Log sub-commands run by the original command. |
|
log_year |
flag |
Log the year in the (non-syslog) log file. |
|
logfile |
string |
Path to log file. |
|
loglinelen |
number |
Length at which to wrap log file lines (0 for no wrap). |
|
mail_all_cmnds |
flag |
Send mail if the user tries to run a command. |
|
mail_always |
flag |
Always send mail when sudo is run. |
|
mail_badpass |
flag |
Send mail if user authentication fails. |
|
mail_no_host |
flag |
Send mail if the user is not in sudoers for this host. |
|
mail_no_perms |
flag |
Send mail if the user is not allowed to run a command. |
|
mail_no_user |
flag |
Send mail if the user is not in sudoers. |
|
mailerflags |
string |
Flags for mail program. |
|
mailerpath |
string |
Path to mail program. |
|
mailfrom |
string |
Address to send mail from. |
|
mailsub |
string |
Subject line for mail messages. |
|
mailto |
string |
Address to send mail to. |
|
match_group_by_gid |
flag |
Resolve groups in sudoers and match on the group ID, not the name. |
|
netgroup_tuple |
flag |
Match netgroups based on the entire tuple: user, host and domain. |
|
noexec |
flag |
Preload the sudo_noexec library which replaces the exec functions. |
|
passprompt |
string |
Default password prompt. |
|
passprompt_regex |
flag |
List of regular expressions to use when matching a password prompt. |
|
passwd_timeout |
number |
Password prompt timeout. |
|
passwd_tries |
number |
Number of tries to enter a password. |
|
path_info |
flag |
Allow some information gathering to give useful error messages. |
|
preserve_groups |
flag |
Don't initialize the group vector to that of the target user. |
|
requiretty |
flag |
Only allow the user to run sudo if they have a tty. |
|
restricted_env_file |
string |
Path to the restricted sudo-specific environment file. |
|
rlimit_as |
number |
The maximum size to which the process's address space may grow (in bytes). |
|
rlimit_core |
number |
The largest size core dump file that may be created (in bytes). |
|
rlimit_cpu |
number |
The maximum amount of CPU time that the process may use (in seconds). |
|
rlimit_data |
number |
The maximum size of the data segment for the process (in bytes). |
|
rlimit_fsize |
number |
The largest size file that the process may create (in bytes). |
|
rlimit_locks |
number |
The maximum number of locks that the process may establish. |
|
rlimit_memlock |
number |
The maximum size that the process may lock in memory (in bytes). |
|
rlimit_nofile |
number |
The maximum number of files that the process may have open. |
|
rlimit_nproc |
number |
The maximum number of processes that the user may run simultaneously. |
|
rlimit_rss |
number |
The maximum size to which the process's resident set size may grow (in bytes). |
|
rlimit_stack |
number |
The maximum size to which the process's stack may grow (in bytes). |
|
root_sudo |
flag |
Root may run sudo. |
|
rootpw |
flag |
Prompt for root's password, not the users's. |
|
runas_allow_unknown_id |
flag |
Allow the use of unknown runas user and/or group ID. |
|
runas_check_shell |
flag |
Only permit running commands as a user with a valid shell. |
|
runas_default |
string |
Default user to run commands as. |
|
runaspw |
flag |
Prompt for the runas_default user's password, not the users's. |
|
runchroot |
string |
Root directory to change to before executing the command. |
|
runcwd |
string |
Working directory to change to before executing the command. |
|
secure_path |
string |
Override the user's PATH environment variable. |
|
set_home |
flag |
Set HOME to the target user when starting a shell with -s. |
|
set_logname |
flag |
Set the LOGNAME and USER environment variables. |
|
set_utmp |
flag |
Add an entry to the utmp/utmpx file when allocating a pty. |
|
setenv |
flag |
Allow users to set arbitrary environment variables. |
|
shell_noargs |
flag |
If sudo is invoked with no arguments, start a shell. |
|
sudoedit_checkdir |
flag |
Check parent directories for writability when editing files with sudoedit. |
|
sudoedit_follow |
flag |
Follow symbolic links when editing files with sudoedit. |
|
sudoers_locale |
string |
Locale to use while parsing sudoers. |
|
syslog |
string |
Syslog facility if syslog is being used for logging. |
|
syslog_badpri |
string |
Syslog priority to use when user authenticates unsuccessfully. |
|
syslog_goodpri |
string |
Syslog priority to use when user authenticates successfully. |
|
syslog_maxlen |
number |
Log entries larger than this value will be split into multiple syslog messages. |
|
syslog_pid |
flag |
Include the process ID when logging via syslog. |
|
targetpw |
flag |
Prompt for the target user's password, not the users's. |
|
timestamp_timeout |
number |
Authentication timestamp timeout. |
|
tty_tickets |
flag |
Use a separate timestamp for each user/tty combo. |
|
umask |
number |
Umask to use or 0777 to use user's. |
|
umask_override |
flag |
The umask specified in sudoers will override the user's, even if it is more permissive. |
|
use_netgroups |
flag |
Enable sudoers netgroup support. |
|
user_command_timeouts |
flag |
Allow the user to specify a timeout on the command line. |
|
utmp_runas |
flag |
Set the user in utmp to the runas user, not the invoking user. |
| verifypw | string | When to require a password for 'verify' pseudocommand: never, any, all, always. |