
SUDO.CONF(4)                                                      SUDO.CONF(4)

NAME
     sudo.conf - configuration for sudo front-end

DESCRIPTION
     The sudo.conf file is used to configure the sudo front-end.  It is used
     to configure sudo plugins, plugin-agnostic path names, debug flags, and
     other settings.

     The sudo.conf file supports the following directives, described in
     detail below.

     Plugin    an approval, audit, I/O logging, or security policy plugin

     Path      a plugin-agnostic path

     Set       a front-end setting, such as disable_coredump or group_source

     Debug     debug flags to aid in debugging sudo, sudoreplay, visudo, and
               the sudoers plugin.

     The pound sign (#) is used to indicate a comment.  Both the comment
     character and any text after it, up to the end of the line, are ignored.

     Long lines can be continued with a backslash (\) as the last character
     on the line.  Leading white space is removed from the beginning of lines
     even when a continuation character is used.

     Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
     silently ignored.

     The sudo.conf file is always parsed in the C locale.

   Plugin configuration
     sudo supports a plugin architecture for security policies and
     input/output logging.  Third parties can develop and distribute their
     own policy and I/O logging plugins to work seamlessly with the sudo
     front-end.  Plugins are dynamically loaded based on the contents of
     sudo.conf.

     A Plugin line consists of the Plugin keyword, followed by the
     symbol_name and the path to the dynamic shared object that contains the
     plugin.  The symbol_name is the name of the struct approval_plugin,
     struct audit_plugin, struct io_plugin, or struct policy_plugin defined
     by the plugin.  If a plugin implements multiple plugin types, there must
     be a Plugin line for each unique symbol name.  The path may be fully
     qualified or relative.  If not fully qualified, it is relative to the
     directory specified by the plugin_dir Path setting, which defaults to
     /usr/local/libexec/sudo.
     In other words:

           Plugin sudoers_policy sudoers.so

     is equivalent to:

           Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so

     If the plugin was compiled statically into the sudo binary instead of
     being installed as a dynamic shared object, the path should be specified
     without a leading directory, as it does not actually exist in the file
     system.  For example:

           Plugin sudoers_policy sudoers.so

     On AIX systems, the plugin may be either a shared object ending in

Sudo 1.9.17                    November 6, 2023
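The line-handling and path rules described above decide which shared objects the front-end loads, and a misspelled directive is dropped without any message. The following is an added example, not code from sudo or from this manual: a small audit sketch that applies those rules to a constructed sample and reports the resolved plugin paths and the lines that would be silently ignored. The function names, the sample file, exact-case keyword matching, and resolving plugin_dir after the whole file is read are assumptions.

```python
import posixpath

DIRECTIVES = ("Plugin", "Path", "Debug", "Set")   # keywords listed on the page
DEFAULT_PLUGIN_DIR = "/usr/local/libexec/sudo"    # default stated on the page

def logical_lines(text):
    """Yield logical lines: comments dropped, continuations joined."""
    buf = ""
    for raw in text.splitlines():
        # '#' and everything after it is ignored; leading white space is
        # removed even on a continued line.
        line = raw.split("#", 1)[0].lstrip()
        if line.endswith("\\"):          # backslash as last character
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():                      # file ended inside a continuation
        yield buf.strip()

def audit(text):
    """Return (resolved plugins, lines that are silently ignored)."""
    plugin_dir, plugins, ignored = DEFAULT_PLUGIN_DIR, [], []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] not in DIRECTIVES:  # exact spelling: an assumption
            ignored.append(line)         # no error is reported for these
        elif fields[0] == "Path" and len(fields) >= 3 and fields[1] == "plugin_dir":
            plugin_dir = fields[2]
        elif fields[0] == "Plugin" and len(fields) >= 3:
            plugins.append((fields[1], fields[2]))
    # Relative paths are taken relative to plugin_dir (assumption: resolved
    # once the whole file has been read). A statically compiled plugin has
    # no file at the resolved location.
    resolved = [(sym, p if p.startswith("/") else posixpath.join(plugin_dir, p))
                for sym, p in plugins]
    return resolved, ignored

# Constructed sample, not taken from a real system.
SAMPLE = r"""
# sudo.conf (constructed)
Path plugin_dir /usr/libexec/sudo
Plugin sudoers_policy sudoers.so
   Plugin sudoers_io \
        /opt/example/sudoers_io.so   # fully qualified, kept as written
Plugn sudoers_audit sudoers.so
"""

if __name__ == "__main__":
    loaded, skipped = audit(SAMPLE)
    for sym, path in loaded:
        print("load   ", sym, path)
    for line in skipped:
        print("IGNORED", line)
```

Each resolved path can then be checked for ownership and write permissions, since whatever it names is loaded into the sudo process.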