diff -up sudo-1.8.6p7/doc/Makefile.in.sudoconfman sudo-1.8.6p7/doc/Makefile.in

--- sudo-1.8.6p7/doc/Makefile.in.sudoconfman	2013-07-30 13:57:00.000004193 +0200

+++ sudo-1.8.6p7/doc/Makefile.in	2013-07-30 13:58:25.732323525 +0200

@@ -64,12 +64,13 @@ DEVEL = @DEVEL@

 SHELL = @SHELL@

-DOCS =	sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \

-	sudoers.ldap.$(mantype) sudoers.$(mantype) \

+DOCS =	sudo.$(mantype) visudo.$(mantype) sudo.conf.$(mantype) \

+	sudoers.$(mantype) sudoers.ldap.$(mantype) sudoers.$(mantype) \

 	sudoreplay.$(mantype) sudo_plugin.$(mantype)

 DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \

 	  $(srcdir)/visudo.man.in $(srcdir)/visudo.cat \

+	  $(srcdir)/sudo.conf.man.in $(srcdir)/sudo.conf.cat \

 	  $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \

 	  $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \

 	  $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \

@@ -158,6 +159,34 @@ $(srcdir)/visudo.cat: varsub $(srcdir)/v

 visudo.cat: $(srcdir)/visudo.cat

+$(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in

+	@if [ -n "$(DEVEL)" ]; then \

+	    echo "Generating $@"; \

+	    mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \

+	    mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \

+	    printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \

+	    printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in\n' >> $@; \

+	    $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.conf.mdoc.in >> $@; \

+	    $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \

+	fi

+

+sudo.conf.man.sed: $(srcdir)/fixman.sh

+	$(SHELL) $(srcdir)/fixman.sh $@

+

+sudo.conf.man: $(srcdir)/sudo.conf.man.in sudo.conf.man.sed

+	(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@

+

+sudo.conf.mdoc: $(srcdir)/sudo.conf.mdoc.in

+	(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)

+

+$(srcdir)/sudo.conf.cat: varsub $(srcdir)/sudo.conf.mdoc.in

+	@if [ -n "$(DEVEL)" ]; then \

+	    echo "Generating $@"; \

+	    $(SED) -f varsub $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].*  \)/     \1    /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \

+	fi

+

+sudo.conf.cat: $(srcdir)/sudo.conf.cat

+

 $(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in

 	@if [ -n "$(DEVEL)" ]; then \

 	    echo "Generating $@"; \

@@ -292,10 +321,11 @@ install-doc: install-dirs

 	$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudo_plugin.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu)

 	$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)

 	$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)

+	$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudo.conf.$(mantype) $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform)

 	$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)

 	@LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)

 	@if test -n "$(MANCOMPRESS)"; then \

-	    for f in $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \

+	    for f in $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudo.conf.$(mansectform) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \

 		if test -f $(DESTDIR)$$f; then \

 		    echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \

 		    $(MANCOMPRESS) -f $(DESTDIR)$$f; \

@@ -319,6 +349,7 @@ uninstall:

 		$(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu) \

 		$(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) \

 		$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \

+		$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \

 		$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \

 		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)

diff -up sudo-1.8.6p7/doc/sudo.conf.cat.sudoconfman sudo-1.8.6p7/doc/sudo.conf.cat

--- sudo-1.8.6p7/doc/sudo.conf.cat.sudoconfman	2013-07-30 13:58:15.401285217 +0200

+++ sudo-1.8.6p7/doc/sudo.conf.cat	2013-07-30 13:58:25.733323538 +0200

@@ -0,0 +1,263 @@

+SUDO(4)                       Programmer's Manual                      SUDO(4)

+

+N?NA?AM?ME?E

+     s?su?ud?do?o.?.c?co?on?nf?f - configuration for sudo front end

+

+D?DE?ES?SC?CR?RI?IP?PT?TI?IO?ON?N

+     The s?su?ud?do?o.?.c?co?on?nf?f file is used to configure the s?su?ud?do?o front end.  It specifies

+     the security policy and I/O logging plugins, debug flags as well as

+     plugin-agnostic path names and settings.

+

+     The s?su?ud?do?o.?.c?co?on?nf?f file supports the following directives, described in detail

+     below.

+

+     Plugin    a security policy or I/O logging plugin

+

+     Path      a plugin-agnostic path

+

+     Set       a front end setting, such as _?d_?i_?s_?a_?b_?l_?e_?__?c_?o_?r_?e_?d_?u_?m_?p or _?g_?r_?o_?u_?p_?__?s_?o_?u_?r_?c_?e

+

+     Debug     debug flags to aid in debugging s?su?ud?do?o, s?su?ud?do?or?re?ep?pl?la?ay?y, v?vi?is?su?ud?do?o, and

+               the s?su?ud?do?oe?er?rs?s plugin.

+

+     The pound sign (`#') is used to indicate a comment.  Both the comment

+     character and any text after it, up to the end of the line, are ignored.

+

+     Non-comment lines that don't begin with Plugin, Path, Debug, or Set are

+     silently ignored.

+

+     The s?su?ud?do?o.?.c?co?on?nf?f file is always parsed in the ``C'' locale.

+

+   P?Pl?lu?ug?gi?in?n c?co?on?nf?fi?ig?gu?ur?ra?at?ti?io?on?n

+     s?su?ud?do?o supports a plugin architecture for security policies and

+     input/output logging.  Third parties can develop and distribute their own

+     policy and I/O logging plugins to work seamlessly with the s?su?ud?do?o front

+     end.  Plugins are dynamically loaded based on the contents of s?su?ud?do?o.?.c?co?on?nf?f.

+

+     A Plugin line consists of the Plugin keyword, followed by the _?s_?y_?m_?b_?o_?l_?__?n_?a_?m_?e

+     and the _?p_?a_?t_?h to the shared object containing the plugin.  The _?s_?y_?m_?b_?o_?l_?__?n_?a_?m_?e

+     is the name of the struct policy_plugin or struct io_plugin in the plugin

+     shared object.  The _?p_?a_?t_?h may be fully qualified or relative.  If not

+     fully qualified, it is relative to the _?/_?u_?s_?r_?/_?l_?o_?c_?a_?l_?/_?l_?i_?b_?e_?x_?e_?c directory.  In

+     other words:

+

+           Plugin sudoers_policy sudoers.so

+

+     is equivalent to:

+

+           Plugin sudoers_policy /usr/local/libexec/sudoers.so

+

+     Any additional parameters after the _?p_?a_?t_?h are passed as arguments to the

+     plugin's _?o_?p_?e_?n function.  For example, to override the compile-time

+     default sudoers file mode:

+

+           Plugin sudoers_policy sudoers.so sudoers_mode=0440

+

+     If no s?su?ud?do?o.?.c?co?on?nf?f file is present, or if it contains no Plugin lines, the

+     s?su?ud?do?oe?er?rs?s plugin will be used as the default security policy and for I/O

+     logging (if enabled by the policy).  This is equivalent to the following:

+

+           Plugin policy_plugin sudoers.so

+           Plugin io_plugin sudoers.so

+

+     For more information on the s?su?ud?do?o plugin architecture, see the

+     sudo_plugin(1m) manual.

+

+   P?Pa?at?th?h s?se?et?tt?ti?in?ng?gs?s

+     A Path line consists of the Path keyword, followed by the name of the

+     path to set and its value.  For example:

+

+           Path noexec /usr/local/libexec/sudo_noexec.so

+           Path askpass /usr/X11R6/bin/ssh-askpass

+

+     The following plugin-agnostic paths may be set in the _?/_?e_?t_?c_?/_?s_?u_?d_?o_?._?c_?o_?n_?f

+     file:

+

+     askpass   The fully qualified path to a helper program used to read the

+               user's password when no terminal is available.  This may be the

+               case when s?su?ud?do?o is executed from a graphical (as opposed to

+               text-based) application.  The program specified by _?a_?s_?k_?p_?a_?s_?s

+               should display the argument passed to it as the prompt and

+               write the user's password to the standard output.  The value of

+               _?a_?s_?k_?p_?a_?s_?s may be overridden by the SUDO_ASKPASS environment

+               variable.

+

+     noexec    The fully-qualified path to a shared library containing dummy

+               versions of the e?ex?xe?ec?cv?v(), e?ex?xe?ec?cv?ve?e() and f?fe?ex?xe?ec?cv?ve?e() library

+               functions that just return an error.  This is used to implement

+               the _?n_?o_?e_?x_?e_?c functionality on systems that support LD_PRELOAD or

+               its equivalent.  The default value is:

+               _?/_?u_?s_?r_?/_?l_?o_?c_?a_?l_?/_?l_?i_?b_?e_?x_?e_?c_?/_?s_?u_?d_?o_?__?n_?o_?e_?x_?e_?c_?._?s_?o.

+

+   O?Ot?th?he?er?r s?se?et?tt?ti?in?ng?gs?s

+     The s?su?ud?do?o.?.c?co?on?nf?f file also supports the following front end settings:

+

+     disable_coredump

+               Core dumps of s?su?ud?do?o itself are disabled by default.  To aid in

+               debugging s?su?ud?do?o crashes, you may wish to re-enable core dumps by

+               setting ``disable_coredump'' to false in s?su?ud?do?o.?.c?co?on?nf?f as follows:

+

+                     Set disable_coredump false

+

+               Note that most operating systems disable core dumps from setuid

+               programs, including s?su?ud?do?o.  To actually get a s?su?ud?do?o core file you

+               will likely need to enable core dumps for setuid processes.  On

+               BSD and Linux systems this is accomplished via the sysctl

+               command.  On Solaris, the coreadm command is used to configure

+               core dump behavior.

+

+               This setting is only available in s?su?ud?do?o version 1.8.4 and

+               higher.

+

+   D?De?eb?bu?ug?g f?fl?la?ag?gs?s

+     s?su?ud?do?o versions 1.8.4 and higher support a flexible debugging framework

+     that can help track down what s?su?ud?do?o is doing internally if there is a

+     problem.

+

+     A Debug line consists of the Debug keyword, followed by the name of the

+     program (or plugin) to debug (s?su?ud?do?o, v?vi?is?su?ud?do?o, s?su?ud?do?or?re?ep?pl?la?ay?y, s?su?ud?do?oe?er?rs?s), the

+     debug file name and a comma-separated list of debug flags.  The debug

+     flag syntax used by s?su?ud?do?o and the s?su?ud?do?oe?er?rs?s plugin is _?s_?u_?b_?s_?y_?s_?t_?e_?m@_?p_?r_?i_?o_?r_?i_?t_?y but

+     a plugin is free to use a different format so long as it does not include

+     a comma (`,').

+

+     For example:

+

+           Debug sudo /var/log/sudo_debug all@warn,plugin@info

+

+     would log all debugging statements at the _?w_?a_?r_?n level and higher in

+     addition to those at the _?i_?n_?f_?o level for the plugin subsystem.

+

+     Currently, only one Debug entry per program is supported.  The s?su?ud?do?o Debug

+     entry is shared by the s?su?ud?do?o front end, s?su?ud?do?oe?ed?di?it?t and the plugins.  A

+     future release may add support for per-plugin Debug lines and/or support

+     for multiple debugging files for a single program.

+

+     The priorities used by the s?su?ud?do?o front end, in order of decreasing

+     severity, are: _?c_?r_?i_?t, _?e_?r_?r, _?w_?a_?r_?n, _?n_?o_?t_?i_?c_?e, _?d_?i_?a_?g, _?i_?n_?f_?o, _?t_?r_?a_?c_?e and _?d_?e_?b_?u_?g.

+     Each priority, when specified, also includes all priorities higher than

+     it.  For example, a priority of _?n_?o_?t_?i_?c_?e would include debug messages

+     logged at _?n_?o_?t_?i_?c_?e and higher.

+

+     The following subsystems are used by the s?su?ud?do?o front-end:

+

+     _?a_?l_?l         matches every subsystem

+

+     _?a_?r_?g_?s        command line argument processing

+

+     _?c_?o_?n_?v        user conversation

+

+     _?e_?d_?i_?t        sudoedit

+

+     _?e_?x_?e_?c        command execution

+

+     _?m_?a_?i_?n        s?su?ud?do?o main function

+

+     _?n_?e_?t_?i_?f       network interface handling

+

+     _?p_?c_?o_?m_?m       communication with the plugin

+

+     _?p_?l_?u_?g_?i_?n      plugin configuration

+

+     _?p_?t_?y         pseudo-tty related code

+

+     _?s_?e_?l_?i_?n_?u_?x     SELinux-specific handling

+

+     _?u_?t_?i_?l        utility functions

+

+     _?u_?t_?m_?p        utmp handling

+

+F?FI?IL?LE?ES?S

+     _?/_?e_?t_?c_?/_?s_?u_?d_?o_?._?c_?o_?n_?f            s?su?ud?do?o front end configuration

+

+E?EX?XA?AM?MP?PL?LE?ES?S

+     #

+     # Default /etc/sudo.conf file

+     #

+     # Format:

+     #   Plugin plugin_name plugin_path plugin_options ...

+     #   Path askpass /path/to/askpass

+     #   Path noexec /path/to/sudo_noexec.so

+     #   Debug sudo /var/log/sudo_debug all@warn

+     #   Set disable_coredump true

+     #

+     # The plugin_path is relative to /usr/local/libexec unless

+     #   fully qualified.

+     # The plugin_name corresponds to a global symbol in the plugin

+     #   that contains the plugin interface structure.

+     # The plugin_options are optional.

+     #

+     # The sudoers plugin is used by default if no Plugin lines are

+     # present.

+     Plugin policy_plugin sudoers.so

+     Plugin io_plugin sudoers.so

+

+     #

+     # Sudo askpass:

+     #

+     # An askpass helper program may be specified to provide a graphical

+     # password prompt for "sudo -A" support.  Sudo does not ship with

+     # its own askpass program but can use the OpenSSH askpass.

+     #

+     # Use the OpenSSH askpass

+     #Path askpass /usr/X11R6/bin/ssh-askpass

+     #

+     # Use the Gnome OpenSSH askpass

+     #Path askpass /usr/libexec/openssh/gnome-ssh-askpass

+

+     #

+     # Sudo noexec:

+     #

+     # Path to a shared library containing dummy versions of the execv(),

+     # execve() and fexecve() library functions that just return an error.

+     # This is used to implement the "noexec" functionality on systems that

+     # support C<LD_PRELOAD> or its equivalent.

+     # The compiled-in value is usually sufficient and should only be

+     # changed if you rename or move the sudo_noexec.so file.

+     #

+     #Path noexec /usr/local/libexec/sudo_noexec.so

+

+     #

+     # Core dumps:

+     #

+     # By default, sudo disables core dumps while it is executing

+     # (they are re-enabled for the command that is run).

+     # To aid in debugging sudo problems, you may wish to enable core

+     # dumps by setting "disable_coredump" to false.

+     #

+     #Set disable_coredump false

+

+S?SE?EE?E A?AL?LS?SO?O

+     sudoers(4), sudo(1m), sudo_plugin(1m),

+

+H?HI?IS?ST?TO?OR?RY?Y

+     See the HISTORY file in the s?su?ud?do?o distribution

+     (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.

+

+A?AU?UT?TH?HO?OR?RS?S

+     Many people have worked on s?su?ud?do?o over the years; this version consists of

+     code written primarily by:

+

+           Todd C. Miller

+

+     See the CONTRIBUTORS file in the s?su?ud?do?o distribution

+     (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of

+     people who have contributed to s?su?ud?do?o.

+

+B?BU?UG?GS?S

+     If you feel you have found a bug in s?su?ud?do?o, please submit a bug report at

+     http://www.sudo.ws/sudo/bugs/

+

+S?SU?UP?PP?PO?OR?RT?T

+     Limited free support is available via the sudo-users mailing list, see

+     http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the

+     archives.

+

+D?DI?IS?SC?CL?LA?AI?IM?ME?ER?R

+     s?su?ud?do?o is provided ``AS IS'' and any express or implied warranties,

+     including, but not limited to, the implied warranties of merchantability

+     and fitness for a particular purpose are disclaimed.  See the LICENSE

+     file distributed with s?su?ud?do?o or http://www.sudo.ws/sudo/license.html for

+     complete details.

+

+Sudo 1.8.6p7                     February 1, 2013                     Sudo 1.8.6p7

diff -up sudo-1.8.6p7/doc/sudo.conf.man.in.sudoconfman sudo-1.8.6p7/doc/sudo.conf.man.in

--- sudo-1.8.6p7/doc/sudo.conf.man.in.sudoconfman	2013-07-30 13:58:15.401285217 +0200

+++ sudo-1.8.6p7/doc/sudo.conf.man.in	2013-07-30 13:58:25.733323538 +0200

@@ -0,0 +1,470 @@

+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!

+.\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in

+.\"

+.\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>

+.\"

+.\" Permission to use, copy, modify, and distribute this software for any

+.\" purpose with or without fee is hereby granted, provided that the above

+.\" copyright notice and this permission notice appear in all copies.

+.\"

+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+.\"

+.TH "SUDO" "5" "February 1, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"

+.nh

+.if n .ad l

+.SH "NAME"

+\fBsudo.conf\fR

+\- configuration for sudo front end

+.SH "DESCRIPTION"

+The

+\fBsudo.conf\fR

+file is used to configure the

+\fBsudo\fR

+front end.

+It specifies the security policy and I/O logging plugins, debug flags

+as well as plugin-agnostic path names and settings.

+.PP

+The

+\fBsudo.conf\fR

+file supports the following directives, described in detail below.

+.TP 10n

+Plugin

+a security policy or I/O logging plugin

+.TP 10n

+Path

+a plugin-agnostic path

+.TP 10n

+Set

+a front end setting, such as

+\fIdisable_coredump\fR

+or

+\fIgroup_source\fR

+.TP 10n

+Debug

+debug flags to aid in debugging

+\fBsudo\fR,

+\fBsudoreplay\fR,

+\fBvisudo\fR,

+and the

+\fBsudoers\fR

+plugin.

+.PP

+The pound sign

+(`#')

+is used to indicate a comment.

+Both the comment character and any text after it, up to the end of

+the line, are ignored.

+.PP

+Non-comment lines that don't begin with

+\fRPlugin\fR,

+\fRPath\fR,

+\fRDebug\fR,

+or

+\fRSet\fR

+are silently ignored.

+.PP

+The

+\fBsudo.conf\fR

+file is always parsed in the

+``\fRC\fR''

+locale.

+.SS "Plugin configuration"

+\fBsudo\fR

+supports a plugin architecture for security policies and input/output

+logging.

+Third parties can develop and distribute their own policy and I/O

+logging plugins to work seamlessly with the

+\fBsudo\fR

+front end.

+Plugins are dynamically loaded based on the contents of

+\fBsudo.conf\fR.

+.PP

+A

+\fRPlugin\fR

+line consists of the

+\fRPlugin\fR

+keyword, followed by the

+\fIsymbol_name\fR

+and the

+\fIpath\fR

+to the shared object containing the plugin.

+The

+\fIsymbol_name\fR

+is the name of the

+\fRstruct policy_plugin\fR

+or

+\fRstruct io_plugin\fR

+in the plugin shared object.

+The

+\fIpath\fR

+may be fully qualified or relative.

+If not fully qualified, it is relative to the

+\fI@PLUGINDIR@\fR

+directory.

+In other words:

+.nf

+.sp

+.RS 6n

+Plugin sudoers_policy sudoers.so

+.RE

+.fi

+.PP

+is equivalent to:

+.nf

+.sp

+.RS 6n

+Plugin sudoers_policy @PLUGINDIR@/sudoers.so

+.RE

+.fi

+.PP

+Any additional parameters after the

+\fIpath\fR

+are passed as arguments to the plugin's

+\fIopen\fR

+function.

+For example, to override the compile-time default sudoers file mode:

+.nf

+.sp

+.RS 6n

+Plugin sudoers_policy sudoers.so sudoers_mode=0440

+.RE

+.fi

+.PP

+If no

+\fBsudo.conf\fR

+file is present, or if it contains no

+\fRPlugin\fR

+lines, the

+\fBsudoers\fR

+plugin will be used as the default security policy and for I/O logging

+(if enabled by the policy).

+This is equivalent to the following:

+.nf

+.sp

+.RS 6n

+Plugin policy_plugin sudoers.so

+Plugin io_plugin sudoers.so

+.RE

+.fi

+.PP

+For more information on the

+\fBsudo\fR

+plugin architecture, see the

+sudo_plugin(@mansectsu@)

+manual.

+.SS "Path settings"

+A

+\fRPath\fR

+line consists of the

+\fRPath\fR

+keyword, followed by the name of the path to set and its value.

+For example:

+.nf

+.sp

+.RS 6n

+Path noexec @noexec_file@

+Path askpass /usr/X11R6/bin/ssh-askpass

+.RE

+.fi

+.PP

+The following plugin-agnostic paths may be set in the

+\fI@sysconfdir@/sudo.conf\fR

+file:

+.TP 10n

+askpass

+The fully qualified path to a helper program used to read the user's

+password when no terminal is available.

+This may be the case when

+\fBsudo\fR

+is executed from a graphical (as opposed to text-based) application.

+The program specified by

+\fIaskpass\fR

+should display the argument passed to it as the prompt and write

+the user's password to the standard output.

+The value of

+\fIaskpass\fR

+may be overridden by the

+\fRSUDO_ASKPASS\fR

+environment variable.

+.TP 10n

+noexec

+The fully-qualified path to a shared library containing dummy

+versions of the

+\fBexecv\fR(),

+\fBexecve\fR()

+and

+\fBfexecve\fR()

+library functions that just return an error.

+This is used to implement the

+\fInoexec\fR

+functionality on systems that support

+\fRLD_PRELOAD\fR

+or its equivalent.

+The default value is:

+\fI@noexec_file@\fR.

+.SS "Other settings"

+The

+\fBsudo.conf\fR

+file also supports the following front end settings:

+.TP 10n

+disable_coredump

+Core dumps of

+\fBsudo\fR

+itself are disabled by default.

+To aid in debugging

+\fBsudo\fR

+crashes, you may wish to re-enable core dumps by setting

+``disable_coredump''

+to false in

+\fBsudo.conf\fR

+as follows:

+.RS

+.nf

+.sp

+.RS 6n

+Set disable_coredump false

+.RE

+.fi

+.sp

+Note that most operating systems disable core dumps from setuid programs,

+including

+\fBsudo\fR.

+To actually get a

+\fBsudo\fR

+core file you will likely need to enable core dumps for setuid processes.

+On BSD and Linux systems this is accomplished via the

+sysctl

+command.

+On Solaris, the

+coreadm

+command is used to configure core dump behavior.

+.sp

+This setting is only available in

+\fBsudo\fR

+version 1.8.4 and higher.

+.PP

+.RE

+.SS "Debug flags"

+\fBsudo\fR

+versions 1.8.4 and higher support a flexible debugging framework

+that can help track down what

+\fBsudo\fR

+is doing internally if there is a problem.

+.PP

+A

+\fRDebug\fR

+line consists of the

+\fRDebug\fR

+keyword, followed by the name of the program (or plugin) to debug

+(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR, \fBsudoers\fR),

+the debug file name and a comma-separated list of debug flags.

+The debug flag syntax used by

+\fBsudo\fR

+and the

+\fBsudoers\fR

+plugin is

+\fIsubsystem\fR@\fIpriority\fR

+but a plugin is free to use a different format so long as it does

+not include a comma

+(`\&,').

+.PP

+For example:

+.nf

+.sp

+.RS 6n

+Debug sudo /var/log/sudo_debug all@warn,plugin@info

+.RE

+.fi

+.PP

+would log all debugging statements at the

+\fIwarn\fR

+level and higher in addition to those at the

+\fIinfo\fR

+level for the plugin subsystem.

+.PP

+Currently, only one

+\fRDebug\fR

+entry per program is supported.

+The

+\fBsudo\fR

+\fRDebug\fR

+entry is shared by the

+\fBsudo\fR

+front end,

+\fBsudoedit\fR

+and the plugins.

+A future release may add support for per-plugin

+\fRDebug\fR

+lines and/or support for multiple debugging files for a single

+program.

+.PP

+The priorities used by the

+\fBsudo\fR

+front end, in order of decreasing severity, are:

+\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR

+and

+\fIdebug\fR.

+Each priority, when specified, also includes all priorities higher

+than it.

+For example, a priority of

+\fInotice\fR

+would include debug messages logged at

+\fInotice\fR

+and higher.

+.PP

+The following subsystems are used by the

+\fBsudo\fR

+front-end:

+.TP 12n

+\fIall\fR

+matches every subsystem

+.TP 12n

+\fIargs\fR

+command line argument processing

+.TP 12n

+\fIconv\fR

+user conversation

+.TP 12n

+\fIedit\fR

+sudoedit

+.TP 12n

+\fIexec\fR

+command execution

+.TP 12n

+\fImain\fR

+\fBsudo\fR

+main function

+.TP 12n

+\fInetif\fR

+network interface handling

+.TP 12n

+\fIpcomm\fR

+communication with the plugin

+.TP 12n

+\fIplugin\fR

+plugin configuration

+.TP 12n

+\fIpty\fR

+pseudo-tty related code

+.TP 12n

+\fIselinux\fR

+SELinux-specific handling

+.TP 12n

+\fIutil\fR

+utility functions

+.TP 12n

+\fIutmp\fR

+utmp handling

+.SH "FILES"

+.TP 26n

+\fI@sysconfdir@/sudo.conf\fR

+\fBsudo\fR

+front end configuration

+.SH "EXAMPLES"

+.nf

+.RS 0n

+#